What Is a CASB? [Definition & explanation]

What is a CASB?

A Cloud Access Security Broker (CASB) is a security policy enforcement point between users and cloud services that provides visibility, compliance, data security, and threat protection across the cloud apps and services an organization uses.

CASB tools address the security gaps created by cloud app sprawl, shadow IT, inconsistent security policy across cloud services, and lack of visibility into SaaS data flows. The CASB category was defined by Gartner and is now considered a core component of cloud security and secure access service edge (SASE) architectures.

Cisco CASB security

The four pillars of CASB

Gartner defines CASB through four pillars that map to the security functions enterprises need across their cloud services. Most CASB tools deliver capabilities in all four areas; the depth of each capability varies by vendor.

PillarWhat it coversTypical capability
VisibilityDiscovering all cloud services in use, including unsanctioned (shadow IT)Cloud app discovery, usage analytics, risk scoring
ComplianceEnforcing data and access policy aligned with regulatory requirementsCompliance reporting, policy templates, audit logging
Data securityProtecting data at rest in cloud services and in transitData loss prevention, encryption, tokenization
Threat protectionDetecting and blocking threats targeting cloud servicesAnomaly detection, malware scanning, account compromise detection

The four pillars work together. Visibility identifies what cloud services are in use; compliance enforces policy on those services; data security protects the information flowing through them; and threat protection blocks attacks against the services and the users accessing them. 

Why CASB

Why do I need a CASB?

Organizations adopt cloud applications faster than security teams can audit them. Each cloud app introduces a new entry point into the corporate environment, a new place where sensitive data can flow, and a new authentication surface for attackers to target. Without continuous visibility into cloud app usage, security teams cannot enforce consistent policy across their cloud footprint. A CASB addresses this gap by sitting between users and the cloud services they access. It monitors user behavior, enforces data security policy, and surfaces unauthorized cloud app usage (shadow IT) before it becomes a breach. 

What does a CASB do?

A CASB sits between users and cloud platforms and serves as a central policy enforcement point. It applies an organization's security policies to user behavior, data movement, and authentication across cloud apps and services. CASB tools enforce policy whether the cloud service is sanctioned (officially deployed), tolerated (used but not centrally managed), or unsanctioned (shadow IT). 

Should I be worried about my users using cloud applications?

Cloud applications are essential to how organizations operate today. The risk is not in cloud adoption itself - it is in the lack of visibility and control over how cloud apps are used and what data flows through them. A CASB provides the visibility and policy enforcement needed to use cloud applications securely. 

Is a CASB all I need for cloud security?

A CASB is one component of a complete cloud security program, not the entire program. Cloud security requires a layered approach that includes endpoint security, secure web gateways, public cloud monitoring, and next-generation firewall capabilities. A CASB addresses a specific layer - user-and-app cloud access - and works alongside the other components. 

CASB and DLP

What is the difference between CASB and DLP?

Data loss prevention (DLP) tools focus on protecting data against unauthorized exfiltration. They enforce policies that protect data inline in real time and out-of-band at rest. CASB and DLP integrate naturally: CASB extends DLP enforcement into cloud services and SaaS apps where traditional DLP tools do not reach. Most enterprise CASB deployments include DLP capabilities or integrate with an existing DLP solution. 

Is CASB the same as SASE?

CASB is one component of a broader secure access service edge (SASE) architecture, not the entire architecture. CASB protects user-and-app cloud access. SASE converges networking and security functions in the cloud - including CASB capabilities, secure web gateway, zero-trust network access, firewall as a service, and SD-WAN - to deliver consistent security across distributed users and applications. CASB is part of SASE; SASE is broader than CASB.

SSE and CASB

How is SSE connected to CASB?

Security service edge (SSE) is the cloud-delivered security portion of a SASE architecture. SSE includes CASB along with secure web gateway (SWG), zero-trust network access (ZTNA), firewall as a service (FWaaS), DNS security, remote browser isolation (RBI), and other security services delivered as a unified cloud service. 

Cisco Secure Access is Cisco's SSE solution. It applies zero-trust principles and granular security policy across the security services it includes - combining CASB capabilities with the broader SSE security stack in a single cloud-delivered solution. 

Choosing a CASB

Main considerations when choosing a CASB

Three areas drive most CASB evaluations: user security, data security, and app security. The right CASB for an organization depends on which of these areas needs the most depth and how the CASB integrates with existing security infrastructure. 

User security

Visibility. In organizations with thousands of users accessing dozens of cloud apps, visibility is the foundation of user security. A CASB must surface user activity across all SaaS applications in use - not just the sanctioned ones. Shadow IT visibility is often the first signal of where security policy is not being enforced. 

Threat protection. Visibility alone is not enough. A CASB applies analytics and machine learning to user behavior data to detect compromised accounts, unauthorized access, and anomalous activity. Automated threat detection scales user security in environments where manual alert triage cannot keep pace with cloud app activity. 

Data security

Control. The first step in data security is restricting access to information employees do not need for their roles. Once attackers gain access to a network, they move laterally to find sensitive data - limiting access points reduces the attack surface.

Visibility. Sensitive data flows across cloud services constantly. A CASB provides continuous visibility into where sensitive data lives, who accesses it, and how it moves between cloud services. This telemetry tells security teams where data security policy needs to be enforced. 

App security

Discover. Most organizations underestimate the number of cloud apps their users access. A CASB discovers third-party connected apps and surfaces which ones have access to corporate data. 

Classify. Once an app is discovered, the CASB classifies it: what does it do, what data does it access, and how risky is it? CASB tools draw on community trust ratings and vendor risk assessments to classify cloud apps consistently. 

Disable risky apps. Apps classified as risky should be disabled or restricted. Apps classified as safe and beneficial can remain in use, with CASB monitoring their behavior continuously. This balance - enabling productivity while restricting risk - is the core operating model of a CASB. 

Common questions about CASB

A Cloud Access Security Broker (CASB) is a security policy enforcement point between users and cloud services that provides visibility, compliance, data security, and threat protection across the cloud apps an organization uses. The CASB category was defined by Gartner and is a core component of cloud security and SASE architectures.

The four pillars of CASB are visibility (discovering all cloud services in use), compliance (enforcing regulatory and data policy), data security (protecting data at rest and in transit), and threat protection (detecting and blocking attacks targeting cloud services). The pillars were defined by Gartner and structure how most CASB vendors organize their capabilities.

CASB is one of the security services within a SASE architecture, alongside secure web gateway, zero-trust network access, firewall as a service, and SD-WAN. CASB specifically addresses user-and-app cloud access, while SASE converges networking and security across the broader distributed environment.

A CASB controls how users access cloud applications and SaaS services, focusing on the application layer. A secure web gateway (SWG) controls outbound web traffic, focusing on the network layer. CASB and SWG complement each other and are often deployed together in modern SSE solutions.

CASB is one of the security services within an SSE solution, so an SSE that includes full CASB capabilities can replace a standalone CASB tool. Whether your SSE provides full CASB coverage depends on the depth of its visibility, compliance, data security, and threat protection capabilities. Comparing your SSE against the four CASB pillars is the most direct way to evaluate CASB coverage.