Why SSE, SWG and Inline CASB Tools Have Gaps in SaaS Security Coverage
We’ve all heard the old saying, “When you’re a hammer, everything looks like a nail.” You can try tightening a nut or driving a screw with a hammer (and you might eventually succeed) but it won’t be fun for you…or the screw!
There’s not just one tool for every task, and using the wrong tool for the wrong job, while technically possible in some situations, ultimately ends in wasted time and resources and with everyone involved unhappy.
A lot of SSE (Secure Service Edge) solutions started with SWG (Secure Web Gateway) and/or Inline CASB (Cloud Access Security Broker). These tools are hammers, and they are great at securing web browsing or finding Shadow IT applications. But is securing data in sanctioned, modern Software as a Service (SaaS) platforms really the same problem? Is protecting the data in your SaaS a “nail”, or is it a “screw?”
There are several important use cases that an inline SSE “hammer” won’t cover, even on managed endpoints where you can install the SSE agent.
First, inline solutions won’t control content that’s created in the SaaS application. If a user opens a document and starts typing numbers into it, there’s no way for the inline SSE solution to know if they are typing PII (like a credit card number) or something completely innocuous (or if a cat is sitting on the keyboard!). Since the inline SSE can’t understand the content as it’s being created, it won’t stop it.
Second, large files are often excluded from inspection by inline SSE products. Why? User Experience. The time to inspect the data in each cell of a 20MB excel file is non-trivial, and it’s likely the transaction will time out (not to mention the user becoming frustrated!) before the inline scan could be completed. The size threshold at which an inline SSE will bypass inspection varies depending on the platform, but in a sieve-like fashion, all will bypass larger files to preserve User Experience.
Third, files that are uploaded or downloaded via desktop sync apps are often excluded from inline inspection. There are several possible reasons for this: some desktop sync apps are certificate pinned (e.g. Dropbox), some use multiple transfer streams (making reassembly for inspection within the SSE platform impractical), some use non-HTTPS protocols, etc. But whatever the reason, the inline SSE may be missing some or all of this traffic.
Even on managed endpoints, the best case scenario for inline SSE solutions for protecting data in SaaS applications, there are some significant gaps in coverage. It’s becoming increasingly clear that the inline SSE “hammer” isn’t the tool needed to secure the data in SaaS.
Fortunately, there’s a much more flexible, purpose-built tool to solve the SaaS Data Security problem: DoControl.
The solution provides strong visibility throughout the IT estate for both sanctioned and unsanctioned cloud applications, continually assesses and exposes cloud application risk, and provides both manual and automated remediation to reduce risk, and support stringent compliance requirements involving cloud governance and access to sensitive data.
DoControl's CASB Tool Effortlessly Protects SaaS Data
Our CASB solution provides strong visibility throughout the IT estate for both sanctioned and unsanctioned cloud application. It continually assesses and exposes cloud application risk, and provides both manual and automated remediation to reduce risk, and support stringent compliance requirements involving cloud governance and access to sensitive data. The solution provides strong visibility throughout the IT estate for both sanctioned and unsanctioned cloud applications, continually assesses and exposes cloud application risk, and provides both manual and automated remediation to reduce risk, and support stringent compliance requirements involving cloud governance and access to sensitive data.
Learn more by reviewing this two page solution brief on DoControl for CASB.