Way back in 2013/14, Cloud Access Security Brokers (CASBs) were first deployed to identify Shadow IT, or unsanctioned cloud applications. At the time, the prevailing mindset amongst security professionals was that cloud was bad, and discovering Shadow IT was viewed as the first step towards stopping the spread of cloud in their organization.
Flash forward just a few short years and the vast majority of enterprises have done a complete 180º with regards to cloud, embracing an ever increasing number of "sanctioned" cloud apps. As a result, the majority of CASB deployments today are focused on real-time data protection for sanctioned applications - typically starting with System of Record applications that handle wide swaths of critical data (think Office 365, Salesforce, etc). Shadow IT discovery, while still important, is almost never the main driver in the CASB decision making process.
Regardless, I still occasionally hear of CASB intentions that harken back to the days of yore - "we intend to focus on Shadow IT discovery first before moving on to protect our managed cloud applications." Organizations that start down this path quickly fall into the trap of building time consuming processes for triaging and dealing with what quickly grows from hundreds to thousands of applications, all the while delaying building appropriate processes for protecting data in the sanctioned applications where they KNOW sensitive data resides.
This approach is a remnant of marketing positioning by early vendors in the CASB space. For me, it brings to mind Habit #3 from Stephen Covey's The 7 Habits of Highly Effective People - "Put First Things First."
Putting first things first is all about focusing on your most important priorities. There's a video of Stephen famously demonstrating this habit on stage in one of his seminars. In the video, he asks an audience member to fill a bucket with sand, followed by pebbles, and then big rocks. The result is that once the pebbles and sand fill the bucket, there is no more room for the rocks. He then repeats the demonstration by having her add the big rocks first. The result is that all three fit in the bucket, with the pebbles and sand filtering down between the big rocks.
Now, one could argue that after you take care of the big rocks, perhaps you should just forget about the sand, but regardless, this lesson is directly applicable to your CASB deployment strategy:
You have major sanctioned apps in the cloud that contain critical data. These apps require controls around data leakage, unmanaged device access, credential compromise and malicious insiders, malware prevention, and more. Those are your big rocks and the starting point of your CASB rollout strategy. Focus too much on the sand and you'll never get to the rocks.
Read what Gartner has to say on the topic in 2018 Critical Capabilities for CASBs: