SaaS SECURITY: A Next-Generation Platform Approach

A cloud access security broker – commonly referred to as CASB – accesses cloud-based services, primarily focusing on addressing security gaps within highly collaborative software as a service (SaaS) applications, such as Box®, Dropbox™, GitHub, Google® Drive, and®.

Businesses can deploy CASB as a SaaS application or on premises via a virtual or physical appliance form factor to gain centralized control of multiple cloud services concurrently – for any user or device – that would otherwise require individual management. CASBs consolidate multiple types of security policy enforcement, including authentication, single sign-on, authorization, credential mapping, device profiling, malware detection and so on.

Reducing risk in SaaS applications, where organizations’ most sensitive data often resides, is a keystone of securing enterprise IT infrastructures of the future. This has driven the rapid evolution and adoption of the CASB market. However, while a useful tool to mitigate risks within SaaS environments, a CASB often becomes another disparate point security tool to administer, featuring operational complexity and increased costs that negatively impact IT administration overhead.

Alternatively, a natively integrated next-generation security platform – comprised of a next-generation firewall; a threat intelligence cloud; an application programming interface (API)-based SaaS security service; and advanced endpoint protection – minimizes risk by enabling greater security and operational efficacy, with the added benefit of reducing the total cost of ownership.

What follows are primary CASB offerings, alongside a detailed analysis of inherent benefits and specific “value-add” that enterprises can experience when these measures are leveraged as part of an integrated, prevention-first, next-generation platform approach to security.

1. SaaS Visibility Reports

CASB SaaS application usage reports are helpful; however, because they are based on another vendor’s firewall logs, they only include IP/port information, rather than application-specific details. In addition, assigned SaaS application risk scores do not accurately represent risks related to specific SaaS applications. When leveraged alongside an integrated next-generation security platform, equipped with application-based user controls and policy implementation, enterprises gain visibility into all applications, across all ports, all the time. In addition, user-based access controls, another fundamental feature, provide visibility and control on a per-user basis. These details are then included in dedicated SaaS-application usage reports for complete visibility, without the need for additional operational spending.


2. SaaS Access Controls

CASB vendors must insert themselves between the user and the application to provide control over SaaS application access, likely providing a forward proxy or reverse proxy approach to their customers. Proxies move away from the native user experience of the SaaS applications, significantly impeding performance, in addition to passing along several other limitations to the user. Instead, businesses can leverage a security platform’s next-generation firewall to enforce granular policies at an application level to enable access only to sanctioned SaaS applications, eliminating the overhead of a proxy. The API-based element then takes it a step further, extending these protections and ensuring deeper contextual visibility into and control over cloud-based assets, regardless of the location or device being used to access the SaaS application.

3. Data-at-Rest Controls for SaaS

Similar to a CASB approach, the API-based component of a next-generation security platform leverages the API interface of a SaaS service provider to deliver data governance and security for data at rest within SaaS applications. Typically, once data is allowed into the cloud where the SaaS app resides, IT loses visibility and control, particularly when dealing with such circumstances as a remote user uploading a file to a SaaS application. The API-based platform component, however, provides additional context for data stored within the cloud. This context allows organizations to inspect the content, even retroactively, for threats and control access to shared data via contextual policy – a particularly useful feature in instances where permissions are automatically inherited, such as copying a file to a folder that is already shared publicly. Overall, the platform approach is poised to provide organizations with far better security when compared with a stand-alone CASB.


Building defenses with point products results in management overhead and complexity that leaves businesses exposed to the vast realm of increasingly sophisticated cyberthreats. An integrated, prevention-first, next-generation platform offers a highly differentiated approach to securing SaaS applications, allowing organizations to reduce the attack surface area, prevent threats and render unknown attacks known. Plus, the ability to share threat intelligence across all components of the platform provides full visibility into SaaS activity, regardless of access method, device or user, allowing organizations to embrace SaaS as an extension of their IT infrastructure to vastly minimize risk and improve overall security posture.


Ignite 2017 Vancouver