In last week’s Insight Alert, we explored SaaS usage trends published in our 2020 State of SaaSOps report, as well as some new insights not included in the report. This week, we get answers to a question we frequently hear from prospects and customers: How is a SaaSOps platform different from a cloud access security broker (CASB)? Why does an organization need one technology, the other, or both? And finally, how does the 2020 State of SaaSOps survey data provide answers and insight to these questions?
What are CASBs and SaaSOps platforms—and how do they differ?
Before we discuss how they differ, let’s first look at these two technologies. We’ll explain what they are, how they’re the same, and how they’re different.
First, what is a CASB?
According to the Gartner definition, CASBs are on-prem or cloud-based security policy enforcement points. They stand between cloud service consumers and cloud service providers to combine and add enterprise security policies as cloud-based resources are accessed.
It’s a fairly broad category of technologies enforcing policies regarding any type of cloud service including platforms as a service, infrastructure as a service, and of course, software as a service. Within a SaaS environment, CASBs focus primarily on SaaS data security, asset encryption, inline blocking of sharing assets, and network security.
Second, what is a SaaSOps platform?
SaaS Operations, or SaaSOps, is a relatively new discipline for IT and security teams that emerged out of the need to discover, manage and secure SaaS applications. Just as SaaS is a fundamental shift in how organizations use technology, SaaSOps is a fundamental shift in how IT manages data, users, and applications.
A SaaSOps platform, therefore, facilitates discovery, management and security of SaaS, its users, and the data contained with each SaaS app.
The first key difference between the two then? A SaaSOps platform focuses on SaaS and a CASB has a broader charter, focusing on cloud services.
How CASBs and SaaSOps platforms overlap
According to our 2020 SaaSOps Buying Guide, CASBs overlap with SaaSOps platforms in the areas of Data Loss Prevention (DLP – also referred to as “File Security” in SaaSOps) and sensitive content identification functionality. However, CASBs lack operational context on users and data to properly target specific security events.
Without context into users and data, CASBs cannot differentiate between normal, approved user collaboration versus a true security event. Additionally, CASBs do not offer granular actions for remediation within SaaS applications.
As a result, CASBs’ data security methods are intrusive and disruptive to employee productivity and to the overall end user experience.
Here’s an example: If a user shares a file with sensitive information externally, a CASB will allow administrators to block sharing. Meanwhile, in contrast, a SaaSOps platform will have functionality to unshare the file, notify IT about the sharing of a sensitive file, or even send the file owner an email asking if they intended to share the file and a link to unshare the file.
So this is the second key difference: The two technologies enforce security policy in completely different ways.
What the 2020 State of SaaSOps data says about users of CASBs and SaaSOps
According to our research, this analysis divides respondents into 4 groups. They are:
- SaaSOps platform users only, called “SaaSOps Only” make up 32% of our sample (it’s the biggest group, but expected for a study on the state of SaaSOps)
- CASB-only users, who are 8% of respondents
- CASB AND SaaSOps platform users, we’ll call them the “Combo Group,” make up 10%
- The rest who don’t use either, who are not relevant to this discussion, so we won’t say anything else about them.
Let’s move on to talk about the 3 groups important to this discussion. And based on that, we wondered how these 3 groups of organizations differ.
CASB-only users rely on far fewer SaaS applications
Before we get into specific security concerns, it’s important to note that CASB-only companies use far fewer SaaS applications than organizations that use a SaaSOps solution. A CASB-only organization uses an average of 59 SaaS applications. This is far fewer than the overall average of 80 apps, and an even bigger drop off from the typical SaaS-only company, which uses upwards of 93 applications. And the Combo Group uses an eye-popping average of 169 SaaS applications.
CASB-only users are less willing to try new applications
Considering that CASB-only companies tend to use fewer SaaS apps, it might not be surprising to learn that they’re also less willing to try new applications. As the below chart shows, in willingness to try new SaaS apps, the Combo Group comes out on top, just surpassing the SaaSOps only group.
And it’s probably not surprising that nearly half of CASB-only users always require that users ask IT for approval before using a new SaaS application. And as the chart here shows, the SaaSOps only group is the most permissive when it comes to trying a new app.
CASB-only users are motivated to use more SaaS by productivity and security improvements, and much less by employee experience
And when it comes to motivations to use more SaaS apps, we see that all groups are most often motivated by increasing productivity. When it comes to improving the employee experience, the SaaSOps Only and Combo Groups surpass the CASB-only group. And the CASB-only group is not only less motivated by improving the employee experience, they’re more motivated to use more SaaS as a means to increase security.
The obvious conclusion: SaaSOps users max both employee productivity and employee experience while CASBs users value security levels over employee experience.
Each group has different security concerns and SaaS management challenges
Our research shows that CASB-only users clearly have different security concerns than SaaSOps users. From the chart below, you can see CASB-only users are both more likely to identify employees using rogue SaaS apps as well as monitor to prevent confidential information sharing.
This, of course, doesn’t mean SaaSOps platform users cannot monitor to prevent public sharing of confidential data. BetterCloud does include this functionality and for some organizations with strict security and compliance requirements, they do use their SaaSOps platform for content scanning and file management. However, while they should, not all SaaSOps-only organizations take advantage of these functions to properly monitor it.
CASB-only users have challenges in their SaaS environment that BetterCloud solves
As you can see in the table that ranks crucial SaaS environment challenges to solve, CASB-only companies say the top challenge is securing sensitive data and files without end user friction. Next for them comes enforcing least privilege access.
Compare this to the SaaSOps only group, where the top challenge is managing offboarding and onboarding. And then for the Combo Group—where they use an average of nearly 170 SaaS apps—their challenge is understandably managing all those SaaS apps in use.
Overall, the key takeaway is that CASB-only users experience challenges that a SaaSOps platform is designed to solve. They’d benefit from joining the other CASB users in the research—those who combined their CASB with a SaaSOps platform—to improve security and manageability of their SaaS environment.
Find out what a SaaSOps platform can do for you here by scheduling some office hours with our team of SaaSOps implementation experts.
BetterCloud surveyed more than 600 IT leaders and security professionals from the world’s leading enterprise organizations. Download the full report here.