Understanding CASB’s role across the network edge

By /
Chart showing how Netskope, Microsoft, Zscaler, Skyhigh Secuiry and Palo Alto Networks integrate CASB into theiir SASE offerings

A cloud access security broker (CASB) is a security solution that sits between cloud consumers and cloud service providers and enforces security policies. A CASB is an umbrella term for a suite of functionality, including malware detection, data loss prevention (DLP), authentication, credential mapping, and shadow IT control, all bundled together by a vendor to secure cloud access, and offered as either a cloud-hosted service or an on-premise software package or hardware appliance. It acts as an intermediary, managing a range of security policies and interjecting them along the way as users access cloud-based resources.

The phrase was coined by Gartner, which describes a CSAB as, “consolidat[ing] multiple types of security policy enforcement.”

Key benefits of CASBs

CASBs have emerged as an important tool in the era of cloud computing and remote work, as organizations need visibility into what’s happening in their clouds, numerous software-as-a-service (SaaS) applications, and managed and unmanaged devices. 

CASBs can provide the following: 

  • Greater control over cloud usage: IT leaders can see what’s happening in their cloud environments, allowing them to control and limit access based on user status, location, or device. 
  • Threat prevention: CASBs can detect unusual behavior, compromised credentials, or rogue applications. They can identify risk in app use and remediate potential threats. 
  • Data loss prevention: Enterprises can prevent unauthorized sharing of important data such as customers’ or employees’ personally identifiable information (PII), proprietary data, financials, or other sensitive materials. 
  • Shadow IT and shadow AI management: Particularly as employees use AI to improve their workflows, CASBs can identify and govern sanctioned and unsanctioned use of certain apps and platforms. They can also control risky file sharing. 
  • Risk visibility: CASBs allow enterprises to see how apps are accessed and used, and adjust their security measures accordingly. 
  • SaaS misconfiguration remediation: Cloud apps aren’t always configured correctly, which can inadvertently expose sensitive data. CASBs can help determine if apps need to be reconfigured. 

Also, as the cybersecurity landscape continues to rapidly evolve, CASBs are increasingly being integrated into broader frameworks like secure access service edge (SASE) and (security service edge (SSE). 

The SASE model gaining traction because it addresses the complexity of modern, distributed workforces and cloud-first environments. CASB, along with other critical security functions like Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), and Zero Trust Network Access (ZTNA), are all converging under the SASE umbrella.

5 things you need to know about CASB and SASE

  • CASB is a core component of SASE:
    Think of SASE (Secure Access Service Edge) as a comprehensive security and networking framework delivered from the cloud. CASB is not a competitor to SASE; rather, it’s one of the foundational security services that makes up a complete SASE architecture.
  • SASE extends CASB’s reach:
    While CASBs traditionally focus on securing access to cloud applications and data, SASE integrates it with other network and security functions (like SWG, Firewall-as-a-Ssrvice and ZTNA. This means CASB’s benefits are now part of a unified solution that secures all traffic, not just cloud-bound, from any user, device or location.
  • It’s about convergence, not replacement:
    The trend isn’t that SASE replaces CASB, but that CASB capabilities are converged and delivered more efficiently within a single, cloud-native SASE platform. This simplifies management, reduces complexity and ensures consistent policy enforcement across the distributed enterprise.
  • Enhanced visibility and control for the distributed workforce:
    In a SASE model, CASB’s capability to discover Shadow IT/AI, prevent data loss (DLP) and provide granular control over cloud app usage becomes even more powerful. It ensures that regardless of where an employee is working or what device they’re using, their interactions with cloud services are secure and compliant within the broader SASE framework.
  • Seamless security and performance:
    By integrating CASB functionality into a SASE platform, organizations can achieve both robustsecurity and optimized network performance. The combined solution eliminates the need for backhauling traffic to a central data center for security inspection, allowing direct and secure access to cloud resources.

    • 4 pillars of CASBs

    Gartner defines four important CASB “pillars” as follows: 

    Visibility

    Enterprises need to be able to see what’s going on in their sprawling IT environments that extend across different clouds and devices both managed and unmanaged. CASBs allow enterprises to identify and assess the risk of cloud and shadow IT use. IT teams can see user, device and location information. 

    CASBs allow enterprises more flexibility over controls; they don’t have to take an “allow all” or “block everything” stance. IT departments have the ability to differentiate between useful and risky services and can specify the features or data that users can access within services. They can also adapt access based on a user’s location. 

    An added, non-security benefit is greater visibility into cloud spend. CASB can identify all cloud services in use, including redundancies, so that enterprises can cut back on unnecessary or duplicate expenditures. 

    Data security

    Data loss prevention (DLP) protects both data and data movement, whether it’s traveling to, from, or simply residing within a cloud. When enterprises know where their data is, they have the ability to control it. CASBs can prevent sensitive or confidential data from leaving company-controlled systems, whether maliciously or due to negligence. 

    Threat protection

    The exponential growth of the cloud has increased the attack surface, and security teams struggle to keep up with the barrage of alerts. A CASB platform powered with large-scale analytics, AI and machine learning (ML) can automate alerts and responses. 

    CASBs can get to know typical usage patterns to serve as comparison points and flag anything that comes up as anomalous or malicious, such as a user gaining improper access to a system or app they’ve never used before. CASBs incorporate adaptive access controls, malware detection, browser isolation, URL filtering, data packet inspection and detailed threat intelligence. 

    Compliance

    Cloud environments are spread out over a wide area that isn’t always under a company’s purview. This can make it difficult for organizations to keep up with certain data and safety regulations such as the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), HIPAA, or SOC 2, potentially opening them up to penalties and fines. CASBs can monitor for compliance to help ensure systems aren’t compromised. 

    How CASBs work 

    CASBs perform a three-part process: 

    • Auto discovery: The system identifies all cloud apps in use and employees using them. It then determines applications, users, and other elements that could put the organization at risk.
    • Classification: The CASB analyzes each app and its data and creates a risk factor based on cloud function, type of data and data use. 
    • Remediation: The CASB creates a policy specific to the enterprise’s security needs, then enforces user access policies and automatically acts if there is a violation. The system will encrypt data as it travels, enforce single-sign on (SSO) and react to suspicious activity based on past user behavior.

    Types of CASBs

    CASB platforms are typically offered as cloud services, but they can also be deployed on-premises. They can be set up to use a forward or reverse proxy (intermediary) server, application programming interface (API) or both (multimodal). 

    Proxy CASBs provide real-time traffic inspection and control, while API-based CASBs offer visibility into data at rest within cloud applications. Each approach has pros and cons depending on an organization’s specific security needs.

    Forward proxy

    Forward proxies typically sit closer to the user and intercept requests en route to the cloud. Tunneling architecture forwards traffic to the CASB, then to the cloud, and the CASB enforces security policies. 

    Reverse proxy

    Reverse proxies sit closer to the cloud, and direct traffic from the device requesting access to the cloud, then to the CASB, kicking off its security controls. 

    Advantages and disadvantages of proxy-based CASBs 

    One of the greatest advantages of proxy-based CASB is flexibility, as it operates on the data stream and can service practically any SaaS app. It is also typically agentless, meaning it uses existing infrastructure and controls and doesn’t require deployment of new software agents. 

    On the other hand, data can be viewed by the proxy service provider. This means that, even though connections and networks are encrypted, data can be leaked. Also, proxies can slow down network speed and can be complex to deploy and manage. 

    API CASBs

    Proxy CASB intercept data in motion, but enterprises need to be able to secure data at rest within cloud apps. This can be provided through integrations with a cloud service provider’s API. 

    Advantages and disadvantages of API CASBs

    One advantage of API CASB is that it doesn’t reroute traffic and thus has less of an impact on latency and user connectivity. It is also easier to deploy, scale, and integrate with existing infrastructure, and can be a more cost-effective option than proxy-based CASB tools. 

    At the same time, API CASBs may not provide real-time data protection; they depend on the cloud provider’s API access so may not cover all types of cloud traffic; and may deliver false positives. 

    Multimode CASBs

    Some CASBs are both proxy and API-based, making them a more comprehensive solution. Proxy enforces inline policy (for a user, group, or role) to prevent leakage and unauthorized access in real time, while API integrations scan SaaS content while data is not being actively used. 

    Key vendors, often recognized in Gartner’s Magic Quadrants and Forrester Waves, for CASB.

    IDG

    Drawbacks of CASBs and factors to consider 

    CASBs aren’t end-all-be-all tools, and they do bring these challenges:

    • They can be complex to deploy because they require specific expertise. Tools like log collectors and proxy auto-configs (PACs), which tell browsers when and where to use proxies, must be configured correctly. 
    • They can be expensive and time-consuming for IT teams.
    • They can be difficult to integrate with existing security policies. 
    • They can slow network performance. 

    This makes it important for enterprises to weigh the various options on the market. Important factors to consider when looking at vendors include: 

    • Strong mitigation methods and data privacy controls;  
    • Proper integration with existing security architecture to ensure full visibility; 
    • Ability to scale; 
    • Implementation time;
    • UI and ease of use 

    CASBs have become an important layer in enterprise security stacks, bridging the gap between users and cloud services. They serve as a watchdog and gatekeeper, offering strong visibility, control, and threat protection to help organizations manage cloud risk. 

    But while powerful, these platforms aren’t without challenges — complex deployment, potential performance hits, and integration hurdles make vendor evaluation critical. Choosing the right CASB means weighing usability and fit within a broader enterprise security ecosystem.

    Source:: Network World