Security "Bits"

The Whole Enchilada (aka CASB)

By Nat Kausik | November 11, 2015 at 9:26 AM

Traditional security products are purchased as software or hardware appliances. Network data centers at enterprises daisy-chain many such point products, each of which has a single, surgical function. Euphemistically, each of these products is called "best-of-breed." Some enterprises even lash together multiple products in the same "breed" for added protection. For example, an engineer from FireEye we interviewed yesterday told me that customers were buying multiple products for malware and APT protection and using them in series connections for maximum security. They still get breached because of phishing and mobile intrusions, but that is a topic for another day. Today we discuss the CASB solution stack.

But when it comes to CASB, you cannot chain together multiple products. Each product inserted into the chain adds a WAN latency of about 30ms, and if you insert multiple CASBs in series, the user experience is damaged completely. Customers need a single complete CASB solution that offers the broadest data protection: in the cloud, at access and on mobile devices. After all, cloud and mobile are inseparable, as we noted in an earlier blog post. The figure below shows the full CASB technology stack, spanning:

(1) Breach Discovery: ShadowIT and data exfiltration analysis at the bottom of the stack.

(2) API visibility and control of data-at-rest in cloud applications.

(3) Integrated SSO and SAML proxy access control during login.

(4) Mobile security via ActiveSync proxy for the all-important email application that is the backbone of the modern enterprise.

(5) Contextual access control for web and thick client applications on managed devices via forward proxy and unmanaged devices via reverse proxy. In the latter case, virtualized handling of client-side AJAX via AJAX-VM technology is a must-have for robust support of modern applications.

(6) Data-leakage protection via integrated DLP engine. Remote ICAP calls to on-premise DLP engines are fine for a demo, but simply add more latency and WAN load in production systems.

(7) Searchable, sortable true encryption of data in SaaS applications.


Customers need the whole enchilada from a single CASB vendor for integrated management and superior user experience.  Best-of-breed products cannot be chained together on the WAN.  

Only Bitglass offers the complete CASB solution. 


