The Cloud Security Alliance (CSA), an organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, announced the release of its latest survey report, The Evolution of the CASB. The study, which queried more than 200 IT and security professionals from a variety of organization sizes and locations, examined the expectations, technical implementations, and challenges of using cloud security access brokers (CASB). The results reveal unrealized gaps between the rate of implementation or operation and the effective use of the capabilities within the enterprise.

“CASB solutions have been underutilized on all the pillars but in particular on the compliance, data security, and threat protection capabilities within the service,” said Hillary Baron, lead author and research analyst, Cloud Security Alliance. “It’s clear that training and knowledge of how to use the products need to be made a priority if CASBs are to become effective as a service or solution.”

Commissioned by Proofpoint, Inc., a cybersecurity company and CASB solution provider, the paper found that while nearly 90% of the organizations surveyed are already using or researching the use of a CASB, half (50%) don’t have the staffing to fully utilize cloud security solutions, which could be remediated by working with top CASB vendors.

Further, more than 30% of respondents reported having to use multiple CASBs to meet their security needs and just over one-third (34%) find solution complexities an inhibitor in fully realizing the potential of CASB solutions. Overall, CASBs perform well for visibility and detecting behavior anomalies in the cloud but have yet to become practical as a tool for remediation or prevention.

Additionally, the report found that when it comes to utilizing CASBs, of those surveyed:

  • 83% have security in the cloud as a top project for improvement
  • 55% use their CASB to monitor user behaviors, while 53% use it to gain visibility into unauthorized access
  • 38% of enterprises use their CASB for regulatory compliance while just 22% use it for internal compliance
  • 55% of total respondents use multi-factor authentication that is provided by their identity provider as opposed to a standalone product in the cloud (20%)

Brendan O’Connor, CEO and Co-Founder of AppOmni, says that attackers have realized that sensitive data now lives in the cloud. "This makes a proper, cloud-focused security stack more critical than ever for today’s security organizations. CASBs have evolved to counter the growing attacks but they are only a piece of a larger security puzzle. In fact, the rise in the attacks as well as the increasing sophistication of cloud services have given rise to complementary security solutions."

Security teams are complementing CASBs with solutions to address the growing number of attacks against the multi-cloud stacks that today's modern enterprise makes use of, O'Connor adds. "Security teams also need to put in place cloud-native protections such as Cloud Security Posture Monitoring (CSPM) solutions for IaaS clouds and SaaS Security Posture Monitoring (SSPM) solutions for SaaS clouds. As attacker methodologies evolved against on-premise services and endpoints, the security stack necessarily evolved to a set of tools designed for each category of data, service, or hardware to be protected. We see the same evolution underway in cloud services - there is no one-size-fits-all piece of security technology to secure the multi-cloud stack. Rather, security teams need defense-in-depth strategies for each part of that stack."

O'Connor notes that CASBs are great in their areas of strength. "For any use case that requires detection of rogue apps or network monitoring, a CASB is an ideal solution - that’s what they are built for and where their strength lies. Where we see a misalignment between buyer (security team) expectations and CASB capabilities is when CASBs are used for purposes that are not core to their design and strengths. A great example of this is using a CASB, not for a core use case such as DLP content scanning but to monitor SaaS security posture. The value of CASBs by design is to provide broad coverage across a wide range of services. They are not designed to have the depth of understanding of the configuration and security posture of SaaS applications which are better suited for a different category of solutions."

"Use of multiple CASBs could be a telltale sign of organizations deploying different solutions in an attempt to address different challenges - multiple square pegs for multiple round holes. Instead of procuring multiple CASBs, we would encourage security leaders to evaluate a variety of tools for the variety of security needs they have - CASB for network, CSPM for IaaS, and SSPM for SaaS," O'Connor concludes. 

Tim Wade, Technical Director, CTO Team at Vectra, notes that the maturity around cloud security itself has evolved such that the compliance and data loss prevention capabilities that CASBs are primarily limited to performing effectively have been supplemented by a larger market category ecosystem that includes Cloud/Network Detection and Response as separate investments.

"The genesis of this shift in understanding is primarily the result of organizations realizing the importance of moving past the compliance-based security offered by CASBs into the cyber-resilience driven security of Cloud/Network Detection and Response. It’s important to note that attacks against the modern hybrid enterprise may move through both an organization’s classical IT infrastructure and cloud presence over the course of a single attack. CASBs may play a role in elements of compliance or data-loss prevention associated with one part of one leg of that, but the onslaught of attacks has actually demonstrated that unified coverage across the entirety of the attack surface is necessary, not just the cloud side of the equation. Modern SOCs face the very real threat of both cloud and traditional IT risk, and tracking attack progression through that attack surface is critical," says Wade. "In reading this report, it’s important to note that the hallmark of modern security isn’t strictly data compliance or further investments in the diminishing returns of preventative technology, but the resilience against attacks when compliance is insufficient and prevention technology fails – organizations require investments in the timely detection of attacks in progress and meaningful response to interdict an attack before damage is done."

Nic Morris, Managing Principal, Cyber Engineering at Coalfire, notes, "Continued attacks have been great in terms of helping to develop the capabilities of the CASB, helping mature a once single-dimensional tool into what can be marketed into an all-in-one solution by many vendors.

"Many of the features that have continued to appear are necessary to help combat the advanced threats that continue to mature and morph themselves. But, I point here to the 5th question, where I notate that just because the solution seems to do it all, does not mean that it covers the entire defense-in-depth strategy alone," Morris explains. "The best CASB available is the best CASB for your needs as they are not one size fits all, even as the market becomes more commoditized. The most important thing to consider is simply knowing your scenario and what you need to solve. Considering this question should not be a point in time approach however, as you should consider the use cases that may arise over the next several years, as the capital expenditure of this effort should be well used. Knowing your needs across visibility, compliance, data security, and threat protection will help you align to the capabilities that many of these tools offer and allow you to balance this with budgeting. Keep in mind the level of maturity of these capabilities, and how those may translate over the next 5 years with massive growth in the areas of distributed cloud infrastructure, third-party applications, data analytics, IoT, and machine learning."

Morris adds, "The modern CASB seems too often to be marketed as an all-in-one solution to security, with capabilities across discovery, monitoring, protection, authentication, etc… However, these capabilities are heavily focused on the service and endpoint device aspect of the stack. While there are great needs at these levels to protect data, there are areas left out by the CASB, like the underlying infrastructure itself and its associated configuration. Also, Application Security in terms of development and vulnerability management isn’t really taken into account by the CASB, but only a more reactive measure is put in place should any type of malicious activity be detected. While CASB has helped to optimize certain domains of security, the basic tenets of security should not be ignored in favor of an all-in-one solution. Defense-in-depth is still center of the information security approach, and the right tools and capabilities should be evaluated and enacted given the uniqueness of every environment and scenario."