Cloud Access Security Broker (CASB) is becoming increasingly common in enterprise IT environments, Gartner predicts that growth rates will exceed 30% per annum for the next three years. However, not every business needs to invest in a CASB solution; in the short-term, many of the use cases are not strong enough to support the business case, and in the long-term, it isn’t a core part of a strategic technology roadmap.

In this article we explore: 

  1. what a CASB does
  2. the use cases for CASB
  3. an alternative to CASB
  4. where CASB fits in the long-term

What does a CASB do?

The purpose of a CASB is to ensure workers are compliant with company policies when using cloud services, both sanctioned and unsanctioned. Sanctioned services could include the organization’s CRM or accounting platform. A business will want to ensure that these services are only accessed by authorized users with secure connections. As for unsanctioned services like cloud file storage or an online PDF converter, organizations will want to prevent company information from being exposed to one of these services and potentially being intercepted by a third party.

Many CASB services are feature rich, offering a lot of functionality and analytics for businesses to consume. Capabilities can generally be categorized into three sections:

  • Visibility and compliance – A core function of CASB is detecting the cloud services being accessed, identifying potential risks associated with them as well as which personnel or services use them. Being able to collate and report on these insights is essential for demonstrating compliance in the cloud.
    • Features:
      • Application discovery 
      • Compliance assessment
  • Risk detection and mitigation – Insights into user and device behavior can reveal malicious activity such as stolen credentials or malware-infected operating systems. This intelligence can be used to power adaptive access policies to deny access to cloud services until the risks have been resolved.
    •  Features:
      • User and device analytics 
      • Adaptive access control
  • Data security – Many CASB services use algorithms to identify and classify content, such as source code or banking information. Data loss prevention (DLP) tools can prevent sensitive information being inadvertently disclosed by blocking or encrypting.
    •  Features:
      • Data loss prevention
      • Data encryption

There are different CASB architectures, including cloud and on-premises variants, however many use a “multimode” approach using APIs and a proxy. Integration with the APIs exposed by cloud service providers allows CASB solutions to extract detailed information about how users are accessing that particular service. Unfortunately, only the most well-known cloud service providers have created APIs for CASBs to integrate with, and API support by CASB vendors is not universal. For many businesses, this mandates the need for in-line traffic monitoring via a proxy. 

What are the use cases for CASB?

There is a significant overlap between CASB solution’s capability and other security services. To determine whether CASB is a good fit for an organization, a list of use cases should be compiled and compared against these three top CASB use cases:

  • Limiting the use of unsanctioned SaaS services – cloud services are so ubiquitous that users can consume unauthorized SaaS services without consulting IT teams, something referred to as Shadow IT. Unsanctioned services may be consumer-grade or lack the necessary security features to be compliant with business or regulatory requirements. By monitoring traffic, CASB services can discover when SaaS applications are in use.
  • Providing access to sanctioned SaaS applications – access to business applications should only be granted to authorized users with secure devices. By incorporating identity and endpoint analytics into access policies, CASB can prevent unwanted parties gaining access to cloud applications. 
  • Managing access to sanctioned infrastructure and platform services – private applications may be run in the cloud in IaaS or PaaS environments, but require the same security verification steps as SaaS services. CASB services grant access based on identity and endpoint intelligence, allowing authenticated users and secure devices to connect. 

Despite these three use cases being the original drivers for the CASB product category, they are not exclusive to this service. The emergence of new services, such as Zero Trust Network Access (ZTNA), and convergence of feature capabilities means that many organizations do not need a standalone CASB service.

Analysis of the CASB market shows that many of the buyers are large enterprises with thousands of employees. These organizations usually have a particular need for specialized CASB functionality and have sufficient staff to manage an additional security service. For many companies, CASB is unnecessary and alternative solutions are sufficient.

Is there an alternative to CASB?

Much of a CASB’s capability can be found in other security services, such as ZTNA, which are a more suitable solution in many scenarios. A key benefit of using a ZTNA solution in place of CASB is as a multi-functional tool, not just a service to manage cloud compliance. Using a single consolidated service means more compatibility between features and lower overall IT administrator management overhead.

Why ZTNA should be considered before CASB::

  • Limiting the use of unsanctioned SaaS services – the Secure Web Gateway (SWG) component of ZTNA services can be used to monitor and filter internet traffic. Administrators can use the SWG to identify and block Shadow IT. Additionally, the SWG can block other content threats such as phishing. As a multi-functional service, ZTNA allows administrators to quickly define sanctioned and unsanctioned services without configuring multiple consoles.
  • Providing access to sanctioned SaaS applications – ZTNA solutions integrate with enterprise directories, using an endpoint agent to validate a user’s identity and a device’s compliance. The primary function of ZTNA solutions is to provide secure access to applications, as such, they provide granular controls with the ability to provide secure, compliant access to employees, contractors and BYOD/personal devices.
  • Managing access to sanctioned infrastructure and platform services – the core of ZTNA is a Software-Defined Perimeter (SDP), which is used to connect endpoints and applications. This allows ZTNA services to provide secure access to IaaS and PaaS, l it can also connect on-premises applications. A single ZTNA can be used to configure the access policy for every application, whether it be in the cloud or on-premises, making administration easier and enforcing policies consistently.

A ZTNA solution can fulfill many of the functional needs of CASB service and is a suitable replacement for many organizations. However, as cloud services are increasingly adopted technology leaders must consider what the organization’s future requirements are and whether CASB is part of the long term security roadmap.

Will I need a CASB in the future?

While the current trend indicates that cloud services are increasingly being deployed by enterprises, CASB is not the only service capable of securing them. Gartner has named one such converged solution the Secure Access Service Edge (SASE), which is a combination of ZTNA, SWG, CASB technologies and more.

“By 2023, 20% of enterprises will have adopted SWG, CASB, ZTNA and branch FWaaS capabilities from the same vendor” – Gartner

This trend indicates that CASB features will be increasingly incorporated into other security services, reducing the likelihood that investment in CASB is necessary. It also highlights the need for strategic service selection. Currently, CASB is often used to provide security for edge cases, whereas ZTNA forms a much more integral part of IT services because the SDP forms the access backbone. 

Building a strategy around ZTNA and building out capability from this central component of the IT environment is the optimal way to move to a SASE model. Attempting to transform the IT architecture from the outside in, via CASB for example, will be much more complex. The access layer may need to be replaced, which will be disruptive for end-users and there is more likely to be compatibility issues with other edge solutions in use. 

Unless necessary, businesses should avoid investing in CASB services, many of the features will become available with more strategic IT solutions. Building a SASE roadmap around ZTNA is a more futureproof option. 

Summary

CASB services have several capabilities including visibility and compliance, risk detection and mitigation and data security. Most CASB services are tailored to large enterprises and many organizations can use features available within other solutions. 

ZTNA is a much more suitable solution for the majority of use cases that will be encountered by organizations now or in the future. Building an IT strategy around ZTNA is a feasible way to prepare for future architecture such as SASE. To learn more about ZTNA, SASE and secure application access please get in touch with one of our experts.