Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Understand CASB technology before you buy

CASB technology offers threat protection, increased visibility and policy enforcement. Explore how these tools protect access to cloud applications, and then compare some of the top products.

With the cloud here to stay, organizations need to ensure cloud applications are secure, are accessible only to authorized users and conform to company policies. One platform that addresses this all is a cloud access security broker, or CASB. These systems sit between users and cloud services applications and resources and are typically available as cloud services.

CASB tools first emerged as a way to monitor shadow IT. Now, they actively intervene in user-to-cloud application sessions by intercepting session traffic, where they then scan and modify session traffic if necessary. In the most general terms, CASBs help monitor and enforce company security policies for each cloud application.

In this relatively new market, newer companies, like Bitglass and Netskope, offer CASB technology products, as well as long-standing security vendors, like McAfee and Symantec, which have acquired CASB startups.

How do CASBs work?

Several elements make CASBs work. The most important is implementing API support for a cloud app, like Dropbox, for example. In order to scan data objects or documents, the CASB needs to implement the API of each specific app that is accessed by users.

All CASB traffic ultimately originates in the user's endpoint. It is the endpoint -- or rather the user at the endpoint -- that logs in to a cloud app. Thus, the endpoint -- or the user device -- plays an important role in the CASB interaction.

User devices that can access the cloud generally fit into two categories: managed and unmanaged endpoints.

The IT department controls managed endpoints where CASB agents are installed. This provides for the most control for the organization and enables IT to install a traditional endpoint security platform if available from the CASB vendor. A forward proxy sends the traffic to the CASB, which serves as a gateway that communicates with the cloud app on behalf of each client.

Unmanaged devices can include employees' personal tablets, phones or computers or a device used by a partner or contractor to access the company's cloud apps. Unmanaged endpoints are devices used in an organization's environment, but since IT doesn't have direct control over them, they can't install a CASB software agent.

The user sign-in process to a cloud service or application will trigger CASB interaction. A user with an unmanaged device is "captured" on unmanaged devices during login, and the CASB monitors the session without the benefit of an agent.

The most basic way to trigger the CASB is the use of a reverse proxy. With this process, the CASB device terminates the session for the unmanaged device and creates a separate session into the target application. Some vendors advocate using a gateway approach instead because some applications have problems with rewriting the URL, which is part of the reverse proxy mechanism.

What are the main CASB use cases?

Since their inception, CASB use cases have grown to include the following.

Compliance and data security. Addressing compliance and data security issues is at the heart of what most CASB products are designed to do. The CASB can examine or scan data objects, like files and documents, in the session to ensure the data is in compliance with company and government standards. The CASB can also take various actions if violations are discovered. These include watermarking, removing or quarantining content. Data loss prevention (DLP) is a key part of CASB benefits.

Added threat protection. A more advanced and growing use of a CASB is as an additional threat protection layer. The CASB scans data flowing to the corporate user and can detect viruses, malware and potentially more sophisticated threats. This use will continue to evolve as more threats target cloud application environments.

Visibility into app usage. CASBs enable IT to view all sanctioned and shadow IT apps accessed by users. This use case alone is often justification enough to implement a CASB.

Cloud application usage tracking. Finally, CASBs can provide a way to view cloud application usage, making it easier to identify abuse and usage patterns. If one service is being overused, companies can take action to save money by switching to a more appropriate plan. If other cloud services are getting little or no usage, they can be cancelled to cut excess costs.

Key features and comparison

For a meaningful comparison of products, it is important to know each product's features and pricing to determine the best fit and value. In the past, a data sheet was only a few clicks away, and pricing was easy to come by. But this is no longer the case.

Five of six vendors discussed below were forthcoming in responding to our request for information. All too often, the information isn't easily accessible from their public websites. Some vendors provide links to their data sheets, but the pages often contain vague, high-level information about the product, which isn't enough to build a comparison.

Deployment model

The following CASB products are available as cloud-based -- SaaS -- services. Most vendors provide few details on their cloud, although Bitglass noted its CASB is hosted on AWS.

Bitglass, McAfee and Netskope also noted their CASBs can be deployed on  premises and as virtual appliances.

Given that the target application is always in the cloud, there should be few performance differences based on deployment mode.

Still, it's helpful to ask a prospective vendor how the SaaS is managed and scaled. Prospective buyers should ask if the CASB is a multi-tenant system or if it provides a dedicated cloud-based virtual appliance for customers.

Target customer segments

While core CASB features are applicable to all customer segments, application support and other characteristics might favor specific customer segments. For example, Bitglass noted it is focused on heavily regulated industries, like financial services and healthcare. CipherCloud has a similar focus and includes large enterprises. McAfee focuses on enterprises with 1,000+ employees. Symantec's target customers are similar to the vendors above.

Of the vendors profiled, only Netskope and Proofpoint seem to target a range of companies from SMBs to large enterprises.

Product update cycles

Product profiles usually refer to specific software versions or product releases. With SaaS, references to versions are used rarely.

In fact, none of these vendors cited a specific version. When logging on to a CASB, customers use whatever software the vendor has decided to put online. Presumably, the service provider updates agent code automatically. Unlike typical application updates, many security packages simply update automatically whenever the new code is available. Netskope noted it typically updates its CASB software twice a month, and changes are automatically pushed to users.

Licensing and pricing models

Asking how much a CASB costs is a simple question with no simple answer. Most CASB vendor websites presented no useful results on pricing or licensing. None of the vendors provide actual prices on their sites, only general pricing formulas.

All of the CASB tools featured below are available on an annual subscription basis. They are sold on a per-user, rather than a per-device, basis.

Several of the vendors offer different suite packages to address different customer needs. Proofpoint offers three options, each of which is priced differently. McAfee noted pricing can be obtained upon request.

One vendor noted its price was not affected by data volume. Presumably, some vendors factor data volume into pricing.

Vendors might also charge differently for on-premises deployment or dedicated services rather than shared SaaS implementations, so it's important to verify the details of a CASB deployment cost. A cloud multi-tenant service should cost less than a dedicated virtual appliance.

API-supported cloud applications

Some vendors list about half a dozen applications they support, while McAfee lists more than two dozen. What matters is whether the product supports a potential customer's applications.

All six vendors below support the most well-known and common cloud applications, which include Dropbox, Salesforce, Microsoft Office 365 and the three major cloud providers -- AWS, Microsoft Azure and Google Cloud Platform (GCP). Some vendors support products like Jive, Slack and Egnyte, so it's important to ask potential vendors about them when considering a purchase.

Weighing app support by just comparing the number of applications a vendor supports can be misleading. Some vendors count Office 365 and its major components, like Outlook, SharePoint and OneDrive, as a single app, while other vendors count each one separately.

If a particular CASB is to have API support for an application important to the organization, customers or potential customers can ask the provider to add it. One vendor said it takes about a month to work up an API. A big enough customer might be able to get it done. The CASB vendor can then also use the new app support for other customers, which could make it a win-win.

DLP options

As noted earlier, some vendors have reduced functionality when dealing with unmanaged devices using the reverse proxy approach. For any essential DLP and data security features, potential customers should ask the vendor whether the capability is available only to managed, agent-based devices or to unmanaged devices as well.

Customers should consider whether a CASB has a native DLP product or is bringing a partner into the equation. Symantec noted its CASB integrates into the existing Symantec DLP product. That simplifies administration and management for existing Symantec DLP customers to go with Symantec's CASB.

DLP setup can be complex and time-consuming. A misconfigured DLP might not catch the data it is supposed to prevent from leaving your organization. Proofpoint comes with 80 predefined security policies and can scan 300 file types, for example. Bitglass has predefined policies and can import DLP policy from several leading DLP vendors.

Once your DLP catches data that violates guidelines, it's imperative to know what actions the product can take. Bitglass provided the most detail, noting its system can watermark, quarantine, redact, encrypt, notify and block data. Several options are available for dealing with violations. Vendors should outline the specific actions their product can take to detect suspicious data.

Endpoint security options

Management is simpler if IT can combine agents on the client and integrate endpoint security and CASB agents. Companies like McAfee and Symantec provide endpoint security options that can integrate with their CASBs. Before buying, customers should make sure integration is at the management level or extends to have a single agent footprint that can handle both functions.

Most of the other vendors profiled reference third-party endpoint security partners. Here, too, potential customers should determine if this is just a referral to another vendor or if the CASB offers management or agent integration.

CASBs all set out to do the same job, but they do it in different ways. Unlike LAN switches or Wi-Fi, where the core features are defined by standards committees, CASBs are the Wild West of technology. Providers have no constraints on how they architect their platforms, no requirements for features they need to include and no required list of applications they need to support. Yet, they are essential elements of corporate cloud security. So, potential customers should be sure to set aside sufficient time to drill down to find relevant differences before choosing a product.

Vendor and product profiles


Product name: Bitglass Cloud Access Security Broker
Release date: January 2014
Target customer segments: Special focus on heavily regulated industries, like financial services and healthcare.
Licensing/pricing: Based on number of users and applications it secures (no dollar amounts available).
Deployment model: Primarily cloud. Hosted on AWS. Optional on-premises model.
Use cases: Unavailable
API-supported applications: AnyApp, Office 365, Salesforce, AWS, Azure, GCP.
DLP options: Yes. Extends to any device, including personal phones. Real-time DLP, remediation actions include watermark, quarantine, redaction and removal.
Endpoint security: Unknown


Product name: CipherCloud CASB+ Platform
Release date: Unknown
Target customer segments: Large enterprises and service providers. Special focus on banks, government and healthcare.
Licensing/pricing: Unknown
Deployment model: Cloud-based
Use cases: Visibility, data protection, threat protection and compliance.
API-supported applications: AWS, Office 365, Azure, Adobe Analytics, Google G Suite, GCP, ServiceNow, Salesforce, SAP, Slack, Dropbox and AnyApp.
DLP options: Yes, also integrates with third-party platforms, like Symantec.
Endpoint security: Antivirus and antimalware (implementation method unknown).


Product name: McAfee MVISION Cloud
Release date: 2013
Target customer segments: Enterprise (customers with 1,000+ employees)
Licensing/pricing: Available upon request.
Deployment model: SaaS (cloud) or virtual appliance (on premises) by request.
Use cases: Visibility, data protection, threat protection and compliance.
API-supported applications: Office 365 and Teams, Box, Salesforce, Slack, ServiceNow, AWS, Azure, GCP, Aprimo, Atlassian Jira, Cisco Spark, Clarizen, Confluence, Ctera, Dropbox, Egnyte, GitHub, Intralinks, Jive, Okta, OneLogin, SAP Concur, ShareFile, Smartsheet, Trello, Webex Teams, Workplace by Facebook and Zendesk.
DLP options: Yes
Endpoint security: Yes, broad portfolio of threat detection and DLP for endpoints is available.


Product name: Netskope Security Cloud Platform
Release date: Unknown
Target customer segments: Enterprise and SMBs. Special focus on financial, government and tech industries.
Licensing/pricing: Per user, per year.
Deployment model: Cloud-based, virtual or on premises.
Use cases: Visibility, data protection, threat protection and compliance.
API-supported applications: AWS S3, Box, Cisco, Webex Teams, Dropbox, Egnyte, GitHub, Google Drive, Gmail, G Suite and G Suite Business, Jive, Azure Blob Storage, Microsoft OneDrive and OneDrive for Business, Office 365, Outlook, SharePoint, Salesforce, ServiceNow, ServiceNow Unstructured Data, ServiceNow Chatter, Slack (Standard and Plus), Slack Enterprise Grid and Workplace by Facebook.
DLP options: Yes
Endpoint security: Via third parties, including CrowdStrike, Carbon Black, Cylance and SentinelOne.


Product name: Proofpoint Cloud App Security Broker (CASB)
Release date: 2018
Target customer segments: Small to large enterprises.
Licensing/pricing: Per user, per annum.
Deployment model: Cloud-hosted
Use cases: Threat protection, data security and compliance, cloud and third-party applications governance.
API-supported applications: Microsoft Office 365 and Teams, Google G Suite, Salesforce, Box, Dropbox, Slack, AWS and Okta.
DLP options: Yes, built-in classifiers. Scan 300 files types out of box.
Endpoint security: Yes, web isolation and zero-trust networks.


Product name: CloudSOC Cloud Access Security Broker
Release date: 2014
Target customer segments: Large enterprises, partners, security integrators, hosted full-service providers, finance, insurance, healthcare or any other highly regulated industry.
Licensing/pricing: Per user, per annum.
Deployment model: Cloud-hosted
Use cases: Visibility, data security, threat protection.
API-supported applications: AWS, Box, Cisco Webex Teams, DocuSign, Dropbox, GitHub, G Suite, Jive, Azure, Office 365, Salesforce, ServiceNow, Workday, Workplace by Facebook and Yammer.
DLP options: Offers stand-alone CloudSOC DLP or Symantec DLP Cloud for a single, centralized DLP platform for the entire enterprise, covering data in the cloud, on premises and everywhere enterprise data is located.
Endpoint security: Yes, Symantec Endpoint Protection.

Editor's note

Using extensive research into CASBs, TechTarget editors focused on vendors featured in the 2018 Gartner Magic Quadrant as "Leaders" and as "Visionaries." A common basis is required to make any comparison. The author researched these six products and built basic product profiles. Unfortunately, some of the vendor websites provided scarce technical information about their products. To ensure accuracy and completion, we shared the profile with the vendors. Five of the six vendors provided detailed information and/or reviewed our existing product information. Only CipherCloud chose not to participate (by not responding to our inquiry).

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

What are the main advantages of accessing cloud services and applications via a CASB?