freshidea - Fotolia

CASB market surging behind acquisitions, investments

Startups are dominating the suddenly-hot cloud access security broker market. Now larger vendors are eager to join the party, but will they buy a CASB or build their own cloud security gateway?

The cloud access security broker (CASB) market has been booming this year, and startups in the space say it will be difficult for larger traditional security vendors to catch up and establish their own CASB offerings.

The CASB market, which is dominated entirely by startups, has seen a number of high-profile partnerships, investments and acquisitions in recent months that have put CASBs, also known as cloud security gateway providers, at the forefront of the growing cloud security space. For example, during RSA Conference 2015 Hewlett-Packard and Cisco Systems formed reseller alliances with Adallom Inc. and Elastica Inc., respectively, to integrate their security products with the CASB's cloud security gateway technology. Adallom and Elastica each closed on $30 million in venture capital funding prior to RSA Conference (Hewlett-Packard Ventures participated in Adallom's funding round).

In addition, cybersecurity firm Imperva Inc., which acquired CASB startup Skyfence last year, formed a technology licensing and joint marketing partnership last month with Raytheon Websense that will embed the Skyfence cloud security gateway products into Raytheon Websense's Web security gateway line.

Also last month, multiple media outlets reported that Microsoft had acquired Adallom for $320 million. And most recently, Blue Coat Systems, Inc. announced an agreement to acquire Perspecsys, a CASB based in McLean, Virginia. Terms of that deal were not disclosed.

Pete Lindstrom, research director of security products at market research firm IDC in Framingham, Massachusetts, said cloud security gateways have become increasingly desirable for enterprises that have increased their cloud usage; the gateways act almost like VPNs or Web security gateways for SaaS and cloud services.

An IDC report last year co-authored by Lindstrom listed the top cloud security gateway vendors in the space, including SkyHigh Networks, CipherCloud, Netskope, Elastica, Imperva, and Adallom. The report also predicted that only one or two vendors will have stand-alone success while three or four other vendors will be acquired by "opportunistic larger players." The rest will falter without venture capital support. Lindstrom said he believes those predictions are coming to fruition this year.

I think you're going to see a lot of success and a lot of failure here because there's way too much VC money in this space for every company to succeed.
Michael Feypresident and COO of Blue Coat Systems, Inc.

"It's an exciting space," Lindstrom said. "[But] it's not a big market. There are only around a dozen players, and it's going to get very competitive because the barrier to entry is low."

Blue Coat Systems, Inc. president and COO Michael Fey said he expects interest in CASBs from traditional security vendors to increase very quickly.

"If you're a network security player," Fey said, "you're going to have to invest in this space one way or another."

CASB competition

CASBs say it will be difficult for larger vendors and traditional security players to develop their own cloud security gateway offerings without making some kind of acquisition.

"The very large security companies, if they're trying to build it themselves, are probably going to end up on the lower, checkbox end of the market," said Sanjay Beri, CEO of Netskope. "The reality is, they're probably not going to build it from scratch."

Willy Leichter, global director of cloud security at CipherCloud Inc., agreed and said there's a reason why the CASB space has been dominated by cloud security startups.

"There's a strong case to show that cloud gateways are different than network security products," he said. "I think that's probably why a lot of big vendors have been slow to get into this space and are making acquisitions."

Fey said getting into the cloud security gateway space made perfect sense for Blue Coat, given the company's strong presence in web security gateway market. Blue Coat, according to Fey, had two options for breaking into the CASB market: build its cloud security gateway offering or acquire a company that had the right intellectual property, patents, and hard-to-develop technology like Perspecsys.

Fey said Blue Coat took door number two because Perspecsys had patented technology in a key area for cloud security gateways.

"One of the areas where it was a challenge for us to build from the ground up was the tokenization and encryption component," Fey said. "That's what the Perspecsys buy was all about."

While spinning up some kind of cloud security gateway may not seem overly complex or difficult to do, CASBs say there's more to it that just developing basic policy controls for SaaS use and performing discovery for "shadow cloud" services that are being used by enterprise employees without approval of IT departments. Providing encryption for corporate data flowing from on-premise infrastructure to hundreds of different cloud apps and services -- without impacting performance or usability -- is just one piece of the puzzle, according to Leichter.

"Encryption is complicated, and it can be hard to do without breaking stuff," Leichter said. "You have to apply security evenly across the board to all these different cloud services, and that's not easy to do."

With more enterprises -- and enterprise employees -- ramping up their use of cloud apps and services, Beri said demand for cloud security gateways will only go up as hackers increasingly target cloud account credentials with phishing schemes and other attacks.

"Most cloud apps and services don't have basic security features like multifactor authentication," Beri said. "Customers are looking for more granular access control for the cloud. And the question for them is: how do you take thousands of these cloud apps and get that granular control?"

In the meantime, CASBs expect more venture capital funding to flow into the burgeoning market to capitalize on what Leichter called "a perfect storm" of cloud adoption growth and increased security concerns.

"It's become a bit hyper as a lot of investors are putting money into this space -- maybe too much money," he said.

Fey agreed, saying the CASB market will eventually experience a shake out at some point down the road.

"We're still in the early stages of this market," he said. "I think you're going to see a lot of success and a lot of failure here because there's way too much VC money in this space for every company to succeed."

Next Steps

Find out why account credentials emerge as a weak spot for cloud app security

Dig Deeper on Cloud Computing Software as a Service (SaaS) Security