CASB tools evolve to meet broader set of cloud security needs

When choosing a CASB, enterprises face two primary options: a stand-alone service from a third party or a bundled tool set from some of the large cloud providers. It's important to pick your flavor wisely.

While public cloud providers offer their own suites of security services, organizations can also incorporate a third-party CASB -- an IT security tool that continues to evolve and broaden its reach.

A cloud access security broker is software that sits between users and cloud services to make sure that the individuals working with those services are authorized and that their actions conform to company policies. CASB tools emerged as a means to rein in shadow IT.

"The sweet spot for CASBs has been protecting public SaaS applications," explained Pete Lindstrom, vice president of security research at IDC. "Many enterprises now have half a dozen or more SaaS applications and need tools to ensure that security is implemented in a consistent manner across all of them."

CASBs typically offer features, including the following:

  • Firewalls: Identify malware and prevent it from entering the enterprise network.
  • Authentication: Checks users' credentials and ensures they only access appropriate company resources.
  • Web application firewalls: Thwart malware designed to breach security at the application level, rather than at the network level.
  • Data loss prevention: Ensures that users do not transmit sensitive information outside of the corporation.

Vendors add more features, embrace IaaS

CASB tools have evolved to include, or work alongside, other IT security services -- though some vendors, such as Netskope and Bitglass, still offer stand-alone tools. These vendors differentiate their services in various ways, such as working with new and popular SaaS offerings, said Dan Blum, managing partner and principal consultant at Security Architects Partners.

Another emerging area for CASB tools is support for PaaS and IaaS, but that functionality is a work in progress. "PaaS and IaaS support is a bit tricky because that market is evolving at such a rapid pace that it is difficult for third parties to keep up," Lindstrom said.

That said, to meet the needs of IaaS and PaaS users, CASB vendors have added or expanded functionality for security tasks, such as the following:

  • Single sign-on: Enables an employee to enter their credentials one time and access a number of applications.
  • Encryption: Encrypts information from the moment it's created until it's sitting at rest in the cloud.
  • Compliance: Includes reporting tools that ensure that the company's security systems meet the ever-growing list of compliance specifications, like GDPR.
  • User behavior analytics: Mines information and identifies potential aberrant behavior, which may indicate an outsider is trying to access system resources.

Bundling pros and cons

As the CASB market grew, established vendors acquired, and continue to acquire, a number of offerings. The transactions have included Cisco's acquisition of Cloudlock, Microsoft's acquisition of Adallom and Palo Alto Networks' acquisition of RedLock.

Bundled offerings, like those produced by acquisitions, provide numerous benefits, such as lower pricing. For example, Microsoft includes CASB functionality in its base Azure security services at no extra charge.

Bundled services also reduce integration complexity, since the vendor takes on that work. Additionally, they offer a single management interface, so IT teams don't have to bounce between offerings to troubleshoot system issues.

"The more heterogeneous the environment, the more complex security integration becomes," IDC's Lindstrom said.

However, there are tradeoffs, such as vendor lock-in. Dependency on a specific provider will make it difficult to switch if a better option arises. Also, providers with a broader focus might not be the best option for those with industry-specific needs.
