Cloud access security brokers (CASBs) have entered middle age. They have been around for nearly a decade and originally were created as central data authentication and encryption hubs for the enterprise. They were originally designed to serve both cloud and on-premise applications and manage end-user and endpoint access, and their role has only gotten more significant.
CASBs have evolved to the point where many analysts feel CASBs will soon be just as important as firewalls once were back in the day when PCs were being bought by the truckloads. Gartner predicts that by 2022, 60% of large enterprises will use CASBs, up from the 20% that used them at the end of 2018. Forrester predicts that cloud security will become a $112.7B market by 2023.
Before CASBs were invented, enterprise security managers had no visibility into how to protect their data. Now that we have smartphones and tablets that may not be owned by the enterprise IT operation, CASBs are essential security tools and are used to deliver a consistent security envelope across multiple cloud providers and devices. But they are also invaluable because they can help show those individual file names and data elements that might be exposed to the greater Internet and provide points of compromise for hackers.
The maturity for CASBs shows how quickly that market has progressed, since many of the vendors have only been in business a few years. Nevertheless, there are four reasons why CASBs have seen this growth. First was a period of time when most of the main-line security vendors purchased CASB product lines: Oracle (Palerra), Cisco (CloudLock), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Elastica and Perspecsys) and McAfee (Skyhigh Networks). This merger mania has abated somewhat and there are three major CASB independent vendors remaining: CipherCloud, Netskope and Bitglass.
The second reason is that CASBs are moving their focus from being proxy servers to more sophisticated API-based controls. CASBs operate in one of three different modes, and have become more flexible as more products now support more apps in each mode:
A third reason has to do with the increasing sophistication of the modern threat landscape and application usage. Now we have blended threats spanning multiple exploit methods that hide behind a series of obfuscation techniques. This, in turn, makes malware harder to ferret out and neutralize. Phishing attacks can exploit very subtle features of cloud services that can quickly go viral and infect millions of users.
The news is filled with reports of data leaks caused by sloppy (or missing) access rights to various cloud-related data repositories such as AWS S3 or ElasticSearch continues to grab headlines. Digital Shadows found that in 2018 there were 1.5 billion files exposed around the world solely due to misconfigurations in cloud services. CASBs can sometimes be the last bulwark to catch these issues.
Finally, there is a need for better compliance and reporting tools, especially in response to the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. This is because a CASB can show where potential risks lie and summarize issues to help focus a security team’s efforts on suspicious behavior, in a way that other products couldn’t easily do. Both of these regulations require timely breach reporting, so a CASB is a natural fit.
Several years ago, many enterprises purchased CASBs to stem the tide of what was then called ‘shadow IT’ and is now considered standard operating procedure in many businesses. IT managers would get a call from their commercial Dropbox sales rep and be told that hundreds of their users were using personal Dropbox accounts, which was often news that they didn’t want to hear. That was the initial sales pitch by the CASB vendors: we can discover where all your cloud data lies and help to protect it. Traditional security tools didn’t provide this visibility, especially when the cloud network traffic was never seen by the corporate data center. “I want to have control over my data, even when it isn’t residing in my own machines,” said Steve Riley of Gartner.
The first attempts at using CASBs were eye-opening for many corporate IT managers. When they were first deployed, IT would find many times the number of cloud services in use than they had estimated, according to Riley. That turned into a big selling point for these products.
CASBs have another two things going for them. First, they have quick learning curves and can be relatively easy to bring up. Most have data dashboards that are actionable and, in some cases, easier to understand than even the latest firewalls or data loss prevention tools. Second, all of the vendors have worked hard to widen their applications support, and some products can detect changes in underlying apps that might elude traditional reverse proxies or can create custom prevention policies without any coding.
CASBs are certainly the future for security operations. Expect them to become more capable and to be an essential part of any protective portfolio for even middle-market enterprises in the coming years.