A cloud access security broker, or CASB, is a security control layer that helps organizations monitor and enforce policy across cloud applications and services. It matters because sensitive data and risky user behavior increasingly move through SaaS and cloud platforms outside traditional network boundaries.
What is a Cloud Access Security Broker (CASB)?
A CASB sits between users and cloud services, or integrates directly with cloud platforms, to provide visibility, policy enforcement, data protection, and threat detection. It is commonly used to discover shadow IT, apply data controls, and monitor access to SaaS applications.
CASB capabilities can vary, but the overall goal is to help organizations govern cloud usage more safely without relying only on legacy perimeter controls.
What CASB Commonly Includes
Common capabilities include SaaS visibility, shadow IT discovery, data loss prevention, access control, user behavior monitoring, compliance enforcement, and detection of risky cloud activity.
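As an illustration of the shadow IT discovery capability listed above, the following added example (not taken from any CASB product) aggregates web proxy log lines by destination host and reports traffic to services outside an approved list. The log format, the domain names, and the function names are assumptions made for this sketch.

```python
from collections import defaultdict

# Assumption: domains the organization has approved (constructed values).
SANCTIONED = {"sharepoint.example", "crm.example"}

# Constructed proxy log lines: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST files.sharepoint.example 52000
2024-05-01T09:02:10Z bob POST upload.filedrop.example 9800000
2024-05-01T09:03:44Z alice GET crm.example 300
2024-05-01T09:05:00Z carol POST upload.filedrop.example 120000
2024-05-01T09:06:30Z bob GET notes.pastebox.example 450
malformed line without enough fields
2024-05-01T09:07:12Z dave POST CRM.example. 700
2024-05-01T09:08:00Z erin POST crm.example.filedrop.example 2000
"""

def is_sanctioned(host, sanctioned):
    """True if host equals a sanctioned domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so lookalikes such as "evilcrm.example" fail.
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def discover_shadow_it(log_text, sanctioned=SANCTIONED):
    """Aggregate traffic to unsanctioned hosts, largest upload volume first."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the assumed format
        _ts, user, _method, host, bytes_out = parts
        if is_sanctioned(host, sanctioned):
            continue
        entry = stats[host.lower().rstrip(".")]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(bytes_out)
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    for host, s in discover_shadow_it(SAMPLE_LOG):
        print(host, sorted(s["users"]), s["requests"], s["bytes_out"])
```

Ranking by uploaded bytes puts the services receiving the most organizational data at the top of the review list, and the label-boundary match keeps a host that merely embeds an approved name from being treated as sanctioned.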
CASB vs. SASE
CASB focuses more directly on cloud application visibility and policy enforcement. SASE is a broader architecture that combines networking and security services, often including CASB-like capabilities as one part of the stack.
Frequently Asked Questions
Why do organizations use CASB?
Because employees often adopt cloud apps quickly, and security teams need better visibility into where data is going, who is accessing it, and whether usage aligns with policy.
Does CASB only apply to sanctioned SaaS apps?
No. A major use case is discovering unsanctioned or poorly governed cloud services that create hidden business risk.
Related Cybersecurity Terms
- Secure Access Service Edge (SASE)
- Data Loss Prevention (DLP)
- Cloud Security
- Identity and Access Management (IAM)