Gartner unveils top cloud access security brokers

By on
Gartner unveils top cloud access security brokers

Gartner has unveiled its first-ever Magic Quadrant for cloud access security brokers (CASB), which provide visibility into general cloud application usage, data protection and governance for enterprise-sanctioned cloud applications.

These companies deliver capabilities that are generally not available in other security controls such as web application firewalls (WAFs), secure web gateways (SWGs), and enterprise firewalls, according to Gartner.

Hundreds of millions of dollars fueled the intial growth of the CASB market, according to Gartner. The market has matured in recent years with eight of the 14 CASB startups formed since 2011 having been acquired, allowing this technology to become a piece of a bigger vendors' portfolio.

Less than 10 percent of large enterprises use a CASB today to govern cloud services, according to Gartner. But by 2020, that figure is expected to hit 60 percent.


The Gartner Magic Quadrant evaluates service providers on two sets of criteria: their success on delivering results today and into the future (ability to execute); and their service operating model and strategic plans for growth and service improvements (completeness of vision).

Three of the 11 firms Gartner evaluated are considered leaders, meaning they have a clear vision of the market's direction and develop competencies to maintain their relationship.

One is a visionary, meaning they have a clear vision of the market but need to improve their penetration. Two firms are classified as challengers, meaning they execute well but have less-defined views of the market.

And five providers emerged as niche players, meaning they focus only on a particular service or limited number of markets.

Leader: Netskope

Netskope was founded in October 2012 and began shipping a CASB a year later, according to Gartner.

The company was one of the first CASB providers to emphasise cloud application discovery and SaaS security posture assessments as initial use cases, Gartner found.

Netskope's data loss prevention engine rivals that of some on-premises tools and is frequently cited by clients as a reason for choosing the product, Gartner said. The company has in recent years added better user behaviour analytics and alerting within managed and unmanaged SaaS applications, Gartner found.

Netskope is one of the only CASBs to deploy and run its own distributed network fabric without relying on a public cloud provider, according to Gartner. On-premises physical and virtual appliances are also available, Gartner said.

Strengths: Netskope's risk database is comprehensive, with 44 criteria that include details about pricing, business risk and GDPR readiness across thousands of cloud services. The company's shadow IT discovery process included recommendations for improving cloud security posture. Netskope's device posture policies can also signal an endpoint protection tool such as Carbon Black to take various actions.

Cautions: Netskope's API support extends only to the most popular cloud services and isn't as broad as some other vendors. Gartner said customers requiring API inspection for more cloud services may need to augment with additional components. And Netskope's recommendation of a forward-proxy deployment for many use cases might negatively affect use cases that prefer API inspection.

Leader: Skyhigh Networks

Skyhigh Networks was founded in December 2011 and began shipping a CASB 13 months later, according to Gartner.

The company was one of the first CASBs to raise awareness of shadow IT, Gartner found, enabling customers to perform security posture and risk assessments of sanctioned and unsanctioned cloud services with one of the largest cloud service discovery databases.

Since then, Skyhigh has expanded further into data security with the addition of data loss prevention, encryption, and tokenisation of structured and unstructured data for popular SaaS applications, Gartner said. The company continues to improve its security analytics with user and entity behavior analytics capabilities, according to Gartner.

Skyhigh is the only CASB with a completed FedRAMP Authority to Operate in the market. McAfee announced its intention to acquire Skyhigh on 27 November.

Strengths: Skyhigh's data loss prevention tool is sophisticated enough that many organisations will not need to use existing data loss prevention tools for SaaS applications. Recent interface and dashboard improvements display important indicators of security posture along with recommended remediations. Skyhigh's policy engine keeps versioned copies as policies changes are made to simplify reverting. 

Cautions: Although Skyhigh recently reduced prices, Gartner said some clients continue to find Skyhigh's pricing unfavorable when compared with other vendors. Despite improvements to its data loss prevention, Skyhigh is not as well-known as some competitors for discovering and monitoring sensitive data. Few Gartner clients mentioned data loss prevention as a deciding factor for selecting Skyhigh.

Leader: Symantec

Symantec entered the CASB space through its June 2016 acquisition of Blue Coat, which had in turn acquired two CASBs of its own.

Perspecsys emphasised satisfying data residency requirements by tokenising or encrypting data stored in SaaS applications, Gartner said. The company was founded in 2009, and purchased by Blue Coat in July 2015.

Elastica was best-known for its data loss prevention, user and entity behavior analytics, and content inspection capabilities, Gartner said. The company was founded in 2012, then bought by Blue Coat in November 2015.

The renamed Symantec CloudSOC offers a complete multimode CASB with an optional data encryption/tokenisation gateway, according to Gartner.

The company incorporated cloud application discovery and security posture assessment capabilities into its traditional management console, creating an upsell opportunity to its full CASB.

Strengths: Symantec can produce a wide range of reports for different audiences including executive boards, auditors and security teams. CloudSOC's ability to tokenise and encrypt data at the field level for selected SaaS applications like Salesforce preserves functions like searching and sorting. User and entity behavior analytics capabilities include risk scoring from multiple events and suggested remediations.

Cautions: Symantec's tokenisation function is performed by a separate on-premises appliance and isn't yet integrated into the cloud-delivered product. Gartner said it will take some time for customers to develop useful dashboards for the information gleaned from the network and endpoint logs. Clients told Gartner that the Symantec data loss prevention connector is an expensive extra cost. 

Challenger: CipherCloud

CipherCloud was founded in October 2010 and began shipping a CASB just five months later, Gartner said. The company initially focused on encrypting and tokenising data at the field level in popular enterprise SaaS applications, according to Gartner.

Since then, Gartner said CipherCloud has expanded its data protection capabilities to cover a broader range of structured and unstructured data within SaaS applications. The company can integrate with on-premise key management, data loss prevention and data-centric audit and protection products, according to Gartner.

CipherCloud performs content and user activity monitoring, threat protection, cloud discovery and SaaS security posture assessment, Gartner said. The company's most popular deployment is as software or as a virtual on-premises appliance, according to Gartner.

Strengths: CipherCloud offers a thorough and well-defined policy configuration workflow for data security and compliance use cases. The company can manage keys for SaaS-native encryption services to preserve maximum application functionality, according to Gartner. CipherCloud can also tokenise and encrypt data outside SaaS applications while preserving functionality like searching and sorting.

Cautions: CipherCloud's on-premises and cloud-delivered versions vary with respect to features, policy creation and management interface. The management console lacks incident management, necessitating integration with third-party security information and event management tools. Clients have reported issues with CipherCloud negatively affecting SaaS application functionality, Gartner said.

Challenger: Cisco

Cisco acquired API-only only CASB Cloudlock in August 2016 and began integrating it only the rest of the company's security portfolio, which includes network and endpoint, client VPN, email and web security, identity-based networking, threat detection, and cloud security, according to Gartner.  

Cisco has been heavily investing in its range of products that deliver traditional security capabilities from the cloud and products that deliver cloud-native security services such as OpenDNS, Gartner found.

Customers of all Cisco security products, including Cloudlock, receive threat intelligence from Talos, Cisco's well-regarded threat research organisation, Gartner said. Cloudlock is currently in process for FedRAMP authority to operate at the moderate impact level, according to Gartner.

Strengths: Cloudlock was an early identifier of potential abuse via connected in-cloud apps. The company provides a mechanism for overriding permissions granted to OAuth tokens, thus blocking a growing form of cloud attack. Cloudlock's API inspection supports popular cloud services such as all 6000 applications on Salesforce's AppExchange and applications on Okta and OneLogin marketplaces.

Cautions: Cloudlock has no support for the tokenisation of data in SaaS application and cannot manage the keys for governed SaaS applications. The workload for investigating a particular user's activity on Cloudlock is cumbersome, Gartner found. And Cisco's cloud discovery database relies primarily on crowdsourced data and lacks the depth of coverage that competitors have, according to Gartner.

Visionary: Bitglass

Bitglass was founded in January 2013 and began shipping a CASB one year later, according to Gartner. The company is focused on sensitive data discovery, classification and protection, but also offers document management and protection capabilities such as watermarking and encryption methods that support search and sort, Gartner said.

Bitglass uses an agentless Ajax Virtual Machine abstraction layer that detects and reacts to changes in underlying SaaS applications that might otherwise bypass traditional reverse proxies. The company's CASB offers reverse proxy, forward proxy and API support of major SaaS applications.

Bitglass also offers basic mobile device management and identity and access management as a service capabilities, according to Gartner. It can either be consumed as SaaS or deployed on-premises; in either case, Gartner said the interface for encryption keys is supported.

Strengths: Bitglass' time to deployment is rapid for most supported cloud services. For midsize enterprises, Bitglass can replace the need for separate mobile device management and identity as a service tools by offering these capabilities directly. When users visit unsanctioned cloud applications, Bitglass can insert HTML messages to coach them toward sanctioned applications instead, Gartner said.  

Cautions: Bitglass lacks the market profile and channel partner reach of competing CASB-only vendors. Workflow through Bitglass' user interface can become unwieldy if governing a large number of SaaS applications, Gartner said. Bitglass' depth of API integrations is sufficient, but it lacks the breadth of support compared to other vendors. The company's discovery capabilities are adequate but basic.

Niche Player: Oracle

Palerra was founded in July 2013, began shipping a CASB product 18 months later, and was acquired by Oracle 20 months after that, according to Gartner.

Now called Oracle CASB Cloud Service, it offers capabilities to govern SaaS, PaaS and IaaS applications and are suitable for use cases such as security monitoring, threat protection and incident response, Gartner said.

Oracle's product provides visibility into SaaS applications by analyzing logs for cloud service activity and identifying risky applications, Gartner found, including those installed from Salesforce's AppExchange.

The company's CASB offers features that allow organisations to centrally control the native security configurations of SaaS applications and IaaS consoles, according to Gartner. The CASB is delivered as SaaS or sold as a managed cloud-based service, with no on-premises version available, Gartner said.

Strengths: Oracle's CASB can measure the configuration of native security controls in sanctioned apps and suggest improvements. The company's user and entity behaviour analytics stood out from the competition, with inappropriate behaviors linked to instructions that inform users how to avoid risky behavior. Incident response includes case management as well as multilevel alerting and notification.

Cautions: Gartner said clients don't typically view Oracle as a strategic vendor for cloud security or threat protection. Oracle sellers and channel partners lack experience selling products to security buyers, with a consistent approach to globally showing the value of the product not yet evident. The data loss prevention product lacks support for fingerprinting and similarity matching, Gartner said.

Niche Player: Saviynt

Saviynt was founded in January 2010 and began shipping a CASB 4.5 years later, according to Gartner. The company offers only API-based inspection for some common SaaS applications and for IaaS cloud infrastructure components, Gartner found.

Saviynt's CASB is derived from the company's identity and access governance platform, Gartner said, with available SaaS controls exhibiting a focus on identity. Visibility does not extend to unsanctioned applications or unmanaged devices, which can limit the overall set of available use cases, according to Gartner.

Saviynt is available either as SaaS or as an on-premise physical and virtual appliance, Gartner said.

Strengths: Saviynt includes controls for managing privileged access and separation of duties and focuses on compliance-driven use cases. The company's DLP engine can ingest policies from an existing on-premises DLP product. Saviynt gathers detailed event information and telemetry from sanctioned apps and generates reports with suggested remediation actions for security administrators and researchers.

Cautions: Saviynt has no native shadow IT discovery and no mechanism for blocking access to consumer versions of services. The company lacks tokenisation or encryption of data in SaaS applications, Gartner said. Saviynt also offers limited threat detection, no malware scanning either natively or through third-party engines, and lacks user and entity behavior analytics and other advanced analytics capabilities.    

Niche Player: Microsoft

Adallom began shipping a CASB in early 2013, was acquired by Microsoft in September 2015 and renamed Microsoft Cloud App Security (MCAS) at that time. It is an API-only CASB available standalone and as part of Microsoft's Enterprise Mobility + Security suite.

While MCAS on its own offers features that touch each of the four pillars, more complete functionality requires a suite of Microsoft services. The suite includes MCAS, Azure Active Directory, Azure Information Protection, Advanced Threat Analytics, and Intune.

MCAS is delivered as SaaS from Azure data centres, with no endpoint agents or on-premises editions available. Except for data loss prevention, certain Office 365 subscriptions include a subset of MCAS capabilities designed to protect only an Office 365 tenant and not other SaaS applications.

Strengths: MCAS's report ingestions works with more on-premises firewalls and proxy servers than most of its competitors. The CASB offers control over sanctioned SaaS applications via a policy engine that tracks how file access policies change over time, Gartner said. MCAS observes how users interact with SaaS applications and can detect risky or abnormal behavior that indicates possible attack, Gartner said.

Cautions: Most organisations will find that third-party data security providers are more robust than MCAS since they have larger predefined DLP policy libraries and more sophisticated detection methods.  Customers will likely need to deploy multiple Microsoft products alongside MCAS to improve functionality. Configuring products in the full suite often requires duplication of administrative effort.

Niche Player: CensorNet

CensorNet was founded in February 2007 and began shipping a CASB eight years later, according to Gartner. Its CASB complements existing email, web security and multifactor authentication products, Gartner said.

Derived from its existing secure web gateway platform, CensorNet is already positioned to capture traffic and see the flow of data to and from SaaS applications, Gartner found. It has a generalised policy engine through which a CASB administrator can define sensitive data based on content types, locations, users and other markets, according to Gartner.

CensorNet helps with compliance mandates by monitoring sensitive data and generating reports about what it sees, Gartner said. The offering is focused on visibility and SaaS application user and policy controls, Gartner found, and now delivers more capabilities for more cloud services.

Strengths: CensorNet's combination of CASB, secure web gateway, multifactor authentication and email security capabilities make the product well-suited to midsize firms. The company runs an automated tool that continuously probes the 50 most popular SaaS destinations to learn about and react to changes in application architecture. CensorNet sends only metadata about cloud requests for analysis.

Cautions: CensorNet lacks the market profile and channel partner reach of competing CASB-only vendors. The company does not currently support API models of operation, Gartner said. CensorNet has no encryption or tokenisation capability, no data loss prevention or document classification capabilities, and no form of native electronic discovery reference model integration, Gartner said.

Palo Alto Networks

CirroSecure was founded in July 2013, acquired by Palo Alto Networks in May 2015, and relaunched as Aperture with built-in threat intelligence, according to Gartner. The API-only CASB was released in September 2015, Gartner found.

Customers must run both Palo Alto Networks' firewall and Aperture to satisfy the most common CASB use cases, Gartner said. The intended market for Aperture is existing Palo Alto Networks customers seeking cloud visibility and governance not available through Palo Alto Networks' firewall alone, according to Gartner.

Additional features within Aperture include content scanning, sensitive data monitoring, malware detection and remediation, analytics, risk identification and reporting, Gartner said.

Strengths: Aperture provides improved cloud security for customers who are making the transition to more cloud services. The company's data loss prevention tool extends beyond keywords and common content types using classifications Palo Alto Networks developed with machine learning through acquired datasets from third parties. The API allow customers to investigate data that's already at rest.

Cautions: Aperture lacks encryption and tokenisation of data in SaaS applications. There is no integration between Panorama for managing in-line inspection through the firewall and Aperture for API inspection, meaning that is no common workflow and policy duplications may occur, Gartner said. Palo Alto Networks also lacks integration with an on-premises data loss prevention product.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © 2018 The Channel Company, LLC. All rights reserved.

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Log In

Username / Email:
  |  Forgot your password?