Best Cloud Access Security Brokers (CASB)

Today’s network infrastructure has become very fluid, extending to the cloud—SaaS, IaaS, and PaaS; and more and more cloud applications—whether sanctioned or unsanctioned by IT—are added to the mix. In addition, an increasing number of dispersed devices and users fall under categories such as user-managed devices (BYOD), IoT, shadow IT, and remote workers. The traditional approach to security makes less sense in such highly diverse and distributed environments.

The ability to monitor and govern the usage of cloud applications has become essential to the goal of enterprise security. Rather than outrightly banning cloud services and potentially impacting employee productivity, organizations must adopt a new approach to overcome this deficiency and protect the modern infrastructure. The Cloud Access Security Broker (CASB) is an emerging security technology that specifically addresses the challenges that come with the cloud.

Here is our list of the seven best Cloud Access Security Brokers (CASB):

  1. McAfee MVISION A mature CASB that provides visibility and control over data and threats across public, private, and hybrid cloud environments.
  2. Netskope A leading CASB solution that enables organizations to quickly identify and manage the use of cloud applications, regardless of whether they are managed or unmanaged.
  3. Microsoft Defender for Cloud App A CASB solution that operates on multiple clouds.
  4. Proofpoint CASB Comes with risk-based SAML authentication, web isolation, and zero-trust remote access features to help prevent cloud threats.
  5. Symantec CloudSOC A multimode CASB with solid visibility, data security, and threat protection capabilities to mitigate malicious content in cloud apps, shadow IT, and compliance risks.
  6. Lookout CASB A cloud-native CASB platform that provides integrated cloud security, data protection.

What is a Cloud Access Security Broker (CASB)?

According to Gartner, “cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed”.  In a nutshell, a CASB is a cloud-hosted software or on-premises software or hardware that acts as an intermediary between users and cloud service providers.

The idea behind CASB is to allow businesses to safely use the cloud while protecting sensitive corporate data. It provides visibility and control over data and threats in the cloud. This is achieved by using auto-discovery to compile a list of all third-cloud applications, including the risk level associated with each application and those using them. It then uses the insights for policy setting and enforcement. With CASB, an organization can hope to achieve visibility, compliance, data security, and threat detection across their cloud services.  A CASB solution can be deployed either on-premises or in the cloud using either API-Control, Reverse Proxy, or Forward Proxy modes.

There are three types of CASB:

  • API-Only: Delivers only management, no security, and Zero-Day protection
  • Multi-mode First-Gen: Delivers management and security, but not Zero-Day protection.
  • Multi-mode Next-Gen: Delivers management, security, and Zero-Day protection.

Choosing the Right CASB Solution for Your Business

The CASB market is rapidly evolving with new use cases and functionality to address the increasingly complex requirements of cloud security.  With a variety of CASB solutions, choosing the right one for your business can be challenging. What fits perfectly from a price, feature, and functionality standpoint for one organization may not fit for another.

You need to identify your CASB use cases and look specifically for the solutions that best address your needs. You also need to find out if CASB integrates with other existing security applications in your network, such as your DLP, SIEM, firewalls, and others.

Other factors worth considering include:

  • What deployment mode best suits your environment—API Control, Reverse Proxy, or Forward Proxy?
  • Is the CASB solution capable of identifying and classifying sensitive and confidential data?
  • How does the CASB solution discover cloud services and determine risk scores?
  • What cloud services does the CASB monitor out-of-the-box?
  • Is vendor support available in your region, and to what extent?
  • How geographically diverse are the vendor’s edge locations worldwide?
  • What is the total cost of ownership?

In this article, we’re going to review the seven best CASB solutions in the market. Hopefully, this will guide you in the process of choosing the right one for your business.

The Best Cloud Access Security Brokers (CASB)

1. McAfee MVISION

McAfee MVISION
Figure 1.0 | Screenshot showing McAfee MVISION dashboard

McAfee MVISION Cloud is a mature CASB that provides visibility and control over data and threats across public, private, and hybrid cloud environments. It is one of the leading CASB products and was named a leader in the 2020 Gartner Magic Quadrant for CASB. MVISION Cloud provides real-time analytics and AI-enabled threat intelligence capabilities, including alerts about user behavior. The product is best suited for large organizations such as financial, healthcare, and government agencies, and others with heavy cloud usage. In addition, the McAfee CASB Connect Catalog includes dozens of pre-integrated applications such as Office 365, AWS, Box, Slack, Salesforce, etc., that make it easy to adopt any cloud service securely.

The MVision approach allows for practically any deployment model you might desire, whether entirely cloud-based, on-premises, or some hybrid format. In addition, MVISION Cloud is agent-based and can be deployed via API, forward, or reverse proxy methods.

Key features include:

  • Detect: Gain complete visibility into data, context, and user behavior across all cloud services, users, and devices.
  • Protect: Applies continuous protection to sensitive information wherever it goes inside or outside the cloud.
  • Correct: Take real-time action within cloud services to correct policy violations and stop security threats.
  • Machine-driven user and entity behavior analytics (UEBA) to identify threats to cloud environments
  • API integration to cloud services for real-time control over user access, collaboration, and data, along with forward and reverse proxy modes to enforce control over shadow IT and personal device access to the cloud.

2. Netskope CASB

Netskope CASB
Figure 2.0 | Screenshot showing Netskope CASB deployment options | Image credit: Netskope

Netskope is a leading CASB solution that enables organizations to quickly identify and manage the use of cloud applications, regardless of whether they are managed or unmanaged. Netskope has been recognized as a leader in the 2020 Gartner Magic Quadrant for CASB; and a 2021 Gartner Peer Insights Customers’ Choice for CASB. Netskope Security Cloud prevents sensitive data from being exfiltrated and eliminates blind spots by targeting and controlling activities across thousands of cloud (SaaS and IaaS) services. The data-centric approach adopted by Netskope Security Cloud allows it to deliver visibility and real-time data, and threat protection whenever a device connects to the cloud.

Netskope supports multimode deployment options from an API-only deployment mode to several real-time options, including an endpoint software to protect roaming users. In addition, it can be deployed 100% in the cloud, on-premises, or a hybrid form.

Key features and capabilities include:

  • Cloud app risk scoring: Netskope’s Cloud Confidence Index (CCI) automatically audits your traffic to discover your overall risk profile across applications used within your environment.
  • Netskope DLP: Netskope DLP provides contextual awareness of content being used in the cloud, including real-time, inline enforcement of security policies to prevent data loss
  • Visibility and control: Netskope Cloud XD provides granular visibility and control of your cloud services and performs big data analytics to eliminate blind spots.
  • Streamlined operations: Netskope threat intelligence Identifies, mitigates and remediates insider/outsider threats, compromised accounts, and privileged user threats cloud applications.
  • Customizable Dashboard: A customizable view of all SaaS, IaaS, web activities, users, and devices.

3. Microsoft Defender for Cloud App

Microsoft Defender for Cloud App
Figure 3.0 | Microsoft Defender for Cloud App architecture | Image credit: Microsoft

Microsoft Defender for Cloud App (formally Microsoft Cloud App Security) is a CASB solution that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across your Microsoft and third-party cloud services. It was named a leader in the 2020 Gartner Magic Quadrant for CASB.

It supports various deployment modes, including log collection, API connectors, and reverse proxy. In addition, Microsoft Cloud App Security natively integrates with leading Microsoft solutions and is designed with security professionals in mind.

Key features and benefits include:

  • Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization.
  • Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive data at rest.
  • Protect against cyber threats and anomalies: Detect unusual behavior across cloud apps to identify rogue applications and compromised users and remediate them automatically
  • Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements
  • Govern access to apps and resources: Discover and manage shadow IT in your organization.

Microsoft Cloud App Security is a user-based subscription service, and a license is based on per user, per month model. It can be licensed as a standalone product or as part of several different licensing plans. The licensing cost varies by program, region, and agreement type. A free trial is available to enable you to test run before purchase.

4. Bitglass CASB

Bitglass CASB
Figure 4.0 | Diagram showing Bitglass architecture | Image credit: Forcepoint

Bitglass (recently acquired by Forcepoint) is an American cloud security software company founded in 2013. It is a cloud-native agentless multi-mode next-gen CASB solution targeted at SMBs to large enterprises. Bitglass is among the leading CASB products in the market. It was named a leader in the 2020 Gartner Magic Quadrant for CASB. Bitglass combines forward and reverses proxies to detect threats that network-based reverse proxies might miss. In addition, Bitglass is capable of generating alerts in real-time to aid incident management and response.

Key features include:

  • Protect data in motion: With a robust cloud DLP engine and Zero-day Threat Protection capabilities
  • Visibility and analytics: Bitglass gives you a single-pane, cross-app view into the details of your employees’ cloud usage and other user behavior analytics
  • Agentless protection: Bitglass’ agentless proxies intermediate traffic between the cloud and any endpoint
  • Shadow IT discovery: Bitglass leverages AI and machine-learning technologies to automatically index and classify known and unknown cloud apps
  • API management: Bitglass delivers API management for all significant SaaS apps
  • Identity Management: Bitglass incorporates identity management services such as SAML, SSO, Active Directory authentication, contextual MFA, and more

Bitglass is known for its simplicity, robust security features, and excellent support service. However, some customers are concerned that it stores data on a third-party cloud, leading to security and compliance issues. A free trial is available to enable you to test run before purchase.

5. Proofpoint CASB

Proofpoint CASB
Figure 5.0 | Screenshot showing Proofpoint CASB dashboard

Proofpoint CASB comes with risk-based SAML authentication, web isolation, and zero-trust remote access features to help prevent cloud threats. It also integrates with cloud-service APIs, hybrid identity management tools, and other security products (including Proofpoint Threat Response) to detect and contain threats.

Proofpoint CASB combines machine learning-driven threat intelligence with user-specific risk indicators to analyze user behavior and detect anomalies across cloud apps and when a cloud account is compromised.

Key features and benefits include:

  • People-centric visibility: Gain insight into cloud usage at the global, app, and user level
  • Proven Advanced Threat Protection: combine user-specific risk indicators with cross-channel threat intelligence to detect anomalies in cloud apps.
  • Risk-aware data security: Proofpoint CASB helps identify data that’s at risk, orphaned or compromised accounts.
  • Third-party apps control and Shadow IT: Proofpoint CASB helps you discover and manage malicious third-party apps and other security gaps in your cloud applications.

A free 30-day trial is available to enable you to test run before purchase.

6. Symantec CloudSOC

Symantec CloudSOC
Figure 6.0 | Screenshot showing Symantec CloudSOC dashboard

The Symantec CloudSOC is a multimode CASB with solid visibility, data security, and threat protection capabilities to mitigate malicious content in cloud apps, shadow IT, and compliance risks. CloudSOC is ideal for medium to large enterprises using other Symantec cloud products and organizations with heavy cloud use.

CloudSOC integrates seamlessly with other Symantec enterprise security products to provide enhanced security functionality in the cloud. Symantec claims to have the most robust cloud DLP solution due to its data science-driven ContentIQ DLP technology. It also comes with an intelligent UEBA and machine learning capabilities一allowing adaptive policy actions. Additionally, cloud SOA taps into the Symantec Global Intelligence Network (GIN) and benefits from threat data gathered across endpoint, email, and web traffic from the entire Symantec customer base. CloudSOC is subscription-based and can be purchased through Broadcom authorized distributors and partners in your region.

7. Lookout CASB (formally CipherCloud)

Lookout CASB (formally CipherCloud)
Figure 6.0 | Screenshot showing Lookout CASB dashboard

Lookout CASB is a cloud-native CASB platform that provides integrated cloud security, data protection. Lookout CASB works in all the modes–API-based, reverse, and forward proxy, offering maximum use case coverage, visibility, and control over all users, devices, and cloud services. In addition, it has over 20,000 cloud apps profiled in its onboard knowledge base, enabling it to assess the risk of each cloud service being used.

The Lookout CASB Policy Engine allows administrators to enforce centralized data protection policies. The centralized procedures executed through Lookout CASB further monitor, detect, classify and remediate sensitive data exposures across cloud apps and enforce automated remediation actions. In addition, with classifieds. Lookout’s User and Entity Behavior Analytics (UEBA) engine, continuous monitoring of users, devices, and application activities, to detect anomalous behavior are performed across multiple sanctioned cloud apps and prevent accounts from getting compromised by malicious insiders and external threats.

A free 90-day trial is available to enable you to test run before purchase. The free trial requires at least 100 devices to protect, along with a business email address.