What Your SSE’s CASBs Don’t Understand



Ten years ago, SaaS data security was not a big concern, since most corporate data was stored in on-prem or homegrown applications. Then SaaS adoption exploded thanks to improved productivity, lower operational costs and ease of use. Today, SaaS applications are standard across all major verticals and industries worldwide. Every department in an organization uses SaaS applications to drive business. Moreover, SaaS consumption patterns have evolved over time from internal-only access to collaborative, external access, as well as programmatic, API-based access.

However, the early SaaS security solutions known as cloud access security brokers (CASBs) haven’t evolved alongside the new SaaS era. Initially, CASB solutions offered reverse and forward proxy modes, intended to sit between the end user’s device and the web to enforce access controls at the network level. While effective in meeting multiple compliance requirement checkboxes and visualizing end-user activity, CASBs in proxy mode don’t understand how SaaS applications work.

Over the years, CASB vendors have introduced secure access service edge (SASE) and zero trust network access (ZTNA) capabilities, eliminating the need for a physical VPN and enabling secure remote access from any network and device. This opened an enormous market for disruption that eventually put SASE at the forefront of leading security vendors.

From there, a new cross-product category emerged to combine ZTNA, CASB and secure web gateway (SWG) into one consolidated offering: security service edge (SSE). Vendors are incentivized to sell it as a platform, which makes sense for many reasons (low total cost of ownership, single interface, single support team, single documentation, etc.). Yet this bundle still relies on 10-year-old CASB API technology and, again, doesn’t understand how SaaS applications work.

SSE vendors offer a so-called modern CASB in API mode; however, technological gaps in its implementation and architecture pose significant risks when it comes to preventing SaaS application data breaches.

SSE vendors had begun to use the SSL proxy capabilities of SWG in front of SaaS applications to decrypt, inspect and…
