By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks
Given the explosive growth of cloud computing and numerous high-profile security and compliance incidents, it’s not surprising that surveys of IT leaders find that cloud tops the list of security priorities this year. In its latest technology overview (download a free copy here), Gartner gives a detailed overview of the emerging security category called cloud access security brokers (CASBs), which offer a control point for enforcing security policies across cloud services. By 2016, Gartner predicts 25% of enterprises will secure their cloud usage using a CASB, up from less than 1% in 2012. Organizations across all industries are deploying CASB solutions because these solutions enable them to migrate to the cloud securely.
As corporate data moves to the cloud and employees access data from mobile devices, they bypass existing security technologies. Gartner says this has created a “SaaS security gap”. In response, many organizations have attempted to block cloud services en masse using their firewall or proxy. However, with thousands of cloud services available today, organizations block only the ones that are well known, which causes employees to seek out lesser-known, potentially riskier cloud services that are not being blocked. CASB solutions will, according to Gartner, enable IT to shift from the “no” team to the “let’s do this and here’s how” team.
Gartner’s 4 Pillars of Required CASB Functionality
Gartner organizes CASB capabilities into four pillars of required functionality: visibility, compliance, data security, and threat protection. While cloud providers are starting to offer some limited policy enforcement capabilities, one benefit of using a cross-cloud CASB solution that addresses each functional area, says Gartner, is that an organization has a centralized place to manage and enforce policies. Since capabilities vary widely among cloud providers (and even CASB vendors) this also ensures a consistent set of controls across cloud services.
| Visibility | Compliance | Data Security | Threat Protection |
|---|---|---|---|
| Gives organizations visibility into users, services, data, and devices. | Provides file content monitoring to find and report on regulated data in the cloud. | Adds an additional layer of protection including encryption. | Analyzes traffic patterns to identify compromised accounts and malicious usage. |
Using cloud access security brokers, organizations can:
- Identify what Shadow IT cloud services are in use, by whom, and what risks they pose to the organization and its data
- Evaluate and select cloud services that meet security and compliance requirements using a registry of cloud services and their security controls
- Protect enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and encrypting and tokenizing data
- Identify threats and potential misuse of cloud services
- Enforce differing levels of data access and cloud service functionality based on the user’s device, location, and operating system
CASBs Have Multiple Deployment Models
While many CASBs leverage log data from firewalls and web proxies to gain visibility into cloud usage, Gartner defines two major deployment architectures that CASB solutions use to enforce policies across cloud services: proxies and APIs. In proxy mode, a CASB sits between the end user and the cloud service to monitor traffic and enforce inline policies such as encryption and access control. CASBs can leverage a forward proxy, reverse proxy, or both. Another deployment mode is direct integration to specific cloud providers that have exposed events and policy controls via their API. Depending on the cloud provider’s API, a CASB can view end user activity and define policies.
Certain security capabilities are dependent on the deployment model, and Gartner recommends organizations look to CASB solutions that offer a full range of architecture options to cover all cloud access scenarios. They also note that vendors offering API-based controls today are not well-positioned to extend their platforms to include proxy-based controls given the significant investment needed to develop a robust proxy architecture that scales to the large data volumes exchanged between end users and cloud services. Depending on industry regulations, customers may also look for on-premises proxy solutions, so Gartner recommends looking for a vendor that offers both on-premises and cloud-based proxy models.
CASB Evaluation Criteria
According to Gartner, while many providers focus on limited areas of the four CASB functionality pillars, most organizations prefer to select a single CASB provider that covers all use cases. Gartner recommends that organizations carefully evaluate CASB solutions based on multiple criteria. One consideration is how many cloud providers the CASB solution can discover and the breadth of attributes tracked in the CASB’s registry of cloud providers. Another consideration is whether the CASB supports controls for the business-critical cloud services currently in use or planned in the near future.
Finally, Gartner notes that the CASB market is crowded and expects that consolidation will occur and some vendors will exit the market in the next five years. A good predictor of whether a vendor will continue operating is whether they are one of the leaders in the market in terms of customer traction. Companies with more customers will naturally have a more complete view of customer needs, which will enable them to develop better solutions to meet those needs that will, in turn, attract more customers and support a sustainable business. To read more about Gartner’s view of the market, I encourage you to download a free copy today.