Explore CASB use cases before you decide to buy
CASB tools help secure cloud applications so only authorized users have access. Discover more about this rapidly evolving technology and its use cases.
With the cloud now an integral component of enterprise networking, organizations need to ensure their cloud applications are secure, accessible only to authorized users and compliant with company policies. One platform that addresses all of these concerns is a cloud access security broker. These systems, typically available as cloud services, sit between users and the cloud-based applications and resources they need to access.
CASB tools first emerged as a way to monitor shadow IT. Now, they play a more significant role by ensuring -- among other features -- that network traffic between users and cloud resources complies with an organization's security policies.
How do CASBs work?
Several elements make CASBs work. The most important is API support for the cloud app in question -- for example, Dropbox. To scan data objects or documents and confirm they are safe, the CASB must be built against the API of each specific app users access.
All CASB traffic ultimately originates in the user's endpoint. It is the endpoint -- or rather the user at the endpoint -- that logs in to a cloud app. Thus, the endpoint -- i.e., the user's device -- plays an important role in the CASB interaction.
User devices that access the cloud generally fit into two categories: managed and unmanaged endpoints.
Managed devices are those the IT department controls. CASBs use agents -- software deployed into these devices -- to monitor traffic. Organizations have the greatest amount of control over managed devices and can further fortify them by installing a traditional endpoint security platform if available from the CASB vendor. With managed devices, a forward proxy sends the traffic to the CASB, which serves as a gateway that communicates with the cloud app on behalf of each client.
Unmanaged devices include employees' personal tablets, phones and computers, as well as devices that partners or contractors use to access the company's cloud apps. These endpoints are often in use throughout an organization's environment, but because the organization doesn't have direct control over them, IT can't install CASB software agents.
For unmanaged devices, CASBs use a reverse proxy instead. In this process, the CASB terminates the unmanaged device's session and creates a separate session into the target application. The CASB thus becomes a "man in the middle" between the user and the application, inspecting all traffic that flows between the endpoint and the target application. Some vendors advocate a gateway approach instead, because some applications have problems with the URL rewriting that the reverse proxy mechanism depends on.
Access to the traffic is only a small part of CASB functionality; the CASB also needs to be application-aware, meaning it must understand the proprietary flow of the application and what occurs during each exchange. For example, the CASB should be able to employ data loss prevention (DLP) capabilities when detecting a file transfer.
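The two mechanisms just described, inline inspection of an upload and the URL rewriting a reverse proxy relies on, are easier to reason about in code. The following is an added, deliberately small illustration written for this article; it is not code from any CASB vendor. The hostnames, the multipart sample body and the card-number DLP rule are all constructed for the example, and the policy is simplified to scanning only on a detected file transfer.

```python
import re

# Constructed hosts for the example: the SaaS origin the proxy fronts and the
# CASB's own reverse-proxy hostname. Neither is a real service.
APP_HOST = "app.example-cloud.test"
PROXY_HOST = "casb-proxy.example.test"

# Constructed DLP rule: 13- to 16-digit card-like numbers, optionally separated
# by spaces or dashes, confirmed with a Luhn checksum to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card-like numbers found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def is_file_transfer(method: str, headers: dict) -> bool:
    """Application awareness in miniature: recognise an upload from the request shape."""
    ctype = headers.get("content-type", "").lower()
    return method.upper() in ("POST", "PUT") and (
        ctype.startswith("multipart/form-data") or ctype == "application/octet-stream"
    )


def inspect_request(method, path, headers, body, violation_action="quarantine"):
    """Decide what the broker does with one client request.

    Non-upload traffic is forwarded unchanged; uploads are scanned and, on a
    DLP hit, the configured action ("block", "quarantine", ...) is returned
    instead of "allow". The findings are what a CASB would log for the SOC.
    """
    if not is_file_transfer(method, headers):
        return {"action": "allow", "findings": []}
    findings = find_card_numbers(body)
    if not findings:
        return {"action": "allow", "findings": []}
    return {"action": violation_action, "findings": findings}


def rewrite_links(html: str) -> str:
    """Rewrite absolute links to the app so that follow-up requests from the
    browser also pass through the proxy. This is the URL-rewriting step that
    some applications tolerate poorly."""
    return re.sub(r"https?://" + re.escape(APP_HOST), "https://" + PROXY_HOST, html)


# Constructed sample traffic (not captured from a real application).
SAMPLE_UPLOAD_BODY = (
    "--boundary\r\n"
    'Content-Disposition: form-data; name="file"; filename="customers.csv"\r\n'
    "Content-Type: text/csv\r\n\r\n"
    "name,card\r\n"
    "Test Person,4111 1111 1111 1111\r\n"   # Luhn-valid test number
    "Other Person,4111-1111-1111-1112\r\n"  # fails Luhn, ignored
    "--boundary--\r\n"
)
SAMPLE_UPLOAD_HEADERS = {"content-type": "multipart/form-data; boundary=boundary"}
SAMPLE_RESPONSE_HTML = '<a href="https://app.example-cloud.test/files/42">open</a>'

if __name__ == "__main__":
    print(inspect_request("POST", "/api/upload", SAMPLE_UPLOAD_HEADERS, SAMPLE_UPLOAD_BODY))
    print(rewrite_links(SAMPLE_RESPONSE_HTML))
```

The point of `is_file_transfer` is the one the paragraph makes: the broker only knows to run DLP on this request because it recognises the exchange as a file transfer, and a real product carries that knowledge per application rather than from a generic content-type check.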
Application knowledge is challenging, due to the vast number of cloud applications a CASB needs to decipher. According to Microsoft, while most IT admins believe their employees use some 30 to 40 cloud applications, that number is closer to 1,000, so sophisticated programming is necessary to understand all those interactions.
What are the main CASB use cases?
Since the technology's inception, CASB use cases have grown to include the following.
Compliance and data security
Addressing compliance and data security issues is at the heart of what most CASB products are designed to do. During each session, CASBs examine or scan data objects, such as files and documents, to ensure the data complies with company and government standards. They can also encrypt data at rest in the cloud.
A CASB can also take various actions if it discovers violations, including watermarking, removing or quarantining the offending content. DLP is a core CASB capability.
Added threat protection for endpoint apps
A more advanced and growing use of a CASB is to act as an additional threat protection layer, guarding against cyberattacks and data theft. The CASB scans data flowing to the corporate user and can detect viruses, malware and potentially more sophisticated threats. This capability will continue to evolve as more threats target cloud application environments.
Visibility into app usage
CASBs enable IT to view all sanctioned and shadow IT apps accessed by users. This alone is often justification enough to implement a CASB.
Cloud application usage tracking
CASBs can provide a way to view cloud application usage, making it easier to identify abuse and usage patterns. If one service is being overused, companies can take action by switching to a more appropriate plan. If other cloud services are getting little or no usage, they can be canceled or modified to cut excess costs.
User behavior analytics
Employers need to understand what their employees and devices are doing when they interact with company cloud applications. Advanced CASB technology can provide access control and perform detailed behavioral tracking and analysis on their cloud application usage.
If a user demonstrates unusual or suspicious behavior, a CASB might alert security practitioners and impose stricter policies, such as MFA or restricted resource access.
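To make the behavioral-analytics use case concrete, here is an added example, written for this article and not taken from any vendor's product, of the simplest form such analysis takes: comparing a user's activity on one day with that user's own history and stepping up policy when it deviates. The events, users, countries and thresholds are all constructed; a real CASB draws on far richer signals.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One activity record as a CASB might log it (constructed, simplified)."""
    user: str
    day: int       # day index within the observation window
    action: str    # "login" or "download"
    country: str   # geolocation of the client IP as seen by the broker


def build_sample_events() -> list[Event]:
    """Constructed sample: a week of normal activity, then a suspicious day 8."""
    events = []
    alice_daily = [3, 4, 2, 5, 3, 4, 3]
    for day in range(1, 8):
        for user, n in (("alice", alice_daily[day - 1]), ("bob", 2)):
            events.append(Event(user, day, "login", "US"))
            events.extend(Event(user, day, "download", "US") for _ in range(n))
    # Day 8: alice logs in from a country never seen before and pulls 40 files;
    # bob is a little busier than usual but otherwise normal.
    events.append(Event("alice", 8, "login", "RO"))
    events.extend(Event("alice", 8, "download", "RO") for _ in range(40))
    events.append(Event("bob", 8, "login", "US"))
    events.extend(Event("bob", 8, "download", "US") for _ in range(4))
    return events


def downloads_per_day(events, user):
    """Count download events per day for one user."""
    counts = {}
    for e in events:
        if e.user == user and e.action == "download":
            counts[e.day] = counts.get(e.day, 0) + 1
    return counts


def analyze_user(events, user, today, z=3.0, min_history=5, min_margin=5):
    """Compare one day's activity with the user's own history.

    Volume: flag when today's downloads exceed mean + max(z*stdev, min_margin)
    over the prior days; the floor stops a near-constant baseline (stdev ~ 0)
    from flagging trivial increases, and no volume verdict is given until
    min_history days exist. Geography: flag any country not seen before for
    this user. Returns a list of human-readable findings (empty = normal).
    """
    findings = []
    counts = downloads_per_day(events, user)
    history = [counts.get(d, 0) for d in range(1, today)]
    if len(history) >= min_history:
        threshold = mean(history) + max(z * pstdev(history), min_margin)
        todays = counts.get(today, 0)
        if todays > threshold:
            findings.append(f"{todays} downloads exceed baseline threshold {threshold:.1f}")
    seen = {e.country for e in events if e.user == user and e.day < today}
    new = {e.country for e in events if e.user == user and e.day == today} - seen
    if new:
        findings.append(f"activity from previously unseen country {sorted(new)}")
    return findings


def recommend(findings):
    """Map findings to a stepped-up policy: one signal asks for MFA,
    several restrict access until a human has looked."""
    if len(findings) >= 2:
        return "restrict_resource_access"
    if findings:
        return "require_mfa"
    return "no_change"


if __name__ == "__main__":
    events = build_sample_events()
    for user in ("alice", "bob"):
        found = analyze_user(events, user, today=8)
        print(user, recommend(found), found)
```

Per-user baselines are what separate this from a fixed quota: bob's four downloads on day 8 are double his usual count but still inside his threshold, while the same kind of rule flags alice, and the unseen-country check fires independently of volume.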
Editor's note: This article was originally written in 2019. TechTarget editors revised it in 2024 to improve the reader experience.
Kevin Tolly is founder of The Tolly Group, a provider of third-party validation and testing services for 30 years. The Tolly Group tests cover a broad range of IT hardware, software, and component-level testing and benchmarking.