10. Advanced SaaS Security
Large Automotive Supplier with 190K Employees Globally
PROJECT DRIVERS
● Massive cloud/SaaS adoption
● Visibility and control over known and unknown apps
● Reduce complexity; consolidate security
IMPACT
● Cloud-delivered security simplified deployment and policy creation
● Dramatically increased visibility and control of all apps
● Consistent protections for 190K users globally
That certainly sounds like a significant set of security challenges, but the entire CASB industry was born to solve SaaS security for us. Yet these security problems remain. So what went wrong?
Well, traditional CASB tried to solve data security first with an instrument called data loss prevention, or DLP, which attempts to identify and control the movement and access of sensitive data. The problem is that this approach skips over the bulk of the SaaS attack surface — which is the security and integrity of the SaaS app itself. If you focus on data security while neglecting the security posture of the app, it’s like building on a cracked foundation. If you can’t trust that the app itself is hardened from attack, then the app can’t be relied on to provide any security assurances, including data security.
Second, when it comes to data security, traditional CASB products more or less took legacy approaches to DLP and bolted these engines onto SaaS. The problem is that the nature of the data itself and how it is shared has changed. We’re no longer just talking about files and databases; we’re talking about sensitive data being shared in real time within unstructured chat conversations through collaboration apps. Legacy DLP just doesn’t work in this model.
Third, most CASB vendors simply have not made the investments required, nor do they have the security pedigree, to deliver best-in-class anti-malware and other threat defense technology. Commodity capabilities and OEM technology just don’t have what it takes to detect and stop modern attackers from getting through.
Well, it became clear to us that we needed to take a zero trust-based approach to SaaS security. Just as we pioneered the industry’s only ZTNA 2.0 approach to SASE, we can see that the same principles of ZTNA 2.0 apply to securing SaaS specifically. In fact, since CASB is so tightly woven into SASE, it truly serves as another policy decision and enforcement point in the ZTNA construct. It has the power to allow or deny sessions just as other SASE functions do, and that’s congruent with a key goal of ZTNA, which is moving to session trust.
There are four must-have components to taking a zero-trust approach to securing SaaS.
First, visibility and control over all SaaS consumption across the enterprise is the only way to effectively implement least privilege access for SaaS. You cannot secure what you cannot see.
Second, you need to be able to secure the SaaS apps themselves if you’re going to successfully prevent a breach. With zero trust, you cannot assume that SaaS apps are “secure by default,” because often they are not.
Third, you also need to protect all data — which includes modern forms of data, wherever they may be found, such as in modern collaboration apps.
Fourth, in order to prevent attacks, you can’t assume that authenticated users are who they say they are, or that they are well-intentioned. Under zero trust, you also can’t assume a file inside your SaaS app is benign. Continuous inspection of all objects and user activities in SaaS is required to truly implement a zero-trust approach for SaaS.
Not too long ago, we introduced the Application Cloud Engine, which uses cloud-based ML and near-real-time SaaS consumption telemetry from users to automatically discover, identify, and catalog new SaaS apps.
We knew it was the only way to keep up with the incredible pace of SaaS, and it was well worth the investment, as our SaaS app catalog has now swelled past 40k apps and is growing by the day.
This provides an amazing level of visibility and control of all SaaS consumption across the enterprise, enabling security teams to smartly reduce risk through automated policy recommendations, which include access controls, WildFire for antimalware, and DLP, all of which help mitigate risk while not slowing down the business.
You can now actually manage Next-gen CASB directly from the Prisma Access cloud-based management console, which provides a fully unified user experience.
Next, we’re introducing a completely new product within next-gen CASB called SaaS Security Posture Management (or SSPM) to harden your sanctioned enterprise SaaS applications and protect them from attack.
Our focus here is on delivering true security, not just compliance, so our approach to security posture is fundamentally different — we perform comprehensive monitoring of all security-impacting configurations in SaaS apps, not just compliance-related items, and we align them to security-oriented best practice recommendations.
You want to avoid security problems before they occur, so we’ve taken a prevention-first approach, which means that we perform continuous monitoring that allows security teams to quickly identify and fix security risks as they arise, often with a single click.
Then you can lock security-critical settings in place with something we call Drift Prevention, which ensures there are no regressions caused by various app admins throughout the IT organization.
We believe SaaS posture security is so important that it doesn’t make sense to apply it to just a small handful of key apps. It’s likely that your sensitive data and user information spans dozens or perhaps hundreds of apps. That means posture security needs to be there for all your SaaS apps, or at least as many as possible.
Which is why we’ve launched our service with support for over 40 apps, about 5 times more than traditional CASB vendors.
And by the end of 2022, we are aiming to support over 100 apps, or about 20 times the level of SSPM support from traditional CASB vendors.
Next, let’s talk about data security.
The DLP capabilities within Palo Alto Networks next-gen CASB have been greatly expanded to address more contemporary data loss scenarios, for example the growing threat of sensitive data being shared within collaboration apps.
We do this through the use of various techniques, including ML, EDM, OCR, and most recently, Natural Language Processing, or NLP, that helps us understand the context and meaning of unstructured chat data to find passwords, credentials, and other secrets, in near-real time within collaboration apps such as Slack or Teams.
Your users can remediate incidents themselves on the spot, avoiding an incident that the infosec or data security teams have to respond to.
With industry-leading API integrations of 27+ enterprise apps, Next-gen CASB offers the highest levels of data protection for sanctioned SaaS.
And finally, let’s talk about how Palo Alto Networks Next-gen CASB stops attackers and insider threats from getting at your data.
New behavioral analytics identifies suspicious user behavior that could indicate an attacker or malicious insider is attempting to exploit access to a SaaS application to obtain sensitive data or impersonate a user.
Remember that every breach happens as a result of an action that was allowed, such as an authenticated user logging into an app, or allowed network access.
The key requirement of ZTNA 2.0 is that all activity and objects, including non-person entities, are inspected and monitored, regardless of authentication or access policy, to ensure the safety of all content, and the legitimacy of all user actions inside SaaS apps.
That is the only way to ensure complete security for SaaS.
Part of how we do this is with WildFire integrated right into our CASB. WildFire is an incredibly capable anti-malware service which, believe it or not, stops 224B threats per day.
We are also able to apply our advanced DLP capabilities for private apps and SaaS apps, all with the same DLP policy, so you don’t need to guess which apps are protected and what data is secure to continue realizing strong data protection and security policies across the board.
To summarize, we provide complete visibility of SaaS consumption:
● Granular control of SaaS app features and functions
● SaaS security policy recommendations
● SaaS Security Posture Management
● Enterprise DLP w/ EDM, OCR, and ML/NLP
● Advanced Anti-Malware & Sandboxing
● Suspicious User Behavior Monitoring
● And all integrated with SASE Management
About the customer
A technology company innovating at the intersection of disruptive trends in the mobility industries, making vehicles safer, greener and more connected to enable the future of mobility.
Global automotive technology leader, with more than 180,000 people across 124 manufacturing facilities and 12 major technical centers worldwide, and a presence in 44 countries.
Customer Challenge
● Relying on more apps in the cloud
● Need visibility and granular control of known and unknown SaaS applications
● Need more efficient management (too many vendors/products), plus threat inspection
● Simple policy creation and deployment w/out leveraging proxy or agents
● Eliminating the need to synchronize risks, policies, and goals across a separate layer of the stack
● Eliminate requirement to update/configure agents for inline inspection
● Protecting unmanaged endpoints