The purpose of a cloud access security broker (CASB) is to provide all users—regardless of location, device, or application—a secure connection to a cloud service provider. Current CASB products vary in capability, strength, emphasis, and deployment mode. As market demand increases, the technology will continue to evolve and mature.
The table below provides a list of capabilities that should be prioritized and assessed when evaluating CASB products. When considering products, enterprises should be particularly careful to understand vendors’ long-term product roadmaps, as well as the flexibility of deployment options and responsiveness to feature requests and bug fixes.
Leading vendors in the CASB market include Bitglass, Blue Coat, CipherCloud, Palo Alto Networks, Netskope, and Skyhigh Networks.
Founded in 2013, Bitglass began offering a CASB in 2014. It offers a multimode CASB that supports reverse proxy, forward proxy, and active sync proxy, and has recently added support for API mode. Bitglass’ CASB provides real-time, inline data protection on any device, remote wipe data protection for mobile devices, limited data sync, agentless encryption, and robust proxy with AjaxVM technology. The vendor holds a patent for searchable, full-strength encryption for cloud applications, which provides hard-to-crack encryption and full search functionality for cloud data. Bitglass CASBs are chosen by enterprises in regulated industries—such as financial services and healthcare—due to their Office 365 integration, context access policy, and mobile device management functionality.
After acquiring Perspecsys in July 2015 and Elastica in November 2015, Blue Coat began shipping CASBs in Q3 2015. The CASB gained with Perspecsys is available as a stand-alone service, as a component of BlueCoat ProxySG, or as a managed security service. The CASB acquired with Elastica is a cloud-based gateway (forward proxy), and can also be deployed in API mode.
CipherCloud was an early market player and began shipping CASBs in 2011. The vendor’s original CASB could be deployed as a reverse proxy, and has evolved to also support forward proxy and API modes. The CipherCloud CASB is deployed as software that can be run on a physical server, on a virtual server, or on a private cloud such as Amazon Web Services. It can be deployed as an inline gateway or as an encryption service, and in the past few years, additional capabilities such as content and user monitoring and sandbox support have also been added. CipherCloud’s cloud encryption gateway uses AES 256-bit encryption, one of the highest levels of encryption in commercial use.
Palo Alto Networks gained CASB technology with the 2015 acquisition of CirroSecure. Its CASB has an API-based deployment mode and integrates with existing Palo Alto Networks solutions. Uploaded files are scanned within seconds, and the cloud is scrubbed as soon as a file is uploaded, viewed, or shared. When combined with a next generation firewall (NGFW), Palo Alto Network’s CASB provides on-premises and SaaS server protection. The vendor's CASB also integrates with WildFire for threat analysis.
Netskope has offered a CASB since 2013. It can be deployed in forward proxy mode, reverse proxy mode, or API mode and supports active sync and SAML. The vendor holds a patent for its CASB traffic steering technique, which directs traffic to and from both sanctioned and unsanctioned cloud applications. Netskope is one of the few vendors offering an on-premises CASB appliance.
Skyhigh Networks’ CASB, which has been offered since January 2013, supports reverse proxy and API deployment modes. Reportedly, the vendor will also begin offering forward proxy deployment, but these reports have not been confirmed by Skyhigh Networks. The vendor holds a patent for pervasive cloud control and has a patented method for providing CASB services using a reverse proxy mode that offers authentication and policy controls.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.