What is a Cloud Access Security Broker? CASB explained

November 5, 2020  |  Ericka Chickowski

This blog was written by a third party author.

What is a Cloud Access Security Broker (CASB)?

A common component of modern cybersecurity infrastructure, a cloud access security broker (CASB) is technology that provides monitoring and mitigates risks from employee use of cloud services. CASBs were initially developed to fill a gap in cloud security visibility left behind by traditional firewalls, next-generation firewalls, and early secure web gateways, which struggled to identify instances of the unapproved use of cloud services, otherwise known as shadow IT or rogue IT.

Since then, CASB has evolved into a fully featured cloud governance control that can both monitor and manage which cloud services employees use and how they use them, whether they're connecting from the corporate network or remotely. According to Gartner, in spite of slowing spending growth across the security industry, organizations have bolstered their CASB spending by 33% in 2020 as the category "has entered the mainstream," posting the largest increase of any information security market.

The benefits CASB provides

Industry experts say that the features and benefits of CASB tend to cluster around four major areas: visibility, compliance, data security, and threat protection. These are what Gartner analysts first coined as the four pillars of CASB.

CASB provides insight, alerting, and reporting into inbound and outbound cloud activity. This includes visibility into which cloud services are being used, who is using them, what content is being sent and stored in the cloud, and whether security policies are being followed in the process.

Beyond basic behavioral visibility, CASB gives risk and compliance personnel granular reporting that makes it possible to track how regulated data is stored across various cloud services. The level of detail makes it easier to prove to auditors whether cloud data handling and encryption practices for personally identifiable information (PII) meet compliance requirements for regulations like PCI DSS and HIPAA.

Data security
Reporting is just one component of the data privacy and security role that CASB plays. It can also enforce a range of data security policies. This includes access control based on contextual variables like role, device type, device protection status, geography, and more. CASB can extend data loss prevention (DLP) controls across the cloud and restrict sharing of certain classes of data across all cloud stores or certain providers. In addition, CASB can be configured to enforce encryption or tokenization practices and support enhanced authentication practices and integration with technology like single sign on (SSO) and identity and access management (IAM) platforms.

Threat protection
CASB provides controls and integration with other security products to protect organizational data from both insiders and external threats. A key part of this is behavioral-based activity monitoring to block and alert suspicious activity that could indicate negligent or malicious insiders or potentially compromised accounts. Additionally, many CASBs can analyze for and block malware in cloud resources.

Where can a CASB be deployed?

CASB deployments can vary greatly, with the category offering a range of possibilities for monitoring and enforcement usage from:

  • Inside the network
  • Remote work connections
  • Cloud-to-cloud connections

Visibility and controls are applied through the use of technology like reverse and forwarding proxies, as well as APIs and sometimes SIEM log collection.

CASB vs secure web gateway

CASBs and secure web gateways are two technologies that can be frequently confused with one another because there is some degree of overlap depending upon product capabilities and options offered by vendors.

In its purest sense a secure web gateway filters and inspects outbound user traffic to protect user machines from malicious sites and keep them accessing content according to corporate policies. Control and policy spans across a full range of web and web-app based activity, and it is particularly focused on blocking cyber threats and filtering out malicious web traffic.

Meanwhile, CASB provides more comprehensive and granular control over how a user interacts with cloud-based services. This includes management of what data can be shared on a service, role-based access controls, and enforcement of policies such as encryption requirements for sensitive data.

The two technologies tend to work best together, and indeed some secure web gateway services today now offer CASB options and integrations to extend their functionality across cloud use cases.


Secure access service edge (SASE) is the latest analyst term to describe the integration of transformative cloud security and networking capabilities that leverages new models of software-defined networking and cloud-native architectures. CASB is a part of the SASE model, as are technologies like SD-WAN, WAN optimization, and cloud security web gateways.

Can CASB be offered as a service?

The earliest CASBs were solely offered as appliances meant to be deployed at the network edge, but today much of the CASB market is cloud-native and provided via as-a-service delivery models.

Share this with others