Gartner’s Latest CASB Report: How to Evaluate Vendors
Market Guide Compares CASB Vendors And Provides Evaluation Criteria
By Cameron Coles, Senior Product Marketing Manager, Skyhigh Networks
As sensitive data moves to the cloud, enterprises need new ways to meet their security, compliance, and governance requirements. According to Gartner Research, “through 2020, 95% of cloud security failures will be the customer’s fault,” meaning that enterprises need to look beyond the security capabilities of their core cloud services and focus on implementing controls over how those services are used in order to prevent the vast majority of potential security breaches.
Many companies invested in firewalls, proxies, intrusion prevention systems, data loss prevention solutions, and rights management solutions to protect on-premises applications. The cloud access security broker (CASB) offers similar controls for cloud services. According to a new Gartner report (download a free copy here), a CASB is “required technology” for any enterprise using multiple cloud services. By 2020, Gartner predicts 85% of large enterprises will use a CASB, up from fewer than 5% today.
“By 2020, 85% of large enterprises will use a cloud access security broker product for their cloud services, which is up from fewer than 5% today. – Gartner “Market Guide for Cloud Access Security Brokers”
The need for a solution is clear. Cloud adoption within enterprise is growing exponentially – driven in large part by business units procuring cloud services and individual employees introducing ad hoc services without the involvement of IT. IT Security teams need a central control point for cloud services to understand how their employees use cloud services and enforce corporate policies across data in the cloud, rather than managing each cloud application individually. This functionality is not available in Web application firewalls (WAFs), secure Web gateways (SWGs) and enterprise firewalls, driving the need for a new solution that addresses these challenges.
Why do companies use CASBs?
In the report, Gartner explains there are three market forces driving enterprises to consider using a CASB. First, employees are moving to non-PC form factors. Employees use mobile devices to store corporate data in cloud services, and IT Security teams lack controls for this activity. Second, as corporate IT budgets are redirected toward cloud services, companies are beginning to think strategically about the security stack needed for the cloud. And lastly, as the largest enterprise software companies like Oracle, Microsoft, and IBM invest heavily in migrating their installed base to cloud services, more of these enterprise are looking to secure this data.
“CASB is a required security platform for organizations using cloud services. – Gartner “Market Guide for Cloud Access Security Brokers”
While some cloud providers are beginning to add security and compliance controls to their solutions, companies need a more centralized approach. The average enterprise uses 1,154 cloud services, and managing a different set of policies across each of these services would not be practical for any organization. A CASB offers a central control point for thousands of cloud services for any user on any device – delivering many of the security functions found in on-premises security solutions including data loss prevention (DLP), encryption, tokenization, rights management, access control, and anomaly detection.
Gartner’s 4 Pillars of CASB Functionality
Gartner uses a four-pillar framework to describe the functions of a CASB. Not all CASB providers cover these four pillars, so customers evaluating solutions should carefully evaluate marketing claims made by vendors and ask for customer references.
- Visibility – discover shadow IT cloud services and gain visibility into user activity within sanctioned apps
- Compliance – identify sensitive data in the cloud and enforce DLP policies to meet data residency and compliance requirements
- Data security – enforce data-centric security such as encryption, tokenization, and information rights management
- Threat protection – detect and respond to insider threats, privileged user threats, compromised accounts
Deployment architecture is an important consideration in a CASB project. A CASB can be delivered via SaaS or as an on-premises virtual or physical appliance. According to Gartner, the SaaS form factor is significantly more popular and easier, making it the increasingly preferred option. Another factor to consider is whether to use an inline forward or reverse proxy model, direct API connectivity to each cloud provider, or both. Gartner refers to CASB providers that offer both proxy and API options as “multimode CASBs” and points out that certain functionality such as encryption, real-time DLP, and access control are not possible with API-only providers.
How to choose a CASB
Not all CASB solutions are equal and the features, deployment architectures, and supported cloud applications vary widely from provider to provider. Gartner splits the CASB market into Tier 1 providers that frequently appear on short lists for Gartner clients, and other vendors. Tier 1 providers are distinguished by their product maturity, scalability, partnerships and channel, experience in the market, ability to address common CASB use cases across industries, and market share and visibility among Gartner clients.
In its latest report, Gartner offers numerous recommendations that customers should consider when evaluating a CASB, including these considerations:
- Consider the functionality not available with API-only CASBs compared with multimode CASBs before making a decision
- Start with shadow IT discovery in order to know what’s in your environment today before moving to policy enforcement
- Look for CASBs that support the widest range of cloud applications, including those you plan to use in the next 12-18 months
- Look past CASB providers’ “lists of supported applications and services,” because there are often substantial differences in the capabilities supported for each specific application
- Whether the CASB deployment path will work well with your current network topology
- Whether the solution integrates with your existing security systems such as IAM, firewalls, proxies, and SIEMs
One way to evaluate claims made by CASB vendors is to speak with several customer references. Another recommended element in the selection process is conducting a proof of concept. Using real data for the proof of concept enables a potential customer to try out the analytics capabilities of a CASB, including the ability to discover all cloud services in use by employees and detect internal and external threats that could result in data loss.