What Is a Cloud Access Security Broker (CASB)? A cloud access security broker (CASB) is a visibility and control point that secures cloud applications, delivering data protection and threat protection services to prevent leakage of sensitive data, stop malware and other threats, discover and control shadow IT, and ensure compliance. Sitting between cloud app users and cloud services, CASBs can monitor traffic and user activity, automatically block threats and risky sharing, and enforce security policies such as authentication and alerting.

Why Is a CASB Needed Today?

With increased cloud adoption, CASBs have become attractive to enterprise security for their various cybersecurity, access control, and data protection functions. They give you back control over corporate data, in motion or at rest, in cloud platforms and apps. Today, CASBs are critical because:

• The growth of cloud platforms and apps (e.g., Microsoft 365, Salesforce) has made traditional network security tools, such as data center firewalls, far less effective.
• IT teams don’t have the control they once had. Almost anyone can pick up and use a new cloud app, and IT can’t manually manage granular user access controls at that scale.
• They can apply policy to provide shadow IT control, cloud data loss prevention (DLP), SaaS security posture management (SSPM), and advanced threat protection.

The Four Pillars of CASB

An effective CASB solution is constructed with four core features in mind:

1. Visibility

Remote work and BYOD are creating a greater need for organizations to know what’s happening in their cloud environments. Unmanaged devices abound, and without proper visibility into your deployments, you run the risk of allowing unwanted access. A CASB discovers your organization’s cloud app usage, creates reports on cloud spend, and performs risk assessments to let you decide whether an app should be blocked.

2. Compliance

Cloud computing services require that an inordinate amount of compliance regulations be met in order to operate at an organizational level. This is particularly true in the public sector as well as the financial services and healthcare industries. With a CASB, you can identify the greatest risk factors in your industry and set stringent data protection policies to achieve and maintain compliance across your organization.

3. Data Security

Every two years, the volume of the world’s data doubles in size. This exponential increase in data has seen bad actors become craftier than ever before. Combining a CASB with cloud DLP lets you not only see potential data risks but stop them, too. What’s more, you have visibility into sensitive content traveling to or from the cloud or between clouds, giving you the best chance to identify incidents, apply appropriate policy, and, above all, keep data secure.

4. Threat Protection

Cloud threats and malware are rampant in today’s IT ecosystem, and in most cases, cloud resources are the most vulnerable. A CASB gives you the power of behavior analytics and threat intelligence to turbocharge your cloud security. With these advanced capabilities, you can quickly identify and remediate suspicious activity, keep cloud applications and data secure, and bolster your organization’s overall cloud security posture.

How Do CASBs Work?

CASB solutions can take the form of on-premises hardware or software, but they’re best delivered as a cloud service for greater scalability, lower costs, and easier management. Whatever the form factor, CASBs can be set up to use proxying (forward proxy or reverse proxy), APIs, or both (which is called “multimode”—more on that a bit later).

Proxy

CASBs need to operate in the data path, so the ideal CASB is founded on a cloud proxy architecture. Forward proxies are more commonly used with CASB, ensuring users’ privacy and security from the client side. Reverse proxies, on the other hand, sit with internet servers and are prone to performance degradation and request errors.

A forward proxy intercepts requests for cloud services en route to their destination. Then, based on your policy, the CASB enforces functions like credential mapping and single sign-on (SSO) authentication, device posture profiling, logging, alerting, malware detection, encryption, and tokenization.

API

While an inline proxy intercepts data in motion, you need out-of-band security for data at rest in the cloud, which CASB vendors provide through integrations with cloud service providers’ application programming interfaces (APIs).

What Does Gartner Say About CASB?

Gartner first defined CASB in 2012, and organizations used it primarily to control shadow IT. CASBs have evolved since then, moving beyond just securing SaaS apps, to become broadly applicable across platform- (PaaS) and infrastructure-as-as-service (IaaS) delivery models in a variety of new use cases.

Over time, CASB benefits and capabilities began overlapping more with secure web gateway (SWG) capabilities. That’s partly why Gartner defined a new term in 2019: secure access service edge (SASE), a framework of cloud-delivered services that provide “comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”

In 2021, Gartner distilled this further, identifying the security-centric slice of SASE as the security service edge (SSE). This reflects growing efforts worldwide to streamline complex, disjointed security stacks, with Gartner predicting that 30% of enterprises will have adopted SWG, CASB, ZTNA, and firewall as a service (FWaaS) capabilities from the same vendor by 2024.

What’s a Multimode CASB?

In proxy mode, CASBs provide inline policy enforcement that stops leakage and malware in real time. They can also integrate with APIs to scan SaaS apps’ contents, enabling them to find and respond to sensitive data patterns as well as threats such as ransomware. More recently, API integrations have been used for SaaS security posture management (SSPM), by which CASBs remediate misconfigurations in applications.

CASBs that offer both proxy and API-based modes are called multimode CASBs. Beyond securing SaaS, they can protect IaaS such as Microsoft Azure and AWS S3. And rather than deploying a CASB as another point product, you can deploy it as part of an SSE platform to ensure consistent security, enhanced performance, and consolidated administration.

Top Use Cases for CASB

1. Discover and Control Shadow IT

When your users store and share corporate files and data in unsanctioned cloud apps, your data security suffers. To counteract this, you need to understand and secure cloud usage in your organization.

Zscaler CASB automatically discovers shadow IT, revealing the risky apps visited by users. Automated, easily configurable policies then enforce various actions (e.g., allow or block, prevent upload, restrict usage) on individual apps and app categories.

2. Secure Non-Corporate SaaS Tenants

Users may simultaneously use both sanctioned and unsanctioned instances of apps like Google Drive. Responding with a one-size-fits-all approach—either allowing or blocking the app entirely—can encourage inappropriate sharing or hamper productivity, respectively.

Zscaler CASB can distinguish between your sanctioned SaaS tenants and unsanctioned instances belonging to external parties, applying appropriate policy enforcement to each. Preconfigured SaaS tenancy controls deliver automated, real-time remediation.

3. Control Risky File Sharing

Cloud apps enable unprecedented sharing and collaboration. As a result, your security teams need to know who’s sharing what in sanctioned apps, lest you risk letting dangerous parties get hold of your data.

Collaboration management is a key capability of any leading CASB. Zscaler CASB quickly and repeatedly crawls files in your SaaS tenants to identify sensitive data, check the users with whom files are shared, and automatically respond to risky shares as needed.

4. Remediate SaaS Misconfigurations

When deploying and managing a cloud application, precise configuration is key to ensure the app functions properly and securely. Misconfigurations harm your security hygiene and can easily expose sensitive data.

Zscaler SSPM integrates with your SaaS tenants via API to scan for misconfigurations that could jeopardize regulatory compliance. It’s one component of Zscaler Workload Posture alongside CSPM and CIEM.

5. Prevent Data Leakage

In addition to cloud resource misconfigurations that could enable data breaches and leaks, you need to identify and control sensitive data patterns in the cloud. A vast amount of such data is regulated under frameworks like HIPAA, PCI DSS, GDPR, and many others.

The Zero Trust Exchange, our cloud native security platform, provides unified data protection with cloud DLP and CASB capabilities. It ensures cloud apps are properly configured to stop data loss and noncompliance, backed up with advanced data classification techniques like exact data match (EDM) and indexed document matching (IDM) to identify and secure sensitive data wherever it goes.

6. Prevent Successful Attacks

Once an infected file gets past your organization’s security into one of your sanctioned cloud apps, it can quickly spread to connected apps and other users’ devices. That’s why you need a way to defend against threats in real time both at upload and at rest.

Zscaler CASB thwarts malware’s advances with advanced threat protection (ATP) capabilities, including:

• Real-time proxy to prevent malicious files from being uploaded to the cloud
• Out-of-band scanning to identify files at rest and remediate threats
• Cloud sandboxing to identify even zero-day malware
• Agentless Cloud Browser Isolation to secure access from unmanaged endpoints

Zscaler CASB

Zscaler delivers multimode CASB as a service along with SWG, ZTNA, and more as part of our comprehensive Zscaler Zero Trust Exchange™ platform to help you eliminate point products, reduce IT complexity, and inspect traffic in a single pass. Your administrators simply configure one automated policy for consistent security across all cloud data channels.

Inline Security for Cloud Data in Motion

High-performance forward proxy and SSL inspection provide critical real-time protection:

• Shadow IT discovery and cloud app control identify and secure unsanctioned apps without requiring network device logs
• DLP measures prevent uploads of sensitive data to sanctioned and unsanctioned apps
• Advanced threat protection stops known and unknown malware in real time with machine learning-powered cloud sandboxing
• Cloud Browser Isolation streams sessions as pixels for BYOD to prevent data leakage without a reverse proxy

Out-of-Band Security for Data at Rest

API-based scanning of SaaS apps, cloud platforms, and their contents automatically enhances your security:

• Predefined and customizable DLP dictionaries identify sensitive data in SaaS and public clouds
• Collaboration management functionality crawls apps for risky file shares and revokes them according to policy
• Cloud sandboxing scans data at rest to identify and respond to zero-day malware and ransomware
• SSPM, CSPM, and CIEM evaluate SaaS and IaaS configurations and permissions to remediate issues automatically