Acknowledgments
Authors:
Hillary Baron
Sean Heide
Alex Kaluza
Shamun Mahmud
John Yeoh
Reviewers:
Frank Guanco
Courtney Stiven
Designers:
Stephen Lumpe (Cover)
AnnMarie Ulskey (Layout)
Special Thanks:
Joel Borgmeier
Itir Clarke
In the wake of the public health crisis of 2020, work-from-home orders issued by most companies
and governments have further accelerated this digitalization and adoption of remote services. The
expansion of the virtual workforce and adoption of cloud has emphasized the need for security and
compliance in the enterprise. In Q1 of 2020, Cloud Security Alliance (CSA) collected 216 responses
from security professionals across three major regions for sixty days to evaluate the use of CASBs for
cloud security.
Figure 1
The following report revealed that 83% of organizations have security in the cloud as a top project
for improvement, to the point that 89% of organizations are already using or researching the use
of a CASB within their organizations. While CASBs can provide tremendous value, the intention of
1 https://www.proofpoint.com/us/corporate-blog/post/what-cloud-access-security-broker
Figure 2
As cloud technologies and the need for them evolve, securing cloud services must also remain
dynamic. This report continued to evaluate the core CASB features and functions against the use
and needs of customers. Areas of focus include:
• The visibility of cloud services used within an organization that expand to the growing list of
users and devices that are accessing these services.
• Access controls and policies that can be automated across sanctioned and unsanctioned
cloud applications.
• Bringing cloud services to meet regulatory and unique customer compliance requirements.
• Data protection controls and user behavior analysis that operate in complex multi-cloud
environments.
2 https://www.gartner.com/doc/reprints?id=1-1XO56V9F&ct=191022&st=sb
0: 4%
1: 49%
2+: 29%
Unsure: 18%
Figure 3
With at least 29% of organizations having to use multiple CASBs to meet their security needs,
the four main pillars must evolve. This could mean that organizations are utilizing multiple CASBs
simultaneously or are switching CASB providers to find a solution that meets their needs. In today’s
security environment, the needs of the end user must lead the way for the effective and confident use
of cloud and security services in the cloud. CASB and the emergence of Secure Access Service Edge
(SASE)³ technologies have combined to add comprehensive network security functions to support the
user-centric and dynamic secure access needs of digital enterprises. The technology around cloud
security is still new and evolving. The outcome of this report will highlight the customer needs that will
drive the roadmap for the evolution of CASBs and SASEs.
3 https://www.cloudmanagementinsider.com/what-is-sase-secure-access-service-edge-gartner/
Operational: 21%
Implementation: 13%
POC/Pilot: 13%
Evaluating Vendors: 15%
Initial Research: 27%
Figure 4
Visibility
Expectations/Promises
One of the greatest challenges encountered with cloud deployments and SaaS products is the lack of
visibility. Instead, organizations often must lean more heavily on contracts, audits, and assessments.
As a result, cloud apps and services used without the explicit approval of IT, also known as Shadow
IT, are often rampant and unchecked within organizations. In 2019, the average enterprise used 1,935⁴
different cloud services, with most of them unknown to IT departments. Organizations also struggle
with excessive sharing of files and cloud account compromise due to a lack of visibility. Visibility is one of
the four pillars CASBs are designed to assist users with. Gartner defines this pillar as:
CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated
view of an organization’s cloud service usage and the users who access data from any device or
location.
Often this increased visibility offered by CASBs is achieved through a dashboard which allows users to
see all cloud usage, users, devices, locations, etc., and traffic logs or environment scans which identify
shadow IT, sharing of files, and cloud account compromise.
4 https://www.skyhighnetworks.com/cloud-computing-trends-2019/
Security professionals were asked about where they kept their sensitive data. The number one use
case selected was Microsoft Sharepoint Online/OneDrive. However, it should be noted that 84% of
respondents selected more than one location. This indicates that the sensitive data that security
professionals are aware of is spread out among multiple cloud services. Only 8% selected other cloud
services outside of the top eight. This is a large discrepancy between the estimated 1,935 different
cloud services used within an enterprise and the top eight used cloud services. Additionally, 5% of
respondents were unsure of where their sensitive data was kept in the cloud.
Organizations with under 5000 employees (42%) were more likely to report using Google Drive than
organizations over 5000 employees (13%). Those larger organizations were more likely to be using
Microsoft and AWS.
To your knowledge, where do your users keep sensitive data in the cloud?
(Check all that apply)
Figure 5
Security professionals were then asked to rate the CASB features that pertained to visibility. These
visibility features were rated relatively high with all the features averaging somewhere between high
and medium importance. Of the greatest importance were “discover sensitive data” and “locate
Figure 6
The same security professionals were also asked about how they utilize their CASB for visibility. The
top reported answers were “monitoring user behaviors” (55%) and “unauthorized access” (53%).
“Detect user behavior activity” was also rated as being of high importance to security professionals
on the previous question. Though there are many visibility features being leveraged with CASBs
and it is a common use case, few features are heavily utilized consistently. The top three visibility
features are only realized by around half of the users, leaving some room for improvement.
Figure 7
Gaps
Interestingly, there are some common areas where security professionals do not appear to be taking
advantage of their CASB’s functionality, in particular “device categorization” (13%). This could be
due in part to a greater focus on user behavior, which was one of the top selected answers (see
Figure 7). With the growth of user devices and the IoT⁵, device categorization could see more use
in the future.
Another area of concern is the effectiveness of CASBs with multi-cloud visibility
across IaaS and PaaS usage. The average rating of CASB effectiveness in this area was medium
(40%), but more concerning was the large number of “Unsure” responses. Coupled with the finding
that organizations’ sensitive data is stored in IaaS and PaaS platforms like AWS and Azure
(see Figure 5), this indicates that this is likely an area of confusion, and security professionals may
be struggling to utilize their CASB for these purposes, either due to the lack of staffing or expertise
or perhaps the complexity of the product (see Figure 1). Another potential explanation could be that
security professionals are simply more focused on visibility of SaaS usage, particularly with the huge
5 https://www.idc.com/getdoc.jsp?containerId=prUS45213219#:~:text=A%20new%20forecast%20from%20International,these%20devices%20will%20also%20grow
Unsure: 34%
Low: 15%
Medium: 40%
High: 11%
Figure 8
Next evolution
The most common response when security professionals were asked what visibility features
they would like to see from their CASB was interoperability (e.g., with security orchestration, automation,
and response (SOAR) products or other SaaS products) or cloud-to-cloud activity monitoring.
Compliance
Expectations/Promises
Companies face different compliance challenges depending on the industry and the regions in which
they operate. In order for a business to function within its vertical or state, it must maintain
compliance, often with multiple regulations. Additionally, internal compliance requirements add
necessary measures to protect company and customer data when moving to a cloud environment.
This means that the cloud services hosting an organization’s data must meet the same compliance
standards as the organization itself. According to Gartner:
CASBs assist efforts to conform to data residency and regulatory compliance requirements
through various visibility, control, and reporting capabilities. CASBs can also add Cloud
Security Posture Management (CSPM) capabilities to assess and manage the security posture
of the cloud control plane across multiple public cloud providers for policy enforcement.
Current Assessment
Enterprises are using CASBs more for regulatory compliance (38%) than internal compliance (22%).
Often the move to implement CASB services is driven by the need to meet regulatory
requirements. Internal compliance is left “as-is”, so enterprises use their current tooling for those
requirements. The ability to see cloud services that are out of compliance may be beneficial, but the
ability to enforce policies and compliance is not as effective according to 20% of the respondents.
For 78% of the users, CASBs either don’t offer the ability to tailor security requirements effectively
or the solutions are too complex to do so.
Yes No Unsure
Figure 9
Yes No Unsure
Figure 10
Data residency is driven by region. Respondents in APAC (40%) and EMEA (46%) were more likely to
report “yes”, their CASB effectively assists with data residency requirements, compared with respondents
from the Americas (25%), where there are fewer regulatory requirements to do so. Americas respondents
(19%) were less likely to report GDPR as a standard their organization adheres to when compared
with EMEA respondents (56%). This is a larger gap than expected considering the global impact of
GDPR and the protection of European citizens.
Yes No Unsure
Figure 11
Gaps
With the amount of Shadow IT in the enterprise, enforcing compliance across both sanctioned and
unsanctioned cloud services gives organizations the ability to properly migrate and operate in the
cloud. Knowing whether or not a cloud service being used is in compliance is a start, but the ability to
enforce compliance requirements across all cloud services will allow organizations to operate based
on regulatory and sovereign security requirements.
Geographically disparate individuals may understand regulations (subset) and compliance slightly
differently. APAC and EMEA sectors are more aware of data residency requirements as well as punitive
damages that can be incurred. As far as American-based enterprises are concerned, there do not
appear to be punitive damages looming. This will likely change once the California Consumer Privacy Act
(CCPA) is fully enacted and operational.
Figure 12
There is an opportunity for enterprises to widen the scope of their current CASB deployments and
an opportunity to adapt their technology around processes. Further, there is a good
chance that processes will be modified as well. Future deployments will evolve to include internal
compliance.
Figure 13
Next evolution
The expectation was for features such as bringing unapproved applications up to compliance with
regulation to be the highest rated. Making sure a company can properly operate by the
rules and regulations set in the industry is a core function of any business. Automation of policy
enforcement and reporting compliance adherence topped the list of importance. Bringing applications
to compliance and the blocking of applications and services weren’t far behind. CASB users appear to be
more interested in controlling user access to cloud applications than in bringing cloud applications
up to compliance for usage. This could be due to the large number of cloud applications available and
a preference for having staff use approved products that meet specific security and compliance
requirements. The evolution of both the cloud and the end user will determine the proper approach for
meeting compliance in the cloud. Further, this is likely to change as more global enterprises recognize
the importance of data residency compliance regulations.
Data Security
Expectations/Promises
Data Security focuses on protecting against data leaks. The terms “data loss” and “data leak” are
related and are often used interchangeably. One of the key tenets of Data Security is Data Loss
Prevention (DLP). DLP is the practice of detecting and preventing data breaches, exfiltration, or
unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and
comply with regulations.
CASBs provide the ability to enforce data-centric security policies to prevent unwanted
activity based on data classification, on data discovery, and on user activity monitoring of
access to sensitive data or privilege escalation. Policies are applied through controls, such
as audit, alert, block, quarantine, delete, and view-only.
DLP features are prevalent within the CASB services and are one of the most commonly deployed
controls after visibility. CASB DLP operates natively and in conjunction with enterprise DLP products
via Internet Content Adaptation Protocol (ICAP) or RESTful API integration. A few vendors now offer
a common DLP engine for their email, cloud, and on-premises products, which eliminates policy
duplication and overlap. Some CASBs provide the ability to encrypt, tokenize, or redact content at
the field and file level in cloud services.
Current Assessment
With organizations trying to balance usability and security, 46% of those surveyed are allowing file
sharing on an internal all-company domain. The study also revealed that 21% allow external sharing
and 10% sharing to the public. Less than a quarter have stricter file sharing configurations, with
15% internal with individual members and 9% private only. Data security properties of CASBs will
apply across the board but are critical for the 77% of CASB users that have more open file sharing.
This is an opportunity to address and raise the effectiveness of data security features such as granular
access controls based on device or location. A moderate rating was also given to control and monitoring
features, underscoring the importance of CASB data security properties meeting the needs of open
file sharing in the cloud. The ability to discover, assess, and solve misconfigurations in PaaS and IaaS
environments was also rated moderately effective but will be key in using CASBs for data security in the cloud.
Many users were also unsure of the effectiveness of their data security capabilities with a CASB.
Private only: 8%
Figure 14
Control user access from uncertain locations (countries, outside of corporate networks, etc.)
Discover, assess and solve IaaS/PaaS misconfigurations (Cloud Security Posture Management)
Figure 15
Figure 16
Figure 17
Next evolution
Even though users are finding value in CASBs, the effectiveness of CASB features doesn’t necessarily
meet the high demand for data security needs. More training on how to use the full spectrum of
CASB features and greater expertise in integration with other technologies will help. Context-based
controls (device, browser, network, location) at 23% and risk-based controls (threat intel, users
targeted by cyberattacks) at 19% were the top responses for what would most enhance respondents’ DLP
programs. User behavior monitoring (13%), ITSM and SIEM integrations (11%), and risk-aware incident
response (10%) were the next three top responses from the survey.
CASBs have the ability to prevent unwanted devices, users, and versions of applications
from accessing cloud services by providing adaptive access controls (AACs).
Other examples of CASB capabilities in this category are embedded user and entity behavior
analytics for identifying anomalous behavior, detecting compromised cloud accounts, and the use
of threat intelligence, network sandboxing, and malware identification and remediation. Much of
this can be pulled from entity behavior analysis and being able to identify anomalous behavior on a
network. Such behavior can be categorized as malware identification, network sandboxing, as well as
threat intelligence.
Current Assessment
Threat protection for CASBs pertains to what cyber security controls are currently being used in
environments and how CASBs play a role as a threat protection mechanism. Security professionals
were asked what type of mechanisms they use to prevent malicious or noncompliant access.
Multi-factor authentication (MFA) for cloud applications and VPN is the number one mechanism with 38%
of respondents. It is important to note along with this figure that 55% of total respondents use an
MFA that is provided with their identity provider as opposed to a standalone product in the cloud
(20%). The trending Zero Trust models were used less than 9% of the time and the AAC provided by
CASBs is only used 8% of the time.
Figure 18
Security Professionals were asked next what identity and access management providers (IDaaS) they
are deploying, or are currently deployed in their environment. A robust 64% of respondents chose
Microsoft Azure AD and Microsoft ADFS (44%) as their IDaaS of choice.
Figure 19
Security Professionals were asked what cyber security mechanisms they use to control user access.
This was even across the board with secure web gateways (22%), next-gen firewalls (22%), and
traditional VPN appliances (20%). It is clear to see that businesses are using a combination of
products for layering their security.
For CASBs to be more effective, a key takeaway is that the integration of CASB solutions with identity
providers and MFA providers impacts more users than the native IAM features of the CASB.
CASB-based user access controls account for approximately 17% of the mechanisms users are using for
secure access to services.
Figure 20
Gaps
The effectiveness of CASB as a threat protection appliance also scored moderate overall. The main
detective features for threat protection are detecting data breaches and account takeover, identifying
malware and misconfigurations, and ingesting threat intelligence. MFA and federated identity are the
top security mechanisms being used for access control, heavily favored over CASB access controls
and other methods. CASB integration with other third-party and cloud-native tools will lessen
this gap and provide better usability and effectiveness for the end user.
Overall, CASBs perform well for visibility and detecting behavior anomalies in the cloud but have
yet to become practical as a tool for remediation or prevention. Cloud adoption and architecture
are still a growing process. The enterprises using traditional VPNs, gateways, and next-gen firewalls
will more than likely find a place for a CASB when shifting more workloads to the cloud. Additional
integration with intelligence platforms like SIEM or SOAR platforms will allow organizations to
automate remediation end-to-end. Education and training surrounding the replacement, integration,
and proper use of CASB capabilities for threat protection are still missing.
Identifying malware
Figure 21
Next evolution
The growth of cloud will reflect the evolution of CASB usage as more businesses turn towards the
cloud. This is where detection and protection for systems may begin to play a larger role from a
trusted CASB.
MFA leads the group for security mechanisms and won’t be slowing down in the future. Identity
providers who offer an MFA mechanism are more likely to attract users who are using third-party
standalone MFA applications. It is a likely assumption that more IdPs will have their own take
on MFA capabilities for end users. Given the CASB capabilities for visibility in the cloud, using
Zero Trust network access along with MFA and federated identity integrations could be the future
of controlling user access, authorization, and behavior monitoring in the cloud. This would be the
ultimate feature in data protection with a CASB.
The technology solutions that fit in the CASB market don’t necessarily mirror the strengths in the
CASB-defined pillars of visibility, compliance, data security, and threat protection. Around half (51%)
of CASB users rely on a single CASB to meet security needs, with at least 30% using multiple. As
cloud adoption grows, these solutions must evolve to meet the needs and demands of the enterprise
end user. The ability to provide visibility into the hundreds of cloud services being used within the
enterprise is a clearly defined strength of a CASB. However, it is the training and knowledge of
product usage that must be a priority in order to realize the effectiveness of the service or solution.
There is still a lot of room for improvement in how CASB solutions are used, which has led to the moderate
and unsure effectiveness ratings of the compliance features and the data security and threat protection
capabilities within the service. Perhaps the greatest future benefit of a CASB will not just be in its
delivery of the technology but in the services it provides to the customer to meet those capabilities.
1-50: 8%
51-500: 13%
501-1,000: 13%
1,001-5,000: 22%
5,001-10,000: 10%
10,000+: 35%
Figure 22
C-level Executive
16%
Staff
35%
Manager
49%
Figure 23
Americas: 45%
APAC (Asia, Pacific Islands): 34%
EMEA (Europe, Middle East, Africa): 21%
Figure 24a
India 8% 11
Canada 7% 10
Netherlands 4% 6
Australia 3% 5
Israel 3% 4
Italy 3% 4
Mexico 3% 4
Figure 24b
Telecommunications: 38%
Financial services: 24%
Healthcare & Pharmaceuticals: 7%
Government: 6%
Manufacturing: 5%
Business Support & Logistics: 3%
Utilities, Energy, and Extraction: 3%
Insurance: 3%
Education: 2%
Construction, Machinery...: 1%
Food & Beverages: 1%
Retail & Consumer Durables: 1%
Transportation & Delivery: 1%
Advertising & Marketing: 1%
Entertainment & Leisure: 1%
Real Estate: 1%
I am not currently employed: 1%
Figure 25
Sponsors are CSA Corporate Members who support the findings of the research project but have
no added influence on the content development or editing rights of CSA research.