Comparing the Top 10 Leading CASB Vendors and Providers

The cloud access security broker (CASB) has a long history as the main SaaS security solution. In the early days, the growth of cloud computing meant that data was no longer on premises on a secure piece of hardware but rather in the cloud on hardware managed by somebody else. CASBs provided the visibility and control of data and access required to protect enterprise data and monitor activity for compliance.

The world has changed drastically since the introduction of CASBs. Over the years, SaaS applications have become prolific, and now every employee in a company is using some sort of SaaS to do their job. There are now tens of thousands of SaaS applications available with more coming online nearly every day, and business-led IT, which some people refer to as shadow IT, is starting to gain traction as a legitimate IT strategy. CASBs have evolved with the market, but their primary discovery method is to use network data, which means they do have some blind spots or limitations.

Four Examples of CASB Blind Spots or Limitations

· Business-led SaaS using local app credentials: CASBs can show you that employees have visited a site, but they can’t trigger alerts based on account creation.  You’ll get a high volume of alerts that an analyst will have to triage to determine whether account creation has occurred.

· SaaS access using unmanaged devices: Unless the SaaS app is governed by SSO or an IdP, you don’t have visibility and are unable to secure business-led SaaS on unmanaged devices.  

· Zero-day SaaS visibility and control: There are so many new SaaS apps coming online every day, and CASBs can’t detect them until the apps are in the CASB’s SaaS library.

· Single sign-on (SSO) prioritization: SaaS risk really starts with account creation, and SSO prioritization based on user account creation that factors in user knowledge of security or risk policies, growth in user accounts, or use of local application credentials is not easily possible with CASBs.

Despite the limitations, CASBs are currently the product of choice, and there is a robust set of vendors to serve the market. However, alternative products such as SaaS Security Control Plane (SSCP) solutions are coming to the market and redefining the SaaS security market, saving time and money and improving security outcomes. Grip’s SSCP solution addresses the CASB blind spots listed above and helps security teams by reducing their workload through automation. Contact us for a demo and a free shadow SaaS assessment.

How a SaaS Security Control Plane Addresses CASB Blind Spots and Limitations

As CASBs have become more complex, companies are finding the time to value has extended to months. Today, a simple objective of discovering, monitoring, and securing shadow SaaS cannot be achieved without transforming your network and considering additional products like secure web gateways (or proxies) and zero trust network access. As a result, alternatives to CASBs are becoming more popular because they can address the CASB blind spots and deliver value more quickly.

·  Discover all accounts even when local app credentials are used

·  Secure SaaS access on unmanaged devices

·  Detect and secure zero-day SaaS with no integration required

·  Assess SaaS risk based on business factors with verified account creation and usage

What is the Best CASB?

With the multitude of CASB vendors, there is a lot of noise, and it is not easy to evaluate the best CASB on the market. One possible input into the evaluation of a CASB purchase is product review sites. The results from evaluating the data in the three leading software review sites show that the data from these sites does not help differentiate the leading products.

Some issues encountered were:

·  Product category definitions were inconsistent. Gartner, for example, does not have a CASB category but rather puts everything under a Secure Service Edge category. This is their view of the market.

·  Product names are inconsistent. None of the sites seem to reflect the latest company or product names. McAfee, for example, has rebranded their enterprise security business to Trellix. However, in many cases, the McAfee products are listed.

·  The number of reviews varies widely. The value of any review site is the number of reviews it has collected. In some cases, products only had one or a few reviews, which makes the actual rating unusable.

With all these shortcomings, some people do find this data interesting.  Below is a summary of the top ten CASB vendors with their ratings from three leading IT or software review sites. As the table shows, the larger, more well-known companies are rated pretty closely, which makes sense given that CASB is a mature market and there has not been significant innovation in that category in many years.  

Top 10 CASB Comparison

Note: Data as of July 25, 2022

Ratings sites

Each rating site has its own approach with services that cater to buyers, sellers, or both.  Below is a summary of the rating sites used for the data in this write up.

Gartner Peer Insights

Gartner’s peer-driven ratings and reviews site for enterprise IT solutions. Data is used by analysts to evaluate products and factored into their key reports such as Magic Quadrants. Product categories align with Gartner’s market view.

G2

Positions itself as the world’s largest and most trusted tech marketplace for people to discover, review, and manage the software they need.  The site is for buyers and sellers and provides lead generation services for people interested in a company’s products.

TrustRadius

Describes itself as a trusted research and review platform for business leaders to find and select the right software. The site serves buyers and sellers and provides demand generation services for sellers.

*** This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: https://www.grip.security/blog/blog-comparing-the-top-10-leading-casbs