Barely five years old, the Cloud Access Security Broker (CASB) market is undergoing its second major shift in primary usage. The first CASBs to hit the market way back in 2013-2014 primarily provided visibility into Shadow IT. Interest in that visibility use case quickly waned in favor of data protection (and later threat protection) for sanctioned, well-known SaaS applications like Office 365 and Box -- this was the first major shift in the CASB market.
The second major shift, the one that we're currently undergoing, doesn't replace this use case, but adds to it. As IT and security teams have gotten comfortable with cloud applications like Office 365, the business has responded with demands for more applications. Sometimes that means other SaaS apps; sometimes it means custom apps or packaged software moving to the cloud. Regardless, what started as a relatively small, defined set of applications has exploded into much broader demand over the past year or so, and it is showing no signs of slowing down -- this is the second major shift, and we're seeing it in every industry and across organizations of all sizes.
The quandary here is trying to sort out whether the CASBs that you're evaluating will meet not only your current needs, but the needs of your business down the road as well. A really interesting approach that I have seen several times now is the concept of surprise apps in a proof of concept (PoC). When calling vendors in for the PoC, the enterprise will enumerate some of the applications to be tested, but leave others as a surprise for the vendor. The objective is to test whether the CASB will be able to meet their organization's future cloud security needs, whatever those might be.
Most CASB vendors still rely on a fixed catalog of supported applications, and you don't want to be waiting months (or longer) for a new app to be added to their roadmap when the GM of your company's biggest line of business is breathing down your neck to deploy the new application they so desperately need.
BTW, Bitglass' Zero-day CASB Core provides the flexibility to handle ANY application, with no custom development necessary. We'll gladly take on your surprise app challenge!