Author: Matthew Chiodi, CSO Public Cloud
Applications moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. Palo Alto Networks founder and CTO Nir Zuk believes that the future of network security is in the cloud, and has been driving this change for the past few years, with the Prisma Access product, the industry’s most comprehensive SASE. In this ongoing series, Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.
One of the most common questions I hear from organizations of all sizes is, “My users are accessing cloud apps, but I have no idea as to the scale or the type of data. Is a cloud access security broker (CASB) the only solution to address this?” A well-intentioned question for sure, but somewhat shortsighted. Organizations must understand that the rapid adoption of software as a service (SaaS) in the enterprise has radically shifted not only risk but access patterns. While in the past, CASB was the only choice, SASE platforms are now challenging that historical dominance.
SaaS Adoption Introduces Security Risks
SaaS applications offer companies, employees and customers many benefits. However, for each positive, there is also a negative.
| Positive | Negative |
|---|---|
| Quick deployment – As a software solution, the installation and configuration of SaaS apps are quick and painless. By utilizing the cloud, the apps are easily accessible to all users. | Anyone with a credit card can start using almost any cloud service. They are typically set up without IT and security oversight. Users are able to access the application from every coffee shop and any device. |
| Simple maintenance – Instead of having your IT department manually upgrade the app, that responsibility falls to the SaaS vendors, saving you IT resources. | Maintenance isn’t always for increasing uptime. SaaS vendors do an amazing job releasing new features and functionality, but this frequent pace of change also makes it difficult for IT and security teams to keep tabs on configurations and risk. |
| Scalable – Since SaaS apps live in the cloud, they are scalable, no matter how small or large your organization is. Remote users are able to access the apps no matter their location. | Most tier-1 SaaS apps are designed to be infinitely scalable in theory. The downside is that unsanctioned apps will grow virally in your organization and the SaaS provider will gladly pass along the bill. Finance won’t be happy. |
Given the ease of use, the volume and sensitivity of data being transferred, stored and shared in these cloud environments continue to increase. Simultaneously, users are constantly moving to different physical locations, using multiple devices, operating systems and application versions to access the data they need.
As a result, some undesirable security tradeoffs have emerged. The most common thorn in the flesh? A loss of insight into who is accessing and using these applications and data, plus – thanks to the advent of bring your own device (BYOD) – lack of awareness around the devices being used to gain access.
The Cloud Demands More
In a cloud-driven world, security needs to be unified, consistent and delivered from the cloud that it’s chartered to protect. To that end, Gartner has proposed a new model for networking and network security in the cloud, known as the “secure access service edge,” or SASE (pronounced “sassy”). In Gartner’s words:
“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions to support the dynamic secure access needs of digital enterprises.”
Prisma Access is Palo Alto Networks’ SASE solution. It delivers networking and network security from the cloud, providing a fabric to connect all users and networks to its cloud-delivered infrastructure. This provides consistent network connectivity to data and apps, both at headquarters and in the cloud, and applies policy-based security services to users and devices, no matter their location.
Our multi-mode CASB solution, Prisma SaaS, integrates seamlessly with Prisma Access, enabling businesses to implement security that combines inline security, API security and contextual controls to determine access to sensitive information. These controls are implemented together in an integrated manner and applied throughout all cloud application policies.
So Is CASB Enough?
The legacy CASB-centric way to secure SaaS applications uses a standalone proxy designed to perform a limited amount of inline inspection. A CASB can deliver its functions through several deployment modes, including network inline, SAML proxy, agent and API (introspection). And while a CASB can also be used for API-based controls, those controls often have only a limited set of ties to contextual policies governing which specific users or devices have access to particular data. Despite the multiple deployment options, traditional implementation methods have shortcomings, and many enterprise CASB projects have struggled to get off the ground because of them.
Secure SaaS Requires SASE!
Effectively securing SaaS, and digital business transformation as a whole, requires a SASE solution. Attempting to address cloud security challenges with point solutions unwittingly reduces risk clarity by increasing operational complexity. SASE simplifies both networking and security, replacing conventional point products. Firewalls, proxies, secure web gateways, remote access VPNs, CASBs, DNS security and so on are unified into one cloud-based infrastructure. This provides simplified management, visibility and near-complete risk clarity over your entire global network.
Learn more about SASE in our 10 Tenets of an Effective SASE Solution ebook.