
Drawbacks of CASBs (Cloud Access Security Brokers) in the Remote World

Chaithanya Yambari

2nd March, 2022


While traditional cloud access security brokers had their share of benefits, organizations must understand why they aren’t suitable for modern requirements and plan a move to a modern cloud-first solution, like SaaS management platforms.

Cloud access security broker (CASB) software acts as middleware between your organizational infrastructure and cloud service providers. It helps with scanning for security threats and keeping your cloud data safe. Most companies deploy a CASB to get real-time visibility into their cloud usage, ensure security compliance, and identify threats.

With more businesses opting for the cloud, the need for data security has increased tenfold. There was a time when firewalls, antivirus, and intrusion detection & prevention systems worked fine; however, when working on the cloud, you could get attacked from anywhere. At this point, there are no security boundaries and rigid parameters to secure data.

And when 99% of companies are using SaaS tools to get things done, security becomes unstable under constantly changing user access and third-party participation. As the use of SaaS apps grows in the workplace, it further increases your organization's attack surface.


Though many IT teams thought CASB tools were apt for their security needs, remote work has shown they are not. When things started moving after the pandemic, endpoints got scattered, and these solutions were found to be outdated.

Even before remote work, CASB deployment was frustrating for IT teams because of many companies' BYOD (bring your own device) policies. And it was not just deployment: the experience of using CASB tools was also poor, as IT admins have to manually check off boxes for what's truly sensitive and what's not.

Do you think IT administrators would be happy doing things manually in the modern world of automation? 

Before we go into the issues with CASB systems, let's first see how CASB solutions work. Generally, a CASB works like this: first, log collectors gather event logs from existing infrastructure such as firewalls, SIEMs, and secure web gateways. The CASB tool captures only users' activity, not content.
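The log-driven discovery step described above, as an added example (not code from the article or from any CASB product): it reads gateway log records that carry activity metadata only and reports destinations outside a sanctioned list. The log format, the host names and the sanctioned list are constructed assumptions.

```javascript
// Constructed sample in a made-up gateway log format:
//   timestamp user method host:port bytes_out
// Only activity metadata is present; no request or response content.
const SAMPLE_LOG = [
  "2022-03-01T09:00:01Z alice CONNECT app.slack.com:443 5120",
  "2022-03-01T09:00:07Z bob CONNECT upload.fileshare.example:443 1048576",
  "2022-03-01T09:01:12Z carol CONNECT upload.fileshare.example:443 2048",
  "2022-03-01T09:02:30Z bob CONNECT app.notes.example:443 300",
  "truncated line from a dropped syslog packet",
  "2022-03-01T09:03:44Z alice CONNECT login.salesforce.com:443 900",
].join("\n");

// Assumed list of sanctioned SaaS domains (hypothetical policy).
const SANCTIONED = ["slack.com", "salesforce.com"];

// Match the domain itself or any subdomain, on a label boundary.
function isSanctioned(host, sanctioned) {
  return sanctioned.some((d) => host === d || host.endsWith("." + d));
}

// Returns unsanctioned destinations with their users, sorted by upload volume.
function discoverUnsanctioned(logText, sanctioned) {
  const seen = new Map();
  for (const line of logText.split("\n")) {
    const f = line.trim().split(/\s+/);
    if (f.length !== 5) continue;              // skip malformed records
    const bytes = Number(f[4]);
    if (!Number.isFinite(bytes)) continue;     // skip non-numeric byte counts
    const user = f[1];
    const host = f[3].replace(/:\d+$/, "").toLowerCase();
    if (isSanctioned(host, sanctioned)) continue;
    const e = seen.get(host) || { users: new Set(), requests: 0, bytesOut: 0 };
    e.users.add(user);
    e.requests += 1;
    e.bytesOut += bytes;
    seen.set(host, e);
  }
  return [...seen.entries()]
    .map(([host, e]) => ({ host, users: [...e.users].sort(),
                           requests: e.requests, bytesOut: e.bytesOut }))
    .sort((a, b) => b.bytesOut - a.bytesOut);
}

console.log(discoverUnsanctioned(SAMPLE_LOG, SANCTIONED));
```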

Any of these mechanisms (or a combination) can be used, depending on the vendor you choose: forward proxy, reverse proxy, or API-based.

1. Forward proxy: Integrated deployment between cloud service and endpoint, in which the network or device brings traffic to the CASB proxy.


2. Reverse proxy: Integrated deployment between cloud service and endpoint, in which the cloud service provider brings traffic to the CASB proxy.


Issues With CASBs in the Work from Home Setting

While cloud access security brokers have their share of benefits, organizations must understand why they aren’t suitable for modern requirements and plan a move to a modern cloud-first solution, like SaaS management platforms.

1. CASB Deployment is Complex

There are two major issues organizations face while deploying a CASB. First, when a reverse proxy is deployed, it lacks visibility into unsanctioned apps. The integration only happens with known apps, so anything beyond that goes uncaptured. Reverse proxies therefore can't help with shadow IT.

Though forward proxies provide visibility to unknown or sanctioned applications, it’s limited to only web protocols. 

Secondly, organizations can get granular control over security policies with API integration, but policy enforcement and threat protection aren’t possible here. 

CASB deployment isn't direct and simple; it requires expertise to deploy cloud access security brokers. It requires proxy auto-configs (PACs), log collectors, and other deployment tools. Yes, that's a mouthful! 

All this ends up making the process effortful and time-consuming, which increases the cost of the deployment. And note that even after all this, there are risks of misconfiguration when the CASB is not deployed properly. We discuss pricing in detail in the next section.

2. CASB Solutions are Very Expensive

The primary reason why CASBs are expensive is that many prominent vendors like Salesforce, Box, or Office 365 still use the per-user pricing method. That means they charge for every additional SaaS tool a business uses.

This pricing model might have worked if businesses were using a few SaaS applications, but it is costly now that SaaS usage in organizations is high. According to a Gartner report, CASB solutions alone cost between $15/user/year and $85/user/year.


In addition to this, businesses also have to incur the following costs:

  • Layers of log collectors: To run CASB applications, users must first deploy firewalls or log forwarders to gather logs and then forward them to the CASB tool. Here, the application would build a report that shows the information on unknown users accessing your business’s network.

  • Traffic forwarder appliance: Businesses can either manually forward logs to their CASB or use an application. And we know, no company would spend countless hours of manpower doing such tasks, so they have to invest in a traffic forwarder appliance as well. 

  • Identity collector: The users have to add an Active Directory Connector to allow CASB to enforce policies via AD groups and user ID. The AD connector helps connect AWS apps to your on-premise directory.

  • Deploying endpoint agents: Since CASBs use proxies, PAC (proxy auto-configuration) files have to be deployed on all users' machines. According to Mozilla, a PAC file is a JavaScript function that determines whether web browser requests go directly to the destination or are forwarded to a web proxy server.

This was already a challenge when infrastructure was limited to on-premise. However, with every additional site, businesses have to duplicate this infrastructure over and over again. Now, when things are online, and employees are working remotely, businesses have to add additional endpoints with PAC files and VPN agents to divert the traffic to CASB. 

All of this requires an insane amount of manual help and subscriptions to additional tools to make the system work. Plus, CASBs don’t help with cloud cost optimization; they are also inefficient at finding SaaS apps with overlapping functionality and unused or underused apps.

Now compare CASB solutions to SaaS management platforms (SMP), like Zluri. Because of the savings it generates, Zluri acts as a savings center instead of a cost center for organizations. Not only does it pay for itself, but you also get savings on top. You can check how much you can save with this ROI calculator.

SMPs make it easier for businesses to derive ROI from SaaS apps they use, with which they can make data-informed decisions regarding application renewal. 

By contrast, with such complex deployment, pricier licensing plans, and outdated infrastructure, opting for a CASB might seem like too much to spend.

3. Consumes a Huge Amount of Time and Effort on the Part of IT Teams

Legacy CASB follows a signature-based approach to identifying malware strains. Here, the CASB focuses on identifying a pattern that matches with features of malware saved in their application library. 

One major problem with this approach is that CASB lacks large datasets to identify emerging risks; they can only identify the known threats. This forces businesses to manually assign signatures to SaaS applications. 

But do you think this is the right approach to cloud data security when almost 360k new pieces of malware are found every day?

With the growing rate of SaaS usage, the signature-based approach has proved to be ineffective. And if any of these worms enter your cloud space, they can cause severe damage.

4. Difficult to Integrate With the Existing Security Policy Of The Organisation 

Since CASBs are layered between your cloud service provider and organizational infrastructure, they remain independent and are not attached to your organization’s core security infrastructure. This brings operational challenges for security analysts to streamline data protection and ensure that departments maintain security policies. 

Some CASB systems are not in sync with organizations' data security. In addition, because they are not complete security systems but provide some elements of security, they are sometimes confused with self-contained DLP tools.

While we agree that organizations store most of their data on the cloud, a percentage of enterprise data flows on-premise. So, matching DLP policies across the enterprise both on and off the cloud is challenging. IT teams attempting to create consistent data governance, security, and compliance across such hybrid models find this an arduous and risky task.

5. Lacks Complete Visibility into SaaS Apps

While CASB systems are good for visibility, they don't help solve all the issues they highlight. Tim Prendergast, founder and CEO at Evident.io, likens the situation to a doctor telling a patient they have several problems but cannot fix them. He adds: "Data without action is kind of useless. Data has to be automatable so your team can solve the problem and move on to bigger projects."

Using a CASB, your business might lack information about:

Usage details: CASB lacks complete information on employees' specific actions. For instance, if they are using Slack and there are 30 channels and 200 different teams, CASB wouldn’t answer who is operating these channels and what actions have been taken on the interface.

Nor do you get license details with CASBs. Compare this to Zluri, where you get license details.

Moreover, the job of CASB is over after a user gets into your organization’s infrastructure. So, it’s possible that users with access can exploit sensitive information and send it to unauthorized persons. Privilege access management is something you need separately with CASB.

As we mentioned before, CASB lacks security after a person has access to a SaaS app. This is one of the biggest security loopholes because you now have no idea what the other person is doing inside the application. And, with collaborative tools, the access level broadens with more people using the SaaS tool. 

When it comes to understanding how apps are being used, Zluri comes out on top. Since Zluri directly connects to SaaS apps, we have accurate usage data from the source of truth.

6. Slows Performance 

The most common issue with proxy-based CASBs is that they slow down the network’s performance. This makes it challenging for employees trying to access information quickly.

In an article posted on its website, Microsoft warned its customers about using proxy-based cloud access security brokers with Microsoft 365. Nor does Microsoft provide any support for integrating such solutions.

Further, the article says that while Microsoft will not prevent its customers from using CASBs, it won't be responsible for any performance and security issues arising from them. It also highlights that these solutions could become non-functional in the future as Microsoft updates its authentication, protocols, and other systems.

Additionally, the post advises customers not to use any third-party WAN optimization solutions, inspection devices, traffic redirection, or any network solution that affects Microsoft 365 user traffic.
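A PAC file of the kind described in the endpoint-agent item earlier, combined with Microsoft's advice above not to redirect Microsoft 365 traffic, as an added example (not from the article, Microsoft or any CASB vendor). The proxy host, the internal zone and the short Microsoft 365 domain list are assumptions; a real deployment would maintain that list from Microsoft's published endpoints.

```javascript
// PAC sketch written in ES3-style JavaScript so older PAC engines can parse it.
// Only applications that honour the system PAC setting ever call this function.
var CASB_PROXY = "PROXY casb-proxy.example.net:8080"; // hypothetical CASB forward proxy
// false = fail closed. true appends "; DIRECT", so traffic silently skips the
// CASB whenever the proxy is unreachable.
var FAIL_OPEN = false;

// Illustrative subset only (assumption), not a complete Microsoft 365 list.
var M365_DOMAINS = ["office.com", "office365.com", "sharepoint.com", "microsoftonline.com"];
var INTERNAL_DOMAINS = ["corp.example.com"]; // hypothetical internal zone

// True if host equals domain or is a subdomain of it. Matching on a label
// boundary keeps a lookalike such as "notoffice.com" from being sent direct.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  var idx = host.lastIndexOf(suffix);
  return idx > 0 && idx === host.length - suffix.length;
}

function inAny(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (hostInDomain(host, domains[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request it is about to make.
function FindProxyForURL(url, host) {
  if (host.indexOf(".") === -1) return "DIRECT";      // plain intranet names
  if (inAny(host, INTERNAL_DOMAINS)) return "DIRECT"; // internal zone
  if (inAny(host, M365_DOMAINS)) return "DIRECT";     // not redirected, per Microsoft's advice
  return FAIL_OPEN ? CASB_PROXY + "; DIRECT" : CASB_PROXY;
}
```

The `FAIL_OPEN` choice is the trade-off to review: falling back to `DIRECT` keeps users working during a proxy outage but removes CASB coverage without any visible error.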

7. Don't Help With Modern IT Needs Like SaaSOps.

Most CASBs don't help with modern IT needs like managing SaaS applications during onboarding and offboarding of employees. When an employee joins an organization, they need to be given appropriate access to SaaS tools from the very first day. The access depends on the employee’s role and department in the organization.

Similarly, when they leave, their access to SaaS apps needs to be discontinued automatically in the shortest possible time to ensure there are no data breaches, and de-provisioning needs to be done properly.

CASB lacks an appropriate IT workflow mechanism that automates the onboarding and offboarding of users, which is necessary to save manual hours and avoid security glitches.

CASBs are Only a Partial Solution, SMP Complements Them 

Though cloud access security brokers offer several benefits, they aren’t sufficient. Organizations need to integrate secure web gateway (SWG), firewalls, and many more tools for complete cloud protection. 

Furthermore, CASBs were made primarily for the old systems, not SaaS first. As more businesses move to SaaS, these solutions will further lose their relevance and will be replaced by API-based, SaaS-first systems, like SaaS management platforms (SMP).
