CASB tools evolve to meet broader set of cloud security needs

When choosing a CASB, enterprises face two primary options: a stand-alone service from a third party or a bundled tool set from some of the large cloud providers. It's important to pick your flavor wisely.

While public cloud providers offer their own suites of security services, organizations can also incorporate a third-party CASB -- an IT security tool that continues to evolve and broaden its reach.

A cloud access security broker is software that sits between users and cloud services to make sure that the individuals working with those services are authorized and that their actions conform to company policies. CASB tools emerged as a means to rein in shadow IT.

"The sweet spot for CASBs has been protecting public SaaS applications," explained Pete Lindstrom, vice president of security research at IDC. "Many enterprises now have half a dozen or more SaaS applications and need tools to ensure that security is implemented in a consistent manner across all of them."

CASBs typically offer features, including the following:

  • Firewalls: Identify malware and prevent it from entering the enterprise network.
  • Authentication: Checks users' credentials and ensures they only access appropriate company resources.
  • Web application firewalls: Thwart malware designed to breach security at the application level, rather than at the network level.
  • Data loss prevention: Ensures that users do not transmit sensitive information outside of the corporation.

[Figure: CASB core features]

Vendors add more features, embrace IaaS

CASB tools have evolved to include, or work alongside, other IT security services -- though some vendors, such as Netskope and Bitglass, still offer stand-alone tools. These vendors differentiate their services in various ways, such as working with new and popular SaaS offerings, said Dan Blum, managing partner and principal consultant at Security Architects Partners.

Another emerging area for CASB tools is support for PaaS and IaaS, but that functionality is a work in progress. "PaaS and IaaS support is a bit tricky because that market is evolving at such a rapid pace that it is difficult for third parties to keep up," Lindstrom said.

That said, to meet the needs of IaaS and PaaS users, CASB vendors have added or expanded functionality for security tasks, such as the following:

  • Single sign-on: Enables an employee to enter their credentials one time and access a number of applications.
  • Encryption: Encrypts information from the moment it's created until it's sitting at rest in the cloud.
  • Compliance: Includes reporting tools that ensure that the company's security systems meet the ever-growing list of compliance specifications, like GDPR.
  • User behavior analytics: Mines information and identifies potential aberrant behavior, which may indicate an outsider is trying to access system resources.

Bundling pros and cons

As the CASB market grew, established vendors acquired, and continue to acquire, a number of offerings. The transactions have included Cisco's acquisition of Cloudlock, Microsoft's acquisition of Adallom and Palo Alto Networks' acquisition of RedLock.

Bundled offerings, like those produced by acquisitions, provide numerous benefits, such as lower pricing. For example, Microsoft includes CASB functionality in its base Azure security services at no extra charge.

Bundled services also reduce integration complexity, since the vendor takes on that work. Additionally, they offer a single management interface, so IT teams don't have to bounce between offerings to troubleshoot system issues.

"The more heterogeneous the environment, the more complex security integration becomes," IDC's Lindstrom said.

However, there are tradeoffs, such as vendor lock-in. Dependency on a specific provider will make it difficult to switch if a better option arises. Also, providers with a broader focus might not be the best option for those with industry-specific needs.

Join the conversation


Which type of CASB do you prefer: stand-alone or bundled?
I really have issues with your definition of CASB (Cloud Access Security Broker), especially by including the threat protection and security features. Saying firewall is a feature of CASB is plain wrong.

You conflate private cloud, public cloud and Internet as if they are all the same. I have much more native control of my private cloud's use and access than I do of public cloud. For example, I could be using a direct cloud connection to Amazon, so of what use is a firewall? Why would I want DLP only for this link? If I want SSO, why would I want it only for cloud applications?

The need for these tools depends on individual company configurations. If they have private clouds with legacy security solutions, then the new CASB services may not be a good fit.  

However, the traditional dividing lines among private, hybrid, and cloud are changing as the market evolves. AWS Outpost is a good example. It is a public cloud service that runs in a private data center, an option that did not exist until recently.   

Strip away the terminology and you have data centers, which are more similar than different. Public cloud needs the same (and in some cases additional) security checks as those found in a private data center. Consequently, cloud firewalls have emerged and the article below illustrates some of its uses as well as similarities and differences between it and traditional firewalls. Those differences constantly change as vendors enhance their services.

Single Sign On systems ideally work for all applications. In reality, they provide access to some but not all applications. Having one SSO for cloud and another for legacy systems is cumbersome. Consequently, vendors have been moving to integrate the two. However, the work is complex and time-consuming. So, businesses may find that an SSO does not work for all of their applications, so is it really SSO? In some ways yes, because it consolidates a number of systems. In other ways no, because it does not work with every application, so users have multiple sign-ons.