As enterprises move more workloads to the cloud, securing this environment becomes priority no. 1. This need is being filled by cloud access security broker (CASB) vendors.
CASB is a relatively new technology, but it’s booming. Gartner, which coined the term, has called it “the fastest growing security category ever.”
Late last year Gartner published its first CASB Magic Quadrant. The firm predicts that by 2020, 60 percent of large enterprises will use a CASB to govern cloud services, up from less than 10 percent today.
“CASBs are becoming as important to cloud as firewalls became to data centers,” said Gartner analyst Steve Riley, who co-authored the Magic Quadrant. “With your firewall: the whole purpose was to protect your data on your systems. In cloud it’s still your data, but it isn’t your system anymore. CASBs are the thing that helps you protect your data on somebody else’s systems.”
The three “leaders” in the Magic Quadrant are Symantec, Skyhigh Networks (recently acquired by McAfee), and Netskope. The report defines CASB functionality in four pillars: visibility, data security and encryption, threat protection, and compliance. The three leading vendors earned their titles by providing products that address all four CASB functionality pillars and by executing well in the market.
“The leaders have well-rounded offerings, they’ve got good capabilities and features, and they’ve done well marketing their products,” Riley said.
What Is CASB?
CASB is on-premises or cloud-based software that sits between cloud-service consumers and cloud-service providers. It enforces security and governance policies for cloud applications, allowing companies to extend their on-premises policies to the cloud.
In the early days, CASBs provided a cloud visibility and discovery tool. “The assumption was, ‘we’re using maybe five or six cloud services.’ And the reports would come back showing hundreds of cloud services,” Riley said. “For a lot of folks it served as a wake-up call that it’s time to get a better handle on what our SaaS utilization is.”
Companies quickly realized, however, that the technology also addressed cloud security challenges.
“It’s not just about discovering shadow IT, but how do you put controls in place to govern the content that is flowing in and out of the cloud; how do you look out for malicious activity; how do you look for people hijacking accounts,” said Eric Andrews, VP of marketing for cloud security at Symantec. “We came out of the gate with a very comprehensive solution that addresses all of those.”
Hot M&A Targets
Andrews is talking about the CASB service that Elastica rolled out in 2014, before being acquired by Blue Coat Systems a year later. Blue Coat, and its CASB technology, was then purchased by Symantec for $4.65 billion in 2016. Andrews stayed on as VP of marketing at all three companies.
Merger and acquisition activity in the sector has been on the upswing as companies increasingly adopt cloud applications and services.
“This [CASB] market is basically following that trend,” Andrews said. “You see a lot of bigger players like Symantec and others moving into this space because they realize it’s going to be a core part of security infrastructure.”
Shortly after Symantec acquired Blue Coat, Cisco agreed to pay $293 million for Cloudlock, another CASB. And in January 2017, CASB startup Bitglass announced a $45 million Series C round, bringing its total funding to $80 million.
Late last year McAfee reached a deal to buy Skyhigh Networks for an undisclosed amount and bring its CASB technology under a new cloud business unit. Former Skyhigh CEO Rajiv Gupta is now SVP of McAfee’s cloud security business unit. He said the opposite of security isn’t insecurity — it’s convenience. And employees will choose convenience over security every time.
‘Cloud Is a Big Deal’
CASBs address this by only allowing employees and partners to use approved cloud services and making sure they steer clear of high-risk ones. Additionally, the technology protects data that lives in cloud service providers’ servers.
“The SaaS providers like Microsoft or IaaS providers like AWS do a good job, but there is a new shared responsibility model where they are responsible for protecting the servers, but I am responsible for protecting my data,” Gupta explained.
When he and his co-founders started Skyhigh about six years ago, “We had made a bold prediction this cloud thing is going to be a big deal,” Gupta said.
Based on this bold prediction, Gupta and the other co-founders decided to “start thinking of cloud as a first-class citizen — you cannot think of cloud as a wart that people are not going to use. You have to think ‘my IT environment now extends to the cloud,’” he said.
So they built their technology accordingly, with an eye on protecting data that moved into and out of companies’ cloud environments, he said. As employees bring their own devices and work from home, or from a coffee shop, traditional perimeter security isn’t sufficient.
“The solution has to be cloud native,” Gupta explained. “Our perspective has been that network-based controls are not relevant in this new world. The network is the Internet.”
What’s Next in 2018?
Now that McAfee completed its Skyhigh acquisition, Netskope is the only CASB “leader” that hasn’t been scooped up by a major security vendor. It is worth noting, however, that Bitglass, which Gartner called a “visionary” in the Magic Quadrant, also has not been purchased.
“The big question that remains for 2018: who is the next CASB that’s going to get acquired?” Gartner’s Riley said. “Only two significant ones remain: Bitglass and Netskope. One or both is likely to get acquired in 2018.”
Netskope is not for sale, said CEO Sanjay Beri.
“We’re not interested [in being acquired],” he said. “Everybody who has acquired someone called Netskope first and we gave them the same answer: ‘we’re not interested.’ We’re in the early innings of our platform, and we have many more modules to release.”
CASB was the first module. The next one is “governance of the entire web,” Beri said, adding that he expects to see other security vendors follow suit and employ CASB-like technology to secure more than IaaS, PaaS, and SaaS data.
“It’s not just SaaS, IaaS, and Paas,” he said. “This will hit other markets. This idea that people are using arcane tools to deal with other types of traffic like the web. In 2018 you’ll see people extending the platform and using it for more than cloud.”