Hard2bit

CASB

What is CASB

CASB (Cloud Access Security Broker) is a security platform that monitors, controls and protects user access to cloud applications (SaaS, IaaS, PaaS). It provides visibility into shadow IT (unauthorized applications used by employees), policy-based access control, cloud malware detection, and data loss prevention (DLP). A CASB sits as a proxy between users and cloud services to inspect traffic, authenticate and authorize users, and raise alerts on anomalous behavior or policy violations.

Why it matters

Cloud-first strategies and remote work accelerated SaaS adoption (Slack, Salesforce, Google Workspace, Microsoft 365) without central oversight. CASB closes a critical gap: if an employee accesses a personal Dropbox, an unauthorized Gmail account, or a SaaS application with a compromised credential, the CASB detects and blocks it. Without a CASB, CISOs have zero visibility into which cloud applications employees use. Regulations mandate this control: ISO 27001 requires access control for external systems; NIS2 requires cloud visibility for critical financial services; DORA requires governance of critical third-party cloud providers. SaaS attacks are frequent: credential compromise, phishing targeting cloud users, weak configuration (publicly shared drives), and data theft. CASB combined with directory integration (AD/Entra) and MFA is an essential defense.

Key points

Shadow IT discovery: identifies cloud applications used without IT approval. Reports show the most popular apps, the users involved, and the sensitive data transferred.

Data Loss Prevention (DLP): monitors data transfers to the cloud and blocks them if a file contains sensitive data (credentials, PII, trade secrets).

Directory integration: syncs users, groups and permissions from AD/Entra and revokes access automatically when a user is terminated or changes role.

Cloud threat detection: identifies malware, anomalous behavior (login from an impossible location, massive download), and APT activity targeting SaaS.

Example: Shadow IT exposes data in unauthorized Dropbox

A marketing employee uses a personal Dropbox to share product presentations with an external agency. Without a CASB, IT has no knowledge of this transfer. The personal Dropbox has a weak password; an attacker gains access, downloads the new product deck 2 years before launch, and sells it to a competitor. Impact: loss of competitive advantage. With a CASB: 1) it automatically detects that the employee uses Dropbox (shadow IT), 2) it generates an alert because a sensitive file transfer to a personal cloud is detected, 3) it blocks access to Dropbox.com, 4) IT investigates, discovers the practice, and implements an authorized Google Drive with DLP monitoring.

Common mistakes

  • Assuming a firewall plus a traditional web proxy protects cloud usage; SaaS applications run over HTTPS/TLS, and a traditional proxy does not decrypt and inspect that SaaS traffic the way a CASB does.
  • Deploying a CASB without integrating it with the directory and MFA; CASB policies that are not synced with user changes (late termination, stale roles) leave gaps.
  • Not configuring DLP correctly; a CASB lets sensitive data transfers through if its policies do not define what is sensitive (PII patterns, keywords, data classification).

Frequently asked questions

What is the difference between CASB and CSPM

CASB monitors user access to SaaS applications (session control, malware detection, DLP). CSPM (Cloud Security Posture Management) audits cloud infrastructure configuration (public S3 buckets, weak IAM permissions, encryption at rest). The two are complementary: CASB = access protection; CSPM = configuration hardening.

Can a CASB block cloud applications

Yes. It can block by policy: if a personal Dropbox is unauthorized, the CASB blocks access to Dropbox.com. But it must act intelligently: do not block Gmail if users legitimately use it for work, or collaboration breaks. App categorization (approved, tolerated, prohibited) is essential.
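As an added illustration (example code written for this entry, not Hard2bit's or any vendor's CASB), the following Python sketch applies the decisions described in the shadow IT example, the common mistakes and the categorization answer above: a constructed app catalogue with approved/tolerated/prohibited categories, a stand-in for directory sync (disabled accounts), DLP patterns for PII and classification keywords, and a massive-download anomaly threshold. All domains, user names, patterns and thresholds are assumptions, not values from the page.

```python
import re
from collections import namedtuple

# App catalogue (constructed): the approved / tolerated / prohibited categories the FAQ describes.
APP_CATEGORY = {"drive.google.com": "approved", "gmail.com": "tolerated", "dropbox.com": "prohibited"}
# Directory sync stand-in (constructed): accounts AD/Entra reports as disabled or terminated.
DISABLED_USERS = {"jdoe"}
# DLP detectors: without explicit PII patterns / classification keywords a CASB passes everything.
DLP_PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "classification": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b"),
}
MASS_DOWNLOAD_BYTES = 500_000_000  # anomaly threshold (constructed)

# One proxied request: user, destination domain, upload/download, byte count, text the proxy can inspect.
Event = namedtuple("Event", "user app action nbytes content")

def evaluate(ev):
    """Return (verdict, reasons): directory status, then app category, then DLP, then anomaly."""
    reasons = []
    if ev.user in DISABLED_USERS:          # revoked in the directory => no SaaS access at all
        return "block", ["user disabled in directory"]
    category = APP_CATEGORY.get(ev.app, "unknown")
    if category == "prohibited":
        return "block", [f"{ev.app} is prohibited"]
    if category == "unknown":              # not in the catalogue at all: shadow IT discovery
        reasons.append(f"shadow IT: {ev.app} not in app catalogue")
    hits = [n for n, rx in DLP_PATTERNS.items() if ev.action == "upload" and rx.search(ev.content)]
    if hits and category != "approved":    # sensitive data leaving to a non-approved app
        return "block", reasons + ["DLP: " + ",".join(hits) + " to non-approved app"]
    if hits:                               # approved destination: allow but keep an audit trail
        reasons.append("DLP: " + ",".join(hits) + " to approved app, logged")
    if ev.action == "download" and ev.nbytes >= MASS_DOWNLOAD_BYTES:
        reasons.append("anomaly: massive download")
    return ("alert" if reasons else "allow"), reasons

# Constructed sample traffic mirroring the page's Dropbox scenario.
SAMPLE = [
    Event("asmith", "dropbox.com", "upload", 40_000_000, "Q3 product deck CONFIDENTIAL"),
    Event("asmith", "files.example.net", "upload", 40_000_000, "Q3 product deck CONFIDENTIAL"),
    Event("asmith", "drive.google.com", "upload", 40_000_000, "Q3 product deck CONFIDENTIAL"),
    Event("jdoe", "drive.google.com", "download", 1_000, "agenda"),
    Event("bwong", "gmail.com", "download", 2_000_000_000, ""),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.user, ev.app, ev.action, *evaluate(ev))
```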

Does CASB replace VPN in remote work

No. A VPN encrypts traffic between the user and the corporate network; a CASB protects direct SaaS access. The modern architecture combines Zero Trust Network access + MFA + CASB + DLP: the user authenticates, connects to the zero-trust network, and the CASB monitors SaaS access and blocks sensitive data transfers.