EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
Guest: Ben Johnson, CTO/co-founder @ Obsidian Security Topics: Why is there so much attention lately on SaaS security? Doesn’t this area date back to 2015 or so? What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see? CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing? Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system? Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle? For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology? Resources: Obsidian Security blog and Resource Center Does the World Need Cloud Detection and Response (CDR)? blog Does the world need Cloud Detection and Response (CDR) as a new market segment? poll MITRE ATT&CK for SaaS matrix CISA SCUBA resource “Essentialism” book.