Cloud Access Security Broker (CASB) is a security enforcement point positioned between cloud service users and cloud applications to monitor activity, enforce security policies, and protect data. CASBs provide visibility into shadow IT, enforce data loss prevention (DLP) policies, control access to SaaS applications, and protect against cloud-based threats across services like Microsoft 365, Salesforce, and Google Workspace.
As organizations adopt dozens - sometimes hundreds - of SaaS applications, the security team loses visibility into where corporate data flows and who accesses it. CASB restores that visibility and adds policy enforcement between users and the cloud services they consume.
The Four Pillars of CASB
Gartner originally defined CASB around four core pillars that remain the framework for evaluating CASB capabilities today:
- Visibility - Discovers all cloud services in use across the organization, including sanctioned applications and unsanctioned shadow IT. Provides detailed analytics on who is using which services, how much data is being transferred, and what activities are being performed. Without visibility, security teams are protecting a network they cannot see.
- Compliance - Enforces regulatory and internal compliance requirements across cloud services. Maps cloud usage against frameworks like GDPR, HIPAA, PCI DSS, and SOC 2. Ensures that data residency requirements are met and that cloud services meet organizational security standards before employees use them.
- Data Security - Prevents sensitive data from leaving the organization through unauthorized cloud channels. Applies DLP policies to detect and block the upload, download, or sharing of regulated data. Provides encryption and tokenization for data stored in cloud services, and controls sharing permissions to prevent data leakage.
- Threat Protection - Detects and responds to threats within cloud applications. Identifies compromised accounts through anomalous behavior analysis, blocks malware uploads and downloads through cloud storage services, and detects insider threats such as bulk data downloads or unusual access patterns.
Key CASB Capabilities
Beyond the four pillars, modern CASB platforms provide several operational capabilities that security teams rely on daily:
- Shadow IT Discovery - Analyzes network traffic, firewall logs, and endpoint data to build a comprehensive catalog of all cloud services accessed by employees. Classifies each service by risk level based on security certifications, data handling practices, and compliance posture. Most organizations discover 5-10x more cloud services than they expected.
- Data Loss Prevention (DLP) - Inspects content in motion across cloud services to detect sensitive data patterns including credit card numbers, personal identifiers, health records, and intellectual property. Applies policies to block, quarantine, encrypt, or alert based on content classification and context.
- Access Control - Enforces granular access policies based on user identity, device posture, location, and risk level. Can restrict specific actions within SaaS applications - for example, allowing a user to view documents in SharePoint but blocking downloads on unmanaged devices.
- Encryption and Tokenization - Encrypts sensitive data before it is stored in cloud services, with the keys held by the organization rather than the provider, so that even if the cloud provider is breached the data remains protected. Tokenization replaces sensitive values with non-sensitive equivalents while preserving functionality.
- User and Entity Behavior Analytics (UEBA) - Establishes behavioral baselines for each user and detects deviations that could indicate account compromise, insider threats, or policy violations. Flags anomalies such as logins from impossible travel locations, sudden spikes in data downloads, or access to services outside normal working patterns.
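As an added example (not code from the original page or from any CASB product), the two UEBA checks named above, impossible travel and a download spike against a per-user baseline, run over constructed login and download telemetry; the speed threshold, spike factor, event layout and sample values are all assumptions.

```python
# Added example, not from the page: minimal UEBA checks over constructed CASB
# login and download telemetry. Thresholds and sample events are assumptions.
import math
from datetime import datetime

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: above commercial flight speed
DOWNLOAD_SPIKE_FACTOR = 5.0      # assumed: 5x the user's daily baseline mean

# Constructed login events: (user, UTC timestamp, latitude, longitude)
LOGINS = [
    ("alice", "2024-03-01T08:00:00Z", 51.50, -0.12),   # London
    ("alice", "2024-03-01T09:30:00Z", 40.71, -74.01),  # New York, 90 min later
    ("bob",   "2024-03-01T08:00:00Z", 48.86, 2.35),    # Paris
    ("bob",   "2024-03-01T14:00:00Z", 52.52, 13.40),   # Berlin, 6 h later
]

# Constructed daily download volumes in MB: (baseline history, today)
DOWNLOADS = {
    "alice": ([120, 95, 140, 110], 130),
    "bob":   ([80, 70, 90, 85], 2400),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return users whose consecutive logins imply travel faster than the threshold."""
    flagged, last = set(), {}  # last: user -> (time, lat, lon)
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            dist = haversine_km(lat0, lon0, lat, lon)
            if dist / max(hours, 1 / 3600) > max_speed_kmh:  # 1 s floor avoids div by zero
                flagged.add(user)
        last[user] = (t, lat, lon)
    return flagged


def download_spikes(downloads, factor=DOWNLOAD_SPIKE_FACTOR):
    """Return users whose volume today exceeds factor x their baseline mean."""
    return {u for u, (hist, today) in downloads.items()
            if today > factor * sum(hist) / len(hist)}
```

A production UEBA engine would also weight these signals against the user's peer group and time-of-day pattern rather than using fixed thresholds.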
CASB vs CSPM
CASB and CSPM are both cloud security tools, but they address fundamentally different concerns. Understanding the distinction prevents gaps in your security coverage.
| Dimension | CASB | CSPM |
|---|---|---|
| Focus | User access to SaaS applications | Cloud infrastructure configuration |
| What It Monitors | User activity, data flows, SaaS usage | Cloud service configs, IAM, networking |
| Primary Use Case | Shadow IT, DLP, SaaS governance | Misconfiguration detection, compliance |
| Deployment | Proxy or API-based, inline or out-of-band | Agentless, API-based cloud scanning |
CASB protects how users interact with cloud applications. CSPM protects how cloud infrastructure is configured. An organization using Microsoft 365 might use a CASB to prevent employees from sharing sensitive files externally, and CSPM to ensure the underlying Azure tenant is configured securely. Both are necessary for comprehensive cloud security.
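As an added example (not from the page or any vendor's product), a toy inline policy decision that combines the device-posture rule from the Access Control bullet (view allowed, download blocked on unmanaged devices) with a DLP check on content before external sharing, matching the Microsoft 365 scenario above; the request fields, action names, verdicts and the Luhn-validated card pattern are all assumptions.

```python
# Added example, not from the page or any CASB product: a toy inline policy
# decision combining device posture, requested action and a DLP content check.
import re

# Candidate primary account numbers: 13-19 digits, optionally space/dash separated
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits):
    """Luhn checksum; cuts false positives from the broad card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings in text that look like PANs and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def decide(request):
    """Return (verdict, reason) for one SaaS action seen by the broker."""
    action = request["action"]
    # Access control: unmanaged devices may view but not take data offline
    if action == "download" and not request["device_managed"]:
        return "block", "download from unmanaged device"
    # DLP: card data may not leave the tenant; uploads are held for review
    if action in ("share_external", "upload") and find_card_numbers(request.get("content", "")):
        return ("quarantine" if action == "upload" else "block"), "PAN detected in content"
    return "allow", "no policy matched"


# Constructed sample requests (assumed field names)
REQUESTS = [
    {"user": "alice", "app": "sharepoint", "action": "view", "device_managed": False},
    {"user": "alice", "app": "sharepoint", "action": "download", "device_managed": False},
    {"user": "bob", "app": "onedrive", "action": "share_external", "device_managed": True,
     "content": "Card on file: 4111 1111 1111 1111, exp 12/26"},
    {"user": "bob", "app": "onedrive", "action": "share_external", "device_managed": True,
     "content": "Ticket ref 1234 5678 9012 3456"},  # fails Luhn, so not a PAN
]
```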
When Do You Need a CASB?
CASB is most valuable in specific organizational contexts:
- SaaS-heavy organizations - If your workforce relies heavily on SaaS applications for daily operations - Microsoft 365, Salesforce, Slack, Google Workspace, ServiceNow - a CASB provides the visibility and control that native admin consoles cannot. The more SaaS applications in use, the stronger the case for CASB.
- Regulated industries - Healthcare, financial services, government, and legal organizations must demonstrate control over where sensitive data resides and who can access it. CASB provides the DLP enforcement, audit trails, and compliance reporting required by HIPAA, PCI DSS, GDPR, and similar frameworks.
- Remote and hybrid workforce - When employees access cloud services from personal devices, home networks, and public Wi-Fi, the traditional network perimeter offers no protection. CASB applies security policies regardless of where the user connects from, ensuring consistent data protection across managed and unmanaged endpoints.
For organizations primarily concerned with cloud infrastructure security - ensuring Azure subscriptions, AWS accounts, or GCP projects are configured correctly - CSPM is the more directly relevant tool. For organizations concerned with how their workforce uses SaaS applications and where corporate data flows, CASB fills that gap.