I'm studying for the CCSP exam and I'm a little confused on why outsourcing access controls to a third party CASB would be appropriate. Could someone please explain the rationale there (and ideally perhaps a use case)?
It seems like, if anything, access control is the ONE thing that organizations would prefer to manage locally since it's such a sensitive and powerful thing.
One of the main reasons to utilize a third-party CASB, or any third-party provider, would be to ensure the offering is done "right." In this case, a CASB would have the necessary resources to supply IAM services or other monitoring (depending on the provider) that does it BETTER than you would yourself.
Let's say, you have three members on your team, and none of them have the necessary experience or the knowledge to implement IAM services "correctly" and "securely," utilizing a third-party can provide you confidence that is being done. Of course, that depends on your SLA/Contract.
Stick to what you know, and do well, rather than try to implement a control or mechanism yourself.
