Cato Networks went after shadow IT today with the introduction of cloud access security broker (CASB) functionality to its secure access service edge (SASE) platform.

The integration bolsters enterprise customer’s visibility and control over software-as-a-service (SaaS) applications — the majority of which are unsanctioned, Boaz Avigad, director of product marketing at Cato, told SDxCentral.

“Most of the applications are unsanctioned. There are almost a 1,000 unsanctioned applications on average in enterprises,” he said, citing a Track Resources report. “It’s a huge problem.”

Cato’s CASB is designed to combat this by generating reports of all the SaaS applications used by employees and alerting IT managers of unsanctioned and potentially dangerous applications.

“The simplest thing to do for an IT manager is say ‘if it's an unsanctioned application, and I didn't approve it, I'm just gonna block it. You can't use it anymore.’ But obviously, that's not realistic,” Avigad said.

CASB not only provides enterprises a tool to spotlight unsanctioned applications, but it also takes targeted action to block those that pose a legitimate security risk. This ability, Avigad admits, isn’t unique to Cato. “CASB has been around. We didn’t invent it.”

However, unlike traditional standalone CASB products, Cato’s is significantly easier to deploy, he argued.

“When you look at a traditional CASB project, it’s about mapping. We need to map all the endpoints. We need to understand who’s connected, from where, if it’s remote users and laptops, if it’s in a headquarters or a branch office, and then I need a log collector somewhere,” Avigad said. “CASB can be a daunting task for enterprises. We want to eliminate all of that.”

Because Cato’s CASB integrates directly into its existing SASE architecture, all of that functionality is deployed in its more than 70 points of presence (PoPs) globally.

All traffic connected to Cato’s network flows through these PoPs ensuring that any relevant data passes through Cato’s security stack, including the CASB.

“We are the network … we see all the traffic,” Avigad boasted. “We already have CASB running for all of customers, it just requires enabling that license.”

While Cato’s CASB functionality is now available as part of its SASE offering, certain functionality, including API hooks and data loss prevention (DLP) won’t arrive until later this year.

Cato decided to hold off on rolling out API-based CASB functionality because of the limited subset of applications with API integrations, according to Avigad.

In the two years since Cato Networks adopted the SASE sigil, the vendor has steadily introduced new functionality including integrated managed detection and response and now CASB.

The company has also expanded beyond a self-serve SaaS model to incorporate channel partners and managed service providers, which now total more than 100, according to Niv Barzilay, director of channel marketing at Cato.

This has dramatically expanded the company’s addressable market, which has nearly doubled in the year since it announced its first collaboration with KDDI Global almost a year ago. The company now claims more than 1,100 customers.

Cato last week announced its latest expansion in partnership with Netherlands-based service provider Expereo, which provides a number of SD-WAN, cloud-security, and networking services, including last-mile connectivity to more than 190 countries.