market guide for cloud access security brokers


Post on 06-Jul-2018


  • 8/18/2019 Market Guide for Cloud Access Security Brokers

    1/8

    29/1/2016 Market Guide for Cloud Access Security Brokers

    http://www.gartner.com/technology/reprints.do?id=1-2RUEH70&ct=151110&st=sb

    Market Guide for Cloud Access Security Brokers

    22 October 2015 ID:G00274053

    Analyst(s): Craig Lawson, Neil MacDonald, Brian Lowans

    VIEW SUMMARY

    The cloud access security broker market is rapidly evolving, with vendors providing a wide range of 

    security features and multiple delivery options. CASB is a required security platform for

    organizations using cloud services, and security leaders should use this research to shortlist CASB

    providers.

    Overview

    Key Findings

    The cloud access security broker market has evolved rapidly since its gestation period in 2012,

    and it has rapidly become a necessary cloud security control technology, regardless of the

    industry vertical, for organizations adopting multiple cloud services.

    CASBs primarily address back-office applications delivered as SaaS (e.g., CRM, ERP, HR,

    productivity and service desks). Applications focused on specific industry sectors, such as

    healthcare and general cloud services (e.g., business intelligence), are not well-covered.

    SaaS dominates CASB coverage, and infrastructure as a service support is improving;

    however, platform as a service coverage is limited. SaaS and IaaS are the main areas seeing

    service support and feature improvements.

    Enterprise business units are acquiring cloud services directly without involving the IT

    organization. This is fueling growth in cloud service adoption.

    The wide adoption of identity as a service and identity and access management into the cloud,

    meaning a single identity store, has reduced the friction in adopting CASBs and cloud services.

    Providers in this market are mainly fueled by venture capital funding; therefore, the number of 

    providers will consolidate at approximately seven or fewer stand-alone vendors by 2018.

    Recommendations

    Security leaders should deploy CASB for the centralized control of multiple services that would

    otherwise require individual management.

    Security leaders should use Gartner's four pillars of CASB definition as a guide for selecting the

    providers that best address cloud service security use cases.

    Security leaders should be cautious when entering into long-term contracts. Build in flexibility,

    because you may need more than one CASB or you may need to transition from your current

    provider to one delivering a complete set of your use cases during the next two years.

    Market Definition

    This document was revised on 26 October 2015. For more information, see the Corrections page.

    Cloud access security brokers (CASBs) address gaps in security resulting from the significant

    increases in cloud service and mobile usage. They deliver capabilities that are differentiated and

    generally unavailable today in security controls such as Web application firewalls (WAFs), secure

    Web gateways (SWGs) and enterprise firewalls. CASBs provide a single point of control over

    multiple cloud services concurrently, for any user or device.

    CASBs primarily address SaaS back-office enterprise applications today, such as CRM, HR, ERP,

    service desk and productivity applications (e.g., Google Apps for Work and Microsoft Office 365).

    They increasingly support the control of enterprise social networking use, and popular infrastructure

    as a service (IaaS) and platform as a service (PaaS) providers. However, we anticipate a battle for

    the control of this emerging technology class, and vendors will be acquiring or building CASB

    offerings during the next three years.

    STRATEGIC PLANNING ASSUMPTIONS

    Through 2020, 95% of cloud security failures will be the customer's fault.

    By 2020, 85% of large enterprises will use a cloud access security broker product for their cloud

    services, which is up from fewer than 5% today.

    CASBs deliver functionality around four pillars, which are of equal importance (see

    "Technology Overview for Cloud Access Security Broker"):

    Visibility — CASBs provide shadow IT discovery and sanctioned application control, as well as

    a consolidated view of an organization's cloud service usage and the users who access data

    from any device or location.

    Compliance — CASBs assist with data residency and compliance with regulations and

    standards, as well as identify cloud usage and the risks of specific cloud services.

    Data security —  CASBs provide the ability to enforce data-centric security policies to prevent

    unwanted activity based on data classification, discovery and user activity monitoring of access

    to sensitive data or privilege escalation. Policies are applied through controls, such as audit,

    alert, block, quarantine, delete and encrypt/tokenize, at the field and file level in cloud

    services.

    Threat protection — CASBs prevent unwanted devices, users and versions of applications

    from accessing cloud services. Other examples in this category are user and entity behavior

    analytics (UEBA), the use of threat intelligence and malware identification.

    This technology is available as a SaaS application or on-premises via virtual or physical appliance

    form factors (see "Technology Overview for Cloud Access Security Broker"). The SaaS form factor is

    appreciably more popular than the on-premises flavors of this technology, and it is increasingly the

    preferred option for most use cases. However, the on-premises versions are meeting specific use

    cases in which regulatory and/or data sovereignty require an on-premises answer.

    Initially, the market was segregated between providers that delivered their CASB features via

    forward and/or reverse proxy modes and others that used API modes exclusively. Increasingly, a

    growing number of CASBs offer a choice between proxy modes of operation and also support APIs.

    Gartner refers to this as "multimode CASBs." They give their customers a wider range of choices in

    how they can control a larger set of cloud applications. (See "Select the Right CASB Deployment for

    Your SaaS Security Strategy" for more details on this critical deployment consideration.)

    Organizations need to look past CASB providers' "lists of supported applications and services,"

    because there are (sometimes substantial) differences in the capabilities supported for each specific

    cloud service, based on their features, the CASB architectures used and the organizations' end-

    user computing models. For example, one CASB version's "support for Salesforce or Office 365" can

    be markedly different from another's, depending on bring your own device (BYOD) use cases, even

    though both "on paper" support these applications. Proxy or API architectures from CASB have

    different abilities to perform different actions, which have various implications for how that provider

    delivers the four pillars for a specific cloud service.

    The maturity level of APIs across cloud service providers today is wildly divergent. Organizations

    such as the Cloud Security Alliance are trying to address this problem by working with the industry

    to develop a set of common, open API standards. Regardless of this work, Gartner expects cloud

    application and services providers to develop their APIs significantly during the next two to three

    years, even if they are not pursuing compliance with an industry standard. APIs will increasingly

    deliver more utility, supporting the potential for newer security use cases not yet thought of. In the

    long term, APIs have the potential to obviate having to intercept traffic with proxies if they mature

    to the point where real-time visibility and control become possible.

    Enterprise Integration

    CASBs provide a number of critical points of integration with the environment, and these integration

    points play an important role in preventing enterprise security delivery from becoming yet another

    silo. CASB integration points cover identity and access management (IAM) integration; reuse of 

    data security policies for the cloud; and event integration with technologies such as security

    information and event management (SIEM) for a single view of an organization's security events,

    plus support for a number of existing security processes such as incident response. CASBs

    themselves offer APIs that can be used by enterprises to take advantage of automation and

    integration opportunities and to instrument them with other enterprise management tools.

    Cross-Over Technologies in CASB

    Although CASBs deliver a number of "net new" features to the security technology landscape, they

    are also delivering features that have been found historically in other technology siloes or solution

    sets. Primarily, these come in the form of tokenization, encryption, data loss prevention (DLP) and

    analytics.

    Enterprises should not treat data used in cloud SaaS applications in isolation from on-premises data

    environments. There is a critical need to establish enterprisewide data security policies and controls

    based on data security governance processes. However, data security capabilities should be

    integrated with on-premises enterprise data security solutions for DLP, data-centric audit and

    protection (DCAP), encryption, tokenization, user activity monitoring and analytics.

    DLP and DCAP

    Many CASBs provide data classification and discovery capabilities with built-in policy templates, as

    well as document controls, such as fingerprinting and watermarking, which are merging capabilities

    from both DLP and DCAP (see "Market Guide for Data-Centric Audit and Protection") methodologies.

    Policies can enable automatic blocking, quarantining, encryption/tokenization, etc., before data is

    loaded into a SaaS or as a forensic capability after the fact, and some SaaS applications are

    beginning to offer DLP-like functionality. Via their own DLP engines, several CASB products can also

    integrate directly with enterprise DLP products through APIs to ensure policy uniformity between

    on-premises network DLP and CASB DLP policies (see "Overcome the Limitations of DLP for Mobile

    Devices").

    CASBs are also developing overlapping DCAP policy capabilities, such as user activity monitoring

    that can detect anomalous data access or privilege changes, audit reports, and real-time security

    alerts or blocking, etc. In addition, cloud application and services providers are also building DLP

    functionality into the application or service itself. One example is Microsoft adding DLP to multiple

    areas of the Office 365 platform (see "Data Loss Prevention in Microsoft Office 365"). An advantage

    of a CASB over native DLP capabilities is consistency — for example, one can apply a set of common

    DLP policies that extends to multiple services and even multiple providers, reducing the overall time

    required for developing and enforcing policies.

    NOTE 1

    ENDPOINT-BASED CLOUD DATA PROTECTION SOLUTIONS

    These vendors, which fall outside the scope of this research, use an endpoint-based approach.

    This is typically an agent or browser plug-in, used to gain visibility of traffic to and from cloud-based

    SaaS applications and for the protection of cloud data. Most of the vendors focus on SaaS

    enterprise file synchronization and sharing (EFSS) applications, such as Box, Dropbox, OneDrive and

    Google Drive. If the primary requirement for the organization is the protection of data in an EFSS

    application, these vendors offer an alternative to the mediation-based approaches via proxies and

    APIs of the CASB platform providers. The following vendors provide solutions in this area:

    Boxcryptor

    CenterTools Software

    CloudCrypt

    Covata

    Cryptzone

    Fasoo

    nCrypted Cloud

    Ohanae

    SearchYourCloud

    Secure Islands Technologies

    SecureAge Technology

    Sookasa

    Sophos

    Vera

    Viivo (PKware)

    NOTE 2

    CLOUD APPLICATION DISCOVERY

    These vendors do not supply CASB platforms, but provide visibility into cloud application usage:

    Microsoft Azure Cloud App Discovery

    OpenDNS

    Intel Security (McAfee)

    Security Analytics and UEBA

    A number of CASBs employ advanced analytics, using techniques such as machine learning and

    anomaly detection. Scalability of analytics is efficiently supported in the cloud, due to its ability to

    scale horizontally to enable high ingest rates and timely responses. CASBs are using this scalability

    to good advantage in delivering outcomes that monitor dozens of attributes (such as cloud service,

    field, file, object, user, location, device and action requested) against behavior and usage patterns.

    This gives CASBs the ability to perform sophisticated threat and misuse detection, which can then

    enable blocking options at the user, object and device levels. This clearly shows another approach

    embedded in the CASB platforms to perform security analytics and UEBA (see "Market Guide for

    User and Entity Behavior Analytics").

    Encryption and Tokenization

    CASBs provide a common point of encryption and tokenization for cloud applications, making it

    another technology that organizations need to manage. Although it's an extra technology to

    manage, the benefit is that it's only one place for many cloud applications and services. This

    reinforces the need to understand the level of data security provided in context with potential

    trade-offs in functionality and compliance. The selection of a particular mode of operation has an

    effect on the cryptography and data security mechanisms available:

    Reverse proxy —  This can be deployed as a gateway on-premises or the more popular SaaS

    option. The on-premises option provides full physical control over key management and the

    application of cryptography solutions on-premises with no access by the CASB or cloud service

    provider (CSP). However, the functionality provided by the target SaaS will be affected. With

    hosted reverse proxy, there may be indirect access to the key management system and

    keys/tokens being used in the cloud by the CASB and/or CSP.

    Forward proxy —  This can be deployed as a hosted solution or on-premises, and some

    vendors may deploy software agents on endpoint devices that actually employ the

    cryptographic services. The CASB typically provides encryption keys/tokens to the endpoints

    using asymmetric key distribution techniques or VPN connections. It may use self-signed digital

    certificates or supported third parties, or it may provide key management solutions that are

    managed by the enterprise.

    API mode —  This effectively moves the encryption engine to the CSP itself. This mode also

    enables organizations to perform data security inspection functions on all data "at rest" in the

    cloud application or service. The CASB may offer on-premises or hosted key management

    options. API mode makes it possible to take advantage of a growing number of native data

    protection tools offered independently by the SaaS applications themselves (e.g., Salesforce),

    whereby they perform encryption/tokenization functions, but the end users still control the

    keys.

    Endpoint agent — No CASB can operate exclusively on the endpoint, but several vendors offer

    optional endpoint software for purposes such as cloud application discovery and tracking,

    routing to the proxy, and object encryption and decryption.

    The selection of a particular cryptographic algorithm and key management will also affect the level

    of data security provided as a direct trade-off to functionality that has been enabled. For structured

    data types, it may still be possible to achieve search and sort, even if the fields are encrypted or

    tokenized; however, other SaaS functions will be lost. For unstructured files that are encrypted

    through a proxy, search and document preview functionality will be lost.

    In addition, the choice of encryption algorithm or tokenization method applied may affect the ability

    to achieve compliance, because functionality may have been traded off against the strength of 

    cryptography — for example, by weakening the algorithm or adding external metadata. The use of 

    cloud-based key management solutions raises the potential for application administrators, who

    often aren't in the security or even in the IT team altogether, accessing the encryption keys/tokens

    in the clear.
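
    The trade-off described above, as an added illustration (not from the Gartner document or any CASB product): a stand-in gateway tokenizes fields deterministically with HMAC-SHA-256, so exact-match search still works, while substring search inside the SaaS is lost and value frequencies stay visible to anyone without the key. The `Gateway` and `SaaSStore` classes, the key and the records are constructed for this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed key for this example only; a gateway would fetch it from its key manager.
TOKEN_KEY = b"constructed-example-key"

# Constructed sample records, as they exist on the enterprise side of the gateway.
RECORDS = [
    {"id": 1, "surname": "Smith", "diagnosis": "asthma"},
    {"id": 2, "surname": "Jones", "diagnosis": "diabetes"},
    {"id": 3, "surname": "Smithson", "diagnosis": "asthma"},
    {"id": 4, "surname": "Smith", "diagnosis": "asthma"},
]
PROTECTED_FIELDS = ("surname", "diagnosis")


def tokenize(value, key=TOKEN_KEY):
    """Deterministic token: the same value and key always yield the same token."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + mac[:24]


class SaaSStore:
    """Stand-in for the cloud service. It stores and queries whatever it is sent."""

    def __init__(self):
        self.rows = []

    def insert(self, row):
        self.rows.append(dict(row))

    def equals(self, field, value):
        return [r["id"] for r in self.rows if r[field] == value]

    def contains(self, field, fragment):
        return [r["id"] for r in self.rows if fragment in r[field]]


class Gateway:
    """Stand-in for the proxy: tokenizes protected fields and keeps the token vault."""

    def __init__(self, store):
        self.store = store
        self.vault = {}  # token -> plaintext; held only on the gateway side

    def insert(self, row):
        out = dict(row)
        for field in PROTECTED_FIELDS:
            token = tokenize(row[field])
            self.vault[token] = row[field]
            out[field] = token
        self.store.insert(out)

    def search_equal(self, field, plaintext):
        # Exact match survives because the search term is tokenized the same way.
        return self.store.equals(field, tokenize(plaintext))

    def read(self, record_id):
        # Detokenize a row on the way back to the user.
        row = next(r for r in self.store.rows if r["id"] == record_id)
        return {k: self.vault.get(v, v) for k, v in row.items()}


def frequency_profile(store, field):
    """What someone with SaaS-side access but no key can still compute:
    how often each (hidden) value occurs, most common first."""
    return sorted(Counter(r[field] for r in store.rows).values(), reverse=True)


def build_demo():
    store = SaaSStore()
    gateway = Gateway(store)
    for record in RECORDS:
        gateway.insert(record)
    return store, gateway


if __name__ == "__main__":
    store, gateway = build_demo()
    print("equality search via gateway:", gateway.search_equal("surname", "Smith"))
    print("SaaS-side substring search: ", store.contains("surname", "Smith"))
    print("token frequencies, no key:  ", frequency_profile(store, "diagnosis"))
    print("round trip through vault:   ", gateway.read(3))
```

    Replacing the deterministic token with a randomized one removes the frequency leak and, with it, the exact-match search.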

    Market Direction

    The CASB market has evolved quickly from its gestation period in 2012. Although most of the

    providers are still startups running off venture capital funding, the market is suddenly looking as if it

    will mature rapidly. Gartner sees signs of three movements in this market:

    Acquisitions

    Established vendors entering into go-to-market partnerships with CASB providers

    CASB feature delivery from vendors expanding features organically or with new product

    releases

    Some notable events that align with these market evolution trends include:

    Check Point Software Technologies' partnership with FireLayers (October, 2015)

    IBM's entry into the CASB market (September 2015)

    Microsoft's acquisition of Adallom (September 2015)


    Deloitte's partnership with Bitglass (September 2015)

    Imperva's partnership with WebSense (July 2015)

    Blue Coat Systems' acquisition of Perspecsys (July 2015)

    Palo Alto Networks' acquisition of CirroSecure (April 2015)

    Cisco's reseller arrangement with Elastica (April 2015)

    HP's entry into a reseller arrangement with Adallom (April 2015)

    Akamai's investment in FireLayers (2014)

    Imperva's acquisition of Skyfence (April 2014)

    Centrify's partnership with Elastica (February 2014)

    In terms of the evolution of this market (as first called out in 2012, see "The Growing Importance of 

    Cloud Access Security Brokers"), Gartner believes that an intersection of an SWG, identity as a

    service (IDaaS) and a CASB is likely to arrive. This would be a new product category in which all

    three isolated feature sets become available from the same provider. There is also the possibility

    that the cloud security services of distributed denial of service (DDoS) and WAFs, which are already

    increasingly paired together, will also have CASB delivered from those providers.

    Merger and acquisition activities will be an interesting area of development, as providers that have

    been acquired will have significantly improved routes to market, with larger salesforces and

    channels, as well as funding for roadmap expansion. This is likely to shake up the market

    landscape.

    In addition, the intersection with data security markets, such as DLP and DCAP, will also drive the

    evolution toward solutions that protect data wherever it resides in the enterprise, in the cloud, on-

    premises and on the endpoint.

    The CASB feature set described by the four pillars in existing Gartner research will remain as

    compelling features for the foreseeable future, regardless of provider consolidations or the merging

    of product feature sets. These blended offerings will begin to present a different value proposition,

    with SWG/IDaaS/CASB available from the same provider. Regardless of consolidation, IT security

    leaders will still demand competitive feature sets, leaving room for pure-play vendors to continue to

    lead the market.

    CASB capabilities are more mature and targeted for SaaS than for IaaS and PaaS today. Gartner

    expects CASB vendors to evolve their coverage across the four pillars for IaaS and PaaS in the

    coming 12- to 24-month period (see Table 1), while improving coverage for other applications, such

    as business intelligence (BI) and industry-specific (e.g., healthcare) SaaS applications. However,

    there will be a "line in the sand" for CASB in relation to IaaS and the large array of public cloud

    native and third-party security solutions. Gartner does not expect CASB to enter the virtual machine

    (VM) per se to supplement existing public cloud-agent-based (firewall, DLP, anti-malware, etc.) or

    virtual-appliance-based solutions, such as firewalls or intrusion detection systems/intrusion

    prevention systems (IDSs/IPSs). However, CASBs will leverage IaaS APIs for a range of security use

    cases.

    Table 1. CASB Will Evolve to Cover SaaS, PaaS and IaaS

                         SaaS   PaaS   IaaS

    Visibility            X      X      X

    Compliance            X      X      X

    Data Security         X      X      X

    Threat Protection     X      X      X

    Source: Gartner (October 2015)

    Market Analysis

    This market is dominated by startups that have been underwritten by a considerable amount of 

    venture capital funding during the past three years. Vendors are starting to make acquisitions or

    partner with these CASB providers. CASB could also be a driver for vendors in adjacent markets

    entering the fray — for example, enterprise mobility management (EMM) or other cloud security

    delivery vendors.

    Gartner sees three macro IT trends driving the expansion and maturation of the CASB market:

    Enterprises' move to adopt non-PC form factors — The massive enterprise adoption of 

    tablets and smartphones for core business processes creates security risks that can be

    mitigated effectively with the assistance of a CASB. The average enterprise end user is

    spending significantly more "screen time" on these non-PC form factors, and CASB helps

    secure the cloud application and the service side of this equation.

    The move to cloud services —  This is significantly accelerating, with SaaS being approximately

    2.5 times bigger than IaaS in spending (see "Forecast: Public Cloud Services, Worldwide,

    2013-2019, 2Q15 Update"). It is driving the need to have security technology capable of 

    providing similar security functions, but for a different model of computing. Significant amounts

    of spending and computing will aggregate around the top cloud service providers. This will


    have an impact on on-premises-based technology in the long term, including the security

    software and appliance markets.

    Heavy cloud investments — Most large enterprise software providers, such as Oracle, IBM,

    Microsoft and Siebel, are now heavily invested in cloud, and are actively driving their large

    client bases to use their cloud services. The enterprise software upgrade cycle will organically

    lead enterprises to the cloud as a natural evolution. Enterprise security teams will need CASB-

    like features to deal with the security implications of that evolution.

    The forces of cloud and mobility fundamentally change how "packets" (and the data in them) move

    between users and applications. This causes a need to adjust the list and the priorities of 

    investment in security controls for an organization consuming cloud services.

    However, the climate for cloud is showing geographical differences (see "Survey Analysis:

    Geographic Differences Among Buyers — Cloud Services Planning, Adoption and Strategy, 2015").

    Although the U.S. is consuming the most cloud today, parts of Latin America and the Asia/Pacific

    region have the highest percentage of end users expecting to significantly increase their cloud

    spending. CASB will always tightly follow geographical and organization-specific cloud adoption

    patterns, which require cloud usage to exist (or be planned) prior to CASB adoption.

    The security industry has a history of startups quickly entering markets and performing a level of 

    disruption that hasn't been immediately countered by incumbent vendors. This has been the case

    for the CASB market. The leading CASB providers are seeing valuations of more than $300 million,

    making them relatively large acquisitions for existing providers.

    Representative Vendors

    The vendors listed in this Market Guide do not represent an exhaustive list. This section is intended to

    provide more understanding of the market and its offerings. It is not, nor is it intended to be, a list of all

    vendors or offerings on the market. It is not, nor is it intended to be, a competitive analysis of the

    vendors discussed.

    At this stage of the market's evolution, we have two rough groups of providers categorized by

    multiple tiers. The Tier 1 CASB providers have established themselves in the CASB market and

    frequently appear on shortlists in discussions with Gartner clients, across a wide range of industry

    verticals. Several were early pioneers in specific CASB use cases. They have also gained larger

    market adoption than other market players. Several have partnered with larger providers, such as

    HP and Cisco, and one was recently acquired by Microsoft.

    The other tier of CASBs are often competitive with the Tier 1 providers for specific use cases. The

    differentiators between the tiers are categorized by the maturity of the product, its ability to scale,

    partnerships and channels, time in the market, ability to address a majority of popular use cases in

    most industries, geographical constraints, market share and visibility in Gartner's client base.

    Bitglass

    Bitglass was founded in January 2013 and has been shipping a CASB product since January 2014.

    Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering,

    such as remote wipe and single sign-on (SSO) and Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities. It also integrates several data security policy

    capabilities, in addition to integrating with some DLP vendor solutions. With a focus on sensitive

    data discovery, classification and protection, it also includes several document management

    protection capabilities, such as watermarking and encryption methods that support search and

    sort. Bitglass provides cloud application discovery and a limited SaaS security posture assessment

    database. Bitglass is now a multimode CASB, with the recent addition of API support on top of 

    forward- and reverse-proxy modes originally delivered.

    Blue Coat Systems (Perspecsys)

    Blue Coat was founded in 1996 and has been shipping a CASB product from July 2015, with the

    acquisition of Perspecsys. Perspecsys was an early entrant into the CASB market, offering a focus

    on data residency and protection with the tokenization of data in various cloud services, such as

    Salesforce, ServiceNow and SuccessFactors. It offers its own proprietary tokenization methods and

    has a unique model to offer integration with the enterprise's chosen data protection suite, which

    may already be deployed on-premises. This is most frequently deployed with products from HP's

    Voltage, Gemalto SafeNet and the Java AES 256 module.

    Perspecsys has not yet delivered a cloud application discovery and SaaS security posture

    assessment database; however, it is available from the Blue Coat SWG product. Its implementation

    model is reverse-proxy-based, using an on-premises physical or virtual appliance. Blue Coat has not

    yet publicly disclosed a roadmap for the integration of these technologies into a common security

    policy and processing fabric.

    CensorNet

    CensorNet was founded in February 2007 and has been shipping a CASB product since April 2015.

    CensorNet is one of the newest entrants into the CASB market. Based on its existing SWG platform,

    CensorNet is already positioned to capture traffic and see the flow of data to and from SaaS

    applications. Like most SWGs, CensorNet is based on a forward-proxy architecture, using on-

    premises, physical/virtual appliances. CensorNet can also support deployments of the technology in

    the cloud. The initial offering is focused on visibility and SaaS application user and policy control.

    CipherCloud

    CipherCloud was founded in October 2010 and has been shipping a CASB product since March

    2011. CipherCloud was an early pioneer in the CASB market, with an initial focus on the encryption

    and tokenization of data in some popular enterprise cloud applications. CipherCloud is well-known

    for this initial use case and can integrate with on-premises key management, DLP and DCAP

    solutions. It has expanded its data protection capabilities to a broad range of structured and

    unstructured data within SaaS applications.

    In 2013, CipherCloud added content and user monitoring and, more recently, cloud discovery and

    SaaS security posture assessment. CipherCloud uses a primary implementation model based on a

    reverse-proxy model for Salesforce data protection. It also supports forward-proxy implementations

    (for example, with SAP), along with API support for some applications. Although it is available in the

    cloud, CipherCloud is predominantly deployed on-premises as a physical or virtual appliance.

    CloudLock

    CloudLock was founded in January 2011 and has been shipping a CASB product since October

    2013. CloudLock is one of the API-only CASBs and can also take log files for cloud service usage

    purposes, as well as provide integrations with proxy and firewall vendors. CloudLock has already

    established a substantial client base in multiple industry verticals. CloudLock delivers a competitive

    set of use case features, such as UEBA for improved threat detection, cloud malware, DLP, DCAP,

    data protection of structured and unstructured SaaS, compliance, forensics and security operations.

    CloudLock also uses its end users to help "crowdsource" ratings for a large

    number of cloud services. This community trust rating also enables end users to see a current rating

    about why a service has been blocked from use at an organization. CloudLock supports

    homegrown and marketplace applications built on public IaaS or PaaS, such as Amazon Web

    Services (AWS) and Force.com, by enabling customers to embed CloudLock services into their own

    applications via APIs.

    Elastica

    Elastica was founded in January 2012 and has been shipping a CASB product since February 2014.

    Elastica is a CASB platform provider with credible capabilities in data science, machine learning and

    deep content inspection providing DLP features, application discovery via logs and cloud application

    traffic, cloud service assessment ratings, usage analytics, remediation, reporting and visualization.

    It uses a forward proxy-based and API architecture supporting agentless methods, as well as

    agents for Windows, Mac and iOS endpoints with support for major cloud services. Its distributed

    cloud-based solution is based primarily in Amazon, RackSpace and Cisco datacenters. In 2015,

    Cisco entered into a reseller agreement where Elastica appears on Cisco's price list and can be sold

    by the general Cisco sales force.

    FireLayers

    FireLayers was founded in November 2013 and has been shipping a CASB product since April 2014.

    FireLayers is a reverse-proxy-based CASB provider that also uses APIs. It does not provide cloud

    application discovery and SaaS security posture assessments. Instead, it focuses on threat

    protection, contextual access control and detailed activity monitoring (with a focus on privileged

    account monitoring) for supported SaaS applications and some IaaS services. FireLayers' preferred

    deployment option uses a reverse-proxy model with APIs, but it has support for forward-proxy

    deployments. FireLayers can also interject user-session-centric authentication mitigation methods,

    such as two-factor authentication (2FA), using SMS and captcha for actions in cloud applications.

    This is based on a policy in which the cloud service itself doesn't support 2FA or doesn't support the

    granular use of 2FA for certain high-risk user and administrative actions. FireLayers delivers its

    CASB services from AWS or on-premises with a virtual appliance.

    Imperva

    Imperva was founded in November 2002 and has been shipping a CASB product from January

    2014, when it acquired Skyfence. Imperva's vision is to provide full visibility and protection of data,

    whether in on-premises databases, websites, file shares, SharePoint or in SaaS applications.

    Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat

    protection. Imperva's CASB is provisioned within its existing DDoS and Incapsula cloud WAF and

    content delivery network (CDN) offering as SaaS. An on-premises physical or virtual version is also

    available. Imperva's primary implementation model is reverse-proxy-based, which is a good fit with the expertise Imperva developed with its WAF (see "Magic Quadrant for Web Application Firewall").

    It uses reverse-proxy plus APIs. Imperva also intends to use this technology for the coverage of 

    internally developed SaaS applications on top of publicly available SaaS services as an integral

    component of its DCAP offering.

    Microsoft (Adallom)

    Adallom was founded in 2012 and has been shipping a CASB product since early 2013. Adallom is a

    CASB platform provider that was an early pioneer in adding API-based cloud discovery capabilities

    into its CASB reverse proxy platform for extended visibility, including the use of a WAF in the proxy

    fabric itself. Adallom uses what it refers to as an "adaptive reverse-proxy model" for its distributed

    architecture. This is hosted in multiple cloud data centers worldwide, with providers such as

    Amazon, Equinix and Rackspace; however, it is delivered to organizations transparently as SaaS.

    Adallom also supports API and forward-proxy methods. It supports an on-premises, virtual

    appliance implementation and cloud application discovery, and it provides security posture

    assessments. In 2015, Adallom announced a partnership with HP. In September 2015, Microsoft

    completed its acquisition of Adallom as an asset to strengthen its Azure and Office 365 capabilities.

    Microsoft has stated its intention to continue to provide Adallom's CASB services for non-Microsoft

    cloud services, such as Salesforce, ServiceNow and Google Apps. In addition, Adallom offers

    encryption of files through partnerships with Secure Islands, HP Atalla and Check Point Capsule. It

    can also leverage cloud providers' APIs to offer data classification and discovery tools through its

    DLP engine to apply controls to newly discovered files at rest or in motion through its hosted

    service.

    Netskope

    Netskope was founded in October 2012 and has been shipping a CASB product since October 2013.

    Netskope was one of the first CASB providers to emphasize cloud application discovery and SaaS

    security posture assessments as an initial use case for CASB adoption. It has developed deep

    visibility into user actions, including user behavior analytics, within managed and unmanaged SaaS

    applications, including extensive user activity monitoring and DLP/DCAP capabilities. This also

    includes integration with on-premises DLP systems via Internet Content Adaptation Protocol (ICAP).

    Netskope's primary implementation model is forward-proxy (with or without agents, depending on

    the use case required) or forward-proxy chaining. It added support for reverse-proxy capabilities in

    2014 and already supported APIs. Netskope's agents allow for the monitoring and control of native

    mobile applications and sync clients, etc. It offers object-level encryption and support for field-level

    encryption only with Salesforce. To deliver its CASB services, it uses a globally distributed cloud-

    based fabric with points of presence, using its own hardware stack placed in Equinix data centers in

    North America, Europe and Asia. It also offers an on-premises virtual or physical appliance

    deployment option.

    Palerra

    Palerra was founded in July 2013 and has been shipping a CASB product since January 2015.

    Palerra is another of the API-centric CASBs. Its offering covers SaaS, PaaS and IaaS. Some of its key

    features include delivery of user and risk analytics, incident response, case management, threat

    intelligence integration and consent-driven remediation. Palerra also delivers SaaS platform security

    management (SPSM) features that enable organizations to control the configuration of SaaS and

    other cloud services policies centrally from one location. Palerra is delivered from Amazon as SaaS

    or from a dedicated appliance hosted there.

    Palo Alto Networks

    Palo Alto Networks was founded in 2005 and has been shipping a CASB product since September

    2015. In May 2015, Palo Alto Networks acquired CirroSecure, an API-only CASB provider

    more focused on SPSM. The new offering is called Aperture. Palo Alto Networks had already been

    delivering cloud application discovery capabilities to its customers, so expanding its visibility using

    APIs is an extension of its cloud protection strategy for users who are off-premises. The data flows

    are not visible to on-premises-based Palo Alto Networks devices without the forced use of a VPN to

    the on-premises appliances. Aperture will also provide additional field- and file-level object visibility

    into cloud services, on top of what is available from its existing product range for cloud services.

    These include content scanning, remediation, analytics, risk identification and reporting.

    Skyhigh Networks

    Skyhigh Networks was founded in December 2011 and has been shipping a CASB product since

    January 2013. Skyhigh Networks was one of the first CASB providers to emphasize the shadow IT

    problem with cloud application discovery, and SaaS security posture and risk assessments as a

    primary initial use case for CASB platforms. It has built a large installed base and is a multimode

    CASB. It has since expanded into data security with DLP/DCAP policies, such as user activity

    analytics and monitoring and, more recently, encryption and tokenization of data for a number of 

    SaaS applications such as Salesforce.

    Skyhigh uses a primary implementation model of a reverse-proxy and APIs, as well as supporting

    forward-proxy implementations. It uses a deployment model of distributed proxies running in

    multiple AWS, Equinix and IBM SoftLayer data centers worldwide. Skyhigh offers an on-premises

    virtual appliance option, with an innovative model for on-premises data acquisition via standard

    logs. It also provides netflow for additional cloud discovery usage options, while offering client data

    protection, so that Skyhigh has no visibility into an organization's data.

    Vaultive

    Vaultive was founded in January 2009 and has been shipping a CASB product since May 2012.

    Vaultive is a CASB provider that has focused on the protection of data in Microsoft's Office 365 suite

    of SaaS applications, using proprietary searchable encryption. It has developed extensive expertise

    in the handling of Microsoft's disparate protocols used in Office 365 — for example, SMTP, IMAP,

    ActiveSync, archiving and e-Discovery. It is also able to encrypt data in Microsoft's OneDrive and

    SharePoint online offerings. Recently, it has expanded its cloud portfolio to other Microsoft SaaS

    applications, such as Dynamics Online and Yammer. Other cloud services include Salesforce,

    ServiceNow, SuccessFactors, Workday, Google Apps and Box. Its primary implementation model is

    forward-proxy-based; however, it supports reverse-proxy implementations as well.

    The following vendors provide features that can also be considered CASB functionality:

    Armor5

    BetterCloud

    IBM

    Ionic Security

    Protegrity USA

    Saviynt

    SkyFormation

    Vormetric

    Trend Micro

    Market Recommendations

    IT security leaders should:

    Immediately review their enterprise application providers' cloud, mobile and on-premises

    enterprise software roadmaps for the cloud to understand their organizations' direction and

    velocity and how they're aligning with their security architectures and budgeting strategies.

    Facilitate and support these plans, but play a significant role in leading the shift of applications

    and services to the cloud. Therefore, IT security leaders' goal should be to avoid being the

    "no" team; instead, they should be the "yes we can and here's how" team.

    Get your IDaaS house in order prior to or during the selection of CASBs, because it's a

    foundational control that will make cloud service adoption more efficient and secure. Some

    CASBs provide entry-level capabilities to stretch Active Directory into the cloud; however, this

    is likely to be more of a stopgap measure, until a comprehensive IDaaS strategy can be

    delivered.

    Consider the differences of CASBs that are multimode versus those that are API-only to

    ensure a successful deployment.

    Start with an investigation of what cloud services are being used in your environment. This will

    help level set "how big the problem actually is" (or isn't) and provide insight into how many

    cloud services you have to sanction, remediate, control, monitor or block.

    Establish enterprisewide data security governance policies that prioritize the protection of 

    sensitive data and establish the appropriate data security controls from a CASB before using a

    SaaS.

    Look for ways not to stop cloud usage, but, instead, to encourage its use by encouraging the

    use of cloud services that are "enterprise ready."

    Look for CASBs that:

    Support the widest range of cloud applications services that you are running today and

    plan to consume in the coming 12 to 18 months.

    Support your mobile computing usage patterns (managed versus BYOD, etc.).

    Work effectively with your network topology.

    Allow for an acceleration of cloud service adoption by effectively controlling sanctioned

    cloud services and aid in the selection of proposed new cloud services that are

    enterprise-ready.

    Ease your compliance burden for cloud services.

    Support the modes of operation that align with your core use cases. For example, an API-

    only CASB could be sufficient for your needs or, alternatively, in-line features may need to

    be deployed for your organization, so an API-only CASB will only partially meet these

    needs.

    Integrate with your existing controls — for example, IAM, SWG and events going into

    your central log management or SIEM.

    Consider other cloud usage patterns of B2B- and B2C-based cloud services in which you have

    sporadic use; however, you should maintain control, and a CASB may be able to cover these

    interactions with your organization's data, by people outside your organization.

    © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be

    reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the

    Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable.

    Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies

    in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions

    expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that

    have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research

    is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the

    independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.” 
