What Is a CASB (Cloud Access Security Broker) and When is it Useful?

SASE (Secure Access Service Edge) is comprised of many features which can be grouped into two buckets: WAN Edge Services and Network Security Services. The most common feature within the WAN Edge Services is SD-WAN, and the most common features we see on the Network Security side are CASB (Cloud Access Security Broker), ZTNA (Zero Trust Network Access), and SWG (Secure Web Gateway).

I wrote a blog post that gives a high level overview of each of these features and what types of companies should be considering them, but I wanted to dive deeper. This will be the first post in a series where we analyze each of the features of SASE in much further detail than I’ve done on Get SASE with Sarah so far. Exciting, isn’t it?!

Let’s start with CASB.

What Is a CASB and Who Can Benefit?

Gartner, a leading analytics institution in this industry, gives a very concise definition of CASB. They state that CASBs (either on-premises or cloud-based) are security enforcement points meant to protect users’ access to cloud services. CASBs can include different security features such as authentication, single-sign-on, credential mapping, device profiling, tokenization, and more.

In my “SASE Features and Who Can Benefit From Them” post, I mentioned that CASBs can be a good addition to a network security environment where users are accessing cloud- and/or SaaS-based applications. CASBs make intelligent decisions to block or allow access to cloud resources based on identity, activity, application, and data instead of simply blocking or allowing all traffic. They also give IT and security teams the visibility they need to see and/or control cloud access within the organization.

As Gartner stated, CASB can be included in a device that sits on premises, but in the SASE world, we’re typically talking about cloud-based network security, and therefore, cloud-based CASB.

The Four Pillars of CASB

Most CASB providers, along with Gartner, agree on these four pillars of a CASB and what they should accomplish:


A CASB solution will help an IT team uncover all cloud platforms in use. Most importantly, it can give them visibility into unknown cloud environments that may pose potential risks if these remain undocumented. CASBs also give the ability to granularly allow access to certain services while governing the use of others.

Data Security

Using features like access control and data loss prevention (DLP), CASBs can prevent confidential data from leaving company-controlled services. Whether it’s malicious, or a mistake, CASBs will detect when sensitive data is being uploaded (or has already been uploaded) to the cloud and can route that information to IT to analyze the situation.

Threat Protection

In addition to mitigating data leaks, CASBs will also block external threats. The CASB features that help identify and stop these attacks include anti-malware detection, sandboxing, packet inspection, URL filtering, and browser isolation. Anytime a cloud service is accessed, a CASB will scan and remediate any potential threats.


The security controls included in CASBs help organizations in certain industries maintain their compliance standing in regards to cloud-based data storage. This includes SOC 2, HIPAA, GDPR, PCI, FINRA, and others.

Features Included in CASBs

I touched on a few CASB features in the section above and how they serve each of the four pillars. Here is a full list of the features that should be included in most (if not all) CASB solutions:

  • Access control: controlling what users have access to within company resources
  • Anti-malware detection: scans all incoming data to identify malicious software and prevent it from being downloaded on a device
  • Browser isolation: running the browser in a remote location instead of on a user’s device to protect against malicious code
  • Data loss prevention (DLP): prevents sensitive data from leaving a company-controlled environment
  • Identity verification: verifies that a user is who they say they are using passwords, tokenization, or other methods
  • Packet inspection: inspects data entering or leaving the network for malicious activity
  • Sandboxing: isolating and running code in a secure environment until it’s determined it’s not a threat
  • Shadow IT discovery: identifies any applications or services that employees are using without consent

How CASB Fits into a SASE Strategy

While you’re evaluating different CASB solutions, you’ll find that some providers will offer this service standalone, and some will only offer it as part of a larger SSE (security service edge) or SASE strategy that would also include SWG, ZTNA, and more. I personally talk to several companies about these types of services daily and the majority of them aren’t just looking for CASB. It’s typically a larger conversation about SSE or SASE. They see CASB as a valuable feature of those solutions, not necessarily a standalone point product.

That said, there are occasionally companies that want to keep everything separate. I don’t see this often, but it’s usually an attempt to avoid putting “all their eggs in one basket.” In my opinion, the value that you’d get from managing the entire network security platform within a single portal, and all of these features seamlessly working together, outweighs the risk of having multiple services through a single vendor.

If you’re looking for CASB as part of an SSE or SASE strategy, I’d be more than happy to talk through that with you. Just fill out this form with preliminary information and I’ll reach out to set up that conversation.