Today, cloud access security brokers (CASBs) are go-to tools for securing data in the cloud, and have proven to be indispensable for organizations that are looking to safely embrace the use of SaaS applications and enact digital transformation initiatives. These solutions provide a wide breadth of functionality, delivering everything that organizations need to maintain visibility, control, and compliance as their data moves off premises. But how did CASBs become the advanced solutions that they are today, and what does the future of CASB look like? Read on to learn where CASB has been and where it’s going.
Shadow IT discovery
The original CASB use case was shadow IT discovery. At the dawn of SaaS applications, when enterprise employees were beginning to realize that these new types of apps allowed them to work more flexibly and productively, they started to use them without corporate approval. This created a data leakage concern for IT and security personnel. Consequently, CASBs were adopted to identify unsanctioned applications (also known as shadow IT) and provide insight into their riskiness. Typically, this insight was used to inform black-and-white policies that either allowed or blocked apps at third-party enforcement points. While discovery capabilities are still a needed part of CASB offerings today, the technology has evolved to do far more.
API integrations
As organizations began to formally sanction and adopt popular SaaS applications to capitalize on their benefits, they wanted to make sure that they maintained proper security for data at rest within them. Once again, CASBs answered the call. Through integrations with application programming interfaces (APIs), CASBs were able to scan SaaS apps’ contents to find and respond to sensitive data patterns (via cloud data loss prevention (DLP)) as well as threats like cloud malware (through advanced threat protection (ATP)). More recently, API integrations have been used for SaaS security posture management (SSPM), whereby CASBs remediate costly misconfigurations within applications. Unfortunately, while out-of-band security via API is necessary, it is not sufficient on its own; scanning apps and their contents takes time and cannot provide true inline security.
Proxies
To address the need for granular, real-time protections, CASBs provided proxies as additional deployment modes. With proxies, CASBs could sit in the flow of traffic to apply security policies as needed on the fly; for example, through DLP and ATP functionality, as well as direct control over shadow IT. While forward proxy leverages software on users’ devices to forward traffic to an inspection point, reverse proxy uses URL rewrites to agentlessly route traffic to the CASB, making it a more desirable approach for unmanaged devices. However, as the reverse proxy mode leads to frequent breakages, many organizations are turning to cloud browser isolation (CBI) technology to address unmanaged device use cases.
What’s next?
Today, leading CASBs provide all of the above functionality, and are known as “multimode CASBs” when both proxy and API-based deployment modes are available. They also go beyond securing SaaS to provide protections for IaaS offerings like AWS S3. However, as detailed in a previous blog post, deploying a standalone CASB as yet another point product overlay can lead to a disjointed and complex IT ecosystem and a greater management burden for administrators.
Fortunately, CASB capabilities have been overlapping more and more with secure web gateway (SWG) capabilities in recent years (securing websites and securing cloud applications are highly similar endeavors). In part because of this, Gartner recently coined the phrase secure access service edge (SASE) to refer to cloud-delivered security offerings that provide integrated functionality like CASB, SWG, zero trust network access (ZTNA), and more. SASE platforms deliver consistent, comprehensive protections across the IT ecosystem while streamlining security performance and management for admins.
At Zscaler, our multimode CASB solution addresses all of your cloud security needs and is a homegrown, seamlessly integrated component of our Zero Trust Exchange, the leading platform for fulfilling the demands of SASE.
Want to learn more and see how we address the top CASB use cases? Download our latest ebook.
