Software-as-a-service (SaaS) has taken over the world because it’s easy. With just a few clicks, business units can find an application that’s suitable for a particular business process. They can subscribe to it and immediately start using it — and the IT department might never find out.
Cloud access security brokers (CASB) first emerged to help security teams track and manage their emerging shadow IT problem to gain some visibility and control. But today, according to research from Digital Ocean, 86% of companies increased their reliance on cloud services in 2021. Research from Netskope shows companies now use an average of 805 distinct cloud applications per month, 97% of which are ungoverned. The few that are governed are likely not very well controlled. We may be able to take some solace from the fact that the most mission-critical data is usually concentrated in a few of the most strategic SaaS apps (e.g., Office 365, Salesforce, GitHub, Google Workspace, etc.), limiting the need for guesswork into thousands of other SaaS apps that aren’t as well known.
That said, a lot of mission-critical data also winds up in custom applications that people write and deploy into an infrastructure-as-service (IaaS) cloud, such as Microsoft Azure, Amazon Web Services (AWS), or Google Cloud Platform (GCP). These environments are sufficiently different from the on-premises world. The kinds of tools people use to check the health of applications and infrastructures that were built on-premises don’t accommodate the cloud very well. On-premises security and monitoring tools were all built under the assumption of static existence. The infrastructure was set, and the applications and the data were static. The cloud inverts this thinking and is dynamic. The dynamism in the public cloud causes a lot of traditional security tools to break.
Multi-Cloud Challenges In-House Expertise
Almost every organization on the planet is now multi-cloud. Many will use AWS for some projects and use GCP for others and Azure for still others. In the case of mergers and acquisitions, the choice of cloud platform may even be forced upon you out of circumstance. Or sometimes, choosing a certain platform over another might be a case of suitability for a particular application or developer proficiency.
One of the challenges here is that it’s hard enough to be an expert in even one of these platforms. Each one may have hundreds of different services and the services talk among themselves in varying ways. For example, the access contr