7 Best Cloud Access Security Brokers (CASB)

Today’s network infrastructure has become very fluid, now extending to the cloud with SaaS, IaaS, PaaS, and even more cloud applications. Whether sanctioned or unsanctioned by IT, are all added to the mix. In addition, an increasing number of dispersed devices and users fall under categories such as user-managed devices (BYOD), IoT, shadow IT, and remote workers. The traditional approach to security makes less sense in such highly diverse and distributed environments.

The ability to monitor and govern the usage of cloud applications has become essential to the goal of enterprise security. Rather than outrightly banning cloud services and potentially impacting employee productivity, organizations must adopt a new approach to overcome this deficiency and protect the modern infrastructure. The Cloud Access Security Broker (CASB) is an emerging security technology that specifically addresses the challenges that come with the cloud.

Here is our list of the seven best Cloud Access Security Brokers (CASB):

1. Skyhigh Cloud Access Security Broker (EDITOR’S CHOICE) This CASB implements both user authentication and device security scanning to protect cloud data. This system doesn’t stop its security services once the user has been allowed access – it continues to monitor throughout a session. Access a  demo.
2. Netskope Leading CASB solution that enables organizations to quickly identify and manage the use of cloud applications, regardless of whether they are managed or unmanaged.
3. ManageEngine Log360 Cloud This cloud-based SIEM collects logs and activity reports from AWS cloud services and protected sites, enabling it to analyze threats.
4. Microsoft Defender for Cloud Apps CASB solution that operates on multiple clouds.
5. Proofpoint CASB Comes with risk-based SAML authentication, web isolation, and zero-trust remote access features to help prevent cloud threats.
6. Symantec CloudSOC Multi-mode CASB with solid visibility, data security, and threat protection capabilities to mitigate malicious content in cloud apps, shadow IT, and compliance risks.
7. Lookout Secure Cloud Access Cloud-native CASB platform that provides integrated cloud security, data protection.

What is a Cloud Access Security Broker (CASB)?

According to Gartner, “cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed”. In a nutshell, a CASB is a cloud-hosted software or on-premises software or hardware that acts as an intermediary between users and cloud service providers.

The idea behind CASB is to allow businesses to safely use the cloud while protecting sensitive corporate data. It provides visibility and control over data and threats in the cloud. This is achieved by using auto-discovery to compile a list of all third-cloud applications, including the risk level associated with each application and those using them. It then uses the insights for policy setting and enforcement. With CASB, an organization can hope to achieve visibility, compliance, data security, and threat detection across their cloud services.  A CASB solution can be deployed either on-premises or in the cloud using either API-Control, Reverse Proxy, or Forward Proxy modes.

Choosing the Right CASB Solution for Your Business

The CASB market is rapidly evolving with new use cases and functionality to address the increasingly complex requirements of cloud security.  With a variety of CASB solutions, choosing the right one for your business can be challenging. What fits perfectly from a price, feature, and functionality standpoint for one organization may not fit for another.

You need to identify your CASB use cases and look specifically for the solutions that best address your needs. You also need to find out if CASB integrates with other existing security applications in your network, such as your DLP, SIEM, firewalls, and others.

Other factors worth considering include:

• What deployment mode best suits your environment—API Control, Reverse Proxy, or Forward Proxy?
• Is the CASB solution capable of identifying and classifying sensitive and confidential data?
• How does the CASB solution discover cloud services and determine risk scores?
• What cloud services does the CASB monitor out-of-the-box?
• Is vendor support available in your region, and to what extent?
• How geographically diverse are the vendor’s edge locations worldwide?
• What is the total cost of ownership?

In this article, we’re going to review the seven best CASB solutions in the market. Hopefully, this will guide you in the process of choosing the right one for your business.

The Best Cloud Access Security Brokers (CASB)

1. Skyhigh Cloud Access Security Broker (EDITOR’S CHOICE)

Skyhigh Cloud Access Security Broker is a recent relabelling of McAfee MVISION Cloud. While still under the McAfee brand, this tool was named was named a leader in the 2020 Gartner Magic Quadrant for CASB. This platform provides real-time analytics and AI-enabled threat intelligence capabilities, including alerts about user behavior. The product is best suited for large organizations such as financial, healthcare, and government agencies, and others with heavy cloud usage.

Key Features:

• Proxy Service: This is a filter that guards access to cloud-based services by your users
• Reverse Proxy: Examines all traffic coming out of your cloud accounts, looking for sensitive data movements
• Security Service Edge: Part of a wider hybrid system cloud security platform
• Also Provides CSPM: Includes preventative scanning for misconfigurations
• Shadow IT Detection: Lists the cloud systems that your users are accessing

Why do we recommend it?

Skyhigh Cloud Access Security Broker is part of a wider cloud-based virtual network security package. The CASB doesn’t limit itself to controlling access to SaaS systems, it also scans SaaS packages for misconfigurations, which is a cloud security posture management function. The tool is able to detect the unauthorized cloud services that your users access.

The Skyhigh approach allows for practically any deployment model you might desire, whether entirely cloud-based, on-premises, or some hybrid format. In addition, Skyhigh CASB is agent-based and can be deployed via API, forward, or reverse proxy methods.

Who is it recommended for?

This CASB is best approached as part of the Skyhigh Security Service Edge framework. This protects both on-premises and cloud-based systems. There is a lot of crossover between on-premises systems and cloud services because the permission to access SaaS packages relies on device security, which the framework also provides.

2. Netskope CASB

Netskope is a leading CASB solution that enables organizations to quickly identify and manage the use of cloud applications, regardless of whether they are managed or unmanaged. Netskope has been recognized as a leader in the 2020 Gartner Magic Quadrant for CASB; and a 2021 Gartner Peer Insights Customers’ Choice for CASB.

Key Features:

• Cloud Confidence Index: Scans traffic to discover cloud app usage and gives each a risk score
• Data Loss Prevention: A forward and reverse proxy that scans traffic to and out of your cloud apps for sensitive data
• Cloud XD: Imposes security controls
• Threat Intelligence: Scans user activities for anomalous behavior that could identify insider threats and account takeovers

Why do we recommend it?

Netskope CASB is a similar tool to the Skyhigh product because it is part of a Secure Service Edge platform. This is a cloud-hosted service that forms part of a proxy service. As with Skyhigh, the protection and constant scanning of endpoints provide the device assurance needed to keep cloud services malware free.

Netskope Security Cloud prevents sensitive data from being exfiltrated and eliminates blind spots by targeting and controlling activities across thousands of cloud (SaaS and IaaS) services. The data-centric approach adopted by Netskope Security Cloud allows it to deliver visibility and real-time data, and threat protection whenever a device connects to the cloud.

Netskope supports multimode deployment options from an API-only deployment mode to several real-time options, including an endpoint software to protect roaming users. In addition, it can be deployed 100% in the cloud, on-premises, or a hybrid form.

Who is it recommended for?

This platform competes directly with Skyhigh and provides almost exactly the same services. While Skyhigh publishes its plan structure, Netscope doesn’t. The platform will protect on-premises systems as well as cloud services. It includes a secure web gateway, a cloud firewall, and data loss prevention. Select each of the units that you need and they will run together on the same platform.

3. ManageEngine Log360 Cloud

ManageEngine Log360 Cloud is a cloud-based SIEM. The service collects logs from all on-site assets and also from AWS services. The tool can also be set up manually to receive logs from any source, so it could receive logs from other cloud systems. The package converts incoming into a common format and performs security searches. It looks for indicators of compromise to spot intruders and deploys user behavior analytics to identify insider threats.

Key Features:

• Tracks Cloud Application Usage: Discovers shadow IT
• Regulates Access to Sensitive Data: Watches data moving out as well as users going in
• Tracks User Activity: Spots insider threats and account takeovers

Why do we recommend it?

ManageEngine Log360 Cloud is a cloud-based SIEM that monitors activities on premises and on the cloud. The package includes a log manager that collects and sorts log messages. The system operates a CASB service for cloud SaaS applications. The tool is also able to raise alerts and initiate automated responses when threats are detected.

One function of this package is its Shadow IT Detection service. This extracts internet connection data from firewalls and browsers. It looks for web services and cloud platforms that the users connect to. These prevent a risk of data loss. The console of the tool presents a list of these sites and platforms. The administrator has the option to generate firewall rules to block the users from accessing those unexpected sites. There will be new sites added to the list all the time, so the administrator will have to check that screen regularly and take action.

Who is it recommended for?

This package is particularly useful for companies that operate both on-premises systems and use cloud-based SaaS systems. ManageEngine provides a Free edition with limited capacity and there are four paid plans as well, including one for managed security service providers. The platform has a wide audience.

ManageEngine offers the Log360 Cloud SaaS platform in four plans. The big difference between them is the amount of cloud storage for logs that is included and also the data retention period.  The first of these plans is the Free edition, which will interest small businesses. That plan provides 50 GB of storage and a 15-day retention period. You can try out the full package with a 30-day free trial.

4. Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a CASB solution that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across your Microsoft and third-party cloud services. It was named a leader in the 2020 Gartner Magic Quadrant for CASB.

Key Features:

• Discovers and Controls Cloud App Usage: Identifies unauthorized system usage as well as approved usage
• Protect Your Sensitive Data in the Cloud: Discovers, classifies, and protects the exposure of sensitive data
• Protects Against Cyber Threats and Anomalies: Detects unusual behavior

Why do we recommend it?

Microsoft Defender for Cloud Apps is a CASB service from Microsoft that will protect SaaS applications whilst also identifying the usage of unauthorized cloud-based apps by your staff. This package also protects sensitive data by tracking movements and limiting the connections of external apps to your data accessing and storing services.

The tool supports various deployment modes, including log collection, API connectors, and reverse proxy. In addition, this system natively integrates with leading Microsoft solutions and is designed with security professionals in mind.

Who is it recommended for?

Businesses that use cloud-based Microsoft SaaS services are going to be drawn to this package, particularly those that operate an all-Microsoft software policy. However, the tool isn’t limited to monitoring Microsoft systems, so it can be used with any SaaS service. The tool’s operating methods include log collection.

Microsoft Defender for Cloud Apps is a user-based subscription service, and a license is based on per user, per month model. It can be licensed as a standalone product or as part of several different licensing plans. The licensing cost varies by program, region, and agreement type. A free trial is available to enable you to test run before purchase.

5. Proofpoint CASB

Proofpoint CASB comes with risk-based SAML authentication, web isolation, and zero-trust remote access features to help prevent cloud threats. It also integrates with cloud-service APIs, hybrid identity management tools, and other security products (including Proofpoint Threat Response) to detect and contain threats.

Key Features:

• People-Centric Visibility: Tracks user activity and compiles tables of SaaS access activity for analysis
• Gain Insight into Cloud Usage: Identifies the use of unauthorized apps
• Proven Advanced Threat Protection: Combines user-specific risk indicators with cross-channel threat intelligence to detect anomalies in cloud apps.

Why do we recommend it?

Proofpoint CASB is provided by a highly respected cybersecurity brand. The company provides system-wide data loss prevention tools and the CASB slots into that framework. So, if you have a hybrid system, you will probably have to sign up for several Proofpoint products. The DLP in the CASB relies on data discovery and classification that is provided by another Proofpoint tool.

Proofpoint CASB combines machine learning-driven threat intelligence with user-specific risk indicators to analyze user behavior and detect anomalies across cloud apps and when a cloud account is compromised.

Who is it recommended for?

The Proofpoint system is strong at protecting Microsoft 365, Google Workspace, and Okta accounts from brute-force password guessing or disclosed credentials. The system is designed for large organizations and Proofpoint doesn’t publish its plans or price lists. The CASB will probably be part of a package of tools bought as part of the Proofpoint security framework.

A free 30-day trial is available to enable you to test run before purchase.

6. Symantec CloudSOC

The Symantec CloudSOC is a multimode CASB with solid visibility, data security, and threat protection capabilities to mitigate malicious content in cloud apps, shadow IT, and compliance risks. CloudSOC is ideal for medium to large enterprises using other Symantec cloud products and organizations with heavy cloud use.

Key Features:

• Traces SaaS App Usage: Lists all of the cloud platforms that users access
• Unauthorized Usage Tagging: Administrators identify which apps are unauthorized
• Blocks Access: Prevents users from accessing shadow IT

Why do we recommend it?

Symantec CloudSOC is a Broadcom product since that company took over the Symantec brand. However, the tool is still the same award-winning cloud protection system and retains its original name. This tool includes web and email security and can form part of a wider SASE cybersecurity package.

CloudSOC integrates seamlessly with other Symantec enterprise security products to provide enhanced security functionality in the cloud. Symantec claims to have the most robust cloud DLP solution due to its data science-driven ContentIQ DLP technology. It also comes with an intelligent UEBA and machine learning capabilities一allowing adaptive policy actions. Additionally, cloud SOA taps into the Symantec Global Intelligence Network (GIN) and benefits from threat data gathered across endpoint, email, and web traffic from the entire Symantec customer base.

Who is it recommended for?

Like the Proofpoint system, the Symantec CloudSOC is a range of cybersecurity products and the CASB is one of them. The package is most likely going to be subscribed to as part of a larger purchase – as the name of the platform explains, this is a service for a security operations center.

CloudSOC is subscription-based and can be purchased through Broadcom authorized distributors and partners in your region.

7. Lookout Secure Cloud Access (formerly CipherCloud)

Lookout Secure Cloud Access is a cloud-based suite of system security tools and it includes a CASB service. The CASB is focused on tracking the cloud apps used from within a protected business, identifying those systems that employees use that aren’t officially authorized. The package also performs extensive data loss prevention checks that extend to the continuous scanning of email and chat systems.

Key Features:

• Identifiers the Cloud Landscape: Examines traffic to discover all of the cloud apps used from a specific use group
• Rogue App Classification: Lists all apps for approval, enabling rogue apps to be highlighted
• Tracks Anomalous Activity: Spots both malware and unusual human activity

Why do we recommend it?

Lookout Secure Cloud Access is a typical CASB as it tracks user access to cloud SaaS packages, enabling the discovery of shadow IT, and it also performs security protection against both automated and manual malicious activity. The package includes data loss prevention measures that include email and chat app scanning.

The service can distinguish between corporate and personal accounts of the same SaaS package. For example, a business that uses Microsoft 365 for its productivity can expect that many of its employees also have personal accounts for home use with that platform. Malicious insiders could use the similarity in accounts to shift data from the corporate account into that private instance. Other anomalous behavior is tracked by Lookout and will be automatically blocked.

Who is it recommended for?

While other CASBs on this list form part of a wider platform of system cybersecurity services, this package focuses on cloud data security. So, the Lookout service will be of interest to companies that hold sensitive data exclusively on cloud systems. It would be an appropriate choice for distributed businesses that operate virtual offices.