Almost all organizations today use software as a service (SaaS) apps to store or share sensitive business data. Many companies continue to rely on on-prem apps (at least partly, if not wholly) to operate business. The emergence of the post-pandemic hybrid workforce, where employees can now work from anywhere across the corporate, branch, home office or on the road, clearly points to cloud-based SaaS apps as the viable option for most businesses. This digitally transformative trend has accelerated the change in how and where business is done, thereby increasing the use of SaaS to sustain current modern business models. Collaboration applications like Slack, Zoom, Confluence, Jira and others have become vital to enable the new way of conducting business from any location.
That said, SaaS adoption has fundamentally changed user-access patterns and tolerated security-risk levels in the enterprise. During the early stages of the “app” revolution, employees would log in mainly from in-person office sites and use a handful of SaaS apps for a limited number of reasons. Fast forward to now, and thousands of SaaS apps are available.
In addition to SaaS apps growing exponentially in numbers, data is growing exponentially in volume and becoming ubiquitous by the day.
Today, large volumes of sensitive data are directly created in the cloud or stored and shared across an increasingly wide number of applications, and it’s not just a few apps as it was initially.
The explosion of apps and data has created a complex web of interactions that has put enterprise-data security at extreme risk. The sprawl of SaaS is clearly a major challenge for IT teams, who must vet and sanction their authorized use. The transfer of sensitive data on unsanctioned apps is even more difficult for IT teams to monitor, given the lack of awareness of the apps in use themselves. To add to that, the user behavior of a hybrid workforce creates another concern for security teams. Any unapproved sharing or leaking of data, due to their negligent or malicious actions, can result not only in a data breach, but also in serious data privacy violations. This puts organizations at high risk of non-compliance with regulations, like the General Data Protection Regulation (GDPR).
Increased sophistication of threats in the cloud that target both cloud apps and data is also a never-ending concern. Malware-infected apps put all stakeholders in the enterprise ecosystem at grave risk. While business users are often the primary targets, malware attacks can harm and expose businesses as indirect participants in the cloud app ecosystem. Victims of malware attacks are defrauded by cybercriminals, have their privacy and sensitive data compromised, and become targets of complex multi-step campaigns that allow cybercriminals to carry out a variety of malicious actions.
Standard CASBs Are Very Reactive to SaaS and Data Security
Standard cloud access security brokers (CASBs) were created to compensate for the concerns that came with using SaaS apps, but the downside of first-generation CASBs has been their inability to keep up with the needs of the modern enterprise. These CASB technologies fail to adopt new applications quickly as they rely on static application libraries that are manually populated only after end-user notifications or a catalyst event, which is often too late. Modern collaboration apps like Slack, Zoom, Confluence, Jira, etc., where users spend most of their time today sharing sensitive information, are typically not covered by their API protections.
Their malware detection capabilities are generally untested and not designed to protect against the endless variants of threats that constantly keep coming into play across cloud environments. Confined to cloud environments only, their data loss prevention (DLP) features fail to span the entire enterprise, public cloud infrastructures, on-premises networks or hybrid/remote workforce locations: basically, everywhere that data flows and lives.
The piecemeal approach of CASBs, as you know them, forces security teams to manage multiple data protection products and disparate compliance policies, and to handle multiple time-consuming false-positive triages using a patchwork of additional tools. First-generation CASB products also use a layered approach that makes their deployment unnecessarily complex and costly.
To safely embrace the cloud, companies need a single, consistent way to protect their users, applications and data across every corporate environment, whether in-office or as a remote and hybrid workforce.
To actualize this, the core focus of CASB innovation should address modern enterprise requirements with continuous and automatic visibility of new SaaS applications at scale, with a built-in data protection mechanism that is reliable, accurate and 100% integrated with the network DLP.
The reformulated CASB should be available to enterprises as a unified platform across all control points with advanced threat protection that consistently spans every environment, while detecting and preventing all threats (known as well as unknown) that target the enterprise in the cloud.
CASB should protect all types of structured and unstructured data across all apps (whether SaaS-based apps or on-prem apps) for uniform compliance controls and breach prevention. It should enable safe collaboration app use across all users, regardless of their location, by detecting the context of conversation-based data using real-time, natural language processing-based detection methods. Lastly, a reimagined CASB should natively promote the convergence of networking and security to lift away the IT and security organizational silos that create operational gaps and impede progress.
Securing SaaS applications, sensitive data and your growing hybrid workforce with legacy, outdated approaches is daunting and riddled with risk. It’s time for a new CASB approach as part of your SASE strategy to contain the SaaS explosion and regain control. Join us at Ignite 2021 to learn more about how Palo Alto Networks is improving CASB technologies as you currently know them.