Overcoming the SaaS Security Piecemeal Approach

In this blog, we go over the pitfalls of taking a piecemeal approach to securing SaaS. Traditional CASB and NG SWG solutions offer a disjointed approach, one that is separate from the rest of your security infrastructure, policies and procedures. Implementing standalone tools with weak security capabilities puts you at risk, creating gaps in policies and controls, and leaving your security team to pick up the slack.

When planning for your enterprise security strategy, understanding the depth and breadth of your security tools is the way to quantify risks—you are only as strong as your lowest common denominator.

This is the third blog of a series that guides the readers through technology requirements, product comparisons and recommendations to determine what is really needed to secure your enterprise in a cloud-enabled world. If you missed the second blog of the series “Understanding the Total Cost of Ownership When Purchasing a CASB”, you can find it here.


Security practitioners today are faced with the difficult task of chasing new security risks, threats and new threat vectors that arise on the horizon every other day. Their organizations have expanded outside of the margins of the headquarters, where in years past, network security tools were simply enough to keep the good stuff in and prevent the bad stuff from getting inside.

In today’s digitally transformative climate, as organizations continue to adopt cloud services, their employees are becoming more distributed across branch offices and unmanaged remote locations, and the unmanaged devices they use to get work done can easily access corporate cloud services. On top of that, sensitive corporate data like PII and intellectual property is transferred, used, created and shared more and more through public cloud services like SaaS applications.

Security teams have been taking the security issues arising from these new trends very seriously and are trying to find ways to extend protections outside of the corporate premises—especially to the cloud. Taking advantage of this trend, many new security vendors have emerged in recent years after realizing the opportunity to sell cloud security services.

By the same token, cloud-based secure web gateways (SWG) came to the rescue as a logical means to protect all users, including those in the branches and those working remotely, as they access web services. At the same time, organizations are leaning more and more towards using hundreds of SaaS applications today, causing what is aptly called the SaaS explosion.

With vast volumes of data now residing in the cloud, the thought process around security should shift towards a methodology that also integrates within the different SaaS and public cloud providers. Today, standard gateways are simply not enough to help usher in the mind shift in an enterprise ecosystem that must take into account encrypted channels and APIs. And while the next generation of SWG only added more capabilities, interestingly, its limitations in use cases and coverage have stayed the same.
Such solutions can only see the traffic that is traversing the network edge (and not even all of it). But what about all the data that is born and lives in the cloud today, that may be exposed in SaaS applications, accessed by unintended users and by unmanaged devices? Data that is at the complete mercy of cyber-adversaries?

These questions have justified the advent of CASB-only vendors. CASB architecture is in fact based on an inline gateway (yes, another gateway) and APIs to secure specific cloud services. Given that, SWG or the newer Next-Generation SWG can only be considered a subset of what a CASB can deliver.

The problem with standalone CASB, SWG and NG-SWG is that point controls are difficult to manage and end up creating only “piecemeal security” with inconsistent coverage of policies because security teams need to add them on top of their existing network security defense (NGFW). Security practitioners end up dealing with policies that are different between their on-premises network tools and their cloud security tools, and often even from app to app. They then have to define these policies in different places and manage incident response in an inconsistent way. As new threats or new compliance regulations come into place, they have to keep defining novel policies and rules in all these different places.

The other problem is that CASB products (and more so the SaaS application-native security features) offer basic security capabilities that are limited in breadth and depth. Such solutions are not designed to detect the endless variants of threats that adversaries are constantly creating to evade security systems. 3rd-party security tools like sandboxing solutions are often required to fill these huge gaps. Practically, organizations will have great network security defense (NGFW) but weak cloud security. And you are only as strong as your lowest common denominator.

When it comes to data loss prevention, CASB and SWG are limited to cloud environments only, and certainly don’t offer an enterprise-grade data protection implementation, potentially creating just lots of false positives. Organizations are required to deploy separate DLP solutions for their on-premises environments that are different from their cloud data protection tools.

Organizations need a new approach to security and data protection solutions that:

  1. Is consistent across every environment and offers best-in-class capabilities ensuring high accuracy in detecting new threats and new data leaks.
  2. Consistently protects data everywhere throughout the organization, stops risky shadow IT, and aids in compliance uniformly across all applications, on-premises and in the cloud.
  3. Offers shared intelligence across all these security controls and even across the global user community. This capability needs to be factored as a must-have as it is much needed in today’s world. Crowdsourcing a shared intelligence allows one to automatically and constantly keep up with new threats, emerging SaaS applications and new anomalous behavior.

SASE with integrated CASB is the way to go. Palo Alto Networks is the only vendor that provides a comprehensive integrated framework to deliver consistent security across every network, cloud and user. Covering all on-premises and all SaaS applications in the same way, our integrated solution natively integrates Enterprise DLP and the most comprehensive suite of security services with the Next-Generation Firewall and Prisma Access to consistently protect data and ensure compliance, while stopping all unknown and known threats across all discovered SaaS applications.

Join Us on This Journey

Palo Alto Networks’s vision involves an all-encompassing Zero Trust approach to network security that is critical for safeguarding productivity in the modern reality, an approach that protects against emerging threats while enabling employee productivity and cloud adoption—and secures a world where any user can work anywhere without restrictions.

Join us in the coming week as we break down what it takes to be a great CASB.

Blog 4: A fresh approach to achieving the best defense for your SaaS apps
Security teams are challenged with protecting an ever-increasing number of sanctioned and unsanctioned SaaS applications, while at the same time stopping ever-evolving cloud threats to their sensitive information, their users and their resources. Traditional CASB vendors don’t innovate their outdated capabilities to address modern requirements, yet they focus on the marketing buzz announcing new features for their products. CASB solutions need to get better at covering the bases of SaaS security first. A fresh approach is required.