Can the CASB Unify Cloud Security Policy Enforcement?
The Cloud Access Security Broker (CASB) is an architectural concept become an over-sized security market category. Many of the pieces in the CASB model are necessary for coherent cloud security policy enforcement. But is a unified CASB solution as presently defined really viable?
A number of vendors are pitching the Gartner concept of a “CASB platform” along the lines of my rendition in the figure above. (For more information on the analyst take check out this free reprint of Gartner’s Market Guide for CASB’s (registration required) or Forrester’s similar coverage).
CASB rationale: Many enterprises are running headlong towards shadow IT, in which any employee with a credit card can order cloud-based based software (SaaS) or do-it-yourself IaaS and PaaS. Wouldn’t it be nice if the security department could just throw a box into the network to regain centralized visibility, threat protection, compliance reporting and data security?
The Case for Consolidation
Today, enterprises already deploy a number of security policy enforcement points (PEPs) to monitor and control user activity on the Internet. PEP vendors and enterprises are starting to apply these tools to the cloud. The PEPs may themselves be provided as cloud services, or they may be deployed as security gateway products on the customer premises. The following describes functionality some types of PEPs for the cloud offer:
- Cloud usage discovery: Monitor network traffic from devices, or to cloud service providers (CSPs) themselves. Identify and quantify what users and business units are doing.
- Cloud single sign-on (SSO): Authenticate all enterprise users whenever they log into a cloud service to do enterprise work. SSO can be convenient, add assurance, and provide a way to audit activity.
- Secure web gateways: Monitor all enterprise user traffic from web sites (including CSPs’) for malware and, in some cases, enforce appropriate use policies.
- Network data leakage prevention (DLP): Monitor all enterprise user traffic to or from web sites (including CSPs) for sensitive data access, or transfers.
- Cloud encryption gateways (CEGs): Encrypt data on the fly at the field- or file-level to/from cloud-based data repositories from popular services such as Salesforce, Google Drive or Office365.
The most economical way to gain centralized visibility and control of user activity on the Internet, or in the cloud, is to deploy the PEPs in the network. They fall into complicated “proxy” – or network intermediary – topologies, simplistically described as:
- Forward proxy (from the user to services)
- Reverse proxy (from the service to the users)
- API proxy (forward and/or reverse proxy designed for application-level interaction)
A chain of proxies: Now, imagine if all these proxies, or gateways, had to be deployed for user interactions with CSPs. Just a simple transaction – like a user querying personal information in a SaaS database – could result in over a dozen network round trip interactions as shown in the figure below. Wouldn’t it amazing if we got any work done at all?
I know I may have mangled the topology or the description of the proxies a bit in trying to make a point. Optimizations are possible, that’s why we have cookies. But still, the “chains of proxies” can get so complex that organizations will have to turn some off or never deploy them in the first place. Moreover, trying to avoid undesirable product overlaps, inconsistent policies, or duplicated of configuration efforts can be quite a challenge. This is why Gartner makes makes the following strategic planning assumption:
The Market Reality
Per the CASB market landscape figure immediately below, a clump of existing market categories roughly correspond to elements of the CASB pillars that could (sort of) come together in a unified framework. There have been some vendor acquisitions (e.g. Adallom by Microsoft, Perspecsys and Elastica by Bluecoat) that seem to support the case for consolidation.
But I’m a bit of a CASB skeptic. I see CASB as an artificial market category, itself a subset of a more nebulous cloud service broker (CSB) category preceding it from Gartner.
Definitionally impossible CASB? The Internet was the original “cloud.” What is new and different about “cloud computing” above “Internet?” Drue Reeves, a colleague of mine form Gartner once said this very well: “We’re putting IT itself into the cloud [to get cloud computing].” Well, enterprises rarely ever had “unified security policy enforcement” of IT even when they had control of IT. Can they now achieve, in the hybrid multi-cloud environment, what had been almost impossible in the IT environment?
Large / platform vendors killing CASB? There’s lots of investment in CASB and the early stage players like Ciphercloud or Zscaler will get bigger. But Microsoft’s (and other large platform vendor’s) entry into the market may take some air out of the balloon. Microsoft is the master of the 80-20 rule, create the basic pieces 80% of the market needs and undersell the existing market leaders. Microsoft is often successful when the opposition is fragmented.
Too big NOT to fail? All of the existing PEPs and the self-styled CASB products are quite complex. After you finish this article, check out this Active Cyber article or the Cloud Security Alliance’s Defined Categories of Service 2011. Does CASB have too many moving parts? Once a unified solution CASB really combined the bulk of the features found in all the best of breed category solutions, I think it could end up bloated and hard to maintain. It could become vulnerable to new market entrants with simplified, updated approaches.
It will take many products and much more innovation before we master the art of cloud security policy enforcement. I think we should make one thing clear: The “Cloud Access Security Broker” is really the “SaaS Access Security Broker.” That’s because security policy enforcement for IaaS is very different than for SaaS, and it involves a separate group of vendors.
When it comes to software-as-a-service (SaaS) I believe the “unified CASB” will be one of the actual market categories. But the unified CASB can’t be all things for all customers, and it won’t be for everyone.
Sip the CASB koolaid, but don’t swallow it whole. Assess your requirements for cloud security policy enforcement carefully, and develop a smart architecture that combines the best elements of unified CASB with a best of breed approach where necessary to optimize functionality and reduce cost.