Catching a CASB Key to Securing SaaS
Increased concern about application-level attacks and the security threats around software-as-a-service is giving rise to new interest by managed service providers in the growing cloud access security broker field.
CASB software, as it is known, is deployed as an in-line proxy or via an out-of-band applications programming interface and provides visibility into cloud-based applications and how they are being used. CASB technology is thus growing in importance as more enterprise applications move to the cloud, where data resides and is processed on a variety of platforms that the enterprise doesn't control or own.
According to a recent Gartner report, about 60% of large enterprises are using CASBs, primarily to "govern SaaS back-office enterprise applications" including content collaboration, enterprise resource planning, customer relationship management and productivity applications. As the report indicates, there is now a lot of diversity among CASBs in what is becoming a very competitive field that includes both products and services, as well as on-premises and cloud-based approaches. The variety of vendors offer either the proxy-based CASBs, API-based CASBs or a multimode version that combines the two.
Managed service providers are looking to CASB technology to provide visibility into SaaS applications as part of the protection services they sell to businesses.
As Patrick Donegan, principal analyst with HardenStance, a UK-based consultancy, points out, however, CASBs are one tool but not the only one, for extending security into the cloud.
"In many cases, CASBs, as they've been defined, are a very important product line and a key tool for enabling secure cloud migration," he comments. "However, you do have to be watch for the old analogy about having a hammer and everything looking like a nail. In the case of those companies that have invested heavily in SIEMs [security information and event management], and deriving value from those SIEMs, there are ways of extending the management reach of those SIEMs into the cloud that can potentially be as good or better than investing in new CASB platforms. Companies should be examining all available options in the context of their unique environment rather than just automatically running with the CASB herd."
Masergy Communications Inc. is one company that is looking to CASBs to provide key analytics that will enable the service provider to provide SaaS protection as part of its managed services portfolio, says Jay Barbour, director of Security Product Management. Masergy recently announced an extension to its Masergy Unified Enterprise Security (UES) security platform to include a Microsoft Office 365 security monitoring service.
"A vendor such as Microsoft that is well-respected and well-resourced has the expertise and scale to integrate security analytics into the application itself," Barber explains in an interview. "So our approach to securing Office 365 is leveraging Microsoft security analytics, adding our industry-leading security and response capability as well as adding some additional analytics that can correlate what happens in the office environment into other environments."
The problem is that many SaaS vendors aren't large or resourceful enough to bake in security analytics, he adds, and that's where CASBs come in.
"There are an awful lot of SaaS companies that don't have the economics or maturity or scale to integrate analytics, and that is why you get a lot of risk with those applications," Barber says.
The lack of visibility into the cloud-based application is a risk in and of itself, he says, because it limits the ability to audit is happening. But providing some visibility, in the form of event data, is not enough, there is also the need for analytics.
"Many of these third-party SaaS vendors have the ability to export basic security event data," Barber adds. "That's why for the second category, the evolution of point solutions for SaaS is coming from CASBs. They take all this third-party event data, then add the analytics and make a platform at scale."
Masergy is working with the companies he identifies as the market leaders in the CASB space, such as Netskope, Skyhigh Networks and Bitglass. All three are also named ranked highly in the Gartner Magic Quadrant report on CASBs.
CenturyLink is also incorporating CASB technology into its next-generation of security gateways, acquiring the technology from vendors and building it into the services it delivers.
"We have some CASB functionality built into our adaptive security network gateway product, it is our next-generation gateway product," says Chris Richter, vice president of Global Security Services for CenturyLink. "That also is a feature set we are building out this year as well. We are building it out ourselves using best-in-class technology, not other service providers, but other security product developers." (See CenturyLink Launches Adaptive Network Security Mobility .)
Richter sees application software as likely to be a continuing source of security challenges, given the pace at which new applications are coming into the market.
"The biggest challenge is the code itself," he says. "This has been a problem for many years, the code comes out so quickly from code factories in the US and abroad that it is riddled with vulnerabilities the instant it is turned up. Companies are so aggressively pushing to build applications to grow their revenue that I don’t believe they thoroughly examine and audit their own code for security and application vulnerability."
That is creating the demand for web application firewalls and other basic elements to protect enterprises deploying the software, Richter says.
At this point, CenturyLink is not identifying the vendors with whom it is working. Among the other companies named by Gartner in its CASB report are Cisco (through the acquisition of CloudLock), Palo Alto Networks (through the acquisition of CirroSecure) and Symantec (through the acquisition of Blue Coat).
— Carol Wilson, Editor-at-Large, Light Reading