Why CASB might not be the right fit for securing your Salesforce?


It’s estimated that nearly half of all breaches today involve attackers exploiting cloud infrastructures.  The last few years have seen major incidents of this nature, such as breaches at Facebook and Kaseya.

Given the growing number of threats targeting such infrastructures, cloud must always be at the top of your cybersecurity agenda. And with over 150,000 organisations relying on Salesforce for their CRM  needs, the platform should have a prominent place in cloud security strategies. 

In a hybrid, multi-cloud world, it is critical to maintain visibility across key points of your infrastructure, as well as receiving prompt threat alerts and being prepared to act on them quickly. 

However, finding the right solution can be challenging. The cloud security market is crowded, and specific platforms, like Salesforce, are best protected by specialist solutions designed for the job.  

Cloud Access Security Broker (CASB) is a common choice for most cloud security needs. A traditional CASB is an intermediary between users and cloud service providers, helping with compliance and data protection. 

While useful tools, CASBs can present issues. They are often complex, draining time and resources to manage. In addition, their positioning, between the user and the cloud, can lead to security and performance problems. 

First, here’s an overview of the key differences:

WithSecure™ Cloud Protection for SalesforceCASB solutions

Real-time protection against advanced cyber threats

  • Scans files in real-time upon upload and download
  • Click-time URL protection
  • On-demand and automated environment scans
  • Native integration with Salesforce platform offers seamless protection
  • Protects users regardless of the device used, including BYOD

Real-time protection against advanced cyber threats

  • CASB solutions are not primarily built for advanced threat protection
  • Often only scan files once; often provide no scanning upon download, providing no protection over malicious payloads
  • Many rely on periodic scans or batch processing, causing delays in detections
  • API-based integration can cause time lag between identifying and blocking threats
  • Often offer no protection against malicious URLs
  • Requires the company to set user / device policies and configure the solution


  • Real-time visibility into cloud data and content interactions (what, who, when, where)
  • Full audit trails for threat hunting and forensics


  • May not have the same level of granularity as a natively integrated solution
  • Can provide visibility into broader set of cloud apps
  • Tracking interactions with the specific file is impossible

Operational efficiency and cost-effectiveness

  • Deployment is quick and easy with a click-and-go process in just minutes
  • Instantly protects business-critical platforms without the need for mapping out a long-term security strategy
  • User-friendly interface with familiar Salesforce controls; minimal training required for administrators
  • Maintenance is simple and highly automated, resulting in low total cost of ownership (TCO)
  • Managed directly from the Salesforce portal
  • Integrates with workflows, alerts, and metadata to SIEM and other third-party systems
  • Scanning is fast with minimal impact on performance
  • Usage-based licensing; you pay for what you use
  • No additional Salesforce licensing costs; doesn't consume Salesforce APIs

Operational efficiency and cost-effectiveness

  • Complex, time-consuming, and costly deployment with configurations that require expertise
  • Requires understanding of cloud applications
  • Separate management portal is necessary
  • Complex license agreements with potential for paying for unused features
  • Latency and performance overhead due to all traffic passing through the CASB
  • May not integrate well with existing security solutions and technologies
  • Consumes Salesforce API calls

Data integrity and confidentiality

  • The solution runs within Salesforce platform
  • Your data stays securely stored in Salesforce cloud

Data integrity and confidentiality

  • CASB is positioned between user and cloud service
  • CASB solutions use forward or reverse proxy mechanism
  • Risk of compromised encryption of files during transit
  • CASB may break encryption to inspect data exchanges

Now let’s go a bit deeper:

CASBs provide useful features that are particularly valuable for: cloud environment assessment, user behavioural control, and policy regulation. However, they are not built primarily for active threat protection, so enterprises relying on CASBs for cloud security will lack the real-time protection which is  critical against more advanced threats.

Many CASB solutions rely on periodic scans or batch processing and, often, only scan a file or link once. This leads to dangerous delays in identifying threats, and leaving the system vulnerable to multi-stage attacks or links, that are changed, after initial delivery, to become malicious. CASBs also lack sandboxing capabilities, so they can’t perform in-depth heuristic analysis for files. 

Further, you will typically need to set use and device policies, configuring the solution to match, which means there is no protection for external or BYOD users – a big issue if you collaborate with partners through Salesforce.  

In comparison, ‘WithSecure™️ Cloud Protection for Salesforce’ provides, by conducting real-time scans of all files upon both upload and download, comprehensive protection against malware threats. It  also offers click-time URL protection, with links being scanned both when they are uploaded and when a user clicks them to detect any changes.

You can initiate on-demand and automated scans for your entire environment and cover all users regardless of their devices. 


Alongside their features, CASBs are designed to provide comprehensive visibility into cloud services and secure multiple cloud applications. But they likely don't have the same level of granularity as a natively integrated solution. Tracking interactions, with the specific file, is impossible if you encounter an incident.

WithSecure™️ Cloud Protection for Salesforce provides comprehensive, real-time visibility into data on your platform, including the ability to track interactions with content. This gives you the “who, what, when, and where”, allowing you to understand exactly what has happened, and what you should do next. It also offers comprehensive Salesforce-native analytics capabilities, as well as full audit trails for efficient threat hunting and forensic investigations – ideal for meeting regulatory compliance demands.

Operational efficiency and cost-effectiveness

Complexity is another common issue with traditional CASB solutions. They are often complex to deploy, requiring time, expertise, and significant cost to become fully operational. Managing the solution and its integrations can be resource-intensive and requires specialist skills and knowledge, driving up costs and hitting your ROI.

Further, the way these solutions are positioned, between the user and the cloud environment, can cause detection latency and performance overhead issues. 

Integration with existing systems can also be an issue, especially if you hope to use one CASB across your Salesforce and other cloud environments. You'll often need to use a separate portal for management that is not connected to your other tools . Further, one CASB may not cover all your platforms in any case, necessitating multiple CASBs from different vendors.

In contrast, WithSecure™️ Cloud Protection for Salesforce was designed to function as a native application that blends seamlessly into your Salesforce environment. A user-friendly interface and familiar controls require minimal training for administrators. Maintaining it is a breeze, with high automation and no extra portals, leading to a low cost of ownership. 

Integrating workflows, alerts, and metadata with Security information and event management (SIEM) and other third-party systems is simple and easy, scanning rapidly without sacrificing performance. Licensing is also based on usage, with no additional Salesforce licensing fees or API consumption.

With a click-and-go approach to deployment, you can be up and running in mere minutes. A user-friendly interface means  with familiar and straightforward Salesforce controls means you don't need specialist skills or training. 

Data confidentiality and integrity

As well as issues with advanced threat detection, CASBs can inadvertently expose businesses to other security problems. These solutions typically sit between the user and cloud service, leading to potential security risks, such as compromised file encryption during transit.

WithSecure™️ Cloud Protection for Salesforce avoids this issue by running within the Salesforce platform, ensuring that your data remains securely stored within the environment.

Find out what WithSecure™ Cloud Protection for Salesforce can do for you

CASBs are valuable tools that will go a long way in keeping your cloud environments secure and compliant. But when it comes to taking strong preventive measures and gaining more granular visibility,   WithSecure™ Cloud Protection for Salesforce offers a fast, user-friendly, and cost-effective solution, that natively integrates into your Salesforce environment. 

You get real-time protection against advanced cyber threats such as sophisticated malware, ransomware, and phishing attacks providing comprehensive granular visibility into your content security status. 

There is no tedious implementation period; you can achieve instant value with our click-and-go deployment. Why not head over to AppExchange for a test drive now?

Interested learning more

pluggin the gabs

What is Cloud Protection for Salesforce


How Cloud Protection for Salesforce Works

Secure your Salesforce today.

Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.

Fill the form and get:

  • Free 15-day trial
  • Personalized Salesforce security risk assessment report
  • Demo and a solution consultation
  • Support from our dedicated experts with setup and configurations