I just returned from the Gartner Security & Risk Management Summit that was held last week in National Harbor, Maryland, near Washington DC. The Gartner Summit is always a great event, and the Netskope team had a blast telling our story to the people we met there. When I joined Netskope I already believed that the cloud access security broker (CASB) market was becoming a hot space in security. This past week with Gartner was a tremendous validation of that belief.
During the event, I made a point to attend some of the higher level sessions where Gartner discusses the big trends in information security and their predictions for the future. In those sessions, I was repeatedly struck by how much I heard about cloud security challenges like the risks posed by shadow IT, and about CASBs in particular. And out on the show floor, it was also clear that cloud security is a very hot topic. Beyond the CASBs like Netskope at the event, many other security vendors are also talking about cloud security to try to connect to this important trend in the security industry.
Last Wednesday, Gartner issued a press release identifying the top 10 technologies for information security in 2016, with cloud access security brokers at the top of that list. Here’s what Gartner said about CASBs in their press release:
Cloud Access Security Brokers
Cloud access security brokers (CASBs) provide information security professionals with a critical control point for the secure and compliant use of cloud services across multiple cloud providers. Many software as a service (SaaS) apps have limited visibility and control options; however, SaaS adoption is becoming pervasive in enterprises, which exacerbates the frustration of security teams looking for visibility and control. CASB solutions fill many of the gaps in individual cloud services, and allow chief information security officers (CISOs) to do it simultaneously across a growing set of cloud services, including infrastructure as a service (IaaS) and platform as a service (PaaS) providers. As such, CASBs address a critical CISO requirement to set policy, monitor behavior and manage risk across the entire set of enterprise cloud services being consumed.¹
At Netskope, we certainly agree with Gartner that CASBs will become a critical control point for visibility and control of cloud app usage across the enterprise. And based on the hundreds of people that the Netskope team connected with last week at the Gartner Summit, it appears that many are looking much more closely at deploying a CASB in their organization.
In addition to the top technologies press release, an item in Gartner’s Top 10 Security Predictions 2016, also released last Wednesday, caught my eye. The second strategic planning assumption highlighted by Gartner in their predictions focused on the shadow IT challenge:
By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
Recommended Action: Business units deal with the reality of the enterprise and will engage with any tool that helps them do the job. Companies should find a way to track shadow IT, and create a culture of acceptance and protection versus detection and punishment.²
This prediction struck a chord with me for two reasons. First, I absolutely agree that unsanctioned cloud apps are a very attractive target for attackers because enterprise security teams lack visibility and control of these apps and the data that flows into them. Second, I really appreciate the approach that Gartner recommends. Rather than “create a culture of detection and punishment” by taking a black and white, allow or block approach to unsanctioned cloud apps, they recommend creating a “culture of acceptance and protection.”
My take on this recommendation is that enterprise security teams need to acknowledge that some unsanctioned cloud apps have real business value. So, the ability to take a more nuanced approach to these cloud apps will put enterprise security teams in a much better position with their business units. That is, rather than simply say no and block a cloud app, can you find a way to control the specific activities or data in that cloud app to mitigate the risk?
At Netskope, we firmly believe in this approach and have made it one of the guiding design principles behind our solution.