
CASB vs SMP: Complementary duo or redundant tool against shadow IT?

Organisations often face a dilemma:

  • Is using a CASB effective enough to detect Shadow IT and effectively govern a growing Cloud ecosystem, particularly with the widespread adoption of SaaS applications?

  • Is the implementation of another tool necessary?


Managing the SaaS ecosystem has become a strategic challenge for large organisations, driven by the urgency of digitalisation, the rapid growth of SaaS applications (+18% in 2023), and the increasing autonomy of business departments in their technology choices. These trends create new opportunities and numerous challenges and risks for IT departments.

To effectively handle SaaS applications and address Shadow IT (applications used by employees without the knowledge of the IT teams), enterprises are implementing tools to help secure and govern their IT ecosystem.

"There are several technologies to consider when looking to get started with SaaS discovery". For example, CASB "can discover, protect, and restrict access [to these applications] based on assessed risk, conditional access policies or defined business rules, but lacks functionality to manage, automate, optimize or enable SaaS."

Gartner (Market Guide for SMPs, 2021)


CASB: a partial answer to Shadow IT

To deal with the growing cyber threats, large organisations are increasingly deploying a Cloud Access Security Broker (CASB) to strengthen the security of their Cloud environment. A CASB routes application traffic through a proxy server, or connects to the Cloud providers' APIs, to control and monitor Cloud applications at scale. Acting as a guardrail, it is also used by IT teams to detect Shadow IT.

CASBs offer many benefits and give organisations visibility, control, and compliance, strengthening their protection against cyberattacks and data breaches.

Despite their crucial role in identifying Shadow Cloud (unauthorised use of Cloud services), CASBs struggle to accurately detect SaaS applications, given the rapid spread of these solutions. Representing a significant portion of Shadow IT, SaaS apps are a major challenge for IT teams. Overwhelmed by the volume and complexity of the data collected by CASBs, often polluted with applications used for personal purposes (such as Amazon and Facebook), IT staff have difficulty filtering out the noise. Gartner points out the limitations of CASBs for "managing, automating and optimizing SaaS applications".

The Limits of CASB

  1. Inaccurate and noisy data: many false positives (application detected but not used), requiring additional manual intervention (about 1 to 2 FTE for 1 year to process the data received)

  2. Incomplete database: CASB databases, generally standardised, only partially reference the SaaS applications available on the market, resulting in false negatives (around 50% of SaaS used are missed by CASB analysis)

  3. Limited visibility of usage: CASBs only collect data relating to security. They do not distinguish usage, user behaviours, etc.

  4. Blind spot in detection: CASBs do not detect duplicate or redundant applications, nor unused or underused ones. This gap can compromise the effectiveness of the analysis and the IS rationalisation efforts of procurement teams or IT architects.

  5. …

These limitations are compounded by a fundamental problem: the lack of actionable data. CASBs' analysis capabilities tend to suffer from a deficit of actionable insight. They generally lack personalised dashboards or an in-depth understanding of usage trends, which are crucial for proactively anticipating and dealing with cyber threats.

[Figure: comparative table]


SMP: the effective solution for governing SaaS

CASBs have developed rapidly alongside SaaS management platforms (SMPs). Although the detection of Shadow IT is a common functionality shared by both tools, CASBs and SMPs adopt distinct approaches to discovering and managing Shadow IT. CASBs focus primarily on securing Cloud applications and detecting “Shadow Cloud”. SMPs such as Beamy, on the other hand, prioritise an approach based on the governance of SaaS applications, highlighting a comprehensive understanding and ongoing monitoring of SaaS usage.

Only SMPs provide central admin console capabilities to discover, manage, automate, optimize, govern and enable SaaS used by employees, but other adjacent tools can provide complementary support.
Gartner (Market Guide for SMPs, 2022)

The two tools differ in their observability focus, relying on different input data sources and knowledge bases. CASBs delve into more specific security data such as incidents, non-compliance with security policies, and the security of application services.

SMPs concentrate on a more detailed and specific investigation of SaaS applications and uncover "Shadow SaaS". These platforms examine data such as session duration, usage level (low/medium/high), login frequency, the distinction between professional and personal logins, and engagement duration. This emphasis on SaaS apps allows IT teams to better understand the specific uses and needs of business departments. It facilitates closer collaboration between IT teams, end-users, and other SaaS governance stakeholders (security, legal, finance, etc.).
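The CASB limitations listed above (hits without real usage, consumer apps polluting the data, apps missing from the CASB catalogue, no view of redundant or unused apps) and the usage signals an SMP works from (login frequency, session duration, professional versus personal login) can be made concrete with a small reconciliation script. The following is an added example, not Beamy's code or any CASB vendor's; the discovery records, usage events, category knowledge base, company domain and usage-level thresholds are all constructed assumptions.

```python
"""Reconciling CASB discovery hits with SMP-style usage telemetry.

Added example, not Beamy's code or any CASB vendor's. It models the gaps the
article lists: proxy hits that are not real usage (false positives), consumer
apps polluting the data, apps missing from the CASB catalogue (false negatives),
usage levels and pro/perso logins, and redundant apps within one category.
All data, domains, categories and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed CASB discovery output: app name and proxy hit count.
# A hit is a network request, not a login; embedded widgets and tracking
# pixels produce hits for apps nobody actually uses.
CASB_DISCOVERED = [
    {"app": "Slack", "hits": 1820},
    {"app": "Trello", "hits": 42},      # widgets only, nobody logs in
    {"app": "Facebook", "hits": 510},
    {"app": "Amazon", "hits": 260},
    {"app": "Asana", "hits": 300},
]

# Constructed SMP knowledge base (category per app) and usage events as a
# browser extension would report them: (user, app, login domain, minutes).
SMP_CATALOG = {"Slack": "messaging", "Trello": "project-mgmt", "Asana": "project-mgmt",
               "Notion": "project-mgmt", "Facebook": "social", "Amazon": "shopping"}
SMP_EVENTS = [
    ("alice", "Slack", "corp.example", 45), ("bob", "Slack", "corp.example", 60),
    ("carol", "Slack", "corp.example", 50), ("dave", "Slack", "corp.example", 55),
    ("erin", "Slack", "corp.example", 40),
    ("alice", "Asana", "corp.example", 30),
    ("carol", "Asana", "gmail.com", 25),       # personal account on a work app
    ("dave", "Notion", "corp.example", 50),    # Notion never appears in CASB output
    ("erin", "Notion", "corp.example", 40),
    ("bob", "Facebook", "gmail.com", 10),
]
CORP_DOMAINS = {"corp.example"}                # assumption: company identity domains
PERSONAL_CATEGORIES = {"social", "shopping"}  # assumption: consumer-use categories


def aggregate_usage(events, corp_domains=CORP_DOMAINS):
    """Per app: login count, total minutes, distinct users, pro vs perso logins."""
    usage = {}
    for user, app, domain, minutes in events:
        u = usage.setdefault(app, {"logins": 0, "minutes": 0, "users": set(), "pro": 0, "perso": 0})
        u["logins"] += 1
        u["minutes"] += minutes
        u["users"].add(user)
        u["pro" if domain in corp_domains else "perso"] += 1
    return usage


def usage_level(logins, minutes):
    """Bucket usage as low/medium/high; thresholds are illustrative assumptions."""
    if logins >= 5 or minutes >= 200:
        return "high"
    if logins >= 2 or minutes >= 60:
        return "medium"
    return "low"


def reconcile(casb=CASB_DISCOVERED, events=SMP_EVENTS, catalog=SMP_CATALOG):
    """Cross-check CASB hits against real sessions and return the findings."""
    usage = aggregate_usage(events)
    casb_apps = {r["app"] for r in casb}
    report = {"personal_noise": set(), "false_positives": set(), "missed_by_casb": set(),
              "personal_logins_on_work_apps": set(), "levels": {}, "redundant": {}}
    for app in casb_apps:
        if catalog.get(app) in PERSONAL_CATEGORIES:
            report["personal_noise"].add(app)       # consumer app, not Shadow SaaS
        elif app not in usage:
            report["false_positives"].add(app)      # hits but no sessions: unused
    by_category = defaultdict(set)
    for app, u in usage.items():
        if app not in casb_apps:
            report["missed_by_casb"].add(app)       # Shadow SaaS the CASB never referenced
        report["levels"][app] = usage_level(u["logins"], u["minutes"])
        work_app = catalog.get(app) not in PERSONAL_CATEGORIES
        if work_app and u["perso"]:
            report["personal_logins_on_work_apps"].add(app)
        if work_app and catalog.get(app):
            by_category[catalog[app]].add(app)
    # Two or more actively used work apps in one category are rationalisation candidates.
    report["redundant"] = {c: sorted(a) for c, a in by_category.items() if len(a) > 1}
    return report


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

On this constructed input the script flags Trello as a CASB false positive (proxy hits, no sessions), Facebook and Amazon as personal-use noise, Notion as Shadow SaaS the CASB catalogue never referenced, Asana as a work app with a personal-account login, and Asana and Notion as redundant project-management tools. The point is the join itself: neither data source alone answers "which SaaS are actually in use, by whom, and with which identity".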

The benefits of an SMP

  • Comprehensive detection: SMPs offer a central platform cataloguing all SaaS applications used, including those in Shadow IT. Continuous detection, especially through a web extension, ensures complete and real-time visibility of the SaaS ecosystem.

  • Monitoring & optimisation: Thanks to real-time monitoring, particularly via the web extension, SMPs deliver a deep understanding of SaaS usage. This enables proactive observability of their ecosystem, mitigating potential risks and facilitating targeted adaptation of management, optimisation, and governance strategies.

  • Security and compliance: By providing precise data on SaaS usage and applications’ criticality level, SMPs help identify the most sensitive and urgent applications requiring attention. This enables security and compliance actions to be prioritised.

  • Governance & collaboration: Some SMP tools encourage collaborative governance by involving every stakeholder (IT, finance, legal, business, etc.). IT teams can establish robust governance frameworks thanks to automated and customisable workflows. Business departments then become autonomous in selecting and deploying their preferred apps while contributing to their management within a defined and secure framework.


SMP & CASB: a complementary duo

Next-generation SaaS Management platforms, such as Beamy, include a number of essential features for effective management and governance of the SaaS ecosystem. 

However, they are no substitute for the advanced security capabilities offered by CASBs. Therefore, rather than opting for one over the other, large enterprises would benefit from adopting a combined approach, leveraging the complementarity of these two tools.

Rather than competing offerings, tools like CASBs will work in conjunction with SMPs.
Gartner (Market Guide for SMPs, 2021)

Conclusion

Together, the CASB and SMP establish a solid framework for a secure and optimised SaaS landscape within the organisation. The CASB protects and ensures the application of security policies while enabling precise identification of security vulnerabilities. SMPs, on the other hand, focus on monitoring and analysing the use of SaaS applications (session time, login frequency, usage retention, length of engagement, professional/personal login). This enables robust governance to be put in place, encouraging greater collaboration with all stakeholders through collaborative and customisable workflows.
