The answer depends on where you want to control apps and what depth of policy control is required. Next-generation firewalls (NGFWs) long ago recognized apps in allow-or-deny policy controls for user identity, content type, and app identity. URL categories in secure web gateways (SWGs) were too broad to delineate specific apps and use cases, along with an associated app risk profile. Also, web sites became app-like instances with personal logins and features that mirror custom apps to post data, share, like, and personalize. Over time, SWGs responded with app-specific web filtering URL controls, given the available visibility.
On the IT front, core applications such as customer relationship management (CRM), email, and data storage migrated to the cloud. As a prime example, Microsoft Office 365 is a well-recognized, leading app suite managed by IT with administration rights. Cloud access security broker (CASB) solutions then developed using vendor-provided cloud APIs for near-real-time policy controls and data-at-rest security functions. This led to a dozen or more IT-managed cloud apps falling under the domain of CASB API policy controls.
The value of cloud-based apps quickly expanded into thousands of apps, the majority of which are used by business units and users without IT administration rights. NGFWs and SWGs could respond with basic allow and deny policy controls for these unmanaged apps, which sit outside the domain of IT administration using CASB API policy controls. However, this situation falls short of understanding the user, app, instance, risk, activity, and data needed for policy controls aware of ‘content and context’. Given that 95% or more of apps are outside of IT control, they need security controls for safe use beyond just allow or deny. Who is the user, device, and what app, instance, activity, and more impor