What are the Pros and Cons of CASB for SaaS Security?

Cloud Access Security Broker (CASB), as the name suggests, was introduced to “broker” the connection between users and cloud services and act as a control point to apply security policies.  The term is believed to have been coined by Gartner in 2012, and the first products started hitting the market the following year. At the time, cloud services were still considered to be questionable and had not gained mainstream acceptance. CASBs were valuable to security teams because they helped discover shadow IT cloud services.  

The world has changed markedly since 2012. SaaS now dominates cloud services, and CASBs have become the key control point in modern security architectures to help monitor and control the risk of companies, most of which use hundreds of SaaS applications. With the sheer volume of SaaS applications companies now use, CASBs have evolved to become Internet access gateways and reverse proxy solutions to control access to internal and external applications.  

Though widely viewed as the best solution to discover and control SaaS usage, CASBs do have limitations. For example, they cannot detect SaaS usage from unmanaged devices or from users who are not on the corporate network. CASB technology was developed when the number of SaaS applications was far smaller and people almost always worked on a corporate network. So how does a CASB improve enterprise security?

What Problem Does a CASB Solve?  

When purchasing any security product, it is important to start with the business objectives and the problem that you are trying to solve.  CISOs increasingly place importance on partnering with businesses and enabling the company’s workforce to be more productive rather than securing the enterprise at all costs. So that means creating a security architecture that allows users to use the best SaaS application available to do their job.  

The business objective needs to be balanced by the security objectives, which are:

– Discover and monitor SaaS usage for every employee, especially for those the employee acquires on their own

– Control or terminate SaaS access where appropriate, e.g., employee offboarding

– Apply the appropriate data governance policies to data being used or stored in SaaS applications

CASBs today help with all three of these objectives, but they are incomplete as a solution. The original purpose of a CASB was to discover unsanctioned SaaS applications when companies were operating with a walled garden model. Digital transformation has changed all of that. Workers are spread around the world, connected over a simple Internet connection and using both managed and unmanaged devices. This fundamental shift in the underlying infrastructure has created challenges for CASBs because their technology foundation assumes that workers are on the company network and that the company has visibility into their network traffic.

How Does a CASB Discover SaaS? 

Effective SaaS security begins with discovery, and for CASBs, that means collecting and analyzing network traffic. A CASB does not strictly need to be inline with the traffic to discover SaaS, but the platform-focused vendors do require an inline deployment in order to control access to the SaaS application. Being inline also allows them to monitor the data that flows to and from the SaaS application over its lifecycle.

Collecting this data means that a CASB must collect network traffic for every user, and this is usually done with a physical or virtual network device that acts as a gateway to the Internet and SaaS applications. The latest industry thinking is for a CASB to be part of what Gartner calls a Security Service Edge (SSE), which is a combination of a CASB, secure web gateway (SWG), cloud firewall, and zero trust network access (ZTNA). This approach merges SaaS security with network security, meaning that you cannot have one without the other. 

This makes sense from an enterprise-centric perspective, where the enterprise is the castle and cybersecurity’s main purpose is to protect the assets or applications the company controls: endpoints, data, infrastructure, services. Where it breaks down is when the company does not control the asset or application, which is the case with SaaS. If an employee creates an account for a new SaaS application and saves data to that application while not on the “virtual corporate network,” that usage is invisible to the security team. What happens when that employee is no longer with the company? Access cannot be turned off. What SSE fails to do is control access to unsanctioned SaaS applications, which is a huge blind spot.

Standalone CASB or Security Service Edge (SSE)?

Taking the SSE approach to deploying a CASB is a multi-year journey for most medium to large enterprises.  It is a complete transformation that includes new network and security architectures, vendor integrations, and operating procedures. Deploying a standalone CASB is easier, but it will still take months since it requires a change to a company’s network infrastructure and complicates any changes to network topologies. For example, the best location to collect network traffic data for a CASB is from the firewall. So if there is any change that requires a firewall to move or be added to the network, the CASB data collection and backhaul will need to be architected into the change.  

What is the CASB Alternative? 

SaaS security platforms (SSPs) like Grip have emerged as a great solution to augment CASBs. These platforms are agent-less and are not required to be inline with network traffic to discover, control access, and govern data used in SaaS applications. They cover the same use cases but are faster to deploy and operate.  

SSPs take a fundamentally different approach by integrating with the SaaS application and IAM systems to understand who the user is and the authentication method. Grip stands out among SSPs by using a proprietary discovery method that detects more than 5X more SaaS applications than CASBs. With a complete inventory of all SaaS applications being used by every employee, SSPs remove the SaaS blindspot that exists today.  
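The difference between the two discovery models described in the last two sections (network-based discovery from gateway traffic versus identity-based discovery from IdP and SaaS sign-in records) can be made concrete with a small added example. This is illustrative code written for this article, not Grip’s product or any CASB vendor’s code; the log lines, user names, app domains and the sanctioned-app list are all constructed placeholders.

```python
"""Added example: compare what a network gateway sees with what identity
records reveal. All log lines, users and domains below are constructed."""
from collections import defaultdict

# Constructed proxy/gateway log lines: a CASB only sees traffic that crossed
# the corporate gateway. Carol works off-network, so she never appears here.
PROXY_LOGS = [
    "user=alice src=corp-net dst=app.sanctioned-crm.example",
    "user=bob   src=corp-net dst=files.unsanctioned-share.example",
    "user=alice src=corp-net dst=app.sanctioned-crm.example",
]

# Constructed identity-side records (IdP audit log / SaaS user lists): who
# authenticated to which app and how, regardless of the network used.
IDENTITY_EVENTS = [
    {"user": "alice", "app": "app.sanctioned-crm.example", "auth": "sso"},
    {"user": "carol", "app": "notes.unsanctioned-ai.example", "auth": "password"},
    {"user": "bob", "app": "files.unsanctioned-share.example", "auth": "password"},
]

SANCTIONED = {"sanctioned-crm.example"}  # constructed allowlist


def base_domain(host):
    """Reduce a hostname to its registrable-looking base (toy: last two labels)."""
    return ".".join(host.split(".")[-2:])


def discover_from_proxy(lines):
    """Network view: apps per user, only for flows that traversed the gateway."""
    seen = defaultdict(set)
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen[fields["user"]].add(base_domain(fields["dst"]))
    return dict(seen)


def discover_from_identity(events):
    """Identity view: apps per user from sign-in/sign-up records."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(base_domain(ev["app"]))
    return dict(seen)


def blind_spots(proxy_view, identity_view):
    """Unsanctioned apps known from identity data but never seen on the network."""
    gaps = {}
    for user, apps in identity_view.items():
        missing = {a for a in apps - proxy_view.get(user, set()) if a not in SANCTIONED}
        if missing:
            gaps[user] = missing
    return gaps


def unrevocable_accounts(events, departed):
    """Accounts a departed user holds outside SSO: disabling the IdP account does
    not close these, so offboarding must handle them separately."""
    return sorted((ev["user"], base_domain(ev["app"]))
                  for ev in events if ev["user"] in departed and ev["auth"] != "sso")
```

Running `blind_spots(discover_from_proxy(PROXY_LOGS), discover_from_identity(IDENTITY_EVENTS))` reports Carol’s off-network app, which the gateway never saw, and `unrevocable_accounts(IDENTITY_EVENTS, {"bob"})` lists the password-based account that an IdP deprovisioning alone would leave open.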


Modern CISOs understand that SaaS usage in their companies is growing. They also want to ensure that they are working with business leaders to enable the workforce to be as productive as possible, and many are considering CASBs to help them secure their SaaS applications. Though CASBs are effective up to a point, they are not the complete solution for the SaaS security risks of today’s world of remote workers and a constant stream of new SaaS applications.

Enterprise security is improved, but there are still huge blindspots that are not covered. For today’s environment, CISOs need a security platform that has been purpose built to solve the SaaS security problem in the best way possible without the drawbacks of technical requirements that were defined to solve a problem using an outdated paradigm. 

Grip’s SaaS security control plane helps easily detect and identify shadow SaaS. To learn more about our SSCP, schedule your FREE SaaS risk assessment today.

*** This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: