Tip

Review these 7 CASB vendors to best secure cloud access

CASB technology offers threat protection, increased visibility and policy enforcement. Explore how these seven vendors stack up and protect access to cloud applications.

Consumption of cloud-based services has soared in the wake of the increasing number of employees working remotely. That's led enterprises to deploy a variety of tools across their networks to protect their corporate data -- among them cloud access security broker technology.

Yet, CASBs span many different security capabilities. They all set out to do the same job, but they do it in different ways. Unlike LAN switches or Wi-Fi, where the core features are defined by standards committees, CASBs are the Wild West of technology. Providers have no constraints on how they architect their platforms, no requirements for features they need to include and no required list of applications they need to support. Yet, they are essential elements of corporate cloud security.

A meaningful comparison of vendors requires prospective buyers to know each company's product features and pricing to determine the best fit and value. In the past, a data sheet was only a few clicks away, and pricing was easy to come by. But, all too often, this is no longer the case.

That information isn't easily accessible from the CASB vendors and their public websites. Some vendors provide links to their data sheets, but the pages often contain vague, high-level information about the product, which isn't enough to build a comprehensive comparison.

Comparison shopping gets even more challenging when balancing the CASB offerings of newly minted companies, such as Bitglass and Netskope, against longstanding security vendors, like McAfee and Broadcom, which have acquired CASB startups. Let's examine some of the factors that should be considered.

Deployment model

CASB products, as their names imply, are primarily cloud-based -- SaaS -- services. Most vendors provide few details on the providers they themselves use. Bitglass, an AWS customer, is a notable exception.

Bitglass, McAfee and Netskope also make their CASBs available either on premises or as virtual appliances.

It's helpful to ask a prospective vendor how its SaaS is managed and scaled. Prospective buyers should also ask how the vendor configures its cloud-based CASB, whether it is multi-tenant or if it is available to customers as a dedicated virtual appliance.

Target customer segments

While core CASB features are applicable to all customer segments, application support and other characteristics might favor specific customer segments. For example, Bitglass is focused on heavily regulated industries, such as financial services and healthcare. CipherCloud targets a similar market, along with large enterprises. McAfee concentrates on enterprises with 1,000+ employees. Symantec's target customers are similar to McAfee's. Microsoft's CASB is integrated into its 365 SaaS offering, a popular choice globally for its corporate email and associated collaboration technologies, like Teams and SharePoint.

Of the vendors profiled, only Microsoft, Netskope and Proofpoint seem to target a range of companies from SMBs to large enterprises.

Licensing and pricing models

Asking how much a CASB costs is a simple question with no simple answer. Vendors offer a variety of pricing and licensing models, with annual licensing and per-user, rather than per-device, pricing the most commonly available.

Vendors may also charge differently for on-premises deployments or dedicated services rather than shared SaaS implementations, so it's important to verify the details of a CASB deployment cost. A cloud multi-tenant service should cost less than a dedicated virtual appliance.

API-supported cloud applications

API-based CASBs give users secure access to cloud applications from whatever device they may be using. Some vendors list about half a dozen applications they support, while McAfee lists more than two dozen. What matters is whether the product supports a potential customer's applications.

All seven vendors below support the most well-known and common cloud applications, which include Dropbox, Salesforce, Microsoft 365 and the three major cloud providers -- AWS, Microsoft Azure and Google Cloud Platform (GCP). Some vendors support products like Jive, Slack and Egnyte, so it's important to ask potential vendors about specific applications when considering a purchase.

Weighing app support by just comparing the number of APIs a vendor supports can be misleading. Some vendors count Microsoft 365 and its major components, like Outlook, SharePoint and OneDrive, as a single app, while other vendors count each one separately.

If an application integral to the prospective customer's organization isn't supported with an existing API, the CASB can be asked to provide it. It may or may not be able to satisfy the request, however.

DLP options

Data loss prevention (DLP) has become even more critical as employees work remotely -- to keep data loss at a minimum and to secure the unmanaged devices remote employees use to access apps and services. CASB vendors use a technique called reverse proxies, which create a separate, and safe, session to target the application. But CASB performance can suffer as a result. That means customers need to ask vendors whether their CASBs offer DLP support only to managed, agent-based devices or to unmanaged devices as well.

Customers should also consider whether a CASB has a native DLP product or if it is bringing a partner into the equation. DLP setup can be complex and time-consuming. A misconfigured DLP might not catch the data it is supposed to prevent from leaving your organization.

Broadcom, for example, integrated Symantec's DLP product into its CASB after it purchased the vendor's enterprise security business in 2019. That simplifies administration and management for those Symantec DLP customers who wish to consider Broadcom's CASB. Proofpoint, meanwhile, comes with 80 predefined security policies and can scan 300 file types, while Bitglass has predefined policies and can import DLP policies from several leading DLP vendors.

Once your DLP catches data that violates guidelines, it's imperative to know what actions the product can take -- among them watermarking, quarantining, redacting and blocking. Vendors should outline the specific actions their product can take to detect suspicious data.

Endpoint security options

Management is simpler if IT can combine the agents supporting endpoint security and CASB. McAfee and Broadcom, for example, provide endpoint security options that integrate with their CASBs. Before buying, customers should make sure integration is at the management level or extends to a single agent footprint that can handle both functions.

Most of the other vendors profiled reference third-party endpoint security partners. Here, too, potential customers should determine if this is just a referral to another vendor or if the CASB offers management or agent integration.

Vendor and product profiles

Bitglass

Product name: Bitglass Cloud Access Security Broker
Release date: January 2014
Target customer segments: Initially on heavily regulated industries, like financial services and healthcare; focus has expanded to include legal, higher education, government and manufacturing.
Licensing/pricing: Based on number of users and applications it secures (no dollar amounts available).
Deployment model: Primarily cloud; hosted on AWS; optional on-premises model.
API-supported applications: AnyApp, Microsoft 365, Salesforce, AWS, Azure, GCP, Box, Dropbox, G Suite and Slack.
DLP options: Yes; extends to any device, including personal phones; real-time DLP and remediation actions include watermark, quarantine, redaction and removal.
Endpoint security: Unknown.

Broadcom (formerly Symantec)

Product name: CloudSOC Cloud Access Security Broker
Release date: 2014
Target customer segments: Large enterprises, partners, security integrators, hosted full-service providers, finance, insurance, healthcare and other highly regulated industries.
Licensing/pricing: Per user, per annum.
Deployment model: Cloud-based.
API-supported applications: AWS, Box, Cisco Webex Teams, DocuSign, Dropbox, GitHub, G Suite, Jive, Azure, Microsoft 365, Salesforce, ServiceNow, Workday, Workplace by Facebook and Yammer.
DLP options: Offers standalone CloudSOC DLP or Symantec DLP Cloud for a single, centralized DLP platform for the entire enterprise, including data in the cloud and on premises.
Endpoint security: Yes; Symantec Endpoint Protection.

CipherCloud

Product name: CipherCloud CASB+
Release date: Unknown (company founded 2010)
Target customer segments: Large enterprises and service providers; special focus on banks, government and healthcare.
Licensing/pricing: Unknown.
Deployment model: Cloud-based.
API-supported applications: AWS, Microsoft 365, Azure, Adobe Analytics, Google G Suite, GCP, ServiceNow, Salesforce, SAP, Slack, Dropbox, Box, Adobe Marketing Cloud and AnyApp.
DLP options: Yes; also integrates with third-party platforms, such as Broadcom; provides predefined regulation templates -- among them PCI, HIPAA, GDPR and Gramm-Leach-Bliley Act.
Endpoint security: Antivirus and antimalware (implementation method unknown); partners with FireEye to provided threat protection for SaaS mobile.

McAfee

Product name: McAfee MVISION Cloud
Release date: 2013
Target customer segments: Enterprise (customers with 1,000+ employees).
Licensing/pricing: Available upon request.
Deployment model: SaaS (cloud) or virtual appliance (on premises) by request.
API-supported applications: Microsoft 365 and Teams, Box, Salesforce, Slack, ServiceNow, AWS, Azure, GCP, Aprimo, Atlassian Jira, Cisco Spark, Clarizen, Confluence, Ctera, Dropbox, Egnyte, GitHub, Intralinks, Jive, Okta, OneLogin, SAP Concur, ShareFile, Smartsheet, Trello, Webex Teams, Workplace by Facebook and Zendesk; integrates with Splunk's Mitre ATT&CK into its CASB analysis workflow to provide more effective protection against threats.
DLP options: Yes; also structured data encryption for protecting data with keys controlled by the enterprise organization.
Endpoint security: Yes; broad portfolio of threat detection and DLP for endpoints is available.

Microsoft

Production name: Microsoft Cloud App Security
Release date: 2016 (part of Microsoft 365 product suite)
Target customer segments: General SMB and enterprises.
Licensing/pricing: Per user/month; basic endpoint management $8.80 per user/month; all functions $14.80 per user/month.
Deployment model: Cloud-based.
API-supported applications: Azure, AWS, Box, Dropbox, GitHub, Google Workspace, GCP, Microsoft 365, Okta, Salesforce, ServiceNow, Webex and Workday.
DLP options: Provides native DLP and integrates with third-party DLP.
Endpoint security: Integrated with Microsoft Defender for Endpoint.

Netskope

Product name: Netskope Security Cloud Platform
Release date: 2012
Target customer segments: Enterprise and SMBs; special focus on financial, government and tech industries.
Licensing/pricing: Per user, per year.
Deployment model: Cloud-based, virtual or on premises.
API-supported applications: Amazon S3, Box, Cisco, Webex Teams, Dropbox, Egnyte, GitHub, Google Drive, Gmail, G Suite and G Suite Business, Jive, Azure Blob Storage, Microsoft OneDrive and OneDrive for Business, Microsoft 365, Outlook, SharePoint, Salesforce, ServiceNow, ServiceNow Unstructured Data, ServiceNow Chatter, Slack (Standard and Plus), Slack Enterprise Grid and Workplace by Facebook.
DLP options: Yes; standard and advanced; advanced adds capabilities such as fingerprinting, exact data matching and optical character recognition.
Endpoint security: Via third parties, including CrowdStrike, Carbon Black, Cylance and SentinelOne.

Proofpoint

Product name: Proofpoint Cloud App Security Broker
Release date: 2018
Target customer segments: Small to large enterprises.
Licensing/pricing: Per user, per annum.
Deployment model: Cloud-based.
API-supported applications: Microsoft 365 and Teams, Google G Suite, Salesforce, Box, Dropbox, Slack, AWS and Okta; claims visibility across 46,000 applications with more than 50 attributes per app.
DLP options: Yes; built-in smart identifiers, dictionaries, rules and templates; scans 300 files types out of box.
Endpoint security: Yes; web isolation and zero-trust networks.

Next Steps

How to evaluate CASB tools for multi-cloud deployments

Dig Deeper on Cloud provider platforms and tools