This week I spoke to David Canellos, the former President and CEO of Perspecsys, the cloud access security broker which was acquired by Blue Coat in July. David is now a senior vice president in Blue Coat’s Advanced Technology Group. The views expressed in this article are David’s and not necessarily those of Blue Coat. Thanks for reading!
It seems like there are CASBs sprouting up all over the place nowadays. What are the key differentiating features between providers? Is it possible to divide the CASB space into sub-sectors?
There are several aspects to CASB. From my perspective, it’s about the following:
1. Cloud visibility and intelligence:
- Discover unsanctioned cloud access by an enterprise’s users. With the proliferation of network accessible devices, the ability to interact with cloud services by individual users is frictionless. Capturing what the organization’s users are accessing, what data is being exchanged, and so on.
- Once the data is captured and logged, the capability to analyze cloud applications, data and users is paramount. This forms the foundation to allow the profiling of cloud risk and threats to the business. This is where behavioral analysis and machine learning come into play for risk assessment and identification of anomalous activities.
- Finally, the requirement to record cloud network traffic for forensic evidence. If a breach occurs, the CASB must have the data to respond to incidents and the system should provide intelligence on the what, why, how, when, where and who.
2. Cloud Access Security:
- Policy enforcement to restrict/control cloud access based on data collected. Organizations need controls to set how their users will interact with cloud services, and to determine what (sensitive) data may and may not be exchanged.
- Cloud application scanning to detect and remediate non-compliant behavior when the user is accessing the cloud service from out-of-band (i.e., off the corporate network).
- In order to secure the enterprise, the CASB must have the ability via comprehensive policy enforcement to layer in multiple security controls: Data Loss Prevention (DLP) on the sensitive data; malware & advanced threat prevention to minimize and avoid breaches; and the ability to analyze SSL encrypted traffic coming into the network to properly inspect content and execute policies.
3. Data Protection, Compliance and Residency:
- Tokenize or encrypt sensitive data in cloud applications. This is crucial throughout all three phases of the data lifecycle: data at rest, data in motion and data in use. The enterprise must have sole ownership and control of the encryption keys and token vault as opposed to outsourcing that security responsibility to a third party such as the cloud service providers.
- While implementing data security, a CASB must preserve crucial cloud functionality. The ability to search, sort on data, use email services, and run reports must be maintained, even when using encrypted or tokenized information. The usability of the cloud application should be seamless to the end users.
- With increasingly strict global and industry compliance requirements and data residency regulations, sensitive data (e.g., personally identifiable information, protective health information, cardholder data) often needs to remain physically located in the enterprise and cannot be sent to the cloud provider’s data centers in the clear.
Finally, to complete the CASB footprint, the product should have:
- Deeply integrated access to an enterprise-grade, proxy-based gateway that serves as the backbone to the cloud security services
- The ability to be delivered as either an on-premise set of technologies, cloud-based, or in a hybrid fashion.
If a CASB solution can provide the above, an enterprise has covered its cross-cloud needs (policy definition and enforcement; visibility and intelligence of cloud services) as well as deep cloud-specific data control and protection needs via API-based scanning as well as encryption and tokenization of sensitive data while preserving the functionality of the cloud application. That is the game changer.
Microsoft just bought Adallom for $320M. Previously, there hadn’t been much M&A in the CASB space. Is this where the floodgates open? (Note: I originally asked this question before Perspecsys was acquired).
There seems to be a consolidation occurring in the CASB space. In addition to the Adallom acquisition by Microsoft, visible CASB acquisitions include: the Elastica acquisition by Blue Coat in November 2015; the Perspecsys acquisition by Blue Coat in July 2015; the CirroSecure acquisition by Palo Alto Networks in May 2015; and the Skyfence acquisition by Imperva in February 2014.
I suspect there will be more acquisitions of the current crop of CASB niche vendors as the growth rate is expected to explode as more companies move their workloads to the cloud. Mark Hurd, CEO of Oracle, recently highlighted his Top Predictions for 2025 and #1 was that by 2025, 80% of all production applications will be in the cloud. Sensitive data and application controls will be needed to address this wave.
As data continues to move to the cloud do you see traditional DLP companies buying CASBs to provide cloud DLP? Do you see Perspecsys branching out into traditional DLP, given that a significant amount of sensitive data may never move to the cloud?
There are certainly use cases for DLP as unstructured, sensitive data moves to and from cloud services. Blue Coat has invested in the Cloud DLP area to complement its other cloud data control capabilities and offers the only truly end-to-end CASB platform to enable the secure adoption of enterprise clouds.
Do you sell primarily to the compliance parts of an organization or the security side? What’s the biggest barrier to adoption for the organizations that you’re selling to?
We address three main stakeholders: (1) the lines of business who love the cloud, and can operate at cloud speeds; (2) IT/Info Sec who love the operating model, but need to understand the evolving role of IT and how specifically they retain control of their data; and (3) Compliance and Legal who need to ensure that the myriad of laws, policies and industry directives are followed as the enterprise adopts cloud services.
The biggest barrier to adoption has been separating the marketing hype from real, production-ready solutions. Many vendors use their capital in order to market themselves as a one-size-fits-all solution, but a look under the covers often disappoints. Our industry needs to be transparent with organizations about what is available out-of-the-box vs what is roadmap and vision.
How much have CASBs penetrated the market? Are most organizations completely shutting cloud applications down, are they doing nothing, or do most seem to have some kind of cloud security in place?
My own estimates impute in 2014 about $250M had been spent on this segment with expected growth crossing $2B in annual spend in 2020. So while it’s still early days in some respects, CASB is one of the fastest growing tech verticals in the enterprise. The security conscious organizations are generally doing one of three things: (1) using CASBs to enable their cloud adoption; (2) blocking cloud access for those clouds that aren’t sanctioned; or (3) enabling cloud services in part, in that users can only use data that isn’t deemed sensitive.
- Trustar allows companies to anonymously compare notes on cyber threats. The company just raised $2 million in seed money.
- The company provides “cloud network DVR” which it likens to a security camera pointed at a company’s network at all times. They also hired the graphic designer behind movies like Tron to give their product a kind of sci-fi feel.
- Blackberry’s position is at odds with most of Silicon Valley, which believes that creating backdoors for good guys also creates a backdoor for bad guys. Also see Our National Encryption Debate, In Quotes.
- Government Security News (GSN) announced finalists and award winners across categories such as “Best Anti-Malware Platform” and “Best Identity Management Platform.”
- Writing in the Economist, Edward Lucas argues that “cybersecurity will start working in 2016” because the tools that are necessary for an effective defense are falling into place.
- LivingSocial is a case study in the downsides of a growth at all costs strategy. The company was once worth $4.5 billion and had 4500 employees. It now has just 800.