Over the last year, we’ve been hearing a lot about cloud access security brokers, or CASBs. It’s becoming clear that they could have a significant role in protecting corporate data in the cloud and mobile era, so it’s time to dive in and take a look.
Usage of cloud apps like Office 365, Box, Salesforce, and Google Apps is skyrocketing, and of course users are accessing these apps from mobile devices.
These days most customers are satisfied that the cloud apps themselves are secure enough—each one of these cloud app providers has dozens or hundreds of security experts dedicated to protecting their product, an effort that would be impossible for most customers to match for their own on-premises apps. Suffice it to say, customers are comfortable with cloud apps.
Instead, a lot of the worrying is on the EUC side. Since all of these cloud apps (and easy access to them from mobile devices) are so new, customers have concerns about how to prevent data leakage, what to do about BYOD and unmanaged devices, how to make sure they’re compliant, how to secure and control access, and most important, how to generally get more visibility into what’s going on.
At BrianMadden.com, we’ve already been writing about some of the major elements needed to control cloud apps and mobility: Identity management platforms can provide federation and SSO, control access, and provision users. Enterprise mobility management can protect data in devices, apps, and in transit.
CASBs take on the cloud and mobile era from another angle: they provide visibility and control centered on the cloud apps themselves, usually through a combination of APIs and traffic inspection.
Many cloud apps have APIs to control user access and permissions, data sharing, integration with other apps, and so on. (Naturally these vary by vendor.) All these things could be controlled manually by an app administrator, but by using a CASB to control them through APIs, customers can aggregate the controls from all of their apps, and make them easier for security teams to manage.
Traffic inspection can add more capabilities, in real time and independent of APIs. Inspection can be done using a forward or reverse proxy, and SSL traffic can be manipulated in various ways: files and fields can be encrypted or tokenized; user behavior can be monitored; analytics can be applied; and malicious activity can be spotted. Again, one of the benefits of CASBs is that they can aggregate visibility and control across multiple cloud apps.
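The field tokenization mentioned above, sketched as an added example (not code from this article or from any CASB product): an inline proxy step swaps sensitive JSON fields for tokens before the request reaches the cloud app and restores them in the response. The field names, key, token format, and sample body are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumptions for illustration: field names, key and "tok_" format are constructed.
SENSITIVE_FIELDS = {"ssn", "card_number"}
TOKEN_KEY = b"demo-key-held-only-by-the-broker"
# Constructed sample request body on its way to a cloud app.
SAMPLE = ('{"name": "A. User", "ssn": "078-05-1120", '
          '"notes": [{"card_number": "4111111111111111"}]}')


class FieldTokenizer:
    """Tokenizes sensitive string fields outbound and restores them inbound."""

    def __init__(self, key, fields):
        self._key = key
        self._fields = fields
        self._vault = {}  # token -> original value; stays inside the broker

    def _token(self, value):
        # Deterministic HMAC token: equal values give equal tokens, so
        # exact-match search in the cloud app keeps working on tokens.
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        return "tok_" + mac[:32]

    def _walk(self, node, on_field):
        # Visit every keyed string value, at any nesting depth.
        if isinstance(node, dict):
            return {k: on_field(k, v) if isinstance(v, str)
                    else self._walk(v, on_field) for k, v in node.items()}
        if isinstance(node, list):
            return [self._walk(v, on_field) for v in node]
        return node

    def outbound(self, body):
        def protect(key, value):
            if key not in self._fields:
                return value
            token = self._token(value)
            self._vault[token] = value
            return token
        return json.dumps(self._walk(json.loads(body), protect))

    def inbound(self, body):
        def restore(_key, value):
            # Values that are not known tokens pass through unchanged.
            return self._vault.get(value, value)
        return json.dumps(self._walk(json.loads(body), restore))
```

Deterministic tokens reveal when two records hold the same value, so random tokens are the safer choice for fields that never need to be searched.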
Besides monitoring web and app traffic, some CASBs can also proxy and manipulate Exchange ActiveSync, giving them better visibility and control on mobile devices themselves.
According to Gartner, CASBs first came along in 2012; however, many people really started noticing them last year. Fellow TechTarget editor Rob Wright noted that CASBs also got a lot of attention this year at the RSA conference.
There’s been significant acquisition activity already: Microsoft bought Adallom; Symantec bought Blue Coat (after Blue Coat had bought Perspecsys and Elastica); and Cisco bought CloudLock. IBM launched its own CASB; and VMware added CASBs to their Mobile Security Alliance (including Blue Coat, CloudLock, Netskope, Palo Alto Networks, and Skyhigh Networks).
How do CASBs fit into EUC?
CASBs are just one of many newer tools (like EMM and identity management as a service) that have risen to help companies deal with the cloud and mobile era.
So where do they fit? In some cases there is overlap. Some CASBs can replace EMM functions in certain use cases; and some CASBs can function as an identity provider. (Later this week I’ll write about Bitglass, which is very much positioning itself against EMM.) On the other hand, CASBs can also work together with EMM and other EUC products, as shown in the many partnerships and acquisitions that have already happened. Either way, CASBs are another tool for us to make sense of now.