Cloud access security brokers (CASBs) explained

As the name suggests, a cloud access security broker (CASB) manages access between enterprise endpoints and cloud resources from a security perspective. CASBs can be deployed on-premises or in the cloud; as a hardware appliance or software-only, as a proxy, reverse proxy, or through specific APIs.

Enterprises have untold numbers of endpoints, both managed (corporate-owned devices) and unmanaged (devices owned by employees or third-party contractors). Endpoints can be on-premises or remote. And endpoints can include internet of things (IoT) devices.

[ Download our editors’ PDF cloud access security broker (CASB) enterprise buyer’s guide today! ]

In this buyer’s guide:

• Cloud access security brokers (CASBs) explained
• Why enterprises need cloud access security brokers (CASBs)
• What to look for in a cloud access security broker (CASB) tool
• Core cloud access security broker (CASB) services
• Leading cloud access security broker (CASB) vendors
• What to ask before cloud access security broker (CASB) tool
• Essential reading

In a multicloud environment, each endpoint could connect to multiple cloud resources over the course of a single day — productivity apps (like Microsoft 365), SaaS apps (like Salesforce and Workday), collaboration apps (like Slack and Zoom), and cloud storage (like Amazon Web Services and Dropbox). Not to mention homegrown apps that have been migrated to the cloud, or apps that have been developed in the cloud (that is, cloud-native).

CASBs sit between an organization’s endpoints and cloud resources, acting as a gateway that monitors everything that goes in or out, providing visibility into what users are doing in the cloud, enforcing access control policies, and looking out for security threats.

Some vendors have begun incorporating additional features into core CASB functionality, such as data loss prevention (DLP), secure web gateway (SWG), cloud security posture management (CSPM), and user and entity behavior analytics (UEBA).

However, it is important to note that CASBs are also a key component of a broader security strategy that goes by several names:

• Gartner calls that broader strategy Secure Service Edge (SSE), an integration of CASB, secure web gateway (SWG), and zero trust network access (ZTNA). According to Gartner, by 2026, 85% of organizations seeking to secure their web, SaaS, and private applications will obtain the security capabilities from a Security Service Edge (SSE) offering. The Gartner nomenclature has become the de facto standard. They and others have used a second acronym, Security Access Service Edge (SASE).
• IDC defines the category as network edge security as a service (NESaaS), with the same three core components: CASB, SWG, and ZTNA. “The network security market is in the process of a much-needed convergence trend. Security vendors have shifted from a focus on à la carte, individualized security services to a consolidated, cloud-delivered network security platform that treats individual services as optional modules,” IDC states.

Why enterprises need cloud access security brokers (CASBs)

The original use case for CASBs was to address shadow IT. When security execs deployed their first CASB tools, they were surprised to discover how many employees had their own personal cloud storage accounts, where they squirreled away corporate data. CASB tools can help security teams discover and monitor unauthorized or unmanaged cloud services being used by employees. This has grown to also include shadow AI services, as more enterprise users pick various machine learning models and use personal accounts to access public-facing generative AI tools.

Today, CASBs encompass a variety of other use cases:

• Data protection: The COVID-19 pandemic drove employees to remote work and applications to the cloud, where they could be more easily accessed. The pandemic has passed, and many employees have returned to the office, but those applications and that data are still in the cloud. Organizations must protect sensitive data as it moves across a hybrid cloud environment. Today’s CASB often integrates DLP functionality.
• Compliance: Data privacy regulations continue to tighten. CASBs are an important tool in an organization’s overall regulatory compliance framework, enforcing data privacy policies.
• Remote workforce: Regardless of the location of employees, CASBs allow enterprises to implement more consistent security standards and secure remote access to cloud resources.
• Threat detection: CASBs can detect malicious activity, intrusion attempts, ransomware, and other types of security events. CASB tools can generate real-time alerts to enable quick response by security teams and feed these alerts into other security platforms to mitigate and resolve them.

What to look for in a cloud access security brokers (CASB) tool

From a purely functional perspective, there are four key features of a CASB tool:

• Visibility: CASBs provide comprehensive visibility into cloud usage, user activities, and data flows.
• Control: CASBs offer granular control over user permissions and data access.
• Data protection: CASB solutions provide data protection capabilities to safeguard sensitive information across multiple cloud services.
• Compliance: CASB tools help maintain compliance with data privacy regulations.

Beyond those core features, organizations need to make sure the CASB tool well integrates with existing cloud services, applications, and security infrastructure.

There are three deployment modes: forward proxy, reverse proxy and API-based. Most experts say that API-based CASBs provide better functionality, but organizations need to make sure that the vendor’s list of application programming interface (API) connections matches up with the organization’s inventory of cloud apps.

Core CASB services

Take note about the use or requirements for deploying various agents with each product. This is where the CASB vendors often place their secret sauce, which could be an issue depending on how agent-friendly or agent-adverse your IT department is. For example, Skyhigh uses a single agent that functions across all three operational modes. Some of the other CASBs have multiple agents — such as for specific functional areas like antivirus, DLP, or VPN — that can get messy, not to mention tough to deal with unmanaged endpoints such as personal mobile phones and embedded devices such as internet of things controllers.

The following three basic services that all CASBs offer are at the core of what CASBs do and why you would buy one:

Monitor and control your most sensitive data flows: CASBs were originally designed to stem the tide of shadow IT products and to control and make SaaS applications more secure. Now they have broadened their use and can fit into a variety of situations, including operating across multiple cloud providers and mixing SaaS, mobile, and on-premises applications, too.

Apply uniform DLP policies across all servers and apps: As your data appetite increases, you need better ways to ensure that you aren’t leaking customer- and business-sensitive information, either through a malicious insider or inadvertently through a bad combination of security loopholes. While DLP products have been around for years, having DLP-like features in your CASB can be a nice way to track these potential weak spots, especially as more of your data moves into the cloud and is accessed by unmanaged mobile devices.

Manage cloud-native encryption keys: Ideally, your CASB should automatically keep track of your encryption needs and keys so you don’t have to do this manually, and so you can encrypt more of your data.

Some CASB tools are better at some things than others. For example:

• Bitglass has an Ajax virtual machine-like layer that handles near-real-time DLP on unmanaged devices. The only caveat is that these devices have to access data through their browsers.
• Some CASBs, such as Fortra, has field-level encryption on some SaaS structured data services, which can be a handy mechanism for protecting sensitive information.

Beyond these basics, all CASBs offer the potential to operate in one (or more) of three different modes:

• Forward proxy, usually deployed with endpoint agents or VPN clients.
• Reverse proxy, which doesn’t require agents and can work better for unmanaged devices.
• API control, which provides visibility into data already stored in cloud repositories or data that is used in a cloud process that never enters a corporate network.

Feature sets across CASB operational modes vary

Part of the CASB evaluation challenge is understanding how the feature set extends to each operational mode if indeed the product operates in more than one mode. Broadcom’s Symantec CASB, for example, has reverse proxies just for Microsoft 365 and no other application. Meanwhile, Cisco Systems and Palo Alto Networks both offer API-only CASB products. Such differences mean you need to understand the types of protection and not just which apps are supported but how they are supported, and what is the exact API portfolio that is covered by each product.

You really need the API support if you want to get granular with your CASB protection to understand the state of your public cloud security exposure and to stop any cloud-based malware too. API deployments also can trap cloud-to-cloud activities and to retrospectively inspect archived traffic flows. You will also need some level of proxying to handle application gateways and for implementing specific security policies. It pays to read the fine print and develop an appropriate test plan that will reveal the relevant features for each vendors’ product.

Nice-to-have sets of CASB features:

• Conduct continuous risk assessments and compliance audits on demand: A CASB can show in a single place where a corporation has the most risk and summarizes issues that a security team can quickly focus on for suspicious behavior that other products couldn’t easily do.

Forcepoint, Netskope, and Proofpoint all have nice risk summary dashboards that you can customize to display the things you need to understand how your environment is behaving and what needs immediate attention.

• Apply uniform adaptive authentication policies across all logins, servers, and apps: This should include read-only access (Gartner suggests this would be a good situation for unsanctioned SaaS services that are nonetheless needed), step-up authentication, and more granular access rights management.

Identity management and single sign-on (SSO) tools are the usual go-to reasons for these sorts of tasks, and one important trend is that more CASBs are integrating with traditional SSO products. The trick is to understand that the typical level of integration happens (usually) in reverse proxy mode only, and the SSO authentication is only passed to the CASB at the initial application login moment. This means that if you want a more complete adaptive authentication to trap when more risky behavior happens, you will probably have to stick with your dedicated SSO product.

As you can see, CASBs touch a lot of different existing security products across your enterprise. The challenge for successful integration is being able to understand these interactions and ensure that you overall security profile is enhanced rather than degraded with their use.

Leading cloud access security broker (CASB) vendors

The list of leading CASB vendors (in alphabetical order) includes pure-play companies as well as traditional security vendors that have added CASB capabilities to their portfolios either by acquisition or through internal development. Most vendors would not share their pricing details, but we have found approximate clues on AWS and Azure marketplaces where we could.

Cloudflare CASB is an add-on to their One SASE platform, using the same overall agent. There is a free version for under 50 users which allows two SaaS components, and prices start at $7/user/month above that level, with custom pricing for larger installations. The CASB product is now four years old and integrates with visibility and control of various AI services such as ChatGPT and Google Gemini. It doesn’t support reverse proxies, includes DLP and integrates with the risk scores and metadata sources available with Microsoft’s cloud services, such as with protecting Office 365 documents and emails.

Cisco Cloudlock:Cisco Systems has had a CASB since it acquired Cloudlock back in 2016. Cisco Cloudlock is a cloud-native CASB that protects users, data, and apps with an automated approach that uses APIs to manage the risks in the cloud app ecosystem. It integrates with Cisco’s SSE platform for its protective policies and a uniform dashboard. Cloudlock uses advanced machine learning algorithms to detect anomalies. It also provides DLP functionality and targets shadow IT with policy-based controls that can block dangerous activities, depending on permissions and risk levels. It uses machine learning to produce risk scores for more than 1,300 applications along with having tools to manage AI supply chains.

Forcepoint ONE CASB: Forcepoint bought Bitglass in 2021, one of the original standalone CASB vendors and a leader in Gartner’s Magic Quadrant for CASB. Forcepoint has integrated Bitglass technology with its own DLP capabilities to provide an SSE solution. Forcepoint excels in monitoring and reporting on shadow IT, and its user analytics feature is popular. The software also supports a zero-trust architecture, providing device and user authentication. Pricing is $120 per user per year on AWS Marketplace.

Fortra’s CASBis the result of acquiringendpoint protection vendor Lookout who previously acquired CASB innovator CipherCloud. Fortra now has a solid SSE platform that covers zero trust access controls, advanced DLP capabilities to automate the data discovery process, and supports a range of purpose-built integrations that covers identity access management and security orchestration, among others. It can provide visibility across managed and unmanaged cloud-based applications, users, endpoints, and data.

Netskope CASB: One of the original pure-play CASB vendors, Netskope is a leader in CASBs as well as SSE. According to Forrester Research, Netskope has shown innovation across its technology stack, including significant investments in an impressive new private global network, artificial intelligence and generative AI security. Netskope merged SWG functionality into its CASB tool and sells separate in-line and API versions each for $35,000 per year for 100 users on AWS Marketplace.

Palo Alto Networks Prisma CASB**. **Palo Alto Networks touts its CASB as being “next-generation,” based on the proposition that it’s less a standalone product and more of a range of integrated solutions such as inline security, SSPM, and enterprise DLP. The Palo Alto Networks CASB is designed to secure apps and data across cloud and hybrid workforce environments, protects data in transit between users and SaaS providers, facilities regulatory compliance and minimizes risks from shadow IT.

Proofpoint’s CASB is focused on extending DLP and threat protection from email to cloud apps. Proofpoint takes a people-centric approach; it provides granular visibility into who creates sensitive data and who owns, downloads, uploads, shares and edits that data. It identifies users who have been successfully phished, and those who have been attacked the most by hackers.

Skyhigh Security CASB supports all deployment modes and enables real-time control over user access to sanctioned and unsanctioned cloud services. Skyhigh (a unit of Indian IT tech provider Musarubra that also owns Trellix) focuses on providing comprehensive multimode coverage that feeds security events into a machine learning system to provide sophisticated event correlation, helping security teams to focus on real threats rather than false alarms. CASB is just part of its overall SSE platform which integrates across SWG, ZTNA, DSPM and DLP, along with remote browser isolation. Protective policies are developed platform-wide and include management of AI usage and prevention of shadow AI and crafting user risk scores from all these metrics. Pricing is based on per protected service per user per year, the unlimited services is $88/user/year, with extra charges for shadow services.

Symantec, a division of Broadcom, offers its CloudSOC CASB to monitor and control the use of sanctioned SaaS apps through extensive API integrations and in-line traffic analysis. The Symantec CASB provides full visibility and automatic detection of high-risk users, compromised accounts, and malicious insiders. Individualized behavioral-based user threat scores allow fast identification of risky user accounts. The tool automates the classification regulated data flowing in and out of apps, and it enforces controls that align with corporate policies. The tool includes DLP functionality and CSPM.

Versa’s CASB** is part of its One Universal SSE Platform **that contains a unified dashboard and policy rule set for a variety of security services, including DLP, ZTNA, applications firewall, analytics and reporting. All its modules were entirely developed in-house, include various AI-based tools, and it supports all three modes of operation. ** **Users can create protective policies using natural language queries of its embedded AI, as well as explore alerts and remediations.

Zscaler CASB offers inline, real-time capabilities and out-of-band scanning functionality to protect data, block threats, provide visibility, and assure compliance. Key features include agentless cloud browser isolation to secure BYOD and third-party devices where software installations are infeasible, advanced threat protection to stop malware from reaching cloud resources in real time, cloud sandboxing to detect new ransomware and other zero-day infections, shadow IT discovery to automatically identify unsanctioned apps used by employees and create a risk score for each. It uses AI to classify and detect data leaks and will have additional AI-based tools in early 2026.

What to ask before buying a CASB tool

Buying a CASB tool can be complex. There’s a laundry list of possible features that fall within the broad CASB definition (DLP, SWG, etc.) And CASB tools themselves are part of a larger trend toward SSE and SASE platforms that include features such as ZTNA or SD-WAN. Enterprises need to identify their specific pain points — whether that’s regulatory compliance or shadow IT — and select a vendor that meets their immediate needs and can also grow with the enterprise over time. Here are the key questions to ask yourself before buying a CASB tool:

1. Do I have a good handle on what cloud services my users are accessing, including employees, contractors, and other third-parties?
2. Do I have a solid data classification system in place, so that I know what types of data are sensitive or mission critical?
3. Do I have policies in place for access control across both on-prem and cloud environments, including SaaS applications?
4. Do I have clear objectives? What are my priorities when shopping for a CASB?
5. How will a CASB tool integrate with my existing security infrastructure such as firewalls, endpoint protection and web gateways. Examine how it will protect my entire applications’ estate, including custom-written apps. What happens as I migrate apps from on-premises to the cloud or in reverse?
6. Do I get DLP and SWG as part of the CASB, or are those additional modules?
7. How will the purchase of a CASB tool play into my broader security roadmap that might include the adoption of SSE or SASE?
8. What is the initial cost, as well as the longer-term total cost of ownership?
9. Do I have the budget for a new tool?
10. Can your product scale as my company grows?
11. Does your product cover all the geographic regions where I operate?
12. Do I have the inhouse staff to deploy and manage the tool on-premises, or should I take the cloud-based, managed service route?

Essential reading

• How do you secure the cloud? New data points a way
• What is SASE? A cloud service that marries SD-WAN with security

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.