Zscaler is a Leader and highest in “Ability to Execute” in the 2022 Gartner Magic Quadrant for Security Service Edge.
With increased cloud adoption, CASBs have become attractive to enterprise security for their various cybersecurity, access control, and data protection functions. They give you back control over corporate data, in motion or at rest, in cloud platforms and apps. Today, CASBs are critical because:
An effective CASB solution is constructed with four core features in mind:
Remote work and BYOD are creating a greater need for organizations to know what’s happening in their cloud environments. Unmanaged devices abound, and without proper visibility into your deployments, you run the risk of allowing unwanted access. A CASB discovers your organization’s cloud app usage, creates reports on cloud spend, and performs risk assessments to let you decide whether an app should be blocked.
Cloud computing services require that an inordinate amount of compliance regulations be met in order to operate at an organizational level. This is particularly true in the public sector as well as the financial services and healthcare industries. With a CASB, you can identify the greatest risk factors in your industry and set stringent data protection policies to achieve and maintain compliance across your organization.
Every two years, the volume of the world’s data doubles in size. This exponential increase in data has seen bad actors become craftier than ever before. Combining a CASB with cloud DLP lets you not only see potential data risks but stop them, too. What’s more, you have visibility into sensitive content traveling to or from the cloud or between clouds, giving you the best chance to identify incidents, apply appropriate policy, and, above all, keep data secure.
Cloud threats and malware are rampant in today’s IT ecosystem, and in most cases, cloud resources are the most vulnerable. A CASB gives you the power of behavior analytics and threat intelligence to turbocharge your cloud security. With these advanced capabilities, you can quickly identify and remediate suspicious activity, keep cloud applications and data secure, and bolster your organization’s overall cloud security posture.
Tom Henderson, Computerworld
CASB solutions can take the form of on-premises hardware or software, but they’re best delivered as a cloud service for greater scalability, lower costs, and easier management. Whatever the form factor, CASBs can be set up to use proxying (forward proxy or reverse proxy), APIs, or both (which is called “multimode”—more on that a bit later).
CASBs need to operate in the data path, so the ideal CASB is founded on a cloud proxy architecture. Forward proxies are more commonly used with CASB, ensuring users’ privacy and security from the client side. Reverse proxies, on the other hand, sit with internet servers and are prone to performance degradation and request errors.
A forward proxy intercepts requests for cloud services en route to their destination. Then, based on your policy, the CASB enforces functions like credential mapping and single sign-on (SSO) authentication, device posture profiling, logging, alerting, malware detection, encryption, and tokenization.
While an inline proxy intercepts data in motion, you need out-of-band security for data at rest in the cloud, which CASB vendors provide through integrations with cloud service providers’ application programming interfaces (APIs).
Gartner first defined CASB in 2012, and organizations used it primarily to control shadow IT. CASBs have evolved since then, moving beyond just securing SaaS apps, to become broadly applicable across platform- (PaaS) and infrastructure-as-as-service (IaaS) delivery models in a variety of new use cases.
Over time, CASB benefits and capabilities began overlapping more with secure web gateway (SWG) capabilities. That’s partly why Gartner defined a new term in 2019: secure access service edge (SASE), a framework of cloud-delivered services that provide “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”
In 2021, Gartner distilled this further, identifying the security-centric slice of SASE as the security service edge (SSE). This reflects growing efforts worldwide to streamline complex, disjointed security stacks, with Gartner predicting that 30% of enterprises will have adopted SWG, CASB, ZTNA, and firewall as a service (FWaaS) capabilities from the same vendor by 2024.
In proxy mode, CASBs provide inline policy enforcement that stops leakage and malware in real time. They can also integrate with APIs to scan SaaS apps’ contents, enabling them to find and respond to sensitive data patterns as well as threats such as ransomware. More recently, API integrations have been used for SaaS security posture management (SSPM), by which CASBs remediate misconfigurations in applications.
CASBs that offer both proxy and API-based modes are called multimode CASBs. Beyond securing SaaS, they can protect IaaS such as Microsoft Azure and AWS S3. And rather than deploying a CASB as another point product, you can deploy it as part of an SSE platform to ensure consistent security, enhanced performance, and consolidated administration.
When your users store and share corporate files and data in unsanctioned cloud apps, your data security suffers. To counteract this, you need to understand and secure cloud usage in your organization.
Zscaler CASB automatically discovers shadow IT, revealing the risky apps visited by users. Automated, easily configurable policies then enforce various actions (e.g., allow or block, prevent upload, restrict usage) on individual apps and app categories.
Users may simultaneously use both sanctioned and unsanctioned instances of apps like Google Drive. Responding with a one-size-fits-all approach—either allowing or blocking the app entirely—can encourage inappropriate sharing or hamper productivity, respectively.
Zscaler CASB can distinguish between your sanctioned SaaS tenants and unsanctioned instances belonging to external parties, applying appropriate policy enforcement to each. Preconfigured SaaS tenancy controls deliver automated, real-time remediation.
Cloud apps enable unprecedented sharing and collaboration. As a result, your security teams need to know who’s sharing what in sanctioned apps, lest you risk letting dangerous parties get hold of your data.
Collaboration management is a key capability of any leading CASB. Zscaler CASB quickly and repeatedly crawls files in your SaaS tenants to identify sensitive data, check the users with whom files are shared, and automatically respond to risky shares as needed.
When deploying and managing a cloud application, precise configuration is key to ensure the app functions properly and securely. Misconfigurations harm your security hygiene and can easily expose sensitive data.
Zscaler SSPM integrates with your SaaS tenants via API to scan for misconfigurations that could jeopardize regulatory compliance. It’s one component of Zscaler Workload Posture alongside CSPM and CIEM.
In addition to cloud resource misconfigurations that could enable data breaches and leaks, you need to identify and control sensitive data patterns in the cloud. A vast amount of such data is regulated under frameworks like HIPAA, PCI DSS, GDPR, and many others.
The Zero Trust Exchange, our cloud native security platform, provides unified data protection with cloud DLP and CASB capabilities. It ensures cloud apps are properly configured to stop data loss and noncompliance, backed up with advanced data classification techniques like exact data match (EDM) and indexed document matching (IDM) to identify and secure sensitive data wherever it goes.
Once an infected file gets past your organization’s security into one of your sanctioned cloud apps, it can quickly spread to connected apps and other users’ devices. That’s why you need a way to defend against threats in real time both at upload and at rest.
Zscaler CASB thwarts malware’s advances with advanced threat protection (ATP) capabilities, including:
Zscaler delivers multimode CASB as a service along with SWG, ZTNA, and more as part of our comprehensive Zscaler Zero Trust Exchange™ platform to help you eliminate point products, reduce IT complexity, and inspect traffic in a single pass. Your administrators simply configure one automated policy for consistent security across all cloud data channels.
High-performance forward proxy and SSL inspection provide critical real-time protection:
API-based scanning of SaaS apps, cloud platforms, and their contents automatically enhances your security:
Safeguarding Your Data in a Work-from-Anywhere WorldRead our ebook
The Benefits of Adopting Zscaler's Multimode CASBRead the blog post
Zscaler Data Protection
2022 Gartner Magic Quadrant for Security Service EdgeSee the Gartner report
Zscaler Security Service Edge InfographicTake a look
Security Transformation: Preventing Data ExposureVisit our page