CASBs address wide range of cloud security concerns

Cloud, complex apps bring new security demands

With the rise of cloud, enterprises found that more traditional security models, such as virtual private networks (VPNs), aren't always enough to sufficiently protect their data.

"VPNs were adequate when users accessed [on-premises] solutions via PCs," said Patrick Hevesi, research director at Gartner. "With public cloud, they log in anywhere on the planet from any type of device, so a new approach is needed to safeguard information."

In addition, as enterprises break their applications down into smaller, more dispersed components, IT teams deploy a growing number of tools to provide different types of security checks. For example, they have gradually supplemented traditional firewalls with auditing systems, authorization products, web application firewalls, data leak protection (DLP) and encryption tools. Rather than implement and manage these products independently, businesses deploy them as security suites.

Cloud access security brokers (CASBs) include all of these security functions, help enforce an organization's existing security policies and ensure compliance, as users access cloud resources. Their importance in the security industry is underscored by interest from top IT vendors, like Microsoft and Cisco, many of which have made acquisitions in this space over the past few years. Startups, such as Bitglass and Netskope, have also emerged.

A variety of functionality

CASBs first became popular when businesses tried to reign in shadow IT.

"[Shadow IT is] risky because many departments do not have strong data protection policies," Hevesi said.

To combat these risks, organizations turned to CASBs, because they typically offer strong auditing features that can sift through system logs and find unauthorized applications. Additionally, they are adept at basic firewall functions, such as warding off malware.

However, not all CASBs are the same; some focus on one security aspect more than another. Also, some are tailored specifically for smaller or larger enterprises.

CASBs bite off a huge range of features.

"CASBs bite off a huge range of features," said Dan Blum, managing partner and principal consultant at Security Architects Partners. "Since vendors emerged from different niches, their tools often offer different degrees of sophistication for each function."

For example, single sign-on features, which ensure only authorized individuals access corporate applications, come with varying levels of sophistication depending on the CASB you choose. Encryption, DLP and threat prevention capabilities can also vary by CASB vendor, so be sure to determine the security features that are most important to your enterprise -- today and in the future -- before you make a decision.

Some gaps to address

While CASBs, in general, offer a wide range of security features, there's room for growth.

For example, user behavior analytics is an area that has gained traction in the enterprise. These analytics tools can help IT teams spot anomalies in user interactions. For instance, if a user accesses information in the morning from his or her home office in New York and then, at noon, logs in from Shanghai, the tool would raise a red flag. CASB capabilities, in this area, are still immature.

In addition, digital rights management is another capability that CASBs could support moving forward, according to Hevesi.

What's more, to gain value from CASBs, enterprises need to tie them into their business applications, which have, over the years, become increasingly complex.

"Salesforce is no longer a monolithic application; it consists of thousands of components tied together by a series of APIs," Blum said. Connecting different security checks to these individual interfaces is difficult, time-consuming work.

As SaaS vendors continue to update their applications, this is another area where CASBs need to keep up.