This blog is the fourth of a series that will guide the reader through technology requirements, product comparisons and recommendations in order to cut through the vendor fluff and determine what is really needed to secure your enterprise in a cloud enabled world. We will also discuss the frameworks of modern SASE and its improved approach over fragmented legacy solutions such as SWG, Next-Gen SWG, traditional CASB, and Traditional DLP, with a look to the future of the required next-generation capabilities. Join us in this multi-part series on CASB and what is needed to put you back in the driver's seat. Let’s get started.
If you missed the first blog of the series “Beyond Next Gen SWG, A NEW ERA OF CASB”, you can find it here. The second blog of the series "Understanding the Total Cost of Ownership When Purchasing a CASB" can be found here. The third blog of the series "Overcoming the SaaS Security Piecemeal Approach" can be found here.
CASB Innovation and the Leaving Behind of Unmet Customer Needs
When the Cloud Access Security Broker or CASB first arrived on the security scene about a decade ago, it arrived with a bang! Thanks to the compelling use cases it was designed to support, and much to the delight of enterprise customers, many of whom were at an inception point in their nascent journey to the cloud.
One of the primary values of CASBs arose out of their ability to analyze the network traffic flowing between on-prem and cloud environments, providing discovery into which cloud applications were being used by a user on the corporate network to potentially transfer information, application categorizations and risk-based insights. In short, they became crucial to identifying shadow IT practices, including risky and tolerated unsanctioned cloud apps, and thereby the users of those apps. For sanctioned apps, CASBs mainly ensured that the sensitive data stored and shared across company-adopted SaaS applications complied with the organization's security policies and industry regulations thereby providing the necessary visibility into what was happening with the information stored on the sanctioned apps, with automatic remediation to policy violations. Security was not a big focus of CASB security providers back then as cloud-based threats were not a major concern yet and SaaS applications were believed to be quite safe.
As time passed, much changed in the cloud application world. Today, public cloud services and mainly SaaS applications have become indispensable to every organization's infrastructure and provide a myriad of services in every aspect of business where people use software solutions. SaaS is becoming increasingly popular among software vendors who want to enable enterprise IT teams to deliver remote business applications to their enterprise end-users via the web.
The Initial ‘Big Idea’ of CASB and Why CASBs Are Falling Behind
Going back to the beginning of this article, when CASB products were initially designed, many modern challenges that enterprises face today with cloud apps were simply not taken into account. Most importantly, the never-ending influx of ‘net new’ SaaS applications entering the enterprise ecosystem was not thought through.
But back when they were initially designed, no one anticipated an exponential growth in SaaS and thus legacy CASB solutions were technically designed to leverage only static application libraries. A SaaS app was not discoverable and therefore not visible to the enterprise IT team without the application’s signature that had to be provided by the CASB vendor. This dependence on the SaaS vendor and reliance on static application libraries was not conducive to managing the surge in the use of SaaS. When we say ‘surge’, we are referring to not a few hundred but the constant influx of thousands of unsanctioned, risky and tolerated apps being rapidly introduced in the enterprise ecosystem. Now imagine waiting on the SaaS app vendor to manually provide application library updates “for every one of these apps in use in your organization”.
In addition to foundational CASB technology, data protection as a security concept needs to evolve as well. This is because more and more sensitive data is being stored across hordes of SaaS applications—not just the one or two SaaS apps as it was initially. Sensitive data has evolved into multiple data types as well which now includes hundreds of different kinds of personally identifiable information such as country-based identification, industry-specific data et cetera and totally unstructured intellectual property such as sensitive documents, proprietary technology, financial plans, designs, source code et cetera.
Data can now also be found in varying formats including images of scanned documents and picture IDs. Often, pure conversations on modern collaboration applications like Slack and Microsoft Teams can be sensitive in nature. A CASB solution must be able to keep up with all this. The accuracy and the performances of CASB-based DLP have traditionally been based as a subset of an Enterprise DLP solution deployed on the network while being totally disjointed from it. Therefore, when it comes to data loss prevention, organizations are required to deploy separated DLP solutions for their on-premises environments that are different from their cloud data protection tools. This leaves organizations to end up having to deal with two DLP solutions—one for the enterprise, very robust, and yet another for the cloud, not as good as the other one.
Another thing to think about are cloud-based threats. Malicious actors are targeting SaaS applications more and more and we can't rely on the application providers to provide security. Unknown malware is deployed every day and signature-based security—just like the SaaS application libraries—need to be able to scale at an incredible speed, certainly not what CASB products are designed to do. Today, third-party integrations with sandboxing solutions are necessary to protect SaaS environments from known and unknown threats. This is not an ideal approach.
Misdirected Priorities of CASB Vendors
Even though CASB technology has evolved manyfold over these years, we see a lot of CASB vendors focusing on secondary capabilities like SaaS Security Posture Management or (SSPM), as an example. According to Gartner, SSPM is defined as “tools that continuously assess the security risk and manage the security posture of SaaS applications. Core capabilities include reporting native SaaS security settings' configuration and offering suggestions for improved configuration to reduce risk."
While this example of CASB innovation is entirely valid from a compliance and protection for critical workloads perspective, what we don’t hear from CASB vendors are steps being taken to improve and enhance the foundational primary capabilities of CASB. Something that enterprise customers today desperately need.
Many CASB vendors do application discovery and categorization still very manually, they don’t crowdsource intelligence from a large community, their data protection mechanism is not enterprise grade and disjointed from the on-prem environments, and their threat prevention is basic at best with no mechanism in place to detect unknown threats such as new malware targeting the apps, often relying on third party integrations to fill some gap.
CASB Needs a Refresh at the Foundational Level
We believe tacking on new CASB features is not in the best interest of the customer unless the basic foundational capabilities that should be inherent to the technology are improved upon first.
The core focus of CASB innovation should address modern enterprise requirements with continuous visibility of new SaaS applications at scale at its core with a data protection mechanism that is reliable, accurate, and 100% integrated with the network DLP. It should be deployed as a unified DLP platform across all control points with built-in advanced threat protection that detects and prevents known as well as unknown threats that target both data and users in the cloud.
At Palo Alto Networks, we believe an enterprise customer should never be left behind from having a crystal clear view of all apps being used in their organization and the risks associated with them.
A fresh approach to CASB that addresses the unmet needs of today’s enterprises is one that automatically discovers new SaaS apps by leveraging the power of machine learning and crowdsourced intelligence from the large global community, allowing customers to always stay in the know. Continuous identification of new SaaS apps ensures applications are discovered automatically as they become popular. Moreover, preventing all threats both known as well as unknown, including zero-days in real-time and without requiring third-party security tools is another important aspect. Built-in data protection is yet another important aspect. Data in all SaaS apps must be protected consistently and throughout the rest of the enterprise, across clouds and on-premises networks—basically wherever users and data reside for most consistent compliance controls and breach prevention.
The Palo Alto Networks team prides itself in continuous innovation. But innovation should be layered on top only when the base beneath it is perfected. Our current focus is on making sure a next-generation of CASB promises what it is meant to actually deliver. We are reinforcing the foundations of original CASB technology to solve pressing real-world problems that are most immediately relatable to customers—keeping up with new saas apps and staying on top of new emerging threats, new types of data and new types of channels where that data can be exchanged.
Lastly, we also believe in taking a single unified integrated platform approach for both security and data protection. One that scales at the pace of exploding SaaS.
Thank You for Joining Us on This Journey
Palo Alto Networks’s vision involves an all-encompassing Zero Trust approach to network security that is critical for safeguarding productivity in the modern reality, an approach that protects against emerging threats while enabling employee productivity and cloud adoption – and secure a world where any user can work anywhere without restrictions.
Read the first three blogs from this series where we break down what it takes to be a great CASB.
Securing SaaS applications requires a comprehensive and integrated platform approach that cannot be achieved through fragmented controls such as SWG, Next-Gen SWG, traditional CASB, and traditional DLP. These solutions also present complex deployment challenges, low security effectiveness, high cost of ownership and convoluted licensing models. Comprehensive SASE with integrated CASB is the future.
SASE with integrated CASB is the future. So looking ahead at vendor selection, you need to weigh up if that vendor simply has a NG SWG or a full SASE solution, how do the initial costs and deployment complexity compare, then the costs associated with the multiple facets of adoption, and finally hidden operational costs and maintenance fatigue that only come afterwards. We will help you avoid buyer's remorse by breaking this out for you.
Traditional CASB and NG SWG solutions offer a disjointed approach, one that is separate from the rest of your security infrastructure, policies and procedures. When planning for your enterprise security strategy, understanding the depth and breadth of your security tools is the way to quantify risks - you are only as strong as your lowest common denominator. Implementing standalone tools with weak security capabilities puts you at risk, creating gaps in policies and controls, and leaving your security team to pick up the slack.
To learn more about how Palo Alto Networks' integrated CASB addresses core cloud application challenges most organizations face today experience our product in action. Start a free product trial today!