by Neal Weinberg and David Strom

CASB buyer’s guide: What to know about cloud access security brokers before you buy

May 30, 2024 (18 mins)
Cloud Computing, Cloud Security, Enterprise Buyer’s Guides

A cloud access security broker manages access between enterprise endpoints and cloud resources from a security perspective. Here’s what to consider when selecting the right CASB for your enterprise.


Cloud access security brokers (CASBs) explained

As the name suggests, a cloud access security broker (CASB) manages access between enterprise endpoints and cloud resources from a security perspective. CASBs can be deployed on-premises or in the cloud, as a hardware appliance or as software only, and as a proxy, a reverse proxy, or through specific APIs.

Enterprises have untold numbers of endpoints, both managed (corporate-owned devices) and unmanaged (devices owned by employees or third-party contractors). Endpoints can be on-premises or remote. And endpoints can include internet of things (IoT) devices.

In a multicloud environment, each endpoint could connect to multiple cloud resources over the course of a single day — productivity apps (like Microsoft 365), SaaS apps (like Salesforce and Workday), collaboration apps (like Slack and Zoom), and cloud storage (like Amazon Web Services and Dropbox). Not to mention homegrown apps that have been migrated to the cloud, or apps that have been developed in the cloud (that is, cloud-native).

CASBs sit between an organization’s endpoints and cloud resources, acting as a gateway that monitors everything that goes in or out, providing visibility into what users are doing in the cloud, enforcing access control policies, and looking out for security threats.

Some vendors have begun incorporating additional features into core CASB functionality, such as data loss prevention (DLP), secure web gateway (SWG), cloud security posture management (CSPM), and user and entity behavior analytics (UEBA).

Why enterprises need cloud access security brokers (CASBs)

The original use case for CASBs was to address shadow IT. When security execs deployed their first CASB tools, they were surprised to discover how many employees had their own personal cloud storage accounts, where they squirreled away corporate data. CASB tools can help security teams discover and monitor unauthorized or unmanaged cloud services being used by employees.

Today, CASBs encompass a variety of other use cases:

  • Data protection: The COVID-19 pandemic drove employees to remote work and applications to the cloud, where they could be more easily accessed. The pandemic has passed, and many employees have returned to the office, but those applications and that data are still in the cloud. Organizations must protect sensitive data as it moves across a hybrid cloud environment.
  • Compliance: Data privacy regulations continue to tighten. CASBs are an important tool in an organization’s overall regulatory compliance framework, enforcing data privacy policies.
  • Remote workforce: Regardless of the location of employees, CASBs allow enterprises to implement security standards and secure remote access to cloud resources.
  • Threat detection: CASBs can detect malicious activity, intrusion attempts, ransomware, and other types of security events. CASB tools can generate real-time alerts to enable quick response by security teams.

What to look for in a cloud access security broker (CASB) tool

From a purely functional perspective, there are four key features of a CASB tool:

  • Visibility: CASBs provide comprehensive visibility into cloud usage, user activities, and data flows.
  • Control: CASBs offer granular control over user permissions and data access.
  • Data protection: CASB solutions provide data protection capabilities to safeguard sensitive information across multiple cloud services.
  • Compliance: CASB tools help maintain compliance with data privacy regulations.

Beyond those core features, organizations need to make sure the CASB tool integrates well with existing cloud services, applications, and security infrastructure.

There are two basic deployment modes: proxy-based and API-based. Most experts say that API-based CASBs provide better functionality, but organizations need to make sure that the vendor’s list of application programming interface (API) connections matches up with the organization’s inventory of cloud apps.

Core CASB services

The following three basic services that all CASBs offer are at the core of what CASBs do and why you would buy one:

Monitor and control your most sensitive data flows: CASBs were originally designed to stem the tide of shadow IT products and to control and make SaaS applications more secure. Now they have broadened their use and can fit into a variety of situations, including operating across multiple cloud providers and mixing SaaS, mobile, and on-premises applications, too.

Apply uniform DLP policies across all servers and apps: As your data appetite increases, you need better ways to ensure that you aren’t leaking customer- and business-sensitive information, either through a malicious insider or inadvertently through a bad combination of security loopholes. While DLP products have been around for years, having DLP-like features in your CASB can be a nice way to track these potential weak spots, especially as more of your data moves into the cloud and is accessed by unmanaged mobile devices.

Manage cloud-native encryption keys: Ideally, your CASB should automatically keep track of your encryption needs and keys so you don’t have to do this manually, and so you can encrypt more of your data.

CASB tools are better at some things than others. For example:

  • Bitglass has an Ajax virtual machine-like layer that handles near-real-time DLP on unmanaged devices. The only caveat is that these devices have to access data through their browsers.
  • Lookout has field-level encryption on some SaaS structured data services, which can be a handy mechanism for protecting sensitive information.
  • Netskope excels at showing a very solid behavior analytics dashboard and also has impressive application discovery tools.
  • Forcepoint and Skyhigh Security both have two different DLP product lines, one for on-premises and one for the cloud. Neither vendor’s lines are at feature parity, and both require some effort to integrate across cloud and local servers.
  • Microsoft continues to expand and enhance its CASB line but will require integration of a series of its separate management tools.

Beyond these basics, all CASBs offer the potential to operate in one (or more) of three different modes:

  • Forward proxy, usually deployed with endpoint agents or VPN clients
  • Reverse proxy, which doesn’t require agents and can work better for unmanaged devices
  • API control, which provides visibility into data already stored in cloud repositories or data that is used in a cloud process that never enters a corporate network.

Agent deployment is a big CASB differentiator

Take note of the use of, or requirements for, deploying various agents with each product. This is where the CASB vendors often place their secret sauce, which could be an issue depending on how agent-friendly or agent-averse your IT department is. Skyhigh uses a single agent that functions across all three operational modes. Some of the others have multiple agents — such as for specific functional areas like antivirus, DLP, or VPN — which can get messy, not to mention tough to deal with on unmanaged endpoints such as personal cellphones.

Feature sets across CASB operational modes vary

Part of the CASB evaluation challenge is understanding how the feature set extends to each operational mode – if indeed the product operates in more than one mode. Broadcom’s Symantec CASB, for example, has reverse proxies just for Microsoft 365 and no other application. Meanwhile, Cisco Systems and Palo Alto Networks both offer API-only CASB products. Such differences mean you need to understand the types of protection on offer: not just which apps are supported but how they are supported, and exactly which API portfolio each product covers.

You really need the API support if you want to get granular with your CASB protection, in particular to understand the state of your public cloud security exposure and to stop any cloud-based malware. API deployments can also trap cloud-to-cloud activities and retrospectively inspect archived traffic flows. You will also need some level of proxying to handle application gateways and to implement specific security policies. It pays to read the fine print and develop an appropriate test plan that will reveal the relevant features of each vendor’s product.

Consider how the CASB will work with other security tools

The word “apps” should refer not just to individual applications but to the entirety of your existing security apparatus, too. How your CASB interacts with your existing firewalls, endpoint protection, and web application gateways should also be part of your evaluation, so that you understand whether all these tools will play nicely with each other or get in each other’s way.

Here are some examples of how CASBs can play nice with other apps:

  • Forcepoint claims it can protect any custom app within a few days’ effort by their engineering support staff.
  • Bitglass claims it has a feature that can detect changes in underlying apps that might elude traditional reverse proxies.
  • Skyhigh’s CASB can create custom prevention policies for apps without any coding. It also has comprehensive policy management that is applied uniformly for all three modes of operation.

Nice-to-have CASB features

Finally, there are two nice-to-have sets of CASB features.

Conduct continuous risk assessments and compliance audits on demand: A CASB can show in a single place where a corporation has the most risk and summarize the issues so that a security team can quickly focus on suspicious behavior, something other products couldn’t easily do.

Forcepoint, Netskope, and Proofpoint all have nice risk summary dashboards that you can customize to display the things you need to understand how your environment is behaving and what needs immediate attention.

Apply uniform adaptive authentication policies across all logins, servers, and apps: This should include read-only access (Gartner suggests this would be a good situation for unsanctioned SaaS services that are nonetheless needed), step-up authentication, and more granular access rights management.

Identity management and single sign-on (SSO) tools are the usual go-to for these sorts of tasks, and one important trend is that more CASBs are integrating with traditional SSO products. The trick is to understand that the typical level of integration happens (usually) in reverse proxy mode only, and the SSO authentication is only passed to the CASB at the initial application login moment. This means that if you want more complete adaptive authentication that traps riskier behavior when it happens, you will probably have to stick with your dedicated SSO product.

As you can see, CASBs touch a lot of different existing security products across your enterprise. The challenge for successful integration is being able to understand these interactions and ensure that your overall security profile is enhanced rather than degraded with their use.

Major trends in cloud access security brokers (CASBs)

Standalone CASBs are a growing market, valued at $11 billion in 2023 and expected to grow 17% annually to reach $24.2 billion by 2029, according to Mordor Research. “The surge in the adoption of various cloud-based services, growing concerns about data security, and the increasing demand for integrated security solutions drive the market’s growth significantly,” says Mordor.

However, it is important to note that CASBs are also a key component of a broader security strategy that goes by two names:

  • Gartner calls that broader strategy Security Service Edge (SSE), an integration of CASB, SWG, and Zero Trust network access (ZTNA). Gartner says, “By 2026, 85% of organizations seeking to secure their web, SaaS, and private applications will obtain the security capabilities from a Security Service Edge (SSE) offering.” (The Gartner nomenclature has become the de facto standard.)
  • IDC defines the category as network edge security as a service (NESaaS), with the same three core components: CASB, SWG, and ZTNA. IDC says, “The network security market is in the process of a much-needed convergence trend. Security vendors have shifted from a focus on à la carte, individualized security services to a consolidated, cloud-delivered network security platform that treats individual services as optional modules.”

Leading cloud access security broker (CASB) vendors

The list of leading CASB vendors (in alphabetical order) includes pure-play companies as well as traditional security vendors that have added CASB capabilities to their portfolios either by acquisition or through internal development.

Cisco Cloudlock: Cisco Systems acquired CASB startup Cloudlock back in 2016 and retained the brand name. Cisco Cloudlock is a cloud-native CASB that protects users, data, and apps with an automated approach that uses APIs to manage the risks in the cloud app ecosystem. Cloudlock uses advanced machine learning algorithms to detect anomalies. It provides DLP functionality. And Cloudlock targets shadow IT with policy-based controls that can block dangerous activities, depending on permissions and risk levels.

Forcepoint: In 2021, Forcepoint bought Bitglass, one of the original standalone CASB vendors and a leader in Gartner’s Magic Quadrant for CASB. Forcepoint has integrated Bitglass technology with its own powerful DLP capabilities to provide an SSE solution. Forcepoint excels in monitoring and reporting on shadow IT, and its UEBA feature is popular. The software also supports a Zero Trust architecture, providing device and user authentication.

Lookout: Endpoint protection vendor Lookout acquired CASB innovator CipherCloud in 2021 and has put together a CASB designed to provide visibility across managed and unmanaged cloud-based applications, users, endpoints, and data. Lookout CASB helps implement Zero Trust access controls, features advanced DLP capabilities, and supports a range of purpose-built integrations.

Microsoft Defender for Cloud Apps: Microsoft Defender for Cloud Apps is a full-featured CASB focused on protection for SaaS applications. It includes shadow IT discovery, visibility into cloud app usage, protection against app-based threats, information protection, and compliance assessments. Advanced capabilities include SaaS security posture management (SSPM), which enables security teams to improve the organization’s security posture; advanced threat protection as part of Microsoft’s extended detection and response (XDR) solution; and an app governance feature that extends additional threat protection to critical data and resources.

Netskope: One of the original pure-play CASB vendors, Netskope is a leader in CASBs as well as SSE. Forrester Research says, “Netskope has shown innovation across its technology stack, including significant investments in an impressive new private global network, artificial intelligence and generative AI security.” Netskope has recently merged SWG functionality into its CASB tool.

Palo Alto Networks: Palo Alto touts its CASB as being “next-generation,” based on the proposition that it’s less a standalone product and more of a range of integrated solutions such as inline security, SSPM, and enterprise DLP. The Palo Alto CASB is designed to secure apps and data across cloud and hybrid workforce environments; it protects data in transit between users and SaaS providers, facilitates regulatory compliance, and minimizes risks from shadow IT.

Proofpoint: Proofpoint CASB is focused on extending DLP and threat protection from email to cloud apps. Proofpoint takes a people-centric approach; it provides granular visibility into who creates sensitive data and who owns, downloads, uploads, shares and edits that data. It identifies users who have been successfully phished, and those who have been attacked most by hackers.

Skyhigh Security: Skyhigh CASB, through its inline deployment modes (forward and reverse proxy), enables real-time control over user access to sanctioned and unsanctioned cloud services. Skyhigh (a unit of Indian IT tech provider Musarubra) focuses on providing comprehensive multimode coverage that feeds security events into a machine learning system to provide sophisticated event correlation, helping security teams to focus on real threats rather than false alarms.

Symantec: Symantec, a division of Broadcom, offers its CloudSOC CASB to monitor and control the use of sanctioned SaaS apps through extensive API integrations and in-line traffic analysis. The Symantec CASB provides full visibility and automatic detection of high-risk users, compromised accounts, and malicious insiders. Individualized behavioral-based user ThreatScores allow fast identification of risky user accounts. The tool automates the classification of regulated data flowing in and out of apps, and it enforces controls that align with corporate policies. The tool includes DLP functionality and CSPM.

Zscaler: Zscaler CASB offers inline, real-time capabilities and out-of-band scanning functionality to protect data, block threats, provide visibility, and assure compliance. Key features include agentless cloud browser isolation to secure BYOD and third-party devices where software installations are infeasible, advanced threat protection to stop malware from reaching cloud resources in real time, cloud sandboxing to detect new ransomware and other zero-day infections, and shadow IT discovery to automatically identify unsanctioned apps used by employees and create a risk score for each.

What to ask before buying a cloud access security broker (CASB) tool

Buying a CASB tool can be complex. There’s a laundry list of possible features that fall within the broad CASB definition (DLP, SWG, etc.). And CASB tools themselves are part of a larger trend toward SSE and SASE platforms that include features such as ZTNA or SD-WAN. Enterprises need to identify their specific pain points — whether that’s regulatory compliance or shadow IT — and select a vendor that meets their immediate needs and can also grow with the enterprise over time.

8 key questions to ask yourself before buying a CASB tool

  1. Do I have a good handle on what cloud services my users are accessing, including employees, contractors, and other third parties?
  2. Do I have a solid data classification system in place, so that I know what types of data are sensitive or mission critical?
  3. Do I have policies in place for access control across on-prem and cloud environments, including SaaS applications?
  4. Do I have clear objectives? What are my priorities when shopping for a CASB?
  5. How will a CASB tool integrate with my existing security infrastructure?
  6. How will the purchase of a CASB tool play into my broader security roadmap that might include the adoption of SSE or SASE?
  7. Do I have the budget for a new tool?
  8. Do I have the in-house staff to deploy and manage the tool on-premises, or should I take the cloud-based, managed service route?

8 key questions to ask CASB vendors

  1. What features are included in the CASB product? Do I get DLP and SWG as part of the CASB, or are those additional modules?
  2. What is your roadmap for SSE and SASE?
  3. Many vendors have purchased freestanding CASB tools and integrated them into the company’s broader security portfolio. What is your level of integration?
  4. How will this tool fit into my existing security infrastructure now and in the future, as I migrate more security functionality to the cloud?
  5. What geographies do you cover?
  6. Do your APIs cover all the cloud services that I use?
  7. Can your product scale as my company grows?
  8. What is the initial cost, as well as the longer-term total cost of ownership?
