After years of working with different CASB/SaaS solutions, I've found Palo Alto SaaS Security superior to the other vendors' offerings.
The primary issue with most CASB products is that all traffic must be sent to a single instance of the CASB system, which adds latency, especially once additional policies that scan for malware or DLP violations are enabled.
Even when there are several instances of the CASB system in different regions (e.g. one in EMEA, one in NA and one in APAC), this is still not enough: a large company may have more than 100 offices. Typically the issue isn't spotted until real-time inspection policies are enabled and the lag and reduced performance become noticeable. IT departments also need to ensure that users aren't deploying unsanctioned SaaS applications (so-called shadow IT), and even non-web SaaS applications should be inspected. All of this calls for a CASB solution that can inspect packets against many policies in parallel rather than one policy at a time.
Palo Alto SaaS Security is the perfect solution because the CASB policies run on the next-generation firewalls or on Prisma Access. This way, CASB functions sit close to the end users, and the Palo Alto SP3 design inspects policies such as DLP and malware in parallel. Because the user's traffic is sent via the GlobalProtect agent, shadow IT applications and non-web applications are also detected. Most Palo Alto firewalls are deployed in HA, and the Palo Alto cloud firewall solution auto-scales if there is a need or an issue.
Prisma Access can also work with MDM systems and with clientless VPN and SAML to provide access for unmanaged devices. This is the so-called SAML proxy: after successful authentication, the user is returned to the clientless VPN portal of a next-generation firewall or Prisma Access. This is just one function SAML offers, yet many CASB solutions are based on this feature alone.
Prisma Access also works alongside on-prem firewalls. The GlobalProtect portal activates based on geolocation, which allows Prisma SaaS to function on-prem and in the cloud at the same time.
With most CASB solutions there are inline and out-of-band integrations with the cloud applications for monitoring and security, and the same is true for Prisma SaaS. The CASB, DLP and antivirus policies that check traffic in real time on the next-generation firewalls or Prisma Access provide the inline (session) security, while the SaaS Security API provides the out-of-band integration with cloud applications such as Salesforce and ServiceNow. It is good practice to always integrate the cloud applications with Prisma SaaS through their APIs so that user behaviour can be investigated; if there is a violation, the user's account can be blocked on the cloud application.
Because Prisma SaaS uses Cortex Data Lake, it integrates easily with most other Palo Alto products: Cortex XSOAR, for example, can automatically lock AD user accounts, and Cortex XDR can perform extra analysis.