
Market Guide for Cloud Access Security Brokers
Published: 24 October 2016 ID: G00293664

Analyst(s): Craig Lawson, Neil MacDonald, Brian Lowans, Brian Reed

The cloud access security broker market is still rapidly evolving, with
vendors providing a range of capabilities and delivery options to help secure
usage of the cloud. Security leaders should use this research to understand
the CASB market.

Key Findings
■ The wide adoption of identity and access management into the cloud, delivering cloud single
sign-on, has reduced the friction in adopting cloud services and related security controls like
cloud access security brokers (CASBs).
■ Many enterprise business units are acquiring cloud services directly without IT's involvement.
This form of "shadow IT" is fueling growth in cloud service adoption as well as security risks.
■ The CASB market has evolved rapidly since its gestation period in 2012 and includes a number
of high-profile acquisitions. It has quickly become a compelling cloud security control platform
for organizations of all sizes adopting cloud services.
■ Today, CASBs primarily address back-office applications delivered as SaaS (for example, CRM,
ERP, HR, productivity, file sharing, service desk). Applications focused on specific industry
sectors, such as healthcare and general cloud services (for example, business intelligence), are
not well-covered. Continued growth of reported data breaches and new regulations in Europe
are fueling needs to meet increasingly complex data residency requirements.
■ The continued and growing significance of SaaS, combined with persistent concerns about
security, privacy and compliance, continues to increase the urgency for control and visibility of
cloud services.

Recommendations
■ Deploy CASBs for the centralized visibility and control of multiple cloud services that would
otherwise require individual management.
■ Use Gartner's four pillars of CASB definition and CASB evaluation framework as guides for
selecting the provider that best addresses your cloud service security use cases.
■ Be cautious when entering into long-term contracts due to continued market acquisitions and
feature evolution. Build in flexibility, because you may need more than one CASB or you may
need to transition from your current provider to one that will deliver a complete set of your use
cases during the next two years.

Strategic Planning Assumptions
Through 2020, 95% of cloud security failures will be the customer's fault.

By 2020, 85% of large enterprises will use a cloud access security broker platform for their cloud
services, which is up from less than 5% today.

Market Definition
Cloud access security brokers address security gaps in organizations' usage of cloud services (see
"Mind the SaaS Security Gaps"). This technology is the result of the need to secure the significantly
increased adoption of cloud services and access to them from users both within and outside of the
traditional enterprise perimeter. They deliver capabilities that are differentiated and generally aren't
available as a feature in security controls, such as web application firewalls (WAFs), secure web
gateways (SWGs) and enterprise firewalls. CASBs understand that, for cloud services, the
protection target is different: It's still your data, but stored in systems that you don't own. CASBs
provide consistent policy and governance concurrently across multiple cloud services, for users or
devices, and provide granular visibility into and control over user activities.

CASBs primarily address SaaS back-office enterprise applications today, such as enterprise file
synchronization and sharing (EFSS), CRM, HR, ERP, service desk and productivity applications (for
example, Google's G Suite and Microsoft Office 365). They increasingly support control of
enterprise social networking use, and are moving to cover the consoles for popular infrastructure as
a service (IaaS) offerings. Support for platform as a service (PaaS) services is immature today. In
addition, some vendors provide the ability to deploy in front of enterprise applications to bring these
under a consistent cloud service management framework. Because of the rapid adoption of cloud
services by enterprises, we anticipate a battle for control of this growing CASB market, and larger
vendors will likely acquire rather than build CASB offerings during the next three years as a way to
catch leading stand-alone players.

CASBs deliver functionality organized around four pillars, which are of equal importance (see
"Technology Overview for Cloud Access Security Broker"):

■ Visibility — CASBs provide both shadow and sanctioned IT discovery, as well as a
consolidated view of an organization's cloud service usage and the users who access data from
any device or location. Leading CASBs take this further with a cloud service security posture
assessment database to provide visibility into the "trustability" of the cloud service provider
(CSP; see "Unsanctioned Business Unit IT Cloud Adoption Will Increase Financial Liabilities").

Page 2 of 23 Gartner, Inc. | G00293664


■ Compliance — CASBs assist with data residency and compliance with regulations and
standards, as well as identify cloud usage and the risks of specific cloud services. Organizations
still need to prove they can meet internal and external compliance mandates and demonstrate the
five W's of who, what, when, where and why. CASBs also help by controlling access to cloud
services.
■ Data Security — CASBs provide the ability to enforce data-centric security policies to prevent
unwanted activity based on data classification, discovery and user activity monitoring of access
to sensitive data or privilege escalation. Policies are applied through controls, such as audit,
alert, block, quarantine and delete. Several CASBs provide the ability to encrypt/tokenize and
redact content at the field and file level in cloud services. Encryption key management may be
integrated with any on-premises products. Data loss prevention (DLP) features are both natively
included in CASB products, as well as available from on-premises network DLP products via
ICAP integration. Data-centric audit and protection (DCAP) features are also being addressed
natively by some CASBs, as well as traditional on-premises DCAP providers now covering
cloud usage use cases.
■ Threat Protection — CASBs prevent unwanted devices, users and versions of applications
from accessing cloud services by providing adaptive access controls. Other examples in this
category are user and entity behavior analytics (UEBA) for determining anomalous behavior, the
use of threat intelligence, and malware identification. In some cases, CASB providers have their
own analyst teams researching cloud-specific and cloud-native attacks.

CASB technology is available as a SaaS application or on-premises via virtual or physical
appliances, or both using a hybrid combination of on-premises and cloud-based policy enforcement
points. The SaaS form factor is appreciably more popular than the on-premises "flavors" of this
technology, and it is increasingly the preferred option for most use cases. However, the on-premises
versions are meeting specific use cases in which regulatory and/or data sovereignty require an on-
premises answer.

Organizations need to look past CASB providers' "list of supported applications and services,"
because there are (sometimes substantial) differences in the capabilities supported for each specific
cloud service, based on its features, the CASB architecture used and the organization's end-user
computing model. For example, one CASB version's "support for Salesforce or Office 365" can be
markedly different from another's, depending on bring your own device (BYOD) use cases, even
though both "on paper" support these applications. Proxy or API architectures from a CASB have
different abilities to perform different actions, which have various implications for how that provider
delivers the four pillars for a specific cloud service.

Cloud service APIs available to end users in the long term should help obviate the need to intercept
traffic with proxies if they mature not just in breadth and depth, but also in availability and
performance. However, today the maturity level of APIs across cloud service providers is wildly
divergent. Gartner expects leading cloud application and service providers to develop their APIs
significantly during the next two to three years, even if they are not pursuing compliance with an
industry or recommended standard like the Cloud Security Alliance's Open API Charter. APIs will
increasingly deliver more utility, supporting the potential for newer security use cases not yet
thought of. Smaller SaaS providers might never develop useful APIs for visibility and control, so it's
unlikely that the need for proxy capability will ever disappear completely.

Architectural Choices
Initially, the market was segregated between providers that delivered their CASB features via
forward- and/or reverse-proxy modes and others that used API modes exclusively. Increasingly, a
growing number of CASBs offer a choice between the proxy modes of operation and also support
APIs. Gartner refers to this as "multimode CASBs." They give their customers a wider range of
choices in how they can control a larger set of cloud applications (see "Select the Right CASB
Deployment for Your SaaS Security Strategy" for more details on this critical deployment
consideration):

■ Reverse proxy — This can be deployed as a gateway on-premises or as the more popular
method, as SaaS. This is performed by changing the way authentication works by telling the
cloud service that the CASB (not the identity and access management as a service [IDaaS])
solution is the source of authentication. The CASB then passes the authentication onto the
IDaaS provider, but, importantly, leaves the URL as belonging to the CASB and not the cloud
service. This is one way to provide the ability to insert the CASB in front of end users accessing
the SaaS service (with the exception of mobile native apps using certificate pinning) without
having to touch the endpoint's configuration. It also allows for control over key management
and application of cryptography solutions on-premises with no access by a cloud-based CASB
or cloud service provider. With hosted reverse proxy, there may be indirect access to the key
management system and keys/tokens being used in the cloud by the CASB and/or CSP.
■ Forward proxy — This can be deployed in the cloud or on-premises. To steer traffic to it, some
vendors deploy software agents on endpoint devices, push profiles through enterprise mobile
management (EMM), or use other methods like DNS and proxy auto-configuration (PAC) files. It is
the most intrusive deployment method from an end-user computing point of view, as you have
to force traffic to the CASB. Some CASB agents can then actually employ the cryptographic
services. The CASB typically provides encryption-standard-compliant keys/tokens to the
endpoints using asymmetric key distribution techniques or VPN connections. It may use self-
signed digital certificates or supported third parties, or it may provide key management
solutions that are managed by the enterprise.
■ API mode — This leverages the native features of the SaaS service itself by giving the CASB
permission to access the service's API directly. This mode also allows organizations to perform
a number of functions like log telemetry, policy visibility and control, and data security
inspection functions on all data at rest in the cloud application or service. The CASB may offer
on-premises or hosted key management options. API mode makes it possible to take advantage
both of CASB-native data protection features and of a growing number of data protection features
offered by the SaaS provider itself (for example, Salesforce Shield), whereby the provider performs
the encryption/tokenization functions but the end users still control the keys. However, the SaaS
provider still has access to the keys, and data is unencrypted while used by the application. If
the SaaS is hosted by another CSP's infrastructure (for example, Amazon, Microsoft), it is
available in the memory of the IaaS provider and may not meet strict data residency or
compliance requirements (see Figure 1 and Table 1).
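The reverse-proxy mechanism described above (the CASB keeps the URL as its own and rewrites the cloud service's links on the way back) and the hard-coded-URL limitation noted for mobile native apps, as an added example that is not from this report or any vendor's product; the two host names are constructed placeholders:

```python
"""Reverse-proxy URL rewriting as a CASB performs it (constructed example).

The CASB answers on its own host name, forwards requests to the SaaS, and rewrites
every absolute SaaS URL in what comes back (redirect headers, HTML and JSON bodies)
so the browser keeps talking to the CASB. A client that never follows those rewritten
URLs, such as a native mobile app with a hard-coded SaaS host, is not in the CASB's
data path at all, which is the visibility gap the reverse-proxy mode has.
"""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

SAAS_HOST = "crm.example-saas.com"  # placeholder for the cloud service's host
CASB_HOST = "crm.example-casb.net"  # placeholder for the CASB's own host name


def rewrite_url(url: str, saas_host: str = SAAS_HOST, casb_host: str = CASB_HOST) -> str:
    """Return url with the SaaS host swapped for the CASB host; other hosts are untouched."""
    parts = urlsplit(url)
    if parts.netloc.lower() != saas_host:
        return url
    return urlunsplit((parts.scheme, casb_host, parts.path, parts.query, parts.fragment))


def rewrite_body(body: str, saas_host: str = SAAS_HOST, casb_host: str = CASB_HOST) -> str:
    """Rewrite absolute SaaS URLs inside an HTML or JSON body.

    The lookahead requires the host to end at a URL delimiter, so a longer host that
    merely starts with the SaaS host (crm.example-saas.com.example.org) is left alone.
    """
    pattern = re.compile(
        r"(https?://)" + re.escape(saas_host) + r"""(?=[/"'<>\s?#]|$)""", re.IGNORECASE
    )
    return pattern.sub(lambda m: m.group(1) + casb_host, body)


def rewrite_response(
    status: int, headers: Dict[str, str], body: str
) -> Tuple[int, Dict[str, str], str]:
    """Rewrite one SaaS response before it is handed back to the browser."""
    new_headers = dict(headers)
    if "Location" in new_headers:  # redirects must keep the client on the CASB
        new_headers["Location"] = rewrite_url(new_headers["Location"])
    if new_headers.get("Content-Type", "").startswith(("text/html", "application/json")):
        body = rewrite_body(body)
    return status, new_headers, body


def request_is_brokered(request_host: str, casb_host: str = CASB_HOST) -> bool:
    """True if the client addressed the CASB, False if it went straight to the SaaS.

    A native app that pins its certificate and carries a hard-coded SaaS host ends up
    in the second case: the reverse proxy never sees that traffic, so policy, DLP and
    logging do not apply to it (the gap Table 1 lists against reverse proxy).
    """
    return request_host.lower() == casb_host


if __name__ == "__main__":
    _, hdrs, html = rewrite_response(
        302,
        {"Location": "https://crm.example-saas.com/home", "Content-Type": "text/html"},
        '<a href="https://crm.example-saas.com/reports">Reports</a>',
    )
    print(hdrs["Location"], html)
    print("browser via CASB:", request_is_brokered("crm.example-casb.net"))
    print("pinned mobile app:", request_is_brokered("crm.example-saas.com"))
```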



Table 1. Pros and Cons of CASB Deployment Modes

Reverse Proxy

Advantages
■ Personal data privacy concerns addressed, as not all traffic goes through the CASB
■ Transport-layer security can require certificate rewriting
■ BYOD scenarios are addressed without making configuration changes on endpoint
■ Existing SWG deployment can be used to redirect traffic to the CASB via proxy chaining

Disadvantages
■ Risk from unsanctioned SaaS app usage is not addressed
■ Transport-layer encryption (e.g., SSL/TLS) is hard to handle due to reverse-proxy architecture
■ URLs are rewritten with reverse-proxy method; this makes it hard to enforce for mobile SaaS apps
that use hard-coded URLs
■ CASB becomes single point of failure, making the SaaS usage vulnerable to DDoS risk and latency

Forward Proxy

Advantages
■ All traffic from managed devices goes through the CASB, giving IT more visibility into
unsanctioned SaaS usage
■ Covers RESTful and JSON-based access
■ Transport-layer encryption is handled reasonably well due to forward-proxy architecture

Disadvantages
■ Personal data privacy concerns exist because all traffic from managed endpoints goes through the
CASB
■ CASB becomes single point of failure, making the SaaS usage vulnerable to DDoS risk and latency
■ Hard to address BYOD scenarios and unmanaged devices in general

API Mode

Advantages
■ IT can gain granular visibility into user behavior in the SaaS application
■ Can be used in a complementary manner with the proxy approaches
■ Nonintrusive solution that is not in the data path of the SaaS application
■ Allows for content-based controls for activities involving data that has already been uploaded to
the cloud
■ Provides reliable information on what data is in the cloud, permissions associated with that data,
and activity logs of all activity by both administrators and users
■ Supports BYOD scenarios

Disadvantages
■ Not all SaaS applications offer API support and, of those that do, capabilities differ across
providers
■ SaaS applications that do have APIs may not yet support a full feature set for implementing CASB
features
■ For some SaaS applications, a hybrid approach (API plus gateway) may be needed for some CASB
features, for example, encryption and tokenization

SSL: Secure Sockets Layer; TLS: Transport Layer Security; DDoS: distributed denial of service.

Source: Gartner (October 2016)



Figure 1. Logical Overview of CASBs

Source: Gartner (October 2016)

Enterprise Integration
CASBs provide a number of critical points of integration with an existing enterprise security
infrastructure. These integration points play an important role in preventing enterprise security
delivery from becoming yet another silo. CASB integration points cover identity and access
management (IAM) and IDaaS, reuse of existing DLP security policies for the cloud, integration with
on-premises encryption key management, and event integration with technologies such as security
information and event management (SIEM) for a single view of an organization's security telemetry.
Additionally, they support a number of existing security processes, like incident response and
compliance. CASBs themselves also offer APIs that can be used by enterprises to take advantage
of automation and integration opportunities, and to instrument and integrate them with other
enterprise management tools.



Cross-Over Technologies in CASB
Although CASBs deliver a number of net-new features to the security technology landscape, they
are also delivering features that have been found historically in other technology silos or solution
sets. Primarily, these come in the form of access control, tokenization, encryption, data loss
prevention and analytics. In some areas, like DLP and UEBA, the capabilities available in CASB do
not fully match those of best-of-breed vendors in those markets, but they are still often sufficient for
many organizations.

Enterprises must not treat data used in cloud SaaS applications in isolation from on-premises data
environments. There is a critical need to establish enterprisewide data security policies and controls
based on data security governance processes.

Security Analytics and UEBA
A number of CASBs employ advanced analytics, using techniques such as machine learning and
anomaly detection, to analyze user interactions with cloud services to identify malicious or
anomalous behavior. Scalability of analytics is efficiently supported in the cloud, due to its ability to
scale horizontally to enable high ingest rates and timely responses. CASBs are using this scalability
as an advantage in delivering outcomes that monitor dozens of attributes (such as cloud service,
field, file, object, user, location, device and action requested) against behavior and usage patterns.
This gives CASBs the ability to perform sophisticated threat and misuse detection, which then
enables blocking options at the user, object and device level (or combinations of all of these). This
clearly shows another approach embedded in CASB platforms to perform security analytics and
embedded UEBA (see "Market Guide for User and Entity Behavior Analytics"). Several on-premises
UEBA vendors are also extending their UEBA solutions to the cloud via APIs, for example, Saviynt
and Gurucul.
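The baseline-and-deviation analytics described above, scoring each cloud activity event on the attributes the text lists (user, location, device, action, object) and on download volume, as an added example that is not from this report or any vendor's product; the activity log is constructed:

```python
"""Per-user baseline and deviation scoring over cloud activity events.

Constructed example, not any product's analytics: the log is made up in a CASB-style
activity format. History trains a baseline per user (countries, devices, most downloads
seen in one window); later events are scored on location, device, action and volume.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: datetime
    user: str
    service: str
    action: str
    obj: str
    country: str
    device: str


@dataclass
class Baseline:
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    max_downloads_per_window: int = 0


# Constructed sample: timestamp user service action object country device
LOG = """\
2016-10-03T08:05:00 alice box download q3-forecast.xlsx DE managed-laptop
2016-10-03T09:12:00 alice box upload notes.docx DE managed-laptop
2016-10-04T10:02:00 alice box download budget.xlsx DE managed-laptop
2016-10-05T07:55:00 bob salesforce view acct-1001 US managed-laptop
2016-10-06T08:10:00 alice box view roadmap.pptx DE managed-laptop
2016-10-07T02:14:00 alice box download budget.xlsx BR unknown-android
2016-10-07T02:15:00 alice box download q3-forecast.xlsx BR unknown-android
2016-10-07T02:15:30 alice box download roadmap.pptx BR unknown-android
2016-10-07T02:16:00 alice box download hr-salaries.xlsx BR unknown-android
2016-10-07T02:17:00 alice box download m-and-a.docx BR unknown-android
2016-10-07T09:00:00 bob salesforce view acct-1003 US managed-laptop
"""
LEARN_UNTIL = datetime(2016, 10, 7)  # events before this train the baseline
WINDOW = timedelta(minutes=10)       # sliding window for download volume


def parse(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, service, action, obj, country, device = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, service, action, obj, country, device))
    return sorted(events, key=lambda e: e.ts)


def downloads_in_window(events: List[Event], end: datetime, window: timedelta) -> int:
    """Downloads among events whose timestamp lies in (end - window, end]."""
    return sum(1 for e in events if e.action == "download" and end - window < e.ts <= end)


def build_baseline(history: List[Event], window: timedelta) -> Dict[str, Baseline]:
    baseline: Dict[str, Baseline] = defaultdict(Baseline)
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in history:
        baseline[e.user].countries.add(e.country)
        baseline[e.user].devices.add(e.device)
        by_user[e.user].append(e)
    for user, evs in by_user.items():  # busiest download window ever seen per user
        for e in evs:
            if e.action == "download":
                n = downloads_in_window(evs, e.ts, window)
                baseline[user].max_downloads_per_window = max(baseline[user].max_downloads_per_window, n)
    return dict(baseline)


def score_event(e: Event, b: Baseline, recent: List[Event], window: timedelta) -> List[str]:
    """Reasons this event deviates from the user's baseline; an empty list means normal."""
    reasons = []
    if e.country not in b.countries:
        reasons.append("new_country")
    if e.device not in b.devices:
        reasons.append("new_device")
    if e.action == "download":
        n = downloads_in_window(recent, e.ts, window)
        if n > b.max_downloads_per_window:
            reasons.append(f"download_burst:{n}")
    return reasons


def detect(events: List[Event], learn_until: datetime, window: timedelta) -> List[Tuple[Event, List[str]]]:
    baseline = build_baseline([e for e in events if e.ts < learn_until], window)
    recent: Dict[str, List[Event]] = defaultdict(list)
    alerts = []
    for e in events:
        if e.ts < learn_until:
            continue
        recent[e.user].append(e)
        b = baseline.get(e.user, Baseline())  # unknown user: everything about them is new
        reasons = score_event(e, b, recent[e.user], window)
        if reasons:
            alerts.append((e, reasons))
    return alerts


def run_demo() -> List[Tuple[Event, List[str]]]:
    """Score the constructed log; each alert carries the deviating attributes."""
    return detect(parse(LOG), LEARN_UNTIL, WINDOW)
```

Each alert keeps the full event, so the blocking decision the text mentions can be taken per user, object or device rather than for the whole service.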

DLP and DCAP
Many CASBs provide data classification and discovery capabilities with built-in policy templates, as
well as document controls, such as fingerprinting and watermarking, which are merging capabilities
from both DLP and DCAP (see "Market Guide for Data-Centric Audit and Protection")
methodologies. Policies can enable automatic blocking, quarantining, encryption/tokenization, and
so on, before data is loaded into a SaaS, or as a forensic capability after the fact. Some SaaS
applications are beginning to offer DLP-like functionality. Several CASB products, via their own DLP
engines, can also integrate directly with enterprise DLP products through APIs to ensure policy
uniformity between on-premises network DLP and CASB DLP policies (see "Overcome the
Limitations of DLP for Mobile Devices"). CASBs do this regardless of whether the cloud service has
these capabilities via proxies and/or the use of APIs.

In addition, cloud applications and service providers are also building DLP functionality into the
application or service itself. One example is Microsoft adding DLP to multiple areas of the Office
365 platform (see "Data Loss Prevention in Microsoft Office 365"). An advantage of a CASB over
native DLP capabilities is consistency — for example, one can apply a set of common DLP policies
that extends to multiple services and even multiple providers, reducing the overall time required for
developing and enforcing policies.



Encryption and Tokenization
CASBs can provide a single common control point for encryption and tokenization for cloud
applications and services. This reinforces the need to understand the level of data security provided
in context with potential trade-offs in functionality and compliance. A number of providers offer the
ability to encrypt file objects now. Relatively few offer the ability to encrypt and/or tokenize data at
the field level in a wide range of SaaS applications. However, functionality provided by the target
SaaS will be affected unless the vendor offers API mode. It is also important to note that the
selection of a particular mode of operation has an effect on the cryptography and data security
mechanisms available.

The selection of particular cryptographic algorithms and key management will also affect the level of
data security provided as a direct trade-off to functionality that has been enabled. For structured
data types, it may still be possible to achieve search and sort, even if the fields are encrypted or
tokenized, but other SaaS functions will be lost. For unstructured files that are encrypted through a
proxy, search and document preview functionality will be lost.

Additionally, the choice of encryption algorithm or tokenization method applied may affect the ability
to achieve compliance, because preserving SaaS functionality may have been traded off against the
strength of cryptography — for example, by weakening the algorithm, adding external metadata or
creating cached copies of indexes. The use of cloud-based key management solutions raises the
potential that application administrators, who often aren't members of the security team or even
the IT team, can access the encryption keys/tokens in "the clear" (unencrypted) state.
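The functionality-versus-strength trade-off described in the two paragraphs above (field-level tokens that keep SaaS search and sort working only by revealing something about the value), as an added example that is not from this report or any vendor's product; the key, values and token formats are constructed:

```python
"""Field-level tokenization trade-offs (constructed example, not any vendor's scheme).

A proxy-mode CASB replaces a sensitive field with a token before the record reaches the
SaaS and maps it back on the way out, so the SaaS only ever stores tokens. A SaaS
function that depends on the field (exact-match search, sort) then works only if the
token scheme preserves that property, and each preserved property weakens protection.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

KEY = b"constructed-demo-key-not-for-real-use"  # would live in on-premises key management


class TokenVault:
    MODES = ("random", "deterministic", "order_preserving")

    def __init__(self, key: bytes, mode: str):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.key = key
        self.mode = mode
        self.to_plain: Dict[str, str] = {}  # token -> value; never leaves the enterprise

    def _mac(self, value: str) -> int:
        return int(hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest(), 16)

    def tokenize(self, value: str) -> str:
        if self.mode == "random":
            # Fresh token per occurrence: the SaaS cannot even tell that two records
            # hold the same value, so SaaS-side search on this field is gone.
            token = "tk_" + secrets.token_hex(8)
        elif self.mode == "deterministic":
            # Same value, same token: SaaS exact-match search and de-duplication keep
            # working. Equality of values is revealed; ordering and substrings are not.
            token = "tk_" + format(self._mac(value), "x").zfill(64)[:16]
        else:
            # Order-preserving for integer fields: value * 100 plus keyed noise below
            # 100. Sorting tokens sorts values, so SaaS sort and range features keep
            # working, but token // 100 is the value itself: functionality bought
            # with secrecy, the "weakening the algorithm" case in the text.
            token = "tk_" + str(int(value) * 100 + self._mac(value) % 100).zfill(12)
        self.to_plain[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self.to_plain[token]


# What the SaaS can do with the stored field: it sees tokens only.
def saas_exact_search(stored: List[str], probe: str) -> List[int]:
    return [i for i, t in enumerate(stored) if t == probe]


def saas_sort(stored: List[str]) -> List[str]:
    return sorted(stored)


def preserved_features(mode: str, values: List[str]) -> Dict[str, bool]:
    """Which SaaS features survive tokenization of an integer field under a given mode."""
    vault = TokenVault(KEY, mode)
    stored = [vault.tokenize(v) for v in values]
    # Exact match: the CASB tokenizes the search term and forwards the token.
    hits = saas_exact_search(stored, vault.tokenize(values[0]))
    exact_ok = hits == [i for i, v in enumerate(values) if v == values[0]]
    # Sort: the SaaS sorts tokens, the CASB maps the result back on the way out.
    sort_ok = [int(vault.detokenize(t)) for t in saas_sort(stored)] == sorted(int(v) for v in values)
    # Round trip always works: the vault, not the SaaS, holds the mapping.
    roundtrip_ok = [vault.detokenize(t) for t in stored] == values
    return {"exact_match": exact_ok, "sort": sort_ok, "roundtrip": roundtrip_ok}


def leaked_value(token: str) -> int:
    """What an order-preserving token reveals to anyone who sees it, without the key."""
    return int(token[3:]) // 100
```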

Market Direction
The CASB market has evolved quickly from its gestation period in 2012. Although most of the
providers are still startups running off venture capital funding, the market is suddenly looking as if it
will mature rapidly. Gartner sees signs of three movements in this market:

■ Continued consolidations via acquisitions
■ Go-to-market partnerships with CASB providers from established vendors
■ CASB feature delivery from vendors expanding features organically or with new product
releases

Some notable events that align with these market evolution trends include:

■ Oracle acquired Palerra (September 2016)
■ Symantec acquired Blue Coat (June 2016), which includes Elastica and Perspecsys
■ Cisco acquired CloudLock (June 2016)
■ Imperva announced CounterBreach — an integrated DCAP behavior analytics product
integrating its Skyfence CASB and on-premises SecureSphere products (March 2016)



■ Check Point partnership with FireLayers (October 2015)
■ IBM's entry into the CASB market (September 2015)
■ Microsoft acquisition of Adallom (September 2015) and the launch of Microsoft Cloud App
Security (general availability April 2016)
■ Deloitte's partnership with Bitglass (September 2015)
■ Imperva's partnership with Forcepoint (then Websense) (July 2015)
■ Blue Coat's acquisition of both Perspecsys (July 2015) and Elastica (November 2015)
■ Palo Alto Networks' acquisition of CirroSecure (April 2015)
■ Cisco's reseller arrangement with Elastica (May 2015)
■ HP's partnership with Adallom (April 2015)
■ Akamai's investment in FireLayers (2014)
■ Imperva's acquisition of Skyfence (April 2014)
■ Centrify's partnership with Elastica (February 2014)

In last year's Market Guide, we called out the possibility of the SWG, IDaaS and CASB intersecting,
as well as other cloud services combining like DDoS, WAF and CASB. This now looks increasingly
unlikely, and Gartner believes that CASB is now a market in its own right. The focus and
postacquisition strategies of larger acquiring vendors, as well as those remaining pure players, are
now showing that convergence is less likely. Additionally, CASB is also now further pivoting to cover
IaaS and some PaaS services, moving it away from markets like SWG.

The merger and acquisition activities will be an interesting area of development, as providers that
have been acquired to date now have significantly improved routes to market with larger sales
forces and channels, as well as funding for roadmap expansion. This is likely to shake up the market
landscape and, in some cases, will inhibit the growth of smaller, still venture capital (VC)-backed
CASBs that haven't yet established a beachhead in the market.

Additionally, the intersection of CASBs with data security markets (such as encryption, DLP and
DCAP) is also driving the evolution toward solutions that protect data wherever it resides within the
enterprise — in the cloud, on-premises and on the endpoint.

The CASB feature set described by the four pillars in existing Gartner research will remain as
compelling features for the foreseeable future, regardless of provider consolidation or product
feature set merging. These blended offerings will also begin to present a different value proposition
of having SWG/IDaaS/CASB from the same provider. Regardless of any consolidation, IT security
leaders will still demand competitive feature sets, leaving room for pure-play vendors to continue to
lead the market.

CASB capabilities are more mature and targeted for SaaS than for IaaS and PaaS today. Gartner
expects CASB vendors to evolve their coverage across the four pillars for IaaS and PaaS in the
coming 12- to 24-month period, while improving coverage for other applications, such as business
intelligence (BI) and industry-specific (for example, healthcare) SaaS applications. However, there
will be a "line in the sand" for CASB in relation to IaaS and the large array of public cloud-native and
third-party security solutions. Gartner does not expect CASB to enter the virtual machine (VM) or
container markets (see "Market Guide for Cloud Workload Protection Platforms"). However, CASBs
will leverage IaaS APIs for a range of security use cases regarding governance, risk reporting and
configuration monitoring.

Market Analysis
A large amount of VC funding, many hundreds of millions now, fueled the initial growth of CASBs.
Recent acquisitions by large vendors are showing how the market is maturing, and startups are now
being acquired to take their place as part of bigger vendors' portfolios. Other vendors in adjacent
markets (like IDaaS and EMM) are also starting to partner with these CASB providers. CASBs could
also be drivers for vendors in adjacent markets to enter the fray with further acquisitions — for
example, enterprise mobility management, secure web gateway, firewall or other vendors who want
to, or are already, delivering cloud security.

One thing that has become clear, though, is that there are two parts to "cloud security." There is
"delivering security from the cloud." Examples are existing technologies like email and web filtering
being delivered from the cloud and, more recently, we see examples of firewalls moving to be
delivered that way. The second is "securing access to cloud services." This is where capabilities like
CASB and IDaaS come into play. These are similar — different sides of the same coin perhaps —
but fundamentally different in their approaches and in problems being addressed for end users.

Gartner sees three macro IT trends driving the expansion and maturation of the CASB market:

■ Enterprises' move to adopt BYO traditional PC and non-PC form factors, and increased usage
from unmanaged device access: The massive enterprise adoption of tablets and
smartphones for core business processes creates security risks that can be mitigated effectively
with the assistance of a CASB. In addition, there is an increase in BYOPCs by employees, as
well as business partners who are also accessing your data inside cloud services. The average
enterprise end user is spending significantly more "screen time" on these non-PC form factors,
and CASB helps secure the cloud service side of this equation.
■ The enterprise moves to cloud services: This is significantly accelerating, with SaaS being
approximately 1.5 times bigger than IaaS in spending (see "Forecast: Public Cloud Services,
Worldwide, 2014-2020, 2Q16 Update"). This is driving the need to have security technology
capable of providing similar security capabilities to what you have now, but for this different
model of computing. Significant amounts of spending and computing will aggregate around
cloud service providers. This affects on-premises-based technology in the long term, including
the security software and appliance markets.
■ Heavy cloud investments by vendors: Most large enterprise software providers, such as
Oracle, IBM, Microsoft and SAP, are now heavily invested in cloud, and are actively
driving their large client bases to use their cloud services versus their on-premises versions. The
enterprise software upgrade cycle will organically lead enterprises to the cloud as a natural
evolution. Enterprise security teams will need CASB-like features to deal with the security
implications of that evolution.

The forces of cloud and mobility fundamentally change how "packets" (and the transactions and
data they represent) move between users and applications. This causes a need to adjust the list and
the priorities of investment in security controls for any organization that is consuming cloud
services.

However, the climate for cloud is showing geographical differences (see "Survey Analysis:
Geographic Differences Among Buyers — Cloud Services Planning, Adoption and Strategy, 2015").
Although the U.S. is consuming the most cloud services today, parts of Latin America and the Asia/
Pacific region have the highest percentage of end users expecting to significantly increase their
cloud spending. CASBs will always tightly follow geographical and organization-specific cloud
adoption patterns, which require cloud usage to exist (or be planned) prior to CASB adoption.

Some SaaS vendors — Microsoft is a prime example — discourage the placement of certain
products like proxies, caches and WAN optimizers "in front of" their applications. The worry is that
performance or availability issues lying entirely within the other product will be perceived as issues
with the cloud service itself. Don't let this dissuade you from evaluating and deploying a CASB.
SaaS vendors can't place restrictions on how their customers consume their services. Instead, they
need to make sure that they present a range of APIs that support enterprise integration and security
use cases. Additionally, they need to have better performance and availability SLAs for their API
gateways. These two things will help negate the need for having to place proxies in front of their
services. Also, realize that troubleshooting any issues will require you to include the CASB in your
investigations. In a number of cases, CASBs can help this troubleshooting process, rather than
hinder it.

Representative Vendors
The vendors listed in this Market Guide do not represent an exhaustive list. This section is intended
to provide more understanding of the market and its offerings. It is not, nor is it intended to be, a list
of all vendors or offerings on the market. It is not, nor is it intended to be, a competitive analysis of
the vendors discussed.

Bitglass
Bitglass was founded in January 2013 and has been shipping a CASB product since January 2014.
Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering,
such as remote wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML)
proxy, providing basic MDM and IDaaS capabilities. It also integrates several data security policy
capabilities, in addition to integrating with some DLP vendor solutions. With a focus on sensitive
data discovery, classification and protection, it also includes several document management
protection capabilities, such as watermarking and encryption methods that support search and sort.
It uses an agentless Ajax-VM technology within the user's browser to support real-time data
protection in specific scenarios, including unmanaged devices. Bitglass provides cloud application
and breach discovery, and a limited SaaS security posture assessment database. Bitglass is a
multimode CASB, with the addition of API support on top of forward- and reverse-proxy modes
originally delivered. Bitglass can be consumed as SaaS or deployed on-premises, and, in either
case, the Key Management Interoperability Protocol (KMIP) interfaces for encryption keys are
supported.

CensorNet
CensorNet was founded in February 2007 and has been shipping a CASB product since April 2015.
CensorNet is one of the newer entrants into the CASB market, and its CASB offering complements
its existing email and web security products. It also recently acquired a two-factor authentication
company (SMS Passcode) to complement its product portfolio. Based on its existing SWG platform,
CensorNet is already positioned to capture traffic and see the flow of data to and from SaaS
applications. Like most SWGs, CensorNet is based on a forward-proxy architecture, using on-premises
physical/virtual appliances; it now also offers a cloud-delivered option and supports deployment of
the technology in the cloud. The initial offering is focused on visibility and
SaaS application user and policy control, and has improved in the past year to deliver more
capabilities to a larger number of cloud services.

CipherCloud
CipherCloud was founded in October 2010 and has been shipping a CASB product since March
2011. CipherCloud was an early entrant in the CASB market, with an initial focus on the encryption
and tokenization of data in popular enterprise cloud services, like Salesforce. Its most popular
deployment is software or virtual on-premises appliance(s) that encrypt/decrypt content before it
enters a cloud service to maintain complete data sovereignty for an organization within the end
users' data centers. A hosted option is also available. CipherCloud is well-known for this use case
and can integrate with on-premises key management, DLP and DCAP solutions. It has expanded its
data protection capabilities to cover a broader range of structured and unstructured data within
SaaS applications.

CipherCloud also supports content and user activity monitoring, cloud discovery and SaaS security
posture assessment. CipherCloud uses a primary implementation model based on a reverse-proxy
model for Salesforce and other popular services. It also supports forward-proxy implementations,
for example, with SAP, along with API support for other services. Although it is most often deployed
on-premises, it is available in the cloud with the cloud-based service providing API-only integration
with a range of services. The capabilities of the multitenanted cloud service differ from those of the
traditional software- and appliance-based solution, and the two have different management
interfaces.

Cisco CloudLock
CloudLock was founded in January 2011 and has been shipping a CASB product since October 2013;
it was acquired by Cisco in June 2016.
Cisco CloudLock is one of the more successful CASBs, with a large client base, and it uses an API-
only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS), in
addition to providing its own API framework that other independent software vendors (ISVs) can
integrate into their own cloud services. The company also ingests log files from a range of existing
firewall and proxy providers. CloudLock delivers a wide range of use-case features, such as UEBA
for improved threat detection, malware detection, DLP, and data protection for compliance,
forensics and security operations. Its protection of structured and unstructured data leverages its
API control of native encryption provided by SaaS services that support it. CloudLock can also
leverage other APIs in existing technologies like firewalls, SIEM and other technologies that enable
levels of two-way signaling.

CloudLock also uses its end users to help "crowdsource" ratings, risky or otherwise, for a large
number of cloud services. This community trust rating also enables end users to see a service's
current rating and why it has been blocked from use at an organization. CloudLock supports
homegrown and marketplace applications built on public IaaS or PaaS, such as Amazon Web
Services (AWS) and Force.com, by allowing customers to embed their software development kit
(SDK) into their own applications via APIs. The company launched an integration with Cisco's
FirePOWER product in August and released an integration with Cisco's OpenDNS cloud security
offering in early October.

FireLayers
FireLayers was founded in November 2013 and has been shipping a CASB product since April
2014. FireLayers is a multimode CASB delivering API, forward and reverse proxy, plus a SAML
gateway. It provides cloud application discovery, but not SaaS service security posture
assessments. Instead, it focuses on threat protection, behavior analytics, contextual access control
and detailed activity monitoring (with a focus on privileged account monitoring) for supported SaaS
applications and some IaaS services. It is also improving its email inspection capabilities for Office
365 to include phishing, encryption, URL and file inspection.

FireLayers can also interject user-session-centric authentication methods like two-factor
authentication (2FA), SMS and captcha for actions in cloud applications in which the cloud service
itself either doesn't support 2FA or doesn't support the granular use of 2FA for certain high-risk user
and administrative actions. This allows for the ability to have dynamic trust levels, where step-up
authentication can be required to perform sensitive data access or on the detection of a suspicious
session. FireLayers delivers its CASB services from AWS or on-premises with a virtual appliance.

In late October 2016, Proofpoint announced its intention to acquire FireLayers.

Imperva
Imperva was founded in November 2002 and has been shipping a CASB product since January
2014, when it acquired Skyfence. Imperva's vision is to provide full visibility and protection of data
for databases, websites, file shares, SharePoint or in SaaS applications. Imperva focuses on
providing detailed user activity monitoring, cloud DLP, access control and threat protection.
Imperva's CASB, called Imperva Skyfence Cloud Gateway, is provisioned as SaaS within its existing
Incapsula cloud offering for DDoS protection, WAF and content delivery network (CDN). It can also now
leverage its threat intelligence service, ThreatRadar. An on-premises physical or virtual version is
also available. Imperva's primary implementation model is API and/or reverse proxy, which is a good
fit with the expertise Imperva developed with its WAF (see "Magic Quadrant for Web Application
Firewalls"). Imperva also intends to use this technology for the coverage of internally developed
SaaS applications on top of publicly available SaaS services as an integral component of its DCAP
offering. To further leverage its CASB, Imperva has launched a new breach detection product called
CounterBreach, which uses behavior analytics on the outputs from Skyfence and SecureSphere
(on-premises), as well as deception methods to identify unwanted activity.

Microsoft (Adallom)
In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping
since early 2013. This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and
added new capabilities to Office 365. Developed from Adallom's technology, Microsoft Cloud App
Security (MCAS) today is an API-only CASB that emphasizes three capabilities: discovery, data
control and threat protection. The roadmap plan is to return proxy capabilities to MCAS this
year. By analyzing logs from firewalls and proxy servers, MCAS generates reports showing
which SaaS applications an organization is using, helps identify anomalous activity and can rank the
risk of SaaS applications according to 60 attributes. MCAS offers control over sanctioned SaaS
applications via predefined and custom policies. Policies can include DLP, but not in real time, as
MCAS (in its current incarnation) has no proxy mode. MCAS observes how users interact with SaaS
applications and can detect risky or abnormal behavior that indicates possible attack.

For all new customers, MCAS is delivered as SaaS from Azure data centers. No endpoint agents or
on-premises editions are available. With the exception of DLP, certain Office 365 subscriptions
include a subset of MCAS capabilities called Office 365 Advanced Security Management, designed
to protect an Office 365 tenant only (not other SaaS applications).

Netskope
Netskope was founded in October 2012 and has been shipping a CASB product since October
2013. Netskope was one of the early CASB providers that emphasized cloud application discovery
and SaaS security posture assessments as an initial use case for CASB adoption. It has developed
deep visibility into user actions, including user behavior analytics, within managed and unmanaged
SaaS applications, including extensive user activity monitoring and DLP/DCAP capabilities. This
also includes integration with on-premises DLP systems via ICAP. Netskope is one of the few
CASBs that deploy and run their own distributed proxy fabric and don't rely on an IaaS provider like
Amazon for their offering.

Netskope's primary implementation model is forward proxy (with or without agents, depending on
the use case required) or forward-proxy chaining. It added support for reverse-proxy capabilities in
2014 and already supported APIs. Netskope's agents allow for the monitoring and control of native
mobile applications and sync clients, and file-level encryption. It has further expanded its threat
protection features by adding native in-line and API-based inspection of content for malware.

Palerra
Palerra was founded in July 2013 and has been shipping a CASB product since January 2015. In
September 2016, Oracle announced its intention to acquire Palerra. Palerra takes an API-based
approach to CASB and covers SaaS, PaaS and IaaS services. Palerra offers two products: Loric
Discovery for shadow IT and Loric for sanctioned cloud apps. Loric Discovery provides visibility on
SaaS applications by analyzing logs for cloud service activity, as well as identifying risky
applications installed from Salesforce's AppExchange plus custom apps running on PaaS. Loric for
sanctioned cloud apps addresses use cases such as security monitoring, threat protection and
incident response.

The user behavior analytics features in Loric incorporate analytics from access and in-application
activity, support for threat intelligence feeds, and custom enterprise threat modeling to assist with
threat detection. Incident response includes case management, multilevel alerting and notification,
and support for external ticketing systems with orchestration for consent-driven remediation.
Palerra also delivers features that allow organizations to control the configuration of SaaS and other
cloud service policies centrally from one location (SaaS platform security management [SPSM]).
Palerra is currently delivered from a global multiregion data center backbone as SaaS, or available
as a dedicated cloud-based appliance.

Palo Alto Networks
Palo Alto Networks was founded in 2005 and has been shipping a CASB product since September
2015. In May 2015, Palo Alto Networks acquired CirroSecure, an API-only CASB provider focused on
discovery, SaaS policy and security management; the product is now called Aperture. Palo Alto
Networks had already been delivering cloud application discovery capabilities to its customers for
some time, so expanding its visibility using APIs is an extension of its cloud protection strategy for
users who are either on- or off-premises, as well as where BYOD is in use. The
API augmentation of Aperture is critical, as some data flows are not visible to Palo Alto Networks'
appliances without the forced use of a VPN or routing to the physical or virtual appliances,
especially data at rest within a cloud service. Today, with this architecture, you are required to run
Palo Alto's firewall(s) as part of the mix to deliver CASB-like features that include interception of
traffic. Aperture will also provide additional field- and file-level object visibility into cloud services, on
top of what is available from its existing product range for cloud services. These include content
scanning, WildFire malware detection, remediation, analytics, risk identification and reporting.

Skyhigh Networks
Skyhigh Networks was founded in December 2011 and has been shipping a CASB product since
January 2013. Skyhigh was one of the first CASB providers to emphasize the shadow IT problem,
backed by a large cloud service discovery database; cloud service security posture and risk
assessment was an initial, and still critical, use case for CASB technology. It has built a large installed
base with its multimode CASB that supports the control of a broad range of cloud services. It has
since expanded further into data security with DLP/DCAP features, such as encryption and
tokenization of structured and unstructured data for a number of SaaS applications such as
Salesforce and Office 365. Skyhigh is continuing to improve its security analytics with user activity
analytics and monitoring (that is, UEBA) capabilities.

Skyhigh uses a primary implementation model of a reverse proxy and APIs, as well as supporting
forward-proxy implementations. It uses a deployment model of distributed proxies running in
multiple cloud providers worldwide, as well as support for an on-premises virtual appliance. It has
also achieved FedRAMP certification.

Symantec (Blue Coat)
Symantec acquired Blue Coat in June 2016, and one of the motivations for the acquisition was Blue
Coat's CASB assets. Blue Coat, best known for its Secure Web Gateway offering, has been
shipping a CASB product since July 2015, with the acquisition of Perspecsys and, subsequently,
Elastica. Perspecsys was an early entrant into the CASB market, with a focus on data residency and
protection with the tokenization and encryption of data in various SaaS services. It offers its own
proprietary tokenization methods and has a model to offer integration with an enterprise's chosen
encryption suite, which may already be deployed on-premises. When encryption is used, it is most
frequently deployed with encryption products from Symantec, HPE's Voltage, Gemalto SafeNet and
the Java AES-256 module.

The 2015 Elastica acquisition is best known for providing Blue Coat with its data science, machine
learning and deep content inspection with DLP features. Application discovery is performed via
access to logs and cloud application usage. This allows for cloud service assessment ratings, cloud
usage analytics, user behavior analytics, malware analysis, remediation actions and reporting.
Combined, Symantec offers a complete multimode CASB platform with optional data encryption/
tokenization using the Perspecsys technology. It has already integrated its cloud application
discovery and security posture assessment capabilities into its traditional Blue Coat management
console for its SWG customers, creating an upsell opportunity to its full CASB services. Symantec
has also integrated its existing DLP solution into Blue Coat for consistent sensitive data discovery
and protection policies across on-premises and cloud services. However, this is a different console
and requires separate licensing.

Other CASB Vendors
The following vendors also provide features that offer partial or more complete CASB functionality:

■ Digital Guardian
■ Centraya
■ BetterCloud
■ Eperi
■ Ionic Security
■ IBM
■ StratoKey
■ Protegrity

■ Saviynt
■ SkyFormation
■ Vormetric
■ Vaultive
■ Trend Micro

Market Recommendations
IT security leaders should:

■ Immediately review vendors' cloud, mobile and on-premises enterprise software roadmaps for
the future, so they can gain an understanding of vendors' intentions for cloud and how that is
aligning to the security architecture and budgeting cycle.
■ Facilitate and support the shift of applications and services to the cloud. IT security leaders
should avoid being the "no" team; instead, they should be the "yes we can and here's how"
team.
■ Organize their IDaaS program prior to or during the selection of CASBs, because open-
standards-based IDaaS is a foundational control that will make all cloud service adoption more
efficient and secure.
■ Tactically deploy the entry-level IDaaS capabilities of their CASB to stretch their Active Directory
into the cloud, if a stopgap measure is needed until a more comprehensive IDaaS strategy can
be delivered.
■ Avoid contracts that are longer than two years at this point in time, as features and vendors are
still evolving their offerings.
■ Consider the differences of CASBs that are multimode versus those that are API only, not only
to ensure a successful deployment today, but also to account for future use-case scenarios as
organizations adopt more cloud services.
■ Start with an investigation of what cloud services are being used in their environments in order
to determine how many cloud services must be sanctioned, remediated, controlled, monitored
or blocked.
■ Identify cloud services your organization is running (like Office 365 and Salesforce) that need
treatment immediately, and develop a tactical plan to start applying control to these "known"
cloud services.
■ Establish enterprisewide data security governance policies that prioritize the protection of
sensitive data and establish the appropriate data security controls from a CASB before using a
SaaS.

■ Review whether the security requirements for encryption of particular datasets make the use of
the SaaS unattractive. Encryption and/or tokenization of data outside of the SaaS provider may
affect the functionality of the cloud service (for example, breaking indexing, search and
document preview). The external encryption or tokenization of data may also impact latency
and create a single point of failure for cloud service access.
■ Evaluate usage patterns of sporadically accessed B2B- and B2C-based cloud services and
utilize a CASB to maintain control of these interactions with their organization's data by people
outside their organization.
■ Investigate the ability of internally developed SaaS applications to build in CASB support in the
mix of controls they deploy to help secure that application or service.
■ Look for CASBs that:
  ■ Support the widest range of cloud services that your organization is running today and plan
    to consume in the coming 12 to 18 months.
  ■ Support your organization's end-user computing usage patterns (for example, managed
    versus BYOD).
  ■ Work effectively with existing network topology.
  ■ Allow for a level of cloud adoption that is in line with the business's and the rest of IT's
    cloud strategy by controlling sanctioned cloud services, and that aids in the selection of
    proposed new cloud services that are enterprise-ready.
  ■ Ease the compliance burden for cloud services.
  ■ Support the modes of operation that align with core use cases. For example, an API-only
    CASB could be sufficient or, alternatively, in-line features may need to be deployed when an
    API-only CASB will only partially meet these needs.
  ■ Integrate with existing controls — for example, IAM, web gateway and events going into
    central log management or SIEM.

Additional contributions to this research were provided by Jay Heiser, Ramon Krikken, Steve Riley,
Sid Deshpande and Mark Nicolett.

Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.

"How to Evaluate and Operate a Cloud Access Security Broker"

"Clouds Are Secure: Are You Using Them Securely?"

"Everything You Know About SaaS Security Is Wrong"

"Developing Your SaaS Governance Framework"

"Mind the SaaS Security Gaps"

"Budgeting for the SaaS Security Gap"

"Select the Right CASB Deployment for Your SaaS Security Strategy"

"Technology Overview for Cloud Access Security Broker"

"CASBs Must Not Be Data Security Islands"

"Securing SaaS Using Cloud Access Security Brokers"

"Magic Quadrant for Enterprise File Synchronization and Sharing"

Evidence

Proofpoint to Acquire FireLayers

"Proofpoint Signs Definitive Agreement to Acquire FireLayers, Extending Targeted Attack Protection
(TAP) to SaaS Applications," Yahoo Finance.

Oracle Acquires Palerra

"Oracle Buys Palerra to Boost Its Security Stack," TechCrunch.

Symantec Acquires Blue Coat

"Symantec Acquires Blue Coat: Defining the Future of Cyber Security," Symantec.

Microsoft (Adallom)

"Microsoft to Buy Israeli Cyber Security Firm Adallom: Report," Reuters.

"Microsoft Plans to Buy Israeli Cloud-Security Firm Adallom for $320 Million," The Wall Street
Journal.

"Microsoft Reportedly Acquires Cloud Security Firm Adallom for $320 Million," TNW.

"Microsoft to Buy Adallom for $320M," Seeking Alpha.

Check Point-FireLayers

"FireLayers and Check Point Bring Security to Enterprise Cloud Apps," BetaNews.

Blue Coat (Perspecsys)

"Blue Coat Acquires Perspecsys to Make the Public Cloud Private," Blue Coat.

Imperva Skyfence

"Imperva Skyfence Cloud Gateway," Imperva.

Elastica-Centrify

"Centrify and Elastica Partner to Provide Comprehensive Cloud Security Solution for SaaS
Applications," Elastica.

"Centrify Partners With Elastica for a Comprehensive SaaS Security & Analytics Solution," Centrify.

Elastica-Cisco

"Cisco, Elastica Join Forces on Cloud Security Monitoring," Business Cloud News.

"Elastica Announces Reseller Partnership With Cisco to Deliver Cloud Access Security Broker
(CASB) Solutions to Global Enterprises," Elastica.

Bitglass

"Become a Partner," Bitglass.

Palo Alto Networks (Aperture)

"Palo Alto: Teams Up With Cyber Security Agency of Singapore to Strengthen the Nation's Cyber
Defense," 4-traders.com.

Cloud Security Alliance

"CipherCloud and Cloud Security Alliance Forge Cloud Security Working Group," The Cloud
Security Alliance.

"Open API Working Group," The Cloud Security Alliance.

Note 1 Endpoint-Based Cloud Data Protection Solutions
These vendors, which fall outside the scope of this research, use an endpoint-based approach. This
is typically an agent or browser plug-in, used to gain visibility of traffic to and from cloud-based
SaaS applications and for the protection of cloud data. Most of the vendors focus on SaaS EFSS
applications, such as Box, Dropbox, Microsoft OneDrive and Google Drive. If the primary
requirement for the organization is the protection of data in an EFSS application, these vendors offer
an alternative approach to the mediation-based approach via proxies and APIs of the CASB
platform providers. The following vendors provide solutions in this area:

■ Boxcryptor
■ CenterTools Software
■ CloudCrypt
■ Covata
■ Cryptzone
■ Fasoo
■ nCrypted Cloud
■ Ohanae
■ SearchYourCloud
■ Azure Information Protection (based on the Secure Islands Technologies acquisition)
■ SecureAge Technology
■ Sookasa
■ Sophos
■ Vera
■ PKWARE (Viivo)

Note 2 Cloud Application Discovery
These vendors do not supply CASB platforms, but provide visibility into cloud application usage:

■ DNS solutions like Cisco's OpenDNS, Infoblox, BlueCat
■ Most enterprise firewall vendors
■ Most secure web gateway vendors


© 2016 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see “Guiding Principles on Independence and Objectivity.”
