Given the rapid growth of cloud computing, large enterprises and government agencies, especially those in critical sectors like banking and healthcare, are wary about going all out on the public cloud. The biggest bugbear is security – or lack of it. How do you ensure your workloads on the cloud are secure against malware and hackers?

That’s where CASB, or “casbee” as it’s pronounced, comes in. CASB is short for Cloud Access Security Broker and refers to an on-premise or cloud-based security policy API that connects cloud service consumers and cloud service providers to enforce security policies.

In 2012, Gartner coined the term CASB to address security gaps in cloud usage. But even before that, Skyhigh Networks was the first to market with a CASB product. In Jan 2018, McAfee, one of the world’s largest pure-play cybersecurity companies, completed the acquisition of Skyhigh Networks to create the world’s preeminent cyber security company. Gartner commissioned a highly rigorous process in 2019 to compile its CASB Magic Quadrant and introduced IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service) security as evaluation criteria.

“McAfee was the first CASB vendor to provide support for enterprise data, workloads, and application in the public cloud and we were delighted to see IaaS and PaaS becoming part of the Magic Quadrant criteria,” Jonathan Andresen, McAfee’s APJ Director of Marketing & Products, said at a CIO Roundtable organised by CIO Academy Asia in Kuala Lumpur on Aug 6. “McAfee’s CASB and MVision Cloud offer the ideal solution for hybrid and public cloud environments.”

CASB is all the more relevant in Asia today. On Aug 6, the Monetary Authority of Singapore (MAS) announced a new set of requirements to raise cybersecurity standards and strengthen cyber-resilience of the financial sector. The legally binding notice on cyber-hygiene sets out measures that organisations must take to mitigate the growing risk of cyber-threats. Key elements in the existing MAS Technology Risk Management Guidelines will be made compulsory when the refreshed guidelines go into effect next year.

As for Malaysia, the country has defined ten sectors as being under CNII (Critical National Information Infrastructure) and must have the highest possible standards for cybersecurity. In alphabetical order, they are banking and finance; energy; emergency services; food and agriculture; government services; health services; information and communications; national defence and security; transportation; and water.

“We live in a VUCA world where volatility, uncertainty, complexity and ambiguity define our existence,” CIOAA’s CEO Mr P Ramakrishna said at the roundtable. “In the enterprise cyber-security space, there are two kinds of companies – those who know they’ve been hacked, and those who’re not sure. Enterprises need therefor to strive to be resilient, and as more workloads go on the cloud, the need for agility and cyber-resilience is all the more pertinent and critical.”