SaaS Security: A Next-Generation Platform Approach
Compared with a standalone CASB, a next-generation security platform embraces SaaS as an extension of IT infrastructure to vastly minimize risk.
A cloud access security broker – commonly referred to as CASB – accesses cloud-based services, primarily focusing on addressing security gaps within highly collaborative software as a service (SaaS) applications, such as Box®, Dropbox™, GitHub, Google® Drive, and Salesforce.com®.
Businesses can deploy CASB as a SaaS application or on premises via a virtual or physical appliance form factor to gain centralized control of multiple cloud services concurrently – for any user or device – that would otherwise require individual management. CASBs consolidate multiple types of security policy enforcement, including authentication, single sign-on, authorization, credential mapping, device profiling, malware detection and so on.
Reducing risk in SaaS applications, where oftentimes organizations’ most sensitive data resides, is a keystone of securing enterprise IT infrastructures of the future. This has resulted in such a rapid evolution and adoption of the CASB market. However, while a useful tool to mitigate risks within SaaS environments, CASB often becomes another disparate, point security tool to administer, featuring operational complexity and increased costs that negatively impact IT administration overhead.
Alternatively, a natively integrated next-generation security platform – comprised of a next-generation firewall; a threat intelligence cloud; an application programming interface (API)-based SaaS security service; and advanced endpoint protection minimizes risk by enabling greater security and operational efficacy, with the added benefit of reducing the total cost of ownership.
What follows are primary CASB offerings, alongside a detailed analysis of inherent benefits and specific “value-add” that enterprises can experience when these measures are leveraged as part of an integrated, prevention-first, next-generation platform approach to security.
1. SaaS Visibility Reports
CASB SaaS application usage reports are helpful; however, because they are based on another vendor’s firewall logs, they only include IP/port information, rather than application-specific details. In addition, assigned SaaS application risk scores do not accurately represent risks related to specific SaaS applications. When leveraged alongside an integrated next-generation security platform, equipped with application-based user controls and policy implementation, enterprises gain visibility into all applications, across all ports, all the time. In addition, user-based access controls, another fundamental feature, provide visibility and control on a per-user basis. These details are then included in dedicated SaaS-application usage reports for complete visibility, without the need for additional operational spending.
2. SaaS Access Controls
CASB vendors must insert themselves between the user and the application to provide control over SaaS application access, likely providing a forward proxy or reverse proxy approach to their customers. Proxies move away from the native user experience of the SaaS applications, significantly impeding performance, in addition to passing along several other limitations to the user. Instead, businesses can leverage a security platform’s next-generation firewall to enforce granular policies at an application level to enable access only to sanctioned SaaS applications, eliminating the overhead of a proxy. The API-based element then takes it a step further, extending these protections and ensuring deeper contextual visibility into and control over cloud-based assets, regardless of the location or device being used to access the SaaS application.
3. Data-at-Rest Controls for SaaS
Similar to a CASB approach, the API-based component of a next-generation security platform leverages the API interface of a SaaS service provider to deliver data governance and security for data at rest within SaaS applications. Typically, once data is allowed into the cloud where the SaaS app resides, IT loses visibility and control, particularly when dealing with such circumstances as a remote user uploading a file to a SaaS application. The API-based platform component, however, provides additional context for data stored within the cloud. This context allows organizations to inspect the content, even retroactively, for threats and control access to shared data via contextual policy – a particularly useful feature in instances where permissions are automatically inherited, such as copying a file to a folder that is already shared publicly. Overall, the platform approach is poised to provide organizations with far better security when compared with a stand-alone CASB.
Building defenses with point products results in management overhead and complexity that leaves businesses exposed to the vast realm of increasingly sophisticated cyberthreats. An integrated, prevention-first, next-generation platform offers a highly differentiated approach to securing SaaS applications, allowing organizations to reduce the attack surface area, prevent threats and render unknown attacks known. Plus, the ability to share threat intelligence across all components of the platform provides full visibility into SaaS activity, regardless of access method, device or user, allowing organizations to embrace SaaS as an extension of their IT infrastructure to vastly minimize risk and improve overall security posture.