Market Guide - Cloud Application Security Brokers (CASB)
This Market Guide is focused on one of the technologies contributing to convergence between dedicated ITAM teams and other areas of IT Governance. Cloud Access Security Brokers (CASB) act as an intermediary between users and cloud service providers. Their purpose is to discover, monitor, control, and secure access across the perimeter between corporate users, devices, and networks and the internet. For ITAM teams it is the Discover and Monitor aspects that overlap most with our priorities.
How do CASBs work?
Many IT professionals will be familiar with mature security technologies such as network firewalls and internet proxies. Essentially, CASBs combine those technologies with highly configurable policies enabling fine-grained access control on a per user and per application basis. Many CASBs will also include Data Loss Prevention (DLP) functionality too.
They are perhaps best thought of as passport control – defending the organisation from external threats whilst simultaneously checking the credentials of everyone who wants to leave the safety of the corporate network. Visas will be issued to allow access to certain applications (e.g. Slack, Zoom, Dropbox), and suitcases will be searched to ensure only authorised information leaves the network (DLP). Some CASB solutions also have the ability to manage IaaS & PaaS services (i.e. Microsoft Azure, Amazon AWS, Google Cloud Platform).
For ITAM professionals, the deployment method used for the CASB may be important. Typically, there are four options;
This is the simplest method, logs from existing infrastructure such as network firewalls and routers are sent to the CASB for analysis.
Think of this as agentless scanning. All traffic, regardless of whether a device is managed (i.e. has an agent installed), is routed automatically via the CASB for analysis.
Think of this as agent-based scanning. Devices are configured to route all traffic via the CASB for analysis.
The API method uses the destination services API to communicate with the CASB for analysis. For example, Office 365 has functionality designed to integrate to a CASB via API.
What is a Multimode CASB?
CASBs which use more than one of the above options are multimode. Typically, these are the most desirable and feature-rich, but suitability will depend on budget and the level of control you exert over application and device usage on your network.
What’s the value to an ITAM team?
This largely depends on the security posture and IT policy of your organisation. If you have very light touch policies around purchasing of IT hardware, software, and services, a CASB is an immensely powerful detector of potential Shadow IT on your corporate network. Essentially, because a CASB sits at the edge of your network all network traffic leaving the organisation can be configured to pass through it. Discovery is thus fully-automated – it becomes incredibly difficult to avoid detection. The CASB solution will provide a definitive list of which applications are in use on your network, and by which users. Most will identify common cloud storage services – so you can monitor capacity and usage which may be a useful metric at renewal time. You greatly ease the challenge of discovering Shadow IT spend particularly inherent in SaaS.
This definitive discovery is an extremely valuable enabling technology for optimising your Shadow IT estate. By knowing which applications are in use, and who is using them, you can build an optimisation programme. For example, your CASB may show that employees are using Zoom, WebEx, and GoToMeeting for web conferencing. Armed with that information an ITAM team can look to recommend optimisation by standardising on a single service.
For organisations with stronger IT usage policies, the CASB provides certainty around application usage. This is particularly important for regulations such as PCI-DSS which require application whitelisting for environments processing payment card transactions. An application whitelist means that only certain applications are permitted for use – clearly from an ITAM perspective this enables further optimisation through standardisation. And with a standard application catalogue implemented and enforced at the edge of the network you can enable automation of software delivery to your users through self-service.
Alternatively, you may take the opposite approach and implement application blacklisting – essentially saying “you may use any application except these”. This can be useful in enforcing standardisation too. For example, if for contractual or licensing reasons you wish to prevent employees from using Dropbox for file-sharing - you can do so via a blacklist. The Dropbox use-case is a prime example of the value of a CASB to an ITAM function. The free personal edition of Dropbox may not be used for commercial purposes. Dropbox have been known to identify corporate use of the free tier via email address and contact the company to discuss commercial terms.
Moving beyond these technical solutions to common ITAM problems, a CASB can be valuable in fostering strong stakeholder relationships. CASBs are managed by your Network and Security teams, who are key allies in achieving your ITAM objectives. By working together, you can ensure keeping the organisation safe also delivers value in terms of reduced costs and application complexity.
Key Capabilities for ITAM teams
This is an emerging area of integration for ITAM teams. As such, CASBs tend to be isolated and siloed from our existing toolsets. Until the IT Governance tools market matures, we shouldn’t expect any out-of-the-box integration. You may find, with the right technical skills, that it’s possibly to ingest information from certain CASB solutions via reporting APIs but for now this is a largely manual process.
When speaking with your IT Security team on this subject the primary capabilities that will enhance certainty about assets in your ITAM tool are:
- Whether the tool has API-based connectivity to your most-used cloud applications
- Ability for the vendor to customise the tool to discover all of your critical applications
- Support for the following metrics:
- Application usage by user
- Application usage by category (e.g. Web-conferencing, file-sharing, project management)
- Frequency of application access
- Application usage by device
- Authentication method used
- Device/User network location
- Deployment method
- Log Ingestion
- Forward Proxy
- Reverse Proxy
- Multimode (a combination of the above)
These capabilities are beneficial in building certainty in the discovery and inventory results from your dedicated ITAM toolset. Furthermore, they may be the best method for discovering application usage metrics for the majority of SaaS apps that don’t have direct API connections, or if your ITAM tool doesn’t provide SaaS discovery.
For organisations with existing web security solutions it may be worth checking if CASB is available as an option in those tools. For example, Forcepoint make a free CASB service available to subscribers to their web proxy service.
In compiling this guide, we have sought to include a wide variety of solutions in terms of cost, target organisation size, and geographies. If you are a vendor with a CASB solution with ITAM-related capabilities and are not included, please contact us for possible inclusion in a later revision. Similarly, if you are an end user of a solution not listed, please consider submitting a review on The ITAM Review Market Place.
The CASB market has been through a period of rapid growth leading to most independent/category founder companies being acquired by the giants of the security world. In terms of usage, CASB technology still has a long way to grow; according to Gartner research just 20% of large enterprises were using the technology in 2018. Growth to around 60% by 2022 is expected, so for ITAM Managers now is a good time to be talking to your security team about this emerging technology.
California-based Bitglass are one of a handful of remaining independent pure-play CASB providers. Their product is one of the more mature options in the market, released in 2014. It is primarily a reverse-proxy solution but does support API & forward proxy as well. For ITAM managers, check the list of SaaS apps managed via API for correlation with your known SaaS estate.
Censornet are UK-based and provide a multimode CASB as a component of their security platform which also includes email security, web security, and multi-factor authentication.
California-based CipherCloud, an independent CASB provider, provide CASB capabilities as part of their Cloud Governance & Data Protection suite. They market strongly around their AnyApp connector, useful for managing custom & industry-specific applications.
California-based Cisco acquired Cloudlock in 2016. Cloudlock provides CASB functionality for IaaS, PaaS, and SaaS and the product is now bundled in a suite called Umbrella. It is an API-only CASB so is only suitable for services that provide API connectivity. This may limit its usefulness for ITAM teams seeking to capture and manage all cloud application usage.
Texas-based Forcepoint, formerly Websense, acquired CASB functionality from fellow security vendor Imperva in 2016. CASB is integrated into their web and email security suites. It is a multi-mode CASB, utilising APIs and forward/reverse proxy methods for deployment. They claim 100% protection for Cloud apps through “fingerprinting” of application behaviour.
Colorado-based Managed Methods were founded in 2013 and are an independent vendor focused on the CASB market. The solution relies solely on SaaS provider API connectivity and includes support for Office 365, G Suite, Slack, Dropbox, OneDrive and others, including any services making use of OAuth for authentication. A cloud-based service, it requires no hardware or software to be installed.
McAfee acquired SkyHigh Network’s CASB service in 2018, rebranding it as MVision Cloud. It is primarily an API-mode CASB, although does also support proxy deployment. Prior to acquisition, SkyHigh’s product was one of the more mature in this market, having been released in 2013.
Microsoft acquired Adallom in 2015. The former Adallom CASB product is now known as Cloud App Security and comes in 2 flavours – the fully featured “Microsoft Cloud App Security” is included within EM+S E5 & Microsoft 365 E5, while Office 365 E5 includes a limited version known as “Office 365 Cloud App Security”. It is also available standalone although it should be noted that, in common with other re-architected Microsoft products, it tends to rely on other components of the Microsoft platform such as Azure Active Directory. It is a multi-mode CASB solution deployed via Reverse Proxy & API.
Netskope are an independent CASB vendor based in California. Their product is mature, having been in the market since 2013. The CASB is primarily deployed via API & forward-proxy, including agent-based deployment for managed corporate devices. In common with many other vendors the CASB is available as part of a wider security platform.
Oracle acquired CASB vendor Palerra in 2016. In keeping with Oracle’s usual business model, the CASB functionality is split into separate products meaning that a customer can potentially “mix and match” the capabilities they require. For ITAM teams, Oracle CASB for Discovery is of most relevance.
Palo Alto are a network security company based on California, well-known for their “next-generation” firewall products. Their CASB is marketed under their Prisma Cloud Security platform as Prisma SaaS. Palo Alto have built their CASB offering via a series of acquisitions including CirroSecure. Deployment is primarily via API mode.
Perimeter 81 are based in Tel Aviv, Israel and provide a range of enterprise security capabilities as a per-user SaaS subscription. The service is priced at $8 per user per month. Founded in 2018 they focus on providing SMEs with a fully managed Cloud Access Gateway. This gateway controls and inspects traffic leaving the organisation, thereby providing CASB services. Agent-based, the solution is particularly suited to organisations with many remote employees and no single corporate network.
Similar to Forcepoint, California-based Proofpoint are a well-established enterprise web & email security vendor, having been founded in 2002. Their CASB product was acquired from Firelayers in 2017. Proofpoint don’t highlight CASB capabilities of interest to ITAM teams in their marketing but the product does have the ability to discover third-party app usage in other cloud services. This capability is often noted as important by SaaS Management tool providers.
Symantec are based in California and are currently (September 2019) subject to a partial acquisition by Broadcom which will include their CASB product, CloudSOC. Symantec highlight Cloud App Visibility as a key capability, enabling ITAM teams to potentially discover Shadow IT. As a standalone product it relies on firewall log inspection for discovery, but it also integrates with other Symantec products to provide enhanced capabilities.
This market has been through an intense round of acquisitions with many category-founding companies having been snapped up by industry giants. It is now relatively mature whilst still providing plenty of choice. It is interesting to note that it is still attracting new entrants such as Perimeter 81. Whilst CASBs have functionality that goes way beyond what is of interest to an ITAM professional, the core discovery capability they provide makes them a vital component in building tooling for an broad IT Governance function.