Cloud access security brokers (CASBs) explained
As the name suggests, a cloud access security broker (CASB) manages access between enterprise endpoints and cloud resources from a security perspective. CASBs can be deployed on-premises or in the cloud, as a hardware appliance or as software only, and can operate as a proxy, as a reverse proxy, or through specific APIs.
Enterprises have untold numbers of endpoints, both managed (corporate-owned devices) and unmanaged (devices owned by employees or third-party contractors). Endpoints can be on-premises or remote. And endpoints can include internet of things (IoT) devices.
In a multicloud environment, each endpoint could connect to multiple cloud resources over the course of a single day — productivity apps (like Microsoft 365), SaaS apps (like Salesforce and Workday), collaboration apps (like Slack and Zoom), and cloud storage (like Amazon Web Services and Dropbox). Not to mention homegrown apps that have been migrated to the cloud, or apps that have been developed in the cloud (that is, cloud-native).
CASBs sit between an organization’s endpoints and cloud resources, acting as a gateway that monitors everything that goes in or out, providing visibility into what users are doing in the cloud, enforcing access control policies, and looking out for security threats.
Some vendors have begun incorporating additional features into core CASB functionality, such as data loss prevention (DLP), secure web gateway (SWG), cloud security posture management (CSPM), and user and entity behavior analytics (UEBA).
Why enterprises need cloud access security brokers (CASBs)
The original use case for CASBs was to address shadow IT. When security execs deployed their first CASB tools, they were surprised to discover how many employees had their own personal cloud storage accounts, where they squirreled away corporate data. CASB tools can help security teams discover and monitor unauthorized or unmanaged cloud services being used by employees.
Today, CASBs encompass a variety of other use cases:
- Data protection: The COVID-19 pandemic drove employees to remote work and applications to the cloud, where they could be more easily accessed. The pandemic has passed, and many employees have returned to the office, but those applications and that data are still in the cloud. Organizations must protect sensitive data as it moves across a hybrid cloud environment.
- Compliance: Data privacy regulations continue to tighten. CASBs are an important tool in an organization’s overall regulatory compliance framework, enforcing data privacy policies.
- Remote workforce: Regardless of the location of employees, CASBs allow enterprises to implement security standards and secure remote access to cloud resources.
- Threat detection: CASBs can detect malicious activity, intrusion attempts, ransomware, and other types of security events. CASB tools can generate real-time alerts to enable quick response by security teams.
28%: Projected annual growth for spending on cloud access security brokers (CASBs) through 2028. Source: Mordor Intelligence
What to look for in a cloud access security broker (CASB) tool
From a purely functional perspective, there are four key features of a CASB tool:
- Visibility: CASBs provide comprehensive visibility into cloud usage, user activities, and data flows.
- Control: CASBs offer granular control over user permissions and data access.
- Data protection: CASB solutions provide data protection capabilities to safeguard sensitive information across multiple cloud services.
- Compliance: CASB tools help maintain compliance with data privacy regulations.
Beyond those core features, organizations need to make sure the CASB tool integrates well with existing cloud services, applications, and security infrastructure.
There are two basic deployment modes: proxy-based and API-based. Most experts say that API-based CASBs provide better functionality, but organizations need to make sure that the vendor’s list of application programming interface (API) connections matches up with the organization’s inventory of cloud apps.
Major trends in cloud access security brokers (CASBs)
Standalone CASBs are a growing market, valued at $11 billion in 2023 and expected to grow 17% annually to reach $24.2 billion by 2029, according to Mordor Research. “The surge in the adoption of various cloud-based services, growing concerns about data security, and the increasing demand for integrated security solutions drive the market’s growth significantly,” says Mordor.
However, it is important to note that CASBs are also a key component of a broader security strategy that goes by two names:
- Gartner calls that broader strategy Security Service Edge (SSE), an integration of CASB, SWG, and Zero Trust network access (ZTNA). Gartner says, “By 2026, 85% of organizations seeking to secure their web, SaaS, and private applications will obtain the security capabilities from a Security Service Edge (SSE) offering.” (The Gartner nomenclature has become the de facto standard.)
- IDC defines the category as network edge security as a service (NESaaS), with the same three core components: CASB, SWG, and ZTNA. IDC says, “The network security market is in the process of a much-needed convergence trend. Security vendors have shifted from a focus on à la carte, individualized security services to a consolidated, cloud-delivered network security platform that treats individual services as optional modules.”
Leading cloud access security broker (CASB) vendors
The list of leading CASB vendors (in alphabetical order) includes pure-play companies as well as traditional security vendors that have added CASB capabilities to their portfolios either by acquisition or through internal development.
Cisco Cloudlock: Cisco Systems acquired CASB startup Cloudlock back in 2016 and retained the brand name. Cisco Cloudlock is a cloud-native CASB that protects users, data, and apps with an automated approach that uses APIs to manage the risks in the cloud app ecosystem. Cloudlock uses advanced machine learning algorithms to detect anomalies. It provides DLP functionality. And Cloudlock targets shadow IT with policy-based controls that can block dangerous activities, depending on permissions and risk levels.
Forcepoint: In 2021, Forcepoint bought Bitglass, one of the original standalone CASB vendors and a leader in Gartner’s Magic Quadrant for CASB. Forcepoint has integrated Bitglass technology with its own powerful DLP capabilities to provide an SSE solution. Forcepoint excels in monitoring and reporting on shadow IT, and its UEBA feature is popular. The software also supports a Zero Trust architecture, providing device and user authentication.
Lookout: Endpoint protection vendor Lookout acquired CASB innovator CipherCloud in 2021 and has put together a CASB designed to provide visibility across managed and unmanaged cloud-based applications, users, endpoints, and data. Lookout CASB helps implement Zero Trust access controls, features advanced DLP capabilities, and supports a range of purpose-built integrations.
Microsoft Defender for Cloud Apps: Microsoft Defender for Cloud Apps is a full-featured CASB focused on protection for SaaS applications. It includes shadow IT discovery, visibility into cloud app usage, protection against app-based threats, information protection, and compliance assessments. Advanced capabilities include SaaS security posture management (SSPM), which enables security teams to improve the organization’s security posture; advanced threat protection as part of Microsoft’s extended detection and response (XDR) solution; and an app governance feature that extends additional threat protection to critical data and resources.
Netskope: One of the original pure-play CASB vendors, Netskope is a leader in CASBs as well as SSE. Forrester Research says, “Netskope has shown innovation across its technology stack, including significant investments in an impressive new private global network, artificial intelligence and generative AI security.” Netskope has recently merged SWG functionality into its CASB tool.
Palo Alto Networks: Palo Alto touts its CASB as being “next-generation,” based on the proposition that it’s less a standalone product and more of a range of integrated solutions such as inline security, SSPM, and enterprise DLP. The Palo Alto CASB is designed to secure apps and data across cloud and hybrid workforce environments. It protects data in transit between users and SaaS providers, facilitates regulatory compliance, and minimizes risks from shadow IT.
Proofpoint: Proofpoint CASB is focused on extending DLP and threat protection from email to cloud apps. Proofpoint takes a people-centric approach; it provides granular visibility into who creates sensitive data and who owns, downloads, uploads, shares and edits that data. It identifies users who have been successfully phished, and those who have been attacked most by hackers.
Skyhigh Security: Skyhigh CASB, through its inline deployment modes (forward and reverse proxy), enables real-time control over user access to sanctioned and unsanctioned cloud services. Skyhigh (a unit of Indian IT tech provider Musarubra) focuses on providing comprehensive multimode coverage that feeds security events into a machine learning system to provide sophisticated event correlation, helping security teams to focus on real threats rather than false alarms.
Symantec: Symantec, a division of Broadcom, offers its CloudSOC CASB to monitor and control the use of sanctioned SaaS apps through extensive API integrations and in-line traffic analysis. The Symantec CASB provides full visibility and automatic detection of high-risk users, compromised accounts, and malicious insiders. Individualized behavioral-based user ThreatScores allow fast identification of risky user accounts. The tool automates the classification of regulated data flowing in and out of apps, and it enforces controls that align with corporate policies. The tool includes DLP functionality and CSPM.
Zscaler: Zscaler CASB offers inline, real-time capabilities and out-of-band scanning functionality to protect data, block threats, provide visibility, and assure compliance. Key features include agentless cloud browser isolation to secure BYOD and third-party devices where software installations are infeasible, advanced threat protection to stop malware from reaching cloud resources in real time, cloud sandboxing to detect new ransomware and other zero-day infections, and shadow IT discovery to automatically identify unsanctioned apps used by employees and create a risk score for each.
What to ask before buying a cloud access security broker (CASB) tool
Buying a CASB tool can be complex. There’s a laundry list of possible features that fall within the broad CASB definition (DLP, SWG, etc.). And CASB tools themselves are part of a larger trend toward SSE and SASE platforms that include features such as ZTNA or SD-WAN. Enterprises need to identify their specific pain points, whether that’s regulatory compliance or shadow IT, and select a vendor that meets their immediate needs and can also grow with the enterprise over time.
8 key questions to ask yourself before buying a CASB tool
- Do I have a good handle on what cloud services my users are accessing, including employees, contractors, and other third parties?
- Do I have a solid data classification system in place, so that I know what types of data are sensitive or mission critical?
- Do I have policies in place for access control across on-prem and cloud environments, including SaaS applications?
- Do I have clear objectives? What are my priorities when shopping for a CASB?
- How will a CASB tool integrate with my existing security infrastructure?
- How will the purchase of a CASB tool play into my broader security roadmap that might include the adoption of SSE or SASE?
- Do I have the budget for a new tool?
- Do I have the in-house staff to deploy and manage the tool on-premises, or should I take the cloud-based, managed service route?
8 key questions to ask CASB vendors
- What features are included in the CASB product? Do I get DLP and SWG as part of the CASB, or are those additional modules?
- What is your roadmap for SSE and SASE?
- Many vendors have purchased freestanding CASB tools and integrated them into the company’s broader security portfolio. What is your level of integration?
- How will this tool fit into my existing security infrastructure now and in the future, as I migrate more security functionality to the cloud?
- What geographies do you cover?
- Do your APIs cover all the cloud services that I use?
- Can your product scale as my company grows?
- What is the initial cost, as well as the longer-term total cost of ownership?