Security leaders moving to the cloud are worried about data protection. Many are considering cloud access security broker (CASB) systems to monitor security as they navigate the cloud security space.
Many organizations lack full understanding of the cloud services they use and their associated risks, interfering with compliance and protection, research shows. Meanwhile, more sensitive information is being stored with SaaS apps like Office 365, Box, DropBox, Slack, and others.
CASB is an intermediary to give businesses "a single console approach to providing consistent security and policy management across the hundreds, and even thousands, of unique cloud services an enterprise is using," says Jim Reavis, CEO for the Cloud Security Alliance.
The need for CASB to provide visibility, compliance, data security, and threat protection has grown as IT functions move off-premise and security leaders need more granular visibility and policy management. By 2020, Gartner reports, 85% of large enterprises will use a CASB.
"The most common use case for CASBs today is to gain visibility of organizational cloud service usage -- how many cloud services, what are they used for, which departments are using them," says Reavis.
"That information is used to discover policy violations and organizational risks and allow enterprises to take corrective action," he continues. This may include automated remediation, detailed information for manual response, or integration with other security tools in the SOC.
Businesses can use CASB to understand where corporate data is going, detect suspicious activity, scan emails for malicious content and prevent the spread of malware, and stop a range of attacks.
CASB systems are also used for inline data protection, like with encryption or tokenization. This is more popular in regulated environments because it keeps cloud-based data under user control. While it has potential for the long term, says Reavis, this is challenging today because there aren't many technical standards for data protection APIs that cloud providers can use.
Two major deployment methods for CASB are API-based and proxy-based, he explains. API-based involves out-of-band deployment directly integrated with the cloud providers' API interfaces. Proxy-based CASB systems examine identified network traffic flows.
Both API- and proxy-based solutions have benefits and drawbacks. API products enable access by anyone from anywhere, but they don't eliminate access by cloud providers, says Willy Leichter, VP of product and content marketing for CipherCloud. These also depend on the quality and performance of APIs from cloud security providers.
API solutions may vary in quality or not be supported by the CASB vendor. Proxy-based systems may cause an outage for end users if a SaaS app alters its user interface.
Where today's systems fall short
While CASB systems are good for visibility, they don't help solve all the issues they highlight, says Tim Prendergast, founder and CEO at Evident.io. He likens the situation to a doctor telling a patient they have several problems but lacking the ability to fix them.
This poses a challenge to overworked security teams, which may question the benefit of buying a CASB system when they lack people to solve issues it highlights. Many may wonder whether they should have used the funds to hire more talent for assigning and solving problems.
"Data without action is kind of useless," says Prendergast. "Data has to be automatable so your team can solve the problem and move on to bigger projects."
The newness of the cloud has proven a constraint to the evolution of CASB, Reavis adds, because cloud providers still view one another as competition.
"CASBs have to take a lot of different competitive, incompatible cloud services and make a coherent picture for the enterprise," he explains. For API solutions, there is a practical challenge because APIs are inconsistent among different cloud providers.
"It will reflect tensions, competition, and lack of standards if they can't provide as rich of information as if everyone agreed on the same thing," says Reavis.
Predicting the future of CASB
Reavis says the competitive dynamic among CASB providers is a "consequence of newness" and limits the consistency and richness of the service they can provide. However, consolidation is happening. Companies are being purchased and maintaining service with their buyers.
CASB systems will have a difficult time as teams and users become more distributed, says Prendergast. Providers may have to re-architect their systems to monitor traffic of employees logging in from different networks.
For businesses that need to protect sensitive data, CASB solutions should give deep integration with specific clouds, third-party tools, enterprise systems, and workflows, says Leichter. Tools promising advanced data protection should support complex environments and maintain the functionality of cloud applications.
David Waugh, VP of sales and marketing at ManagedMethods, warns of "proxy fatigue" among CASB customers and end users of going through a proxy. As CASB adoption increases, he expects API-based tools to be as prevalent as firewalls were in the last decade.
What to know before you buy
Security leaders weighing the pros and cons of CASB systems should think about their infrastructure before purchasing.
"In order for a CASB solution to be effective, businesses need to carefully consider what clouds are businesses-critical, what data is sensitive, and who needs to access it," says Leichter, "If data protection is applied poorly, it can be a blunt instrument that breaks important cloud functionality."
The need for CASB varies from business to business, Prendergast explains, and it's important to have realistic expectations. If you're hoping to better understand the web and SaaS services employees are using, CASB could be worth the cost.
"The reality is, there are ups and downs and pros and cons," he says. "Ask what you want to get out of it before you engage. If you're a startup or a large business, a lot of times CASB won't make sense ... There are probably 500 other security problems you should be solving before that."