Survey Report:

Evolution of the CASB

© 2020 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 2

Survey Creation And Methodology
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promote
best practices for ensuring cyber security in cloud computing and IT technologies. CSA is also
tasked with educating various stakeholders within these industries about security concerns in
all other forms of computing. CSA’s membership is a broad coalition of industry practitioners,
corporations, and professional associations. One of CSA’s primary goals is to conduct surveys that
assess information security trends. These surveys help gauge the maturity of information security
technology at various points in the industry, as well as the rate of adoption of security best practices.

Proofpoint commissioned CSA to develop a survey to a better understand CASB user expectations
and needs, and to prepare this report of the survey’s findings. Proofpoint financed the project and co-
developed the initiative by participating with CSA in the development of survey questions addressing
CASB usage, expectations, and desired capabilities. The survey was conducted online by CSA, from
March to May 2020, and was submitted to over 200 IT and security professionals from a variety of
organization sizes and locations. The data analysis here was performed by CSA’s research team.

Acknowledgments
Authors:
Hillary Baron
Sean Heide
Alex Kaluza
Shamun Mahmud
John Yeoh

Reviewers:
Frank Guanco
Courtney Stiven

Designers:
Stephen Lumpe (Cover)
AnnMarie Ulskey (Layout)

Special Thanks:
Joel Borgmeier
Itir Clarke

© Copyright 2020, Cloud Security Alliance. All rights reserved. 3

Table of Contents
Overview.............................................................................................................................................5
Visibility...............................................................................................................................................8
Expectations/Promises..................................................................................................................8
Current Assessment......................................................................................................................9
Gaps............................................................................................................................................ 11
Next evolution............................................................................................................................. 12
Compliance........................................................................................................................................ 12
Expectations/Promises................................................................................................................ 12
Current Assessment.................................................................................................................... 13
Gaps............................................................................................................................................14
Next evolution............................................................................................................................. 16
Data Security..................................................................................................................................... 16
Expectations/Promises................................................................................................................ 16
Current Assessment.................................................................................................................... 17
Gaps............................................................................................................................................ 18
Next evolution.............................................................................................................................20
Threat Protection............................................................................................................................... 21
Expectations/Promises................................................................................................................ 21
Current Assessment.................................................................................................................... 21
Gaps............................................................................................................................................24
Next evolution............................................................................................................................. 25
Conclusions: Future of CASB............................................................................................................. 25
Demographics.................................................................................................................................... 27

© Copyright 2020, Cloud Security Alliance. All rights reserved. 4

Overview
The use of cloud and virtual services continues to increase in the enterprise. Digital transformation
with these services has been reshaping businesses for years which has also opened the door to
new threat vectors and greater risk for those moving quickly towards the digital world. This initially
drove the creation and adoption of the Cloud Access Security Broker (CASB) 1 to specifically address
security gaps in an organization’s use of cloud services and gain visibility into shadow IT.

In the wake of the public health crisis of 2020, work-from-home orders issued by most companies
and governments have further accelerated this digitalization and adoption of remote services. The
expansion of the virtual workforce and adoption of cloud has emphasized the need for security and
compliance in the enterprise. In Q1 of 2020, Cloud Security Alliance (CSA) collected 216 responses
from security professionals across three major regions for sixty days to evaluate the use of CASBs for
cloud security.

What are your top 3 security projects to implement or improve by type?

(Select up to three)

100%

90%

80%
83%

70%

60%

50%

40%
43%

37%

30%
36%

30%

20%
25%

18%

10%
3%
13%

0%
Em cu
Cl

Ap cu

En cu

Co

N cu

Se ain

In ana

O
et ri

th cify
si
ou urit

cu ing
dp rit

m
pl rity

Se
Se

Se

Se

Se

Tr

Sp
ai rity
de e
w ty

er )
d y

ic

pl

rit

l
oi y
c

e
or

r T me
at

(P
ia
nt

y
k
io

nc

g
hr nt

le
Aw
n

as
ea
e

ar

e
t
en
es
s

Figure 1

The following report revealed that 83% of organizations have security in the cloud as a top project
for improvement. To the point that 89% of organizations are already using or researching the use
of a CASB within their organizations. While CASBs can provide tremendous value, the intention of

1
https://www.proofpoint.com/us/corporate-blog/post/what-cloud-access-security-broker

© Copyright 2020, Cloud Security Alliance. All rights reserved. 5

the report was to discover the effectiveness in customer use of CASBs across the four main pillars
of functionality outlined by Gartner2. The expectations, technical implementations, and challenges
of CASBs for visibility, compliance, data security, and threat protection from a customer perspective
were assessed. The analysis reviewed unrealized gaps between the rate of implementation or operation
and the effective use of the capabilities within the enterprise. Half of the organizations (50%) surveyed
don’t have the staffing to fully utilize cloud security solutions and just over one-third (34%) find solution
complexities an inhibitor in fully realizing the potential of the vendor solution. More training and clear
goals are needed to make sure companies are getting full effectiveness of CASB products.

What inhibitors has your organization encountered in adopting or fully utilizing

your cloud security vendor's technology? (Check all that apply)

100%

90%

80%

70%

60%

50%
50%

40%

30%
34%

34%

29%

27%

27%

20%

8%
19%

6%
10%
13%

0%
In

So m

Co ltu

La atu

Co se

In dg

So ab

Po pp

N
on
th cify
ad taf

ad e
ck re
lu ple

lu ilit

or or
m re

m ttin
or

co

cu

fe

in

Bu

us

su

sp

er )

e
eq f e

eq t
tio xi

tio y
pa

pl g
of se

e
s

(P
ex u
ua xp

ua
n ty

n
ny

co t

le
ity p
te ert

te

t
m

as
st ise

pl

e
af

et
fin

e
g

Figure 2

As cloud technologies and the need for them evolve, securing cloud services must also remain
dynamic. This report continued to evaluate the core CASB features and functions towards the use
and needs of the customers. Some of these focuses include:

• The visibility of cloud services used within an organization that expand to the growing list of
users and devices that are accessing these services.
• Access controls and policies that can be automated across sanctioned and unsanctioned
cloud applications.
• Bringing cloud services to meet regulatory and unique customer compliance requirements.
• Data protection controls and user behavior analysis that operate in complex multi-cloud
environments.
2
https://www.gartner.com/doc/reprints?id=1-1XO56V9F&ct=191022&st=sb

© Copyright 2020, Cloud Security Alliance. All rights reserved. 6

 How many CASBs have you deployed?

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

0
4%
1
49%
2+
29%
Unsure
18%

Figure 3

With at least 29% of organizations having to use multiple CASBs to meet their security needs
the four main pillars must evolve. This could mean that organizations are utilizing multiple CASBs
simultaneously or are switching CASB providers to find a solution that meets their needs. In today’s
security environment, the needs of the end user must lead the way for the effective and confident use
of cloud and security services in the cloud. CASB and the emergence of Secure Access Service Edge
(SASE)3 technologies have combined to add comprehensive network security functions to support the
user-centric and dynamic secure access needs of digital enterprises. The technology around cloud
security is still new and evolving. The outcome of this report will highlight the customer needs that will
drive the roadmap for the evolution of CASBs and SASEs.

3
https://www.cloudmanagementinsider.com/what-is-sase-secure-access-service-edge-gartner/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 7

 Where is your organization in the CASB procurement lifecycle?

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Operational
21%
Implementation
13%
POC/Pilot
13%

Evaluating Vendors
15%
Initial Research
27%

Figure 4

Visibility
Expectations/Promises
One of the greatest challenges encountered with cloud deployments and SaaS products is the lack of
visibility. Instead, organizations often must lean more heavily on contracts, audits, and assessments.
As a result, cloud apps and services used without the explicit approval of IT, also known as Shadow
IT, are often rampant and unchecked within organizations. In 2019, the average enterprise used 1,9354
different cloud services with most of them unknown to IT departments. Organizations also struggle
with excessive sharing of files and cloud account compromise due to a lack of visibility. Visibility is one of
four pillars CASBs are designed to assist users with. Gartner defines this pillar as:

CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated
view of an organization›s cloud service usage and the users who access data from any device or
location.

Often this increased visibility offered by CASBs is achieved through a dashboard which allows users to
see all cloud usage, users, devices, locations, etc., and traffic logs or environment scans which identify
shadow IT, sharing of files, and cloud account compromise.

4
https://www.skyhighnetworks.com/cloud-computing-trends-2019/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 8

Current Assessment
Security professionals responded to a series of questions about the usage and effectiveness of CASBs
as it relates to gaining visibility.

Security professionals were asked about where they kept Organizations with under 5000 employees
their sensitive data. The number one use case selected (42%) were more likely to report using Google
was Microsoft Sharepoint Online/OneDrive. However, it Drive than organizations over 5000 employees
should be noted that 84% of respondents selected more (13%). Those larger organizations were more
than one location. This indicates that the sensitive data likely to be using Microsoft and AWS.
that security professionals are aware of is spread out
among multiple cloud services. Only 8% selected other cloud services outside of the top eight. This
is a large discrepancy between the estimated 1,935 different cloud services used within an enterprise
and the top eight used cloud services. Additionally, 5% of respondents were unsure of where their
sensitive data was kept in the cloud.

To your knowledge, where do your users keep sensitive data in the cloud?
(Check all that apply)

100%

90%

80%

70%
69%

60%

50%
47%

40%
40%

30%
31%

31%

27%

20%
8%

8%
20%

5%
17%

10%

0%
M are e/

Az

AW

G rive

Sa

Se

Bo

N ga c

U
ns
oo

/A ni lo
th cify
ic

or
le

rv
ur

x
Sh nlin

sp

or th
ro po ne

er )

ur
sF

kd
gl

ic

- N zat ud
e

e
so in
O

in

e
e

eN
or

(P
ay

o ion
ft t

ce

le
ow

se al
e
as

ns d
e
O

iti ata
ve
D
riv
e

Figure 5

Security professionals were then asked to rate the CASB features that pertained to visibility. These
visibility features were rated relatively high with all the features averaging somewhere between high
and medium importance. Of the greatest importance were “discover sensitive data” and “locate

© Copyright 2020, Cloud Security Alliance. All rights reserved. 9

and track all cloud services access.” These features are both main features Gartner describes in its
definition of this pillar as well as common ways in which the product is marketed to end-users. This
indicates that shadow IT is still a relevant issue for many organizations.
Overall, there isn’t much variance between the importance of each of the features, indicating that
visibility on the whole is of high importance to security professionals.

Rate the importance of visibility features in CASB Services.

No Importance Low Importance Moderate Importance High Importance

Discover sensitive data

Locate and track all cloud services accessed

Direct user behavior activity

Assess cloud service compliance gaps

Detect cloud-to-cloud activity (e.g. OAuth)

Identify cloud usage by user or device

Detect data traffic and usage of cloud services

Figure 6

The same security professionals were also asked about how they utilize their CASB for visibility. The
top reported answers were “monitoring user behaviors” (55%) and “unauthorized access” (53%).
“Detect user behavior activity” was also rated as being of high importance to security professionals
on the previous question. Though there are many visibility features being leveraged with CASBs
and it is a common use case, few features are heavily utilized consistently. The top three visibility
features are only realized by around half of the users leaving some room for improvement.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 10

 Do you use CASB services for identifying any of the following?
(Check all the apply)

100%

90%

80%

70%

60%

50%
55%

53%

40%
48%

42%

41%

38%
30%

34%
20%

26%

8%
10%

13%
0%
U

U .g. ork

Co

U .g.

Co aa
D

O ec
se ivit

na lo ,

se p
at

at

at . c

ev

th ify
m

nfi S a
ac

(e w

(e

in
(e

sp
a

a on
rb y

r P riv

er )
ic
ut ca th

.
pl
t

I
Cl

Lo

se te

gu nd vel
g

e
ne

ho tio re

(P
eh

ro ile
ia
as

Ca
ns xt
ca

ra P
t

nc

le
fil ge
riz n, at)
av

si

tio aa
iti ua

te
tio

as
es )
e
ed

fic
io

vi l)

go
G

e
n
n
r

ty
ap
ac

er

riz
tio

le
ce

ro
s

at
n

rs
ss

io
s

n
Figure 7

Gaps
Interestingly, there are some common areas where security professionals do not appear to be taking
advantage of their CASBs functionality in particular with “device categorization” (13%). This could be
due in part to a great focus on the user behavior which was one of the top selected answers. (See
chart above) With the growth of user devices and the IoT5, device categorization could see more use
in the future.

Another area of concern is with regard to the effectiveness of CASBs with multi-cloud visibility
across IaaS and PaaS usage. The average rating to CASBs effectiveness in this area, was medium
(40%), but more concerningly was the large number of “Unsure” responses. Couple this finding with
the findings that organization’s sensitive data is stored in IaaS and PaaS platforms like AWS and Azure
(see Figure 5), This indicates that this is likely an area of confusion and security professionals may
be struggling to utilize their CASB for these purposes either due to the lack of staffing or expertise
or perhaps the complexity of the product (see Figure 1). Another potential explanation could be that
security professionals are simply more focused on visibility of SaaS usage, particularly with the huge
5
https://www.idc.com/getdoc.jsp?containerId=prUS45213219#:~:text=A%20new%20forecast%20
from%20International,these%20devices%20will%20also%20grow

© Copyright 2020, Cloud Security Alliance. All rights reserved. 11

and still increasing market of SaaS6 services. Organization’s may be seeking to identify sprawling data
in various unsanctioned SaaS services.

Rate how effective your CASB is with multi-cloud visibility across

IaaS and PaaS usage.

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Unsure
34%
Low
15%
Medium
40%
High
11%

Figure 8

Next evolution
The most common response when security professionals were asked about what visibility features,
they would like to see from their CASB was interoperability (ex. with Security orchestration, automation,
and response (SOAR) products or other SaaS products) or cloud-to-cloud activity monitoring.

Compliance
Expectations/Promises
Companies face different compliance challenges depending on the industry and the regions in which
they operate. In order for a business to function within their vertical or state, they must maintain
compliance often to multiple regulations. Additionally, internal compliance requirements add
necessary measures to protect company and customer data when moving to a cloud environment.
This means that the cloud services hosting an organization’s data must meet the same compliance
standards as the organization itself. According to Gartner:

CASBs assist efforts to conform to data residency and regulatory compliance requirements
through various visibility, control, and reporting capabilities. CASBs can also add Cloud
Security Posture Management (CSPM) capabilities to assess and manage the security posture
of the cloud control plane across multiple public cloud providers for policy enforcement.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 12

CASBs give organizations the ability to maintain compliance in the cloud by providing visibility and
enforcement of compliance across cloud services. This gives organizations the ability to manage
cloud risk and govern the use of cloud services within the organization.

Current Assessment
Enterprises are using CASBs more for regulatory compliance (38%) than internal compliance (22%).
Often the move to implement CASB services are driven by the requirement to meet regulatory
requirements. Internal compliance is left “as-is”, so enterprises use their current tooling for those
requirements. The ability to see cloud services that are out of compliance may be beneficial but the
ability to enforce policies and compliance is not as effective according to 20% of the respondents.
CASBs either don’t offer the ability to or the solutions are too complex to tailor security requirements
effectively for 78% of the users.

Are you using a CASB effectively as your internal compliance tool?

22% 47% 31%

Yes No Unsure

Figure 9

Does your CASB effectively assist your organization in compliance with

regulations and standards?

38% 20% 42%

Yes No Unsure

Figure 10

Data residency is driven by region. Respondents in APAC (40%) and EMEA (46%) were more likely to
report “yes” their CASB effectively assists with data residency requirements compared with respondents
from the Americas (25%) where there are less regulatory requirements to do so. Americas respondents
(19%) were less likely to report GDPR as a standard their organization adheres to when compared
with EMEA respondents (56%). This is a larger gap than expected considering the global impact of
GDPR and the protection of European citizens.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 13

 Does your CASB effectively assist with data residency requirements?

34% 25% 41%

Yes No Unsure

Figure 11

Gaps
With the amount of Shadow IT in the enterprise, enforcing compliance across both sanctioned and
unsanctioned cloud services gives organizations the ability to properly migrate and operate in the
cloud. Knowing whether or not a cloud service being used is in compliance is a start but the ability to
enforce compliance requirements across all cloud services will allow organizations to operate based
off of regulator and sovereign security requirements.

Geographically, disparate individuals may understand regulations (subset) and compliance slightly
differently. APAC and EMEA sectors are more aware of data residency requirements as well as punitive
damages that can be incurred. As far as American-based enterprises are concerned, there do not
appear to be punitive damages looming. This will likely change once California Consumer Privacy Act
(CCPA) is fully enacted and operational.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 14

 Which standards and regulations does your organization adhere to?
(Check all that apply)

100%

90%

80%

70%

60%

50%

40%
42%

30%

20%
21%

21%

8%
7%

7%
16%

4%

4%
10%

2%
0%
G

IS

PC

CC

FI oD_

CS

O ec

N
D

IP
IS

on
SM 8
O

th ify
A
I-D

sp
PA
PR

AA
T

er )

e
CC
A/ 500
SS

(P
Fe .x

le
/S
dR

as
TA
AM

e
R
P/
Figure 12

There is an opportunity for enterprises to widen the scope of their current CASB deployments and as
an opportunity for enterprises to adapt their technology around processes. Further, there is a good
chance that processes will be modified as well. Future deployments will evolve to include internal
compliance.

Automation of policy enforcement Other interesting observations

rated as the most important compliance
feature. This may reflect on how internal
security teams are understaffed. While
security staffing is far beyond the scope
of this survey report, this (shortage of
personnel) will be a continuing trend.
Lack of training and understaffing resonates with
respondents. More training is needed to maximize the
benefits of CASBs. 31-42% of respondents were unsure
of the value certain compliance functionalities had. Many
enterprise users do not know what the CASB does for
compliance and are not taking advantage of the current
features. CASB training updates should be added to the
enterprises’ processes.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 15

 Rate the level of Importance for potential compliance features in a CASB.

No Importance Low Importance Moderate Importance High Importance

Automation of policy enforcement

Reporting compliance adherence

Bringing unapproved applications to compliance with regulation

Blocking of applications and services

Recommend compensating controls

Figure 13

Next evolution
The expectation for features such as bringing unapproved applications up to compliance with
regulation to be the highest rated feature. Making sure a company can properly operate by the
rules and regulations set in the industry is a core function of any business. Automation of policy
enforcement and reporting compliance adherence topped the list of importance. Bringing applications
to compliance and the blocking of applications and services wasn’t far behind. CASB users appear to be
more interested in controlling user access to cloud applications instead of bringing cloud applications
up to compliance for usage. This could be due to the large number of cloud applications available and
preferring the ability to have staff use approved products that meet specific security and compliance
requirements. The evolution of both the cloud and the end user will determine the proper approach for
meeting compliance in the cloud. Further, this is likely to change as more global enterprises recognize
the importance of data residency compliance regulations.

Data Security
Expectations/Promises
Data Security focuses on protecting against data leaks. The terms “data loss” and “data leak” are
related and are often used interchangeably. One of the key tenets of Data Security is Data Loss
Prevention (DLP). DLP is the practice of detecting and preventing data breaches, exfiltration, or
unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and
comply with regulations.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 16

Defined by Gartner:

CASBs provide the ability to enforce data-centric security policies to prevent unwanted
activity based on data classification, on data discovery, and on user activity monitoring of
access to sensitive data or privilege escalation. Policies are applied through controls, such
as audit, alert, block, quarantine, delete, and view-only.

DLP features are prevalent within the CASB services and are one of the most commonly deployed
controls after visibility. CASB DLP operates natively and in conjunction with enterprise DLP products
via Internet Content Adaptation Protocol (ICAP) or RESTful API integration. A few vendors now offer
a common DLP engine for their email, cloud, and on-premises products, which eliminates policy
duplication and overlap. Some CASBs provide the ability to encrypt, tokenize, or redact content at
the field and file level in cloud services.

Current Assessment
With organizations trying to balance usability and security, 46% of those surveyed are allowing file
sharing on an internal all-company domain. The study also revealed that 21% allow external sharing
and 10% sharing to the public. Less than a quarter have more strict file sharing configurations with
15% internal with individual members and 9% private only. Data security properties of CASBs will
apply across the board but are critical for the 77% of CASB users that have more open file sharing.
This is an opportunity to address and raise effectiveness of data security features such as granular
access controls based on device or location. A moderate rating was also given to control and monitoring
features stressing more importance that data security properties of CASBs meet the needs of open
file sharing in the cloud. The ability to discover, assess, and solve misconfigurations in PaaS and IaaS
environments was also moderately effective but will be key in using CASBs for data security in the cloud.
Many users were also unsure of the effectiveness of their data security capabilities with a CASB.

What level of file sharing in the cloud is allowed by your organization?

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Internal with all company domain

46%
External
21%
Internal with individual members
15%
Public
10%

Private only
8%

Figure 14

© Copyright 2020, Cloud Security Alliance. All rights reserved. 17

Gaps
Reviewing the DLP survey questions show user
behavior rates, which were noted important to APAC respondents were (33%) more likely to
respondents, are moderately effective. Even select user behavior monitoring as a wanted
though detecting anomalies in user behavior and enhancement for DLP than respondents in
preventing the upload of sensitive data were the EMEA (12%) or Americas (6%).
slightly higher rated effective CASB features,
there appears to be internal policy issues where companies are able to see what is happening but not
able to take a more effective measure. The governing Shadow IT is also moderately effective even
though Shadow IT is rated as a top priority for respondents. Unsurprisingly, context-based controls
and risk-based controls are the top requested features to enhance DLP. Context and threat-based
data controls indicate the need for risk-aware DLP and granular policies.

Rate how effective your CASB is at the following...

Not Effective Less Effective More Effective Very Effective

Control user access from uncertain locations (countries, outside of corporate networks, etc.)

Control user Access from unmanaged devices

Discover/monitor sensitive data in the cloud (DLP)

Govern cloud applications (Shadow IT visibility, Oauth apps control)

Report on compliance gaps/violations

Discover, assess and solve IaaS/PaaS misconfigurations (Cloud Security Posture Management)

Figure 15

© Copyright 2020, Cloud Security Alliance. All rights reserved. 18

 Rate how effective your CASB is at the following...

Not Effective Less Effective More Effective Very Effective

Prevent data exfiltration for approved apps

Prevent data exfiltration for unapproved apps

Prevent upload of sensitive data

Prevent download of sensitive data

Detect anomalies in user behaviors

Protecting cloud users from account takeover

Figure 16

© Copyright 2020, Cloud Security Alliance. All rights reserved. 19

 Which of the below would most enhance your DLP program?

100%

90%

80%

70%

60%

50%

40%

30%

20%
23%

10%

8%
19%

6%

5%
10%

3%
13%

2%
11%

0%
Co vi ion

Ri tel cks

IT

Ri in

U iv

Su

Fe

Su n
se

se ile

th
SM
sk , u , e

sk cid ea

w
pe

pe age
nt ce, , e
(d cat

to d t

(p

m
in a

rb

r r ge

er
-b s

-a e t i

er
e

a
ex b tc

rio

rio m
an
lo

an

w nt nt

ol ,
as ers c.)
at

(P
eh

so
t- ro .)

ar s el

rc

r i en
e- VI
d
ed ,
t

le
ba w

av

lu
e ba lig

nc t
SI

ba P,

om

as
tio
h
se se

in
io
co targ

EM

id wo
r

se t

e
ci sed enc
r

p
d r, n

ns
nt et

en rk
s
m

d c.)

lia
de o e
in
co e

p
ro ed
t

t
co

t
on

ec
nc
te

nt n a

o
e
nt tw

ls

nt
gr

ify
ito

m
e
re cc
ro or

(t by

r
at

)
hr cy

ol
rin

flo
sp es
ls k,

na
io

an
s
ea b

on s
g

w
ge
ns

ag
t er

s
se con

em
(p di

en
rio tio

t
rit ns
ize
d

Figure 17

Next evolution
Even though users are finding value in CASBs, the effectiveness of CASB features doesn’t necessarily
meet the high demand for data security needs. More training on how to use the full spectrum of
CASB features and greater expertise in integration with other technologies will help. Context-based
controls (device, browser, network, location) at 23%, and risk-based controls (threat intel, users
targeted by cyberattacks) at 19% were the top responses for which would most enhance your DLP
program. User behavior monitoring (13%), ITSM and SIEM integrations (11%), and risk-aware incident
response (10%) were the next three top responses from the survey.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 20

Threat Protection
Expectations/Promises
Threat protection is being able to locate, remediate, and respond to ongoing threats within your
environment. In order to know how to respond appropriately and with what controls, businesses
need to know what devices are connected to their network. Gartner defines Threat Protection in
CASBs as:

CASBs have the ability to prevent unwanted devices, users, and versions of applications
from accessing cloud services by providing adaptive access controls (AACs).

Other examples of CASB capabilities in this category are embedded user and entity behavior
analytics for identifying anomalous behavior, detecting compromised cloud accounts, and the use
of threat intelligence, network sandboxing, and malware identification and remediation. Much of
this can be pulled from entity behavior analysis and being able to identify anomalous behavior on a
network. Such behavior can be categorized as malware identification, network sandboxing, as well as
threat intelligence.

Current Assessment
Threat protection for CASBs pertains to what cyber security controls are currently being used in
environments and how CASBs play a role as a threat protection mechanism. Security Professionals
were asked the type of mechanisms they use to prevent malicious or non compliant access. Multi-
factor authentication (MFA) for cloud applications and VPN is the number one mechanism with 38%
of respondents. It is important to note along with this figure that 55% of total respondents use an
MFA that is provided with their identity provider as opposed to a standalone product in the cloud
(20%). The trending Zero Trust models were used less than 9% of the time and the AAC provided by
CASBs are only used 8% of the time.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 21

 What type of security mechanism do you use to prevent malicious
or non-compliant access?

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Multi Factor Authentication for VPN and cloud applications

38%
Multi Factor Authentication for VPN only
17%
Network based access control
15%
MDM/Device posture and hygiene compliance
11%

Zero Trust Network Access

9%
Adaptive access controls (Conditional access, risk-based authentication, etc.)
8%
Other (please specify)
2%

Figure 18

Security Professionals were asked next what identity and access management providers (IDaaS) they
are deploying, or are currently deployed in their environment. A robust 64% of respondents chose
Microsoft Azure AD and Microsoft ADFS (44%) as their IDaaS of choice.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 22

 Which identity and access management providers (IDaaS) do you deploy or plan
to deploy? (Check all that apply)

100%

90%

80%

70%

60%
64%

50%
44%

40%

30%
27%

20%

10%

8%
10%

4%

4%
15%

12%

1%
0%
M zur

Se

Au

Pi

Fo

ID
kt

th

ne
ic e

ic

ng

ap
cu

rg
t
A

sp
ro AD

ro

h0
a

er y)

Lo
e

tiv
re

Id

ec
so

Ro
(p
of

g
Au

en

e
if
ft

in
c
le
tD

tit

k
t

as
h

y
FS

e
Figure 19

Security Professionals were asked what cyber security mechanisms they use to control user access.
This was even across the board with secure web gateways (22%), next-gen firewalls (22%), and
traditional VPN appliances (20%). It is clear to see that businesses are using a combination of
products for layering their security.

For CASBs to be more effective, a key takeaway is that the integration of CASB solutions with identity
providers and MFA providers impacts more users than the native IAM features of the CASB. CASB
based user access controls account for approximately 17% of the mechanisms users are using for
secure access to services.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 23

 What cybersecurity mechanism do you use to control user access?

100%

90%

80%

70%

60%

50%

40%

30%

20%
22%

22%

20%

9%

5%

5%
10%

3%

3%
12%

0%
Se

Tr

Ze

CA ve

Cl

CA rw

O ec

CA ly)
ex

th ify ed
ad

ou
cu

ro

Re

Fo

sp

on
SB rse

SB rd

SB
er )
t

iti

d
-g
re

Tr

(A Pr

(A Pr

(A
on

ba

(P
en

u
W

a
st

PI ox

PI ox

PI
le
se
al
eb

fir

-b y)

-b y)

-b
/A

as
VP

d
ew

as

as

as
G

e
VP
w
N
at

ed

ed
ay
al

N
ew

ap
l

an

an
pl

O
ay

d
ia

n
nc

VP
e

Figure 20

Gaps
The effectiveness of CASB as a threat protection appliance also scored moderate overall. The main
detective features for threat protection are detecting data breaches and account takeover, identifying
malware and misconfigurations, and ingesting threat intelligence. MFA and federated identity are the
top security mechanisms being used for access control heavily favored over CASB access controls
and other methods. CASB integration with other user third party and cloud native tools will lessen
this gap and provide better usability and effectiveness for the end user.

Overall, CASBs perform well for visibility and detecting behavior anomalies in the cloud but have
yet to become practical as a tool for remediation or prevention. Cloud adoption and architecture
are still a growing process. The enterprises using traditional VPN’s, gateways, and next-gen firewalls
will more than likely find a place with a CASB when shifting more workloads to the cloud. Additional
integration with intelligence platforms like SIEM or SOAR platforms will allow organizations to
automate remediation end-to-end. Education and training surrounding the replacement, integration,
and proper use of CASB capabilities for threat protection is still missing.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 24

 Rate how effective your CASB is at threat protection to each of the following.

Not Effective Less Effective More Effective Very Effective

Detecting data breach

Idenitfying malware

Detecting cloud account takeover

Ingesting threat intelligence feeds

Identifying and monitoring misconfigurations

Figure 21

Next evolution
The growth of cloud will reflect the evolution of CASB usage as more businesses turn towards the
cloud. This is where detection and protection for systems may begin to play a larger role from a
trusted CASB.

MFA leads the group for security mechanisms and won’t be slowing down in the future. Identity
providers who offer an MFA mechanism are more likely to attract users who are using a third party
standalone MFA’s applications. There is a likely assumption that more IDP will have their own take
on having MFA capabilities for end users. Given the CASB capabilities for visibility in the cloud, using
Zero trust network access along with MFA and federated identity integrations could be the future
of controlling user access, authorization, and behavior monitoring in the cloud. This would be the
ultimate feature in data protection with a CASB.

Conclusions: Future of CASB

A benefit of CASBs has been in the flexibility of the deployment model but the real strength may be
in the position on the cloud service edge to meet the biggest needs from end users. More integration
with intelligence platforms (e.g. SIEM, SOAR) will give organizations the ability to automate policy
enforcement and threat detection capabilities across cloud applications helping enterprises allow
the usage of cloud applications for business productivity instead of blocking unapproved cloud
applications. The integration of Identity Provider Solutions for federated and MFA identity solutions,
along with CASB access control features, will give organizations the threat protection it needs to

© Copyright 2020, Cloud Security Alliance. All rights reserved. 25

identify, protect, and correct cloud activity across the organization. The speed and ability to apply
more granular context-based controls and risk-based controls across multiple cloud applications
will increase the efficiency of DLP. Improved cloud to cloud activity monitoring will allow enterprises
full visibility to meet organizational data security needs across all cloud environments. With the
application of CASBs across industry verticals facing multiple regulations, CSPM capabilities for
all cloud service models (SaaS, PaaS, IaaS) will aid in protecting data and adapting to the changing
regulatory landscape.

The technology solutions that fit in the CASB market don’t necessarily mirror the strengths in the
CASB defined pillars of visibility, compliance, data security, and threat protection. Around half (51%)
of CASB users rely on a single CASB to meet security needs with at least 30% using multiple. As
cloud adoption grows, these solutions must evolve to meet the needs and demands of the enterprise
end user. The ability to provide visibility to the hundreds of cloud services being used within the
enterprise is a clearly defined strength of a CASB. However, it is the training and knowledge of
product usage that must be a priority in order to meet the effectiveness of the service or solution.
There is still a lot of improvement for how to use CASB solutions that has led to the moderate
and unsure effectiveness of the compliance features and the data security and threat protection
capabilities within the service. Perhaps, the greatest future benefit of a CASB will not just be in its
delivery of the technology but in the services it provides to the customer to meet those capabilities.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 26

Demographics
A survey of 216 respondents was conducted from February to April 2020. Respondents were cloud
and security professionals from a variety of backgrounds.

What is the size of your organization?

1-50
8%

51-500
10,000+
13%
35%

501-1,000
13%

5,0001-10,000 1,001-5,000
10% 22%

Figure 22

What is your level of responsilbity?

C-level Executive
16%
Staff
35%

Manager
49%

Figure 23

© Copyright 2020, Cloud Security Alliance. All rights reserved. 27

 What region do you work in?

Americas APAC
45% (Asia, Pacific Islands)
34%

EMEA
(Europe, MiddleEast, Africa)
21%

Figure 24a

Most Common Countries Percentage Number of Participants

United States of America 31% 45

India 8% 11

Canada 7% 10

United Kingdom of Great Britain and 5% 7

Northern Ireland

Netherlands 4% 6

Australia 3% 5

Israel 3% 4

Italy 3% 4

Mexico 3% 4

Figure 24b

© Copyright 2020, Cloud Security Alliance. All rights reserved. 28

 Which of the following best describes the principal industry of your organization?

Education
1% Construction, Machinery...
2%
1% Food & Beverages
Insurance
1% Retail & Consumer Durables
3%
1% Transportation & Delivery
Utilities, Energy, and Extraction 1% Advertising & Marketing
3% 1% Entertainment & Leisure
Business Support & Logistics 1% Real Estate
3% 1% I am not currently employed
Manufacturing
5%
Telecommunications
Government 38%
6%

Healthcare &
Pharmaceuticals
7%

Financial services
24%

Figure 25

© Copyright 2020, Cloud Security Alliance. All rights reserved. 29

About the Sponsor

Proofpoint is a leading cybersecurity company that protects organizations’ greatest assets and
biggest risks: their people. With an integrated suite of cloud-based solutions, we help companies
around the world stop targeted threats, safeguard their data, and make their users more resilient
against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune
1000, rely on us for people-centric security and compliance solutions that mitigate their most critical
risks across email, the cloud, social media, and the web. More information is available at
www.proofpoint.com.

Sponsors are CSA Corporate Members who support the findings of the research project but have
no added influence on the content development or editing rights of CSA research.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 30