The role of the cloud access security broker (CASB) will become ever-more important in the context of organisational security.
According to analyst firm Gartner, through 2023 “at least 99%” of cloud security issues will be the fault of the customer. The notion of shared responsibility – one which regular readers of this publication may well be sick of hearing given its frequency – needs to be hammered home again. Cloud vendors are predominantly responsible for security of the cloud – protecting infrastructure – while the customer is responsible for security in the cloud, such as the data, applications, and identity and access management.
Writing for this publication in August, Hatem Naguib, SVP security at Barracuda Networks, noted his belief that many organisations misunderstand this model. “The organisations benefiting the most from public cloud are those that understand their public cloud provider is not responsible for securing data or applications, and are augmenting security with support from third party vendors,” wrote Naguib.
CASBs, therefore, are something of an intermediary in this process. Sitting in between a company’s on-premises infrastructure and a cloud provider’s infrastructure, they can take the responsibility away from the customer end. This can be through greater visibility of who and what is accessing data in various clouds, enforcing security and identity policies, threat protection, and compliance.
With this in mind, Gartner’s latest Magic Quadrant for CASBs makes for an interesting read. In all, 13 vendors made the cut, with four tightly bunched in the leaders’ section; Bitglass, McAfee, Netskope, and Symantec.
One of the more egregious security errors organisations can make is through exposed storage buckets. According to recent McAfee research, there are thousands of individual misconfigurations in companies’ IaaS and PaaS public cloud instances. Worryingly, 5.5% of AWS S3 buckets analysed were set to ‘world read’ permissions.
McAfee claimed in February to be the only CASB which was able to provide visibility into third party risk and identify exposed S3 buckets. Indeed, after the acquisition of Skyhigh Networks closed at the start of this year, Gartner notes, McAfee’s offering was one of the first to raise awareness of shadow IT. The analyst firm notes its ‘comprehensive’ dashboard and much improved visibility processes for sensitive content as strengths. For weaknesses, the report warned over future performance given McAfee’s ‘spotty’ execution of acquisitions.
Of the other leaders, Bitglass was praised for various technical attributes, including watermarking of documents and automated learning, although noting its name did not come up as often as its rivals in client inquiries. Netskope – which acquired Sift Security in July to improve its threat detection capabilities – was given good marks for a comprehensive risk database and access control policies, albeit with a ‘minor’ increase in inquiries around installation challenges and service performance. Symantec, whose acquisition of Blue Coat in 2016 included Perspecsys and Elastica, two previous CASBs in the latter’s portfolio, has strong service discovery and usage but a ‘cumbersome’ UI.
The other companies which made the cut are an interesting list of security specialists and huge names. In the second category, naturally, are Cisco, Oracle and Microsoft – the latter two placed as challengers – while CensorNet, CipherCloud, Forcepoint, Palo Alto Networks, Proofpoint and Saviynt were also analysed.
As ever with these things, it really pays to do due diligence: work out your organisation’s specific needs and which vendor ticks the most boxes. Indeed, any concerns about a company’s cloud use should prompt an exploration of these companies at the least. As Gartner notes, the agility of the CASBs – born and made in the cloud – far outstrips the wider cloud service providers. Indeed, Gartner adds that while Microsoft has Microsoft Cloud App Security (MCAS), an Azure house looking for a full cloud security strategy needs more Microsoft products than its CASB.
Ultimately, the state of where things are today can be summed up by a comment from Netskope CEO Sanjay Beri. “The challenges presented by the cloud necessitate a shift from legacy vendors toward a security cloud that was built from the ground up with the unique characteristics of the cloud in mind,” he said. “This includes real-time visibility into and control over all cloud services, robust data loss prevention, the ability to prevent and remediate cloud threats, and enablement of granular dynamic access control that governs usage in real time for any user from any device across all cloud services.”
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.