I am fascinated with the terms industry analysts introduce to the market. Oftentimes, these terms confuse the market more than they help. The risk is that these terms become outdated even before an analyst publishes their paper. It then takes an act of Congress or something similar for an analyst firm to update their market term definitions. This has been causing innovators heartburn for decades.
Let’s take Cloud Access Security Broker (CASB) as an example. It makes an unfortunate assumption that the best way to protect your cloud app use is by using a broker. This was true back in 2012, before Application Programming Interfaces (APIs) became the powerhouse that they are now. Today, it is hard to find a cloud app that does not have published REST APIs.
If you recall, a cloud in 2012 was a virtual machine hosted by someone else, and state-of-the-art security meant hosting a firewall in such VMs, so a broker made sense. The original CASB model promoted brokers to discover shadow IT and scare IT managers. A lot has changed in the last 6 years. Most of that functionality is now available from firewalls.
Using a broker-model CASB is problematic. Take G Suite for example. It is globally distributed and runs on global Google infrastructure. If you throttle access to G Suite by routing all the traffic through a broker, you end up impacting your end user experience. In fact, Microsoft cautions against using proxy-based approaches to access Office 365.
Does this mean that the original CASB model is dead? Well, the answer is yes and no. Broker-based models are becoming less useful, while API-based approaches are delivering compelling value.
The API-based model of a CASB is user friendly and easy to get started with, but it’s not a broker. The term CASB is no longer appropriate… or relevant. Instead, we need to discuss Cloud Application Security Platforms (CASPs). CASPs are the future of this market because they leverage APIs and do not get in the way of user experience. CASPs focus on detection, remediation and user education instead of in-line inspection of cloud application traffic. This use case is far more applicable to mid-market organizations.
Mid-market customers do not have the same requirements as a Fortune 100 company. Fortune 100 companies have complex requirements and legacy baggage. Mid-market companies can be agile in cloud adoption and can adopt a modern cloud security platform. This is one reason why mid-market companies that ignored CASB in the last few years are well positioned to solve their cloud security problems using an API-based solution in the future. Their counterparts in the Fortune 1000 are still struggling to implement broker-based CASB products they bought several years ago.
TL;DR: Adopt Cloud Application Security Platforms, Not Brokers