A cloud access security broker (CASB) solution sits between users and cloud services to protect data and enforce security policies.
In recent years, CASB solutions have become part of broader secure access service edge (SASE) technology as edge and cloud security risks have expanded to include all threats outside the network perimeter, including edge computing, IoT, mobile, cloud, web, email and more.
But an organization looking to protect itself from SaaS application and shadow IT risks still has much to gain from a standalone CASB. We’ve surveyed the CASB market to provide our recommendations for the top CASB vendors, along with buying guidance for those in the market for a CASB solution.
Table of Contents
- Broadcom Symantec CloudSoc CASB: Best for compliance
- Censornet:Best for reporting
- Forcepoint: Best for risk analysis
- iBoss: Best for zero trust
- Lookout: Best for protecting highly sensitive data
- Skyhigh Security CASB: Best for access controls
- Microsoft Defender for Cloud Apps: Best for Windows environments
- Netskope: Best for security integrations
- Palo Alto Networks Next-Gen CASB: Best for Prisma Cloud and Palo Alto NGFW customers
- Proofpoint: Best for employee protection
- 5 Features of CASB Solutions
- Why Do You Need a CASB?
- CASB Benefits
- Best Practices for Implementing CASB
- How to Choose the Best CASB
- 3 Types of CASB Deployment
- Frequently Asked Questions (FAQs)
- How We Evaluated CASB Solutions
- Bottom Line: CASB Solutions
Broadcom
Best for compliance
Broadcom’s solution for addressing visibility into cloud application security is the Symantec CloudSOC CASB. Big cybersecurity acquisitions of Blue Coat Systems and Symantec in the last decade provided the roots of Broadcom’s CASB offerings. Paired with the Symantec cloud data loss prevention (DLP) solution, the Symantec DLP Cloud includes CASB Audit, CASB for SaaS and IaaS, and CASB Gateway.
Pricing
Contact Broadcom’s sales team for pricing details or find an official distributor or consulting services partner.
Key features
- Deep content inspection and context analysis for visibility into how sensitive data travels
- API-based inline deployment for fast risk scoring, behavioral analysis, and detection
- Continuous monitoring of unsanctioned applications, malware, and security policies
- Central policy engine for controlling how users and apps access and use data
Pros
- Multiple deployment routes, including endpoints, agentless, web, proxy chaining, and unified authentication
- Compliance focus for organizations with strict data protection needs
Cons
- No free trial
- Limited support contact options
Censornet
Best for reporting
A part of the vendor’s Autonomous Security Engine (ASE) solution, Censornet Cloud Access Security Broker comes integrated with adaptive multi-factor authentication, email security, and web security. Censornet’s CASB also offers Identity as a Service (IDaaS) for secure user authentication.
Censornet offers extensive reporting capabilities, including pre-built trend reports. Users can download and email reports to other members of the organization or to customers. Multiple report views allow security teams to report by device, threat level, user, and other views.
Pricing
The email security plan starts at £1.70 per user/month. The web security and antivirus plan starts at £2.30 per user/month. The CASB plan starts at £2.50 per user/month. To receive an exact quote for your business, contact the sales team.
Key features
- Risk assessment, rating, and categorization for cloud applications
- Granular policy-setting control by user, role, device, network, and function
- Audit reports with multiple criteria, including app class, risk level, and threat type
- Security awareness training product
Pros
- Multiple customers have praised the technical support team
- Extensive reporting options
- Free trial
Cons
- Might take time for inexperienced teams to fully customize
Read more about application security
Forcepoint
Best for risk analysis
Forcepoint’s CASB products focus on protecting sensitive data and critical applications. Forcepoint’s cloud audit and protection capabilities are designed for real-time activity monitoring and analytics. Forcepoint has added to its CASB offerings with technology acquisitions from Imperva and Bitglass.
It uses malware engines from CrowdStrike and Bitdefender to halt malware that’s transferred between users to SaaS applications.
Pricing
Forcepoint offers a demo to potential customers. Contact its sales team for a specific quote for your enterprise.
Key features
- Native user behavioral analysis for profiling app risks and business impact
- Customizable and advanced risk metrics for evaluating cloud app threat posture
- Interoperability with Identity-as-a-Service (IDaaS) partners like Okta, Ping, and Centrify
- MFA for user identification
Pros
- Detects unmanaged SaaS solutions being used by employees and allows admins to block those applications
- Integrates CASB data in Common Event Format, a security logging system, for existing SIEM environments
- Integrates with other Forcepoint solutions, including web security and NGFW
Cons
- Customer support is priced as an add-on
iBoss
Best for zero trust
iBoss offers CASB as a product in the Application and Data Discovery capabilities of its zero trust platform. iBoss restricts data transfers in corporate systems, redirecting file uploads and other transfers to company accounts if a user tries to send business data to a personal account. iBoss’s CASB offerings are particularly useful for social media and Google and Microsoft cloud applications. The product is well rated by users and analysts alike.
Pricing
iBoss has three zero trust plans, only one of which includes both inline and out-of-band API CASB features (Zero Trust Complete). The least expensive plan requires add-on pricing for both of the CASB features, while the median plan requires add-on pricing for out-of-band API CASB.
Key features
- Out-of-band deployment options via APIs from MS365, Google, and Box
- Policy management based on users, groups, and information accessed for data security
- Native integration with Microsoft Azure, Office 365, and Microsoft Defender for Cloud Apps
- Policy-based application controls for social media sites like Facebook, Twitter, and LinkedIn
Pros
- Easy-to-use dashboard displaying usage and application data
- Highly useful for Office 365 and Google applications
Cons
- iBoss doesn’t have a standalone CASB, and users must pay additional fees for CASB functionality in some plans.
Lookout
Best for protecting highly sensitive data
Bolstered by the acquisition of CipherCloud, Lookout boasts a number of advanced CASB features like DLP, UEBA, zero trust, and integrated endpoint security. Users can scan historical cloud data to find open file shares and unprotected information. Lookout analyzes encrypted traffic from approved applications as well as unapproved ones and detects application activity even from administrators for potential malicious activity. Another highlight is digital rights management, which allows security teams to encrypt data and limit access to that data based on which applications and services are permitted to see it.
Pricing
Lookout offers a CASB buyer’s guide for customers who want to learn more about the Secure Cloud Access product. To receive an exact quote from Lookout, contact the sales team.
Key features
- Digital rights management
- Integration with enterprise mobility management (EMM) solutions for endpoint policies
- Context-aware tags, including user, group, location, device type, OS, and behavior
- Notifications when application users access and share sensitive data
Pros
- Built-in user and entity behavior analytics (UEBA) assessing traffic, devices, and users
- Data protection that integrates with company email accounts and identifies potential anomalies when emailing sensitive information
Cons
- Customers must pay for an additional support program to receive technical support. Note that you must pay for at least the second plan, Premium, to get 24/7 support.
Skyhigh Security CASB
Best for access controls
Skyhigh Security’s CASB solution supports data loss prevention policies and blocks attempts to download corporate information to employees’ personal devices. Skyhigh uses both forward and reverse proxy for inline deployment. It provides integrations via API for a variety of business applications, including Slack, Zoom, and GitHub, as well as multiple identity and access management tools. Skyhigh — which comprises McAfee’s former cloud business — includes the CASB tool as part of its SASE platform.
Pricing
Skyhigh offers a demo for potential customers. It has three plans: Essential, Advanced, and Complete. Note that the Essential plan doesn’t have endpoint data loss prevention. To receive an exact quote, contact Skyhigh’s sales team.
Key features
- Central policy engine with options for templates, importing, and custom policy creation
- Integrations with existing security software like SIEM, secure web gateways (SWG), NGFWs, and EMM
- User behavior analytics to identify potential insider threats
- Shadow IT Cloud Registry, which assesses potential risks for cloud applications that employees might want to use
Pros
- Gives customers access to 261-point risk assessments and ratings of pertinent cloud applications
- Offers highly granular access policies based on IP address, location, activity, and other criteria
- Detects malicious or negligent behavior with machine learning
Cons
- No free trial
- Might be challenging for inexperienced analysts to fully learn because of its granular policies and advanced risk assessments
Microsoft Defender for Cloud Apps
Best for Windows environments
Microsoft Defender for Cloud Apps addresses DLP, compliance, discovery, access and other security functions across business environments like social media, SaaS apps, and email. Office 365 is, of course, a particularly strong use case.
Defender for Cloud Apps supports blocking downloads on untrusted devices. Admins can also label files based on the sensitivity of the data in the file, creating protective rules that limit how the data can be accessed and shared.
Pricing
Note that unlike most of Microsoft’s security solutions, Defender for Cloud Apps doesn’t have a free trial specific to its product. Contact Microsoft’s sales team for further pricing information.
Key features
- Add-on application governance for OAuth-enabled apps in Azure’s Active Directory instance
- Central view of cloud security configuration gaps with remediation recommendations
- Download blocking for untrusted devices
Pros
- Provides real-time controls for remediating threat behavior identified at access points
- Over 90 risk factors and 26,000+ available app risk and business assessments
- Good choice for Microsoft cloud environments
Cons
- Limited third-party SaaS integrations
- No free trial
Netskope
Best for security integrations
Netskope has long been a leader in CASB technology, with continuous security assessment and compliance. The company has also packaged together a number of offerings as a SASE solution. Highlights of the CASB solution include the Cloud Exchange for tech integrations, including third-party security solutions like EDR and SIEM, and malware blocking for both email and storage service.
Pricing
Potential customers can request a demo from Netskope and request an executive briefing to create specific business solutions custom to their organization. For exact pricing, contact the sales team.
Key features
- Encryption at rest or managed in real time with certified FIPS 140-2 Level 3 key management systems
- Integrations with productivity, SSO, cloud storage, EMM, and security applications
- Dashboard aggregating all traffic, users, and devices for SaaS, IaaS, and web activities
- Role-based access control for administrator, analyst, and other privileged user roles
Pros
- Netskope offers regular technical account management sessions for customers
- Access to 40 threat intelligence feeds informing the detection of anomalous behavior
Cons
- No free trial
- 24/7 support and phone call customer service is only available through additional cost
Palo Alto Networks Next-Gen CASB
Best for Prisma Cloud and Palo Alto NGFW customers
Palo Alto Networks has brought its considerable security expertise to bear on the CASB and SaaS protection market with an offering that includes SaaS monitoring, compliance, DLP and threat protection. Palo Alto’s SaaS Security and Enterprise DLP products combine to create the CASB. The Next-Generation CASB also has strong integrations with Palo Alto firewalls and access solutions, making it a good choice for businesses that already use Palo Alto security products.
Pricing
The Next-Gen CASB has a lengthy free trial for potential buyers. Contact Palo Alto’s sales team for an enterprise-specific quote.
Key features
- Advanced DLP functionality via deep learning, NLP, and optical character recognition (OCR)
- Activity monitoring through scans of traffic, ports, protocols, HTTP/S, FTP, and PrivateVPN
- Built-in data security reporting for compliance auditing such as GDPR
- Application controls for setting risk attributes and policy
Pros
- Native integration with PAN’s VM-Series, NGFW, and Prisma Access solutions
- 60-day free trial for the Next-Gen CASB solution
Cons
- May be challenging for smaller, less experienced teams to learn and implement
Proofpoint
Best for employee protection
Enterprise cybersecurity company Proofpoint’s CASB is a user- and DLP-focused solution for revealing shadow IT activity and managing the use of third-party SaaS applications. Proofpoint offers multiple security integrations and helps teams identify the employees most likely to be attacked. It’s a good choice for businesses that want to closely track their organization’s biggest targets.
Pricing
The CASB solution has a live demo available for potential customers. Contact sales to receive a specific quote.
Key features
- More than 46,000 apps categorized by type and risk attributes
- Identify VAPs (Very Attacked People) and set appropriate privileges for sensitive access
- Deployment integrations with SOAR, IAM, and cloud-service APIs
- Continuous DLP controls and policies across endpoints, web, email, and cloud applications
Pros
- Threat detection is based on user-specific contextual data
- API integration options with multiple other enterprise solutions, including SOAR, SIEM, and ticketing tools
- Free trial
Cons
- Administration could be more straightforward for using multiple Proofpoint solutions in one organization.
5 Features of CASB Solutions
CASBs play the critical role of enforcing enterprise security policies for accessing cloud services. The following security features included in CASB solutions are important for businesses that use multiple cloud applications, have remote employees, and need to improve their compliance posture.
Authentication, authorization, and SSO
Correctly identifying users’ identities and making sure they’re actually permitted to use an application helps organizations decrease cyberattacks that come from unauthorized access. Authentication differs from authorization — while authentication reveals a user’s identity, authorization allows them to enter and use. Single sign-on technologies provide authentication for an organization’s set of cloud applications. When a user logs in to the SSO platform, they can securely access all applications for that session with one click.
Malware detection and prevention
Malware is one of the biggest threats to enterprises’ day-to-day operations. CASB solutions detect anomalies across cloud applications that could indicate the presence of malware or malicious activity. Examples of anomalies include an attempt to download customer data from Salesforce at a strange time or unfamiliar files that are randomly shared with employees’ Google accounts. CASBs alert security admins to this behavior so they can identify and halt potential threats.
Device profiling
Security teams need to know what their organizations’ devices are doing. Device profiling compiles data for each device, like behavioral data (like device traffic) and specification data (like device operating system). This helps teams create a comprehensive view of the device and its presence and behavior on networks, whether company or home networks. Device profiling makes it easier for security teams to identify device-specific threats.
Logs and alerts
CASB logs track and store data from behavior within the cloud environment. These logs should provide device, user, and application information that can be used to detect and identify threats. Alerts notify security teams when a potential threat has been identified within the cloud environment. Alerts should happen instantaneously to give personnel time to mitigate the threat before it spreads or causes more damage.
Encryption and tokenization
Encryption protects data as it’s stored in cloud solutions and transmitted between them. Encrypting data shields the information from any user who attempts to view it without the decryption key. Tokenization shields employee or user data from view by using symbols, or tokens, to represent personally identifiable information.
Why Do You Need a CASB?
The explosion in internet-enabled technology has created a reliance on digital advancements like cloud computing. However, the increase in internet-accessible resources comes with the inherent security risks posed by the worldwide web. Enterprise firewalls, web gateways (SWGs), and web application firewalls (WAF) all strengthen organizations’ security posture, but they fail to offer cloud-specific security.
Also Read: Cloud-based security: SECaaS
Protecting applications
Data and applications are moving away from private data centers and leaving behind a stack of on-premises security solutions that offer network visibility, access, data loss prevention (DLP), threat protection, and breach logging. The cloud’s introduction of SaaS products has moved data from private, on-premises DCs to cloud-based operations.
Similarly, users have widely adopted cloud applications because accessing these tools outside of work and remotely is easier than ever. The added risk to applications and data on the network edge makes tools like CASB essential for cloud-based security.
Also Read: SaaS Security Risks: It’s the Users, Stupid
Remote work and BYOD
The consequence of cloud and mobile proliferation means data and users live beyond the on-premises security infrastructure. Where legacy security systems could effectively monitor local network traffic, CASBs have taken the mantle of monitoring and authenticating access in the cloud.
As organizations have adopted remote work and permitted personal devices (BYOD) for staff, the cloud offers open access to unmanaged or unsanctioned devices that the user can authenticate. This makes data vulnerable because it lives in the pertinent cloud applications and can be downloaded with little effort. Without a CASB in place, struggling to identify all access points is a significant roadblock to improving security.
Auditing network applications
Outside of every IT department lives unsanctioned technology known as shadow IT. Wandering personnel using unsanctioned tools pose a security risk to the organization. IT departments evaluate the network security posture, pertinent configurations, and user training needed to deploy the product best before implementing applications.
Without these steps and close attention to detail, employees could be agreeing to terms of use and downloading applications that are in direct conflict with the organization’s internal or compliance standards. CASB solutions help decrease the effects of shadow IT.
Also Read: Remote Work Security: Priorities & Projects
CASB Benefits
CASB solutions aren’t a one-size-fits-all product. SaaS applications today have specialized APIs that require a compatible CASB to protect the application’s specific traffic. Enterprise organizations can have a suite of CASB solutions to cover the network’s cloud application traffic.
While CASB products don’t provide perfectly comprehensive security for all cloud systems, they’re a beneficial tool for managing access to business applications. Consider the benefits and limitations of CASB tools before implementing one in your organization’s security infrastructure.
CASBs control cloud application and data access by combining a variety of security policy enforcement requirements. They can manage single sign-on, logging, authentication and authorization, device profiling, encryption, and tokenization. They can detect, alert, and prevent malware attacks. Benefits of deploying a CASB include:
- Restricting unauthorized access
- Identifying account takeovers
- Uncovering shadow cloud IT
- Preventing cloud data loss
- Managing internal and external data access controls
- Recording an audit trail of risky behavior
- Identifying loud phishing and malware threats
- Continually monitoring for new cloud risks
Other benefits noted by industry adopters include reduced costs and increased agility, and outsourced hardware, engineers, and code development.
Also Read: Cloud Security Requires Visibility, Access Control: Security Research
Best Practices for Implementing CASB
A CASB is an unusual security solution in that it spans the cloud and on and off-premises users, so deployment can be tricky. For a successful rollout, keep the following best practices in mind.
1. Build visibility
The first step is to gain visibility into current cloud usage. This means diving into cloud application account usage and identifying activity by user, application, department, location, and devices used. Analyzing web traffic logs will offer a good reference point and will allow you to evaluate what enterprise or SMB CASB is appropriate.
2. Forecast risk
The second step is to develop a cloud risk model based on the network’s standard usage patterns. Whether a hacker has gained access with leaked credentials or a former employee still has access to the organization’s cloud applications, these are both instances of risk that the network administrator must consider.
Unsanctioned access can be dangerous when users have malicious intent and the ability to steal or delete critical data. Organizations can extend existing risk models or develop specialized risk models based on the needed security configurations.
3. Deploy the CASB
The third and final step involves applying the risk model to the current shadow cloud usage and deploying your CASB for action. With the risk model defined, the enterprise can enforce use policies across all cloud services. The IT team can assign risk scores and categorize cloud services for even more visibility into network services moving forward. When onboarding the CASB is complete, administrators can rest assured that their network and cloud infrastructure monitor traffic, protect against threats, fill the DLP gap, and ensure compliance with data privacy and security rules.
After deployment, network administrators and security analysts must give attention to CASB activity and ensure it’s functioning properly for its intended use. Many organizations start small on this process by integrating CASB for an initial application and analysis before integration across the network.
Read more about best business practices for cloud security.
How to Choose the Best CASB for Your Business
Cloud access security solutions aren’t typically one-size-fits-all. To successfully analyze CASBs and choose a suitable product for your organization, consider the following points.
Play to your strengths
Different security teams have varied skillsets, sizes, and levels of expertise. Choose a CASB that’s suitable for the security team that will be using it. An experienced and tenured team will likely benefit from a highly configurable solution, while a team of junior security personnel will want an easy-to-navigate interface and some out-of-the-box templates.
Know your budget
Narrow your list of potential CASBs down to a few choices and contact the sales team for each, getting a specific quote based on your business’s needs. Then analyze with your buying committee to determine which solution is the best combination of affordable and appropriate.
Keep integrations in mind
When shopping for a CASB, make sure the solutions you’re considering support all of the cloud applications that your business needs to protect. For example, if you want to monitor Slack access and behavior, look at CASB products that integrate with Slack.
Don’t forget customer support
Different security teams will need different levels of technical support from the vendor. Less experienced or small teams should select a CASB solution with highly rated, responsive customer support. Larger security teams with years of experience may not need quite as intensive technical services.
3 Types of CASB Deployment
There are three primary deployment methods for CASB solutions: forward proxies for inline deployment, reverse proxies for inline deployment, or APIs for out-of-band deployment.
Inline deployment: Forward proxies
A forward proxy is positioned closer to users and can proxy traffic to multiple cloud services. CASBs inspect cloud traffic for users and employ an SSL man-in-the-middle technique to steer traffic to the CASB forward proxy.
The downside of using a forward proxy is that each device accessing the proxy requires the installation of self-signed certificates. An excess of users can also cause latency. For relevant devices, traffic is redirected to PAC files, unique DNS configurations, third-party agents, advanced forwarding, chaining, or TAP mechanisms.
Inline deployment: Reverse proxies
A reverse proxy is positioned closer to the cloud application and can integrate with Identity-as-a-Service (IDaaS) and IAM solutions. It doesn’t require particular configuration or certificate installation. Reverse proxies receive requests from the cloud application, apply predefined security rules, and pass the user’s request.
Also Read: Application Security Vendor List
Out-of-band deployment: API-based
CASBs typically sit in the traffic path between users and cloud platforms; however, out-of-band deployment uses asynchronous APIs to do the job. APIs receive all cloud traffic from log events to the configuration state necessary to create and enforce the appropriate security policies. Out-of-band CASB deployment enables frictionless change for application behavior, north-south and east-west traffic coverage, and retrospective policy enforcement for data-at-rest and all new traffic.
Gartner points out that APIs’ development and their ability to offer real-time visibility and control could mean the end of proxy-based methods for deploying CASB.
Frequently Asked Questions (FAQs)
You might still have questions about using CASB solutions or need to provide further information to executive team members or a buying committee. These questions help explain the importance of CASB technology and the ways it’s different from other security solutions.
If I already have a firewall, do I need a CASB?
Whether you need a CASB depends on your business’s overall needs. Do you have a large number of cloud-based applications or many users? Are your employees constantly sharing files or accessing sensitive information?
Regardless of whether you need a CASB, know that a firewall is not enough for most enterprises. You’ll at least need a next-generation firewall, and aside from that, it’s important to invest in a security solution that hunts for threats and vulnerabilities within your infrastructure. Because firewalls are at the perimeter of a network, server, or application, they won’t be able to halt an attack if it gets through the initial barrier.
What is the difference between CASB and SIEM?
While CASB focuses specifically on cloud applications, SIEM can encompass a broader range of enterprise technology, including hardware. SIEM solutions typically generate events or alerts from cloud solutions as well as other on-premises environments.
What is the difference between CASB and DLP?
DLP is often a single feature of advanced CASB solutions: CASB not only provides data loss prevention but also other capabilities under its umbrella. Data loss prevention is specifically designed to protect sensitive data from being leaked or stolen. While CASB solutions have features that shield data, that’s not the only goal of cloud access security software.
What is the difference between CASB and SASE?
Both CASB and SASE protect cloud environments. However, SASE includes large-scale networking security for remote users and locations, while CASB usually covers just SaaS protection. SASE also requires more time to deploy, typically necessitating a full overhaul of existing network security infrastructure. CASB takes less time to implement.
How We Evaluated CASB Solutions
We evaluated a wide range of CASB vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths, and limitations. Independent tests, user reviews, vendor information, and analyst reports were among the sources used in our analysis.
Bottom Line: CASB Solutions
Cloud access security brokers help enterprises manage the wealth of cloud apps needed for everyday business operations. The more applications a company uses, the more vulnerable its security posture can be. CASBs help mitigate the threats that besiege cloud applications, including phishing attacks, unauthorized access, and malware. These top-of-the-industry solutions will help your organization become more aware of its cloud vulnerabilities and secure its most important applications.
Considering a variety of cloud solutions? Read about our picks for the top cloud security providers next.
Jenna Phipps contributed to this report.