What Is a CASB? Conventional Versus Next-Generation CASB Explained

Years ago, companies typically kept all their applications and data in a single on-site data center. In this environment, companies had complete visibility into and precise control over who was accessing their applications and data—and when—as well as which devices (typically desktop or laptop computers) were being used to access them.

What Is CASB Security?

Over time, as companies moved their data to the cloud and began using cloud services such as SaaS applications, they discovered they no longer had insight into who was accessing and using their cloud applications and data, nor—thanks to the advent of mobile technologies such as laptops and smartphones—the devices being used to access these cloud services.

This lack of visibility made it difficult for companies to protect their data and opened them up to a host of enterprise security risks, such as shadow IT, data breaches, regulatory noncompliance, malware, ransomware and more.

To address these cloud security and enterprise security challenges, vendors developed what is known as cloud access security broker (CASB) technology.

Cloud Access Security Brokers and SASE

Today, cloud access security brokers, or CASBs, are one of the key cloud security capabilities that make up a comprehensive SASE solution. Serving as security policy enforcement points that sit between a cloud services provider and its users, CASBs help organizations discover where their data is across multiple software-as-a-service (SaaS) applications, and when it’s in motion across cloud services environments, on-premises data centers, and mobile workers. A CASB also enforces an organization’s security, governance, and compliance policies, allowing authorized users to access and consume cloud applications while enabling organizations to effectively and consistently protect their sensitive data across multiple locations.

Conventional CASBs Have Limitations

A conventional CASB solution offered by CASB vendors fails to adopt new cloud applications quickly because it relies on static application libraries that are manually populated. Modern collaboration apps such as Slack, Zoom, Confluence and Jira, where users today spend most of their time sharing sensitive information, are typically not covered by its API protections. A traditional CASB solution offers basic cloud security capabilities that are limited in breadth and depth, providing only piecemeal cloud security. For example, its data loss prevention capabilities are quite basic and inaccurate, cover only data security in the cloud, and are detached from enterprise data loss prevention. It also lacks the essential threat protection mechanisms that detect the endless threat variations cybercriminals constantly create as they target SaaS applications.

When first introduced, the CASB was designed as a stand-alone, proxy-based point solution that remained disjointed from the rest of the security infrastructure. The issue with proxy-based CASBs is that they require complex traffic redirection from the network firewall with proxy auto-configuration (PAC) agents and log collectors, causing significant architectural and operational complexity together with a high cost of ownership.

Enterprises today can’t keep up with the rapid growth of SaaS applications and shadow IT, the ubiquitous growth of data, or the increasing numbers of hybrid and remote workers. To keep pace with the changes and challenges of these times, enterprises need a Next-Generation CASB solution in their SASE architecture to safely embrace cloud services.

Next-Generation CASB Is the Way Forward

To address modern enterprise security requirements, a next-generation CASB should natively promote the convergence of cloud and enterprise security to close operational gaps between the two. By integrating with existing security infrastructure and leveraging ML and crowdsourced intelligence from the global community, it should automatically discover and control all SaaS and data risks across all users from every location, whether the corporate office or remote. The next generation of CASB should be available to enterprises as a unified platform across all control points and protect all types of structured and unstructured data across all apps (whether SaaS-based apps or on-premises apps) for uniform compliance controls and breach prevention. It should enable safe collaboration app use across all users, regardless of their location, by detecting the context of conversation-based data using real-time and natural language processing-based detection methods. It should detect and prevent known, unknown and zero-day threats targeting SaaS apps and users.

Using API-based security mechanisms, it should scan SaaS applications for sensitive data, endless variants of malware and policy violations while maintaining compliance and ensuring threat protection in real time without dependence on third-party tools. Lastly, it should be easy to deploy and manage via the cloud or an on-premises next-generation firewall, yielding low total cost of ownership.

To learn more about how the Palo Alto Networks approach to cloud access security brokers differs from other CASB vendors, visit us here: https://www.paloaltonetworks.com/network-security/next-gen-casb.