Next-Generation CASB Redefines SaaS Security

In a SaaS model where a company’s applications and data reside beyond the corporate-controlled premises, on third-party infrastructure, taking a traditional approach to security is not enough.

Software as a service (SaaS) is a model in which a vendor remotely hosts and delivers software applications as a service to customers over the internet. This form of software delivery has become increasingly popular over the past decade as it allows companies to access and use a wide variety of applications on-demand in a “pay-as-you-go” manner, instead of having to build and maintain their own technology infrastructure in-house.

This growing demand for SaaS applications is also why Gartner, a leading research and advisory firm, forecasts that public cloud services will grow 18.4% in 2021 to total $304.9 billion, up from $257.5 billion in 2020. It further forecasts that the worldwide revenue for cloud application services (SaaS) alone will jump over 117 million in 2021. Most recently, collaboration applications like Slack, Zoom, Confluence and Jira have become instrumental in sustaining the business of modern distributed enterprises as their users work from any location.

But just as with traditional technology infrastructures, adopting and using SaaS applications can pose significant risks to a company, including:

  • Sensitive data being inadvertently exposed or lost, or being excessively shared, especially through the use of collaboration apps by an increasingly hybrid and remote workforce.
  • Data exfiltration and major data breaches.
  • Introduction of known and unknown threats such as vulnerabilities and propagating malware.
  • Prevalence of Shadow IT due to employees using applications that were never approved by the company’s IT department.
  • Risk of non-compliance with regulations and data privacy laws such as the European Union General Data Protection Regulation [GDPR], the Payment Card Industry Data Security Standard [PCI-DSS], ISO-27001, the Sarbanes-Oxley Act [SOX], the Health Insurance Portability and Accountability Act [HIPAA], and others.
  • Application downtime due to security breaches.

Thus, it’s important for a company to understand these risks and take steps to minimize them.


Next-Generation CASB Redefines SaaS Security

Many years ago, when a company wanted to protect its technology infrastructure, data and users, the approach was to deploy a variety of security tools throughout the network premises. But with cloud adoption, in a SaaS model—where a company’s applications and data reside on third-party infrastructure, and the company’s employees have the ability to access those applications anytime, anywhere, and from any device—just taking the traditional approach to security is not enough.

That’s because in a SaaS environment:

  • SaaS Chaos: Companies don’t have a way to monitor and control which applications are being accessed and used, and by whom. SaaS apps are growing exponentially in number, and many of them make their way into users’ hands without IT’s knowledge.
  • Data Ubiquity: Companies don’t have a way to monitor and control what data is being uploaded and downloaded, and where. These days large volumes of sensitive data are created in the cloud or stored and shared across an increasingly wide number of applications, and not just via a few apps as was initially the case.
  • Lack of Visibility: You can’t protect what you can’t see. A company’s network administrators don’t have visibility into the SaaS vendor’s technology infrastructure, or how the SaaS vendor stores and secures data. This means that many of the tools IT professionals use to secure a company’s on-premises technology either can’t be extended to or won’t work for SaaS applications. Plus, even if they could be extended, it’s almost impossible for a company to ensure effective SaaS security with layered point products anyway.

To compensate, companies have turned to Cloud Access Security Brokers (CASBs), or security policy enforcement points that sit between a cloud service provider and its users to deliver security policy controls for SaaS applications and enforce governance and data protection policies across diverse environments.

But standard CASB solutions are operationally complex and yield a high total cost of ownership. Being proxy-based, they are standalone and disjointed from the existing security infrastructure. And because they require complex traffic redirection from the network firewall and PAC agents, they are quite difficult to deploy and manage. Most importantly, these solutions don’t provide a unified data protection policy approach that consistently covers cloud applications, the physical network, the remote users, and all the endpoints. They solve only part of the problem, requiring organizations to add on a patchwork of additional tools, such as complex connections with on-prem DLP solutions, to get more holistic security. In addition, the user behavior of the post-pandemic hybrid workforce creates another concern for security teams. Any unapproved sharing or leaking of data, whether through negligent or malicious actions, can result not only in a data breach, but also in serious data privacy violations and non-compliance with regulations like GDPR.


Securing SaaS applications, sensitive data and your growing hybrid workforce with legacy, outdated approaches is daunting and riddled with risk. What organizations need today is a “Next-Generation CASB” as part of their SASE strategy. One that:

  • Secures applications and data beyond the corporate premises and in the cloud, as well as a growing hybrid workforce across remote locations.
  • Detects, monitors and protects sensitive data in transit between their company networks, users and the SaaS providers, and at rest when it’s stored on a variety of SaaS applications. Keeping today’s remote users who rely on collaboration apps to get work done front and center, a Next-Generation CASB must protect this family of sanctioned apps from becoming conduits of data exfiltration.
  • Facilitates regulatory compliance and prevents data leakage and excessive data exposure anywhere their regulated data moves and resides.
  • Monitors and manages user behavior and minimizes any potential security or “shadow IT” risks.
  • Doesn’t require a broker because it is seamlessly integrated with the existing security stack, and is therefore easy to deploy and doesn’t demand a high TCO.

Selecting the Right Security Vendor

Finding the right vendor to help your company secure its SaaS applications, data, and users across all locations shouldn’t be challenging. When it comes to your company’s security, you want the best security experts, professional guidance, and solutions you can get.

For more information on how to effectively bridge the SaaS security gap within your hybrid workforce with a next-generation CASB approach, visit: https://www.paloaltonetworks.com/network-security/saas-security
