MY TAKE: How ‘CASBs’ are evolving to close the security gaps arising from digital transformation

By Byron V. Acohido

The Cloud Access Security Broker (CASB) space is maturing to keep pace with digital transformation.

Related: CASBs needed now, more than ever

Caz-bees first took shape as a cottage industry circa 2013 to 2014 in response to a cry for help from companies reeling from new Shadow IT exposures: the risk created by early-adopter employees, quite often the CEO, insisting on using the latest smartphone and Software-as-a-Services tools, without any shred of security vetting.

A wave of acquisitions absorbed a half-dozen early CASB startups. One company still actively innovating as an independent CASB is San Jose, CA-based security vendor CipherCloud. I had the chance to visit with CipherCloud CTO Sundaram Lakshmanan at RSA 2019.

We discussed how the basic notion of flowing all data coming into a company’s network — from whatever device or web app — through a cloud gateway for security scanning has become elemental. For a full drill down, give the accompanying podcast a listen. Here are the key takeaways:

Shifting role

As with almost any security solution, the bottom line for CASBs is all about protecting the data — without detracting from users’ experience, and thus eroding productivity.  This is especially important within the cloud. CASBs began by closing glaring security gaps created by the rapid  adoption of mobile devices and cloud tools. Quite naturally, that role is now shifting and expanding.

Now that CASBs have been around for half a decade, companies are figuring out how to utilize them to reinforce specific silos within their IT and security teams. More enterprises are rethinking their internal processes, seeking a more centralized, convenient approach to securing web apps, Lakshmanan told me.

“At the end of the day, it is about business productivity and helping users get their job done,” he said. Enterprises are starting to understand that as they pursue velocity and scale, they also need to ensure a sufficient level of security.


Employers and employees like using the cloud, Lakshmanan pointed out, because it completely changes the paradigm of the user’s productivity. Everything they need is there. The security challenge, however, is now much more pronounced.

In the past, for example, companies could get away with using a default password, and depend on firewalls and other internal security tools to provide protection. That’s all out the window with the cloud—no wonder clouds are an increasingly favored attack target.

CASBs offer a security solution that covers the whole cloud and SaaS applications. “What it offers is a suite of enterprise controls to the SaaS and cloud applications, like deep monitoring, behavioral analytics, finding anomalous behaviors, checking for data leaks,” said Lakshmanan.

Deepening services

The cloud presents a dual risk. It creates many more possible ways to get at a company’s systems and data. What’s more threat actors have begun using cloud tools to leverage their malicious activities.

A lot of companies are worried about employees when they leave and the sensitive information that remains on their device, for example. These soon-to-be-former employees download a lot of intellectual property and contact information. Organizations need to protect the digital rights of this data, Lakshmanan observed.

A new use case of CASBs that’s emerging is the capacity to apply digital rights management on sensitive data. It can provide encryption and other protections on data so an employee has access when it is needed, or the access can be easily revoked.

CASBs can now provide protection of access to the data — and to applications – thus providing  protection from threats coming from the clouds, and protection of data on individual devices.

Zero-trust philosophy

While the concept of zero trust is relatively new, it fits very well with CASBs’ approach to security. Zero trust, as defined by CSO, is “a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”

At the heart of zero trust is identity, said Lakshmanan. Prove to me who you are before you access anything. Wide reliance on SaaS tools and services has made that proof of identity more important than ever. Because organizations don’t own or control the infrastructure, trust levels are very low, and maintaining an adequate level of security is made much more difficult, he said.

It is clear to me that, going forward, the policies and practices ushered in by CASBs are destined to become widely engrained. Embracing zero-trust, implementing flexible policies – practices made smarter over time, with the help of machine learning – must run deeper in order for digital commerce to become as private and secure as it needs to be. It will be interesting to watch which direction CASBs take things. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone