Cloud computing has not only altered the way the world does business, but it also has brought new and often challenging enterprise security requirements. As a result, a whole new sector of IT has sprung up in the last decade focused on cloud-access security–acronymed CASB (for cloud access security brokers)–which requires very different skills and tools from data center or campus-centric security.
Going into 2021, there are few areas of security that are more important to businesses, government, the military, consumers or the scientific sector than CASB. This is because all of use are doing the majority of our work in cloud-based applications.
As enterprises adopt new services, applications and methods to manage data, the need to address changing data models and threat risks is essential. Organizations must address an array of issues that revolve around collaborative web applications, data flow, network designs, cloud infrastructure and other key areas.
Although major cloud providers typically offer robust built-in protections—including strong authentication, encryption and malware detection—there are often gaps in protection that result when organizations rely on multiple cloud service providers, different network topologies and numerous applications. These risks often involve key areas such as web application firewalls (WAFs), secure web gateways (SWGs) and data loss prevention (DLP).
Cloud access security brokers (CASB) take aim at this issue. “They deliver differentiated, cloud-specific capabilities generally not available as features in other security controls,” a recent industry report from Gartner Research said. “CASB vendors understand that for cloud services the protection target is different: it’s still your data but processed and stored in systems that belong to someone else.” Consequently, CASBs store policy management information and governance details across multiple cloud services. This delivers granular visibility and stronger controls. Gartner predicts that by 2022, 60 percent of large enterprises will use a CASB to govern cloud services, up from 20 percent today.
Here’s a look at 10 of the top vendors in the cloud security space. These ratings were curated with data and reviews from Gartner Peer Insights, G2 Crowd and IT Central.
Top CASB Solutions
Cisco Systems Cloudlock
Security Package: Cisco Cloudlock
Value proposition for potential buyers: Since Cisco Systems acquired Cloudlock four years ago, it has worked hard to incorporate the company into its portfolio of cloud-based products. The CASB solution offers a number of powerful capabilities, including the ability to configure policies dynamically and aggregate users into specific groups, based on real-time actions and behavior.
Key values/differentiators:
- Cloudlock can also constrain user behavior, thus providing a powerful form of adaptive access control. In addition, it provides powerful controls, based on OAuth, that can override permissions and block certain types of cloud attacks.
- A strong API framework helps organizations extend controls to SaaS applications that do not include native support for these and other features.
To Take Under Advisement:
- One of the drawbacks to the approach Cloudlock takes is that all these features and controls are based on sanctioned applications that provide APIs. Cisco also offers no support for CSPMs. Users rate the platform as easy-to-implement, powerful and highly scalable.
Who uses it: Medium to large enterprises
How it works: subscription cloud service and on-prem options
Palo Alto Networks
Security Package: Palo Alto Aperture
Value proposition for potential buyers: Palo Alto Networks acquired CirroSecure in 2015 and has since relaunched the solution to include more focused cloud security tools. The 2020 solution is heavily focused on discovery along with SaaS policy and security management. Aperture includes strong data classification and monitoring tools, DLP, user activity tracking, known and unknown malware protection and detailed risk and usage reporting.
Key values/differentiators:
- Palo Alto Networks is considered a niche player in the CASB space. Users say that Aperture is an excellent product with strong functionality, though it lacks some desirable features.
- Among its strengths is an ability to identify SaaS and non-SaaS web applications that can be used to exfiltrate data.
- It also delivers comparisons to multiple industry baselines and it suggests configuration changes to improve compliance.
- Users rate the company’s support high.
To Take Under Advisement:
- Cautions include configuration complexity and a lack of functionality in a few key areas, including reverse-proxy inspections.
Who uses it: Midrange and large enterprises
How it works: subscription cloud service and on-premises servers
CipherCloud
Security Package: CipherCloud CASB+
Value proposition for potential buyers: CipherCloud is one of the more respected young cloud security companies on the scene. Encryption and tokenization are key elements of cloud security. CipherCloud, which has offered a CASB solution since 2011, places a heavy emphasis on data protection through cloud-native security and compliance across SaaS, PaaS and IaaS platforms. The solution offers robust cloud-based visibility and controls—extending to applications running in the cloud—and it can manage both structured and unstructured data.
Key values/differentiators:
- One of the biggest strengths of the solution is an ability to encrypt data before delivering it to SaaS applications—while preserving partial application functionality.
- The solution manages keys for SaaS-native encryption mechanisms in the CipherCloud or a KMIP-compliant key management server.
To Take Under Advisement:
- Potential weakness includes adaptive access controls and continuous risk assessment tools that trail competitors, Gartner noted. It positioned the company between a visionary and leader in its Magic Quadrant.
- Some adopters rate the product a bit difficult to use and say it’s a bit pricy. Overall ratings are extremely high.
Who uses it: small to large enterprises
How it works: subscription cloud service
Microsoft
Security Package: Microsoft Cloud App Security (MCAS)
Value proposition for potential buyers: Microsoft’s addition of Adallom in 2015 broadened the company’s security offerings in a big way. MCAS offers a reverse-proxy-plus-API CASB that can operate independently or part of Microsoft’s Enterprise Mobility + Security (EMS) suite. This includes tools for Azure and other applications and components. The solution also includes threat protections and sophisticated analytics.
Key values/differentiators:
- Gartner positions the company in the “challenger” quadrant, while users say that while it can be a bit tricky to implement, it delivers powerful features and strong protections.
- Gartner describes the interface as “intuitive” and says that the solution handles complex policies using a visual editor. This makes the process simpler by eliminating scripting and programming.
- It also offers suggestions and hints that can guide an organization to more robust cloud security.
- Finally, it delivers strong automation, particularly around watermarking and encryption.
Who uses it: Personal to SMBs to midrange enterprises
How it works: subscription cloud service
Forcepoint
Security Package: Forcepoint CASB
Value proposition for potential buyers: Identifying shadow IT, preventing compromised accounts and ensuring secure mobile access to cloud apps covers a broad expanse of enterprise security requirements. Clouds ratchet up the challenges exponentially. Forcepoint CASB focuses on these issues.
Key values/differentiators:
- It delivers a broad package of security products that revolve around secure web gateways, email security, user and entity behavior analytics, DLP and data security, and imposing a network firewall.
- The solution delivers a powerful engine that meshes with workflows and enterprise policies. It also offers risk scoring, anomaly detection, strong analytics and metrics tools, real-time oversight and powerful application governance.
- The focus is heavily tilted toward business applications.
To Take Under Advisement:
- One of the key cautions for adopting the platform revolve around an inability to configure control policies toward preferred SaaS applications. Users describe the solution as powerful, granular and highly flexible. Gartner rates it in the middle of its quadrant.
Who uses it: SMBs to midrange enterprises
How it works: subscription cloud service and on-prem options
McAfee
Security Package: McAfee MVISION Cloud
Value proposition for potential buyers: McAfee is one of the best-known and utilized security solutions in the world, in several categories that inlcude both B2B and consumer markets. The company, owned for a few years by Intel but back to being independent, acquired Skyhigh Networks in January 2018. The solution bolstered the company’s existing portfolio of DLP, SWG and network sandboxing technologies.
Key values/differentiators:
- McAfee’s strengths lie in its powerful dashboard, high level of configurability and flexibility, real-time capabilities, and strong DLP controls.
- Gartner notes: “McAfee offers extensive CSPM capabilities that exceed those of even some pure CSPM vendors. It includes strong auditing and compliance scanning plus multiple options for automatic and guided manual remediation.”
- Users give the solution high marks and say it provides strong controls, particularly in finding shadow IT.
To Take Under Advisement:
- Potential drawbacks include: the ability to configure error messages for specific users and gaps in certain types of notifications, particularly involving real-time APIs. Gartner ranks the solution among the leaders.
Who uses it: SMBs, midrange, large enterprises
How it works: subscription cloud service
Bitglass
Security Package: Bitglass Next-Gen CASB
Value proposition for potential buyers: Bitglass runs natively from the cloud but it also can be deployed as a Docker container that serves as a host on-premises. The vendor has emerged as a leader in the CASB space by introducing a zero-day approach heavily tilted toward trust ratings, trust levels and at-rest encryption that’s tightly integrated with enterprise compliance and governance requirements.
Key values/differentiators:
- The platform, which extends to mobile security and shadow IT controls, is powered by an agentless “AJAX Virtual Machine (VM)” abstraction layer transparently embedded within a user’s browser to support real-time data protection in specific scenarios, including unmanaged devices.
- Bitglass CASB features an automated learning mode, digital watermarks, and strong data loss prevention.
- On the downside, Gartner points out that the solution isn’t able to modify SaaS application native security controls and it is limited in its ability to assign and consumer Azure Information Protection templates. Overall, Gartner rated Bitglass a leader in its 2018 Magic Quadrant ratings. Users say that the solution is intuitive and offers powerful capabilities.
Who uses it: mid-range to large enterprises
How it works: subscription cloud service with container option
Netskope
Security Package: Netskope Security Cloud
Value proposition for potential buyers: Netskope remains an independent company in a space where major software and networking companies are scooping up CASB solution providers. The company has been shipping products since late 2013. The company focuses heavily on application discovery and SaaS security posture assessments.
Key values/differentiators:
- Among its strengths are strong analytics tools, including behavioral analytics, and a robust alert system. This, among other things, helps Netskope spot vulnerabilities in APIs, mobile devices and shadow IT.
- Gartner labeled the company a leader in its 2018 Magic Quadrant.
- Users report that the solution offers strong visibility, powerful DLP features and excellent threat intelligence feeds.
To Take Under Advisement:
- Complaints revolve around difficulties configuring agents and a limited ability to use APIs for remediation. Many CASB vendors now incorporate APIs for posture assessment as well.
Who uses it: SMBs, midrange, large enterprises
How it works: subscription cloud service
Oracle
Security Package: Oracle Cloud Access Security Broker (CASB) Cloud Service
Value proposition for potential buyers: Oracle has moved beyond a one-solution-fits-all approach to CASB. Its solution, originally Palerra, offers discovery and deep visibility into SaaS applications using a log-based approach that revolves around cloud activity. This helps the solution identify risky applications installed through Oracle, Salesforce and other platforms. The result is strong security monitoring, threat protection and incident response. Organizations can also license Inline DLP (for real-time detection) and API DLP (for retroactive scanning).
Key values/differentiators:
- One of Oracle CASB’s strengths is a high level of flexibility, including the ability to expand detection to new content easily. In addition, custom applications running in the Java Virtual Machine (JVM) require no further action. They are automatically protected.
- Finally, Oracle CASB monitors for misconfigurations and notify users when a problem may be present—and when the organization doesn’t match industry benchmarks.
- Oracle landed as a challenger on its way to becoming a leader in Gartner’s MQ. Users praise the platform for easy integration and strong protection capabilities but say it can prove difficult to fully integrate across a portfolio of cloud solutions.
Who uses it: large enterprises
How it works: subscription cloud service and on-premises servers
Symantec
Security Package: Symantec Cloud Data Protection
Value proposition for potential buyers: Strong cloud security requires an array of features. Symantec delivers strong capabilities through its Cloud Data Protection platform, which incorporates products formerly offered by Blue Coat. The focus is on tokenizing or encrypting data stored in SaaS applications. The platform achieves a high level of protection through log analysis and traffic inspection. It provides cloud security assessment ratings by plugging in user behavior analytics, cloud usage patterns, malware analysis and cloud application discovery.
Key values/differentiators:
- Strengths include: strong reporting capabilities, alerts for policy violations, highly adaptive access controls and a wide range of predefined DLP selectors.
- Symantec is among the leaders in the Gartner MQ. Users say the platform delivers strong and mature capabilities.
Who uses it: Small,midrange and large enterprises
How it works: subscription cloud service