TL;DR: CASBs struggle to keep up with remote work because proxy-based deployment, manual policy handling, incomplete SaaS visibility, and weak offboarding support leave operational gaps that cloud-first teams still have to close, according to Zluri. The underlying issue is that legacy inspection models were built for network boundaries, not for SaaS sprawl and identity-driven access.
NHIMG editorial — based on content published by Zluri: IT Teams Drawbacks of CASBs in the Remote World
By the numbers:
- According to a Gartner report, CASB solutions cost between $15/user/year and $85/user/year.
- The post says almost 360k new malware is found every day, which makes signature-based detection increasingly ineffective.
Questions worth separating out
Q: How should security teams govern SaaS access when CASB only provides partial visibility?
A: They should use CASB as an inspection layer, not as the control point for lifecycle governance.
Q: Why do proxy-based CASB deployments struggle in remote and BYOD environments?
A: Because they depend on traffic flowing through a predictable inspection path.
Q: What do organisations get wrong about CASB and DLP?
A: They often assume a CASB can act as a self-contained data protection stack.
Practitioner guidance
- Map control coverage to the actual SaaS traffic path: identify where forward proxy, reverse proxy, and API-only enforcement leave blind spots for unmanaged apps, mobile users, and non-web traffic.
- Separate visibility from governance in your operating model: require a clear handoff from activity monitoring to entitlement review, access removal, or privilege tightening.
- Reduce dependence on manual policy classification: replace box-checking workflows with policy logic tied to user role, app sensitivity, and lifecycle state.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The exact deployment steps for forward proxy, reverse proxy, and API-based CASB models across SaaS environments.
- The pricing breakdown and infrastructure overhead behind log collectors, PAC files, identity connectors, and endpoint agents.
- The Microsoft warning on proxy-based CASB impact for Microsoft 365 traffic and authentication changes.
- The article's comparison of CASB limitations against SaaS management platform workflows for onboarding and offboarding.