Top 8 Cloud Access Security Brokers (CASB)

Cisco UmbrellaMicrosoft Defender for Cloud AppsNetskope CASBSkyhigh SecurityPrisma SaaS by Palo Alto NetworksSaviyntSymantec CloudSOC CASBLookout
  1. leader badge
    It has certainly saved us time. If we go and look at what's rejected on the requests from the hospital itself, it has saved about 5% or 6% time.The integration features within, for example, the Cisco VPN product and the Umbrella module are valuable.
  2. leader badge
    One of the most valuable features is auditing. Some of the other protection services have issues with auditing. Microsoft Defender for Cloud has an excellent auditing technique that helps us avoid the risk of filtering or information loss. You can use different tools to guarantee these things. It allows you to conduct an in-depth exploration of applications, users, and files that are harmful or suspicious. You can also enhance your security setup by creating personalized rules or policies that help you better control traffic in the cloud.
  3. Buyer's Guide
    Cloud Access Security Brokers (CASB)
    March 2023
    Find out what your peers are saying about Cisco, Microsoft, Netskope and others in Cloud Access Security Brokers (CASB). Updated: March 2023.
    686,748 professionals have used our research since 2012.
  4. The solution offers a better understanding of the real scenario and identifies the cloud apps that are being utilized.The detection capability is very nice and lightweight.
  5. The feature I found most valuable is the API.The management is very good.
  6. Overall, the cost savings, ease of deployment, and better VPN user experience and performance are valuable.The stacked policies, event policies, and routing policies are easy to understand for someone with general knowledge.
  7. It is a flexible tool because it works on JSON.The most valuable features of Saviynt are database utility and report generation. These two features have a major impact, particularly when you are trying to create a report because, in other systems, you need to use a third-party utility such as a BI tool or any other reporting tool to fetch the data and send out the report to a third party team. In Saviynt, it's a system within a system, so you don't have to use any third-party tool because you can directly do your query and write that code on Saviynt and then send that report to the team.
  8. report
    Use our free recommendation engine to learn which Cloud Access Security Brokers (CASB) solutions are best for your needs.
    686,748 professionals have used our research since 2012.
  9. The value in some of these solutions is just the integration of technologies with their on-prem DLP solution. So, you can tie on-prem and cloud DLP policies together. You can apply on-prem policies to the cloud to have consistent policies in a hybrid environment. So, it works very well in that hybrid environment of on-prem and cloud.
  10. The protection offered by the product is the most valuable feature. It detects vulnerabilities or traps on our users' phones and then prompts them to clean up their devices. Tools we used previously would only discover, which required us to gather information on the backend, so Lookout is a welcome upgrade.

Advice From The Community

Read answers to top Cloud Access Security Brokers (CASB) questions. 686,748 professionals have gotten help from our community of experts.
Netanya Carmi - PeerSpot reviewer
Netanya Carmi
Content Manager at PeerSpot (formerly IT Central Station)

What are the most important features?

Netanya Carmi - PeerSpot reviewer
Netanya Carmi
Content Manager at PeerSpot (formerly IT Central Station)

What benefits have you seen from CASB tools?

Shibu Babuchandran - PeerSpot reviewer
Shibu BabuchandranCloud Access Security Brokers (CASB) are a security application that helps… more »
4 Answers
Evgeny Belenky - PeerSpot reviewer
Evgeny Belenky
PeerSpot (formerly IT Central Station)

Hi infosec professionals,

Can you share your best practices and advice to follow (by an enterprise) when implementing IAM in the Cloud?

Thanks for your help in educating our community!

Ladislav Nyiri - PeerSpot reviewer
Ladislav NyiriIdentity and access management in the cloud - there are more interpretations of… more »
6 Answers

Cloud Access Security Brokers (CASB) Articles

Janet Staver - PeerSpot reviewer
Janet Staver
Tech Blogger
As more organizations shift to the cloud, securing those cloud environments has become a top priority. With cloud environments, companies are facing challenges, with more regulations, a higher rate of data loss, and an increase in the number of attacks. To handle these challenges, organizations...
Read More »
Janet Staver - PeerSpot reviewer
Janet Staver
Tech Blogger
If you are like the majority of other companies, you most likely use cloud environments or multi-cloud implementations. Even though cloud computing has become increasingly popular, it introduces security threats such as contract breaches, compliance problems, and APIs that are not secure or are m...
Read More »
Evgeny Belenky - PeerSpot reviewer
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Hi community members, Here we go with a new Community Spotlight. We publish it to help YOU catch up on recent contributions by community members. Trending What open-source HCI solution do you recommend? How much time does SSO save? What are the main technical differences between Microso...
Read More »
Shibu Babuchandran - PeerSpot reviewer
Shibu Babuchandran
Regional Manager/ Service Delivery Manager at a tech services company with 201-500 employees
What Is SASE? Secure Access Service Edge, or SASE (pronounced “sassy”), is an emerging cybersecurity concept that Gartner first described in the August 2019 report. SASE is the convergence of wide-area networking or WAN, and network security services like CASB, FWaaS and Zero Trust, into a si...
Read More »

Cloud Access Security Brokers (CASB) Topics

Cloud access security brokers - Tackling shadow IT usage

In many large enterprises, the traces of shadow IT can be hard to track without having a dedicated software or tool in place to monitor all of the activity that happens from within an on-premise server or proxy address.

It has been reported that only around 8 per cent of cloud services publicly available today meet enterprise data security & privacy requirements, that leaves a huge chunk of services that may go unnoticed by IT departments if they don’t have the necessary security controls put into place.

Without a cloud access security broker, unauthorized use of public cloud services cannot be tracked. A good way to visualize it within your own business is to imagine if one of your employees claims to have found a better application for file-sharing than the one you currently provide to each of your staff. They most likely won’t raise this discovery with senior members in your organization, but there is a high chance they will share it with their co-workers.

When this adoption of a cloud service goes unnoticed, data can be shared via applications that don’t meet the minimum safety standards that would otherwise be controlled with a CASB in place. Data can be breached thanks to account hijacking, and unfortunately, your employees might not even know their account has been accessed, because their details aren’t stored anywhere but on their local, on-premise device.

As a result of this kind of breach occurring, your data security becomes compromised without your IT department having any real knowledge about the usage of that certain unsanctioned cloud service.

What does a CASB do to protect your business against shadow IT usage?

Here are 3 ways you can use a cloud access security broker to prevent shadow IT usage from making your cloud data vulnerable:

1. Target all unsanctioned cloud services in use

The first measures put in place with a cloud access broker can help determine how heavily shadow IT usage is being used within the business. CASB solutions collate firewall as well as proxy logs, and from the analysis of these logs, IT departments are able to discover any cloud services being used by employees and business units. From there on, IT staff can determine which cloud services do not meet minimum requirements in relation to data security. The hard part without a CASB is that IT departments can’t monitor all of the activity carried out by everyone in the organization. The use of personal devices and mobiles makes it difficult to track and flag some cloud services in use by employees, as they may be using personal emails to share files and messages between fellow members of staff.

Obviously this is a high-risk form of activity, but it does happen when workers are based at home, or doing work on-the-road and need a cloud service at their fingertips. Sometimes staff do this simply because they feel a certain unsanctioned cloud service will help them more than the service their company has provided them with.

The problem here is that they don’t want their administrators or senior managers noticing they have made an account, so they sign up using their own personal details instead of using their work email address like they would normally do for using cloud services in an enterprise setting.

2. Calculate the risks involved with each cloud service being used

Thanks to the ever-changing technology in the cloud security industry, cloud access security brokers are able to keep up to date registries of every cloud service any member of staff within an organisation registers to. The cloud access security broker takes each service and assesses the risk value based on 50 attributes, and more than 260 sub-attributes.
Examples of sub-attributes include a cloud service claiming ownership of data uploaded, a cloud service sharing the user’s data to third parties without authorization or acknowledgement from the user, and the encryption of data in rest storage (in other words not moving between accounts and device e.g. on a laptop or hard drive).
It is very easy for any member of staff to utilize another third-party cloud service without realizing the small-print, and the risks associated with that. Let’s say one of your staff find a convenient tool online to convert JPEG images or Microsoft Word documents into PDF documents.

A common risk associated with this is that the cloud service will list in their terms and conditions that they will claim ownership of any files uploaded to their portal. It wouldn’t matter if the files were something as simple as a receipt for an order, or a datasheet containing dozens of customer’s personal details or credit card information, either way, you won’t want to be sharing that stuff…

3. The application of cloud governance policies

Once the CASB has calculated all of the risk assessments attached to each cloud service being used, the IT department and senior staff within the company can put the appropriate cloud governance policies into place.

The main benefit of this to a large organization is that the riskier cloud applications will be blacklisted, providing the opportunity for the safer cloud services and cloud applications to be actively promoted across the entire organisation. This works by aligning the CASB with the company’s existing proxy logs and firewall, so that the dangerous cloud services can be blocked on the devices in use.

What are the three categories of cloud services?

As a general rule of thumb, you can separate cloud services into three distinct categories based on their risk level. This method helps to maximize data protection when deciding on which cloud applications to utilize within the business.

1. The first category contains IT-sanctioned services - These cloud applications are deemed safe and useful, and can also leverage the security capabilities for a large company.

2. The second category can be referred to as the permitted services, these cloud applications can be beneficial to staff as they are generally just as, if not more efficient than sanctioned cloud applications, but they lack the security compliance of IT-sanctioned services.

3. The third category contains prohibited services. These are the services that pose the real threats to a large company’s data security, as they have little or no safety provisions. It is important that your company utilities a cloud access security broker, to ensure the correct restrictions are put in place to avoid shadow IT activity occurring, because as we know, shadow IT usage triggers the adoption of dangerous cloud applications that aren’t already restricted by your IT department’s firewall.

To give you an insight into these categories of cloud applications, check out the table below:

IT-Sanctioned Cloud Services Permitted Cloud Services Prohibited Cloud Services
Office 365
Jive Software

From this information, you can take onboard which cloud services to recommend. For any large business, a cloud access security broker will help to unify different services across all departments. You will find it is much easier to govern your cloud security when all of your staff are carrying out their work on the platforms you actively encourage them to use.

If you don’t have a cloud security broker in place, it can be easy for shadow IT usage to be exploited, as your staff have no direction as to which cloud-based tools they should be making use of. The governing and restriction of prohibited cloud-based applications allows you to encourage the adoption of the more secure and useful ones, essentially helping your organisation to leverage the immense benefits of cloud-based working.

As your portfolio of data continues to grow, it becomes an increasingly difficult task to protect every last spec of it, but with a cloud access security broker, it is all automated. Built into every device, you can rely on the tool to successfully govern, restrict and notify any suspicious activity which might be putting data security at risk.

Which CASB should I choose & what questions should I ask them?

You’ll be glad to know that the market for CASBs is pretty diverse, and you should be able to find a broker that offers API level support for your main cloud application/s. You can choose from a whole host of options including Microsoft Cloud App Security (For cloud services such as Microsoft Azure), McAfee MVISION Cloud, or even Saviynt.

A few of our popular comparisons are:

Prisma SaaS vs Zscaler Internet Access

Cisco Umbrella vs Infoblox Secure DNS

When it comes to choosing the right broker, you want to ensure you know whether you want your service to run via a reverse proxy or forward proxy, or both. Reverse proxies work like web pages, where resources are retrieved from multiple servers to the client. A forward proxy involves a firewall, and restricts outside traffic, while governing activity within the firewall.

If you have found a few cloud access security brokers that interest you, you want to check how they operate to perform the tasks you will require, such as:

  • How new cloud services are spotted - Where are they logged?
  • How are the risk scores of cloud applications generated and calculated?
  • Does the broker offer sensitive data discovery - How is this data then protected inside the company’s server?

Ultimately you want to see if the main cloud services you use have a recommended broker, as that way, the services can be tailored towards the data you may be looking to protect further. The last thing you want is to invest in a broker that offers no added value to cloud security, or investing in a broker that isn’t tailored to the apps you focus on, even if it has received high ratings.

Cloud security is just as important as the cloud services your use as a business, and with the right research, you’ll find yourself leveraging security benefits that will make both shadow IT and data security threats something to leave behind in the past.

Buyer's Guide
Cloud Access Security Brokers (CASB)
March 2023
Find out what your peers are saying about Cisco, Microsoft, Netskope and others in Cloud Access Security Brokers (CASB). Updated: March 2023.
686,748 professionals have used our research since 2012.