Forget the days when you could blame a hazy notion of the cloud for a breach in your security protocol. By 2023, at least 99 percent of all cloud security failures will be your fault, Gartner predicted in its 2018 Magic Quadrant on cloud access security brokers, so now’s the time to investigate which CASB is right for you. With dozens of options available, this list of the top 10 CASB products and services is intended to help you winnow down the choices.
The cloud access security broker market offers four main services to keep your enterprise and its workflows safe from the public applications employees and contractors use to stay productive and connected, wherever and whenever they need access.
Visibility. A CASB lets you see what your people are accessing beyond your enterprise, including who is using cloud applications, where they are accessing the information, and what they are looking at. Almost every cloud access security broker allows an enterprise to move beyond the “shadow IT” style of finding out too late that employees are using unapproved apps in the cloud to share or access data.
Data security. CASBs keep your data intact and secure, just the way you like it when it resides on your own campus. To ensure data loss prevention (DLP) in the cloud, a CASB will monitor employee clearance, or levels of access. Some CASBs offer tokenized access or redact prohibited content on the fly.
Threats. CASBs monitor and prevent unwanted and threatening access to your data by providing adaptive access controls and embedded user and entity behavior analytics(UEBA). Their products scan emails, learn how to identify anomalous user behavior and prioritize threat levels before locking out individuals or apps
Compliance. Reporting and regulatory compliance are key for enterprises with governance and governmental accountability, as well as for those who want to show clients and customers how much value they place in proactive security measures.
Most CASB products and services are available as SaaS (software as a service) offerings, with tweaking available through plug-ins or additional on-premises hardware to help IT staff monitor activity.
Before we present the top 10 list, here are a few questions to consider when choosing a CASB.
- Will the CASB’s filtering and encryption protocols impact latency and adversely affect user access times?
- Does the web filtering tool see beyond domain names and paths taken to the specific applications being used? And does the tool decide whether to allow access or is that decision made by a different tool managed by on-site IT?
- Does the CASB allow users to extract or download data from shared files? Should the data be encrypted if it comes from a trusted CRM source like Salesforce? Who makes that decision?
- Are analyses of threats and anomalous user activity based on machine learning with scalable results?
- Does the CASB offer reverse proxy applications? In other words, does the CASB monitor data flowing back to your network before it reaches your own servers and clients?
Criteria for inclusion on this list included the company’s focus on the CASB market, partnerships, innovation, reviews of the company’s performance and expertise, and company size. When available, we factored in the company’s financial stability and reviews of the companies’ workplace culture.
One final thing to keep in mind is that the CASB market is both competitive and shifting. In its 2018 CASB Magic Quadrant report, Gartner said that CASBs have become an “essential element” of cloud security strategy, and that by 2022, 60 percent of large enterprises will use a CASB to govern some cloud services, up from less than 20 percent today.
“Not surprisingly, this is starting to become a more crowded market,” said Rik Turner, senior analyst for infrastructure solutions at Ovum. “Cloud access security platforms, whether they are called brokers, controllers or gateways, are certain to see further growth in demand as more and more companies move at least part of their enterprise application infrastructure to the cloud.”
Turner said he expects to see a “land grab” by the more established players, with the more successful startups getting gobbled up. “All the companies competing in this market should therefore expand their customer base and gain visibility in readiness for this phase,” he said.
The land grab is well under way. Cisco, McAfee, Microsoft, Symantec and Palo Alto Networks have made acquisitions in the CASB space in the past few years.
If you’re looking to beef up your cloud security and monitor employee access, this top 10 list is designed to simplify your choice of provider. To compile the list, we identified the cloud access security brokers in the market — with a starting lineup of 20 companies — and then determined which factors we’d use to assess them. Helping along the way were analysts, company executives and IT professionals.
Here’s the list, which is presented alphabetically:
Bitglass Next-Gen CASB
Bitglass’ platform relies on “zero-day” threat data protection and a virtual, or agentless, architecture (called AJAX VM) that allows an enterprise to secure applications from any device, including mobile. It runs in the cloud or on premises and can be used as a managed or unmanaged service. The Next-Gen CASB currently supports Office 365, G Suite, Salesforce, Amazon Web Services, LinkedIn, Slack, Facebook, Box, Confluence, Dropbox and more.
Founded in 2013 and based in Campbell, California, Bitglass is still privately held. It reports raising $80.1 million in funding over three rounds with $21.6 million in annual revenue. In November 2018, Bitglass announced a partnership with Hitachi Solutions, its first distribution partner in Japan.
The Wall Street Journal named Bitglass the top tech company to watch in 2018, the only CASB on the list. Bitglass moved to the Leader quadrant in Gartner’s October 2018 CASB Magic Quadrant and was named an SCMedia 2019 awards finalist for Best Cloud Computing Security Solution.
CipherCloud’s on-premises, cloud and hybrid solutions encrypt data before delivery to SaaS applications while also allowing some app functionality. They can integrate with on-premises key management, DLP, and audit and protection products. CipherCloud’s primary implementation is as a reverse proxy for SaaS apps. CipherCloud CASB+ targets Office 365, Salesforce, ServiceNow, Azure, SAP, SuccessFactors, Box, Slack and Dropbox.
Based in San Jose, California, the privately held CipherCloud is another of the CASBs still in early venture rounds. It raised $80 million over four rounds and reports $22.5 million in annual revenue. Founded in 2010, CipherCloud serves mainly healthcare, financial services, insurance, government, telecom and banking enterprises in 25 countries.
CipherCloud was named a finalist in the 2019 SCMedia Awards for Best Cloud Computing Security Solution. The CASB provider also moved from the Challenger quadrant in Gartner’s 2017 CASB Magic Quadrant to the Visionary quadrant in 2018.
Networking giant Cisco acquired Cloudlock, based in Waltham, Massachusetts, for its CASB product in 2016. Founded in 2007, Cloudlock claims deployment in more than 700 organizations worldwide. The company notes that the API-driven CASB is easy to deploy, benefits from Cloudlock’s CyberLab security intelligence arm, and uses UEBA to scan and monitor all platforms for unusual or unauthorized activities.
The Cisco CASB monitors data at rest and offers retroactive monitoring of user activity. It also uses geolocation logs and timing of occurrences to note anomalies. For DLP, the CASB can be configured to provide automated response to remediate risk by, for instance, notifying end users, encrypting data and quarantining data.
Cloudlock covers Salesforce, Office 365, G Suite Dropbox and Box. It also works in IaaS (infrastructure as a service) and PaaS (platform as a service) environments and integrates with cloud-based identity and access management providers such as Okta, OneLogin and Centrify to remediate suspicious behavior.
The services that allow Cloudlock to reset access control lists, revoke sharing rights or encrypt or quarantine a file move this CASB beyond the typical vendor, according to Ovum’s Turner. He also noted Cloudlock’s ability to ingest security intelligence from its lab composed of former members of Israeli and U.S. intelligence services.
A Niche player in Gartner’s 2018 CASB Magic Quadrant, Cloudlock is also an SCMedia 2019 awards finalist for Best Cloud Computing Security Solution.
McAfee’s MVISION Cloud
McAfee bought its MVISION Cloud in the 2018 acquisition of Skyhigh Networks, a CASB vendor based in Campbell, California. According to McAfee, the product is in use in more than 600 companies.
Primarily deployed for APIs, McAfee’s CASB offers encryption and tokenization of structured and unstructured data. It protects against malware and external and insider threats through UEBA driven by machine learning built for the scale and elasticity of cloud environments. According to the company, DLP policies are easily extended to the cloud and custom apps to ensure consistent data protection across multiple environments. MVISION Cloud supports Office 365, Amazon Web Services, Box, Salesforce and Azure, among other cloud-based applications and services.
McAfee was a Gartner Magic Quadrant Leader in October 2018 and a 2018 Gartner Peer Insights Customers’ Choice for Enterprise Data Loss Prevention. It is also an SCMedia 2019 awards finalist for Best Cloud Computing Security Solution.
Microsoft Cloud App Security
In the fall of 2015 Microsoft acquired Adallom Pro Active CASB, along with its dedicated lab, to test and analyze cloud applications and vulnerabilities, and it launched its own Cloud App Security in April 2016.
A reverse-proxy-plus-API CASB, it is available stand-alone and as part of Microsoft’s Enterprise Mobility + Security (EMS) suite. (The suite takes the toolkit beyond your standard CASB offerings of visibility, data security, threats and compliance.)
Microsoft Cloud App Security's anomaly detection policies provide out-of-the-box UEBA and machine learning. Anomalies are detected by scanning user activity. Risk is evaluated by looking at over 30 indicators grouped into risk factors: risky IP address, login failures, admin activity, inactive accounts, location, “impossible travel” scenarios, device and user agent, and activity rate. Security alerts are triggered based on the policy results. User information coupled with risk factor analyses (including regulatory certifications and industry standards like GDPR) can assess the compliance of the cloud apps in an organization.
The Microsoft CASB covers Office 365, Azure, Box, Salesforce, Workday, G Suite and more.
It was a Gartner Magic Quadrant Challenger in 2018.
Netskope Security Cloud
Netskope, which is based in Santa Clara, California and was founded in 2012, is a late-stage venture, having raised nearly $400 million in six rounds. It acquired Sift Security, a cloud security breach engine, in July 2018.
Netskope’s CASB includes behavior analytics and alerting within managed and unmanaged SaaS applications. Its Active Threat Protection defends against threats in cloud applications using internally and externally developed threat intelligence. It can analyze suspected malware and move it to a safe space, or sandbox, on the Netskope cloud to derail it.
The Netskope CASB is implemented largely via an API and forward proxy, or with a combination of an on-premises gateway and end-user agents. Reverse proxy is also available. It provides visibility to vulnerabilities in APIs, mobile devices and shadow IT. According to Gartner, Netskope’s Cloud Confidence Index cloud risk database is comprehensive, measuring 28,000 services across 50 criteria that include details about pricing, business risk and readiness to tackle GDPR compliance.
Netskope was a Gartner Magic Quadrant Leader in 2017 and 2018.
In 2016, Oracle expanded its security portfolio by acquiring Palerra, which had been shipping a CASB product since early 2015.
Using an API-based approach to detect threats, Oracle offers several CASB versions with specific applications for SaaS, IaaS and custom applications. They provide discovery for SaaS apps by analyzing logs and cloud activity and identifying risky applications, and they offer security monitoring, threat protection and incident response.
Additional licensing allows real-time threat detection for DLP and retroactive scanning. Delivered as SaaS or sold through a managed security service provider, the CASB can scale to new content, and custom applications are also protected.
Oracle was a Gartner Magic Quadrant Challenger for 2018.
Palo Alto Networks Aperture
Founded in 2005, the company known for next-generation firewall technology, Palo Alto Networks, has built out its CASB business on top of its core strengths. The company, which is based in Santa Clara, California, acquired CirroSecure (a maker of SaaS application security) in 2015 and Evident.io (cloud infrastructure security) and RedLock (cloud cybersecurity) in 2018.
Aperture provides monitoring tools, DLP, user tracking, malware detection and remediation, analytics, risk identification and reporting. Cloud-focused security tools target discovery of apps and security management. It identifies apps that can exfiltrate data and suggests ways to improve compliance. Aperture also scans content for sensitive data.
Aperture was a Niche Player in Gartner’s 2018 CASB Magic Quadrant.
Proofpoint Cloud App Security Broker
Proofpoint, founded in 2002 and based in Sunnyvale, California, is another vendor that has acquired CASB technology. In its case, it bought startup FireLayers in 2017, extending Proofpoint beyond its strengths around email security.
Proofpoint Cloud App Security Broker has DLP, advanced threat detection, threat intelligence, and built-in two-factor authentication. It identifies risks in a wide range of categories informed by a diverse audience of threat intelligence. Proofpoint also added multiple nonproxy mitigations for SaaS, including a mechanism in many SaaS applications and content-scanning bots that can provide near-real-time DLP. According to Gartner, Proofpoint is the only CASB with the capability to force access to risky services through a remote browser isolation mechanism that protects users, devices and applications from remote attack.
Proofpoint was a Gartner Magic Quadrant Visionary in 2018.
Symantec, already a leader in anti-virus and endpoint protection, has built out its CASB product line through acquisition. It bought Blue Coat Systems in 2016, which had itself acquired Elastica and PerspecSys.
The multimode CASB focus is on encrypting or tokenizing data in SaaS applications. Based on a portfolio with DLP, UEBA and content inspection tools, CloudSOC offers log analysis and traffic inspection, behavior analytics, cloud usage patterns, malware analysis and cloud application discovery. Adaptive access controls can be built based on threats, behaviors, device and user location.
Symantec was a CASB Magic Quadrant Leader in 2017 and 2018.