Learn About Our CCSK X CCSP Training Week

CASB is Dead, Long Live CASB!

IT sure is a funny industry. I’ve often thought of the Ferris Bueller’s Day Off quote “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” and change it to “Technology moves pretty fast. If you don’t like it, ignore it and it will soon be gone”. This has happened for decades to many products and standards (hello, NetWare and IPX/SPX) and now it’s the Cloud Access Security Broker’s (CASB) turn to disappear into the realm of deprecated technology…or is it?

CASB Backgrounder

To those unfamiliar with CASB, it essentially allows for governance of cloud services. Mostly raised on being an inline device to control SaaS usage, it then morphed into protection of PaaS and IaaS solutions as well with API integration. These offered a solution beyond simple allow/deny access to websites where you could set up DLP rules to prohibit certain messages from being sent to Twitter for example.

This sounds pretty important. Why is it dead?

Well, here’s the funny part, it’s not dead, it’s just going through another transformation. The latest iteration of CASB is that it is now part of a suite of services in a package called Secure Access Service Edge (SASE). SASE consists of numerous functions for both networking and security. Generally, a SASE solution is comprised of the following services:

– Software Defined Wide Area Network (SD-WAN)

– Content Delivery Network (CDN)

– Cloud Access Security Broker (CASB)

– Remote Browser Isolation (RBI)

– Firewall as a Service (FWaaS)

– Secure Web Gateway (SWG)

– Zero Trust Network Access (ZTNA)

So SASE is the new CASB?

Kinda. There is an issue with SASE in that it packs together both networking and security services. As you can imagine, there are very few companies that are competent in both areas. This lead Gartner to break out the security functionality from the networking side and they called it Security Service Edge (SSE). This is the way that many companies on the security side of SASE are now promoting themselves. Cisco, Netskope, Skyhigh Security (which in 4 years went from being Skyhigh Networks to McAfee and is now Skyhigh Security) among others.

So Many Moving Parts

I know that it seems like this post is all over the map, but that’s because the changes in this technology are all over the map. So many CASB vendors were either bought-out or have otherwise failed. Honestly, I think this latest change to SSE will be the last for a few years.


What does SSE do?

According to Gartner, an SSE should be able to offer cloud-based functionality to address the following for any device, anywhere:

– Protect Web Access

– Protect Cloud Usage

– Protect Private Applications


To do this, the SSE device should include the following main components:

– CASB to protect cloud usage

– Secure Web Gateway (SWG) to protect web access

– Zero Trust Network Access (ZTNA) to protect private applications


Additionally, SSE typically includes the following functionality:

– Cloud Security Posture Management (CSPM)

– Firewall as a Service (FWaaS)

– SaaS Security Posture Management (SSPM)

– Digital Experience Monitoring (DEM)


These components will deliver the following capabilities:

– Visibility

– Web and Cloud Application Filtering

– Adaptive Access Control

– Data Security

– Threat Protection

– In-Session Control

– User and Entity Behavior Analytics (UEBA)

– Remote Browser Isolation (RBI)

Gartner’s View

Gartner has created a Magic Quadrant for SSE (February 2022). I’ll lay out the vendors and their quadrants here (note: if you’re unfamiliar with the Gartner Magic Quadrant, the upper right is generally seen as most desirable by vendors, lower left is less so):

Leaders Quadrant (the upper right):

– ZScaler

– Netskope

– Skyhigh Security (former McAfee family member as discussed above)

Visionaries (lower right):

– Forcepoint (Bitglass acquisition)

– Lookout (CipherCloud acquisition)

Challengers (upper left quadrant)

– Palo Alto Networks

– Cisco

Niche Players (lower left quadrant)

– Broadcom

– iboss

– Forcepoint (Skyfence version…told you the acquisitions in this space was crazy. Yes, Forcepoint has two CASB solutions)

– Versa

Single or multivendor approach?

Here’s the hard part. Although SSE does eliminate the networking solutions from SASE, there is still the issue of many eggs being placed in one basket. Do you want a multivendor approach where you have the best CASB for cloud app access, the best SWG for web protection? Are you comfortable using an SSE solution that might be from a great CASB vendor, but they are new to SWG for example?

An expression that I like is “complexity is the enemy of security”. What are you introducing when using multiple point solutions? Complexity. There’s complexity regarding the logging, proxies and agents that need to be deployed. With this in mind, I think using a single SSE is better than multiple point solutions from visibility, control and cost perspectives.

Which is best for me?

Still, we are left with the question of which vendor is best. I can’t tell you which is best because I don’t know your use case.

That in mind, I would be looking at what my priorities are and weight my vendor comparison as required. I would also ask the vendor if all of their functionality is exposed via one console, or if they have a piecemeal approach with separate consoles for separate functionality. Of note, regarding this single interface discussion, more than 50% of SSE buyers are doing so to simplify security policy management and enforcement.

Remember this is a new technology and different vendors are good at some things, but likely not the best in every space. Consolidation in the SSE space is highly likely in the future. If you’re happy with your CASB today, I would probably reach out to them and ask what their SSE roadmap is. Between CASB and SWG vendors, I would say that CASB vendors are in the lead for SSE leadership as much of what is in place for CASB acts as main pillars of SSE capabilities.

Final Thought

One last thing regarding SSE. Go for short term contracts of no more than 2 years. As I said, this is a new industry and you can be assured of rapid technical changes and advancements. The mergers and acquisitions in the SSE space should follow a similar path as was shown in the CASB coverage earlier in this post. Keep up with the latest changes in cloud security by checking out our CCSK and CCSP training offerings.

Posted under:

Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.

CCSK | CCSP: The Industry’s Leading Cloud Security Certifications - learn more

Upgrade your Skills. Secure your Potential.

Our experts provide hands-on and on-demand training that helps IT and data security professionals meet today's cyber security challenges and prepares you for a successful future.

Training Schedule Contact Us