Cloud Access Security Brokers
How do you ensure secure and compliant access to cloud services without losing the agility and cost benefits that these services provide? This report gives you an overview of the market for Cloud Access Security Brokers and a compass to help you to find the product that you need.
The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership compass focuses on the market segment of CASBs (Cloud Access Security Brokers). CASBs address the challenges of security and compliance around the use of cloud services. They provide security controls that are not available through existing security devices and provide a point of control over access to cloud services by any user and from any device. The market for CASBs has evolved from the first products that focussed on the discovery of cloud usage, through network access control points to become integrated cloud security solutions. These are sometimes called CASB+ or CASB 2.0.
1.1 Market Segment
Most organizations are now using several cloud services as well as on-premises and hosted IT services. This hybrid environment has given rise to many challenges in the areas of management, security, and compliance. This is because the use of these services is not well integrated into the normal IT and access governance processes and technologies found within organizations. Furthermore, the use of these services create other risks.
Employees and associates can use their personal cloud services to perform their jobs without reference to their employer. Line of business managers can acquire cloud services without performing risk assessment or considering the impact of these on compliance. The requirements for control over the processing and storage of personal data from the recent EU GDPR is one example of these challenges. The uncontrolled use of cloud services also increases cyber-risks; cyber adversaries may obtain unauthorized access to steal or corrupt data held in the services, as well as to plant malware that could then infect the organization using them.
In an ideal world, the functionality to manage access to cloud services and to control the data that they hold would be integrated with the normal access governance and cyber security tools used by organizations. However, these tools were slow to develop the required capabilities, and this has led to a market in CASBs (Cloud Access Security brokers) to plug the gap. It is notable that some of the CASBs on the market have already been acquired by major security software vendors and are being integrated into their toolsets.
Figure 1 illustrates how CASBs fit into the overall cloud governance process. The basic functionalities that CASBs provide are:
- Discovery of what cloud services are being used, by whom and for what data.
- Control over who can use which services and what data can be transferred.
- Protection of data in the cloud against unauthorized access and leakage as well as cyber threats.
The products which address various aspects of this provide overlapping functionality and these solutions include:
- Rights Management – that provide granular access control over access to unstructured files.
- Data Leakage Prevention – that provide discovery and control over the sharing, transmission, and storage in the cloud of specific classes of data.
- Secure Web Gateways – that protect web-surfing devices from infection and enforce company policies.
- Cloud Access Security Brokers – that provide granular access over who can access cloud services and the functions that they can perform.
|Rights Management||Sometimes include rules to detect specific kinds of data||Over individual access to unstructured files||Against unauthorized access to files including if forwarded or leaked|
|Data Leakage Prevention||Of specific kinds of data stored or being transmitted||Warn, report, quarantine, remove data, prevent transmission||Against unauthorized storage and transmission of specific types of data|
|Secure Web Gateway||Access to URLs||Over which services (URLs) can be accessed and malware filtering||Protect web-surfing devices from infection and enforce company policies|
|Cloud Access Security Broker||Who is accessing which cloud services||Granular control over who can access which transactions from where using which device||Against unauthorized access to specific services, transactions, and data|
|Access Governance||Of user, roles and entitlements||Over entitlements against policies and separation of duties||Enforcement of allocation of entitlements that are against policies and separation of duties|
The distinction between these types of product and the functionalities provided by Cloud Access Security Brokers are shown in the table. The next generation CASB 2 or CASB+ solutions now on the market providing several of these functions, sometimes through inbuilt capabilities and sometimes through integration with other products.
There are two basic discovery and control models used by CASB+ solutions: network-based control (using a proxy for example) and cloud-service-based control (using cloud service APIs). Each of these approaches has advantages and disadvantages. The better solutions use a combination of the two.
However, the integration of CASBs with the traditional security products is not enough. CASBs should become more integrated with identity and access technologies over time. There is already a level of integration between most CASBs and user directories and IDaaS to identify users and feedback to enable or disable access via these. Access to cloud services and the ability to upload/download content should ultimately be governed through the same processes as access to other kinds of services.
1.2 Required Capabilities
The core features and functionalities that we are looking for include but are not limited to:
- Discovery - of cloud services being used from within the organization;
- Access Control - of access to cloud services from within the organization in a granular manner;
- Securing Data - The functionality provided by the product to implement security controls over organizational data that is held in or being moved to cloud services;
These features should also be supplemented in ways that support:
- Compliance - functionality provided by the product to support the use of cloud services by the organization in compliance with laws and regulations;
- Cyber Security - how the products help the organization to protect against cyber security risks from the use of cloud services.
Specific functionality that we are looking for include:
1.2.1 Discovery of Cloud Usage
How the product helps an organization to discover and control the use of cloud services from within and from outside of the organization. This includes:
- The approach used to discover the use of cloud services;
- Whether or not the individual identities of people using the services are recorded;
- The kinds of enterprise data that the product can detect are being held in cloud services;
- Risk profiles of different cloud services;
- Cloud traffic (to/from, sharing, collaboration etc);
- The functionality provided to control access to cloud services;
- Cloud service configuration assessment and controls.
1.2.2 Access Control
How the product helps to control access to cloud services. This may be at a service by service level – giving the ability to prohibit or allow the use of specific cloud services. It may also enable more finely grained access control based on individual user identities, devices, transactions, and data. We specifically look at:
- Access policies supported;
- The granularity of access controls;
- Support for standards like SAML, OAuth and XACML;
- Integration with organizational identity and policy stores;
- Integration with the access controls provided by the cloud services themselves;
- Adaptive authentication;
- Identifying user activity, such as privileged user traffic patterns;
- Integration with on-premises access governance.
1.2.3 Securing Data in the Cloud
This includes the functionality provided by the product to implement data security controls. These may include controls based on the classification or types of data as well as functionality to discover sensitive data that is held in or being moved to a cloud service. Controls may be implemented through detection, warning, quarantining, blocking, encrypting or tokenizing data. The granularity of the controls is also important, and include:
- Cloud service models supported;
- Specific cloud services supported “out of the box”;
- Types of data protected;
- The mechanisms used to protect the data - (UEBA, collaboration control, device control etc.);
- DLP and RMS capabilities and integration with other vendors‘ DLP and RMS solutions;
- Kinds of encryption used and how keys are managed.
How the product helps to support the use of cloud services by the organization in a way that is compliance with laws and regulations, specifically:
- The kinds of functionality provided by the product to support compliance;
- The compliance areas and regulations for which the product provides “out of the box” functionality;
- The standards to which the product has been certified;
- The product’s monitoring and reporting capabilities.
1.2.5 Cyber Security
This area covers how the products help the organization to protect against cyber risks. Using cloud services increased the attack surface for cyber criminals. The products often provide features to mitigate this. For example, through control over which devices have access to specific cloud services and hence prevent access from unregulated devices. They may also provide mechanisms to monitor access behaviors to help to identify hijacked accounts and malware. Specifically, we consider:
- The kinds of cyber risks that the product can detect and protect against;
- The way in which the product protects data held in cloud services against unauthorized access and leakage;
- The extent to which the product monitors access to data held in the cloud;
- Integrated malware detection and antimalware capabilities or integration with solutions from other vendors;
- Reporting and integration with security intelligence systems.
1.2.6 Other Unique Features
We also consider any other unique features or functionality provided by the product.