Market Guide for Cloud Access Security Brokers





22 October 2015 | ID: G00274053 | Analyst(s): Craig Lawson, Neil MacDonald, Brian Lowans


The cloud access security broker market is rapidly evolving, with vendors providing a wide range of security features and multiple delivery options. CASB is a required security platform for organizations using cloud services, and security leaders should use this research to shortlist CASB providers.

STRATEGIC PLANNING ASSUMPTIONS
Through 2020, 95% of cloud security failures will be the customer's fault.
By 2020, 85% of large enterprises will use a cloud access security broker product for their cloud services, up from fewer than 5% today.


Overview

Key Findings
The cloud access security broker market has evolved rapidly since its gestation period in 2012, and it has quickly become a necessary cloud security control technology, regardless of industry vertical, for organizations adopting multiple cloud services.
CASBs primarily address back-office applications delivered as SaaS (e.g., CRM, ERP, HR, productivity and service desks). Applications focused on specific industry sectors, such as healthcare, and general cloud services (e.g., business intelligence) are not well-covered.
SaaS dominates CASB coverage, and infrastructure as a service support is improving; however, platform as a service coverage is limited. SaaS and IaaS are the main areas seeing service support and feature improvements.
Enterprise business units are acquiring cloud services directly without involving the IT organization. This is fueling growth in cloud service adoption.
The wide adoption of identity as a service, and the move of identity and access management into the cloud (meaning a single identity store), has reduced the friction in adopting CASBs and cloud services.
Providers in this market are mainly fueled by venture capital funding; therefore, the number of providers will consolidate to approximately seven or fewer stand-alone vendors by 2018.

Recommendations
Security leaders should deploy CASB for the centralized control of multiple services that would otherwise require individual management.
Security leaders should use Gartner's four pillars of CASB definition as a guide for selecting the providers that best address cloud service security use cases.
Security leaders should be cautious when entering into long-term contracts. Build in flexibility, because you may need more than one CASB, or you may need to transition from your current provider to one delivering a complete set of your use cases during the next two years.

Market Definition
This document was revised on 26 October 2015. For more information, see the Corrections page.


Cloud access security brokers (CASBs) address gaps in security resulting from the significant increases in cloud service and mobile usage. They deliver capabilities that are differentiated and generally unavailable today in security controls such as Web application firewalls (WAFs), secure Web gateways (SWGs) and enterprise firewalls. CASBs provide a single point of control over multiple cloud services concurrently, for any user or device.

CASBs primarily address SaaS back-office enterprise applications today, such as CRM, HR, ERP, service desk and productivity applications (e.g., Google Apps for Work and Microsoft Office 365). They increasingly support the control of enterprise social networking use, and popular infrastructure as a service (IaaS) and platform as a service (PaaS) providers. However, we anticipate a battle for the control of this emerging technology class, and vendors will be acquiring or building CASB offerings during the next three years.

CASBs deliver functionality around four pillars, which are of equal importance (see "Technology Overview for Cloud Access Security Broker"):

Visibility — CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location.

Compliance — CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.

Data security — CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation. Policies are applied through controls, such as audit, alert, block, quarantine, delete and encrypt/tokenize, at the field and file level in cloud services.

Threat protection — CASBs prevent unwanted devices, users and versions of applications from accessing cloud services. Other examples in this category are user and entity behavior analytics (UEBA), the use of threat intelligence and malware identification.

This technology is available as a SaaS application or on-premises via virtual or physical appliance form factors (see "Technology Overview for Cloud Access Security Broker"). The SaaS form factor is appreciably more popular than the on-premises flavors of this technology, and it is increasingly the preferred option for most use cases. However, the on-premises versions meet specific use cases in which regulatory and/or data sovereignty requirements demand an on-premises answer.

Initially, the market was segregated between providers that delivered their CASB features via forward and/or reverse proxy modes and others that used API modes exclusively. Increasingly, a growing number of CASBs offer a choice between proxy modes of operation and also support APIs. Gartner refers to these as "multimode CASBs." They give their customers a wider range of choices in how they can control a larger set of cloud applications. (See "Select the Right CASB Deployment for Your SaaS Security Strategy" for more details on this critical deployment consideration.)

Organizations need to look past CASB providers' "lists of supported applications and services," because there are (sometimes substantial) differences in the capabilities supported for each specific cloud service, based on the service's features, the CASB architecture used and the organization's end-user computing model. For example, one CASB's "support for Salesforce or Office 365" can be markedly different from another's, depending on bring your own device (BYOD) use cases, even though both "on paper" support these applications. Proxy and API architectures have different abilities to perform different actions, which has various implications for how a provider delivers the four pillars for a specific cloud service.

The maturity level of APIs across cloud service providers today is wildly divergent. Organizations such as the Cloud Security Alliance are trying to address this problem by working with the industry to develop a set of common, open API standards. Regardless of this work, Gartner expects cloud application and services providers to develop their APIs significantly during the next two to three years, even if they are not pursuing compliance with an industry standard. APIs will increasingly deliver more utility, supporting the potential for newer security use cases not yet thought of. In the long term, APIs have the potential to obviate having to intercept traffic with proxies, if they mature to the point where real-time visibility and control become possible.

Enterprise Integration
CASBs provide a number of critical points of integration with the environment, and these integration points play an important role in preventing enterprise security delivery from becoming yet another silo. CASB integration points cover identity and access management (IAM) integration; reuse of data security policies for the cloud; and event integration with technologies such as security information and event management (SIEM) for a single view of an organization's security events, plus support for a number of existing security processes such as incident response. CASBs themselves offer APIs that can be used by enterprises to take advantage of automation and integration opportunities and to instrument them with other enterprise management tools.


NOTE 1 ENDPOINT-BASED CLOUD DATA PROTECTION SOLUTIONS
These vendors, which fall outside the scope of this research, use an endpoint-based approach. This is typically an agent or browser plug-in, used to gain visibility of traffic to and from cloud-based SaaS applications and for the protection of cloud data. Most of the vendors focus on SaaS enterprise file synchronization and sharing (EFSS) applications, such as Box, Dropbox, OneDrive and Google Drive. If the primary requirement for the organization is the protection of data in an EFSS application, these vendors offer an alternative to the mediation-based approaches via proxies and APIs of the CASB platform providers. The following vendors provide solutions in this area:
Boxcryptor
CenterTools Software
CloudCrypt
Covata
Cryptzone
Fasoo
nCrypted Cloud
Ohanae
SearchYourCloud
Secure Islands Technologies
SecureAge Technology
Sookasa
Sophos
Vera
Viivo (PKware)

NOTE 2 CLOUD APPLICATION DISCOVERY
These vendors do not supply CASB platforms, but provide visibility into cloud application usage:
Microsoft Azure Cloud App Discovery
OpenDNS
Intel Security (McAfee)

Cross-Over Technologies in CASB
Although CASBs deliver a number of "net new" features to the security technology landscape, they also deliver features that have historically been found in other technology silos or solution sets. Primarily, these come in the form of tokenization, encryption, data loss prevention (DLP) and analytics. Enterprises should not treat data used in cloud SaaS applications in isolation from on-premises data environments. There is a critical need to establish enterprisewide data security policies and controls based on data security governance processes, so CASB data security capabilities should be integrated with on-premises enterprise data security solutions for DLP, data-centric audit and protection (DCAP), encryption, tokenization, user activity monitoring and analytics.

DLP and DCAP
Many CASBs provide data classification and discovery capabilities with built-in policy templates, as well as document controls, such as fingerprinting and watermarking, which merge capabilities from both DLP and DCAP (see "Market Guide for Data-Centric Audit and Protection") methodologies. Policies can enable automatic blocking, quarantining, encryption/tokenization, etc., before data is loaded into a SaaS, or act as a forensic capability after the fact, and some SaaS applications are beginning to offer DLP-like functionality. Beyond their own DLP engines, several CASB products can also integrate directly with enterprise DLP products through APIs to ensure policy uniformity between on-premises network DLP and CASB DLP policies (see "Overcome the Limitations of DLP for Mobile Devices"). CASBs are also developing overlapping DCAP policy capabilities, such as user activity monitoring that can detect anomalous data access or privilege changes, audit reports, and real-time security alerts or blocking. In addition, cloud application and service providers are building DLP functionality into the application or service itself. One example is Microsoft adding DLP to multiple areas of the Office 365 platform (see "Data Loss Prevention in Microsoft Office 365"). An advantage of a CASB over native DLP capabilities is consistency: one can apply a set of common DLP policies that extends to multiple services and even multiple providers, reducing the overall time required for developing and enforcing policies.
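The data security pillar above comes down to three steps a broker performs on every event it sees: classify the content, match it against an ordered policy, and apply one of the listed controls (audit, alert, block, quarantine, encrypt). The following is an added example written for this page, not Gartner's text or any CASB vendor's code. The event records, the two classifiers (a Luhn-validated card pattern and an SSN-style pattern) and the rule table are all constructed assumptions; a real broker draws its events from the provider's API or a proxy and uses far richer classifiers, but the decision flow is the same.

```python
"""Field- and file-level data security policy applied to cloud audit events.

Added example (not Gartner's or any CASB vendor's code). The event feed,
classifiers and rule table are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class CloudEvent:
    user: str
    service: str
    action: str              # "upload", "share" or "download"
    target: str              # file name or record field
    content: str             # the excerpt the broker inspected
    external: bool = False   # shared with a party outside the organization
    sanctioned: bool = True  # service is approved by IT


# Classifiers: a payment card pattern validated with the Luhn check, and a
# U.S. SSN-style pattern. Both are deliberately simple.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the data classification labels found in the text."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


# Ordered policy: the first matching rule wins. Actions are the controls the
# guide lists (audit, alert, block, quarantine, encrypt).
RULES = [
    ("sensitive data shared outside the organization",
     lambda ev, labels: bool(labels) and ev.action == "share" and ev.external,
     "block"),
    ("card data uploaded to a sanctioned service",
     lambda ev, labels: "PCI" in labels and ev.action == "upload" and ev.sanctioned,
     "encrypt"),
    ("sensitive data in an unsanctioned service",
     lambda ev, labels: bool(labels) and not ev.sanctioned,
     "quarantine"),
    ("any other access to sensitive data",
     lambda ev, labels: bool(labels),
     "alert"),
    ("non-sensitive activity",
     lambda ev, labels: True,
     "audit"),
]


def decide(ev: CloudEvent):
    """Classify the event content and return (action, rule description)."""
    labels = classify(ev.content)
    for description, predicate, action in RULES:
        if predicate(ev, labels):
            return action, description
    raise AssertionError("catch-all rule missing")


def enforce(events):
    """Run the policy over a batch of events; one decision per event."""
    return [(ev.user, ev.service, ev.target, decide(ev)[0]) for ev in events]


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    CloudEvent("alice", "Salesforce", "upload", "Opportunity.Notes",
               "customer paid with card 4111 1111 1111 1111"),
    CloudEvent("bob", "Box", "share", "payroll.xlsx",
               "SSN 123-45-6789 salary 85000", external=True),
    CloudEvent("carol", "Dropbox", "upload", "contacts.csv",
               "jane 987-65-4320", sanctioned=False),
    CloudEvent("dave", "Office 365", "download", "agenda.docx",
               "meeting at 10:00, order 1234 5678 9012 3456 is not a card"),
]

if __name__ == "__main__":
    for row in enforce(SAMPLE_EVENTS):
        print(row)
```

The order of the rules is the policy: the broadest "block" condition (sensitive data leaving the organization) is evaluated first, so a card number shared externally is blocked rather than encrypted. The Luhn check is what keeps the last event at "audit"; a pattern-only classifier would have raised a false positive on an order number.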

Security Analytics and UEBA
A number of CASBs employ advanced analytics, using techniques such as machine learning and anomaly detection. Scalability of analytics is efficiently supported in the cloud, due to its ability to scale horizontally to enable high ingest rates and timely responses. CASBs are using this scalability to good advantage, monitoring dozens of attributes (such as cloud service, field, file, object, user, location, device and action requested) against behavior and usage patterns. This gives CASBs the ability to perform sophisticated threat and misuse detection, which can then enable blocking options at the user, object and device levels. It is another approach, embedded in the CASB platforms, to performing security analytics and UEBA (see "Market Guide for User and Entity Behavior Analytics").
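The simplest form of the behavior analytics described above is a per-user baseline with deviation scoring across several of the attributes the guide names (action volume, location, device). The following is an added example for this page, not Gartner's or any vendor's code. The activity records are constructed, and the threshold, minimum baseline length and spread floor are illustrative assumptions; the floor is what stops a perfectly regular user from producing an infinite z-score on a one-download change.

```python
"""Baseline-and-deviation scoring over cloud activity, the kind of UEBA a
CASB runs across user, service, location and action attributes.

Added example (not Gartner's or any vendor's code). Records and thresholds
are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity records: (day, user, downloads, country, device).
HISTORY = (
    [(d, "alice", n, "US", "laptop-a") for d, n in enumerate([10, 12, 9, 11, 10, 13, 10])]
    + [(d, "bob", 5, "DE", "laptop-b") for d in range(7)]
    + [(d, "carol", n, "US", "phone-c") for d, n in enumerate([3, 4, 2, 3, 5, 4, 3])]
)
TODAY = [
    (7, "alice", 300, "US", "laptop-a"),  # volume spike: possible bulk exfiltration
    (7, "bob", 6, "DE", "laptop-b"),      # within normal range
    (7, "carol", 3, "BR", "phone-c"),     # never-seen country
]

Z_THRESHOLD = 3.0   # assumption: flag at three "standard deviations"
MIN_DAYS = 5        # assumption: shorter baselines are not scored


def volume_z(history_counts, today_count):
    """z-score of today's count against the user's own history.
    Returns None if the baseline is too short to be meaningful."""
    if len(history_counts) < MIN_DAYS:
        return None
    mu = mean(history_counts)
    sigma = pstdev(history_counts)
    # floor the spread so a perfectly flat history cannot produce infinite z
    sigma = max(sigma, 1.0, 0.1 * mu)
    return (today_count - mu) / sigma


def build_profiles(records):
    """Per-user baseline: daily counts plus the countries and devices seen."""
    profiles = defaultdict(lambda: {"counts": [], "countries": set(), "devices": set()})
    for _day, user, downloads, country, device in records:
        p = profiles[user]
        p["counts"].append(downloads)
        p["countries"].add(country)
        p["devices"].add(device)
    return profiles


def score(records_today, history):
    """Return (user, reason, detail) findings for today's records."""
    profiles = build_profiles(history)
    findings = []
    for _day, user, downloads, country, device in records_today:
        p = profiles.get(user)
        if p is None:
            findings.append((user, "no-baseline", "first activity ever seen"))
            continue
        z = volume_z(p["counts"], downloads)
        if z is not None and z > Z_THRESHOLD:
            findings.append((user, "download-spike", round(z, 1)))
        if country not in p["countries"]:
            findings.append((user, "new-country", country))
        if device not in p["devices"]:
            findings.append((user, "new-device", device))
    return findings


if __name__ == "__main__":
    for finding in score(TODAY, HISTORY):
        print(finding)
```

Each finding maps directly onto the blocking options the guide mentions: a download spike can drive a per-user block on the offending service, a new country or device can drive a step-up or device-level block. Scoring against the user's own history, rather than a global threshold, is what lets a broker tell a normally quiet user's spike from a data engineer's routine day.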

Encryption and Tokenization
CASBs provide a common point of encryption and tokenization for cloud applications. Although this is an extra technology to manage, the benefit is that it is a single place serving many cloud applications and services. This reinforces the need to understand the level of data security provided in context with potential trade-offs in functionality and compliance. The selection of a particular mode of operation has an effect on the cryptography and data security mechanisms available:

Reverse proxy — This can be deployed as a gateway on-premises or as the more popular SaaS option. The on-premises option provides full physical control over key management and the application of cryptography on-premises, with no access by the CASB or cloud service provider (CSP). However, the functionality provided by the target SaaS will be affected. With a hosted reverse proxy, there may be indirect access to the key management system and the keys/tokens being used in the cloud by the CASB and/or CSP.

Forward proxy — This can be deployed as a hosted solution or on-premises, and some vendors may deploy software agents on endpoint devices that actually perform the cryptographic operations. The CASB typically provides encryption keys/tokens to the endpoints using asymmetric key distribution techniques or VPN connections. It may use self-signed digital certificates or supported third parties, or it may provide key management solutions that are managed by the enterprise.

API mode — This effectively moves the encryption engine to the CSP itself. This mode also enables organizations to perform data security inspection functions on all data "at rest" in the cloud application or service. The CASB may offer on-premises or hosted key management options. API mode makes it possible to take advantage of a growing number of native data protection tools offered independently by the SaaS applications themselves (e.g., Salesforce), whereby they perform the encryption/tokenization functions but the end users still control the keys.

Endpoint agent — No CASB can operate exclusively on the endpoint, but several vendors offer optional endpoint software for purposes such as cloud application discovery and tracking, routing to the proxy, and object encryption and decryption.

The selection of a particular cryptographic algorithm and key management approach will also affect the level of data security provided, as a direct trade-off against the functionality that has been enabled. For structured data types, it may still be possible to achieve search and sort even if the fields are encrypted or tokenized; however, other SaaS functions will be lost. For unstructured files that are encrypted through a proxy, search and document preview functionality will be lost. In addition, the choice of encryption algorithm or tokenization method applied may affect the ability to achieve compliance, because functionality may have been traded off against the strength of cryptography, for example by weakening the algorithm or adding external metadata. The use of cloud-based key management solutions raises the potential for application administrators, who often aren't in the security team or even the IT team, to access the encryption keys/tokens in the clear.
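The functionality-versus-strength trade-off in the paragraph above is concrete enough to show on a single structured field. The following is an added example for this page, not Gartner's or any CASB vendor's code. It applies three tokenization schemes to a constructed column of email addresses: random vault tokens (nothing searchable in the SaaS, mapping held only in the vault), deterministic keyed tokens (equality search still works, but value frequency leaks), and deterministic tokens carrying a cleartext prefix as "external metadata" so the SaaS can sort (part of every value leaks). The tenant key is an assumption; in a deployment it lives in the enterprise's key management system, not in the broker.

```python
"""Tokenization schemes a CASB might apply to a structured SaaS field, and
the functionality/leakage trade-off each one makes.

Added example (not Gartner's or any vendor's code). The column and the key
are constructed; the key would normally come from an enterprise KMS.
"""
import hashlib
import hmac
import secrets
from collections import Counter


class VaultTokenizer:
    """Random, per-occurrence tokens with the mapping held only in the vault."""

    def __init__(self):
        self._rev = {}

    def tokenize(self, value: str) -> str:
        token = "TOK-" + secrets.token_hex(8)
        self._rev[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._rev[token]


def det_token(value: str, key: bytes) -> str:
    """Deterministic keyed token: same value -> same token under one key."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "D-" + mac[:24]


def sortable_token(value: str, key: bytes, prefix_len: int = 2) -> str:
    """Deterministic token prefixed with cleartext metadata so the SaaS can sort."""
    return value[:prefix_len].lower() + "|" + det_token(value, key)


def equality_search(tokens, value: str, key: bytes):
    """What the SaaS can still do with deterministic tokens: find rows by value."""
    needle = det_token(value, key)
    return [i for i, t in enumerate(tokens) if t == needle]


def frequency_leak(tokens):
    """What an observer of the stored data learns: how often each token repeats."""
    return sorted(Counter(tokens).values(), reverse=True)


def sort_leak(tokens):
    """Cleartext prefixes exposed by sortable tokens."""
    return [t.split("|", 1)[0] for t in tokens]


# Constructed sample column (not real data).
COLUMN = ["alice@example.com", "bob@example.com", "alice@example.com", "carol@example.com"]


def demo(key: bytes) -> dict:
    """Apply all three schemes to COLUMN and report what each one preserves/leaks."""
    vault = VaultTokenizer()
    vault_tokens = [vault.tokenize(v) for v in COLUMN]
    det_tokens = [det_token(v, key) for v in COLUMN]
    sort_tokens = [sortable_token(v, key) for v in COLUMN]
    return {
        # vault: every occurrence distinct, so no equality search in the SaaS,
        # but the vault can reverse each token
        "vault_unique": len(set(vault_tokens)),
        "vault_search_alice": equality_search(vault_tokens, "alice@example.com", key),
        "vault_roundtrip": [vault.detokenize(t) for t in vault_tokens],
        # deterministic: equality search works, repeats are visible
        "det_search_alice": equality_search(det_tokens, "alice@example.com", key),
        "det_frequencies": frequency_leak(det_tokens),
        # sortable: the SaaS can order rows, and the prefix of every value leaks
        "sorted_by_token": [v for _, v in sorted(zip(sort_tokens, COLUMN))],
        "prefix_leak": sort_leak(sort_tokens),
    }


if __name__ == "__main__":
    for name, result in demo(secrets.token_bytes(32)).items():
        print(f"{name}: {result}")
```

Reading the output from the compliance angle in the paragraph above: the vault scheme gives the strongest protection and the least SaaS functionality; the deterministic scheme buys back equality search at the price of a frequency side channel; the sortable scheme buys back sorting by storing cleartext metadata next to the token, which an assessor may well count as exposing the field. Which trade is acceptable is a policy decision per field, and the key for the deterministic schemes must stay outside the CASB and CSP for the "no access by the CASB or CSP" property to hold.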

Market Direction
The CASB market has evolved quickly from its gestation period in 2012. Although most of the providers are still startups running off venture capital funding, the market is suddenly looking as if it will mature rapidly. Gartner sees signs of three movements in this market:
Acquisitions
Established vendors entering into go-to-market partnerships with CASB providers
CASB feature delivery from vendors expanding features organically or with new product releases

Some notable events that align with these market evolution trends include:
Check Point Software Technologies' partnership with FireLayers (October 2015)
IBM's entry into the CASB market (September 2015)
Microsoft's acquisition of Adallom (September 2015)
Deloitte's partnership with Bitglass (September 2015)
Imperva's partnership with Websense (July 2015)
Blue Coat Systems' acquisition of Perspecsys (July 2015)
Palo Alto Networks' acquisition of CirroSecure (April 2015)
Cisco's reseller arrangement with Elastica (April 2015)
HP's entry into a reseller arrangement with Adallom (April 2015)
Akamai's investment in FireLayers (2014)
Imperva's acquisition of Skyfence (April 2014)
Centrify's partnership with Elastica (February 2014)

In terms of the evolution of this market (as first called out in 2012; see "The Growing Importance of Cloud Access Security Brokers"), Gartner believes that an intersection of an SWG, identity as a service (IDaaS) and a CASB is likely to arrive. This would be a new product category in which all three isolated feature sets become available from the same provider. There is also the possibility that the increasingly paired-together cloud security services of distributed denial of service (DDoS) protection and WAFs will also have CASB delivered from those providers. Merger and acquisition activity will be an interesting area of development, as providers that have been acquired will have significantly improved routes to market, with larger sales forces and channels, as well as funding for roadmap expansion. This is likely to shake up the market landscape. In addition, the intersection with data security markets, such as DLP and DCAP, will also drive the evolution toward solutions that protect data wherever it resides: in the enterprise, in the cloud, on-premises and on the endpoint.

The CASB feature set described by the four pillars in existing Gartner research will remain compelling for the foreseeable future, regardless of provider consolidation or the merging of product feature sets. These blended offerings will begin to present a different value proposition, with SWG/IDaaS/CASB available from the same provider. Regardless of consolidation, IT security leaders will still demand competitive feature sets, leaving room for pure-play vendors to continue to lead the market.

CASB capabilities are more mature and targeted for SaaS than for IaaS and PaaS today. Gartner expects CASB vendors to evolve their coverage across the four pillars for IaaS and PaaS in the coming 12- to 24-month period (see Table 1), while improving coverage for other applications, such as business intelligence (BI) and industry-specific (e.g., healthcare) SaaS applications. However, there will be a "line in the sand" for CASB in relation to IaaS and the large array of public cloud native and third-party security solutions. Gartner does not expect CASB to enter the virtual machine (VM) per se to supplement existing public cloud agent-based (firewall, DLP, anti-malware, etc.) or virtual-appliance-based solutions, such as firewalls or intrusion detection systems/intrusion prevention systems (IDSs/IPSs). However, CASBs will leverage IaaS APIs for a range of security use cases.

Table 1. CASB Will Evolve to Cover SaaS, PaaS and IaaS
Columns: SaaS, PaaS, IaaS
Rows (pillars): Compliance, Data Security, Threat Protection
Source: Gartner (October 2015)

Market Analysis
This market is dominated by startups that have been underwritten by a considerable amount of venture capital funding during the past three years. Vendors are starting to make acquisitions or partner with these CASB providers. CASB could also be a driver for vendors in adjacent markets entering the fray, for example enterprise mobility management (EMM) or other cloud security delivery vendors. Gartner sees three macro IT trends driving the expansion and maturation of the CASB market:

Enterprises' move to adopt non-PC form factors — The massive enterprise adoption of tablets and smartphones for core business processes creates security risks that can be mitigated effectively with the assistance of a CASB. The average enterprise end user is spending significantly more "screen time" on these non-PC form factors, and CASB helps secure the cloud application and service side of this equation.

The move to cloud services — This is significantly accelerating, with SaaS being approximately 2.5 times bigger than IaaS in spending (see "Forecast: Public Cloud Services, Worldwide, 2013-2019, 2Q15 Update"). It is driving the need for security technology capable of providing similar security functions, but for a different model of computing. Significant amounts of spending and computing will aggregate around the top cloud service providers. This will have an impact on on-premises-based technology in the long term, including the security software and appliance markets.

Heavy cloud investments — Most large enterprise software providers, such as Oracle, IBM, Microsoft and Siebel, are now heavily invested in cloud, and are actively driving their large client bases to use their cloud services. The enterprise software upgrade cycle will organically lead enterprises to the cloud as a natural evolution. Enterprise security teams will need CASB-like features to deal with the security implications of that evolution.

The forces of cloud and mobility fundamentally change how "packets" (and the data in them) move between users and applications. This creates a need to adjust the list and the priorities of investment in security controls for an organization consuming cloud services. However, the climate for cloud shows geographical differences (see "Survey Analysis: Geographic Differences Among Buyers — Cloud Services Planning, Adoption and Strategy, 2015"). Although the U.S. is consuming the most cloud today, parts of Latin America and the Asia/Pacific region have the highest percentage of end users expecting to significantly increase their cloud spending. CASB will always tightly follow geographical and organization-specific cloud adoption patterns, which require cloud usage to exist (or be planned) prior to CASB adoption. The security industry has a history of startups quickly entering markets and performing a level of disruption that hasn't been immediately countered by incumbent vendors. This has been the case for the CASB market. The leading CASB providers are seeing valuations of more than $300 million, making them relatively large acquisitions for existing providers.

Representative Vendors
The vendors listed in this Market Guide do not represent an exhaustive list. This section is intended to provide more understanding of the market and its offerings. It is not, nor is it intended to be, a list of all vendors or offerings on the market. It is not, nor is it intended to be, a competitive analysis of the vendors discussed. At this stage of the market's evolution, we have two rough groups of providers, categorized as tiers. The Tier 1 CASB providers have established themselves in the CASB market and frequently appear on shortlists in discussions with Gartner clients, across a wide range of industry verticals. Several were early pioneers in specific CASB use cases. They have also gained larger market adoption than other market players. Several have partnered with larger providers, such as HP and Cisco, and one was recently acquired by Microsoft. The other tier of CASBs are often competitive with the Tier 1 providers for specific use cases. The differentiators between the tiers are the maturity of the product, its ability to scale, partnerships and channels, time in the market, ability to address a majority of popular use cases in most industries, geographical constraints, market share and visibility in Gartner's client base.

Bitglass
Bitglass was founded in January 2013 and has been shipping a CASB product since January 2014. Bitglass integrates several mobile device management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and a Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities. It also integrates several data security policy capabilities, in addition to integrating with some DLP vendor solutions. With a focus on sensitive data discovery, classification and protection, it also includes several document management protection capabilities, such as watermarking and encryption methods that support search and sort. Bitglass provides cloud application discovery and a limited SaaS security posture assessment database. Bitglass is now a multimode CASB, with the recent addition of API support on top of the forward- and reverse-proxy modes originally delivered.

Blue Coat Systems (Perspecsys)
Blue Coat was founded in 1996 and has been shipping a CASB product since July 2015, with the acquisition of Perspecsys. Perspecsys was an early entrant into the CASB market, offering a focus on data residency and protection with the tokenization of data in various cloud services, such as Salesforce, ServiceNow and SuccessFactors. It offers its own proprietary tokenization methods and has a unique model for integration with the enterprise's chosen data protection suite, which may already be deployed on-premises. This is most frequently deployed with products from HP Voltage, Gemalto SafeNet and the Java AES-256 module. Perspecsys has not yet delivered a cloud application discovery and SaaS security posture assessment database; however, this is available from the Blue Coat SWG product. Its implementation model is reverse-proxy-based, using an on-premises physical or virtual appliance. Blue Coat has not yet publicly disclosed a roadmap for the integration of these technologies into a common security policy and processing fabric.

CensorNet
CensorNet was founded in February 2007 and has been shipping a CASB product since April 2015. CensorNet is one of the newest entrants into the CASB market. Based on its existing SWG platform, CensorNet is already positioned to capture traffic and see the flow of data to and from SaaS applications. Like most SWGs, CensorNet is based on a forward-proxy architecture, using on-premises physical/virtual appliances. CensorNet can also support deployments of the technology in the cloud. The initial offering is focused on visibility and SaaS application user and policy control.



Market Guide for Cloud Access Security Brokers

CipherCloud
CipherCloud was founded in October 2010 and has been shipping a CASB product since March 2011. CipherCloud was an early pioneer in the CASB market, with an initial focus on the encryption and tokenization of data in some popular enterprise cloud applications. CipherCloud is well-known for this initial use case and can integrate with on-premises key management, DLP and DCAP solutions. It has expanded its data protection capabilities to a broad range of structured and unstructured data within SaaS applications. In 2013, CipherCloud added content and user monitoring and, more recently, cloud discovery and SaaS security posture assessment. CipherCloud's primary implementation model is a reverse proxy for Salesforce data protection. It also supports forward-proxy implementations (for example, with SAP), along with API support for some applications. Although it is available in the cloud, CipherCloud is predominantly deployed on-premises as a physical or virtual appliance.

CloudLock
CloudLock was founded in January 2011 and has been shipping a CASB product since October 2013. CloudLock is one of the API-only CASBs; it can also ingest log files for cloud service usage discovery and provides integrations with proxy and firewall vendors. CloudLock has already established a substantial client base in multiple industry verticals. CloudLock delivers a competitive set of use-case features, such as UEBA for improved threat detection, cloud malware detection, DLP, DCAP, data protection for structured and unstructured SaaS data, compliance, forensics and security operations. CloudLock also uses its end users to help "crowdsource" ratings for a large number of cloud services. This community trust rating also enables end users to see the current rating and why a service has been blocked from use at an organization. CloudLock supports homegrown and marketplace applications built on public IaaS or PaaS, such as Amazon Web Services (AWS), and enables customers to embed CloudLock services into their own applications via APIs.

Elastica
Elastica was founded in January 2012 and has been shipping a CASB product since February 2014. Elastica is a CASB platform provider with credible capabilities in data science, machine learning and deep content inspection, providing DLP features, application discovery via logs and cloud application traffic, cloud service assessment ratings, usage analytics, remediation, reporting and visualization. It uses a forward-proxy-based and API architecture supporting agentless methods, as well as agents for Windows, Mac and iOS endpoints, with support for the major cloud services. Its distributed cloud-based solution is based primarily in Amazon, Rackspace and Cisco data centers. In 2015, Cisco entered into a reseller agreement in which Elastica appears on Cisco's price list and can be sold by the general Cisco sales force.

FireLayers
FireLayers was founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers is a reverse-proxy-based CASB provider that also uses APIs. It does not provide cloud application discovery and SaaS security posture assessments. Instead, it focuses on threat protection, contextual access control and detailed activity monitoring (with a focus on privileged account monitoring) for supported SaaS applications and some IaaS services. FireLayers' preferred deployment option uses a reverse-proxy model with APIs, but it has support for forward-proxy deployments. FireLayers can also inject user-session-centric authentication mitigations, such as two-factor authentication (2FA) using SMS and CAPTCHA challenges, for actions in cloud applications. This is policy-driven and applies where the cloud service itself doesn't support 2FA, or doesn't support the granular use of 2FA for certain high-risk user and administrative actions. FireLayers delivers its CASB services from AWS or on-premises with a virtual appliance.

Imperva

Imperva was founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence. Imperva's vision is to provide full visibility and protection of data, whether in on-premises databases, websites, file shares, SharePoint or SaaS applications. Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection. Imperva's CASB is provisioned as SaaS within its existing Incapsula cloud WAF, DDoS protection and content delivery network (CDN) offering. An on-premises physical or virtual version is also available. Imperva's primary implementation model is reverse-proxy-based, supplemented by APIs, which is a good fit with the expertise Imperva developed with its WAF (see "Magic Quadrant for Web Application Firewall"). Imperva also intends to use this technology to cover internally developed SaaS applications built on top of publicly available SaaS services, as an integral component of its DCAP offering.

Microsoft (Adallom)

Adallom was founded in 2012 and has been shipping a CASB product since early 2013. Adallom is a CASB platform provider that was an early pioneer in adding API-based cloud discovery capabilities to its reverse-proxy CASB platform for extended visibility, including the use of a WAF in the proxy fabric itself. Adallom uses what it refers to as an "adaptive reverse-proxy model" for its distributed architecture. This is hosted in multiple cloud data centers worldwide, with providers such as Amazon, Equinix and Rackspace; however, it is delivered to organizations transparently as SaaS. Adallom also supports API and forward-proxy methods. It supports an on-premises virtual appliance implementation and cloud application discovery, and it provides security posture assessments. In 2015, Adallom announced a partnership with HP. In September 2015, Microsoft completed its acquisition of Adallom as an asset to strengthen its Azure and Office 365 capabilities. Microsoft has stated its intention to continue to provide Adallom's CASB services for non-Microsoft cloud services, such as Salesforce, ServiceNow and Google Apps. In addition, Adallom offers encryption of files through partnerships with Secure Islands, HP Atalla and Check Point Capsule. It can also leverage cloud providers' APIs to offer data classification and discovery tools through its DLP engine, applying controls to newly discovered files at rest or in motion through its hosted service.

Netskope

Netskope was founded in October 2012 and has been shipping a CASB product since October 2013. Netskope was one of the first CASB providers to emphasize cloud application discovery and SaaS security posture assessments as an initial use case for CASB adoption. It has developed deep visibility into user actions within managed and unmanaged SaaS applications, including user behavior analytics, extensive user activity monitoring and DLP/DCAP capabilities. This also includes integration with on-premises DLP systems via the Internet Content Adaptation Protocol (ICAP). Netskope's primary implementation model is forward-proxy (with or without agents, depending on the use case) or forward-proxy chaining. It added reverse-proxy support in 2014 and already supported APIs. Netskope's agents allow for the monitoring and control of native mobile applications, sync clients and the like. It offers object-level encryption, and field-level encryption only with Salesforce. To deliver its CASB services, it uses a globally distributed cloud-based fabric with points of presence, using its own hardware stack placed in Equinix data centers in North America, Europe and Asia. It also offers an on-premises virtual or physical appliance deployment option.

Palerra

Palerra was founded in July 2013 and has been shipping a CASB product since January 2015. Palerra is another of the API-centric CASBs. Its offering covers SaaS, PaaS and IaaS. Some of its key features include user and risk analytics, incident response, case management, threat intelligence integration and consent-driven remediation. Palerra also delivers SaaS platform security management (SPSM) features that enable organizations to control the configuration of SaaS and other cloud service policies centrally. Palerra is delivered from Amazon as SaaS or from a dedicated appliance hosted there.

Palo Alto Networks

Palo Alto Networks was founded in 2005 and has been shipping a CASB product since September 2015. In May 2015, Palo Alto Networks acquired CirroSecure, an API-only CASB provider focused more on SPSM. The new offering is called Aperture. Palo Alto Networks had already been delivering cloud application discovery capabilities to its customers through its on-premises devices, so expanding its visibility using APIs extends its cloud protection strategy to users who are off-premises, whose data flows are not visible to on-premises Palo Alto Networks devices unless a VPN back to the on-premises appliances is enforced. Aperture will also provide additional field- and file-level object visibility into cloud services, on top of what is available from its existing product range. This includes content scanning, remediation, analytics, risk identification and reporting.

Skyhigh Networks

Skyhigh Networks was founded in December 2011 and has been shipping a CASB product since January 2013. Skyhigh Networks was one of the first CASB providers to emphasize the shadow IT problem, with cloud application discovery and SaaS security posture and risk assessments as a primary initial use case for CASB platforms. It has built a large installed base and is a multimode CASB. It has since expanded into data security with DLP/DCAP policies, user activity analytics and monitoring and, more recently, encryption and tokenization of data for a number of SaaS applications, such as Salesforce. Skyhigh's primary implementation model is reverse-proxy plus APIs, and it also supports forward-proxy implementations. It uses a deployment model of distributed proxies running in multiple AWS, Equinix and IBM SoftLayer data centers worldwide. Skyhigh offers an on-premises virtual appliance option with an innovative model for on-premises data acquisition via standard logs, and it can also consume NetFlow for additional cloud discovery options; the appliance protects client data locally, so that Skyhigh itself has no visibility into an organization's data.

Vaultive

Vaultive was founded in January 2009 and has been shipping a CASB product since May 2012. Vaultive is a CASB provider that has focused on the protection of data in Microsoft's Office 365 suite of SaaS applications, using proprietary searchable encryption. It has developed extensive expertise in handling the disparate Microsoft protocols used in Office 365, for example, SMTP, IMAP, ActiveSync, archiving and e-discovery. It is also able to encrypt data in Microsoft's OneDrive and SharePoint Online offerings. Recently, it has expanded its cloud portfolio to other Microsoft SaaS applications, such as Dynamics Online and Yammer. Other cloud services covered include Salesforce, ServiceNow, SuccessFactors, Workday, Google Apps and Box. Its primary implementation model is forward-proxy-based; however, it supports reverse-proxy implementations as well.

The following vendors provide features that can also be considered CASB functionality: Armor5, BetterCloud, IBM, Ionic Security, Protegrity USA, Saviynt, SkyFormation, Vormetric and Trend Micro.

Market Recommendations

IT security leaders should:

- Immediately review their enterprise application providers' cloud, mobile and on-premises enterprise software roadmaps for the cloud to understand their organizations' direction and velocity, and how these align with their security architectures and budgeting strategies. Facilitate and support these plans, and play a significant role in leading the shift of applications and services to the cloud. IT security leaders' goal should be to avoid being the "no" team; instead, they should be the "yes, we can, and here's how" team.
- Get your IDaaS house in order prior to, or during, the selection of a CASB, because it is a foundational control that will make cloud service adoption more efficient and secure. Some CASBs provide entry-level capabilities to stretch Active Directory into the cloud; however, this is likely to be a stopgap measure until a comprehensive IDaaS strategy can be delivered.
- Consider the differences between CASBs that are multimode and those that are API-only to ensure a successful deployment.
- Start with an investigation of what cloud services are being used in your environment. This will help level-set how big the problem actually is (or isn't) and provide insight into how many cloud services you have to sanction, remediate, control, monitor or block.
- Establish enterprisewide data security governance policies that prioritize the protection of sensitive data, and establish the appropriate data security controls in a CASB before using a SaaS.
- Look for ways not to stop cloud usage but, instead, to encourage it by steering users toward cloud services that are "enterprise ready."
- Look for CASBs that:
  - Support the widest range of cloud application services that you are running today and plan to consume in the coming 12 to 18 months.
  - Support your mobile computing usage patterns (managed versus BYOD, etc.).
  - Work effectively with your network topology.
  - Allow for an acceleration of cloud service adoption by effectively controlling sanctioned cloud services, and aid in the selection of proposed new cloud services that are enterprise-ready.
  - Ease your compliance burden for cloud services.
  - Support the modes of operation that align with your core use cases. For example, an API-only CASB could be sufficient for your needs; alternatively, in-line features may need to be deployed, in which case an API-only CASB will only partially meet these needs.
  - Integrate with your existing controls, for example, IAM, SWG, and events going into your central log management or SIEM.
- Consider other cloud usage patterns, such as B2B- and B2C-based cloud services that you use sporadically but over which you should maintain control; a CASB may be able to cover these interactions between people outside your organization and your organization's data.
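The "investigate what cloud services are being used" recommendation above, and the log-based discovery that CloudLock, Elastica and Skyhigh perform in their API or appliance modes, as an added example for this page rather than any vendor's code: outbound proxy log lines are aggregated per destination, matched against a catalogue of known cloud services, and the unsanctioned ones ranked by upload volume. The log format, the catalogue entries, the sanctioned flags and the sample lines are all constructed for the example; a real run would read the secure web gateway's own logs and a far larger catalogue (or a CASB's crowdsourced ratings).

```python
"""Shadow-IT discovery from outbound proxy logs.

Added example, not any vendor's code. The log format, the catalogue and
the sample lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed catalogue: domain suffix -> (service, category, sanctioned?)
CATALOGUE = {
    "salesforce.com": ("Salesforce", "CRM", True),
    "box.com": ("Box", "file sharing", True),
    "dropbox.com": ("Dropbox", "file sharing", False),
    "wetransfer.com": ("WeTransfer", "file sharing", False),
    "github.com": ("GitHub", "code hosting", False),
}

# Constructed log lines in an assumed space-separated format:
# <epoch> <user> <src_ip> <dest_host> <bytes_out> <bytes_in>
SAMPLE_LOG = """\
1445500001 alice 10.1.2.3 na1.salesforce.com 1200 88000
1445500002 bob 10.1.2.4 www.dropbox.com 52428800 4096
1445500003 carol 10.1.2.5 app.box.com 4096 4096
1445500004 bob 10.1.2.4 dl-web.dropbox.com 10485760 2048
1445500005 dave 10.1.2.6 api.github.com 204800 1024
1445500006 erin 10.1.2.7 wetransfer.com 73400320 1024
1445500007 dave 10.1.2.6 intranet.example.internal 512 65536
this line is malformed and must be skipped
"""


@dataclass
class Usage:
    service: str
    category: str
    sanctioned: bool
    users: set = field(default_factory=set)
    bytes_out: int = 0
    hits: int = 0


def lookup(host):
    """Return the longest catalogue suffix matching host, or None if unlisted."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in CATALOGUE:
            return suffix
    return None


def parse_line(line):
    """Parse one log line into (user, dest_host, bytes_out); None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        int(parts[0]), int(parts[5])
        bytes_out = int(parts[4])
    except ValueError:
        return None
    return parts[1], parts[3], bytes_out


def discover(log_text):
    """Aggregate usage per catalogued service.
    Returns (services by name, unlisted hosts -> set of users)."""
    services = {}
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        user, host, bytes_out = rec
        key = lookup(host)
        if key is None:
            unknown[host].add(user)
            continue
        name, category, sanctioned = CATALOGUE[key]
        u = services.setdefault(name, Usage(name, category, sanctioned))
        u.users.add(user)
        u.bytes_out += bytes_out
        u.hits += 1
    return services, dict(unknown)


def shadow_it_report(log_text, upload_threshold=10 * 1024 * 1024):
    """Unsanctioned services, riskiest first: upload volume outranks user count.
    Each row is (service, category, user_count, bytes_out, over_threshold)."""
    services, _ = discover(log_text)
    rows = [
        (u.service, u.category, len(u.users), u.bytes_out, u.bytes_out >= upload_threshold)
        for u in services.values()
        if not u.sanctioned
    ]
    rows.sort(key=lambda r: (-r[3], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for row in shadow_it_report(SAMPLE_LOG):
        print(row)
```

The report answers the sizing question the recommendation poses (how many services need to be sanctioned, controlled or blocked) before any in-line control is deployed. Unlisted hosts are returned separately rather than dropped, since an unknown destination with large uploads is exactly what a catalogue miss looks like, and the suffix match is longest-first so that a lookalike such as a subdomain of an unrelated registrable domain does not inherit a catalogue entry's sanctioned status.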

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services  posted on The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity .” 
