This blog is the first of a series that will guide the reader through technology requirements, product comparisons and recommendations in order to cut through the vendor fluff and determine what is really needed to secure your enterprise in a cloud enabled world. We will also discuss the frameworks of modern SASE and its improved approach over fragmented legacy solutions such as SWG, Next-Gen SWG, traditional CASB, and Traditional DLP, with a look to the future of the required next-generation capabilities. Join us in this multi-part series on CASB and what is needed to put you back in the driver's seat. Let’s get started.
Why True Next Gen is SASE with Integrated CASB
What we have learned during this pandemic is that the cloud is here to stay. With the adoption of a new work-from-anywhere business model that organizations had to embrace, cloud applications have been proved to be one of the easiest and most efficient ways to keep running our businesses in and out of the premises, even from people’s homes.
We have also learned that keeping our businesses secure from cyber-threats has suddenly become very challenging as sensitive information is increasingly stored and shared across a growing number of public cloud services. In many cases highly sensitive data is created by employees directly in the cloud and not necessarily transferred to it from the on-prem infrastructure, and this trend certainly doesn’t seem to stop.
Securing SaaS applications requires a comprehensive and integrated platform approach that cannot be achieved through fragmented controls such as SWG, Next-Gen SWG, traditional CASB, and traditional DLP. These solutions also present complex deployment challenges, low security effectiveness, high cost of ownership and convoluted licensing models. Comprehensive SASE with integrated CASB is the future.
Did someone mention SWG? Gateways aren’t enough
The difficult task for cybersecurity providers is to enable security and data protection for their customers beyond the traditional premises in a more cloud-centric digital environment.
However many security vendors are struggling to do so because they are lacking comprehensive platforms, shared intelligence, and frankly have a limited view meaning it's impossible to rapidly scale their products. A vendor offering a single solution may bring in an innovative feature, but lack context into the full threat landscape, making it difficult to adequately keep up.
Other approaches swim upstream, moving the attention back to solutions that only solve part of the problem like, next-gen secure web gateways (next gen, sounds familiar...). Gateways are not enough in a corporate world with encrypted channels and APIs. Such solutions in fact only take into account some of the traffic that is traversing the network edge. But what about all the data that today is born and lives in the cloud, that may be exposed in SaaS applications, accessed by unintended users and by unmanaged devices and therefore is at the complete mercy of cyber-adversaries. As more and more data lives in the cloud, security should shift towards a methodology that also integrates within the different SaaS and public cloud providers.
SWG is not the only answer here, you still need a great CASB as they solve different problems - securing traffic traversing the internet edge and securing data within SaaS applications. This is the way to go.
Have you thought about data protection?
Data protection must be taken into account when developing an enterprise security strategy for the cloud-enabled enterprise because sensitive data leaves the corporate premises and is exponentially exposed in the cloud. An effective data protection approach must encompass every environment and every possible egress point for data including SaaS applications, IaaS, data centers, branches and remote workers.
SWGs don’t provide native integration with enterprise data loss prevention and basically only look for threats, letting confidential data flow unsupervised in and out the network. Integration with 3rd party enterprise DLP solutions is complex and costly to implement and doesn’t come without limitations. Traditional CASBs only provide cloud data protection but have similar challenges when it comes to integration with enterprise DLP solutions.
Traditional CASB Needs to Evolve
Cloud access security brokers surely offer a more comprehensive approach to cloud application security than SWG, as they take into account both inline traffic and what lives already across SaaS applications and other public cloud services. The SWG use case is naturally part of a multimode CASB, and not the other way around.
CASB solutions however have their own challenges. Most of all, they are disjointed from the rest of the infrastructure and have to rely on on-prem components that create deployment and integration complexity.
New Generation of CASB?
As global cybersecurity leaders, at Palo Alto Networks we strongly believe in security consolidation and integration rather than piecemeal approaches. Modern organizations can fight adversaries more effectively through a comprehensive security strategy that lays its foundations on interconnected components. Control points on prem, in the cloud or for the cloud should share threat intelligence, offer cloud scalability, ease of integration and unification of consoles. With the increased adoption of cloud services, this approach needs to expand in the cloud more so.
Traditional CASB needs to evolve into next-generation CASB, an integrated solution that doesn’t need extra components in order to gather traffic logs from the network and from user devices, a solution that is integrated and not disjointed, that extends highly reliable threat prevention and data security capabilities towards and into SaaS applications and that ensures consistency across the entire enterprise.
Where to Next, SASE?
For those looking to secure the internet edge at large traditional sites like campus and datacenter, the NGFW is still your only real option, offering all the capabilities of SWG with much higher security efficacy and no limitations. At the branch and for remote workers, it's SASE, which offers the broadest coverage and is superseding SWG. For Cloud-native environments its Cloud Security Posture Management offers consistent vendor neutral security for all cloud providers. And of course, to secure applications its CASB.
The one thing tying all these together is the security they offer, all locations should be able to block the same threats everywhere and protect data consistently anywhere it flows and it’s stored, so you are not left gap filling security policy, console hoping to assess risk and manage day-to-day, or creating an inconsistent poor user experience that leads to a higher and invisible attack surface.
Join us on this journey
Palo Alto Networks’s vision involves an all-encompassing Zero Trust approach to network security that is critical for safeguarding productivity in the modern reality, an approach that protects against emerging threats while enabling employee productivity and cloud adoption – and secure a world where any user can work anywhere without restrictions.
Join us in the coming week as we break down what it takes to be a great CASB.
SASE with integrated CASB is the future. So looking ahead at vendor selection, you need to weigh up if that vendor simply has a NG SWG or a full SASE solution, how do the initial costs and deployment complexity compare, then the costs associated with the multiple facets of adoption, and finally hidden operational costs and maintenance fatigue that only come afterwards. We will help you avoid buyer's remorse by breaking this out for you.
Traditional CASB and NG SWG solutions offer a disjointed approach, one that is separate from the rest of your security infrastructure, policies and procedures. When planning for your enterprise security strategy, understanding the depth and breadth of your security tools is the way to quantify risks - you are only as strong as your lowest common denominator. Implementing standalone tools with weak security capabilities puts you at risk, creating gaps in policies and controls, and leaving your security team to pick up the slack.
- Blog 4: A fresh approach to achieve the best defense for your SaaS apps
Security teams are challenged with protecting an ever-increasing number of sanctioned and unsanctioned SaaS applications, while at the same time stopping ever-evolving cloud threats to their sensitive information, their users and their resources. Traditional CASB vendors don’t innovate their outdated capabilities to address modern requirements, yet they focus on marketing buzz announcing new features for their products. CASB solutions need to get better at covering the bases of SaaS security first. A fresh approach is required.
To learn more about how Palo Alto Networks' integrated CASB addresses core cloud application challenges most organizations face today, get a copy of the "Evolution of Cloud Access Security Brokers" white paper.