Gartner’s introduction of the Security Service Edge (SSE) Magic Quadrant in February of 2022 has been an impetus for organizations to reassess their cloud access security broker (CASB) solutions. CASB is one of the three core components of SSE and the piece of the puzzle that handles cloud security for SaaS and IaaS applications. While the primary focus of SSE seems to be around inline deployments of CASB where cloud security, including data and threat protection, are handled in real time, there’s another important part of CASB that is often overlooked. A typical CASB solution also offers additional protection via API integrations. API-based CASB solutions can enrich and benefit an inline cloud security solution.
Gartner, as part of the SSE Magic Quadrant, describes SSE as securing access to the web, cloud services, and private applications, with capabilities including access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration.
At Netskope, API integrations have always been a core part of our CASB offering. Up until recently, CASB API Protection included support for 19 managed cloud applications. With the introduction of new applications, organizations adapt these applications when they prove useful to their productivity and agility. Netskope has developed a new framework for the development of app API integrations, to rapidly expand support for new applications. As a result, Netskope has added the first batch of four new API integrations including Workday, Okta, Citrix Sharefile, and Yammer, with more to be released in the future.
Support for Workday, Citrix ShareFile, Yammer, and Okta recently started rolling out across our data centers. With the addition of these new applications, Netskope API-enabled protections now support 23 SaaS and IaaS applications.
The benefits of CASB API deployment
If you have only an inline deployment for CASB, or you’re just starting to look at CASB solutions, you may be wondering why you’d want or need a CASB API deployment. With API, CASB takes advantage of existing APIs in SaaS and IaaS applications to provide full granular context on data exposure and controls. Because of the requirement to give API access, CASB API is used for managed applications, where access can be granted to the CASB solution.
Here are six example use cases where API enabled protection provides needed security, and also where it can complement inline protections:
- Data-at-rest classification
- Managing sensitive data exposure
- Protecting against malware spreading via SaaS apps
- Visibility & protection related to risky users, compromised accounts
- Protection against risky misconfigurations
- Visibility & protection related to connected apps, plug-ins
Data at rest classification can be used to identify sensitive data that predates inline controls or is added by unmanaged users, or to reassess data as compliance requirements evolve or threat intelligence is updated. CASB API protection can integrate with classification tools like Microsoft Information Protection and enable higher fidelity and adaptive inline policies by incorporating context from API.
The ability to access settings and data through the API means that existing data stored in the application (data at rest) can be scanned for threats (like viruses and malware) and can be checked for incorrect ownership, sharing, and access permissions, and any number of actions can be implemented for sensitive data. For example, permissions can be corrected, sharing can be revoked, and files can be quarantined, encrypted, or placed on legal hold.
The Netskope CASB API solution also works with data loss prevention (DLP) and SaaS security posture management (SSPM) to apply compliance templates to the settings and data stored in managed SaaS applications to ensure regulatory compliance to a number of government and industry regulations, and provide remediation guidance in case any problems are discovered.