Cisco has announced its intention to acquire CloudLock Inc, a privately held cloud access security broker (CASB) based in Waltham, Massachusetts. Cisco will pay $293 million in cash and assumed equity awards, and will pay additional retention incentives to retain the existing CloudLock employees. The acquisition is expected to close early in fiscal 2017.
CASBs provide security and visibility for companies moving to the cloud. They logically or physically sit between the customer and whichever cloud services it uses. Martin Zinaich, information security officer for the city of Tampa, summarizes their function and purpose:
“Cloud access security brokers are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. They increasingly support the control of enterprise social networking use, and popular infrastructure as a service (IaaS) and platform as a service (PaaS) providers.” This, Zinaich added, “is a smart play for Cisco.”
Cisco’s move confirms that the security industry considers CASBs to be the way forward in cloud security. Last year Microsoft bought Adallom and turned it into its Cloud App Security service launched in April 2016. In 2014 Imperva bought Skyfence; in 2015, Palo Alto Networks bought CirroSecure; and in November 2015 Blue Coat (now itself being acquired by Symantec) bought Elastica.
The emergence of CASBs has been recent and rapid. Bill Burns, CISO at Informatica, has been involved in two recent studies on CASBs in 2014 and 2015. “One of the surprises in the first study,” he told SecurityWeek, “was that CASBs were a relatively unknown technology, but the problem they addressed one of the most worrisome areas that needed to be addressed. This year’s results showed much more awareness for the CASB solutions.”
He believes that CASBs will become part of the security infrastructure of the future. “I see CASBs like CloudLock as being features of other critical chokepoints of next generation security: they will be part of infrastructure like identity providers, built into secure tunnels and tightly coupled with critical SaaS applications. This is the natural evolution for security technologies; to be most effective, new security advancements like CASBs need to become the default so that ‘the easy route’ is also ‘the more secure route’ for data and transactions to pass.”
Drew Koenig, security solutions architect at Magenic, has also been watching CASBs. He believes the purchase of CloudLock to be a solid strategic move by Cisco, transforming it into an enterprise security company rather than just IT. “Along with other security acquisitions such as SourceFire, this will give Cisco a broader security offering and provide greater integration opportunities for its customers to gain extended visibility, control and security around sensitive data moving between the internal network and cloud services through one security suite.” The question, he adds, will be how quickly and easily can Cisco integrate the benefits into the existing Cisco install base.”
Cisco’s purchase of CloudLock further reduces the remaining pool of independent CASBs — the three main ones being Skyhigh Networks, CipherCloud and Netskope.
“Cisco’s acquisition of CloudLock is testament to the fact that CASB is a strategic, must-have capability for organizations who are realizing that in order to meet their security, compliance, and governance requirements they need to have visibility and control of their data in cloud services,” Rajiv Gupta, CEO at Skyhigh told SecurityWeek.
But it’s not as simple as it may seem.
“There is a rub,” explains Zinaich. “If you do not utilize an on-premise CASB solution, then you have to utilize a cloud-based one. This in essence puts one more unknown cloud vendor between you and the risk. How much do you trust this second CASB vendor? If you do an on-premise solution, what are the chances the SaaS/IaaS/PaaS vendor will support that configuration?”
Part of the problem is that there are no standards. “As usual in Information Security, the technology comes first and the standards rush to plug the gap,” he said. “The Cloud Security Alliance (CSA) teamed up with CipherCloud to form the Cloud Security Open API Working Group. Without a framework, cloud vendors cannot be flexible and they will be less likely to support on-premise solutions. Having a player like Cisco in the mix can only be beneficial to the growth and standards.”