Time flies quickly in the cloud era; yet, the security issues that arise from adoption of cloud services are slow to be addressed. Back in 2011, Stratecast noted the visibility and control gap that organizations would encounter in the use of cloud services. We also noted that a new visibility and control mechanism situated between cloud users and cloud services would be required. At that time, we coyly dubbed this new mechanism the “Cloud Security Bridge”: the bridge between users and cloud services with the primary goal of providing organizations with the security policy controls and visibility that they have grown accustomed to in private data centers, but applied to the cloud.2
Alas, the concept of the Cloud Security Bridge was premature. A primary reason was poor visibility. Back in 2011, published Application Program Interfaces (APIs) and Software Development Kits (SDKs) were not as prevalent as they are now. Without cloud services’ APIs and SDKs, visibility into the who, what, and when of users’ interactions with cloud services lacked fidelity. Consequently, the security policy controls needed to balance an organization’s risk management requirements with its desire and need to use cloud services were too coarse to be effective. Although poor visibility was a primary reason for failure, other risk management technologies were not up to the task either, because they were technically immature, not broadly accepted in the market, or too costly.
Fast forward to today, and a new category name for the Cloud Security Bridge has gained a foothold: the Cloud Access Security Broker (CASB). More importantly, many of the technical and usability shortcomings of “first generation” solutions have been mitigated. Additionally, cloud adoption is at a much higher level than years ago; and, with that, addressing the risks associated with cloud usage has risen in priority among IT and security organizations. Simply, IT and security organizations cannot afford to ignore the risk. Lastly, CASBs have a narrower solution focus. Rather than aim to have visibility and apply policy controls on users’ interactions across all types of “as a Service” cloud services (Software, Infrastructure, and Platform), most CASBs focus exclusively on Software as a Service (SaaS) or, as used in this SPIE, cloud apps.
By all accounts, this security category is growing in stature or, at minimum, is prepping for future growth. In the last two years, a significant number of start-ups have launched products; additional funding rounds have been completed (e.g., Netskope closed a $ million funding round this month); a subset of start-ups have been purchased (Imperva acquired Skyfence in 2014, Microsoft acquired Adallom earlier this year); and larger, established companies are active either through reseller agreements (e.g., Cisco in a reseller partnership with Elastica, Raytheon Websense partnering with Imperva Skyfence); or, more recently, in developing their own CASBs (e.g., IBM’s September launch of its organically-built Cloud Security Enforcer hosted in the IBM cloud).