New Report Explains Why CASB Solutions Fail to Address Shadow SaaS and How to Fix It

Mar 27, 2025The Hacker NewsBrowser Security / Data Protection

Whether it’s CRMs, project management tools, payment processors, or lead management tools – your workforce is using SaaS applications by the pound. Organizations often rely on traditional CASB solutions for protecting against malicious access and data exfiltration, but these fall short for protecting against shadow SaaS, data damage, and more.

A new report, Understanding SaaS Security Risks: Why CASB Solutions Fail to Cover ‘Shadow’ SaaS and SaaS Governance, highlighting the pressing security challenges faced by enterprises using SaaS applications. The research underscores the growing inefficacy of traditional CASB solutions and introduces a revolutionary browser-based approach to SaaS security that ensures full visibility and real-time protection against threats.

Below, we bring the main highlights of the report. Read the full report here.

Why Enterprises Need SaaS Security – The Risks of SaaS

SaaS applications have become the backbone of modern enterprises, but security teams struggle to manage and protect them. Employees access and use both sanctioned and non-sanctioned apps, each entailing their own types of risk.

• Non-sanctioned apps – Employees often upload data files to SaaS applications, exposing the data to an unknown scope of viewers. This is in itself a violation of privacy. In addition, productivity SaaS apps are often targeted by adversaries since they are aware of the information goldmine that awaits them.
• Sanctioned apps – Adversaries attempt to compromise SaaS app user credentials through password reuse, phishing and malicious browser extensions. With those credentials, they can access the apps and then spread across corporate environments.

Breaking Down SaaS Risk Mitigation Capabilities

Security solutions that mitigate the aforementioned SaaS risks, need to provide the following capabilities:

• Granular visibility of all users’ activities within the application.
• The ability to deduce that a malicious activity might be taking place.
• Terminating malicious activity.

The Limitations of CASB

Traditionally, CASB solutions were used to secure SaaS apps. However, these solutions fall short when it comes to covering both sanctioned and unsanctioned apps, across managed and unmanaged devices.

CASB solutions are made up of three main components: Forward Proxy, Reverse Proxy and API Scanner. Here’s where they are limited:

• Forward Proxy – Cannot provide access control on unmanaged devices
• Reverse Proxy – Cannot prevent data exposure on unsanctioned apps
• API scanner – Cannot prevent malicious activity within sanctioned apps

Plus, CASB solutions lack real-time granular visibility into app activity and have no ability to translate that into active blocking.

The Browser as the Ultimate Security Control Point

A paradigm shift is required: Securing SaaS applications directly at the browser level. Access and activity in any SaaS application, sanctioned or not, typically entails establishing a browser session. Hence, if we build the SaaS risk analysis capabilities into the browser, it would also be trivial for the browser to treat detected risks as a trigger for protective action – terminating the session, disabling certain parts of the web page, preventing download\upload, and so on.

Browser Security vs. CASB: The Showdown

Browser Security provides the following advantages:

• 100% Visibility – Detects every SaaS application in use, including shadow IT.
• Granular Enforcement – Applies real-time security policies at the user’s point of interaction.
• Seamless Integration – Works with identity providers (IdPs) and existing security architectures without disrupting user experience.
• Unmatched Protection – Prevents unauthorized access, data leakage, and credential misuse across all devices, whether managed or unmanaged.

Read more about SaaS risk management and browser security protection in the white paper