Where have all the CASBs gone?


This post was originally published here by   Nat Kausik .

The CASBmarket started out with a fistful of companies five years ago.  Now there are just a couple left. What happened?

When the CASB market was nascent, most enterprises were skeptical of the cloud.  Indeed, companies in regulated enterprises were downright terrified of the cloud.  The most pressing issue was to find all cloud apps used in their enterprise and block them at the firewall.   It was all about identifying “Shadow IT.”   As a result, the early CASB were focused exclusively on this problem.    This is essentially a management capability, i.e. clean up risky events after the fact.

Then, some enterprises began to adopt cloud apps for non-critical uses, such as a file-sharing app for extranet use.  They wanted to identify the leakage of sensitive data into the cloud, using out-of-band API inspection.  CASBs that offered Shadow IT quickly added API inspection.  Another management capability in that it cleans up after risky events.  

Then came Office 365, with Microsoft forcing enterprises to move to the cloud en masse for their backbone productivity suite.  Now enterprises were no longer satisfied with management, cleaning up after risky events.   Enterprises wanted security,  real-time inline capabilities that prevent risky events before the fact. 

Operating inline is an entirely differrent technical challenge from operating out-of-band.   Not every CASB had the technical chops to make this transition.  At this point, most CASBs had to throw in the towel and exit via acquisitions, leaving the acquirers holding the bag with products that are not really ready for prime time.

Only two CASBs remain independent.  Both offer inline security. 

  • One requires proxy agents on every device, is not interoperable with existing infrastructure like Secure Web Gateways and can be stubbornly undeployable after years of trying.  
  • The other is a Next-Gen CASB with a unique agentless architecture that deploys in a few days.  Zero-Day threat and data protection on any device anywhere.

In the security business, inline products deliver automated protection, hence are valued highly by customers and Wall Street alike.  Provided you can deploy them of course. 

Photo:Cybersecurity Insiders


No posts to display