CASB vendors have been around for the past 5-7 years, VCs have invested over $500M in these companies, and Gartner has been promoting them with very bullish growth predictions. Still, a recent report shows that only 7% of companies have adopted CASBs as a security solution, and all CASB vendors combined have sales of somewhere between $50M and $100M a year, making it a very small market. So, what's wrong with all these CASBs?
A report sponsored by several CASB vendors and published last week gives us a hint (download, requires email). Spoiler - The report provides a good description of the different cloud security threats, but the inevitable conclusion is not stated: Most CASBs do not address the security threats described in the report. Here's why.
Most CASBs Don't Solve the Biggest Problem: SaaS Email
If only 7% of enterprises have implemented a CASB solution, then maybe the threat isn't there? But the report actually shows that 81% of the 1,900 CISOs surveyed are concerned about cloud security.
The report shows only 24% have any plans to look into CASBs in the future. So, what is wrong? Where is everyone else?
The report gives us a hint. It tells us that the most commonly adopted corporate SaaS application is email, by a total of 44% of the organizations surveyed:
As we know from numerous other reports, email is indeed the top source of the attacks companies are experiencing. For example, the recent Verizon Data Breach Investigations Report points to email as “the road most traveled to deliver malware into organizations” and finds that most data loss begins with a phishing email.
So most of these CASBs, the companies that claim to secure your SaaS, don't solve the biggest security threat on the most common SaaS application we are using? Can we then trust them with the rest? This is probably why most customers that have deployed a CASB perceive it as a nice-to-have visibility tool and not a security prevention solution. In the end, most of their customers use them mainly to provide "Shadow IT" reports. No wonder they are not taking off.
Proxy-based DLP has critical blind-spots
The report describes a CASB as a proxy “placed between cloud service consumers and cloud service providers”. That is a good description of the sponsoring vendors, but it excludes Avanan: we consider ourselves to be a CASB, yet we do not use a proxy. Proxies are a serious limitation when trying to address the biggest security concerns in public clouds.
Proxies also have limited visibility to your cloud:
- Proxies can only see data from employees within the company and miss files that are shared by non-corporate collaborators like customers or partners.
- Proxies cannot understand the context of a shared file: is it dropped into a private folder or a folder accessible by anyone, etc.
- Proxies cannot monitor, or are limited in monitoring, desktop agents. A single malicious file or confidential document will be synced to every user's phone or desktop via the native app with the proxy being none the wiser.
- Proxies cannot monitor API connections to third party SaaS. It is easy for a user to grant third-party access to files and contacts via connections that will never pass through the proxy.
The greatest irony is that if the proxy goes down, only outside collaborators will have access to your data.
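The four blind spots listed above, turned into an API-side audit as an added example (not Avanan's or any vendor's code). The record fields, the corporate domain and the scope names are constructed assumptions standing in for whatever metadata a SaaS provider's API returns.

```python
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"                         # assumed corporate domain (constructed)
BROAD_SCOPES = {"files.read_all", "contacts.read"}  # hypothetical scope names

@dataclass
class FileRecord:                 # hypothetical shape of per-file API metadata
    name: str
    uploader: str                 # e-mail of whoever placed the file in the tenant
    folder_visibility: str        # "private", "domain" or "anyone"
    synced_by_native_client: bool = False

@dataclass
class OAuthGrant:                 # hypothetical shape of a third-party app grant
    user: str
    app: str
    scopes: set = field(default_factory=set)

def audit(files, grants):
    """Return (subject, finding) pairs using only provider-side metadata."""
    findings = []
    for f in files:
        # Blind spot 1: content that arrived from outside the company.
        if not f.uploader.lower().endswith("@" + CORP_DOMAIN):
            findings.append((f.name, "uploaded by external collaborator"))
        # Blind spot 2: sharing context of the folder the file sits in.
        if f.folder_visibility == "anyone":
            findings.append((f.name, "in folder accessible by anyone"))
        # Blind spot 3: distribution through the native sync client.
        if f.synced_by_native_client:
            findings.append((f.name, "synced to devices by native client"))
    for g in grants:
        # Blind spot 4: app-to-SaaS API access granted by a user.
        broad = sorted(g.scopes & BROAD_SCOPES)
        if broad:
            findings.append((g.app, "third-party grant by %s: %s" % (g.user, ", ".join(broad))))
    return findings

# Constructed sample metadata, not taken from any real tenant.
SAMPLE_FILES = [
    FileRecord("q3-forecast.xlsx", "alice@example.com", "anyone"),
    FileRecord("invoice.pdf", "vendor@partner.test", "private", True),
    FileRecord("notes.txt", "bob@example.com", "private"),
]
SAMPLE_GRANTS = [
    OAuthGrant("bob@example.com", "calendar-helper", {"calendar.read"}),
    OAuthGrant("alice@example.com", "pdf-converter", {"files.read_all", "profile"}),
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_FILES, SAMPLE_GRANTS):
        print(subject, "->", finding)
```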
Most CASBs are Hard to Install
The report describes CASB deployment as “not trivial”:
“CASBs require significant understanding of an organization’s use cases to be effective as well as trained cloud security personnel to implement them properly.”
So, CASBs don't solve the customer's biggest concern, what they claim to solve they don't solve well, and then they are hard to install?
In our SaaS era, the idea of proxying all traffic is an outrageous notion. When cloud services communicate via ready-to-use app-store extensions and OAuth tokens, the idea of sending all the traffic through a choke point is not acceptable to most customers and end-users. Here's what the report tells us are the main drivers for considering cloud-based security solutions:
With time to deploy being key for 52%, proxy- and agent-based solutions are out. Companies expect security to be implemented transparently into the SaaS or IaaS, activated with a single On/Off switch, and any end-user interaction to be native within the SaaS app. This is becoming possible through the growing richness of the APIs provided by the SaaS vendors, but the proxy-based CASBs invested so much in proxies, back when API-based security was not yet possible, that it's just too hard for them to shift.
Once you take the proxy or agent away, these CASBs solve NONE of the concerns introduced by the report they funded:
- Email Threats
- Data Leakage Protection
- Misconfiguration of the Cloud Service
The Right Cloud Security Approach
Avanan has partnered with the leading security vendors to create a complete security stack, addressing every single one of the security concerns mentioned in the report, including email security/anti-phishing and data leakage prevention. We know no single vendor can solve it all, so that's why we partnered with all leading vendors and made it a single click of a button to implement any security solution on any SaaS.
Avanan uses cloud-native APIs to implement these security solutions without the use of a proxy. No proxy means implementation takes one click with no effect on end-users.
The report hinted at Avanan’s capabilities when it asked respondents whether they believe their legacy security solutions are capable of functioning fully in the cloud.
Avanan has cloudified the technology you trust to offer the best protection in the cloud. You can protect your data in the cloud with the same variety of tools you had within your data center, only now it's much easier: it only takes a click of a button.
You have a cloud security problem but it is not solved by the CASBs using proxies. Learn more about how Avanan solves the cloud security problem.