Virtually every organization across major verticals — K-12 and higher education, financial services, retail and hospitality, and government — is undertaking digital transformation endeavors. And this includes migrating applications and data to the cloud.
When organizations do choose to adopt cloud technologies, software-as-a-service (SaaS) is the most popular choice according to a Gartner forecast for public cloud adoption. This is evident in the number of SaaS applications a typical organization uses. According IDG, 73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.
73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.
The adoption of SaaS applications brings about new security challenges for IT teams and increases attack surfaces for cybercriminals. The main use case for SaaS security is data protection. How do you protect your corporate data when you no longer have full control of the infrastructure or lack visibility into who can access that data and from which device/location?
The need to address this challenge created a new market segment in 2011 called Cloud Access Security Brokers (CASBs) or Cloud Security Gateways (CSGs). The CASB market segment is one of the fastest growing in information security with Gartner estimating a growth rate of 46% CAGR from 2017 to 2022.
Today, cloud security is not just about limiting or securing access to cloud applications. Cloud security is a shared responsibility where the organization that consumes cloud services is responsible for protecting sensitive data within their SaaS tenants. In fact, according to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”
What is CASB?
At a high level, CASB solutions typically deliver the following four functionalities:
- Visibility. Enable cloud discovery to shed light on cloud application usage and shadow IT activities.
- Data security. Secure the corporate data uploaded or hosted in the cloud by enabling data loss prevention (DLP) and monitor user activity.
- Threat protection. Identify anomalous user behavior and provide anti-malware and sandboxing capabilities to protect against threats in the cloud.
- Compliance. Empower organizations with auditing and reporting tools to demonstrate compliance, especially in regulated industries.
CASB: The evolution of cloud security
The early CASB solutions were geared toward large enterprises that were early adopters of cloud services. These solutions required sophisticated on-premise deployments that proxied all traffic (either forward or reverse proxy) to enforce inline policies for cloud usage.
This proxy-mode CASB approach is sometimes known to introduce latency and/or cause breakage in application functionality, creating a bad user experience. In fact, it’s why Microsoft recommends against using proxy-based solutions when securing Office 365.
The next generation of CASB solutions take advantage of the API-based architecture that SaaS platforms are built on. API-mode CASB is the only way to provide complete visibility into SaaS environments.
API-based CASBs are easy to deploy and provide the most coverage for SaaS security use cases across sanctioned IT, shadow IT, managed devices and unmanaged devices (BYOD).
Need more security and control for your cloud applications? View this joint on-demand webinar, “Securing Your SaaS Landscape,” with Osterman Research principal analyst Michael Osterman, to explore the major concerns and issues organizations have with SaaS adoption, what to look for in a CASB solution and an overview of SonicWall Cloud App Security.
CASB protects Office 365 deployments
Many associate Office 365 to email because it’s the most used app within the Office 365 suite. So, when CISOs and IT directors begin migrating on-premise mailboxes to Exchange Online, the default response is to extend the incumbent Secure Email Gateway (SEG) or Mail Transfer Agent (MTA). This approach to secure cloud email creates two significant blind spots:
- Causing security gaps. Does not protect other apps within Office 365, so it becomes a point solution that is focused on securing only email.
- Missing internal threats. Does not scan internal Office 365 emails, which is becoming increasingly relevant in the current threat landscape with credential compromises and account takeovers.
To address these blind spots, you need to buy an add-on service (to scan internal email) from your email security provider (if they offer one) and deploy a CASB to protect the data residing in OneDrive and SharePoint Online. That’s one more point solution that IT directors need to add to their budget, and IT administrators need to deploy, get trained and manage.
Full-featured CASB solution: SonicWall Cloud App Security
When you view cloud email as a SaaS app, it makes sense that a CASB solution should protect data and provide visibility even if that data is in the form of email messages.
That’s why SonicWall Cloud App Security leverages APIs to directly integrate to SaaS platforms and combine both data security and email security to provide complete protection for SaaS in a single solution. The CASB solution can be implemented in minutes without the need for any on-premise appliances or software installations.