Cloud Access Security Brokers are products that can be described as firewall plus identity management plus anti-malware plus DLP plus encryption control/implementation plus threat management.
CASB products have becoming increasingly important as enterprises look to extend their on-premises security policies to their cloud-based assets. We looked at three products -- CipherCloud, Bitglass, and Netskope. Each one takes a different, yet ingenious, approach to the task of stopping unauthorized, inappropriate, or uncontrolled cloud asset access and manipulation.
+ MORE ON CASB: What is a cloud access security broker (CASB) and why do I need one? +
Security brokers require varying degrees of work, we found in our review, but they pay off in important ways. While it’s impossible for us to test all use cases and to scale as high as vendor claims, we were able to get a good feel for both the features of these products and for potential scalability.
- If you’re part of a huge organization, a multinational, with many users in difficult locales, we’d choose CipherCloud for its sheer depth and the power of its encryption techniques.
- Bitglass also has interesting features and a lot of control to back up specific popular SaaS apps. Also, Bitglass can watermark files in such a way as to trace exfiltration forensically.
- Netskope scored the highest in our review, just edging out CipherCloud and Bitglass. It has a complex setup, but widely and deeply covers sanctioned brand-name SaaS sources, using gradients of multi-faceted, bolt-things-down methodology.
Another thing to keep in mind: CASB is a critical security resource, so it requires administration, monitoring, and help desk personnel, along with astute installation. Adopting one is important, but non-trivial.
Here are the individual reviews:
|PRODUCT||Netskope GoScope Platform||CipherCloud Trust Platform||Bitglass|
|PRICE||Starts at $8 per user per month for Discovery, $15 per month for the Active Platform. Options such as DLP, Encryption, and Malware Protection are priced separately.||Starts at $2/month to $30/user month + maintenance costs/help desk costs + those that use a gateway with on-premises can be $30-150K depending on complexity.||Breach Discovery + Log analysis, $2/user/mo. Add Mobile-only protection, $5/user/mo. Standard edition (mobile+web+DLP) $10/user/month, Enterprise (includes encryption and specific app control) $30/user/month).|
|PROS||Detailed platform with very good analytics and administrative tracking; flexible and deep cloud app intelligence, high potential programmability||Extreme encryption flexibility and with it, DLP control for large organizations needing international regulatory compliance||Detailed and broad canned application control, graduated services|
|CONS||Docs could use work; a la carte pricing and configuration potentially inconvenient||Requires platform dedicated work costs; potential additive cloud app coverage costs||Comparatively less programmability, cloud-based forward proxy only.|
CipherCloud Trust Platform
CipherCloud provides a hypervised gateway appliance priced per user. Inside the appliance are three functional components, administrative, security, and connectors specific to managed CASB resources. Pricing, like the other products in this review, is based in gradients of services provided.
CipherCloud is a construction set with many pre-fab pieces, and it requires significant planning to deploy in order to gain full effectiveness. It’s in use by some of the largest financial institutions in the world.
+ ALSO ON NETWORK WORLD 5 cloud security companies to watch +
The strong upside is its ability to establish strong flexible encryption to the record/field level, and with it, strong DLP controls for its list of covered applications. A hidden cost is integration and adaptation of specific cloud app platforms, like Salesforce. With some work, it can be come annealed to a target application like no other, because of its data protection schemes.
We installed the gateway as an Amazon Web Services VM. Multiple instances of the gateway appliance VM can be used in redundant instances as a reverse proxy gateway between users and cloud resources. Once set, and platforms are encrypted, so it renders AES-256 gibberish of any access that doesn’t use the gateway and its decryption resources. Once accessed through the controls set in CipherCloud’s trust platform, it’s possible to set encryption that allows searches and field-level data loss prevention (DLP) flagging and control.
We like CipherCloud for its certificate key control, staggering varieties of stateful/stateless encryption, tokenization possibilities and breadth of popular SaaS app coverage. (CipherCloud doesn’t cover every app found in the cloud.)
We also like it for its strong flexibility for varying deployment designs for larger organizations. BitDefender services are available as an additional intermediary for streams flowing through, although streaming data examination isn’t totally perfect.
Architecturally, the VM is a reverse proxy gateway appliance that’s licensed by user count, so multiple instances can be generated and deployed without additional cost. The gateway, which requires healthy server-allocation resources, serves as a deep-inspector, even with many pre-set encrypted data flows filtering through it, using AES-256 encryption.