Analyst(s): Steve Riley, Craig Lawson
Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud. Security and risk management leaders should align CASB vendors to address specific use-case requirements.
By 2020, 60% of large enterprises will use a CASB to govern cloud services, up from less than 10% today.
Through 2020, at least 99% of cloud security failures will be the customer's fault.
Gartner defines the cloud access security broker (CASB) market as products and services that provide visibility into general cloud application usage, data protection and governance for enterprise-sanctioned cloud applications (see "Mind the SaaS Security Gaps"). This technology is the result of the need to secure the significantly increased adoption of cloud services and access to them from users both within and outside of the traditional enterprise perimeter. CASBs deliver capabilities that are differentiated from and generally not available in other security controls such as web application firewalls (WAFs), secure web gateways (SWGs) and enterprise firewalls. The CASB design philosophy recognizes that, for cloud services, the protection target is different: The data is yours, but processed and stored in systems you don't own. CASBs provide consistent policy and governance concurrently across multiple cloud services, for users and devices, and granular visibility into and control over user activities and sensitive data.
CASBs primarily govern SaaS back-office enterprise applications, such as content collaboration platforms (CCPs), CRM, HR, ERP, service desk and productivity applications (for example, Salesforce, Microsoft Office 365 and Google G Suite) that are used by all industry verticals. CASBs provide a consistent and convenient point of control over user activity and user data in a growing set of SaaS and other cloud-based applications. They increasingly support control of enterprise social networking use and can impose additional control over the consoles for popular infrastructure as a service (IaaS) offerings like Amazon Web Services (AWS) and Microsoft Azure. Some vendors provide the ability to extend data security and threat protection capabilities to custom applications in IaaS and platform as a service (PaaS) clouds. Some also deploy in front of enterprise applications to bring these under a consistent cloud service management framework.
CASBs deliver functionality through four pillars:
Visibility. CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location. Leading CASBs take this further with a cloud service security posture assessment database to provide visibility into the trustworthiness of the security capabilities and secure operations of the cloud service provider (CSP; see "Unsanctioned Business Unit IT Cloud Adoption Will Increase Financial Liabilities").
Data security. CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, on data discovery, and on user activity monitoring of access to sensitive data or privilege escalation. Policies are applied through controls, such as audit, alert, block, quarantine, delete and view-only. Several CASBs provide the ability to encrypt or tokenize and redact content at the field and file level in cloud services. Encryption key management may be integrated with on-premises products. CASBs can perform data loss prevention (DLP) natively on text-based content in structured data and in files, and some can import policies from on-premises or cloud-based DLP tools through either ICAP or RESTful APIs. Some CASBs now offer data-centric audit and protection (DCAP) features and integration with enterprise digital rights management (EDRM).
Threat protection. CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behavior analytics (UEBA) for determining anomalous behavior, the use of threat intelligence, malware identification and remediation, and file sandboxing. In some cases, CASB vendors have their own analyst teams researching cloud-specific and cloud-native attacks.
Compliance. Compliance mandates, whether from government legislation, external agency rules, or internal compliance requirements, do not disappear when moving to the cloud (even though a fair amount of on-premises technical debt does). CASBs help organizations achieve and demonstrate compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
The CASB market is crowded, with vendors seeking differentiation across the four pillars. Some execute well across all of them, while others choose to focus on fewer of them but still offer basic functionality in all four. When originally conceived, CASBs focused on either visibility or encryption. As products have matured, visibility remains an important use case, but additional use cases have arisen that are as important, if not more so, than visibility. Many Gartner clients deploy CASBs for DLP and data security, for adaptive access control, and for UEBA, which raise the importance of a CASB from a visibility tool to a cloud service governance tool. Encryption or tokenization at the field level is not a common use case for most clients.
CASB technology is deployable as a SaaS application, as an on-premises virtual or physical appliance, or as both using a hybrid combination of on-premises and cloud-based inspection and enforcement points. The SaaS form factor is appreciably more popular than the on-premises flavors of this technology, and it is increasingly the preferred option for most use cases as it more easily handles remote and mobile users. However, the on-premises versions satisfy use cases in which regulatory or data sovereignty rules mandate specific data security policies or storage locations. The implications of the impending General Data Protection Regulation (GDPR) will have an impact on this market (see "GDPR Clarity: 19 Frequently Asked Questions Answered").
A common question from many Gartner clients is which technical architecture is best: API-only, proxy-only, or multimode (both API and proxy; see "Select the Right CASB Deployment for Your SaaS Security Strategy"). No single answer exists for this question because product selection should be driven by use cases, not by technical architecture. Your existing "SaaS-scape" (that is, the landscape of SaaS applications in use) and network connectivity may place restrictions on certain kinds of deployment modes, but CASB use cases should remain in mind when evaluating vendor capabilities.
Because of the rapid adoption of cloud services by enterprises, CASB vendors have aggressively competed for leadership. Some incumbent security vendors have made acquisitions, while others have added some aspects of CASB functionality into existing products. We anticipate even further consolidation in the market during the months and years to come.
Source: Gartner (November 2017)
Bitglass was founded in January 2013 and began shipping a CASB in January 2014. With a focus on sensitive data discovery, classification and protection, it also includes several document management and protection capabilities, such as watermarking and encryption methods that support search and sort. It uses an agentless "Ajax Virtual Machine (VM)" abstraction layer that is transparently embedded within the user's browser to support real-time data protection in specific scenarios including unmanaged devices. The Ajax-VM detects and reacts to changes in underlying SaaS applications that might otherwise bypass traditional reverse proxies. Bitglass is a full multimode CASB, offering reverse proxy, forward proxy and API support of major SaaS applications. Bitglass also offers basic mobile device management (MDM) and identity and access management as a service (IDaaS) capabilities. Bitglass can be consumed as SaaS or deployed on-premises and, in either case, the Key Management Interoperability Protocol (KMIP) interface for encryption keys is supported.
With an emphasis on governing sanctioned apps and steering traffic via reverse proxy with single sign-on (SSO) integration, Bitglass' time to deployment is rapid for most supported cloud services.
DLP policies can include native DRM actions that extend protection to data stored outside SaaS applications, as links to read-only HTML files that require authentication or as locally encrypted objects. DLP fingerprinting extracts contents from documents and form fields to detect percentage matches.
Policy management is applied on a per-application basis and works like a firewall policy (processed in order), making it straightforward to review a policy for a cloud service.
For midsize enterprises, Bitglass can replace the need for separate MDM and IDaaS tools by offering these capabilities directly. Authentication is processed through a SAML proxy connected to on-premises Active Directory. ActiveSync and Exchange Messaging API (MAPI) proxies allow native Office client protocols.
When users visit unsanctioned cloud applications, Bitglass can insert HTML messages to coach users toward sanctioned applications instead.
Discovery capabilities are adequate but basic, and shadow IT detection isn't a primary use case; its set of SaaS security posture attributes is smaller than some of its competition.
Bitglass' depth of API integrations is sufficient for leading cloud services, but it lacks the breadth of support compared to other vendors.
Step-up authentication is limited to Bitglass' own IAM actions, Google Authenticator and Duo.
Workflow through the user interface can become unwieldy if governing a large number of SaaS applications.
Bitglass lacks the market profile and channel partner reach of competing CASB-only vendors.
CensorNet was founded in February 2007 and began shipping a CASB in April 2015. Its CASB complements existing email, web security and multifactor authentication products. Derived from its existing SWG platform, CensorNet is already positioned to capture traffic and see the flow of data to and from SaaS applications. It has a generalized policy engine through which a CASB administrator can define sensitive data based on content types, locations, users and other markers. CensorNet helps with compliance mandates by monitoring sensitive data and generating reports about what it sees.
Like most SWGs, CensorNet acts as a forward proxy, using on-premises physical/virtual appliances and on-device agents that rely on a cloud-based back end for analysis and enforcement. The current offering is focused on visibility and SaaS application user and policy control, and now delivers more capabilities for more cloud services.
CensorNet's combination of CASB, SWG, multifactor authentication (MFA) and email security capabilities, along with its easy-to-understand pricing, make the product well-suited to midsize enterprises.
When users connect to cloud services, CensorNet sends only metadata about cloud requests for analysis; if requests are allowed, direct user-to-cloud connections are permitted and optionally logged. Return traffic passes through CensorNet for analysis, including checking for malware.
In addition to engineering staff responsible for updating the product as SaaS applications change, CensorNet runs an automated tool that continuously probes the most popular (top 50) SaaS destinations to learn about and react to changes in application architecture.
Although CensorNet has basic capabilities for identifying sensitive data and reacting in some way, the product has no encryption or tokenization capability, no DLP or document classification capabilities, and no form of native EDRM or EDRM integration.
CensorNet does not support API modes of operation now, although that is on its roadmap. This limits CensorNet's use cases compared to other CASBs.
CensorNet tracks a limited number of attributes for describing the security posture of supported cloud services, and this information is not exposed to customers.
CensorNet lacks the market profile and channel partner reach of competing CASB-only vendors.
CipherCloud was founded in October 2010 and began shipping a CASB in March 2011. CipherCloud was an early entrant in the CASB market, with an initial focus on encrypting and tokenizing data at the field level in popular enterprise SaaS applications. CipherCloud is well-known for this use case and can integrate with on-premises key management, DLP and DCAP products. It has expanded its data protection capabilities to cover a broader range of structured and unstructured data within SaaS applications.
CipherCloud performs content and user activity monitoring, threat protection, cloud discovery and SaaS security posture assessment. CipherCloud's most popular deployment is as software or as a virtual on-premises appliance that can act in forward- or reverse-proxy mode to encrypt content before it enters a cloud service to satisfy regulatory requirements. It is also available as a service, in which it offers only API-based inspection of data in cloud applications.
CipherCloud offers a thorough and well-defined policy configuration workflow for data security and compliance use cases.
CipherCloud can manage keys for SaaS-native encryption services to preserve maximum application functionality, and it can tokenize and encrypt data outside SaaS applications while preserving functionality like searching and sorting.
For blocking unsanctioned SaaS apps, CipherCloud generates access control lists (ACLs) to import into proxy servers or firewalls.
The policy creation workflow presents an easy way to choose whether to use API inspection, proxy insertion, or both for each governed cloud application.
DLP policies can be built only from keywords, regular expressions and common number types. More advanced DLP, such as similarity matching and fingerprinting, requires importing policies from enterprise DLP tools via ICAP.
The on-premises and cloud-delivered versions vary with respect to features, policy creation and management interface; however, CipherCloud is working to mitigate the differences.
The management console lacks incident management. Proper workflows require integration with third-party security information and event management (SIEM) tools or incident management services.
While the policy engine is sophisticated, at times administrators might struggle with the complexity of the interface, rule interpretation and troubleshooting the perceived versus enforced policy in place.
Gartner clients have reported issues with CipherCloud negatively affecting SaaS application functionality. CipherCloud has a lower renewal rate than its competitors.
Cisco acquired Cloudlock, an API-only CASB, in August 2016 and began the work of integrating it along with several other acquisitions into a broad security portfolio. This portfolio covers its heritage in network and endpoint security, client VPN, email and web security, identity-based networking, threat detection, and cloud security. This large collection of products has considerable reach given Cisco's network of direct sales, channel providers and resellers. Customers of all Cisco security products, including Cloudlock, receive threat intelligence from Talos, Cisco's well-regarded threat research organization.
Cisco has been heavily investing in its range of products that deliver traditional security capabilities from the cloud and products that deliver cloud-native security services such as OpenDNS. For Gartner clients already invested in the Cisco ecosystem, Cloudlock should be on vendor shortlists. Cloudlock is currently In Process for a Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate at the Moderate impact level.
Cloudlock's API inspection supports popular cloud services, all applications on Salesforce's AppExchange (with more than 6,000 apps), and applications on Okta and OneLogin marketplaces; but it is, as with any API-only CASB, limited to only those APIs.
Cloudlock was an early identifier of potential abuse via connected in-cloud apps, and it provides a mechanism for overriding permissions granted to OAuth tokens, thus blocking a growing form of cloud attack.
DLP rules with selectors for exact data matching do not require submitting data to Cisco; instead, only the results of matches are sent.
Cisco's addition of developer APIs allows organizations to extend Cloudlock to SaaS applications not natively supported and to custom applications running in IaaS clouds and on-premises.
Field and file encryption support is limited to a small subset of governed SaaS applications, and relies on SaaS-native encryption (if it's available) and an API for configuring it; Cloudlock cannot manage the keys for this. Cloudlock has no support for tokenization of data in SaaS applications.
Cloudlock lacks ICAP and RESTful integration with on-premises DLP tools.
Use cases that require in-line inspection cannot be supported by Cloudlock alone; a subscription to the full Umbrella platform will be required, which includes a dedicated agent for forward-proxy mode. No reverse-proxy mode is available.
The workflow for investigating a particular user's activity is cumbersome.
The cloud discovery database relies primarily on crowdsourced data and lacks the depth of coverage that competitors have.
In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013, and renamed it Microsoft Cloud App Security (MCAS). It is an API-only CASB available stand-alone and as part of Microsoft's Enterprise Mobility + Security (EMS) suite. While MCAS on its own offers features that touch each of the four pillars, more complete functionality requires a suite of Microsoft services. The suite includes MCAS, Azure Active Directory (including Azure AD Conditional Access and Azure AD Identity Protection), Azure Information Protection, Advanced Threat Analytics, and Intune.
MCAS is delivered as SaaS from Azure data centers. No endpoint agents or on-premises editions are available. Certain Office 365 subscriptions include a subset of MCAS capabilities (excluding DLP) called Office 365 Advanced Security Management (ASM), designed to protect only an Office 365 tenant (not other SaaS applications).
For customers already heavily invested in the Microsoft ecosystem, MCAS provides adequate governance over and protection of data in Office 365 and other SaaS applications. The EMS suite offers even stronger configuration and integration options.
MCAS's report ingestion works with more on-premises firewalls and proxy servers than most of its competitors, and ranks the risk of SaaS applications using a respectable 60 attributes.
MCAS offers control over sanctioned SaaS applications via a broad range of predefined and custom policies. The policy engine tracks how file access policies change over time.
MCAS observes how users interact with SaaS applications and can detect risky or abnormal behavior that indicates possible attack.
To improve functionality across all four CASB pillars, customers will likely need to deploy multiple Microsoft products alongside MCAS. Microsoft's cloud security products work best when customers deploy the entire suite of products; stand-alone or a la carte deployments offer reduced functionality.
Cloud App Security relies on API connectors to govern popular SaaS applications. Proxy functionality remains a roadmap item, now slated for the end of 2017 and expected via Azure AD Conditional Access or a SAML proxy. When it arrives, evaluate its behavior to ensure it supports the content and applications you require.
Configuring policies in the full suite often requires duplication of administrative effort. There is no coordination between Office 365 DLP policies, MCAS DLP policies and Azure Information Protection policies. Most organizations will find that third-party data security providers are far more robust, including having larger predefined DLP policy libraries and more sophisticated detection methods.
Field-level tokenization and data encryption are not available in MCAS natively. Data protection (including classifying, labeling, and file encryption) is possible using Azure Information Protection.
Netskope was founded in October 2012 and began shipping a CASB in October 2013. Netskope was one of the early CASB vendors that emphasized cloud application discovery and SaaS security posture assessments as initial use cases. It has since added better user behavior analytics and alerting within managed and unmanaged SaaS applications. Netskope's DLP engine rivals that of some on-premises tools and is frequently cited by Gartner clients as a reason for choosing the product. Netskope is one of the few CASBs that deploys and runs its own distributed network fabric and does not rely on an IaaS provider. On-premises physical and virtual appliances are also available.
Netskope's most common implementation models are forward proxy (with or without agents, depending on the use case required) or forward-proxy chaining and API inspection of popular SaaS applications. It added support for reverse-proxy capabilities and ActiveSync in 2014. Netskope's agents permit monitoring and control of native mobile applications and sync clients and can perform file-level encryption. It has further expanded its threat protection features by adding in-line proxy and API-based inspection of content for malware using an anti-malware engine from an OEM.
Netskope offers a DLP engine that includes a corpus-based fingerprinting and similarity matching capability, OCR of images, and ICAP-based integration with on-premises DLP tools.
The shadow IT discovery process includes a guided remediation procedure with common recommendations for improving cloud security postures.
Netskope's Cloud Confidence Index risk database is comprehensive, with 44 criteria that include details about pricing, business risk and GDPR readiness across thousands of cloud services.
Encryption and tokenization of structured data support searching and preservation of common functions, but currently only in Salesforce.
Device posture policies can signal an endpoint protection tool (like Carbon Black) to take various actions, including isolation from governed SaaS applications.
While Netskope recommends a forward-proxy deployment for many use cases, necessitating network or endpoint configuration, this may negatively affect use cases that prefer API inspection or require a focus on access to SaaS applications by unmanaged devices.
Netskope's API support extends only to the most popular cloud services; its API coverage isn't as broad as some other vendors. Customers requiring API inspection for more cloud services may need to augment with additional components.
Step-up authentication policies work with only a single IDaaS provider (Ping Identity).
Netskope does not support function-preserving operations on encrypted unstructured data.
In September 2016, Oracle acquired Palerra, a vendor founded in July 2013, which had been shipping a CASB product since January 2015. Now called Oracle CASB Cloud Service, it's a multimode CASB with capabilities to govern SaaS, PaaS and IaaS applications. The Oracle CASB for Discovery product provides visibility into SaaS applications by analyzing logs for cloud service activity and identifying risky applications (including those installed from Salesforce's AppExchange). The Oracle CASB for SaaS, for IaaS, and for Custom Apps in AWS products are suitable for use cases such as security monitoring, threat protection and incident response.
The user behavior analytics features in Oracle CASB incorporate data from access and in-application activity, support threat intelligence feeds, and provide threat modeling to assist with threat detection. Oracle CASB offers features that allow organizations to centrally control the native security configurations of SaaS applications and IaaS consoles. Oracle CASB is delivered from a global multiregion data center backbone as SaaS or sold through a managed security service provider (MSSP)-managed cloud-based service. No on-premises version is available.
Oracle's risk scoring mechanism augments the research of an internal intelligence team with data derived from a third-party assessment service and from user-weighted attributes.
Oracle CASB can measure the configuration of native security controls in sanctioned apps and suggest improvements.
Oracle's UEBA stood out from the competition. Continuous assessment of behavior assigns every user a dynamic risk score that then informs assessments across the entire Oracle CASB installed base. Inappropriate behaviors can be linked to instructions that inform users how to avoid risky behavior.
Incident response includes case management, multilevel alerting and notification, and support for external ticketing systems with orchestration for consent-driven remediation.
Typically, Gartner clients do not view Oracle as a strategic vendor for cloud security or threat protection.
Oracle sellers and channel partners lack experience selling products to security buyers. A consistent approach to showing the value of the product globally is not yet evident.
While Oracle CASB can be the key life cycle manager for SaaS-native encryption capabilities, the product has no mechanism for tokenizing or encrypting data at the field or file level.
DLP capabilities are basic, with policies containing keywords, regular expressions and common content types. It lacks support for fingerprinting and similarity matching, and it has no integration with on-premises DLP products.
Oracle CASB has no integrations with enterprise mobility management (EMM) products for posture assessment and traffic steering.
In May 2015, Palo Alto Networks acquired CirroSecure, a vendor founded in July 2013, and relaunched the product as Aperture with built-in threat intelligence (via WildFire). It's an API-only CASB that was released in September 2015. Palo Alto Networks had already offered cloud application discovery and in-line control capabilities to its customers for some time via its firewall. Aperture augments this with API-based visibility and governance for users who are either on- or off-premises, on managed and unmanaged devices. With this architecture, customers must run both Palo Alto Networks' firewall and Aperture to enable coverage of the four CASB pillars and to satisfy the most common CASB use cases. The intended market for Aperture is existing Palo Alto Networks customers seeking cloud visibility and governance not available through Palo Alto Networks' firewall alone. Additional features within Aperture offer content scanning, sensitive data monitoring, malware detection and remediation, analytics, risk identification, and reporting.
Aperture provides improved cloud security for Palo Alto Networks customers who are making the transition to more cloud services.
Aperture's API inspection offers Palo Alto Networks' customers a mechanism to investigate data already at rest inside sanctioned SaaS applications, a capability not available with the firewall alone.
Aperture DLP extends beyond keywords and common content types, using classifications that Palo Alto Networks developed with machine learning via acquired datasets from third parties; policies can also include actions based on automated classifications applied by Titus.
Aperture's primary focus is governing only supported, sanctioned applications via APIs. Palo Alto Networks requires the use of its firewall and its management console (Panorama) to perform shadow IT discovery, in-line inspection and other functions, narrowing Aperture's appeal to Palo Alto Networks' installed base.
Aperture lacks encryption and tokenization of data in SaaS applications. Customers can subscribe to Ionic, a third-party service, for file encryption (but not for field encryption or tokenization).
There is no integration between Panorama (for managing in-line inspection through the firewall) and Aperture (for API inspection). Separate consoles are required; there is no common workflow and policy duplication may occur.
Palo Alto Networks lacks integration with an on-premises DLP product. While its firewall has a DLP capability, it's unrelated to Aperture and is extremely limited compared to the competition.
Saviynt was founded in January 2010 and began shipping a CASB in July 2014. Saviynt offers only API-based inspection for some common SaaS applications and for IaaS cloud infrastructure components. Saviynt emphasizes the role of identity in its cloud security products; indeed, its CASB is derived from its identity and access governance platform, and available SaaS controls exhibit a focus on identity. Visibility is available only for sanctioned applications and does not extend to unsanctioned applications or to unmanaged devices, which can limit the overall set of available use cases. Saviynt is available as SaaS and as on-premises physical and virtual appliances.
With a focus on compliance-driven use cases for governing sanctioned cloud services, Saviynt includes controls for managing privileged access and separation of duties.
Saviynt exposes granular entitlement settings for users and objects in SaaS applications. Its distinctive graphical workflow editor enables sophisticated yet easy-to-understand workflows for policy management.
Its DLP engine can ingest policies from an existing on-premises DLP product. It can also classify content after scanning, including adding metadata to Office 365 documents.
Saviynt gathers detailed event information and telemetry from sanctioned apps and generates reports with suggested remediation actions for security administrators and researchers.
Saviynt has no native shadow IT discovery and no mechanism for blocking access to consumer versions of services, but can audit transfer of files (if the SaaS service exposes an audit API and audit permission is granted).
Saviynt lacks tokenization or encryption of data in SaaS applications.
Trying to understand which entitlements are assigned per role and then applying those to specific users via role-based access control (RBAC) is a thorough but complicated process.
Threat detection is limited; it offers only an IP-address-blocking capability based on threat intelligence feeds. Saviynt offers no malware scanning, natively or via third-party engines. It lacks UEBA and other advanced analytics capabilities.
Skyhigh Networks was founded in December 2011 and began shipping a CASB in January 2013. On 27 November 2017, McAfee announced its intention to acquire Skyhigh Networks. Skyhigh was one of the first CASB vendors to raise awareness of shadow IT. Using one of the largest cloud service discovery databases, Skyhigh customers can perform security posture and risk assessment of sanctioned and unsanctioned cloud services. Skyhigh has since expanded further into data security with the addition of DLP, encryption, and tokenization of structured and unstructured data for popular SaaS applications. Skyhigh continues to improve its security analytics with UEBA capabilities.
Most Skyhigh deployments combine a reverse proxy with API inspection; forward proxy is also available. Skyhigh's service runs on multiple IaaS clouds worldwide and is available as an on-premises virtual appliance. It is the only CASB in the market with a completed FedRAMP Authority to Operate.
Recent interface and dashboard improvements display important indicators of security posture along with recommended remediations, some of which involve initiating updates to network firewalls, SWGs and endpoint security products.
The policy engine keeps versioned copies as policy changes are made to simplify reverting if necessary. The engine's monitor-only mode allows administrators to test policy changes before implementing them.
For controlling open shares, Skyhigh displays a graph of the existing sharing relationships between objects. A feature called Lightning Link hooks into sharing events and applies policy actions before the triggering share completes, which provides real-time, API-based control over sharing activity.
Skyhigh's DLP engine is sophisticated enough that many organizations will not need their existing DLP tools for data in SaaS applications. It can be fed a corpus of protected content and generate rules that trigger when a candidate file matches a configured percentage of that corpus. For some SaaS applications, the engine delivers in-app notification of violations.
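To make the percentage-match idea concrete, here is an added example of how such a rule can be built from a corpus document; it is not Skyhigh's code, and the memo text and the candidate messages it scores are constructed. The protected document is reduced to a set of overlapping word windows (shingles), so the rule store holds a fingerprint rather than the document itself, and a candidate triggers when it contains at least the configured fraction of those windows.

```python
"""Corpus-based DLP matching on word shingles.

Added illustration of how a "percentage match" rule can work; it is not a
vendor's engine, and the documents below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SHINGLE_WORDS = 4  # words per shingle; larger values cut false positives, smaller ones catch shorter excerpts


def word_shingles(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Normalise case and punctuation, then return the set of k-word windows."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


@dataclass(frozen=True)
class CorpusRule:
    name: str
    fingerprint: frozenset[str]  # shingles of the protected document; the document itself is not kept
    threshold: float             # fraction of the protected document that must appear in the candidate


def make_rule(name: str, protected_text: str, threshold: float) -> CorpusRule:
    return CorpusRule(name, frozenset(word_shingles(protected_text)), threshold)


def match_fraction(candidate_text: str, rule: CorpusRule) -> float:
    """Fraction of the protected document's shingles present in the candidate.

    Measuring against the protected document (rather than Jaccard similarity)
    means a long e-mail that quotes half of a contract still scores about 0.5.
    """
    if not rule.fingerprint:
        return 0.0
    return len(word_shingles(candidate_text) & rule.fingerprint) / len(rule.fingerprint)


def evaluate(candidate_text: str, rules: list[CorpusRule]) -> list[tuple[str, float]]:
    """Return (rule name, score) for every rule whose threshold is met."""
    hits = []
    for rule in rules:
        score = match_fraction(candidate_text, rule)
        if score >= rule.threshold:
            hits.append((rule.name, score))
    return hits


# Constructed protected document: 27 words, so 24 four-word shingles.
MERGER_MEMO = ("The merger agreement between Acme Corp and Globex is confidential and must not be "
               "shared outside the deal team until the board has approved the final terms")
RULES = [make_rule("merger-memo", MERGER_MEMO, threshold=0.30)]

if __name__ == "__main__":
    samples = {  # constructed candidates a proxy or API scan might see
        "verbatim": "the MERGER agreement, between acme corp and globex, is confidential and must not be "
                    "shared outside the deal team until the board has approved the final terms.",
        "first-half": "The merger agreement between Acme Corp and Globex is confidential and must",
        "short-quote": "Hi Bob, as discussed: the board has approved the final terms. Thanks",
        "unrelated": "Lunch menu for Thursday: soup, salad and sandwiches",
    }
    for label, text in samples.items():
        print(f"{label:12} {match_fraction(text, RULES[0]):.2f} {evaluate(text, RULES)}")
```

Scoring the fraction of the protected document found in the candidate is what lets a message quoting half of the memo score 0.375 and trigger, while the one-sentence quotation scores about 0.17 and stays under the 30% threshold; shingle size and threshold are the two knobs a practitioner tunes between those outcomes. At scale the fingerprints would be MinHash sketches rather than full shingle sets, but the decision logic is the same.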
Using AppExchange connectors, a SaaS vendor can create an API adapter configuration file to enable Skyhigh's CASB to monitor and control the application, alleviating the need to wait for Skyhigh's engineers to add built-in support.
The range of features, which are often delivered on a per-SKU basis, complicates licensing.
Although Skyhigh recently reduced prices, some Gartner clients continue to find Skyhigh's pricing unfavorable when compared with other vendors.
Despite improvements to its DLP, Skyhigh is not as well-known as some competitors for discovering and monitoring sensitive data. Few Gartner clients mention DLP as a deciding factor for selecting Skyhigh.
Step-up authentication works only through an IDaaS; no native capability is available.
In June 2016, Symantec acquired Blue Coat, adding several security products to its portfolio. Included were two CASBs previously acquired by Blue Coat: Perspecsys in July 2015 and Elastica in November 2015. Perspecsys, founded in 2009, emphasized satisfying data residency requirements by tokenizing or encrypting data stored in SaaS applications. Elastica, founded in 2012, was best-known for its DLP, UEBA and content inspection capabilities.
With these acquisitions, the renamed Symantec CloudSOC offers a complete multimode CASB with an optional data encryption/tokenization gateway. Symantec incorporated cloud application discovery and security posture assessment capabilities into its traditional management console for SWG customers, creating an upsell opportunity to its full CASB.
CloudSOC produces a wide range of reports for different audiences including executive boards, auditors and security teams.
Encryption support includes integration with on-premises hardware security modules (HSMs) and CASB-generated keys, but not management of SaaS-native keys. The ability to tokenize and encrypt data at the field level for selected SaaS applications like Salesforce preserves common functions such as searching and sorting.
Integration with on-premises DLP tools allows for a single console to manage policies everywhere via a native RESTful API; customers already invested in Symantec DLP should shortlist CloudSOC for this reason. CloudSOC DLP extends beyond strings and regular expressions to include all the native features of Symantec DLP, supporting more than text-based pattern matching.
CloudSOC policies can read and react to data classifications from SaaS applications that support such capability, like Box and Office 365 Information Rights Management (IRM).
CloudSOC's UEBA capabilities include risk scoring from multiple events and suggested remediations, which can include step-up authentication.
The tokenization function is performed by a separate on-premises appliance and isn't yet integrated into the cloud-delivered product.
Depending on use cases, multiple client-side software components may be required — one for CloudSOC, another for other Symantec products, and yet another for displaying encrypted or tokenized data on mobile devices.
The amount of information gleaned from logs (network and endpoint) and user and application behavior profiling can be overwhelming; it will take some time for customers to develop useful dashboards.
Gartner clients have reported that the Symantec CASB DLP connector is an expensive extra cost.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
This is a new Magic Quadrant so no companies were added or dropped.
The evaluations in this Magic Quadrant represent vendor capabilities and positions during the evaluation period, January 2016 through May 2017. Like all Magic Quadrants, this is a snapshot in time, and vendors will likely have added capabilities not captured here. In a few cases, product names will have changed, too.
To qualify for inclusion, vendors must meet the following criteria:
Revenue and deployment. Must have achieved CASB product sales globally in the 2016 calendar year of more than $5 million, have at least 25 paying customers, and at least 25,000 seats deployed.
Geography. Must compete in at least two of the four major regional markets (Americas, Europe, Asia/Pacific and the Middle East/Africa).
Product configuration. Must sell the product as primarily meeting stand-alone CASB use cases — that is, not relying on some adjacent product or service to fulfill the four pillars of capabilities (visibility, data security, threat protection and compliance).
Product features. Must meet Gartner's definition of a CASB:
Inspect data and user behavior in cloud services via provider APIs
Optionally operate in-line between users and cloud services as a forward and/or reverse proxy (a capability strongly favored by Gartner clients)
Support a range of endpoint deployment and configuration options
Support the ability to perform access control of any user, device and location accessing cloud services
Support the integration of CASB into an existing enterprise's identity provider and event management system
Operate as a multitenant service delivered from the public cloud
Operate as a virtual or physical appliance in on-premises or public cloud environments
Able to use various forms of advanced analytics to monitor behavior of users and data
Able to identify and respond to malicious and/or unwanted sessions with multiple methods, such as allow, restrict, raise multiple alert types, prompt for additional authentication, end session, etc.
Products and vendors will be excluded if:
They are using open-source technology. There may be products and implementations using popular open-source projects. This Magic Quadrant is not evaluating open-source technology. If a vendor is using this, it must clearly demonstrate that it is providing more than the functionality delivered by these projects by improved packaging (hardware or software) and especially additional research and security content that would take this beyond just running open source.
They support fewer than five cloud services.
They do not materially address all four pillars of capabilities (visibility, data security, threat protection and compliance).
In February 2017, Forcepoint acquired Skyfence from Imperva and renamed it Forcepoint CASB. This Magic Quadrant is a snapshot in time and evaluated vendor strategies and product capabilities as of May 2017. This research reflects customer opinion and data gathered from January 2016 to May 2017, which includes less than three months after Forcepoint’s acquisition of Skyfence from Imperva.
Historically, Forcepoint has been strong in the SWG and DLP markets; the Skyfence acquisition adds cloud application security capabilities to its portfolio, and Forcepoint is steadily advancing the product. Forcepoint CASB supports forward proxy via agents, reverse proxy and API-based inspection; the forward proxy supports an exceptionally wide range of SaaS applications while its API inspection isn’t as broad as some other vendors. The policy creation workflow is clear and straightforward, with all policy elements exposed in one place. While CASB DLP policies can bidirectionally synchronize with an on-premises Forcepoint DLP product, CASB DLP policies can trigger only on keywords, regular expressions and simple data types. DLP fingerprinting and optical character recognition (OCR) for data in cloud services require sending the data to a separate on-premises Forcepoint DLP product. The CASB’s UEBA mechanism analyzes both users' behavior (what they do) and impact (what they have access to) to calculate risk scores for individual users. Additional Forcepoint products are required to measure the posture of unmanaged devices and to enforce policies on unsanctioned cloud services. Forcepoint CASB has no support for encrypting or tokenizing data stored in SaaS applications. Forcepoint CASB is available as an on-premises virtual appliance or is delivered from the cloud. Also in 2017, Forcepoint agreed to license sandboxing technology from Lastline, which is incorporated into Forcepoint CASB.
ManagedMethods is a new entrant to the crowded CASB market, providing governance and security for a limited set of the most popular SaaS applications. It is targeting midsize enterprises and the education vertical with an easy-to-use and -deploy API-only CASB called Cloud Access Monitor. While it doesn't yet provide the full feature set found in more established CASBs, it does provide a suitable set of features for midsize enterprise customers using popular cloud services like G Suite, Microsoft Office 365, Box, Dropbox and Slack. Buyers in the education vertical will find that its pricing and base functionality meet the needs of this vertical's main use cases. Notably, ManagedMethods has good enumeration of OAuth-related account usage by third-party applications, including the ability to detect misuse of OAuth tokens granted to malicious applications — an increasingly common cloud-based threat. ManagedMethods lacks a UEBA capability that can track users across multiple applications; instead, it uses a SaaS vendor's own threat intelligence feed to augment analysis of activity in that particular SaaS application.
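As an added illustration of what enumeration of third-party OAuth grants can look like in practice (this is not ManagedMethods' implementation, which the page does not describe), the following scores consent grants exported from a SaaS audit log: it rates the scopes a token carries, penalises unverified publishers and apps outside a sanctioned list, and looks for the burst of consents across many users that a consent-phishing campaign produces. The scope names are in Microsoft Graph style, the point weights are illustrative, and every grant record is constructed.

```python
"""Risk-scoring third-party OAuth consent grants from a SaaS audit export.

Added example of the kind of analysis a CASB performs on OAuth grants; it is
not any vendor's implementation. Scope names are Microsoft Graph style, the
weights are illustrative, and every record below is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Scope severity: what a token carrying this scope lets a malicious app do (3 = full read/write or directory).
SCOPE_SEVERITY = {
    "Mail.ReadWrite": 3, "Mail.Send": 3, "Files.ReadWrite.All": 3, "Directory.Read.All": 3,
    "Mail.Read": 2, "Files.Read.All": 2, "User.Read.All": 2,
    "Calendars.Read": 1, "User.Read": 1, "offline_access": 1,
}
SEVERITY_POINTS = {3: 60, 2: 40, 1: 10}   # illustrative weights
CAMPAIGN_WINDOW = timedelta(hours=24)
CAMPAIGN_MIN_USERS = 3


def _consent_burst(events: list[dict]) -> bool:
    """True if at least CAMPAIGN_MIN_USERS distinct users consented within one window."""
    times = sorted((datetime.fromisoformat(e["consented_at"]), e["user"]) for e in events)
    for start, _ in times:
        users = {u for t, u in times if start <= t <= start + CAMPAIGN_WINDOW}
        if len(users) >= CAMPAIGN_MIN_USERS:
            return True
    return False


def assess_grants(grants: list[dict], allowlist: set[str]) -> dict[str, dict]:
    """Aggregate consent events per application and return a finding for each app."""
    by_app: dict[str, list[dict]] = defaultdict(list)
    for g in grants:
        by_app[g["app_id"]].append(g)

    findings = {}
    for app_id, events in by_app.items():
        scopes = {s for e in events for s in e["scopes"]}
        # An unknown scope is treated as medium severity rather than ignored.
        worst = max((SCOPE_SEVERITY.get(s, 2) for s in scopes), default=1)
        score, reasons = SEVERITY_POINTS[worst], []
        if worst >= 2:
            privileged = sorted(s for s in scopes if SCOPE_SEVERITY.get(s, 2) >= 2)
            reasons.append("privileged scopes: " + ", ".join(privileged))
        if not events[0]["publisher_verified"]:
            score += 25
            reasons.append("unverified publisher")
        if app_id not in allowlist:
            score += 15
            reasons.append("not on the sanctioned-app allowlist")
        if _consent_burst(events):  # many users consenting at once is the consent-phishing signature
            score += 20
            reasons.append(f"{CAMPAIGN_MIN_USERS}+ users consented within "
                           f"{CAMPAIGN_WINDOW.total_seconds() / 3600:.0f}h")
        score = min(score, 100)
        level = "block" if score >= 80 else "review" if score >= 50 else "none"
        findings[app_id] = {"score": score, "level": level, "reasons": reasons,
                            "users": sorted({e["user"] for e in events})}
    return findings


# Constructed sample: one sanctioned low-privilege app, one unverified app that three
# users approved within hours of each other, and one sanctioned but highly privileged app.
ALLOWLIST = {"app-calsync", "app-hr-export"}
GRANTS = [
    {"user": "alice@example.com", "app_id": "app-calsync", "publisher_verified": True,
     "scopes": ["Calendars.Read", "User.Read"], "consented_at": "2017-05-02T09:10:00"},
    {"user": "bob@example.com", "app_id": "app-docviewer", "publisher_verified": False,
     "scopes": ["Files.ReadWrite.All", "Mail.Read", "offline_access"], "consented_at": "2017-05-03T08:02:00"},
    {"user": "carol@example.com", "app_id": "app-docviewer", "publisher_verified": False,
     "scopes": ["Files.ReadWrite.All", "Mail.Read", "offline_access"], "consented_at": "2017-05-03T08:15:00"},
    {"user": "dave@example.com", "app_id": "app-docviewer", "publisher_verified": False,
     "scopes": ["Files.ReadWrite.All", "Mail.Read", "offline_access"], "consented_at": "2017-05-03T11:40:00"},
    {"user": "frank@example.com", "app_id": "app-hr-export", "publisher_verified": True,
     "scopes": ["User.Read.All", "Directory.Read.All"], "consented_at": "2017-04-20T14:00:00"},
]

if __name__ == "__main__":
    for app, finding in assess_grants(GRANTS, ALLOWLIST).items():
        print(app, finding["level"], finding["score"], "; ".join(finding["reasons"]))
```

The sanctioned HR app still lands at "review" because directory-wide read scopes are worth a look even from a verified publisher, while the unverified document viewer that three users approved in one morning scores the maximum and would be revoked. Revocation itself is a call to the SaaS provider's admin API and is outside this example.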
Vaultive focuses on the data security pillar of CASBs and has identified a segment of the market for whom this is the most important use case — a segment that requires complete separation of content and cryptographic material from cloud providers. Vaultive has developed an interesting approach to function-preserving encryption that involves creating and storing (with the data) a metadata transformation to manipulate search queries; no clear-text data or metadata is stored in SaaS applications or on the Vaultive appliance. Originally available only as a data protection proxy gateway, Vaultive has added API support for governing SaaS applications and the AWS administrative console. The product, Vaultive Cloud Security Platform, isn't available as a service; instead, it must be installed and managed by the customer on-premises, at a hosting facility or in an IaaS cloud deployment. Because Vaultive's principal use case covers only sanctioned SaaS applications, it lacks a discovery capability. Its DLP engine supports basic rules that match keywords, regular expressions and common number formats; integration with an on-premises DLP (via a proprietary protocol) is required for more complex rules involving similarity matching or document fingerprinting.
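As an added example of the general mechanism (not Vaultive's scheme, whose details the page does not give), the following shows field-level encryption with a keyed search token stored as metadata next to the ciphertext, so that an equality search can be rewritten by the proxy and executed by the cloud application without it ever holding plaintext or keys. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on the Python standard library alone; a real gateway would use AES-GCM from a vetted library. The master key, record values and query terms are constructed.

```python
"""Field-level encryption with keyed search tokens stored as metadata.

Added illustration of the general idea behind function-preserving encryption
in a CASB proxy; it is not any vendor's scheme. The cipher is an HMAC-SHA256
keystream with an encrypt-then-MAC tag so that the example runs on the
standard library alone; use AES-GCM from a vetted library in production.
All keys, records and queries below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

NONCE_LEN, TAG_LEN, TOKEN_LEN = 16, 32, 12


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class FieldCrypto:
    """Customer-side keys; the SaaS provider never sees them."""

    def __init__(self, master_key: bytes):
        # Domain separation: distinct subkeys for confidentiality, integrity and search.
        self.enc_key = _prf(master_key, b"enc")
        self.mac_key = _prf(master_key, b"mac")
        self.search_key = _prf(master_key, b"search")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(_prf(self.enc_key, nonce + counter.to_bytes(4, "big")))
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: str) -> str:
        pt = plaintext.encode()
        nonce = secrets.token_bytes(NONCE_LEN)          # fresh per field value
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = _prf(self.mac_key, nonce + ct)            # encrypt-then-MAC
        return (nonce + ct + tag).hex()

    def decrypt(self, blob_hex: str) -> str:
        blob = bytes.fromhex(blob_hex)
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, _prf(self.mac_key, nonce + ct)):
            raise ValueError("ciphertext tampered with or wrong key")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def search_tokens(self, text: str) -> list[str]:
        """Deterministic keyed token per normalised word: the metadata transformation
        the proxy stores with the ciphertext and applies to incoming queries."""
        words = set(re.findall(r"[a-z0-9]+", text.lower()))
        return sorted(_prf(self.search_key, w.encode())[:TOKEN_LEN].hex() for w in words)


class SaaSStore:
    """Stand-in for the cloud application: it indexes whatever tokens it is given."""

    def __init__(self):
        self.records: dict[str, dict] = {}

    def put(self, record_id: str, ciphertext: str, tokens: list[str]) -> None:
        self.records[record_id] = {"ct": ciphertext, "tokens": tokens}

    def find(self, token: str) -> list[str]:
        return sorted(rid for rid, r in self.records.items() if token in r["tokens"])


def index_record(fc: FieldCrypto, store: SaaSStore, record_id: str, value: str) -> None:
    """Proxy path on write: encrypt the field and attach its search tokens."""
    store.put(record_id, fc.encrypt(value), fc.search_tokens(value))


def search(fc: FieldCrypto, store: SaaSStore, keyword: str) -> list[str]:
    """Proxy path on read: rewrite a single keyword into its token before the query leaves."""
    (token,) = fc.search_tokens(keyword)
    return store.find(token)


if __name__ == "__main__":
    fc = FieldCrypto(b"constructed master key, test only")
    store = SaaSStore()
    index_record(fc, store, "acct-1", "Globex Corporation renewal")
    index_record(fc, store, "acct-2", "Acme Corp onboarding")
    print("search globex ->", search(fc, store, "globex"))
    print("stored record  ->", store.records["acct-1"])
    print("decrypted      ->", fc.decrypt(store.records["acct-1"]["ct"]))
```

The tokens are deterministic on purpose, which is what makes the query rewrite possible; the cost is that the cloud side learns which records share a word and how often it occurs, and matching is exact ("corp" does not find "corporation"), so prefix search and sorting need further transformations that this example omits. Tampering with stored ciphertext, or decrypting with another tenant's key, fails the tag check instead of returning garbage.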
Product or service. Innovative and effective cloud visibility and control capabilities with rapid reaction to changes in SaaS application functionality and speed/accuracy of SaaS application risk ranking. Strong and accurate DLP capabilities that rival enterprise DLP products. A focus that favors protection and control as much as or more than visibility, and the ability to provide (or work with other tools to orchestrate) adaptive access control for users, devices and content to/from cloud services.
Overall viability. Sustained funding sources (venture capital or otherwise) including positive year-over-year growth in customers, seats and revenue. Evidence of continual investment in product development and sales.
Sales execution and pricing. Pricing that places few restrictions on which SaaS applications and features can be used, with reasonably priced visibility use cases. Vendors should be able to successfully compete in deals that displace incumbents because of better value and customer use case alignment with effective sales, presales and marketing teams, and win in highly competitive shortlists.
Market responsiveness and track record. Developing innovative security controls faster than competitors, addressing a wide range of use cases, and mitigating cloud security threats quickly are well-regarded for this research.
Marketing execution. Well-defined use cases that highlight the value of a CASB over native cloud security controls, and well-articulated details about how traffic is steered and processed with a demonstrated track record of reducing customer risk posture are being evaluated for this research.
Customer experience. Day-to-day operation can be performed by existing customer personnel. No significant change to end-user experience with or behavior of cloud services after deployment. A support escalation path that permits communicating, when the severity is appropriate, with vendor support resources (including engineers at the highest severity levels). Evidence of deployment in multiple verticals, with multiple cloud services and multiple customer sizes.
Operations. Not evaluated in this Magic Quadrant iteration.
Table: Ability to Execute evaluation criteria (weightings not preserved in this copy). Source: Gartner (November 2017)
Market understanding. The correct blend of visibility, protection and control capabilities that meet or exceed the requirements for native cloud security features. Innovation, forecasting customer requirements, and being ahead of competitors on new features are also regarded, as well as integration with other security products and services. Finally, vendors must solve challenging problems associated with the use of multiple cloud services by organizations of all sizes.
Marketing strategy. An understanding of and commitment to the security market, the prevailing threat landscape and, more specifically, the cloud security market. A focus on security as a business enabler over security for the sake of compliance is important, as is avoidance of unrealistic promises (like "unbreakable," "impenetrable," etc.). Marketing messages must align with actual product and service deliverables.
Sales strategy. A recognition that SaaS (and SaaS security) and other cloud service buyers are not always in IT departments. Pricing and packaging that is familiar to cloud-using organizations, including immediate after-sales assistance with deployment. Periodic follow-up contact with existing customers must be evident, along with a capable channel program that enables consistency and high-quality access to the product or service to organizations in all available geographies.
Offering (product) strategy. Well-regarded products must show full breadth and depth of SaaS application support, the ability to react quickly to changes in cloud applications, strong and actionable user behavior analytics, successful completion of third-party assessments (such as ISO 27001 or SOC 2), a well-rounded roadmap with a sustained feature cadence, and support for custom applications in IaaS and on-premises (which was not weighted for the 2017 Magic Quadrant, but is a differentiator).
Business model. The process and success rate for developing new features and innovation through investments in research and development. A demonstrated understanding of the particular challenges associated with securing multiple cloud applications and a track record of translating that understanding into a competitive go-to-market strategy.
Vertical/industry strategy. Not evaluated in this Magic Quadrant iteration.
Innovation. Evidence of continued research and development with quality differentiators, such as performance, management interface, and clarity of reporting. Features aligned with the realities of the distributed nature of cloud security responsibility (e.g., consoles for various security/audit roles, consoles for business units' administration of their portions of policies). A roadmap showing a platform focus, continued support for more cloud services, and strategies for addressing evolving threats — including advanced threat detection and mitigation capabilities, with a strong in-house threat and risk research group.
Geographic strategy. Third-party attestations relevant to regions in which the product is sold and an ability to help customers meet regional compliance requirements. An effective channel that delivers consistent messaging and support in every available geography.
Table: Completeness of Vision evaluation criteria (weightings not preserved in this copy). Source: Gartner (November 2017)
Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain Leaders, vendors must demonstrate a track record of delivering successfully in enterprise CASB deployments, and in winning competitive assessments. Leaders produce products that embody CASB capabilities, provide coverage of many cloud services, innovate with or ahead of customer challenges and have a wide range of use cases. Leaders continually win selections and are consistently visible on enterprise shortlists. However, a leading vendor is not a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.
Challengers offer products that address the typical needs of the market, with strong sales, large market share, visibility and clout that add up to higher execution than Niche Players. Challengers often succeed in established customer bases; however, they do not often fare well in competitive selections, and they generally lag in new feature introductions.
Visionaries invest in leading-edge/"bleeding"-edge features that will be significant in next-generation products, and that give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution skills to outmaneuver Challengers and Leaders.
Niche Players offer viable products or services that meet the needs of some buyers, such as those in a particular geography or vertical market. Niche Players are less likely to appear on shortlists, but they fare well when given the right opportunities. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market (for example, the small or midsize business segment, or a vertical market), and they often do so more efficiently than Leaders. Niche Players frequently are smaller vendors, and do not yet have the resources to meet all enterprise requirements.
The rapid adoption of cloud services has caught many security teams flat-footed. Visibility into the interactions between users, devices, data and applications in cloud environments is required to answer the question, "How do I secure my data in someone else's system?"
The CASB market has evolved rapidly, displaying credible examples of products being shipped mostly from venture capital (VC)-funded startups. In recent years, a considerable amount of volatility from several acquisitions has created confusion for buyers. Of 14 CASB startups formed since 2011, eight have been acquired.
The market has grown significantly, but stabilized somewhat in terms of the vendor landscape. Common use cases (see "10 Best Practices for Successful CASB Projects" ) have formed, and vendors now focus on adding security value for an ever-expanding list of cloud services. These use cases suggest that the market for CASB will continue to be dominated by full-featured platform providers for the next three to five years, a common scenario when new IT product categories emerge. The growth in common use cases also enables IT security leaders to conduct useful comparisons of vendors on core sets of features in competitive environments.
Gartner receives many client inquiries on how to select a CASB. We strongly advise starting with a reasonably detailed listing of use cases that are specific to your exact needs. See "CASB Platforms Deliver the Best Features and Performance" for some suggestions. From here, a proof of concept (POC) can be developed, and, therefore, acquisition becomes considerably easier.
Pure-play, stand-alone CASB platforms provide more features, for more cloud services, and for a wider array of enterprise use cases to protect your data in cloud services. This agility is far outpacing the features being delivered by CSPs, as well as by other vendors that offer a subset of CASB features as an extension of their existing security technologies for their client bases. Furthermore, platforms from leading CASB vendors were born in the cloud, designed for the cloud, and have a deeper understanding of users, devices, applications, transactions and sensitive data than CASB functions that are designed as extensions of traditional network security and SWG security technologies.
A large amount of VC funding, many hundreds of millions of dollars now, fueled the initial growth of CASBs. Recent acquisitions by large vendors suggest the market is maturing, as some startups have been acquired to take their place as part of bigger vendors' portfolios. Other vendors in adjacent markets (like IDaaS, SWG, and EMM) have begun partnering with CASB vendors to increase reach and find new buyers. CASB could also be the driver for vendors in adjacent markets to enter the fray with further acquisitions — for example, enterprise mobility management, secure web gateway, firewall or other vendors who want to, or are already, delivering cloud security.
One thing that has become clear, though, is that there are two aspects to cloud security. The first is the notion of delivering security from the cloud, in which existing technologies like email, web filtering and even firewalling move away from on-premises appliances into cloud services. The second is securing access to cloud services, in which capabilities like CASB and IDaaS become evident. These two aspects are related but fundamentally different in their scope, their design and deployment approaches, and where they operate in the life cycle of managing users, data, actions, transactions and applications.
Gartner sees three IT trends driving the expansion and maturation of the CASB market:
The enterprise moves to adopt bring your own (BYO) traditional PC and non-PC form factors, and usage increases from unmanaged devices. The massive enterprise adoption of tablets and smartphones for core business processes creates security risks that can be mitigated effectively with a CASB, as the average enterprise end user is spending significantly more screen time on non-PC devices. While employee BYOPC may be waning, business partner access to cloud services is certainly on the rise; here, too, CASBs have a role, with separate policies for business partner access to enterprise data.
The enterprise moves to cloud services. Cloud adoption exhibits no signs of slowing; Gartner expects SaaS spend to eclipse IaaS spend by about 1.5 times (see "Forecast: Public Cloud Services, Worldwide, 2015-2021, 3Q17 Update" ). The need for governing cloud usage and demonstrating that governance exists is clear. Significant amounts of spending and computing will aggregate around cloud service providers. This affects on-premises-based technology in the long term, including the security software and appliance markets.
Heavy cloud investments by vendors. Most large enterprise software providers, such as Oracle, IBM, Microsoft and SAP are now heavily invested in cloud, and are actively moving their large installed bases to cloud services. The enterprise software upgrade cycle will shift to cloud over time. Enterprise security teams will need CASB-like features to deal with the security implications of that evolution.
The forces of cloud and mobility fundamentally change how data and transactions move between users and applications. Consequently, cloud-using organizations will need to adjust the priorities of investment in security controls.
Some SaaS vendors — Microsoft is a prime example — discourage the placement of certain products like proxies, caches and WAN optimizers in front of their applications. The worry is that performance or availability issues lying entirely within the other product will be perceived as issues with the cloud service itself. Don't let this dissuade you from evaluating and deploying a CASB. SaaS vendors can't place restrictions on how their customers consume their services. Meanwhile, SaaS vendors should be encouraged to continue to develop a range of APIs that support enterprise integration and security use cases. Over time, the need for proxies in front of their services will diminish. Also, realize that troubleshooting any issues will require you to include the CASB in your investigations. In several cases, CASBs can assist this troubleshooting process, rather than hinder it.
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.