As enterprises transform their IT operations into the cloud, data travels from third-party servers, via third-party networks to BYO devices. The only thing the enterprise owns is the data, and protecting this data is vitally important. Incumbent vendors offering security as software and hardware are rendereded obsolete, since there is no place to hang such products.
Two recent examples are illustrative of the situation. In one case, a financial services customer sought to encrypt data on their Salesforce.com application using a CASB. Their incumbent Anti-Virus vendor had acquired a "CASB," and now offered them the software free as part of their enterprise license. But that "CASB" solution has a number of known limitations as below:
- requires on-premise installation
- single-tenant architecture, hence one installation per instance of Salesforce
- does not support Salesforce Lightning or Salesforce Mobile
- breaks early and often at each new release or update of Salesforce
Other than that, it is indeed a great product.
Likewise, in another example, a technology company in the aerospace industry wanted to deploy a CASB to secure Office365. Since many of their customers are in the defense sector, data protection is important to them. Their incumbent firewall vendor had acquired a "CASB" and offered them the software for free. This "CASB" was API-only and had the following limitations
- no real-time data protection
- only monday-morning alerts after data leakage events
- no access control for managed and unmanaged devices
- no BYO security
Ironically, firewalls are all about real-time inline security. Rather odd for a firewall vendor to peddle monday-morning alerts as security. Free software that tells you after your data appears on WikiLeaks does not appear particularly useful.
Free software is a like a free puppy - makes quite a mess!