Why Versa’s API-Based CASB is Essential for Modern Enterprises

By Mark Guan

October 27, 2025

Securing SaaS, IaaS, and PaaS applications has become more complex—and more critical—than ever. The rise of hybrid work, the increased adoption of SaaS tools, and the use of mobile devices have vastly increased the attack surface. In this scenario, inline-only security tools are not sufficient. Certificate pinning, encrypted traffic, and app-specific behaviors often block inline inspection tools from seeing or controlling what’s happening in your cloud environment. Versa’s recently introduced API-based CASB (Cloud Access Security Broker) with integrated Data Protection (API-DP) helps address these scenarios.

The Way Your CASB Is Deployed Matters: Why Inline CASB Alone Is Insufficient

Not all CASBs work the same way. Two common deployment models—inline and API-based—approach cloud security from different angles, each with its own strengths.

Inline CASB sits directly in the data path, intercepting traffic between users and cloud services. This real-time enforcement is especially useful for blocking risky behaviors on the spot, like blocking the upload of sensitive files to unauthorized apps or preventing the download of suspicious files.

However, modern internet and cloud technologies can present a challenge:

  • Certificate Pinning: Apps like Microsoft 365 and Salesforce are configured to trust only specific certificates. When an inline CASB attempts to intercept traffic using its own certificate, the connection is blocked, preventing visibility and policy enforcement.
  • Encrypted Traffic: According to Google’s Transparency Report, over 95% of web traffic is encrypted. Without full decryption capabilities, inline tools can’t inspect most of what’s going on.
  • Mobile Devices and BYOD: 63% of traffic now comes from mobile devices, making TLS interception even more difficult, especially on unmanaged endpoints.
  • App Behavior: Many modern apps use native clients with built-in security that can’t be intercepted or inspected by an inline CASB.

The result? Security blind spots that attackers can exploit and sensitive data that may leave your environment unnoticed.

API-Based CASB: Cloud-Native Visibility and Control

When inline tools lack visibility, API-based CASB can help.

API-based CASB works by connecting directly to cloud services like Microsoft 365 via their native APIs. Instead of sitting in the line of traffic, it is deployed “out-of-band” and scans activity and data at rest—things like file sharing permissions, user behavior, and configuration settings. It’s great for continuous visibility and catching issues when inline tools can’t be deployed, like files already shared externally or dormant threats in cloud storage.

Versa’s API-based CASB overcomes these challenges by integrating directly with cloud applications using their native APIs. This approach offers full visibility into user actions and data—without breaking encryption or relying on inline traffic inspection.

Here’s how it works:

  • Versa API-CASB registers as a trusted application within platforms like Office 365, Google Workspace, Box, AWS, and more.
  • It reads and controls data directly at the app layer, inspecting content and user behavior without intercepting traffic.
  • It can enforce policies retroactively, scanning data-at-rest that was uploaded even before API-DP was enabled.
  • It also supports offline scanning using DLP, Advanced Threat Protection (ATP), and sandboxing engines.

This provides remediation, policy enforcement, and continuous monitoring embedded into your environment.

Real-World Use Cases: Going Beyond Visibility

Securing cloud apps requires more than one approach, so organizations should deploy a combination of inline and API-based CASB methods. Inline CASB is great for real-time enforcement, such as scanning and controlling traffic as it flows between users and cloud services. API-based CASB is more adept at monitoring and remediating data and configurations at rest. Together, they offer comprehensive visibility and control over cloud usage.

Here are some common use cases that show how inline and API-based CASB work to secure data, users, and applications:

1. Data Loss Prevention (DLP)

Prevent sensitive information—like PII, credit card numbers, or confidential documents—from being uploaded or shared in cloud environments like Box, GDrive, or AWS S3.

Example:

  • Inline: Block uploads of sensitive documents to Box in real time.
  • API: Scan existing content in Box and redact any sensitive content.
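The API-side case above (scan content already at rest, redact what is sensitive, and treat externally shared files more strictly) can be sketched as follows. This is an added example, not Versa's code or API: the inventory records, field names, and action labels are constructed for illustration, and in a real deployment the records would come from the SaaS provider's own API.

```python
import re

# Constructed inventory; the field names are assumptions, not any vendor's schema.
CORP_DOMAIN = "example.com"
INVENTORY = [
    {"id": "f1", "shared_with": ["ap@example.com", "vendor@partner.test"],
     "text": "Card on file: 4111 1111 1111 1111, exp 09/27"},
    {"id": "f2", "shared_with": ["dev@example.com"],
     "text": "Tracking id 1234 5678 9012 3456 (not a card)"},
    {"id": "f3", "shared_with": ["anyone-with-link"],
     "text": "Refund to 5500-0000-0000-0004 approved"},
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(text):
    """Mask Luhn-valid numbers except the last four digits; return (text, hit count)."""
    hits = 0
    def mask(m):
        nonlocal hits
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()          # leave look-alike numbers untouched
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text), hits

def is_external(shared_with):
    """True if any grantee is outside the corporate domain (including public links)."""
    return any(not p.endswith("@" + CORP_DOMAIN) for p in shared_with)

def scan(inventory):
    """Out-of-band pass over data at rest; returns proposed remediations."""
    findings = []
    for f in inventory:
        clean, hits = redact(f["text"])
        if hits:
            action = "redact+revoke_external_share" if is_external(f["shared_with"]) else "redact"
            findings.append({"id": f["id"], "hits": hits, "action": action, "redacted": clean})
    return findings
```

The Luhn check is what keeps the 16-digit tracking id in `f2` from being reported as a card number.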

2. Threat Protection for Files and Storage

Scan file uploads for malware and zero-day threats using ATP and sandboxing. Even historical files in Dropbox, GCP, or AWS S3 can be scanned retroactively.

Example:

  • Inline: Block the upload of malicious documents to Dropbox.
  • API: Retroactively scan files in OneDrive to identify threats introduced from file sharing.

3. Granular SaaS Policy Enforcement

Get fine-tuned control over specific app behaviors.

Example:

  • Inline: Restrict users from joining public Slack channels with their corporate account.
  • API: Delete unauthorized comments or shared content in Box posted by certain user groups.

4. Legal and Compliance Actions

Apply legal holds to files for regulatory needs. Enable forensic logging and maintain audit trails for investigations and compliance.

API Examples:

  • Apply legal holds to specific files in cloud repositories for eDiscovery or audits.
  • Record detailed forensic logging and long-term audit trails to ensure compliance with regulations like HIPAA, GDPR, or FINRA.

5. Shadow IT and Account Takeover Detection

Stop the use of unsanctioned apps and limit loss from account takeovers.

Example:

  • Inline: Detect and block access to unsanctioned communication apps (e.g. Slack, Teams, etc.) in real time.
  • API: Log users out of Slack if abnormal or suspicious behavior is detected.

Deep Ecosystem Support

Versa’s CASB API-DP supports over 80 cloud applications, including:

  • SaaS: Office 365, G Suite, Box, Slack, Salesforce, Dropbox
  • IaaS/PaaS: AWS S3, Azure Blob, GCP Object Storage
  • Productivity tools: Teams, Zoom, Jira, Confluence

The platform is constantly updated with new connectors, policies, and scanning capabilities—ensuring you stay protected as your cloud usage evolves.

Conclusion

As certificate pinning, encrypted traffic, and mobile-first app design continue to reshape how users interact with the cloud, API-CASB is a critical layer in defending against SaaS data breaches, insider threats, and shadow IT. Versa’s API-CASB in its Universal SASE platform gives organizations a centralized, scalable, and data-aware security posture across all SaaS applications.

With continuous monitoring, granular policy enforcement, and deep SaaS context, Versa API-CASB helps enterprises meet compliance mandates and mitigate modern SaaS risks—without compromise.
