The more technology evolves, the more of it you seem to need. Today’s typical tech stack most resembles a towering layer cake. In addition to the tech applications needed by business users, you also need layers upon layers of solutions to connect, enhance, support and protect those end user applications and the data running through them.
The move to the cloud and “as-a-service” solutions has created its own tech stack growth. The average small business with 500 or fewer employees has 172 apps in their SaaS tech stack. The average rises to 255 for mid-size companies and 664 for large enterprises.
In any size organization where data security is a priority (and today you’d be hard pressed to find one where it isn’t), a Cloud Access Security Broker (CASB) is an essential part of the cloud-based tech stack.
The big question about choosing a CASB
Part of the protection layer of your tech stack layer cake, a CASB is a security policy enforcement solution for data moving through cloud applications.
CASBs secure your SaaS data by:
- protecting against data exfiltration or exposure
- monitoring user access and behavior
- protecting against over-permissioned or data-leaking OAuth apps
Some CASB providers, such as Microsoft and Google, are also vendors for widely used cloud technology and applications. Their CASB is an extension of their other cloud offerings. Other providers are independent third-party vendors, focused solely on securing cloud technology.
And herein lies the question: are the best CASB solutions those that match your cloud technology? If your organization uses Microsoft 365, for example, should you automatically select the Microsoft CASB solution: Microsoft Defender for Cloud Apps? If you use Google Cloud, should you go for Google Command Center? Or is it preferable to choose and use a third-party CASB solution that isn’t “native” to your SaaS application environment?
Let’s take a look at the advantages of each, as well as other considerations when it comes to choosing the right CASB for your business.
Advantages of SaaS app-native over third-party CASB solutions
SaaS app-native CASB providers come to SaaS security from the perspective of their own SaaS offerings. They want to create a solution that will protect their SaaS technology environment from security threats, and that will usually include securing third-party applications that have been integrated into that environment. Examples include Microsoft Defender for Cloud Apps (if your organization uses Microsoft 365) and Google Command Center (if you use Google Cloud as a basis for your cloud environment).
Benefits of choosing a CASB solution that “matches” your cloud tech include:
- Designed for your primary SaaS app
- Familiar interfaces
- Fewer vendors to manage
Designed for your primary SaaS app
Microsoft Defender for Cloud Apps was designed to integrate with and support Microsoft 365 and other Microsoft cloud technology. This intentional design means that incompatibilities are much less likely, and that you don’t have to worry that your CASB is going to stop supporting your cloud applications, or not work with the latest update of those applications.
Familiar interfaces
There’s a lot to be said for the comfort of the familiar. If your organization’s employees are used to working with Google’s or Microsoft’s UI, it will be much easier for them to adopt and work with a CASB that has the same UI.
Fewer vendors to manage
With hundreds of applications in the SaaS tech stack, managing all those vendors can be a headache. A third-party CASB solution is inevitably one more vendor to keep (or lose) track of.
Advantages of third-party over SaaS app-native CASB solutions
Third-party CASB solution providers come to SaaS security from a perspective which is technology brand-agnostic. The goal is to secure the SaaS environment of their user base, whichever applications and foundational technologies that consists of. DoControl’s SaaS Security Platform is an example of a third-party CASB solution.
Benefits of choosing a third-party CASB solution include:
- No single point of failure
- Better support for multiple technologies
- Potential for more innovation
No single point of failure
“Not putting all your eggs in one basket” applies equally to chicken farm environments and to cloud technology environments. When you have one vendor responsible for both your SaaS applications’ functionality and their security, there is more damage potential in any single attack, threat or mistake. Using an independent security solution diversifies risk.
Better support for multiple technologies
If you are using hundreds of SaaS apps, it’s very unlikely that you’ll be using only Google products or only Microsoft products. It’s common for organizations to use Slack and Google Drive and Box and Salesforce, among many other applications from many other vendors. While a SaaS app-native CASB may have the best support for their own apps, a third-party CASB may give better all-around support for multiple technologies.
Potential for more innovation
SaaS app-native CASBs have a built-in market: the existing customers of their apps and technology. Microsoft doesn’t have to look far for people who would be inclined to buy Defender for Cloud Apps; all they have to do is check their Microsoft 365 customers lists. Because third-party CASBs don’t have the same natural market, they need to put more effort into standing out and actually being better than the competition. This has the potential to lead to a more innovative offering that is more reflective of what their clients really need in a CASB.
Other CASB solution considerations
Beyond a CASB solution being SaaS app-native or independent third-party, there are a host of other considerations regarding selecting a CASB that may be even more significant to your decision. Here are a few to bear in mind:
Does it support all the cloud applications you use?
With average SaaS tech stacks starting at 172 applications and going up to 664, depending on organization size, it’s often a priority (rightly) to find a CASB that supports the highest number of applications, or the highest number of widely used applications. Before you start deciding on the best CASB solution, compile a list of the SaaS apps you use and note each one’s approximate importance to your data.
How easily does it integrate with those applications?
For any given application, does the CASB have a built-in integration available at the click of a button? Do they offer an API? Or do you have to come up with some jerry-rigged connector in order to have your CASB monitor the data coming to and from that application?
How accurate is it?
When choosing a CASB, it’s advisable to look very closely at the number of false positives or false negatives that the system is likely to generate. False negatives are obviously a problem, leaving you unable to see what’s going on right under your nose. False positives are annoying, distracting and dangerous, with their potential to lead to alert fatigue and the “boy who cried wolf” effect.
How complete a solution is it?
There are many security functions a CASB might be equipped to handle, ranging from discovery and alerting to remediation and reporting. What does the CASB solution in question handle - and does that fill your requirements?
Additionally, what kind of context does it use to ascertain risky behavior? All CASBs take user identity context into account (e.g. should this person be sharing this kind of data), but only some take multiple contexts, like business context (e.g. should this person, in their particular HR status, at this particular time, be sharing this kind of data) into account. The more context your CASB uses, the more accurate its decisions will be.
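To make the difference between identity-only and multi-context decisions concrete, here is an added example (not from this article or from any CASB product) that scores both approaches for false positives and false negatives. The roles, data labels, off-hours window, entitlement table and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ShareEvent:
    user: str
    role: str          # identity context
    label: str         # data classification of the shared file
    external: bool     # shared outside the organization?
    hr_status: str     # business context: "active" or "notice_period"
    hour: int          # local hour of the share (0-23)
    risky: bool        # constructed ground truth, used only for scoring

# Hypothetical entitlement table: labels each role may share externally.
ROLE_MAY_SHARE = {"finance": {"payroll", "public"}, "sales": {"public"}}

def identity_only(e: ShareEvent) -> bool:
    """Alert when the user's role is not entitled to share this label externally."""
    return e.external and e.label not in ROLE_MAY_SHARE.get(e.role, set())

def multi_context(e: ShareEvent) -> bool:
    """Identity check, plus HR status and time of day for sensitive data."""
    if not e.external:
        return False
    if identity_only(e):
        return True
    off_hours = e.hour < 6 or e.hour >= 22
    return e.label != "public" and (e.hr_status == "notice_period" or off_hours)

def score(policy, events) -> dict:
    """Count alerts on benign events (FP) and missed risky events (FN)."""
    fp = sum(1 for e in events if policy(e) and not e.risky)
    fn = sum(1 for e in events if not policy(e) and e.risky)
    return {"false_positives": fp, "false_negatives": fn}

# Constructed sample events (not real telemetry).
EVENTS = [
    ShareEvent("alice", "finance", "payroll", True, "active", 10, False),
    ShareEvent("bob", "finance", "payroll", True, "notice_period", 14, True),
    ShareEvent("carol", "finance", "payroll", True, "active", 2, True),
    ShareEvent("dave", "sales", "payroll", True, "active", 11, True),
    ShareEvent("erin", "sales", "public", True, "notice_period", 23, False),
    ShareEvent("gina", "finance", "payroll", True, "active", 23, False),
]

if __name__ == "__main__":
    print("identity only:", score(identity_only, EVENTS))
    print("multi-context:", score(multi_context, EVENTS))
```

On this sample the added context catches the two shares that the identity check misses, at the cost of one alert on a legitimate late-night finance share, so context rules need the same false-positive scrutiny as any other detection.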
Choose your CASB wisely
Your CASB is a critical part of your SaaS tech stack, keeping your SaaS ecosystem usable and safe. When it comes to choosing your CASB, take stock of the other parts of your SaaS tech stack, weigh the advantages of a CASB native to your SaaS vendor versus an independent third-party, and consider important functional criteria. May the best CASB (for your SaaS situation) win.