29/1/2016

MarketGuideforCloudAccessSecurityBrokers

MarketGuideforCloudAccessSecurity
Brokers
22October2015ID:G00274053
Analyst(s):C raigLawson,NeilMacDonald,BrianLowans

VIEWSUMMARY
Thecloudaccesssecuritybrokermarketisrapidlyevolving,withvendorsprovidingawiderangeof
securityfeaturesandmultipledeliveryoptions.CASBisarequiredsecurityplatformfor
organizationsusingcloudservices,andsecurityleadersshouldusethisresearchtoshortlistCASB
providers.

STRATEGICPLANNINGASSUMPTIONS
Through2020,95%ofcloudse curityfailure swill
be the custom e r'sfault.
By2020,85%oflarge e nte rprise swilluse acloud
acce ssse curitybrok e rproductforthe ircloud
se rvice s,whichisupfrom fe we rthan5%today.

EVIDENCE

Overview
KeyFindings
Thecloudaccesssecuritybrokermarkethasevolvedrapidlysinceitsgestationperiodin2012,
andithasrapidlybecomeanecessarycloudsecuritycontroltechnology,regardlessofthe
industryvertical,fororganizationsadoptingmultiplecloudservices.
CASBsprimarilyaddressbackofficeapplicationsdeliveredasSaaS(e.g.,CRM,ERP,HR,
productivityandservicedesks).Applicationsfocusedonspecificindustrysectors,suchas
healthcareandgeneralcloudservices(e.g.,businessintelligence),arenotwellcovered.
SaaSdominatesCASBcoverage,andinfrastructureasaservicesupportisimproving
however,platformasaservicecoverageislimited.SaaSandIaaSarethemainareasseeing
servicesupportandfeatureimprovements.
EnterprisebusinessunitsareacquiringcloudservicesdirectlywithoutinvolvingtheIT
organization.Thisisfuelinggrowthincloudserviceadoption.
Thewideadoptionofidentityasaserviceandidentityandaccessmanagementintothecloud,
meaningasingleidentitystore,hasreducedthefrictioninadoptingCASBsandcloudservices.
Providersinthismarketaremainlyfueledbyventurecapitalfundingtherefore,thenumberof
providerswillconsolidateatapproximatelysevenorfewerstandalonevendorsby2018.

Recommendations
SecurityleadersshoulddeployCASBforthecentralizedcontrolofmultipleservicesthatwould
otherwiserequireindividualmanagement.
SecurityleadersshoulduseGartner'sfourpillarsofCASBdefinitionasaguideforselectingthe
providersthatbestaddresscloudservicesecurityusecases.
Securityleadersshouldbecautiouswhenenteringintolongtermcontracts.Buildinflexibility,
becauseyoumayneedmorethanoneCASBoryoumayneedtotransitionfromyourcurrent
providertoonedeliveringacompletesetofyourusecasesduringthenexttwoyears.

MarketDefinition
Thisdocumentwasrevisedon26October2015.Formoreinformation,seetheCorrectionspage.
Cloudaccesssecuritybrokers(CASBs)addressgapsinsecurityresultingfromthesignificant
increasesincloudserviceandmobileusage.Theydelivercapabilitiesthataredifferentiatedand
generallyunavailabletodayinsecuritycontrolssuchasWebapplicationfirewalls(WAFs),secure
Webgateways(SWGs)andenterprisefirewalls.CASBsprovideasinglepointofcontrolover
multiplecloudservicesconcurrently,foranyuserordevice.

CirroSecure/PaloA lto
http://www.4trade rs.com /PALO ALTO NETW O R KS
INC 11067980/ne ws/PaloAltoNe twork s
Acquire sC irroSe cure C irroSe cure 20488890/
http://www.C irroSe cure .com /
A dallom/HP
https://www.adallom .com /partne rs/hp/
http://www8.hp.com /us/e n/software
solutions/clouddatase curity
gove rnance /inde x .htm l
http://www8.hp.com /us/e n/hpne ws/pre ss
re le ase .htm l?id=1964113#.VgTm IC C qpBc
A dallom/Microsoft
http://www.re ute rs.com /article /2015/07/20/us
adallom m am icrosoftidUSKC N0PU0I720150720
http://www.wsj.com /article s/m icrosoftplansto
buyisrae licloudse curityfirm adallom for320
m illion1437390286
http://the ne x twe b.com /m icrosoft/2015/07/19/m ic
rosoftre porte dlyacquire scloudse curityfirm
adallom for320m illion/
http://se e k ingalpha.com /ne ws/2637425
m icrosofttobuyadallom for320m
CheckPoint/FireLayers
http://e x te ndse curity.fire laye rs.com /
http://be tane ws.com /2015/10/05/fire laye rsand
che ck pointbringse curitytoe nte rprise cloud
apps/
Perspecsys/BlueCoat
https://www.blue coat.com /com pany/ne ws/blue
coatacquire spe rspe csysm ak e publiccloud
private
http://pe rspe csys.com /pe rspe csysacquire dby
blue coatsyste m s/
Skyfence/Imperva
http://www.im pe rva.com /Products/Sk yfe nce
Elastica/Centrify
https://www.e lastica.ne t/2014/02/ce ntrifyand
e lasticapartne rtoprovide com pre he nsive cloud
se curitysolutionforsaasapplications/

CASBsprimarilyaddressSaaSbackofficeenterpriseapplicationstoday,suchasCRM,HR,ERP,
servicedeskandproductivityapplications(e.g.,GoogleAppsforWorkandMicrosoftOffice365).
Theyincreasinglysupportthecontrolofenterprisesocialnetworkinguse,andpopularinfrastructure
asaservice(IaaS)andplatformasaservice(PaaS)providers.However,weanticipateabattlefor
thecontrolofthisemergingtechnologyclass,andvendorswillbeacquiringorbuildingCASB
offeringsduringthenextthreeyears.

http://blog.ce ntrify.com /ce ntrifypartne rswith

e lasticaforacom pre he nsive saasse curity
analyticssolution/

CASBsdeliverfunctionalityaroundfourpillarsoffunctionality,whichareofequalimportance(see
"TechnologyOverviewforCloudAccessSecurityBroker"):

https://www.e lastica.ne t/2015/04/ciscotooffe r

e lasticashadowitandcasbsolutionto
e nte rprise s/

VisibilityCASBsprovideshadowITdiscoveryandsanctionedapplicationcontrol,aswellas
aconsolidatedviewofanorganization'scloudserviceusageandtheuserswhoaccessdata

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

Elastica/Cisco
http://www.busine sscloudne ws.com /2015/04/22/ci
scoe lasticajoinforce soncloudse curity
m onitoring/

Skyfence/Websense
http://finance .yahoo.com /ne ws/im pe rva

1/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers
fromanydeviceorlocation.
ComplianceCASBsassistwithdataresidencyandcompliancewithregulationsand
standards,aswellasidentifycloudusageandtherisksofspecificcloudservices.
DatasecurityCASBsprovidetheabilitytoenforcedatacentricsecuritypoliciestoprevent
unwantedactivitybasedondataclassification,discoveryanduseractivitymonitoringofaccess
tosensitivedataorprivilegeescalation.Policiesareappliedthroughcontrols,suchasaudit,
alert,block,quarantine,deleteandencrypt/tokenize,atthefieldandfilelevelincloud
services.
ThreatprotectionCASBspreventunwanteddevices,usersandversionsofapplications
fromaccessingcloudservices.Otherexamplesinthiscategoryareuserandentitybehavior
analytics(UEBA),theuseofthreatintelligenceandmalwareidentification.

ThistechnologyisavailableasaSaaSapplicationoronpremisesviavirtualorphysicalappliance
formfactors(see"TechnologyOverviewforCloudAccessSecurityBroker").TheSaaSformfactoris
appreciablymorepopularthantheonpremisesflavorsofthistechnology,anditisincreasinglythe
preferredoptionformostusecases.However,theonpremisesversionsaremeetingspecificuse
casesinwhichregulatoryand/ordatasovereigntyrequireanonpremisesanswer.
Initially,themarketwassegregatedbetweenprovidersthatdeliveredtheirCASBfeaturesvia
forwardand/orreverseproxymodesandothersthatusedAPImodesexclusively.Increasingly,a
growingnumberofCASBsofferachoicebetweenproxymodesofoperationandalsosupportAPIs.
Gartnerreferstothisas"multimodeCASBs."Theygivetheircustomersawiderrangeofchoicesin
howtheycancontrolalargersetofcloudapplications.(See"SelecttheRightCASBDeploymentfor
YourSaaSSecurityStrategy"formoredetailsonthiscriticaldeploymentconsideration.)
OrganizationsneedtolookpastCASBproviders'"listsofsupportedapplicationsandservices,"
becausethereare(sometimessubstantial)differencesinthecapabilitiessupportedforeachspecific
cloudservice,basedontheirfeatures,theCASBarchitecturesusedandtheorganizations'end
usercomputingmodels.Forexample,oneCASBversion's"supportforSalesforceorOffice365"can
bemarkedlydifferentfromanother's,dependingonbringyourowndevice(BYOD)usecases,even
thoughboth"onpaper"supporttheseapplications.ProxyorAPIarchitecturesfromCASBhave
differentabilitiestoperformdifferentactions,whichhavevariousimplicationsforhowthatprovider
deliversthefourpillarsforaspecificcloudservice.
ThematuritylevelofAPIsacrosscloudserviceproviderstodayiswildlydivergent.Organizations
suchastheCloudSecurityAlliancearetryingtoaddressthisproblembyworkingwiththeindustry
todevelopasetofcommon,openAPIstandards.Regardlessofthiswork,Gartnerexpectscloud
applicationandservicesproviderstodeveloptheirAPIssignificantlyduringthenexttwotothree
years,eveniftheyarenotpursuingcompliancewithanindustrystandard.APIswillincreasingly
delivermoreutility,supportingthepotentialfornewersecurityusecasesnotyetthoughtof.Inthe
longterm,APIshavethepotentialtoobviatehavingtointercepttrafficwithproxiesiftheymature
tothepointwhererealtimevisibilityandcontrolbecomepossible.

EnterpriseIntegration
CASBsprovideanumberofcriticalpointsofintegrationwiththeenvironment,andtheseintegration
pointsplayanimportantroleinpreventingenterprisesecuritydeliveryfrombecomingyetanother
silo.CASBintegrationpointscoveridentityandaccessmanagement(IAM)integrationreuseof
datasecuritypoliciesforthecloudandeventintegrationwithtechnologiessuchassecurity
informationandeventmanagement(SIEM)forasingleviewofanorganization'ssecurityevents,
plussupportforanumberofexistingsecurityprocessessuchasincidentresponse.CASBs
themselvesofferAPIsthatcanbeusedbyenterprisestotakeadvantageofautomationand
integrationopportunitiesandtoinstrumentthemwithotherenterprisemanagementtools.

sk yfe nce raythe onwe bse nse te am

110000104.htm l
http://www.re ute rs.com /article /2015/07/27/idUSn
GNX576C gq+1c4+GNW 20150727
Bitglass
http://www.bitglass.com /com pany/partne rs
CloudSecurityA lliance
C loudSe curityAlliance work ingwithindustryon
the cloudse curityope nAPIwork inggroup
https://cloudse curityalliance .org/m e dia/ne ws/ciph
e rcloudandcloudse curityalliance forge cloud
se curitywork inggroup/
https://cloudse curityalliance .org/group/ope napi/

NOTE1
ENDPOINTBASEDCLOUDDATAPROTECTION
SOLUTIONS
The se ve ndors,whichfalloutside the scope of
thisre se arch,use ane ndpointbase dapproach.
Thisistypicallyanage ntorbrowse rplugin,use d
togainvisibilityoftraffictoandfrom cloudbase d
SaaSapplicationsandforthe prote ctionofcloud
data.Mostofthe ve ndorsfocusonSaaS
e nte rprise file synchronizationandsharing(EFSS)
applications,suchasBox ,Dropbox ,O ne Drive and
Google Drive .Ifthe prim aryre quire m e ntforthe
organizationisthe prote ctionofdatainanEFSS
application,the se ve ndorsoffe ranalte rnative to
the m e diationbase dapproache sviaprox ie sand
APIsofthe C ASBplatform provide rs.The
followingve ndorsprovide solutionsinthisare a:
Box cryptor
C e nte rToolsSoftware
C loudC rypt
C ovata
C ryptzone
Fasoo
nC rypte dC loud
O hanae
Se archYourC loud
Se cure IslandsTe chnologie s
Se cure Age Te chnology
Sook asa
Sophos
Ve ra
Viivo(PKware )

NOTE2
CLOUDAPPLICATIONDISCOVERY
The se ve ndorsdonotsupplyC ASBplatform s,but
provide visibilityintocloudapplicationusage :
MicrosoftAzure C loudAppDiscove ry
O pe nDNS
Inte lSe curity(McAfe e )

CrossOverTechnologiesinCASB
AlthoughCASBsdeliveranumberof"netnew"featurestothesecuritytechnologylandscape,they
arealsodeliveringfeaturesthathavebeenfoundhistoricallyinothertechnologysiloesorsolution
sets.Primarily,thesecomeintheformoftokenization,encryption,datalossprevention(DLP)and
analytics.
EnterprisesshouldnottreatdatausedincloudSaaSapplicationsinisolationfromonpremisesdata
environments.Thereisacriticalneedtoestablishenterprisewidedatasecuritypoliciesandcontrols
basedondatasecuritygovernanceprocesses.However,datasecuritycapabilitiesshouldbe
integratedwithonpremisesenterprisedatasecuritysolutionsforDLP,datacentricauditand
protection(DCAP),encryption,tokenization,useractivitymonitoringandanalytics.

DLPandDCAP
ManyCASBsprovidedataclassificationanddiscoverycapabilitieswithbuiltinpolicytemplates,as
wellasdocumentcontrols,suchasfingerprintingandwatermarking,whicharemergingcapabilities
frombothDLPandDCAP(see"MarketGuideforDataCentricAuditandProtection")methodologies.
Policiescanenableautomaticblocking,quarantining,encryption/tokenization,etc.,beforedatais
loadedintoaSaaSorasaforensiccapabilityafterthefact,andsomeSaaSapplicationsare
beginningtoofferDLPlikefunctionality.ViatheirownDLPengines,severalCASBproductscanalso
integratedirectlywithenterpriseDLPproductsthroughAPIstoensurepolicyuniformitybetween
onpremisesnetworkDLPandCASBDLPpolicies(see"OvercometheLimitationsofDLPforMobile
Devices").
CASBsarealsodevelopingoverlappingDCAPpolicycapabilities,suchasuseractivitymonitoring
thatcandetectanomalousdataaccessorprivilegechanges,auditreports,andrealtimesecurity

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

2/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers

alertsorblocking,etc.Inaddition,cloudapplicationandservicesprovidersarealsobuildingDLP
functionalityintotheapplicationorserviceitself.OneexampleisMicrosoftaddingDLPtomultiple
areasoftheOffice365platform(see"DataLossPreventioninMicrosoftOffice365").Anadvantage
ofaCASBovernativeDLPcapabilitiesisconsistencyforexample,onecanapplyasetofcommon
DLPpoliciesthatextendstomultipleservicesandevenmultipleproviders,reducingtheoveralltime
requiredfordevelopingandenforcingpolicies.

SecurityAnalyticsandUEBA
AnumberofCASBsemployadvancedanalytics,usingtechniquessuchasmachinelearningand
anomalydetection.Scalabilityofanalyticsisefficientlysupportedinthecloud,duetoitsabilityto
scalehorizontallytoenablehighingestratesandtimelyresponses.CASBsareusingthisscalability
togoodadvantageindeliveringoutcomesthatmonitordozensofattributes(suchascloudservice,
field,file,object,user,location,deviceandactionrequested)againstbehaviorandusagepatterns.
ThisgivesCASBstheabilitytoperformsophisticatedthreatandmisusedetection,whichcanthen
enableblockingoptionsattheuser,objectanddevicelevels.Thisclearlyshowsanotherapproach
embeddedintheCASBplatformstoperformsecurityanalyticsandUEBA(see"MarketGuidefor
UserandEntityBehaviorAnalytics").

EncryptionandTokenization
CASBsprovideacommonpointofencryptionandtokenizationforcloudapplications,makingit
anothertechnologythatorganizationsneedtomanage.Althoughit'sanextratechnologyto
manage,thebenefitisthatit'sonlyoneplaceformanycloudapplicationsandservices.This
reinforcestheneedtounderstandthelevelofdatasecurityprovidedincontextwithpotential
tradeoffsinfunctionalityandcompliance.Theselectionofaparticularmodeofoperationhasan
effectonthecryptographyanddatasecuritymechanismsavailable:
ReverseproxyThiscanbedeployedasagatewayonpremisesorthemorepopularSaaS
option.Theonpremisesoptionprovidesfullphysicalcontroloverkeymanagementandthe
applicationofcryptographysolutionsonpremiseswithnoaccessbytheCASBorcloudservice
provider(CSP).However,thefunctionalityprovidedbythetargetSaaSwillbeaffected.With
hostedreverseproxy,theremaybeindirectaccesstothekeymanagementsystemand
keys/tokensbeingusedinthecloudbytheCASBand/orCSP.
ForwardproxyThiscanbedeployedasahostedsolutionoronpremises,andsome
vendorsmaydeploysoftwareagentsonendpointdevicesthatactuallyemploythe
cryptographicservices.TheCASBtypicallyprovidesencryptionkeys/tokenstotheendpoints
usingasymmetrickeydistributiontechniquesorVPNconnections.Itmayuseselfsigneddigital
certificatesorsupportedthirdparties,oritmayprovidekeymanagementsolutionsthatare
managedbytheenterprise.
APImodeThiseffectivelymovestheencryptionenginetotheCSPitself.Thismodealso
enablesorganizationstoperformdatasecurityinspectionfunctionsonalldata"atrest"inthe
cloudapplicationorservice.TheCASBmayofferonpremisesorhostedkeymanagement
options.APImodemakesitpossibletotakeadvantageofagrowingnumberofnativedata
protectiontoolsofferedindependentlybytheSaaSapplicationsthemselves(e.g.,Salesforce),
wherebytheyperformencryption/tokenizationfunctions,buttheendusersstillcontrolthe
keys.
EndpointagentNoCASBcanoperateexclusivelyontheendpoint,butseveralvendorsoffer
optionalendpointsoftwareforpurposessuchascloudapplicationdiscoveryandtracking,
routingtotheproxy,andobjectencryptionanddecryption.
Theselectionofaparticularcryptographicalgorithmandkeymanagementwillalsoaffectthelevel
ofdatasecurityprovidedasadirecttradeofftofunctionalitythathasbeenenabled.Forstructured
datatypes,itmaystillbepossibletoachievesearchandsort,evenifthefieldsareencryptedor
tokenizedhowever,otherSaaSfunctionswillbelost.Forunstructuredfilesthatareencrypted
throughaproxy,searchanddocumentpreviewfunctionalitywillbelost.
Inaddition,thechoiceofencryptionalgorithmortokenizationmethodappliedmayaffecttheability
toachievecompliance,becausefunctionalitymayhavebeentradedoffagainstthestrengthof
cryptographyforexample,byweakeningthealgorithmoraddingexternalmetadata.Theuseof
cloudbasedkeymanagementsolutionsraisesthepotentialforapplicationadministrators,who
oftenaren'tinthesecurityorevenintheITteamaltogether,accessingtheencryptionkeys/tokens
intheclear.

MarketDirection
TheCASBmarkethasevolvedquicklyfromitsgestationperiodin2012.Althoughmostofthe
providersarestillstartupsrunningoffventurecapitalfunding,themarketissuddenlylookingasifit
willmaturerapidly.Gartnerseessignsofthreemovementsinthismarket:
Acquisitions
EstablishedvendorsenteringintogotomarketpartnershipswithCASBproviders
CASBfeaturedeliveryfromvendorsexpandingfeaturesorganicallyorwithnewproduct
releases
Somenotableeventsthatalignwiththesemarketevolutiontrendsinclude:
CheckPointSoftwareTechnologies'partnershipwithFireLayers(October,2015)
IBM'sentryintotheCASBmarket(September2015)
Microsoft'sacquisitionofAdallom(September2015)

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

3/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers
Deloitte'spartnershipwithBitglass(September2015)
Imperva'spartnershipwithWebSense(July2015)
BlueCoatSystems'acquisitionofPerspecsys(July2015)
PaloAltoNetworks'acquisitionofCirroSecure(April2015)
Cisco'sresellerarrangementwithElastica(April2015)
HP'sentryintoaresellerarrangementwithAdallom(April2015)
Akamai'sinvestmentinFireLayers(2014)
Imperva'sacquisitionofSkyfence(April2014)
Centrify'spartnershipwithElastica(February2014)

Intermsoftheevolutionofthismarket(asfirstcalledoutin2012,see"TheGrowingImportanceof
CloudAccessSecurityBrokers"),GartnerbelievesthatanintersectionofanSWG,identityasa
service(IDaaS)andaCASBislikelytoarrive.Thiswouldbeanewproductcategoryinwhichall
threeisolatedfeaturesetsbecomeavailablefromthesameprovider.Thereisalsothepossibility
thatthealreadyincreasingly,pairedtogethercloudsecurityservicesofdistributeddenialofservice
(DDoS)andWAFswillalsohaveCASBdeliveredfromthoseproviders.
Mergerandacquisitionactivitieswillbeaninterestingareaofdevelopment,asprovidersthathave
beenacquiredwillhavesignificantlyimprovedroutestomarket,withlargersalesforcesand
channels,aswellasfundingforroadmapexpansion.Thisislikelytoshakeupthemarket
landscape.
Inaddition,theintersectionwithdatasecuritymarkets,suchasDLPandDCAP,willalsodrivethe
evolutiontowardsolutionsthatprotectdatawhereveritresidesintheenterprise,inthecloud,on
premisesandontheendpoint.
TheCASBfeaturesetdescribedbythefourpillarsinexistingGartnerresearchwillremainas
compellingfeaturesfortheforeseeablefuture,regardlessofproviderconsolidationsorthemerging
ofproductfeaturesets.Theseblendedofferingswillbegintopresentadifferentvalueproposition,
withSWG/IDaaS/CASBavailablefromthesameprovider.Regardlessofconsolidation,ITsecurity
leaderswillstilldemandcompetitivefeaturesets,leavingroomforpureplayvendorstocontinueto
leadthemarket.
CASBcapabilitiesaremorematureandtargetedforSaaSthanforIaaSandPaaStoday.Gartner
expectsCASBvendorstoevolvetheircoverageacrossthefourpillarsforIaaSandPaaSinthe
coming12to24monthperiod(seeTable1),whileimprovingcoverageforotherapplications,such
asbusinessintelligence(BI)andindustryspecific(e.g.,healthcare)SaaSapplications.However,
therewillbea"lineinthesand"forCASBinrelationtoIaaSandthelargearrayofpubliccloud
nativeandthirdpartysecuritysolutions.GartnerdoesnotexpectCASBtoenterthevirtualmachine
(VM)persetosupplementexistingpubliccloudagentbased(firewall,DLP,antimalware,etc.)or
virtualappliancebasedsolutions,suchasfirewallsorintrusiondetectionsystems/intrusion
preventionsystems(IDSs/IPSs).However,CASBswillleverageIaaSAPIsforarangeofsecurityuse
cases.

Table1.CASBWillEvolvetoCover
SaaS,PaaSandIaaS
SaaS

PaaS

IaaS

Visibility

C ompliance

DataSecurity

ThreatProtection

Source:Gartner(October2015)

MarketAnalysis
Thismarketisdominatedbystartupsthathavebeenunderwrittenbyaconsiderableamountof
venturecapitalfundingduringthepastthreeyears.Vendorsarestartingtomakeacquisitionsor
partnerwiththeseCASBproviders.CASBcouldalsobeadriverforvendorsinadjacentmarkets
enteringthefrayforexample,enterprisemobilitymanagement(EMM)orothercloudsecurity
deliveryvendors.
GartnerseesthreemacroITtrendsdrivingtheexpansionandmaturationoftheCASBmarket:
Enterprises'movetoadoptnonPCformfactorsThemassiveenterpriseadoptionof
tabletsandsmartphonesforcorebusinessprocessescreatessecurityrisksthatcanbe
mitigatedeffectivelywiththeassistanceofaCASB.Theaverageenterpriseenduseris
spendingsignificantlymore"screentime"onthesenonPCformfactors,andCASBhelps
securethecloudapplicationandtheservicesideofthisequation.
ThemovetocloudservicesThisissignificantlyaccelerating,withSaaSbeingapproximately
2.5timesbiggerthanIaaSinspending(see"Forecast:PublicCloudServices,Worldwide,
20132019,2Q15Update").Itisdrivingtheneedtohavesecuritytechnologycapableof
providingsimilarsecurityfunctions,butforadifferentmodelofcomputing.Significantamounts
ofspendingandcomputingwillaggregatearoundthetopcloudserviceproviders.Thiswill

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

4/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers
haveanimpactononpremisesbasedtechnologyinthelongterm,includingthesecurity
softwareandappliancemarkets.
HeavycloudinvestmentsMostlargeenterprisesoftwareproviders,suchasOracle,IBM,
MicrosoftandSiebel,arenowheavilyinvestedincloud,andareactivelydrivingtheirlarge
clientbasestousetheircloudservices.Theenterprisesoftwareupgradecyclewillorganically
leadenterprisestothecloudasanaturalevolution.EnterprisesecurityteamswillneedCASB
likefeaturestodealwiththesecurityimplicationsofthatevolution.

Theforcesofcloudandmobilityfundamentallychangehow"packets"(andthedatainthem)move
betweenusersandapplications.Thiscausesaneedtoadjustthelistandtheprioritiesof
investmentinsecuritycontrolsforanorganizationconsumingcloudservices.
However,theclimateforcloudisshowinggeographicaldifferences(see"SurveyAnalysis:
GeographicDifferencesAmongBuyersCloudServicesPlanning,AdoptionandStrategy,2015").
AlthoughtheU.S.isconsumingthemostcloudtoday,partsofLatinAmericaandtheAsia/Pacific
regionhavethehighestpercentageofendusersexpectingtosignificantlyincreasetheircloud
spending.CASBwillalwaystightlyfollowgeographicalandorganizationspecificcloudadoption
patterns,whichrequirecloudusagetoexist(orbeplanned)priortoCASBadoption.
Thesecurityindustryhasahistoryofstartupsquicklyenteringmarketsandperformingalevelof
disruptionthathasn'tbeenimmediatelycounteredbyincumbentvendors.Thishasbeenthecase
fortheCASBmarket.TheleadingCASBprovidersareseeingvaluationsofmorethan$300million,
makingthemrelativelylargeacquisitionsforexistingproviders.

RepresentativeVendors
ThevendorslistedinthisMarketGuidedonotrepresentanexhaustivelist.Thissectionisintendedto
providemoreunderstandingofthemarketanditsofferings.Itisnot,norisitintendedtobe,alistofall
vendorsorofferingsonthemarket.Itisnot,norisitintendedtobe,acompetitiveanalysisofthe
vendorsdiscussed.
Atthisstageofthemarket'sevolution,wehavetworoughgroupsofproviderscategorizedby
multipletiers.TheTier1CASBprovidershaveestablishedthemselvesintheCASBmarketand
frequentlyappearonshortlistsindiscussionswithGartnerclients,acrossawiderangeofindustry
verticals.SeveralwereearlypioneersinspecificCASBusecases.Theyhavealsogainedlarger
marketadoptionthanothermarketplayers.Severalhavepartneredwithlargerproviders,suchas
HPandCisco,andonewasrecentlyacquiredbyMicrosoft.
TheothertierofCASBsareoftencompetitivewiththeTier1providersforspecificusecases.The
differentiatorsbetweenthetiersarecategorizedbythematurityoftheproduct,itsabilitytoscale,
partnershipsandchannels,timeinthemarket,abilitytoaddressamajorityofpopularusecasesin
mostindustries,geographicalconstraints,marketshareandvisibilityinGartner'sclientbase.

Bitglass
BitglasswasfoundedinJanuary2013andhasbeenshippingaCASBproductsinceJanuary2014.
Bitglassintegratesseveralmobiledatamanagement(MDM)andIAMcapabilitiesintoitsoffering,
suchasremotewipeandsinglesignon(SSO)andSecurityAssertionMarkupLanguage(SAML)
proxy,providingbasicMDMandIDaaScapabilities.Italsointegratesseveraldatasecuritypolicy
capabilities,inadditiontointegratingwithsomeDLPvendorsolutions.Withafocusonsensitive
datadiscovery,classificationandprotection,italsoincludesseveraldocumentmanagement
protectioncapabilities,suchaswatermarkingandencryptionmethodsthatsupportsearchand
sort.BitglassprovidescloudapplicationdiscoveryandalimitedSaaSsecuritypostureassessment
database.BitglassisnowamultimodeCASB,withtherecentadditionofAPIsupportontopof
forwardandreverseproxymodesoriginallydelivered.

BlueCoatSystems(Perspecsys)
BlueCoatwasfoundedin1996andhasbeenshippingaCASBproductfromJuly2015,withthe
acquisitionofPerspecsys.PerspecsyswasanearlyentrantintotheCASBmarket,offeringafocus
ondataresidencyandprotectionwiththetokenizationofdatainvariouscloudservices,suchas
Salesforce,ServiceNowandSuccessFactors.Itoffersitsownproprietarytokenizationmethodsand
hasauniquemodeltoofferintegrationwiththeenterpriseschosendataprotectionsuite,which
mayalreadybedeployedonpremises.ThisismostfrequentlydeployedwithproductsfromHP's
Voltage,GemaltoSafeNetandtheJavaAES256module.
PerspecsyshasnotyetdeliveredacloudapplicationdiscoveryandSaaSsecurityposture
assessmentdatabasehowever,itisavailablefromtheBlueCoatSWGproduct.Itsimplementation
modelisreverseproxybased,usinganonpremisesphysicalorvirtualappliance.BlueCoathasnot
yetpubliclydisclosedaroadmapfortheintegrationofthesetechnologiesintoacommonsecurity
policyandprocessingfabric.

CensorNet
CensorNetwasfoundedinFebruary2007andhasbeenshippingaCASBproductsinceApril2015.
CensorNetisoneofthenewestentrantsintotheCASBmarket.BasedonitsexistingSWGplatform,
CensorNetisalreadypositionedtocapturetrafficandseetheflowofdatatoandfromSaaS
applications.LikemostSWGs,CensorNetisbasedonaforwardproxyarchitecture,usingon
premises,physical/virtualappliances.CensorNetcanalsosupportdeploymentsofthetechnologyin
thecloud.TheinitialofferingisfocusedonvisibilityandSaaSapplicationuserandpolicycontrol.

CipherCloud
http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

5/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers

CipherCloud
CipherCloudwasfoundedinOctober2010andhasbeenshippingaCASBproductsinceMarch
2011.CipherCloudwasanearlypioneerintheCASBmarket,withaninitialfocusontheencryption
andtokenizationofdatainsomepopularenterprisecloudapplications.CipherCloudiswellknown
forthisinitialusecaseandcanintegratewithonpremiseskeymanagement,DLPandDCAP
solutions.Ithasexpandeditsdataprotectioncapabilitiestoabroadrangeofstructuredand
unstructureddatawithinSaaSapplications.
In2013,CipherCloudaddedcontentandusermonitoringand,morerecently,clouddiscoveryand
SaaSsecuritypostureassessment.CipherCloudusesaprimaryimplementationmodelbasedona
reverseproxymodelforsalesforcedataprotection.Italsosupportsforwardproxyimplementations
forexample,withSAP,alongwithAPIsupportforsomeapplications.Althoughitisavailableinthe
cloud,CipherCloudispredominantlydeployedonpremisesasaphysicalorvirtualappliance.

CloudLock
CloudLockwasfoundedinJanuary2011andhasbeenshippingaCASBproductsinceOctober
2013.CloudLockisoneoftheAPIonlyCASBsandcanalsotakelogfilesforcloudserviceusage
purposes,aswellasprovideintegrationswithproxyandfirewallvendors.CloudLockhasalready
establishedasubstantialclientbaseinmultipleindustryverticals.CloudLockdeliversacompetitive
setofusecasefeatures,suchasUEBAforimprovedthreatdetection,cloudmalware,DLP,DCAP,
dataprotectionofstructuredandunstructuredSaaS,compliance,forensicsandsecurityoperations.
CloudLockalsousesitsenduserstohelp"crowdsource"ratingsforcloudservicesforalarge
numberofcloudservices.Thiscommunitytrustratingalsoenablesenduserstoseeacurrentrating
aboutwhyaservicehasbeenblockedfromuseatanorganization.CloudLocksupports
homegrownandmarketplaceapplicationsbuiltonpublicIaaSorPaaS,suchasAmazonWeb
Services(AWS)andForce.combyenablingcustomerstoembedCloudLockservicesintotheirown
applicationsviaAPIs.

Elastica
ElasticawasfoundedinJanuary2012andhasbeenshippingaCASBproductsinceFebruary2014
ElasticaisaCASBplatformproviderwithcrediblecapabilitiesindatascience,machinelearningand
deepcontentinspectionprovidingDLPfeatures,applicationdiscoveryvialogsandcloudapplication
traffic,cloudserviceassessmentratings,usageanalytics,remediation,reportingandvisualization.
ItusesaforwardproxybasedandAPIarchitecturesupportingagentlessmethods,aswellas
agentsforWindows,MacandiOSendpointswithsupportforamajorcloudservices.Itsdistributed
cloudbasedsolutionisbasedprimarilyinAmazon,RackSpaceandCiscodatacenters.In2015,
CiscoenteredintoareselleragreementwhereElasticaappearsonCiscopricelistandcanbesold
bythegeneralCiscosalesforce.

FireLayers
FireLayerswasfoundedinNovember2013andhasbeenshippingaCASBproductsinceApril2014.
FireLayersisareverseproxybasedCASBproviderthatalsousesAPIs.Itdoesnotprovidecloud
applicationdiscoveryandSaaSsecuritypostureassessments.Instead,itfocusesonthreat
protection,contextualaccesscontrolanddetailedactivitymonitoring(withafocusonprivileged
accountmonitoring)forsupportedSaaSapplicationsandsomeIaaSservices.FireLayers'preferred
deploymentoptionusesareverseproxymodelwithAPIs,butithassupportforforwardproxy
deployments.FireLayerscanalsointerjectusersessioncentricauthenticationmitigationmethods,
suchastwofactorauthentication(2FA),usingSMSandcaptchaforactionsincloudapplications.
Thisisbasedonapolicyinwhichthecloudserviceitselfdoesn'tsupport2FAordoesn'tsupportthe
granularuseof2FAforcertainhighriskuserandadministrativeactions.FireLayersdeliversits
CASBservicesfromAWSoronpremiseswithavirtualappliance.

Imperva
ImpervainwasfoundedinNovember2002andhasbeenshippingaCASBproductfromJanuary
2014,whenitacquiredSkyfence.Imperva'svisionistoprovidefullvisibilityandprotectionofdata,
whetherinonpremisesdatabases,websites,fileshares,SharePointorinSaaSapplications.
Impervafocusesonprovidingdetaileduseractivitymonitoring,cloudDLP,accesscontrolandthreat
protection.Imperva'sCASBisprovisionedwithinitsexistingDDoSandIncapsulacloudWAFand
contentdeliverynetwork(CDN)offeringasSaaS.Anonpremisesphysicalorvirtualversionisalso
available.Imperva'sprimaryimplementationmodelisreverseproxybased,whichisagoodfitwith
theexpertiseImpervadevelopedwithitsWAF(see"MagicQuadrantforWebApplicationFirewall").
ItusesreverseproxyplusAPIs.Impervaalsointendstousethistechnologyforthecoverageof
internallydevelopedSaaSapplicationsontopofpubliclyavailableSaaSservicesasanintegral
componentofitsDCAPoffering.

Microsoft(Adallom)
Adallomwasfoundedin2012andhasbeenshippingaCASBproductsinceearly2013.Adallomisa
CASBplatformproviderthatwasanearlypioneerinaddingAPIbasedclouddiscoverycapabilities
intoitsCASBreverseproxyplatformforextendedvisibility,includingtheuseofaWAFintheproxy
fabricitself.Adallomuseswhatitreferstoasan"adaptivereverseproxymodel"foritsdistributed
architecture.Thisishostedinmultipleclouddatacentersworldwide,withproviderssuchas
Amazon,EquinixandRackspacehowever,itisdeliveredtoorganizationstransparentlyasSaaS.
AdallomalsosupportsAPIandforwardproxymethods.Itsupportsanonpremises,virtual
applianceimplementationandcloudapplicationdiscovery,anditprovidessecurityposture
assessments.In2015,AdallomannouncedapartnershipbyHP.InSeptember2015,Microsoft

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

6/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers

completeditsacquisitionofAdallomasanassettostrengthenitsAzureandOffice365capabilities.
MicrosofthasstateditsintentiontocontinuetoprovideAdalllom'sCASBservicesfornonMicrosoft
cloudservices,suchasSalesforce,ServiceNowandGoogleApps.Inaddition,Adallomoffers
encryptionoffilesthroughpartnershipswithSecureIslands,HPAtallaandCheckpointCapsule.It
canalsoleveragecloudproviders'APIstoofferdataclassificationanddiscoverytoolsthroughits
DLPenginetoapplycontrolstonewlydiscoveredfilesatrestorinmotionthroughitshosted
service.

Netskope
NetskopewasfoundedinOctober2012andhasbeenshippingaCASBproductsinceOctober2013.
NetskopewasoneofthefirstCASBproviderstoemphasizecloudapplicationdiscoveryandSaaS
securitypostureassessmentsasaninitialusecaseforCASBadoption.Ithasdevelopeddeep
visibilityintouseractions,includinguserbehavioranalytics,withinmanagedandunmanagedSaaS
applications,includingextensiveuseractivitymonitoringandDLP/DCAPcapabilities.Thisalso
includesintegrationwithonpremisesDLPsystemsviaInternetContentAdaptationProtocol(ICAP).
Netskope'sprimaryimplementationmodelisforwardproxy(withorwithoutagents,dependingon
theusecaserequired)orforwardproxychaining.Itaddedsupportforreverseproxycapabilitiesin
2014andalreadysupportedAPIs.Netskope'sagentsallowforthemonitoringandcontrolofnative
mobileapplicationsandsyncclients,etc.Itoffersobjectlevelencryptionandsupportforfieldlevel
encryptiononlywithSalesforce.TodeliveritsCASBservices,itusesagloballydistributedcloud
basedfabricwithpointsofpresence,usingitsownhardwarestackplacedinEquinixdatacentersin
NorthAmerica,EuropeandAsia.Italsooffersanonpremisesvirtualorphysicalappliance
deploymentoption.

Palerra
PalerrawasfoundedinJuly2013andhasbeenshippingaCASBproductsinceJanuary2015.
PalerraisanotheroftheAPIcentricCASBs.ItsofferingcoversSaaS,PaaSandIaaS.Someofitskey
featuresincludedeliveryofuserandriskanalytics,incidentresponse,casemanagement,threat
intelligenceintegrationandconsentdrivenremediation.PalerraalsodeliversSaaSplatformsecurity
management(SPSM)featuresthatenableorganizationstocontroltheconfigurationofSaaSand
othercloudservicespoliciescentrallyfromonelocation.PalerraisdeliveredfromAmazonasSaaS
orfromadedicatedappliancehostedthere.

PaloAltoNetworks
PaloAltoNetworkswasfoundedin2005andhasbeenshippingaCASBproductsinceSeptember
2015.InMay2015,PaloAltoNetworksacquiredCirroSecure,anAPIonlybasedCASBprovider
morefocusedatSPSM.ThenewofferingiscalledAperture.PaloAltoNetworkshadalreadybeen
deliveringcloudapplicationdiscoverycapabilitiestoitscustomers,soexpandingitsvisibilityusing
APIsisanextensionofitscloudprotectionstrategyforuserswhoareoffpremises.Thedataflows
arenotvisibletoonpremisesbasedPaloAltoNetworksdeviceswithouttheforceduseofaVPNto
theonpremisesappliances.Aperturewillalsoprovideadditionalfieldandfilelevelobjectvisibility
intocloudservices,ontopofwhatisavailablefromitsexistingproductrangeforcloudservices.
Theseincludecontentscanning,remediation,analytics,riskidentificationandreporting.

SkyhighNetworks
SkyhighNetworkswasfoundedinDecember2011andhasbeenshippingaCASBproductsince
January2013.SkyhighNetworkswasoneofthefirstCASBproviderstoemphasizetheshadowIT
problemwithcloudapplicationdiscovery,andSaaSsecuritypostureandriskassessmentsasa
primaryinitialusecaseforCASBplatforms.Ithasbuiltalargeinstalledbaseandisamultimode
CASB.IthassinceexpandedintodatasecuritywithDLP/DCAPpolicies,suchasuseractivity
analyticsandmonitoringand,morerecently,encryptionandtokenizationofdataforanumberof
SaaSapplicationssuchasSalesforce.
SkyhighusesaprimaryimplementationmodelofareverseproxyandAPIs,aswellassupporting
forwardproxyimplementations.Itusesadeploymentmodelofdistributedproxiesrunningin
multipleAWS,EquinixandIBMSoftLayerdatacentersworldwide.Skyhighoffersanonpremises
virtualapplianceoption,withaninnovativemodelforonpremisesdataacquisitionviastandard
logs.Italsoprovidesnetflowforadditionalclouddiscoveryusageoptions,whileofferingclientdata
protection,sothatSkyhighhasnovisibilityintoanorganization'sdata.

Vaultive
VaultivewasfoundedinJanuary2009andhasbeenshippingaCASBproductsinceMay2012.
VaultiveisaCASBproviderthathasfocusedontheprotectionofdatainMicrosoft'sOffice365suite
ofSaaSapplications,usingproprietarysearchableencryption.Ithasdevelopedextensiveexpertise
inthehandlingofMicrosoft'sdisparateprotocolsusedinOffice365forexample,SMTP,IMAP,
ActiveSync,archivingandeDiscovery.ItisalsoabletoencryptdatainMicrosoft'sOneDriveand
SharePointonlineofferings.Recently,ithasexpandeditscloudportfoliotootherMicrosoftSaaS
applications,suchasDynamicsOnlineandYammer.OthercloudservicesincludeSalesforce,
ServiceNow,SuccessFactors,Workday,GoogleAppsandBox.Itsprimaryimplementationmodelis
forwardproxybasedhowever,itsupportsreverseproxyimplementationsaswell.
ThefollowingvendorsprovidefeaturesthatcanalsobeconsideredCASBfunctionality:
Armor5
BetterCloud

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

7/8

29/1/2016

MarketGuideforCloudAccessSecurityBrokers
IBM
IonicSecurity
ProtegrityUSA
Saviynt
SkyFormation
Vormetric
TrendMicro

MarketRecommendations
ITsecurityleadersshould:
Immediatelyreviewtheirenterpriseapplicationproviders'cloud,mobileandonpremises
enterprisesoftwareroadmapsforthecloudtounderstandtheirorganizations'directionand
velocityandhowthey'realigningwiththeirsecurityarchitecturesandbudgetingstrategies.
Facilitateandsupporttheseplans,butplayasignificantroleinleadingtheshiftofapplications
andservicestothecloud.Therefore,ITsecurityleaders'goalshouldbetoavoidbeingthe
"no"team"instead,theyshouldbethe"yeswecanandhere'show"team.
GetyourIDaaShouseinorderpriortoorduringtheselectionofCASBs,becauseit'sa
foundationalcontrolthatwillmakecloudserviceadoptionmoreefficientandsecure.Some
CASBsprovideentrylevelcapabilitiestostretchActiveDirectoryintothecloudhowever,this
islikelytobemoreofastopgapmeasure,untilacomprehensiveIDaaSstrategycanbe
delivered.
ConsiderthedifferencesofCASBsthataremultimodeversusthosethatareAPIonlyto
ensureasuccessfuldeployment.
Startwithaninvestigationofwhatcloudservicesarebeingusedinyourenvironment.Thiswill
helplevelset"howbigtheproblemactuallyis"(orisn't)andprovideinsightintohowmany
cloudservicesyouhavetosanction,remediate,control,monitororblock.
Establishenterprisewidedatasecuritygovernancepoliciesthatprioritizetheprotectionof
sensitivedataandestablishtheappropriatedatasecuritycontrolsfromaCASBbeforeusinga
SaaS.
Lookforwaysnottostopcloudusage,but,instead,toencourageitsusebyencouragingthe
useofcloudservicesthatare"enterpriseready"
LookforCASBsthat:
Supportthewidestrangeofcloudapplicationsservicesthatyouarerunningtodayand
plantoconsumeinthecoming12to18months.
Supportyourmobilecomputingusagepatterns(managedversusBYOD,etc.).
Workeffectivelywithyournetworktopology.
Allowforanaccelerationofcloudserviceadoptionbyeffectivelycontrollingsanctioned
cloudservicesandaidintheselectionofproposednewcloudservicesthatare
enterpriseready.
Easeyourcomplianceburdenforcloudservices.
Supportthemodesofoperationthatalignwithyourcoreusecases.Forexample,anAPI
onlyCASBcouldbesufficientforyourneedsor,alternatively,inlinefeaturesmayneedto
bedeployedforyourorganization,soanAPIonlyCASBwillonlypartiallymeetthese
needs.
Integratewithyourexistingcontrolsforexample,IAM,SWGandeventsgoinginto
yourcentrallogmanagementorSIEM
ConsiderothercloudusagepatternsofB2BandB2Cbasedcloudservicesinwhichyouhave
sporadicusehowever,youshouldmaintaincontrol,andaCASBmaybeabletocoverthese
interactionswithyourorganization'sdata,bypeopleoutsideyourorganization.

2015Gartner,Inc.and/oritsaffiliates.Allrightsreserved.GartnerisaregisteredtrademarkofGartner,Inc.oritsaffiliates.Thispublicationmaynotbe
reproducedordistributedinanyformwithoutGartnerspriorwrittenpermission.Ifyouareauthorizedtoaccessthispublication,youruseofitissubjecttothe
UsageGuidelinesforGartnerServicespostedongartner.com.Theinformationcontainedinthispublicationhasbeenobtainedfromsourcesbelievedtobereliable.
Gartnerdisclaimsallwarrantiesastotheaccuracy,completenessoradequacyofsuchinformationandshallhavenoliabilityforerrors,omissionsorinadequacies
insuchinformation.ThispublicationconsistsoftheopinionsofGartnersresearchorganizationandshouldnotbeconstruedasstatementsoffact.Theopinions
expressedhereinaresubjecttochangewithoutnotice.AlthoughGartnerresearchmayincludeadiscussionofrelatedlegalissues,Gartnerdoesnotprovidelegal
adviceorservicesanditsresearchshouldnotbeconstruedorusedassuch.Gartnerisapubliccompany,anditsshareholdersmayincludefirmsandfundsthat
havefinancialinterestsinentitiescoveredinGartnerresearch.GartnersBoardofDirectorsmayincludeseniormanagersofthesefirmsorfunds.Gartnerresearch
isproducedindependentlybyitsresearchorganizationwithoutinputorinfluencefromthesefirms,fundsortheirmanagers.Forfurtherinformationonthe
independenceandintegrityofGartnerresearch,seeGuidingPrinciplesonIndependenceandObjectivity.

AboutGartner|C areers|Newsroom|Policies|SiteIndex|ITGlossary|C ontactGartner

http://www.gartner.com/technology/reprints.do?id=12RUEH70&ct=151110&st=sb

8/8