CASB in remote work: what governance gaps are teams missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: CASBs struggle to keep up with remote work because proxy-based deployment, manual policy handling, incomplete SaaS visibility, and weak offboarding support leave operational gaps that cloud-first teams still have to close, according to Zluri. The underlying issue is that legacy inspection models were built for network boundaries, not for SaaS sprawl and identity-driven access.

NHIMG editorial — based on content published by Zluri: IT Teams Drawbacks of CASBs in the Remote World

Questions worth separating out

Q: How should security teams govern SaaS access when CASB only provides partial visibility?

A: They should use CASB as an inspection layer, not as the control point for lifecycle governance.

Q: Why do proxy-based CASB deployments struggle in remote and BYOD environments?

A: Because they depend on traffic flowing through a predictable inspection path.

Q: What do organisations get wrong about CASB and DLP?

A: They often assume a CASB can act as a self-contained data protection stack.

Practitioner guidance

  • Map control coverage to the actual SaaS traffic path: Identify where forward proxy, reverse proxy, and API-only enforcement leave blind spots for unmanaged apps, mobile users, and non-web traffic.
  • Separate visibility from governance in your operating model: Require a clear handoff from activity monitoring to entitlement review, access removal, or privilege tightening.
  • Reduce dependence on manual policy classification: Replace box-checking workflows with policy logic tied to user role, app sensitivity, and lifecycle state.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The exact deployment steps for forward proxy, reverse proxy, and API-based CASB models across SaaS environments.
  • The pricing breakdown and infrastructure overhead behind log collectors, PAC files, identity connectors, and endpoint agents.
  • The Microsoft warning on proxy-based CASB impact for Microsoft 365 traffic and authentication changes.
  • The article's comparison of CASB limitations against SaaS management platform workflows for onboarding and offboarding.

👉 Read Zluri's analysis of CASB drawbacks in remote SaaS environments →




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

CASB was built for perimeter-era control assumptions that no longer hold in SaaS-first identity estates. The article shows that proxy placement, log collection, and policy enforcement all depend on traffic flowing through a predictable control path. That assumption breaks when users work remotely, apps proliferate, and third-party participation becomes routine. Practitioners should treat CASB as a partial inspection layer, not the governance source of truth.

A question worth separating out:

Q: How can teams tell whether their SaaS governance model is actually working?

A: Look for automated outcomes, not just alerts. If app discovery does not lead to entitlement cleanup, if leaver access persists, or if policy classification depends on manual review, the programme is producing reporting rather than control.

👉 Read our full editorial: CASB drawbacks in remote work expose SaaS governance gaps



   