As business functions move to the cloud, it’s imperative to retain visibility into who is connecting to cloud applications, what they are doing, and what devices they are using to connect. This is where Cloud Access Security Brokers (CASBs) come into play. CASB solutions help manage risk by providing visibility into, and in some cases control over, what is happening in cloud applications.
CISOs need to be aware, however, that the current CASB landscape is fragmented, with considerable consolidation going on. In late November, McAfee announced that it would acquire Skyhigh Networks, one of the most recognized standalone CASB offerings, which had more than $106 million in funding. If you are looking to secure your cloud, I recommend a thorough discussion with each CASB vendor under consideration to understand its solution focus and roadmap.
The bulk of standalone CASBs today focus on the Software as a Service (SaaS) market. However, there aren’t many vendors entering this space right now; rather, the vendor list, as we are seeing with the Skyhigh acquisition, is shrinking as larger companies buy the smaller ones, often to incorporate CASB features into other cloud or security offerings. What’s more, firewall vendors are moving into this market as well.
The SaaS-oriented CASB solutions help provide visibility into all the cloud applications that users access. For a small set of the more significant SaaS applications – Workday, ServiceNow, Office 365, Google G Suite, Box, etc. – the CASBs have API integrations that enable control over what users can do with those apps. For example, controls ensure that users can do certain things only when they’re on the corporate network, but not when they’re on a private network or on a personal device; perhaps users can only read and not download data when off the corporate network.
The SaaS focus leaves a gap in cloud coverage where Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) is involved. When running workloads in Azure, AWS or different hosting providers, it’s important to have visibility and control over what’s happening with those hosting providers. There are some CASB vendors with this specific focus, and even SaaS-oriented CASBs are heading in this direction. For instance, Microsoft bought Adallom, which was a very good standalone CASB, to help support and protect workloads in Azure. Oracle bought Palerra to add protection to workloads in the Oracle cloud. Symantec added Elastica to its security stack via the Blue Coat acquisition.
Many of the CASB solutions provide, or are looking to provide, advanced controls such as data tokenization, encryption or data loss prevention of specific data fields. Depending on what features you want to license and what you want to do, you can go through a CASB to leverage encryption, DLP, or other controls as needed on a case-by-case basis.
The bottom line is, if your enterprise is putting sensitive information in the cloud – regardless of whether the service is SaaS, IaaS or even PaaS – then you need to have visibility into what users are actually doing with your data. Existing solutions such as firewalls might be able to provide some visibility, but if you want more in-depth insight into data risk, and certainly if you want to put controls around the data, then you’ll likely need a CASB or the functionality it offers. Survey the CASB market, do a proof of concept with one or two products, understand their roadmaps, and determine which solution can best help provide the visibility and risk reduction that you need.