Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG WHITE PAPER

The Evolution of Cloud Access Security Brokers

Comprehensive, Integrated, Accurate Protection with Palo Alto Networks SaaS Security

By John Grady, ESG Senior Analyst
JUNE 2021

Executive Summary

In the years since the cloud access security broker (CASB) was first introduced, enterprise SaaS usage has risen dramatically. Most organizations now rely on the cloud for core business applications housing sensitive corporate data. This usage, coupled with the massive scale of smaller, potentially unsanctioned cloud applications, has made the CASB a critical component of enterprise security strategies.

The results of this fragmentation are typically increased complexity, reduced operational efficiency, and poor security effectiveness. To alleviate these issues, software-based, virtual, and containerized next-generation firewalls that can be deployed across a variety of cloud platforms and application architectures in order to provide consistent, effective protection against a myriad of advanced threats, as well as centralized management across the entire firewall infrastructure, are critical to secure the modern hybrid, multi-cloud enterprise.

Security teams must begin considering how CASBs can better integrate with other network security control points to streamline deployment, provide more consistent management, and improve security effectiveness.

Yet the decoupled, layered-on nature with which most organizations approached CASB initially now creates more problems than it solves. CASBs can provide broad functionality but require different deployment models to address different use cases. Organizations need to have visibility into all application usage, as well as inline threat prevention, access control, and policy enforcement across all users, regardless of device or location.
The complexity of accomplishing this via additional agents, log collectors, and traffic redirection has reached a tipping point. As part of the evolution towards secure access service edge (SASE), security teams must begin considering how CASBs can better integrate with other network security control points to streamline deployment, provide more consistent management, and improve security effectiveness.
Palo Alto Networks’ SaaS Security represents an updated approach to CASB, designed to align with these changing enterprise needs. Through integrations with Palo Alto’s cloud, software, and appliance-based next-generation firewalls and its cloud-delivered enterprise DLP, SaaS Security provides a simpler and more cost-effective approach to CASB, while maintaining the broad application visibility and accurate threat and content inspection organizations require to secure the usage of cloud applications.

The Role of SaaS Security in the Modern Enterprise

Cloud adoption has become nearly ubiquitous, with ESG research finding that 94% of organizations use public cloud services of some sort.1 However, more important than adoption is the increase in the consumption of public cloud applications by these organizations.
Most enterprises are well beyond taking a limited approach by shifting a less-sensitive application or two to the cloud, and rather are using the public cloud for numerous, mission-critical applications. This trend is only expected to increase over the next three years, with 47% of organizations expecting more than 40% of their business applications to be public cloud-resident by that time (see Figure 1).2
Most enterprises are well beyond taking a limited approach by shifting a less-sensitive application or two to the cloud, and rather are using the public cloud for numerous, mission-critical applications.
Figure 1. Percentage of Public Cloud Applications, Today versus 36 Months from Now

Of all the business applications used by your organization, approximately what percentage is currently public cloud-resident? How do you expect this to change – if at all – over the next 36 months? (Percent of respondents, N=664)

Source: Enterprise Strategy Group

Core Capabilities of CASB

The need for visibility and control over applications has been apparent for over a decade and has led to the advent of the next-generation firewall (NGFW). While industry-standard now, the shift from predicating policies on port, protocol, and IP address to specific applications and users represented a transformative change at the time and provided network security teams better visibility into the composition of network traffic. Over the years, the number and types of enterprise SaaS applications have grown from just a handful, such as email and CRM, to a diverse universe supporting marketing, user collaboration, human resources, finance, IT, and nearly every other aspect of the business. Further, these applications and the data stored in them may be accessed by both internal and external entities, using both managed and unmanaged devices.
Yet the increase in the number of sanctioned corporate SaaS applications is only one part of a broader story. The self-service nature of the public cloud continues to empower employees to use numerous unsanctioned applications outside the purview of the IT department. As a result, ensuring consistent data security and compliance with mandates such as the Payment Card Industry Data Security Standard (PCI), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR) has become increasing complex.
Cloud access security brokers (CASB) have been on the market for nearly ten years, specifically to protect and govern the usage of SaaS applications and address many of these issues. With the consumption of cloud applications continuing to increase, their criticality has only been heightened. These tools typically provide functionality to address four major use cases:
• Visibility. CASBs must identify and inventory all the applications enterprise users access, whether sanctioned by the IT department or not, and assess the level of risk these resources pose to the organization to help inform policy decisions. ESG research has found that 32% of organizations cite the increasing use of cloud applications as a leading driver of cybersecurity complexity.3
• Threat Protection. CASBs should protect users and corporate data from malicious activity, especially when using unsanctioned applications, and ensure that threats do not compromise sanctioned application environments. Nearly half of ESG research respondents (45%) cite the increasing threat landscape as one of the biggest drivers of network security complexity.4
• Data Security. CASBs need to identify the types of data flowing to and residing in SaaS applications and apply corporate policies to ensure sensitive data is properly protected. Yet ESG research has found that 26% of organizations indicate that the need to incorporate data-centric policies and security controls has made network security management and operations more difficult.5 This is primarily due to the siloed nature of the different tools used for data security across the environment.
• Compliance. CASBs help organizations map their assets in the cloud back to the regulator mandates to which they are subject. This is important, as 18% of ESG research respondents say difficulty in remaining compliant efficiently has made cybersecurity more difficult.6

A Layered Approach to CASB Has Increased Complexity

Like most emerging technologies, CASB has been layered into existing environments. While this has improved visibility and application control, the fact that it is architected and managed independently from other security tools has a downstream effect on the security analysts and practitioners who must synchronize their risks, policies, and goals across a separate layer of the stack.

The fact that CASB is architected and managed independently from other security tools has a downstream effect on the security analysts and practitioners who must synchronize their risks, policies, and goals across a separate layer of the stack.

Further, depending on the use case in question, CASBs must be deployed differently in the environment. For inline control and visibility, a reverse or forward proxy deployment is required. However, there are limitations to each option. Because they are deployed in front of known applications, reverse proxies lack visibility into unsanctioned applications. While forward proxies provide visibility into many applications whether sanctioned or not, this model requires traffic to be routed from users through the CASB before reaching the application. Proxy auto-configuration (PAC) files or agents on the endpoint can redirect application traffic to the CASB, but these options are only available if the device is managed. Proxy chaining services together or redirecting DNS requests to cloud services through the CASB are also options but require more extensive network routing changes. An additional issue with the proxy model is that visibility is limited to web-based protocols. Applications such as BitTorrent, Tor, FTP, Private VPN, and others can bypass the proxy and can be used by attackers to exfiltrate data.
Alternatively, for sanctioned enterprise applications, CASBs can also sit out-of-band and use log collection and API integrations. API integrations allow granular control over application features and enforce data security policy within the application itself, but only for sanctioned applications. Conversely, while log collection from firewalls and secure web gateways (SWG) provides visibility into application traffic, real-time threat prevention and policy enforcement is not possible in this model.
Over the years, some CASBs have adopted a multi-mode approach to address all use cases and support deployment flexibility for customers. However, the complexity of mapping these deployment modes to use cases and management policies across inline and out-of-band modes can become burdensome.
An additional element of confusion has arisen from the overlap of CASB and data security. Encryption and tokenization-focused use cases have become less common over time as native application data protection has improved. At the same time, as more and more enterprise data has become cloud-resident, CASBs have increasingly been positioned as DLP tools. While they certainly are a component of DLP, a significant percentage of enterprise data remains on-premises and flows through user devices. This is borne out when one considers the broad causes of enterprise data loss (see Figure 2).7 This means that a DLP approach too heavily weighted towards any one control point can lead to reduced effectiveness. Trying to create consistent policies across the different tools that deliver their own data loss prevention across cloud applications, the network, and endpoints is inefficient and can be prone to human error.
Figure 2. Top 11 Causes of Public Cloud Data Loss

Which of the following do you believe were the biggest contributors to your organization’s public cloud-related data loss? (Percent of respondents, N=166, five responses accepted)

Source: Enterprise Strategy Group

Top Requirements for a Modern CASB

To address the ever growing and clearly business-critical nature of SaaS usage, while at the same time reducing complexity, a simplified, integrated approach to CASB is preferred. Specifically, three core requirements are needed:

Deep visibility and intelligence across the thousands of cloud services available.

End-to-end DLP coverage to ensure consistent security across the cloud, network, and endpoints.

Tight integrations with other network security tools to position CASB as the security anchor point for the transition to (SASE).

Visibility

The initial use case for CASB was visibility into unsanctioned applications. Yet while this has become more difficult as the number of available applications has exponentially risen over the years, it has become more important for exactly the same reason. CASBs must be able to accurately recognize and inventory applications in real time as they become available—something traditional CASBs have struggled to keep pace with. Most importantly, providing a detailed risk assessment for these applications helps administrators make informed decisions with regards to employee access. The scale of today’s SaaS usage requires a degree of automation to this discovery and assessment to keep up with the constant rate of change. Yet at the same time, some level of customization is necessary for more or less risk-tolerant organizations to manage employee access according to their preferences.

End-to-end Data Loss Prevention

There is a pressing need for more consistent visibility into and control over corporate data across the entire environment. ESG research has found that 70% of respondents agreed that their organization’s implementation of a single set of data loss prevention policies spanning on-premises and cloud-resident data was in need of improvement.8 With more data now cloud-resident, DLP should be cloud-first but not cloud-only.
This requires strong cloud enforcement capabilities, and centralized policy management through the cloud, but with distributed control points. Consistency means mapping roles to data classes to ensure that users with certain roles have the same level of access and usage policies by classes of data, irrespective of location. Further, policy enforcement must be distributed at the control points for data in motion and at rest, which requires enforcement in the cloud, at egress points, and at the edge. As a result, a central aspect of moving from a siloed to a unified DLP approach is the ability to federate policies across enforcement points, with CASB as the central piece of a large solution set.
A central aspect of moving from a siloed to a unified DLP approach is the ability to federate policies across enforcement points, with CASB as the central piece of a large solution set.

CASB as an Anchor Point of SASE

The trend of consolidation has become a focus across much of the cybersecurity landscape. While defense-in-depth has been the preferred approach for many years, the pendulum is swinging towards integrated platforms to address the difficulties caused by having to manage a variety of disparate point tools. Siloed tools can result in a number of negative issues (see Figure 3).9 These can best be summarized as:
• Operational inefficiencies. The manual mapping of policies across multiple tools, many of which can have overlapping functionality is not only inefficient but prone to error. Similarly, the coordination required by different teams (i.e., network security, data security, cloud security) is made more complex by the use of many disparate tools.
• Increased costs. Both direct and indirect costs are typically higher when organizations use siloed tools. Rather than spreading solution costs across many different vendors, a converged approach can lead to a more strategic and cost-effective relationship with fewer vendors. Additionally, security teams can focus their training and certifications on a more targeted set of solutions.
• Weakened security. Ultimately, visibility and threat protection can be inconsistent across siloed tools, leading to investigation complexity when issues do arise.
Figure 3. Issues Arising from Using Many Disparate Tools

In your opinion, which of the following issues resulting from using disparate tools have had the most negative impact on your business? (Percent of respondents, N=337, multiple responses accepted)

Source: Enterprise Strategy Group

While SASE includes a variety of capabilities from SD-WAN to zero trust network access (ZTNA) to remote browser isolation, the convergence of CASB with traditional perimeter tools such as secure web gateway and next-generation firewall is often a first step on the longer path towards a full SASE architecture. In fact, 75% of ESG survey respondents indicated that CASB is a required or important component of a SASE architecture.10 The shift to SASE comes in recognition that network security is no longer on-premises only but must provide distributed enforcement everywhere. By merging CASB back into the broader, foundational security architecture, management and policies can become integrated with other network security controls, relieving security analysts and practitioners of the burden of managing a layered CASB.
By merging CASB back into the broader, foundational security architecture, management and policies can become integrated with other network security controls, relieving security analysts and practitioners of the burden of managing a layered CASB.

Introducing Palo Alto Networks’ SaaS Security

Palo Alto Networks has introduced SaaS Security as an integrated CASB to address the core cloud application challenges most organizations face today. The solution is tightly integrated with Palo Alto Networks’ next-generation firewall, enterprise data loss prevention, and Prisma Access for ease of deployment and broader DLP coverage. Palo Alto Networks anticipates both significant deployment time savings, as well as a lower total cost of ownership by running a leaner security architecture through this model. While full functionality is enabled through the use of the broader portfolio, not all tools are required for organizations to use SaaS security. The offering seeks to deliver deep application visibility, simpler and more efficient management, and granular content and threat inspection.

Palo Alto Network SaaS Security seeks to deliver deep application visibility, simpler and more efficient management, and granular content and threat inspection.

Comprehensive with Cloud-scale

Palo Alto Networks’ SaaS Security supports both inline and API deployment models. Inline scanning currently recognizes tens of thousands of applications and automatically adds new ones as they are seen by crowdsourcing the Palo Alto Networks customer base. The directory provides detailed application reports, as well as a risk score based on more than 40 application elements such as application type, SOC 2 compliance, privacy policies, and more. API integrations are currently available for more than 20 of the most common enterprise applications to support granular in-application control as well as streamlined compliance reporting for GDPR, HIPAA, PCA, and other mandates.

Simple and Cost-effective

The solution uses a unified management console and common interface across API and inline CASB deployments, as well as DLP policy creation. Through this unified console, rules can be more consistently applied to individuals and roles across both sanctioned and unsanctioned applications, reducing the potential for misconfigurations. While out-of-the box rules are available to help customers get started quickly, the solution allows for broad customization. For example, application risk scores are tunable, allowing more risk-averse organizations to be more conservative with unsanctioned application usage. This can be adjusted based on specific factors such as the application group, data type, user role, and more.

Deep Content and Threat Inspection

SaaS Security leverages Palo Alto Networks’ broad visibility into threat through its Wildfire threat analysis capabilities and Unit 42 threat research group. Palo Alto Networks’ next-generation firewalls are updated to benefit from this intelligence as threats are identified and utilize machine learning to identify unknown threats in real time, all of which improves threat prevention for SaaS Security use cases.
Content inspection for DLP control is supported by three types of rulesets: asset, user activity, and security controls. Asset rules rely on match criteria to identify sensitive data and support follow-on actions such as notifying the file owner, quarantining the file, removing public links to make the file unsharable, and more. User activity rules can be used to limit actions such as copy, move, and share across a single application, or all applications based on the data and individual in question. Finally, security controls provide auditing for security administrators, with role-based access control to ensure sensitive data is not compromised by first responders during investigation and remediation activities.

The Bigger Truth

Unsurprisingly, the threat landscape continues to be the biggest cybersecurity challenge most organizations face. However, complexity is a significant and growing concern. The increasingly distributed nature of enterprise environments through cloud usage and, more recently, remote work, has challenged traditional security approaches. While the emergence of broader security transformations such as SASE can be directly tied to these changes, the reality remains that such a significant architectural shift takes time to plan and implement.
Organizations have prioritized cloud investments during the pandemic to improve flexibility and agility, and this will likely continue. As a result, a logical first step on the SASE journey is to begin assessing how to tie CASB back more closely into the network security stack in order to reduce complexity and improve the effectiveness of securing cloud application usage. Palo Alto Networks’ SaaS Security accomplishes this by focusing on tight integrations with existing network security tools and building on the strong security foundation the company has built over the last sixteen years. As a result, organizations should expect a simpler, cost-effective, comprehensive approach to CASB with SaaS Security.
Complete Zero Trust Network Security

Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2021.
Ibid.
Source: ESG Master Survey Results, The State of Zero Trust Security Strategies, May 2021.
Source: ESG Master Survey Results, Network Security Trends, Mar 2020.
Source: ESG Master Survey Results, Transitioning Network Security Controls to the Cloud, Jul 2020.
Source: ESG Master Survey Results, The State of Zero Trust Security Strategies, May 2021.
Source: ESG Master Survey Results, Trends in IAM: Cloud-driven Identities, Dec 2020.
Source: ESG Master Survey Results, Trends in Cloud Data Security, Jan 2019.
Source: ESG Master Survey Results, Transitioning Network Security Controls to the Cloud, Jul 2020.
10 Source: ESG Master Survey Results, Transitioning Network Security Controls to the Cloud, Jul 2020.

This ESG White Paper was commissioned by Palo Alto Networks and is distributed under license from ESG.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.