
CASB or ZTNA: Why Not Both?

Anyone who has walked the exhibit floor of a large security conference can be forgiven for confusing the alphabet soup of acronyms that make up a modern cybersecurity space dominated by remote access needs — particularly Cloud Access Security Brokers (CASB) and Zero Trust Network Access (ZTNA), which are often used in the same breath, if not interchangeably.

CASB has been entrenched in many organizations for the better part of a decade, protecting and managing SaaS applications. While the concept of Zero Trust has been around for a while, Zero Trust Network Access (ZTNA) is the relatively new kid on the block, a rising star that represents the future by moving beyond simply granting access to applications to enforcing security controls tied to those apps.

The onset of the pandemic threw interest in both CASB and ZTNA into overdrive — Gartner has predicted a 40 percent compound annual growth rate for CASB and accelerated adoption of ZTNA over the next five years. Enterprises were forced not only to accelerate their move to the cloud, but also to support an entirely remote workforce flung all over the world, well outside the reach of the secure, on-premises data center fortifications they had built over the years.

In the aftermath of that disruption, CASB and ZTNA have become key components of the Secure Access Service Edge (SASE) framework, which combines a mix of security tools with SD-WAN capabilities so that employees can securely work at any time from anywhere. That will hold true — even more so — as some workers head back to the office and others remain remote, forcing organizations to quickly rethink their application security strategies to protect an ever-evolving hybrid work environment.

While CASB and ZTNA will continue to work hand in hand as part of an overall application security strategy, there are distinct use cases for each (at least for the time being).

Use CASB to…

Secure resources stored in the public cloud

An enterprise whose applications are all hosted in the cloud — think SaaS — is a prime candidate for CASB. This is where CASB excels: it is already familiar to users, and its price point is attractive to IT security organizations with tight budgets.

Gain visibility into shadow IT

What defenders can’t see, they can’t protect. By some accounts, shadow IT — employees’ unauthorized, under-the-radar use of cloud services — makes up most of an organization’s IT footprint, putting the organization at greater risk of a security incident. CASB can provide visibility into shadow IT and help organizations gain control over it.
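The visibility described above typically starts with log-based discovery: a CASB ingests egress logs from the proxy or firewall and compares the cloud services users actually reach against the sanctioned-app inventory. The following is an added example (not Menlo Security code and not any particular CASB’s implementation) that performs that comparison over a few constructed proxy log lines; the log format, the sanctioned and catalogue domain lists, and the user names are all assumptions made for the illustration.

```python
"""Shadow IT discovery from proxy logs (added illustration, not Menlo Security code).

Reads constructed proxy log lines, drops traffic to sanctioned SaaS, and reports
known-but-unsanctioned cloud services by user, ranked by bytes uploaded.
"""
from dataclasses import dataclass, field
import re
from urllib.parse import urlsplit

# Constructed: sanctioned SaaS keyed by registrable domain (assumption for the example).
SANCTIONED = {"salesforce.com": "Salesforce", "office.com": "Microsoft 365", "slack.com": "Slack"}
# Constructed: catalogue of known cloud services used to label what is discovered.
CATALOGUE = {"dropbox.com": "Dropbox", "wetransfer.com": "WeTransfer",
             "pastebin.com": "Pastebin", "notion.so": "Notion"}

# Constructed log format: "<timestamp> <user> <METHOD> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<bytes>\d+)$")

# Constructed sample log (dates, users and hosts are made up for the example).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://login.salesforce.com/ 200 5120
2024-03-04T09:13:44Z bob POST https://www.dropbox.com/upload 200 8388608
2024-03-04T09:15:02Z carol GET https://news.example.org/ 200 20480
2024-03-04T09:16:10Z bob PUT https://content.dropbox.com/chunk 200 4194304
2024-03-04T09:17:33Z dave POST https://pastebin.com/api/api_post.php 200 2048
2024-03-04T09:18:05Z alice GET https://app.slack.com/ 200 10240
2024-03-04T09:19:27Z erin GET https://www.notion.so/workspace 200 30720
malformed line here
"""


@dataclass
class Finding:
    service: str
    domain: str
    users: set = field(default_factory=set)
    bytes_out: int = 0  # bytes on upload-type requests (POST/PUT)


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplification: a production tool would consult the public suffix list so
    that e.g. 'example.co.uk' is not reduced to 'co.uk'.
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["bytes"] = int(rec["bytes"])
    return rec


def discover_shadow_it(lines):
    """Aggregate unsanctioned cloud-service usage per domain, highest upload volume first."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        dom = registrable_domain(rec["host"])
        if dom in SANCTIONED:
            continue  # sanctioned SaaS: not shadow IT
        if dom not in CATALOGUE:
            continue  # generic web traffic, not a known cloud service
        f = findings.setdefault(dom, Finding(CATALOGUE[dom], dom))
        f.users.add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            f.bytes_out += rec["bytes"]
    return sorted(findings.values(), key=lambda f: (-f.bytes_out, f.domain))


if __name__ == "__main__":
    for f in discover_shadow_it(SAMPLE_LOG.splitlines()):
        print(f"{f.service:<10} {f.domain:<14} users={sorted(f.users)} uploaded={f.bytes_out} bytes")
```

Ranking by upload volume rather than request count surfaces the case a security team cares most about first: data leaving the organization through an unsanctioned service.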

Ensure regulatory compliance

Some industries have to contend with a slew of strict regulations. CASB’s ability to monitor the usage of cloud services and create policy controls offers organizations a simple way to stay compliant with these regulations.

Extend the legacy VPN

The once tried-and-true VPN hasn’t held up well in the post-pandemic remote work environment. VPNs simply did not scale in the face of entire workforces going home. CASB offers the visibility across the computing environment that VPNs just can’t provide, which helps IT security better understand application usage and gain better control over network assets.

Though CASB is a powerful security tool, it isn’t sufficient for every situation.

Use ZTNA to…

Protect private apps or a mix of private and public cloud apps

CASB alone can’t meet the security needs of modern organizations. As recently as 2019, 98 percent of enterprises relied on on-premises servers, into which CASB has little to no visibility. Nor can CASB, in its current form, stay abreast of the rapid uptick in SaaS apps. ZTNA, though, is well suited to provide visibility across the entire network.

Tie security controls more closely to applications

ZTNA is about more than offering secure access to applications. It ensures that important security controls — such as scanning uploads and downloads for DLP violations and malicious files, or making apps read-only — are tied to private applications. This solution, as opposed to VPNs, is particularly well suited for the enterprise that needs to provide access to the intranet, since ZTNA provides access to internal sites that CASB does not.

Restrict access

Sometimes access to SaaS apps like Salesforce must originate from a specific IP address range in order to control who can reach them. In other words, users essentially have to reach the SaaS app through a VPN so that their traffic arrives from the restricted IP space the app expects. CASB can’t really help with this level of restriction, but a ZTNA solution can serve as the defined location from which connections to the SaaS app are made, providing additional security.
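The two points above (controls tied to each application, and a SaaS app that only accepts connections from an allowed IP range being reached through a ZTNA egress point inside that range) can be illustrated with a small per-application policy evaluator. This is an added example, not Menlo Security code and not any vendor’s policy engine; the application names, group names, device-posture flag and IP ranges are all constructed for the illustration (the addresses use documentation ranges).

```python
"""ZTNA-style per-application access decision (added illustration, not Menlo Security code).

Each app carries its own controls (read-only, DLP scanning) and, for a SaaS app
that enforces a source-IP allowlist, the ranges it accepts. A request is allowed
only if identity, device posture, the requested action and the egress address
all satisfy that app's policy; anything unknown is denied.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class App:
    name: str
    private: bool                       # True: no public address, reachable only via the ZTNA broker
    allowed_groups: frozenset
    read_only: bool = False
    dlp_scan: bool = False              # scan uploads/downloads for sensitive data and malware
    allowed_source_ranges: tuple = ()   # SaaS-side IP allowlist, if the app enforces one


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_compliant: bool  # result of the endpoint posture check (constructed flag)
    app: str
    action: str             # "read" or "write"
    egress_ip: str          # address the application will see the connection coming from


@dataclass
class Decision:
    allow: bool
    reason: str
    controls: tuple = ()    # controls the broker must enforce on the allowed session


# Constructed policy: two private apps and one SaaS app with an IP allowlist.
POLICY = {
    "hr-portal": App("hr-portal", private=True, allowed_groups=frozenset({"hr"}), dlp_scan=True),
    "wiki": App("wiki", private=True, allowed_groups=frozenset({"staff", "hr"}), read_only=True),
    "salesforce": App("salesforce", private=False, allowed_groups=frozenset({"sales"}),
                      dlp_scan=True, allowed_source_ranges=("203.0.113.0/24",)),
}
ZTNA_EGRESS_IP = "203.0.113.10"   # constructed: the broker's point of presence, inside the allowlist


def evaluate(policy: dict, req: Request) -> Decision:
    """Default-deny evaluation of one request against the app's own policy."""
    app = policy.get(req.app)
    if app is None:
        return Decision(False, "unknown app")
    if not req.device_compliant:
        return Decision(False, "device posture check failed")
    if not (req.groups & app.allowed_groups):
        return Decision(False, "user not in an allowed group")
    if app.read_only and req.action == "write":
        return Decision(False, "app is read-only under this policy")
    if app.allowed_source_ranges:
        src = ipaddress.ip_address(req.egress_ip)
        if not any(src in ipaddress.ip_network(r) for r in app.allowed_source_ranges):
            return Decision(False, f"egress {req.egress_ip} is outside the app's allowed source ranges")
    controls = []
    if app.dlp_scan:
        controls.append("dlp_scan")
    if app.read_only:
        controls.append("read_only")
    return Decision(True, "allowed", tuple(controls))


if __name__ == "__main__":
    sales = frozenset({"sales"})
    for req in (
        Request("sam", sales, True, "salesforce", "read", ZTNA_EGRESS_IP),
        Request("sam", sales, True, "salesforce", "read", "198.51.100.7"),   # direct from home
        Request("wendy", frozenset({"staff"}), True, "wiki", "write", ZTNA_EGRESS_IP),
        Request("hal", frozenset({"hr"}), False, "hr-portal", "read", ZTNA_EGRESS_IP),
    ):
        d = evaluate(POLICY, req)
        print(f"{req.user:<6} {req.app:<11} {req.action:<6} -> {'ALLOW' if d.allow else 'DENY ':5} {d.reason} {d.controls}")
```

The egress check is what lets a ZTNA broker stand in for the VPN in the Salesforce case: the same user is denied when connecting directly from a home address and allowed when the connection leaves through the broker, and the DLP control travels with the app rather than with the network path.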

Understand internal app usage

As part of a solid app strategy, security teams must understand internal application usage, and that’s where a ZTNA solution can provide insights. IT security can take that information and build security policy around apps and their usage.

Keep private applications private

While some ZTNA solutions require even private applications to have a public address, others enable organizations to keep their private apps away from prying eyes. By enabling access to those applications only through a ZTNA infrastructure, access can be granted while privacy is maximized.

Quickly detect and dispatch threats

ZTNA offers true end-to-end visibility across a network and its systems. Defenders can not only set security policies around apps and their usage, but they can also more quickly spot activity and behavior that might indicate a threat, then quash it.

The Best of Both Worlds

In the real world, many enterprises have already deployed CASB and their employees, third parties, and contractors are familiar with using it. The solution still has an important job to do today: protecting SaaS applications. But the future is bending toward ZTNA, or at least a blended version of the two technologies that can secure and control all the apps that decentralized workers need.

Organizations today, then, should be rethinking their broader application security strategies to encompass both SaaS and private apps. An essential piece of that strategy is prioritizing manageability. Regardless of the type of apps supported, policy creation should use a familiar format so administrators don’t have to learn two different sets of tools. Those serious about protecting and monitoring their entire app space should seek solutions that provide visibility from a centralized management console and an evolutionary path toward ZTNA.

To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.