Understanding the Total Cost of Ownership When Purchasing a CASB

In this blog, we go over technology requirements, implementation and costs of traditional Cloud Access Security Brokers (CASB). We also discuss product comparisons and recommendations of a modern integrated CASB with comprehensive SASE for simpler, better and more cost-effective security—one that offers an improved approach over fragmented legacy solutions such as Secure Web Gateways (SWG), Next-Gen SWGs, traditional CASB, and traditional Data Loss Prevention (DLP) solutions.
This is the second blog of a series that guides the reader through technology requirements, product comparisons and recommendations in order to cut through the fluff and determine what is really needed to secure your enterprise in a cloud-enabled world. If you missed the first blog of the series, Beyond Next Gen SWG, A NEW ERA OF CASB, you can find it here.


The Origins of CASB

The wide adoption of Software-as-a-Service (SaaS) applications in the last decade has pushed many organizations to look for security solutions that could protect their sensitive data and their users in cloud environments. Compliance requirements have also been a big driver for security investments in cloud applications as regulated data has been increasingly stored and exposed across a variety of SaaS applications.

First defined in 2012 by Gartner, a cloud access security broker, or CASB, has quickly become a solution of choice for cloud application security. In fact, a CASB consolidates multiple types of security policy enforcement and several key capabilities in order to regulate the use of cloud resources, assess cloud application risks, mitigate shadow IT problems and protect data from cloud-based threats.

Back in those days, a few vendors rode the wave, delivering CASB products to address the needs of the cloud-first era, establishing themselves as leaders in the space.

Today’s Limitations of Legacy CASB

Since the CASB’s inception about a decade ago, the world has changed dramatically, while not much has changed in the CASB approach and its original architecture. Some new trends and security challenges include the explosive growth of risky unsanctioned SaaS applications, the increased sophistication of cloud-based threats, the new work-from-anywhere business practices, the global expansion of modern enterprises, the incredible ubiquity of data, new data privacy regulations and more unpredictable user behaviors. In all of this, traditional CASB solutions have become point products that only address part of the problem. Most importantly, their old architecture forces organizations today to bear high costs of ownership.

The Middleman

Let’s start with the name: cloud access security broker. That’s right, CASB is another broker, or an additional gateway that you need to consider to route corporate traffic to the cloud. In a modern, highly distributed enterprise with multiple sites and mobile users, this approach becomes difficult to scale, costly and, therefore, unsustainable.

But let’s rewind and analyze step by step the legacy CASB methodologies that are still in use today:

The Cost of Ownership of an Outdated Architecture
  • The Layering of Log Collectors: When CASB vendors first started looking at the problem, they took the easy approach. Customers were asked to use firewalls on-premises to gather logs or to place a log forwarder appliance and send these logs to a CASB service. The CASB service then creates a Shadow IT report showing applications that customers didn’t know their users were accessing on their network.
  • The Complexity of Traffic Redirections: The next step was to add a traffic forwarder appliance or to spend countless hours forwarding the firewall traffic to the CASB cloud-based proxy in order to enforce policy in-line, not without many failures along the way.
  • The Collection of Identities: Next, because the policies need to be user-aware, customers needed to add an AD connector to start enforcing policies by user ID or AD Group, which requires another appliance.
  • The Deployment of Endpoint Agents: Also, since CASB products use a proxy, PAC files may have to be pushed out to all the users' machines. This was already a challenge when organizations were all based on a single on-premises location. With multiple sites, you have to duplicate this infrastructure over and over again. Today, with users also working from remote locations, customers have to deal with extra endpoints that need PAC file installations or possibly even additional VPN agents to route their traffic through the cloud-based proxy.

The high cost of such a complex deployment, the man hours spent to make the system work and the maintenance costs to keep up with this architecture are just part of the equation. In fact, gateways are not enough in a corporate world with encrypted channels and APIs.

A lot of data today is generated in the cloud, across hundreds of SaaS applications. Such data can be accessed by illegitimate users and by unmanaged devices and be exposed to cyber-adversaries. With that in mind, CASB solutions also provide APIs to connect out-of-band directly to a number of SaaS applications, with the ability to scan them for threats and to protect data at-rest. That’s why SWG or the new so-called Next-Generation SWG can only be considered a subset of what a CASB can deliver.

The Costs of CASB API Licensing

Now, when it comes to CASB API licensing costs, unfortunately many vendors still charge per application (like Office 365, Salesforce or Box), in addition to a per-user licensing meter. This may have made sense in the beginning when organizations started adopting one or two SaaS applications, but today enterprises use hundreds of different SaaS apps across their business. The CASB costs per API are illogical in the modern world and can easily become unsustainable for many businesses.

The Additional Costs of a Broken Security Approach

Complex deployments, outdated architecture and licensing costs are not the only problem with legacy CASBs. There are many other hidden costs to take into account for CASB solutions, such as:

  • Their security capabilities are quite basic and limited in breadth and depth, certainly not designed for the modern, ever-evolving threat landscape. Often they require the adoption of third-party security tools, like sandboxing products, to detect new threats.
  • Their data protection implementation is not enterprise-grade and is limited to cloud-based data only. Organizations are forced to purchase expensive on-prem Enterprise DLP solutions in addition to the CASB DLP in order to protect their sensitive data across every environment. And because they can’t deal with disparate policies and consoles between on-prem DLP and CASB DLP, they have to work out ICAP integrations or use cloud connectors, which are usually unreliable approaches.
  • They rely on a reactive Shadow IT discovery, that is, a signature-based approach for SaaS applications via libraries that are often populated out of context and in retrospect, rather than leveraging a global community to inform a proactive mechanism to uncover emerging applications and risks before they become real problems.
  • Their cloud-based proxy doesn’t see all traffic, and only addresses web-based protocols. Apps like BitTorrent, Tor, FTP and private VPNs all completely bypass the proxy and are an equally valid method of data exfiltration.

Securing cloud-enabled organizations requires a comprehensive and integrated platform approach that cannot be achieved through fragmented controls such as SWG, Next-Gen SWG, traditional CASB, and traditional DLP. These solutions also present complex deployment challenges, low security effectiveness, high cost of ownership and convoluted licensing models. Comprehensive SASE with integrated CASB is the future.

Palo Alto Networks Leads the Next CASB Generation

Palo Alto Networks SaaS Security has been designed and architected for the modern world. Released in May 2021, it is the first integrated CASB that automatically sees and secures new SaaS applications, protects data and prevents zero-day threats across the enterprise, at the lowest TCO.

    • It’s seamlessly integrated directly with the Palo Alto Networks firewall platforms (NGFW and Prisma Access) eliminating the legacy CASB requirements to deploy another gateway for in-line security, log collectors, unnecessary traffic redirections from the firewall to the proxy, PAC agents etc.
    • Its App-ID technology crowdsources the PANW global community and uses ML to provide continuous discovery, categorization, and control of new and emerging SaaS applications.
    • Its DLP service is enterprise-grade, natively integrated across SaaS in-line, SaaS API, IaaS, on-prem networks, branch offices and remote workforces.
    • It delivers advanced security and ML-based attack prevention, trained by the largest datasets to stop new and unknown threats, which means that it doesn’t require third-party security tools.

This approach results in a 5x time saving to deploy compared to traditional CASB products and up to 50% lower TCO based on a lean architecture.

Join Us on This Journey

Palo Alto Networks’ vision involves an all-encompassing Zero Trust approach to network security that is critical for safeguarding productivity in the modern reality, an approach that protects against emerging threats while enabling employee productivity and cloud adoption, and that secures a world where any user can work anywhere without restrictions.

Join us in the coming week as we break down what it takes to be a great CASB.

      • Blog 3: Overcoming the SaaS Security piecemeal approach

Traditional CASB and NG SWG solutions offer a disjointed approach, one that is separate from the rest of your security infrastructure, policies and procedures. When planning for your enterprise security strategy, understanding the depth and breadth of your security tools is the way to quantify risks: you are only as strong as your lowest common denominator. Implementing standalone tools with weak security capabilities puts you at risk, creating gaps in policies and controls, and leaving your security team to pick up the slack.

      • Blog 4: A fresh approach to achieve the best defense for your SaaS apps

Security teams are challenged with protecting an ever-increasing number of sanctioned and unsanctioned SaaS applications, while at the same time stopping ever-evolving cloud threats to their sensitive information, their users and their resources. Traditional CASB vendors don’t innovate their outdated capabilities to address modern requirements, yet they focus on marketing buzz announcing new features for their products. CASB solutions need to get better at covering the bases of SaaS security first. A fresh approach is required.