“Is there a Gartner Magic Quadrant for CASB?”
This is a question we get quite often these days— and it’s for good reason: A Gartner Magic Quadrant for any technology is considered a go-to resource for understanding a vendor’s strengths and weaknesses and how they compare to the competition. The good news is that Gartner has indicated that they will publish a CASB Magic Quadrant later this year and with this in mind, we wanted to provide a primer on how a Magic Quadrant works and what you can expect.
First, a little background on the cloud access security broker (CASB) category:
The CASB space formed officially in the spring of 2012 when Neil MacDonald and Peter Firstbrook published “The Growing Importance of Cloud Access Security Brokers,” and started to gain significant momentum in Fall of 2013 when analysts at Gartner Symposium/ITxpo in Orlando began to weave it into their talks. At that time Netskope was one of only a few CASB vendors in the space. Prior to that time, the primary use case was discovery. Since then a more sophisticated definition of what it means to be a CASB has formed and Gartner has surfaced some key requirements through their research. You can read the entire document, but we thought it would be helpful to point out some of the more poignant pieces of guidance they’ve provided in the Gartner Market Guide for Cloud Access Security Brokers.
- Visibility: “Organizations need to look past CASB providers' 'list of supported applications and services,' because there are (sometimes substantial) differences in the capabilities supported for each specific cloud service, based on its features, the CASB architecture used and the organization's end-user computing model. For example, one CASB vendor’s 'support for Salesforce or Office 365' can be markedly different from another's, depending on 'bring your own device' (BYOD) use cases, even though both may claim to support these applications 'on paper.' Proxy or API architectures from a CASB have different abilities to perform different actions, which have various implications for how that provider delivers the four pillars for a specific cloud service.”
- Compliance: “CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services. Organizations still need to prove they can meet internal and external compliance mandates and show how they can show the five W's of who, what, when, where and why. CASBs also help by controlling access to cloud.” In addition, “Increasingly, a growing number of CASBs offer a choice between the proxy modes of operation and also support APIs. Gartner refers to this as 'multimode CASBs.' They give their customers a wider range of choices in how they can control a larger set of cloud applications.”
- Data Security: “An advantage of a CASB over native DLP capabilities is consistency — for example, one can apply a set of common DLP policies that extend to multiple services and even multiple providers, reducing the overall time required for developing and enforcing policies.”
- Threat Protection: “CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behavior analytics (UEBA) for determining anomalous behavior, the use of threat intelligence, and malware identification. In some cases, CASB vendors have their own analyst teams researching cloud-specific and cloud-native attacks.”
Are these the things that will define the cloud access security broker Magic Quadrant from Gartner? It is too early to speculate on that, but it’s always a good idea to read what they’ve considered to be important in the past as a good indicator of how they’ll review the vendors in the space.
About the Magic Quadrant itself
If you’ve never used a Gartner Magic Quadrant in your vendor selection process, then it’s a good idea to familiarize yourself with how it works. As defined by Gartner:
“Magic Quadrants offer visual snapshots, in-depth analyses and actionable advice that provide insight into a market's direction, maturity, and participants. Understanding our methodology will help you when evaluating a market, choosing a technology or service provider or managing vendor relationships.”
There are four sections of an MQ:
- Leaders
- Visionaries
- Niche Players
- Challengers
You can read how these are defined directly on Gartner’s website where they give a very thorough review of the rigor and methodology that goes into an MQ.
Where a vendor gets placed on the MQ is based on the two axes:
- Completeness of vision: Reflects the vendor's innovation, whether the vendor drives or follows the market, and if the vendor's view of how the market will develop matches Gartner's perspective.
- Ability to execute: Summarizes factors such as the vendor's financial viability, market responsiveness, product development, sales channels and customer base.
Of course, there are several factors involved in how Gartner evaluates a given category — all of which Gartner expounds upon in any given MQ.
We hope this has been helpful and we look forward to sharing more information about the Gartner CASB Magic Quadrant later this year.
