Cloud Security
Making the Cloud a Safer Place: Cloud Access Security Brokers
Cloud technologies and services have enjoyed dramatic adoption, but security has not always kept up. Steve Armstrong, Regional Director, UK, Ireland and South Africa, Bitglass, looks at how Cloud Access Security Brokers (CASBs) offer a solution
The cloud presents one of today’s biggest IT security challenges. In a world of cloud applications and mobile devices, IT teams must attempt to secure corporate data that resides on third-party servers and travels over third-party networks.
Existing security technologies are not suited to addressing this task, since they were developed to secure the much smaller corporate network perimeter.
As a result, security and compliance concerns have, in some cases, slowed the widespread adoption of cloud applications. In response to the demand for cloud security, Cloud Access Security Brokers (CASBs) have emerged as the solution that goes beyond the network perimeter to deliver total data protection in the cloud, at access and on mobile devices.
What are CASBs?
CASBs are a category of security tools that work by ensuring that network traffic between cloud apps and users complies with an organisation's security policies. CASBs run either on-premises or are cloud-based, and provide a consolidated layer of security features for using the cloud. These include authentication, single sign-on, authorisation, credential mapping, device profiling, encryption and malware detection/prevention.
Early CASBs were largely the industry’s response to the adoption of cloud in the enterprise. This posed new and unexpected challenges to IT departments, mainly around solving the threat of shadow IT. The ability to deliver insights into application use across cloud platforms and identify unsanctioned usage was especially important in regulated industries.
First-generation CASBs: Shedding light on cloud shadows
The need for CASB solutions really became clear when companies like Google and Microsoft started to make significant investments in cloud technology, with the availability of applications like Google Drive and Office 365. At the same time, tools like Dropbox, Box and Salesforce grew in popularity.
This first generation of CASBs solved the problem of shadow IT by providing much-needed visibility into the use of unsanctioned cloud applications, and highlighting exactly where company data was going.
CASB-evolution: API and proxies add more functionality
Whilst early CASBs helped to address the challenge of shadow IT, their functionality was still relatively basic. However, the addition of APIs meant that organisations were not only able to manage their shadow IT problem - but they could also receive alerts on sensitive data moving outside the corporate network.
Sounds great, right? Unfortunately, these solutions, based upon APIs, had a few downsides too. They weren’t able to offer real-time protection. They were also invasive to user privacy, and forced users to stay within the corporate network to ensure visibility.
The result was that organisations began requesting a CASB solution that delivered not only visibility and control, but also total data protection. Fast forward to today, and we’re seeing the emergence of proxy-based CASBs that deliver on the promise of full visibility and control, without being invasive.
How do the various CASB products differ?
CASB capabilities vary from one vendor to the next. A complete solution protects corporate data throughout its life cycle – in the cloud, at access, on the device, and on the corporate network. Most vendors have a primary proxy mechanism upon which their architecture is built, either a forward or a reverse proxy mode, though many rely on both types of proxies, depending on the use case.
It is important to consider how the various CASBs are deployed and managed, as it can have a big impact on the application and device types that can be supported, and on the amount of operational overhead associated with managing the system.
Best in breed CASB solutions are agentless (ie they do not install an agent on the endpoint as with Mobile Device Management solutions), with support for any application and device, integrated identity and access management (IAM) and mobile data protection. The solution should support major enterprise cloud applications, plus SaaS, IaaS and custom applications.
It is also important to keep in mind that web/HTTPS traffic is only one piece of the overall puzzle. For example, a cloud-based email system like Office 365 can be accessed via the web, but also via Microsoft Outlook, Mac OS X Mail, and just about every smartphone and tablet via ActiveSync. If a CASB can’t secure these alternative access types, then protection is incomplete.
Will CASB become the go-to solution for cloud security?
The market for CASBs is fast-moving, with mergers and acquisitions changing the landscape. Players in this market must innovate quickly to keep pace, and differentiate themselves from the competition. API-only CASBs have fallen behind, as there is a lot of pressure to have a full suite of capabilities, including mobile security.
CASBs are now starting to build in capabilities to proactively identify suspicious employee activity. For example, some solutions can identify simultaneous logins from different locations, flag zero-day unsanctioned applications, or spot a user who is downloading large amounts of sensitive data. The market is moving towards a more automated model, based on machine learning and AI.
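The two behavioural checks mentioned above, logins from different locations too close together in time and unusually large downloads, can be sketched as rules over an activity log. This is an added illustration, not code from any CASB product; the event fields, the sample events and both thresholds are assumptions, and raw byte volume stands in for a data-sensitivity label.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample events: (user, ISO time, action, lat, lon, bytes)
EVENTS = [
    ("alice", "2024-03-01T09:00:00", "login", 51.5074, -0.1278, 0),    # London
    ("alice", "2024-03-01T09:20:00", "login", -26.2041, 28.0473, 0),   # Johannesburg
    ("bob", "2024-03-01T09:00:00", "login", 53.3498, -6.2603, 0),      # Dublin
    ("bob", "2024-03-01T13:00:00", "login", 51.5074, -0.1278, 0),      # London
    ("bob", "2024-03-01T13:05:00", "download", 51.5074, -0.1278, 400_000_000),
    ("bob", "2024-03-01T13:30:00", "download", 51.5074, -0.1278, 700_000_000),
]
MAX_SPEED_KMH = 900          # assumed ceiling, roughly airliner cruise speed
MAX_BYTES_PER_HOUR = 10**9   # assumed per-user download threshold

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(events):
    """Return a sorted list of (user, rule) alerts for the given events."""
    alerts, last_login, downloads = set(), {}, {}
    for user, ts, action, lat, lon, size in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if action == "login":
            if user in last_login:
                t0, lat0, lon0 = last_login[user]
                hours = (t - t0).total_seconds() / 3600
                km = haversine_km(lat0, lon0, lat, lon)
                # Ignore nearby logins; flag travel faster than the ceiling
                if km > 50 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                    alerts.add((user, "impossible_travel"))
            last_login[user] = (t, lat, lon)
        elif action == "download":
            # Keep only this user's downloads from the trailing hour
            window = [(t1, b) for t1, b in downloads.get(user, [])
                      if (t - t1).total_seconds() <= 3600]
            window.append((t, size))
            downloads[user] = window
            if sum(b for _, b in window) > MAX_BYTES_PER_HOUR:
                alerts.add((user, "bulk_download"))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(EVENTS))
```

Fixed thresholds like these produce false positives for VPN users and legitimate bulk exports, which is one reason for the move towards learned per-user baselines.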
Looking even further forward, CASBs are expected to take over from niche product vendors that only have one core capability, like Identity as a Service or Enterprise Mobility Management.
Over time, many CASB providers will start building these functionalities into their platforms. The benefit for customers is that instead of purchasing many different security solutions for different security needs, they will be able to buy one solution that delivers comprehensive cloud security.
CASBs: A must-have security solution
CASBs are quickly emerging as a must-have security solution for organisations that have already adopted, or are looking to adopt, cloud-based applications. In fact, industry analyst Gartner estimates that by 2020, 85% of enterprises will use a CASB to secure cloud data.
CASBs are filling in the gaps that cloud application vendors have left to the enterprise to solve – visibility and data security. Solutions are needed that can secure cloud data wherever it goes, from the cloud to the device.
Organisations that have deployed cloud applications, or are planning to, should educate themselves on the offerings available, and ensure that the IT budget includes a CASB deployment to coincide with the rollout of these cloud applications.
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang