Search This Blog

Tuesday 28 April 2015

Understanding Cloud Access Security Broker Services

Over the past 30 years, we the IT Security team have been promoting and building a "Defence in Depth" strategy to protect our corporate assets. 

This methodology was predicated on the fact that we need to assure our employees, customers, and shareholders that we were able to provide adequate Confidentiality, Integrity, and Availability (The CIA-Triad)  for the sensitive data/intellectual property residing in physical  data centers. 

We have installed Firewalls, Intrusion Prevention, AntiMalware,  Data Loss Prevention, Secure Email, VPN, etc... All with the intent on providing a stack of security capabilities to protect data withing our corporate network.  Within our corporate data centers.

Simultaneously, our lines of business are becoming more agile, more complex, and more attune to services available "in the cloud"Shadow IT is the new trend.  Lines of Business can and are spinning up new services at an aggressive rate to keep up with their online competition. Our ability to manage them "technically" as opposed to by policy has been almost non-existent.

We as Security Experts, are scrambling to augment our "bricks and mortar" based Defense in Depth strategy with Cloud Services, but the path is not presently clear.

Very recently
, a niche market has developed to fill this void. Several vendors identifying themselves as Cloud Access Security Brokers (CASBs) have defined a strategy to mitigate this problem.  CASBs are either on-premise, or cloud-based (or both) security policy enforcement points. Placed between your end users and the various cloud service providers, they can inspect traffic, manage and enforce policy, alert on anomalous behavior, and in most cases provide some level of DLP enforcement.

Either leveraging existing Single Sign On providers, or corporate Active directory services, these Cloud Access Security Brokers can identify individuals' access into Cloud Service Providers that are affiliated with the broker. Currently these number in the  hundreds if not thousands. For "Sanctioned" Cloud Applications (those services for which your enterprise has procured directly) end user access can be strictly enforced by context:
  • Who you are (Role based access)
  • Where you are coming from (corporate network, public Internet, wifi, geographic region)
  • What device you are using (Corporate laptop, Home PC, Tablet or phone)
  • What time of day you're working (Are you authorised to work during this time?)

This Context Awareness also allows the CASB providers to employ heuristic analysis on Cloud bound traffic, to do some form of anomaly detection to identify malicious or erroneous traffic.  This is an area that they are all investing heavily in today.
  Most of the Cloud Access Security Brokers provide granular encryption, but only three provide  Tokenization of your Corporate Data in the Cloud. This can be as coarse as entire records or documents, or as fine grained as a field in a form.  Adallom has also  leveraged the Right's Management functionality of Checkpoint's Capsule to secure data in the cloud, while allowing trusted collaboration.

For more on Tokenization vs encryption, please see my articles: Tokenization as a companion to Encryption and Toronto based PCI Compliance upstart Blueline brings holistic solution to Voice-Web-POS

One of the strengths of some of the Cloud Access Security Brokers is the ability to identify and report on employee access to  "Shadow IT" cloud services.  "Shadow IT" are described as services that the corporation has not subscribed to as a whole, or has not specifically provisioned for the user in question.  These typically include Cloud Storage facilities like Box or Dropbox.   Again, if the CASB has an affiliation with the cloud service provider, these can be managed by policy, otherwise they can be flagged and alerted on to your security operations team for manual remediation.

Several of these CASBs provide on-premise inspection and policy gateways to augment your corporate network controls and provide definitive logical access control to the cloud services from within the corporate network.  These on-premise gateways complement the cloud based CASB services and provide for a hybrid view of data movement.

Since their emergence in 2012, CASBs have grown in importance and today are the primary technical means of giving organizations more control over SaaS security. This technology will become an essential component of SaaS deployments by 2017.
 By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.

- Gartner, The Growing Importance of Cloud Access Security Brokers

Gartner has defined the four pillars of CASB as:
 Visibility, Data Security, Compliance and Threat Prevention.

 As of this time, there are about twelve companies playing in this space. I would like to highlight the leaders at the moment. 

(In alphabetical order, and in their own words. ie: pilfered from their websites.)

Adallom delivers an extensible platform to secure and govern cloud applications. In addition to discovering almost 13,000 cloud services in use, Adallom offers comprehensive controls for data sharing, data security, DLP, eDiscovery and access control. The Adallom platform also integrates with existing on-premises solutions such as SIEMs, MDMs, NACs and DLPs. Adallom has identified new malware attacks in the wild, including a Zeus variant attacking Salesforce, and an identity token hijacking vulnerability affecting Office 365On April 21st, Adallom announced an HP partnership where its platform will be resold on the HP price list, and offered with the HP Enterprise Security Products and Enterprise Security Services portfolio. 

the Total Data Protection company, is a Cloud Access Security Broker, founded in 2013, that delivers innovative technologies that transcend the network perimeter to deliver total data protection for the enterprise - in the cloud, on mobile devices and anywhere on the internet.  Bitglass delivers the security, visibility, and control that IT needs to enable mobile and cloud in the workplace, while respecting user privacy.

CipherCloud is a cloud security software suite that encrypts data during the upload process, and decrypts during download. The encryption keys used for this process remain within your business network; thus, unauthorized users accessing data in the cloud will only see indecipherable text.
CipherCloud also comes with built-in malware detection and data loss prevention. There are specific builds for commonly used cloud applications such as Salesforce, Office 365, Gmail and Box, as well as a variant that can be configured to work with any cloud-based applications your business uses.

Netskope is a leader in cloud app analytics and policy enforcement. Netskope aims to eliminate the catch-22 between being agile and being secure and compliant by providing visibility, enforcing sophisticated policies, and protecting data in cloud apps.  
Netskope is a service that discovers and monitors cloud apps and shadow IT used on your network. Netskope monitors users, sessions, shared and downloaded content as well as the shared content details, and provides detailed analytics based on this information.

Perspecsys' AppProtex Cloud Data Protection Platform provides a flexible cloud data control platform that enables organizations to identify and monitor cloud usage and then encrypt or tokenize data that it does not want to put in the cloud “in the clear”.  The Platform intercepts sensitive data while it is still on-premise and replaces it with a random tokenized or encrypted value, rendering it meaningless should anyone outside of the company access the data while it is being processed or stored in the cloud.

Skyhigh Networks enables organizations to adopt cloud services with appropriate security, compliance, and governance. Skyhigh supports the entire cloud adoption lifecycle, providing unparalleled visibility, analytics, and policy-based control. Specifically, Skyhigh shines a light on Shadow IT by giving a comprehensive view into an organization’s use and risk of all cloud services. Skyhigh analyzes the use of all cloud services to identify anomalous behavior indicative of security breaches, compromised accounts or insider threats. Finally, Skyhigh enforces the organization's policies on the use of over 12,000 cloud services by providing contextual access control, structured and unstructured data encryption and tokenization, data loss prevention, and detailed cloud activity monitoring for forensic and compliance purposes.

Zscaler is leading two fundamental transformations in the world of IT security. First—the shift from on-premise hardware appliances and software to Security as a Service. Second—the transition from point security solutions to broad unified security and compliance platforms. Both transformations exactly parallel what has happened in every other sector of information technology—CRM, ERP, HR, eCommerce, and personal productivity—all have evolved from on-premises point applications to comprehensive cloud—based platforms. 

While conducting this review of the CASB market, I looked at a number of Security Controls that I would expect a mature Access Broker to provide. I've laid this out in accordance with Gartner's four pillars: 
 Visibility, Data Security, Compliance and Threat Prevention.
If you think I have omitted your favorite Cloud Access Security Broker, or have mis-represented a control above, please have them forward details to me including their position on each of the items in the above controls list.  After validating each, I will gladly amend the list.

Although the CASB market space is still in it's infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service. 
I'm interested to see what happens to this space over the next three years.   My money is on convergence of CASB, SSO, and Mobile Security providers.

Also Read: 

Standing at the Crossroads: Employee Use of Cloud Storage.


Gartner: The Growing Importance of Cloud Access Security Brokers
Gartner: Emerging Technology Analysis: Cloud Access Security Brokers
Bitglass: The Definitive Guide to Cloud Access Security Brokers
CipherCloud looks to stay at the head of the cloud security class 
Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways
Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends

NetworkWorld: How the cloud is changing the security game
Adallom: The Case For A Cloud Access Security Broker
Adallom: Cloud Risk Report Nov 2014
Check Point Capsule and Adallom Integration 
HP - Adallom: Proven Cloud Access Security Protection Platform 
Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP 
PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager
ManagedMethods: Role of Enterprise Cloud Access Security Broker
Standing at the Crossroads: Employee Use of Cloud Storage. 
Cloud Computing: Security Threats and Tools 
SC Magazine: Most cloud applications in use are not sanctioned  


  1. You forgot Elastica!

  2. Under the DLP section "Integrate with Commercial DLP Providers" you have Netskope listed as "No". Netskope has recently released an ICAP integration capability and have it operational with the Symantec Vontu product at one account I am aware of.

    Could you please correct that in your chart?

  3. Enjoyed this briefing on the CASB market. Please contact me if you would like a briefing on a new participant.

  4. Thank's Mike. Please email me at unix_guru at hotmail dot com

  5. Great list of #2, #3, #4, #5, #N CASB. You'r missing #1. Elastica - - is a very long ways ahead of the group listed above. While you've mentioned that the market is in its infancy, the Elastica CloudSOC is complete, robust, and mature. Stop dragging us all down with this crawling nonsense and bring your CASB info up to speed.

  6. Great list of #2, #3, #4, #5, #N CASB. You'r missing #1. Elastica - - is a very long ways ahead of the group listed above. While you've mentioned that the market is in its infancy, the Elastica CloudSOC is complete, robust, and mature. Stop dragging us all down with this crawling nonsense and bring your CASB info up to speed.

    1. "Stop dragging us all down with this crawling nonsense and bring your CASB info up to speed." This is not a useful comment. Sounds like you are either a fanboy or affiliated with the company. I am appreciative of someone contributing to community. Where is yours?

    2. Elastica had refused to participate in this survey last year.
      I have arranged for Elastica to be included in this year's survey.

  7. i want to know the difference between CASB with VPN

  8. Great article Mike, summing the importance of Cloud Access Security Brokers. Would like to add Parablu, Inc. to the list-

  9. Hey, Dude your blog awesome, I am going to copy all these points for our next post
    access security