Cloud Access Security Brokers and Mobile Device Management: A Yin and Yang of Cloud Security


Since it’s Lunar New Year, we thought we’d have a little fun with this blog post in explaining the differences between the Cloud Access Security Broker (CASB) and Mobile Device Management (MDM) markets.

“In Chinese philosophy, yin and yang describes how opposite or contrary forces are actually complementary, interconnected, and interdependent in the natural world, and how they give rise to each other as they interrelate to one another.” – Wikipedia

When it comes to the CASB and MDM security markets, there’s much confusion about whether these two markets compete or complement each other. As a CASB vendor, we’re often asked, “Do you guys compete against the MobileIrons and AirWatches of the world?”

Quite simply, the answer is “No.”

In fact, we’re quite complementary, hence, the “yin and yang” reference. Truth be told, the CASB space is evolving so quickly that it’s understandable for folks tasked with managing IT security to get confused. So, we’re gonna clear the air, if you will, and explain how the two go hand-in-hand.

The Yin: Mobile Device Management

MDM solutions are defined by Gartner as “a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, possibly for personal use — enforcing policies and maintaining the desired level of IT control across multiple platforms.” In other words, it’s a way for IT to let employees use the devices they’d like to use to get work done while IT retains control over data security.

MDM solutions typically can do the following:

  • Block jailbroken or non-compliant devices from accessing corporate resources
  • Protect data via device encryption and data loss prevention (DLP) policies
  • Quarantine or selectively wipe business data from non-compliant devices
  • Prevent man-in-the-middle exploits with certificate-based authentication
  • Help locate a device when lost or stolen and enforce that a PIN be used
  • Deploy applications and settings from a centralized management console

The Yang: Cloud Access Security Brokers

CASBs represent one of the fastest-growing segments of security. Last year, Gartner delineated four key pillars of functionality for CASBs:

  • Visibility – Provide a consolidated view of data, devices, users, and activities and identify sanctioned and unsanctioned cloud apps used in the organization
  • Compliance – Facilitate compliance with regulations, industry standards, and best practices
  • Data security – Enforce policies to protect data (e.g., DLP for data in transit and at rest)
  • Threat prevention – Mitigate risk from both internal and external sources through the use of access controls

Yin and Yang Doing the Dance

CASBs like Imperva Skyfence are complementary in that they can apply granular policies on endpoint devices enrolled through an MDM solution. In fact, Imperva Skyfence goes one step further by being able to distinguish between managed (corporate-owned or corporate-controlled) and unmanaged (BYOD) devices and then applying granular cloud application policies on top of that. That’s an area where CASBs are crucial to augmenting the capabilities of MDMs.

For example, for iOS devices, Skyfence uses a corporate-issued certificate and key pushed to the device by the MDM solution to ensure the device can be identified as “managed” (i.e., corporate-controlled). An MDM combined with a CASB solution like Skyfence makes it possible to direct mobile app traffic through Skyfence without the need to modify the mobile apps themselves or change the way end users access their apps and data.

Here are some sample scenarios where MDM functionality needs the help of a CASB to fully protect an organization’s valuable data in the cloud:

Granular access controls for unmanaged devices:

  • Allow unmanaged devices read-only access to cloud file sharing with no ability to download
  • Block data uploads from unmanaged devices (similar to an anti-malware use case)
  • Allow/block usage of specific Office 365 services from unmanaged devices, such as blocking access to Outlook and OneDrive to prevent auto-syncing of corporate data and data exfiltration

Advanced threat prevention capabilities:

  • Automatically detect anomalous activity based on “learning” a user’s typical behavior with respect to access patterns (devices, locations, hours, etc.)
  • Enforce risk-based multi-factor authentication (via a one-time passcode to the mobile device of record) for high-risk or anomalous activities, such as accessing a OneDrive account from an unusual location
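The two bullets above describe a learn-then-score loop: build a per-user baseline of devices, locations and hours, score new activity by how far it departs from that baseline, and step up to a one-time passcode when the score is high. The example below is added here to make that loop concrete; it is not Skyfence's code, and the weights, threshold, login history and mobile numbers are constructed for the illustration.

```python
"""Added example (not Imperva Skyfence code): a per-user behavioral baseline
that learns which devices, countries and hours a user normally logs in from,
scores new activity by how many of those attributes are unfamiliar, and
requires a one-time passcode to the user's mobile device of record when the
score crosses a threshold.

The weights, threshold, history and phone numbers are constructed for this
example; a production system would learn far more signals than three."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    app: str
    device_id: str
    country: str
    hour: int  # hour of day (0-23) in the user's usual time zone


# How much each unfamiliar attribute contributes to the risk score (assumed weights).
WEIGHTS = {"device": 2, "country": 3, "hour": 1}
# Score at or above which the CASB steps up to MFA (assumed threshold).
MFA_THRESHOLD = 2
# Mobile device of record per user, where the one-time passcode would go (constructed).
MOBILE_OF_RECORD = {"alice": "+1-555-0100", "bob": "+1-555-0199"}


class Baseline:
    def __init__(self) -> None:
        self.devices: dict[str, set[str]] = defaultdict(set)
        self.countries: dict[str, set[str]] = defaultdict(set)
        self.hours: dict[str, set[int]] = defaultdict(set)

    def learn(self, history: list[Event]) -> None:
        """Record what each user normally does (the 'learning' phase)."""
        for e in history:
            self.devices[e.user].add(e.device_id)
            self.countries[e.user].add(e.country)
            self.hours[e.user].add(e.hour)

    def _near_usual_hour(self, user: str, hour: int) -> bool:
        # Tolerate activity within one hour of any previously seen hour, wrapping at midnight.
        return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in self.hours[user])

    def score(self, e: Event) -> tuple[int, list[str]]:
        """Return (risk_score, reasons). A user with no history is anomalous on every axis."""
        reasons = []
        if e.device_id not in self.devices[e.user]:
            reasons.append("device")
        if e.country not in self.countries[e.user]:
            reasons.append("country")
        if not self._near_usual_hour(e.user, e.hour):
            reasons.append("hour")
        return sum(WEIGHTS[r] for r in reasons), reasons

    def decide(self, e: Event) -> dict:
        """Allow familiar activity; otherwise require a one-time passcode to the device of record."""
        risk, reasons = self.score(e)
        if risk < MFA_THRESHOLD:
            return {"decision": "allow", "risk": risk, "reasons": reasons}
        return {"decision": "require_mfa", "risk": risk, "reasons": reasons,
                "otp_target": MOBILE_OF_RECORD.get(e.user, "unknown")}


def demo() -> dict[str, dict]:
    """Learn a constructed history for alice, then score four new OneDrive logins."""
    history = [Event("alice", "onedrive", "ipad-a1", "US", h) for h in (9, 10, 11, 14, 16)]
    baseline = Baseline()
    baseline.learn(history)
    probes = {
        "usual": Event("alice", "onedrive", "ipad-a1", "US", 12),        # within an hour of 11
        "new_country": Event("alice", "onedrive", "ipad-a1", "BR", 10),  # unusual location
        "new_device": Event("alice", "onedrive", "android-x7", "US", 10),
        "late_night": Event("alice", "onedrive", "ipad-a1", "US", 23),   # only the hour is off
    }
    return {name: baseline.decide(ev) for name, ev in probes.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Note the deliberate asymmetry in the weights: an off-hours login from a known device in a known country scores 1 and is allowed, while a known device from a new country scores 3 and triggers the passcode. The threshold is the knob a CASB administrator tunes between false positives (needless MFA prompts) and missed anomalies.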

Real-time monitoring and control of user and admin activity:

  • Track, monitor, and report all administrative and privileged user activity, including data access, configuration changes, and user permission modifications
  • Block or limit admin access from managed or unmanaged devices

Prevention of data proliferation:

  • Block sharing of sensitive data outside of the organization
  • Block downloads of sensitive files to unmanaged devices only, while managed devices keep access
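The scenarios above, together with the earlier point that a device counts as “managed” only when it presents the certificate the MDM pushed to it, amount to a small policy engine: classify the device from its client certificate, then match (device class, app, action, data sensitivity, role) against an ordered rule list. The example below is added here to show that engine end to end; it is not Skyfence's code. The issuer name, the app and action vocabulary, the rule set and the sample requests are all constructed for the illustration, and certificate validation is reduced to issuer, validity window and a simulated revocation flag.

```python
"""Added example (not Imperva Skyfence code): a minimal CASB-style policy
evaluator that classifies a device as managed or unmanaged from the client
certificate it presented and then applies per-app, per-action rules.

Assumptions (constructed for this example): the MDM enrolls devices with a
client certificate issued by an internal CA named CORPORATE_MDM_ISSUER, the
CASB sits in the traffic path and sees that certificate, and the app/action
vocabulary below is illustrative."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Issuer DN of the CA the MDM uses for device certificates (assumed name).
CORPORATE_MDM_ISSUER = "CN=Example Corp MDM Device CA"


@dataclass(frozen=True)
class ClientCert:
    """The fields of the presented client certificate that matter here."""
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # result of a CRL/OCSP lookup, simulated here


@dataclass(frozen=True)
class Request:
    user: str
    app: str            # e.g. "outlook", "onedrive", "sharepoint"
    action: str         # "read", "download", "upload", "share_external"
    sensitive: bool     # DLP classification of the data involved
    role: str           # "user" or "admin"
    cert: Optional[ClientCert]  # None when no client certificate was presented


def classify_device(cert: Optional[ClientCert], now: datetime) -> str:
    """A device is managed only if it presents a valid, unrevoked certificate
    from the corporate MDM CA; anything else is treated as unmanaged (BYOD)."""
    if cert is None or cert.issuer != CORPORATE_MDM_ISSUER:
        return "unmanaged"
    if cert.revoked or not (cert.not_before <= now <= cert.not_after):
        return "unmanaged"
    return "managed"


# Ordered rules: (device, app, action, sensitive, role) -> decision.
# "*" matches any value; the first matching rule wins.
RULES = [
    (("*", "*", "share_external", True, "*"), "deny"),   # no external sharing of sensitive data
    (("unmanaged", "*", "download", True, "*"), "deny"), # sensitive files stay off BYOD devices
    (("unmanaged", "*", "*", "*", "admin"), "deny"),     # admin access only from managed devices
    (("unmanaged", "outlook", "*", "*", "*"), "deny"),   # prevent auto-sync of mail to BYOD
    (("unmanaged", "onedrive", "*", "*", "*"), "deny"),  # prevent auto-sync of files to BYOD
    (("unmanaged", "*", "upload", "*", "*"), "deny"),    # no uploads from BYOD
    (("unmanaged", "*", "download", "*", "*"), "deny"),  # read-only: no downloads from BYOD
    (("unmanaged", "*", "read", "*", "*"), "allow"),     # browsing content is fine
    (("managed", "*", "*", "*", "*"), "allow"),          # managed devices: MDM controls apply
]


def _matches(pattern, value) -> bool:
    return pattern == "*" or pattern == value


def evaluate(req: Request, now: datetime) -> tuple[str, str]:
    """Return (device_class, decision). Unmatched requests are denied (fail closed)."""
    device = classify_device(req.cert, now)
    facts = (device, req.app, req.action, req.sensitive, req.role)
    for pattern, decision in RULES:
        if all(_matches(p, v) for p, v in zip(pattern, facts)):
            return device, decision
    return device, "deny"


def demo() -> dict[str, tuple[str, str]]:
    """Run constructed requests through the evaluator."""
    utc = timezone.utc
    now = datetime(2016, 2, 8, 12, 0, tzinfo=utc)
    good = ClientCert(CORPORATE_MDM_ISSUER, "CN=device-1234",
                      datetime(2016, 1, 1, tzinfo=utc), datetime(2017, 1, 1, tzinfo=utc))
    expired = ClientCert(CORPORATE_MDM_ISSUER, "CN=device-0001",
                         datetime(2014, 1, 1, tzinfo=utc), datetime(2015, 1, 1, tzinfo=utc))
    rogue = ClientCert("CN=Some Other CA", "CN=device-9999",
                       datetime(2016, 1, 1, tzinfo=utc), datetime(2017, 1, 1, tzinfo=utc))
    cases = {
        "managed_upload": Request("alice", "onedrive", "upload", False, "user", good),
        "unmanaged_read": Request("bob", "sharepoint", "read", False, "user", None),
        "unmanaged_download": Request("bob", "sharepoint", "download", False, "user", None),
        "expired_cert_outlook": Request("carol", "outlook", "read", False, "user", expired),
        "rogue_ca_admin": Request("dave", "sharepoint", "read", False, "admin", rogue),
        "managed_share_sensitive": Request("alice", "sharepoint", "share_external", True, "user", good),
    }
    return {name: evaluate(req, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (device, decision) in demo().items():
        print(f"{name:26} device={device:9} decision={decision}")
```

Two details carry the security weight. First, an expired, revoked or wrongly-issued certificate degrades the device to “unmanaged” rather than producing an error, so a stale MDM enrollment silently loses its privileges instead of keeping them. Second, the rule list is ordered and the default is deny, so a request that matches nothing (a new app or action nobody wrote a rule for) is blocked rather than allowed by omission.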

This is, of course, just a high-level introduction as to how the MDM and CASB markets differ. If you’d like more information on how CASBs can help you secure your data and apps in the cloud, visit or click here to get in touch with a Skyfence specialist.