Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Cisco’s Acquisition of CloudLock Puts Spotlight on CASB Market

Cisco has announced its intention to acquire CloudLock Inc, a privately held cloud access security broker (CASB) based in Waltham, Massachusetts. Cisco will pay $293 million in cash and assumed equity awards, and will pay additional retention incentives to retain the existing CloudLock employees.

Cisco has announced its intention to acquire CloudLock Inc, a privately held cloud access security broker (CASB) based in Waltham, Massachusetts. Cisco will pay $293 million in cash and assumed equity awards, and will pay additional retention incentives to retain the existing CloudLock employees. The acquisition is expected to close early in fiscal 2017.

CASBs provide security and visibility for companies moving to the cloud. They logically or physically sit between the customer and whichever cloud services it uses. Martin Zinaich, information security officer for the city of Tampa, summarizes their function and purpose:

“Cloud access security brokers are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. They increasingly support the control of enterprise social networking use, and popular infrastructure as a service (IaaS) and platform as a service (PaaS) providers.” This, Zinaich added, “is a smart play for Cisco.”

Cisco Acquires CloudLockCisco’s move confirms that the security industry considers CASBs to be the way forward in cloud security. Last year Microsoft bought Adallom and turned it into its Cloud App Security service launched in April 2016. In 2014 Imperva bought Skyfence; in 2015, Palo Alto Networks bought CirroSecure; and in November 2015 Blue Coat (now itself being acquired by Symantec) bought Elastica.

The emergence of CASBs has been recent and rapid. Bill Burns, CISO at Informatica, has been involved in two recent studies on CASBs in 2014 and 2015. “One of the surprises in the first study,” he told SecurityWeek, “was that CASBs were a relatively unknown technology, but the problem they addressed one of the most worrisome areas that needed to be addressed. This year’s results showed much more awareness for the CASB solutions.”

He believes that CASBs will become part of the security infrastructure of the future. “I see CASBs like CloudLock as being features of other critical chokepoints of next generation security: they will be part of infrastructure like identity providers, built into secure tunnels and tightly coupled with critical SaaS applications. This is the natural evolution for security technologies; to be most effective, new security advancements like CASBs need to become the default so that ‘the easy route’ is also ‘the more secure route’ for data and transactions to pass.”

Drew Koenig, security solutions architect at Magenic, has also been watching CASBs. He believes the purchase of CloudLock to be a solid strategic move by Cisco, transforming it into an enterprise security company rather than just IT. “Along with other security acquisitions such as SourceFire, this will give Cisco a broader security offering and provide greater integration opportunities for its customers to gain extended visibility, control and security around sensitive data moving between the internal network and cloud services through one security suite.” The question, he adds, will be how quickly and easily can Cisco integrate the benefits into the existing Cisco install base.”

Cisco’s purchase of CloudLock further reduces the remaining pool of independent CASBs — the three main ones being Skyhigh Networks, CipherCloud and Netskope.

“Cisco’s acquisition of CloudLock is testament to the fact that CASB is a strategic, must-have capability for organizations who are realizing that in order to meet their security, compliance, and governance requirements they need to have visibility and control of their data in cloud services,” Rajiv Gupta, CEO at Skyhigh told SecurityWeek.

But it’s not as simple as it may seem.

“There is a rub,” explains Zinaich. “If you do not utilize an on-premise CASB solution, then you have to utilize a cloud-based one. This in essence puts one more unknown cloud vendor between you and the risk. How much do you trust this second CASB vendor?  If you do an on-premise solution, what are the chances the SaaS/IaaS/PaaS vendor will support that configuration?” 

Part of the problem is that there are no standards. “As usual in Information Security, the technology comes first and the standards rush to plug the gap,” he said. “The Cloud Security Alliance (CSA) teamed up with CipherCloud to form the Cloud Security Open API Working Group. Without a framework, cloud vendors cannot be flexible and they will be less likely to support on-premise solutions. Having a player like Cisco in the mix can only be beneficial to the growth and standards.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybersecurity Funding

SecurityWeek investigates how political/economic conditions will affect venture capital funding for cybersecurity firms during 2023.


More than 450 cybersecurity-related mergers and acquisitions were announced in 2022, according to an analysis conducted by SecurityWeek

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Forty cybersecurity-related M&A deals were announced in January 2023.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.