CASB

Cloud Access Security Broker

Updated Feb 2025

The Cloud Access Security Broker exists because the average enterprise has lost visibility into where its data lives. With over 1,000 SaaS applications in use at a typical midsize organization — and IT sanctioning perhaps 100 of them — the other 900 represent an uncontrolled data sprawl that traditional perimeter security cannot see, let alone govern. CASB brings that visibility back by sitting between users and cloud applications, discovering every SaaS service in use, assessing risk, and enforcing data protection policies.

CASB operates in two fundamentally different modes that serve complementary purposes. Inline CASB, sometimes called forward-proxy CASB, inspects traffic in real time as users interact with cloud applications, enabling block, allow, coach, and restrict actions on the fly. API CASB, sometimes called out-of-band CASB, connects directly to sanctioned SaaS applications through their APIs to scan data at rest — files stored in OneDrive, emails in Exchange Online, records in Salesforce — and retroactively apply classification, DLP, and sharing controls. A complete CASB strategy requires both modes because each has blind spots the other covers.

The strategic value of CASB extends beyond security into governance and compliance. CASB provides the visibility layer that answers questions auditors and regulators increasingly ask: what cloud services process our customer data? Who has access to shared files containing PII? Are OAuth tokens granting third-party apps excessive permissions to our corporate M365 tenant? Without CASB, answering these questions requires manual surveys and guesswork. With CASB, the answers are continuous, automated, and auditable.
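The two audit questions above (who can reach PII-bearing files, and which third-party apps hold broad permissions) can be answered from an API-mode inventory. This is an added example, not code from the page or any vendor; it runs over a constructed snapshot of files and OAuth grants, and the sharing levels, scope names and PII patterns are assumptions.

```python
# API-mode CASB checks over a constructed tenant snapshot (added example; format assumed).
import re

# Constructed inventory as an API CASB might pull it from the SaaS provider.
FILES = [
    {"path": "/Finance/payroll.xlsx", "sharing": "anyone_with_link",
     "content": "SSN 123-45-6789 John Doe"},
    {"path": "/Sales/deck.pptx", "sharing": "org_wide", "content": "Q1 roadmap"},
    {"path": "/HR/applicants.csv", "sharing": "external_users",
     "content": "jane@example.test, 987-65-4321"},
    {"path": "/Eng/notes.md", "sharing": "owner_only", "content": "SSN 111-22-3333"},
]
# Constructed third-party OAuth grants against the tenant (scope names assumed).
OAUTH_GRANTS = [
    {"app": "CalendarSync", "scopes": {"Calendars.Read", "User.Read"}, "users": 120},
    {"app": "QuickPDF", "scopes": {"Files.ReadWrite.All", "Mail.Read", "User.Read"}, "users": 3},
]

# Minimal DLP classifiers; production CASBs use far richer identifiers and validation.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
EXTERNAL_SHARING = {"anyone_with_link", "external_users"}
# Scopes that let an app read or change data tenant-wide, not just the consenting user's (assumed list).
BROAD_SCOPES = {"Files.ReadWrite.All", "Files.Read.All", "Mail.Read", "Directory.ReadWrite.All"}

def classify_file(f):
    """Sorted list of PII types found in the file's content."""
    return sorted(k for k, p in PII_PATTERNS.items() if p.search(f["content"]))

def overshared_pii(files):
    """Paths of PII-bearing files whose sharing setting reaches outside the organization."""
    return [f["path"] for f in files
            if classify_file(f) and f["sharing"] in EXTERNAL_SHARING]

def excessive_grants(grants):
    """Apps holding broad scopes, mapped to the broad scopes they hold."""
    return {g["app"]: sorted(g["scopes"] & BROAD_SCOPES)
            for g in grants if g["scopes"] & BROAD_SCOPES}
```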

What it does

A Cloud Access Security Broker is a security policy enforcement point positioned between enterprise users and cloud service providers. It provides four things: visibility into cloud application usage; data protection for information stored in and transiting through SaaS applications; threat protection against cloud-based attack vectors such as OAuth token abuse and account takeover; and compliance enforcement for regulatory requirements governing data residency, access control, and sharing. To discover shadow IT, CASB analyzes DNS queries, web traffic logs, and API connections to catalog every cloud service employees interact with. It assigns each service a risk score based on factors such as encryption standards, compliance certifications, data residency, and breach history, and gives administrators the data they need to make informed sanction-or-block decisions.
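Discovery and risk scoring as an added example (not code from the page or a vendor): it merges constructed DNS and SWG log lines into an inventory, scores unsanctioned services on the factors named above, and lists block candidates. The log formats, the sanctioned set, the catalog attributes and the scoring weights are assumptions.

```python
# Shadow IT discovery over constructed DNS/SWG logs (added example; formats and weights assumed).
import re
from collections import defaultdict

# Constructed DNS resolver and SWG proxy log lines (assumed formats).
DNS_LOG = """\
2025-02-03T09:12:07Z client=10.1.4.22 query=contoso-my.sharepoint.com
2025-02-03T09:13:44Z client=10.1.7.9 query=wetransfer-example.test
"""
SWG_LOG = """\
2025-02-03T09:15:10Z user=alice@corp.example host=pastebin-example.test bytes_out=48213
2025-02-03T09:15:41Z user=bob@corp.example host=contoso-my.sharepoint.com bytes_out=1200
2025-02-03T09:16:02Z user=bob@corp.example host=wetransfer-example.test bytes_out=9500000
"""
SANCTIONED = {"contoso-my.sharepoint.com"}  # IT-approved instances (assumed)
# Constructed risk attributes; a real CASB ships a vendor-maintained catalog.
CATALOG = {
    "wetransfer-example.test": {"tls": True, "soc2": False, "eu_residency": False, "breached": True},
    "pastebin-example.test": {"tls": True, "soc2": False, "eu_residency": False, "breached": False},
}

def risk_score(attrs):
    """0 (low) to 100 (high); missing tls/soc2/residency attributes count as absent."""
    score = 0 if attrs.get("tls") else 30            # encryption in transit
    score += 0 if attrs.get("soc2") else 25          # compliance certification
    score += 0 if attrs.get("eu_residency") else 15  # data residency
    score += 30 if attrs.get("breached") else 0      # breach history
    return score

def discover(dns_log, swg_log):
    """Merge both sources into {host: {sources, users, bytes_out, sanctioned, risk}}."""
    inv = defaultdict(lambda: {"sources": set(), "users": set(), "bytes_out": 0})
    for line in dns_log.splitlines():
        m = re.search(r"query=(\S+)", line)
        if m:
            inv[m.group(1)]["sources"].add("dns")
    for line in swg_log.splitlines():
        m = re.search(r"user=(\S+) host=(\S+) bytes_out=(\d+)", line)
        if m:
            rec = inv[m.group(2)]
            rec["sources"].add("swg")
            rec["users"].add(m.group(1))
            rec["bytes_out"] += int(m.group(3))
    for host, rec in inv.items():
        rec["sanctioned"] = host in SANCTIONED
        rec["risk"] = 0 if rec["sanctioned"] else risk_score(CATALOG.get(host, {}))
    return dict(inv)

def block_candidates(inv, high=60):
    """Unsanctioned, high-risk services that data actually left for."""
    return sorted(h for h, r in inv.items()
                  if not r["sanctioned"] and r["risk"] >= high and r["bytes_out"] > 0)
```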

How it works

Inline CASB operates as a component of the SWG traffic inspection pipeline. When the SWG decrypts HTTPS traffic destined for a cloud application, the CASB engine applies application-aware policies: it can distinguish between uploading a file to corporate OneDrive versus personal OneDrive, between viewing a Salesforce record versus exporting a report, or between posting in a sanctioned Slack workspace versus an external one. This granularity comes from deep API-level understanding of each SaaS application's URL structure and request patterns.

API CASB connects to sanctioned applications using OAuth tokens or service account credentials granted by the administrator. It then crawls data at rest — scanning every file in SharePoint, every message in Teams, every record in Salesforce — applying DLP classification, identifying overshared files, detecting anomalous sharing patterns, and flagging OAuth tokens that grant excessive permissions.

Shadow IT discovery aggregates signals from DNS logs, SWG traffic logs, endpoint telemetry, and cloud application API data to build a comprehensive catalog of every cloud service in the environment, updated continuously.
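The instance-aware distinction described above (corporate versus personal OneDrive, upload versus view) as an added example, not a vendor's application signature set: the host and path patterns, the tenant name, the "coach" semantics and the policy table are assumptions.

```python
# Inline CASB instance-aware policy (added example; host/path patterns are assumptions).
from dataclasses import dataclass

CORP_TENANT = "contoso"  # assumed corporate M365 tenant name

@dataclass
class Request:
    """Fields the SWG hands to the CASB engine after TLS decryption."""
    host: str
    method: str
    path: str
    user: str

def classify(req):
    """Return (app, instance, activity) from URL structure and request method."""
    if req.host == f"{CORP_TENANT}-my.sharepoint.com":
        app, instance = "onedrive", "corporate"
    elif req.host == "onedrive.live.com":
        app, instance = "onedrive", "personal"   # consumer OneDrive
    elif req.host.endswith("-my.sharepoint.com"):
        app, instance = "onedrive", "external"   # another organization's tenant
    else:
        return ("unknown", "unknown", "unknown")
    if req.method in ("PUT", "POST") and "/upload" in req.path:
        activity = "upload"
    elif req.method == "GET" and "/download" in req.path:
        activity = "download"
    else:
        activity = "view"
    return (app, instance, activity)

# Policy table: same app, same activity, different verdict per instance.
# "coach" (assumed semantics) shows the user a justification prompt, then allows.
POLICY = {
    ("onedrive", "corporate", "upload"): "allow",
    ("onedrive", "corporate", "download"): "allow",
    ("onedrive", "corporate", "view"): "allow",
    ("onedrive", "personal", "upload"): "block",
    ("onedrive", "personal", "download"): "coach",
    ("onedrive", "personal", "view"): "allow",
    ("onedrive", "external", "view"): "allow",
}

def decide(req, default="block"):
    """Look up the verdict; anything not explicitly listed falls to the default."""
    return POLICY.get(classify(req), default)
```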

Why it matters

When it first deploys CASB shadow IT discovery, the average enterprise finds 40-60% more cloud applications in use than IT was aware of. These undiscovered applications represent uncontrolled data exposure: employees uploading customer lists to free file-sharing services, developers pasting source code into AI coding assistants, sales teams exporting CRM data to personal cloud storage for use at their next job. CASB transforms this blind spot into governed, policy-controlled cloud usage. For compliance, CASB provides the evidence trail that demonstrates you know where regulated data resides in the cloud and that you have controls in place to prevent unauthorized sharing. For M&A due diligence, CASB scans can reveal data exposure in an acquisition target's SaaS environment before the deal closes. For insider threat programs, CASB's user behavior analytics detect anomalous patterns like a departing employee bulk-downloading files from SharePoint in their final two weeks.
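The departing-employee case as detection logic, added here as an example rather than a vendor's analytics: each user's download count on the latest day is compared against that user's own baseline over constructed API-CASB activity events. The event format, the window and the thresholds are assumptions.

```python
# Bulk-download anomaly detection over constructed activity events (added example).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity events: one "day=N user=U action=A" line per event.
# bob downloads a handful of files a day, then 40 on day 4.
EVENTS = """\
day=1 user=alice action=FileDownloaded
day=1 user=alice action=FileDownloaded
day=2 user=alice action=FileDownloaded
day=3 user=alice action=FileViewed
day=4 user=alice action=FileDownloaded
day=1 user=bob action=FileDownloaded
day=2 user=bob action=FileDownloaded
day=3 user=bob action=FileDownloaded
""" + "".join("day=4 user=bob action=FileDownloaded\n" for _ in range(40))

def daily_downloads(events, days):
    """Return {user: [download count for day 1 .. days]}."""
    counts = defaultdict(lambda: [0] * days)
    for line in events.splitlines():
        fields = dict(kv.split("=") for kv in line.split())
        if fields["action"] == "FileDownloaded":
            counts[fields["user"]][int(fields["day"]) - 1] += 1
    return dict(counts)

def anomalies(counts, min_abs=20, k=3.0):
    """Flag users whose latest-day downloads exceed their own baseline (mean + k*stdev).
    min_abs suppresses alerts for users whose baseline is near zero, where any
    activity would otherwise look like a spike."""
    out = {}
    for user, series in counts.items():
        baseline, today = series[:-1], series[-1]
        if len(baseline) < 2:          # not enough history to baseline
            continue
        threshold = mean(baseline) + k * pstdev(baseline)
        if today > threshold and today >= min_abs:
            out[user] = {"today": today, "threshold": round(threshold, 1)}
    return out
```

In production the baseline would be per-user over weeks, and the alert would be enriched with HR signals such as a submitted resignation.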

Watch out

The biggest gap in most CASB deployments is the unmanaged device problem. Inline CASB requires traffic to flow through the SWG, which means devices without the endpoint agent installed — personal laptops, contractor devices, mobile phones accessing SaaS apps through native mobile apps — bypass inline CASB entirely. API CASB covers data at rest regardless of how it was created, but cannot enforce real-time inline controls on unmanaged devices. Solutions include reverse-proxy CASB (which intercepts traffic at the application's authentication layer rather than at the endpoint), conditional access policies in the IdP that restrict unmanaged devices to browser-only access with reduced permissions, and application-level controls like SharePoint's unmanaged device access policies. Plan for this gap from day one and design your CASB architecture to address both managed and unmanaged device populations.

Vendor comparison — CASB

Cisco (Secure Access + Catalyst SD-WAN): Strong

Inline and API-based CASB covering 40,000+ SaaS applications. Shadow IT discovery with risk scoring, granular activity-level controls (e.g., allow Dropbox view but block download), and predefined compliance templates for SOC 2, HIPAA, and PCI-DSS.

Fortinet (FortiSASE, FortiOS): Moderate

Inline CASB with FortiCASB providing shadow IT discovery and SaaS application control. Covers major SaaS platforms (Microsoft 365, Google Workspace, Salesforce, Box) with activity-level controls. API-based CASB mode available for out-of-band inspection. Breadth of SaaS API integrations trails Netskope and Palo Alto — smaller catalog of supported applications for API mode.

Palo Alto (Prisma SASE): Strong

Inline and API-based CASB with 80+ SaaS API integrations for out-of-band inspection. SaaS Security Posture Management (SSPM) identifies misconfigurations across Microsoft 365, Google Workspace, Salesforce, and other platforms. AI Access Security provides visibility and control over generative AI application usage including data classification and prompt inspection.

Check Point (Harmony SASE): Moderate

Inline CASB with SaaS application discovery and shadow IT visibility. Activity-level controls for major SaaS platforms (Microsoft 365, Google Workspace). Basic DLP integration for data-in-motion across SaaS channels. API-based CASB mode is limited — fewer SaaS API integrations than Palo Alto or Netskope, restricting out-of-band inspection and SSPM capabilities for less common SaaS applications.
