Contain the SaaS Explosion in Your Enterprise with a Redefined Approach to CASB

Working remotely is the new normal. But it has changed everything.

The worldwide move to remote work has undoubtedly demonstrated our ability to adapt and maintain business continuity and employee productivity. The availability of cloud-based SaaS apps have been instrumental in this shift, finding efficiency for the new world, but the increasing dependence has challenged every organization’s data security strategy.

During the early stages of the SaaS revolution, employees logged in mainly from standard in-person office sites, only used a handful of apps—and for a finite number of reasons. Fast forward to today, and thousands of purpose-made SaaS apps are available to support any role in an organization, and more are being created daily.

Since the pandemic, the SaaS sprawl has become a major challenge for IT teams, who vet and sanction a number of apps for authorized use. In fact, running a discovery of all approved SaaS apps across every team and department would uncover several hundred. With different employee teams using different apps based on their function, there is another category of apps paid for by the organization but not approved by IT and only “tolerated”. The numbers here run in the thousands.

Sanctioned and tolerated apps are only one half of the problem. Besides using them, well-intended employees end up circumventing the rules and using a number of unapproved SaaS apps to meet a business need. This becomes the other half of the problem. The practice of accessing unsanctioned apps creates Shadow IT problems, given that the unsanctioned apps are managed by the employees themselves without the explicit knowledge and approval of the IT department.

To be frank, in every enterprise, employees use more SaaS apps than assumed—the unsanctioned ones serve to further complicate the problem by tacking on hidden risks of data loss, expanding the threat landscape and widening SaaS governance problems. A significant shortcoming to note here is that employees can access any SaaS app—sanctioned, tolerated or unsanctioned—from their remote work-from-home sites without connecting to the corporate VPN connection.

Another case in point. All SaaS apps—whether sanctioned, tolerated or unsanctioned—run in the cloud, are delivered from the cloud, and therefore by definition, are highly distributed in countless cloud provider environments.

The clutter created by these apps is responsible for bringing every organization’s cloud-shift transformation to a critical crossroad. On the one hand, employees are unavoidably dependent on SaaS apps to get work done, while on the other, organizations at the cusp of transformation are finding themselves caught in a metaphorical storm of hundreds of apps “raining down” from different cloud provider environments.

The situation—aptly termed the “SaaS Chaos”—does not bode well for security.

For one, IT teams are fundamentally concerned about the lack of visibility into the true number of applications used by the workforce and the underlying risks and security posture of the apps themselves.

Secondly, as SaaS adoption continues to swell, so does the uploading, storing, and sharing of business information through these apps. Safe to say that most business data transferred through the apps is sensitive or proprietary in nature. While SaaS apps indeed make information easy to share between users and apps, their exploding numbers create a complex web of interactions that puts data security at extreme risk. The transfer of business data on unsanctioned apps is even more difficult for IT teams to monitor, given the lack of awareness of the app in use itself.

A third contributing factor is the user behavior of the employees, especially if they are remote. Remote employee user behavior is harder to supervise. Any transfer of data due to their non-compliant behavior can result in serious security violations putting the organization at high risk of data loss.

Managing the SaaS chaos to protect your data requires a redefined approach to security that keeps pace with exponential SaaS growth.

A single, consistent SaaS security offering must protect users, apps, and data in a manner that is clear, comprehensive, and easy. It should alleviate the IT team’s shadow IT burdens by automatically allowing them full sight and thorough control over all their shadow IT risks. Providing the broadest API support to control the largest number of sanctioned SaaS apps, it should maintain compliance consistently in the cloud while preventing the ever-evolving threats to sensitive information.

And most of all, a disruptive SaaS Security offering should be easy to implement and manage, without adding unnecessary complexity and costs for infrastructure or security teams. Unlike today’s legacy approaches such as Cloud Access Security Brokers (CASB), Secure Web Gateways (SWG), and built-in SaaS security capabilities, a redefined approach to SaaS security should provide integrated and holistic defense that does not depend on point controls.

The explosion of SaaS in your enterprise may be complex but containing it using a new approach to security can be simple. Stay tuned to learn more about how Palo Alto Networks is redefining SaaS Security.