8/18/2019 Market Guide for Cloud Access Security Brokers
1/8
29/1/2016 Market Guide for Cloud Access Security Brokers
http://www.gartner.com/technology/reprints.do?id=1-2RUEH70&ct=151110&st=sb
Market Guide for Cloud Access Security Brokers
22 October 2015 ID:G00274053
Analyst(s): Craig Lawson, Neil MacDonald, Brian Lowans
VIEW SUMMARY
The cloud access security broker market is rapidly evolving, with vendors providing a wide range of
security features and multiple delivery options. CASB is a required security platform for
organizations using cloud services, and security leaders should use this research to shortlist CASB
providers.
Overview
Key Findings
The cloud access security broker market has evolved rapidly since its gestation period in 2012,
and it has rapidly become a necessary cloud security control technology, regardless of the
industry vertical, for organizations adopting multiple cloud services.
CASBs primarily address back-office applications delivered as SaaS (e.g., CRM, ERP, HR,
productivity and service desks). Applications focused on specific industry sectors, such as
healthcare and general cloud services (e.g., business intelligence), are not well-covered.
SaaS dominates CASB coverage, and infrastructure as a service support is improving;
however, platform as a service coverage is limited. SaaS and IaaS are the main areas seeing
service support and feature improvements.
Enterprise business units are acquiring cloud services directly without involving the IT
organization. This is fueling growth in cloud service adoption.
The wide adoption of identity as a service and identity and access management into the cloud,
meaning a single identity store, has reduced the friction in adopting CASBs and cloud services.
Providers in this market are mainly fueled by venture capital funding; therefore, the number of
providers will consolidate at approximately seven or fewer stand-alone vendors by 2018.
Recommendations
Security leaders should deploy CASB for the centralized control of multiple services that would
otherwise require individual management.
Security leaders should use Gartner's four pillars of CASB definition as a guide for selecting the
providers that best address cloud service security use cases.
Security leaders should be cautious when entering into long-term contracts. Build in flexibility,
because you may need more than one CASB or you may need to transition from your current
provider to one delivering a complete set of your use cases during the next two years.
Market Definition
This document was revised on 26 October 2015. For more information, see the Corrections page.
Cloud access security brokers (CASBs) address gaps in security resulting from the significant
increases in cloud service and mobile usage. They deliver capabilities that are differentiated and
generally unavailable today in security controls such as Web application firewalls (WAFs), secure
Web gateways (SWGs) and enterprise firewalls. CASBs provide a single point of control over
multiple cloud services concurrently, for any user or device.
CASBs primarily address SaaS back-office enterprise applications today, such as CRM, HR, ERP,
service desk and productivity applications (e.g., Google Apps for Work and Microsoft Office 365).
They increasingly support the control of enterprise social networking use, and popular infrastructure
as a service (IaaS) and platform as a service (PaaS) providers. However, we anticipate a battle for
the control of this emerging technology class, and vendors will be acquiring or building CASB
offerings during the next three years.
STRATEGIC PLANNING ASSUMPTIONS
Through 2020, 95% of cloud security failures will be the customer's fault.
By 2020, 85% of large enterprises will use a cloud access security broker product for their cloud
services, which is up from fewer than 5% today.
CASBs deliver functionality around four pillars of functionality, which are of equal importance (see
"Technology Overview for Cloud Access Security Broker"):
Visibility — CASBs provide shadow IT discovery and sanctioned application control, as well as
a consolidated view of an organization's cloud service usage and the users who access data
from any device or location.
Compliance — CASBs assist with data residency and compliance with regulations and
standards, as well as identify cloud usage and the risks of specific cloud services.
Data security — CASBs provide the ability to enforce data-centric security policies to prevent
unwanted activity based on data classification, discovery and user activity monitoring of access
to sensitive data or privilege escalation. Policies are applied through controls, such as audit,
alert, block, quarantine, delete and encrypt/tokenize, at the field and file level in cloud
services.
Threat protection — CASBs prevent unwanted devices, users and versions of applications
from accessing cloud services. Other examples in this category are user and entity behavior
analytics (UEBA), the use of threat intelligence and malware identification.
This technology is available as a SaaS application or on-premises via virtual or physical appliance
form factors (see "Technology Overview for Cloud Access Security Broker"). The SaaS form factor is
appreciably more popular than the on-premises flavors of this technology, and it is increasingly the
preferred option for most use cases. However, the on-premises versions are meeting specific use
cases in which regulatory and/or data sovereignty require an on-premises answer.
Initially, the market was segregated between providers that delivered their CASB features via
forward and/or reverse proxy modes and others that used API modes exclusively. Increasingly, a
growing number of CASBs offer a choice between proxy modes of operation and also support APIs.
Gartner refers to this as "multimode CASBs." They give their customers a wider range of choices in
how they can control a larger set of cloud applications. (See "Select the Right CASB Deployment for
Your SaaS Security Strategy" for more details on this critical deployment consideration.)
Organizations need to look past CASB providers' "lists of supported applications and services,"
because there are (sometimes substantial) differences in the capabilities supported for each specific
cloud service, based on their features, the CASB architectures used and the organizations' end-
user computing models. For example, one CASB version's "support for Salesforce or Office 365" can
be markedly different from another's, depending on bring your own device (BYOD) use cases, even
though both "on paper" support these applications. Proxy or API architectures from CASB have
different abilities to perform different actions, which have various implications for how that provider
delivers the four pillars for a specific cloud service.
The maturity level of APIs across cloud service providers today is wildly divergent. Organizations
such as the Cloud Security Alliance are trying to address this problem by working with the industry
to develop a set of common, open API standards. Regardless of this work, Gartner expects cloud
application and services providers to develop their APIs significantly during the next two to three
years, even if they are not pursuing compliance with an industry standard. APIs will increasingly
deliver more utility, supporting the potential for newer security use cases not yet thought of. In the
long term, APIs have the potential to obviate having to intercept traffic with proxies if they mature
to the point where real-time visibility and control become possible.
Enterprise Integration
CASBs provide a number of critical points of integration with the environment, and these integration
points play an important role in preventing enterprise security delivery from becoming yet another
silo. CASB integration points cover identity and access management (IAM) integration; reuse of
data security policies for the cloud; and event integration with technologies such as security
information and event management (SIEM) for a single view of an organization's security events,
plus support for a number of existing security processes such as incident response. CASBs
themselves offer APIs that can be used by enterprises to take advantage of automation and
integration opportunities and to instrument them with other enterprise management tools.
Cross-Over Technologies in CASB
Although CASBs deliver a number of "net new" features to the security technology landscape, they
are also delivering features that have been found historically in other technology siloes or solution
sets. Primarily, these come in the form of tokenization, encryption, data loss prevention (DLP) and
analytics.
Enterprises should not treat data used in cloud SaaS applications in isolation from on-premises data
environments. There is a critical need to establish enterprisewide data security policies and controls
based on data security governance processes. However, data security capabilities should be
integrated with on-premises enterprise data security solutions for DLP, data-centric audit and
protection (DCAP), encryption, tokenization, user activity monitoring and analytics.
DLP and DCAP
Many CASBs provide data classification and discovery capabilities with built-in policy templates, as
well as document controls, such as fingerprinting and watermarking, which are merging capabilities
from both DLP and DCAP (see "Market Guide for Data-Centric Audit and Protection") methodologies.
Policies can enable automatic blocking, quarantining, encryption/tokenization, etc., before data is
loaded into a SaaS or as a forensic capability after the fact, and some SaaS applications are
beginning to offer DLP-like functionality. Via their own DLP engines, several CASB products can also
integrate directly with enterprise DLP products through APIs to ensure policy uniformity between
on-premises network DLP and CASB DLP policies (see "Overcome the Limitations of DLP for Mobile
Devices").
CASBs are also developing overlapping DCAP policy capabilities, such as user activity monitoring
that can detect anomalous data access or privilege changes, audit reports, and real-time security
alerts or blocking, etc. In addition, cloud application and services providers are also building DLP
functionality into the application or service itself. One example is Microsoft adding DLP to multiple
areas of the Office 365 platform (see "Data Loss Prevention in Microsoft Office 365"). An advantage
of a CASB over native DLP capabilities is consistency — for example, one can apply a set of common
DLP policies that extends to multiple services and even multiple providers, reducing the overall time
required for developing and enforcing policies.
NOTE 1
ENDPOINT-BASED CLOUD DATA PROTECTION SOLUTIONS
These vendors, which fall outside the scope of this research, use an endpoint-based approach.
This is typically an agent or browser plug-in, used to gain visibility of traffic to and from cloud-based
SaaS applications and for the protection of cloud data. Most of the vendors focus on SaaS
enterprise file synchronization and sharing (EFSS) applications, such as Box, Dropbox, OneDrive and
Google Drive. If the primary requirement for the organization is the protection of data in an EFSS
application, these vendors offer an alternative to the mediation-based approaches via proxies and
APIs of the CASB platform providers. The following vendors provide solutions in this area:
Boxcryptor
CenterTools Software
CloudCrypt
Covata
Cryptzone
Fasoo
nCrypted Cloud
Ohanae
SearchYourCloud
Secure Islands Technologies
SecureAge Technology
Sookasa
Sophos
Vera
Viivo (PKware)
NOTE 2
CLOUD APPLICATION DISCOVERY
These vendors do not supply CASB platforms, but provide visibility into cloud application usage:
Microsoft Azure Cloud App Discovery
OpenDNS
Intel Security (McAfee)
Security Analytics and UEBA
A number of CASBs employ advanced analytics, using techniques such as machine learning and
anomaly detection. Scalability of analytics is efficiently supported in the cloud, due to its ability to
scale horizontally to enable high ingest rates and timely responses. CASBs are using this scalability
to good advantage in delivering outcomes that monitor dozens of attributes (such as cloud service,
field, file, object, user, location, device and action requested) against behavior and usage patterns.
This gives CASBs the ability to perform sophisticated threat and misuse detection, which can then
enable blocking options at the user, object and device levels. This clearly shows another approach
embedded in the CASB platforms to perform security analytics and UEBA (see "Market Guide for
User and Entity Behavior Analytics").
Encryption and Tokenization
CASBs provide a common point of encryption and tokenization for cloud applications, making it
another technology that organizations need to manage. Although it's an extra technology to
manage, the benefit is that it's only one place for many cloud applications and services. This
reinforces the need to understand the level of data security provided in context with potential
trade-offs in functionality and compliance. The selection of a particular mode of operation has an
effect on the cryptography and data security mechanisms available:
Reverse proxy — This can be deployed as a gateway on-premises or the more popular SaaS
option. The on-premises option provides full physical control over key management and the
application of cryptography solutions on-premises with no access by the CASB or cloud service
provider (CSP). However, the functionality provided by the target SaaS will be affected. With
hosted reverse proxy, there may be indirect access to the key management system and
keys/tokens being used in the cloud by the CASB and/or CSP.
Forward proxy — This can be deployed as a hosted solution or on-premises, and some
vendors may deploy software agents on endpoint devices that actually employ the
cryptographic services. The CASB typically provides encryption keys/tokens to the endpoints
using asymmetric key distribution techniques or VPN connections. It may use self-signed digital
certificates or supported third parties, or it may provide key management solutions that are
managed by the enterprise.
API mode — This effectively moves the encryption engine to the CSP itself. This mode also
enables organizations to perform data security inspection functions on all data "at rest" in the
cloud application or service. The CASB may offer on-premises or hosted key management
options. API mode makes it possible to take advantage of a growing number of native data
protection tools offered independently by the SaaS applications themselves (e.g., Salesforce),
whereby they perform encryption/tokenization functions, but the end users still control the
keys.
Endpoint agent — No CASB can operate exclusively on the endpoint, but several vendors offer
optional endpoint software for purposes such as cloud application discovery and tracking,
routing to the proxy, and object encryption and decryption.
The selection of a particular cryptographic algorithm and key management will also affect the level
of data security provided as a direct trade-off to functionality that has been enabled. For structured
data types, it may still be possible to achieve search and sort, even if the fields are encrypted or
tokenized; however, other SaaS functions will be lost. For unstructured files that are encrypted
through a proxy, search and document preview functionality will be lost.
In addition, the choice of encryption algorithm or tokenization method applied may affect the ability
to achieve compliance, because functionality may have been traded off against the strength of
cryptography — for example, by weakening the algorithm or adding external metadata. The use of
cloud-based key management solutions raises the potential for application administrators, who
often aren't in the security or even in the IT team altogether, accessing the encryption keys/tokens
in the clear.
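The search-versus-strength trade-off described above can be seen in a small model of a gateway protecting one structured field before it reaches the SaaS. This is an added example, not part of the original research or any vendor's implementation; the tokenizer classes, the `region` field and the sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records, as a user would submit them to a SaaS CRM.
RECORDS = [
    {"id": 1, "region": "EMEA"},
    {"id": 2, "region": "EMEA"},
    {"id": 3, "region": "APAC"},
    {"id": 4, "region": "EMEA"},
    {"id": 5, "region": "AMER"},
    {"id": 6, "region": "APAC"},
]


class DeterministicTokenizer:
    """Keyed HMAC-SHA256: the same plaintext always yields the same token.

    Keeps SaaS-side equality search working, at the cost of revealing
    which rows share a value to anyone who can read the stored column.
    """

    def __init__(self, key):
        self._key = key
        self.vault = {}  # token -> plaintext, held by the enterprise

    def protect(self, value):
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self.vault[token] = value
        return token


class RandomTokenizer:
    """Fresh random token on every write: no equality pattern is stored,
    so the SaaS can no longer search the field by itself."""

    def __init__(self):
        self.vault = {}  # token -> plaintext, held by the enterprise

    def protect(self, value):
        token = secrets.token_hex(16)
        self.vault[token] = value
        return token


def upload(records, field, tokenizer):
    """What the gateway forwards: the protected token replaces the plaintext."""
    return [{**r, field: tokenizer.protect(r[field])} for r in records]


def saas_search(rows, field, token):
    """Equality search as the SaaS runs it, seeing only tokens."""
    return [r["id"] for r in rows if r[field] == token]


def gateway_search(rows, field, tokenizer, term):
    """Fallback when native search is lost: resolve tokens through the vault."""
    return [r["id"] for r in rows if tokenizer.vault.get(r[field]) == term]


def equality_leakage(rows, field):
    """Sizes of the groups of rows sharing a token, largest first.

    This is what an observer of the SaaS-side column learns without any key.
    """
    return sorted(Counter(r[field] for r in rows).values(), reverse=True)


def compare(term="EMEA"):
    det = DeterministicTokenizer(secrets.token_bytes(32))
    rnd = RandomTokenizer()
    det_rows = upload(RECORDS, "region", det)
    rnd_rows = upload(RECORDS, "region", rnd)
    return {
        # The gateway rewrites the query term into a token before forwarding it.
        "det_native_search": saas_search(det_rows, "region", det.protect(term)),
        "rnd_native_search": saas_search(rnd_rows, "region", rnd.protect(term)),
        "rnd_gateway_search": gateway_search(rnd_rows, "region", rnd, term),
        "det_leakage": equality_leakage(det_rows, "region"),
        "rnd_leakage": equality_leakage(rnd_rows, "region"),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The deterministic variant preserves native search but exposes the value distribution of the column; the random variant hides it and moves search to wherever the vault lives, which is also where key and token custody has to be assessed.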
Market Direction
The CASB market has evolved quickly from its gestation period in 2012. Although most of the
providers are still startups running off venture capital funding, the market is suddenly looking as if it
will mature rapidly. Gartner sees signs of three movements in this market:
Acquisitions
Established vendors entering into go-to-market partnerships with CASB providers
CASB feature delivery from vendors expanding features organically or with new product
releases
Some notable events that align with these market evolution trends include:
Check Point Software Technologies' partnership with FireLayers (October 2015)
IBM's entry into the CASB market (September 2015)
Microsoft's acquisition of Adallom (September 2015)
Deloitte's partnership with Bitglass (September 2015)
Imperva's partnership with WebSense (July 2015)
Blue Coat Systems' acquisition of Perspecsys (July 2015)
Palo Alto Networks' acquisition of CirroSecure (April 2015)
Cisco's reseller arrangement with Elastica (April 2015)
HP's entry into a reseller arrangement with Adallom (April 2015)
Akamai's investment in FireLayers (2014)
Imperva's acquisition of Skyfence (April 2014)
Centrify's partnership with Elastica (February 2014)
In terms of the evolution of this market (as first called out in 2012, see "The Growing Importance of
Cloud Access Security Brokers"), Gartner believes that an intersection of an SWG, identity as a
service (IDaaS) and a CASB is likely to arrive. This would be a new product category in which all
three isolated feature sets become available from the same provider. There is also the possibility
that the already increasingly paired-together cloud security services of distributed denial of service
(DDoS) and WAFs will also have CASB delivered from those providers.
Merger and acquisition activities will be an interesting area of development, as providers that have
been acquired will have significantly improved routes to market, with larger salesforces and
channels, as well as funding for roadmap expansion. This is likely to shake up the market
landscape.
In addition, the intersection with data security markets, such as DLP and DCAP, will also drive the
evolution toward solutions that protect data wherever it resides in the enterprise, in the cloud, on-
premises and on the endpoint.
The CASB feature set described by the four pillars in existing Gartner research will remain as
compelling features for the foreseeable future, regardless of provider consolidations or the merging
of product feature sets. These blended offerings will begin to present a different value proposition,
with SWG/IDaaS/CASB available from the same provider. Regardless of consolidation, IT security
leaders will still demand competitive feature sets, leaving room for pure-play vendors to continue to
lead the market.
CASB capabilities are more mature and targeted for SaaS than for IaaS and PaaS today. Gartner
expects CASB vendors to evolve their coverage across the four pillars for IaaS and PaaS in the
coming 12- to 24-month period (see Table 1), while improving coverage for other applications, such
as business intelligence (BI) and industry-specific (e.g., healthcare) SaaS applications. However,
there will be a "line in the sand" for CASB in relation to IaaS and the large array of public cloud
native and third-party security solutions. Gartner does not expect CASB to enter the virtual machine
(VM) per se to supplement existing public cloud-agent-based (firewall, DLP, anti-malware, etc.) or
virtual-appliance-based solutions, such as firewalls or intrusion detection systems/intrusion
prevention systems (IDSs/IPSs). However, CASBs will leverage IaaS APIs for a range of security use
cases.
Table 1. CASB Will Evolve to Cover SaaS, PaaS and IaaS
                    SaaS   PaaS   IaaS
Visibility          X      X      X
Compliance          X      X      X
Data Security       X      X      X
Threat Protection   X      X      X
Source: Gartner (October 2015)
Market Analysis
This market is dominated by startups that have been underwritten by a considerable amount of
venture capital funding during the past three years. Vendors are starting to make acquisitions or
partner with these CASB providers. CASB could also be a driver for vendors in adjacent markets
entering the fray — for example, enterprise mobility management (EMM) or other cloud security
delivery vendors.
Gartner sees three macro IT trends driving the expansion and maturation of the CASB market:
Enterprises' move to adopt non-PC form factors — The massive enterprise adoption of
tablets and smartphones for core business processes creates security risks that can be
mitigated effectively with the assistance of a CASB. The average enterprise end user is
spending significantly more "screen time" on these non-PC form factors, and CASB helps
secure the cloud application and the service side of this equation.
The move to cloud services — This is significantly accelerating, with SaaS being approximately
2.5 times bigger than IaaS in spending (see "Forecast: Public Cloud Services, Worldwide,
2013-2019, 2Q15 Update"). It is driving the need to have security technology capable of
providing similar security functions, but for a different model of computing. Significant amounts
of spending and computing will aggregate around the top cloud service providers. This will
have an impact on on-premises-based technology in the long term, including the security
software and appliance markets.
Heavy cloud investments — Most large enterprise software providers, such as Oracle, IBM,
Microsoft and Siebel, are now heavily invested in cloud, and are actively driving their large
client bases to use their cloud services. The enterprise software upgrade cycle will organically
lead enterprises to the cloud as a natural evolution. Enterprise security teams will need CASB-
like features to deal with the security implications of that evolution.
The forces of cloud and mobility fundamentally change how "packets" (and the data in them) move
between users and applications. This causes a need to adjust the list and the priorities of
investment in security controls for an organization consuming cloud services.
However, the climate for cloud is showing geographical differences (see "Survey Analysis:
Geographic Differences Among Buyers — Cloud Services Planning, Adoption and Strategy, 2015").
Although the U.S. is consuming the most cloud today, parts of Latin America and the Asia/Pacific
region have the highest percentage of end users expecting to significantly increase their cloud
spending. CASB will always tightly follow geographical and organization-specific cloud adoption
patterns, which require cloud usage to exist (or be planned) prior to CASB adoption.
The security industry has a history of startups quickly entering markets and performing a level of
disruption that hasn't been immediately countered by incumbent vendors. This has been the case
for the CASB market. The leading CASB providers are seeing valuations of more than $300 million,
making them relatively large acquisitions for existing providers.
Representative Vendors
The vendors listed in this Market Guide do not represent an exhaustive list. This section is intended to
provide more understanding of the market and its offerings. It is not, nor is it intended to be, a list of all
vendors or offerings on the market. It is not, nor is it intended to be, a competitive analysis of the
vendors discussed.
At this stage of the market's evolution, we have two rough groups of providers categorized by
multiple tiers. The Tier 1 CASB providers have established themselves in the CASB market and
frequently appear on shortlists in discussions with Gartner clients, across a wide range of industry
verticals. Several were early pioneers in specific CASB use cases. They have also gained larger
market adoption than other market players. Several have partnered with larger providers, such as
HP and Cisco, and one was recently acquired by Microsoft.
The other tier of CASBs are often competitive with the Tier 1 providers for specific use cases. The
differentiators between the tiers are categorized by the maturity of the product, its ability to scale,
partnerships and channels, time in the market, ability to address a majority of popular use cases in
most industries, geographical constraints, market share and visibility in Gartner's client base.
Bitglass
Bitglass was founded in January 2013 and has been shipping a CASB product since January 2014.
Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering,
such as remote wipe and single sign-on (SSO) and Security Assertion Markup Language (SAML)
proxy, providing basic MDM and IDaaS capabilities. It also integrates several data security policy
capabilities, in addition to integrating with some DLP vendor solutions. With a focus on sensitive
data discovery, classification and protection, it also includes several document management
protection capabilities, such as watermarking and encryption methods that support search and
sort. Bitglass provides cloud application discovery and a limited SaaS security posture assessment
database. Bitglass is now a multimode CASB, with the recent addition of API support on top of
forward- and reverse-proxy modes originally delivered.
Blue Coat Systems (Perspecsys)
Blue Coat was founded in 1996 and has been shipping a CASB product from July 2015, with the
acquisition of Perspecsys. Perspecsys was an early entrant into the CASB market, offering a focus
on data residency and protection with the tokenization of data in various cloud services, such as
Salesforce, ServiceNow and SuccessFactors. It offers its own proprietary tokenization methods and
has a unique model to offer integration with the enterprise's chosen data protection suite, which
may already be deployed on-premises. This is most frequently deployed with products from HP's
Voltage, Gemalto SafeNet and the Java AES 256 module.
Perspecsys has not yet delivered a cloud application discovery and SaaS security posture
assessment database; however, it is available from the Blue Coat SWG product. Its implementation
model is reverse-proxy-based, using an on-premises physical or virtual appliance. Blue Coat has not
yet publicly disclosed a roadmap for the integration of these technologies into a common security
policy and processing fabric.
CensorNet
CensorNet was founded in February 2007 and has been shipping a CASB product since April 2015.
CensorNet is one of the newest entrants into the CASB market. Based on its existing SWG platform,
CensorNet is already positioned to capture traffic and see the flow of data to and from SaaS
applications. Like most SWGs, CensorNet is based on a forward-proxy architecture, using on-
premises, physical/virtual appliances. CensorNet can also support deployments of the technology in
the cloud. The initial offering is focused on visibility and SaaS application user and policy control.
CipherCloud
CipherCloud was founded in October 2010 and has been shipping a CASB product since March
2011. CipherCloud was an early pioneer in the CASB market, with an initial focus on the encryption
and tokenization of data in some popular enterprise cloud applications. CipherCloud is well-known
for this initial use case and can integrate with on-premises key management, DLP and DCAP
solutions. It has expanded its data protection capabilities to a broad range of structured and
unstructured data within SaaS applications.
In 2013, CipherCloud added content and user monitoring and, more recently, cloud discovery and
SaaS security posture assessment. CipherCloud uses a primary implementation model based on a
reverse-proxy model for Salesforce data protection. It also supports forward-proxy implementations,
for example, with SAP, along with API support for some applications. Although it is available in the
cloud, CipherCloud is predominantly deployed on-premises as a physical or virtual appliance.
CloudLock
CloudLock was founded in January 2011 and has been shipping a CASB product since October
2013. CloudLock is one of the API-only CASBs and can also take log files for cloud service usage
purposes, as well as provide integrations with proxy and firewall vendors. CloudLock has already
established a substantial client base in multiple industry verticals. CloudLock delivers a competitive
set of use case features, such as UEBA for improved threat detection, cloud malware, DLP, DCAP,
data protection of structured and unstructured SaaS, compliance, forensics and security operations.
CloudLock also uses its end users to help "crowdsource" ratings for cloud services for a large
number of cloud services. This community trust rating also enables end users to see a current rating
about why a service has been blocked from use at an organization. CloudLock supports
homegrown and marketplace applications built on public IaaS or PaaS, such as Amazon Web
Services (AWS) and Force.com by enabling customers to embed CloudLock services into their own
applications via APIs.
Elastica
Elastica was founded in January 2012 and has been shipping a CASB product since February 2014.
Elastica is a CASB platform provider with credible capabilities in data science, machine learning and
deep content inspection providing DLP features, application discovery via logs and cloud application
traffic, cloud service assessment ratings, usage analytics, remediation, reporting and visualization.
It uses a forward proxy-based and API architecture supporting agentless methods, as well as
agents for Windows, Mac and iOS endpoints with support for major cloud services. Its distributed
cloud-based solution is based primarily in Amazon, RackSpace and Cisco datacenters. In 2015,
Cisco entered into a reseller agreement where Elastica appears on Cisco's price list and can be sold
by the general Cisco sales force.
FireLayers
FireLayers was founded in November 2013 and has been shipping a CASB product since April 2014.
FireLayers is a reverse-proxy-based CASB provider that also uses APIs. It does not provide cloud
application discovery and SaaS security posture assessments. Instead, it focuses on threat
protection, contextual access control and detailed activity monitoring (with a focus on privileged
account monitoring) for supported SaaS applications and some IaaS services. FireLayers' preferred
deployment option uses a reverse-proxy model with APIs, but it has support for forward-proxy
deployments. FireLayers can also interject user-session-centric authentication mitigation methods,
such as two-factor authentication (2FA), using SMS and captcha for actions in cloud applications.
This is based on a policy in which the cloud service itself doesn't support 2FA or doesn't support the
granular use of 2FA for certain high-risk user and administrative actions. FireLayers delivers its
CASB services from AWS or on-premises with a virtual appliance.
Imperva
Imperva was founded in November 2002 and has been shipping a CASB product from January
2014, when it acquired Skyfence. Imperva's vision is to provide full visibility and protection of data,
whether in on-premises databases, websites, file shares, SharePoint or in SaaS applications.
Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat
protection. Imperva's CASB is provisioned within its existing DDoS and Incapsula cloud WAF and
content delivery network (CDN) offering as SaaS. An on-premises physical or virtual version is also
available. Imperva's primary implementation model is reverse-proxy-based, which is a good fit with the expertise Imperva developed with its WAF (see "Magic Quadrant for Web Application Firewall").
It uses reverse-proxy plus APIs. Imperva also intends to use this technology for the coverage of
internally developed SaaS applications on top of publicly available SaaS services as an integral
component of its DCAP offering.
Microsoft (Adallom)
Adallom was founded in 2012 and has been shipping a CASB product since early 2013. Adallom is a
CASB platform provider that was an early pioneer in adding API-based cloud discovery capabilities
into its CASB reverse proxy platform for extended visibility, including the use of a WAF in the proxy
fabric itself. Adallom uses what it refers to as an "adaptive reverse-proxy model" for its distributed
architecture. This is hosted in multiple cloud data centers worldwide, with providers such as
Amazon, Equinix and Rackspace; however, it is delivered to organizations transparently as SaaS.
Adallom also supports API and forward-proxy methods. It supports an on-premises, virtual
appliance implementation and cloud application discovery, and it provides security posture
assessments. In 2015, Adallom announced a partnership with HP. In September 2015, Microsoft
completed its acquisition of Adallom as an asset to strengthen its Azure and Office 365 capabilities.
Microsoft has stated its intention to continue to provide Adallom's CASB services for non-Microsoft
cloud services, such as Salesforce, ServiceNow and Google Apps. In addition, Adallom offers
encryption of files through partnerships with Secure Islands, HP Atalla and Checkpoint Capsule. It
can also leverage cloud providers' APIs to offer data classification and discovery tools through its
DLP engine to apply controls to newly discovered files at rest or in motion through its hosted
service.
Netskope
Netskope was founded in October 2012 and has been shipping a CASB product since October 2013.
Netskope was one of the first CASB providers to emphasize cloud application discovery and SaaS
security posture assessments as an initial use case for CASB adoption. It has developed deep
visibility into user actions, including user behavior analytics, within managed and unmanaged SaaS
applications, including extensive user activity monitoring and DLP/DCAP capabilities. This also
includes integration with on-premises DLP systems via Internet Content Adaptation Protocol (ICAP).
Netskope's primary implementation model is forward-proxy (with or without agents, depending on
the use case required) or forward-proxy chaining. It added support for reverse-proxy capabilities in
2014 and already supported APIs. Netskope's agents allow for the monitoring and control of native
mobile applications and sync clients, etc. It offers object-level encryption and support for field-level
encryption only with Salesforce. To deliver its CASB services, it uses a globally distributed cloud-
based fabric with points of presence, using its own hardware stack placed in Equinix data centers in
North America, Europe and Asia. It also offers an on-premises virtual or physical appliance
deployment option.
Palerra
Palerra was founded in July 2013 and has been shipping a CASB product since January 2015.
Palerra is another of the API-centric CASBs. Its offering covers SaaS, PaaS and IaaS. Some of its key
features include delivery of user and risk analytics, incident response, case management, threat
intelligence integration and consent-driven remediation. Palerra also delivers SaaS platform security
management (SPSM) features that enable organizations to control the configuration of SaaS and
other cloud services policies centrally from one location. Palerra is delivered from Amazon as SaaS
or from a dedicated appliance hosted there.
Palo Alto Networks
Palo Alto Networks was founded in 2005 and has been shipping a CASB product since September
2015. In May 2015, Palo Alto Networks acquired CirroSecure, an API-only based CASB provider
focused more on SPSM. The new offering is called Aperture. Palo Alto Networks had already been
delivering cloud application discovery capabilities to its customers, so expanding its visibility using
APIs is an extension of its cloud protection strategy for users who are off-premises. The data flows
are not visible to on-premises-based Palo Alto Networks devices without the forced use of a VPN to
the on-premises appliances. Aperture will also provide additional field- and file-level object visibility
into cloud services, on top of what is available from its existing product range for cloud services.
These include content scanning, remediation, analytics, risk identification and reporting.
Skyhigh Networks
Skyhigh Networks was founded in December 2011 and has been shipping a CASB product since
January 2013. Skyhigh Networks was one of the first CASB providers to emphasize the shadow IT
problem with cloud application discovery, and SaaS security posture and risk assessments as a
primary initial use case for CASB platforms. It has built a large installed base and is a multimode
CASB. It has since expanded into data security with DLP/DCAP policies, such as user activity
analytics and monitoring and, more recently, encryption and tokenization of data for a number of
SaaS applications such as Salesforce.
Skyhigh uses a primary implementation model of a reverse-proxy and APIs, as well as supporting
forward-proxy implementations. It uses a deployment model of distributed proxies running in
multiple AWS, Equinix and IBM SoftLayer data centers worldwide. Skyhigh offers an on-premises
virtual appliance option, with an innovative model for on-premises data acquisition via standard
logs. It also provides netflow for additional cloud discovery usage options, while offering client data
protection, so that Skyhigh has no visibility into an organization's data.
Vaultive
Vaultive was founded in January 2009 and has been shipping a CASB product since May 2012.
Vaultive is a CASB provider that has focused on the protection of data in Microsoft's Office 365 suite
of SaaS applications, using proprietary searchable encryption. It has developed extensive expertise
in the handling of Microsoft's disparate protocols used in Office 365 — for example, SMTP, IMAP,
ActiveSync, archiving and e-Discovery. It is also able to encrypt data in Microsoft's OneDrive and
SharePoint online offerings. Recently, it has expanded its cloud portfolio to other Microsoft SaaS
applications, such as Dynamics Online and Yammer. Other cloud services include Salesforce,
ServiceNow, SuccessFactors, Workday, Google Apps and Box. Its primary implementation model is
forward-proxy-based; however, it supports reverse-proxy implementations as well.
The following vendors provide features that can also be considered CASB functionality:
Armor5
BetterCloud
IBM
Ionic Security
Protegrity USA
Saviynt
SkyFormation
Vormetric
Trend Micro
Market Recommendations
IT security leaders should:
Immediately review their enterprise application providers' cloud, mobile and on-premises
enterprise software roadmaps for the cloud to understand their organizations' direction and
velocity and how they're aligning with their security architectures and budgeting strategies.
Facilitate and support these plans, but play a significant role in leading the shift of applications
and services to the cloud. Therefore, IT security leaders' goal should be to avoid being the
"no" team; instead, they should be the "yes we can and here's how" team.
Get your IDaaS house in order prior to or during the selection of CASBs, because it's a
foundational control that will make cloud service adoption more efficient and secure. Some
CASBs provide entry-level capabilities to stretch Active Directory into the cloud; however, this
is likely to be more of a stopgap measure, until a comprehensive IDaaS strategy can be
delivered.
Consider the differences of CASBs that are multimode versus those that are API-only to
ensure a successful deployment.
Start with an investigation of what cloud services are being used in your environment. This will
help level set "how big the problem actually is" (or isn't) and provide insight into how many
cloud services you have to sanction, remediate, control, monitor or block.
Establish enterprisewide data security governance policies that prioritize the protection of
sensitive data and establish the appropriate data security controls from a CASB before using a
SaaS.
Look for ways not to stop cloud usage, but, instead, to encourage its use by encouraging the
use of cloud services that are "enterprise ready."
Look for CASBs that:
Support the widest range of cloud applications services that you are running today and
plan to consume in the coming 12 to 18 months.
Support your mobile computing usage patterns (managed versus BYOD, etc.).
Work effectively with your network topology.
Allow for an acceleration of cloud service adoption by effectively controlling sanctioned
cloud services and aid in the selection of proposed new cloud services that are
enterprise-ready.
Ease your compliance burden for cloud services.
Support the modes of operation that align with your core use cases. For example, an API-
only CASB could be sufficient for your needs or, alternatively, in-line features may need to
be deployed for your organization, so an API-only CASB will only partially meet these
needs.
Integrate with your existing controls — for example, IAM, SWG and events going into
your central log management or SIEM.
Consider other cloud usage patterns of B2B- and B2C-based cloud services in which you have
sporadic use; however, you should maintain control, and a CASB may be able to cover these
interactions with your organization's data, by people outside your organization.
© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be
reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the
Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies
in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that
have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research
is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the
independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.”