??? pgHead ???
  • What is a CASB?
  • Why do you need a CASB?
  • Use cases of CASB
  • Pillars of CASB
  • How does a CASB work?
  • Architecture of CASB
  • How to evaluate or choose a CASB solution
  • CASB solution by ManageEngine
  • Role of CASB in healthcare
  • Role of CASB in banking and finance
  • Role of CASB in the education sector
  • Zero Trust and CASB
  • FAQ

What is a CASB?

A cloud access security broker or CASB is an on-premises or cloud-hosted security software or solution that acts as a gatekeeper and monitors the interaction between users and cloud applications. Gartner® defines a CASB as "on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed."

CASB offers insights into cloud applications, the users accessing them, and the activities they perform, such as file uploads.

Figure 1: A CASB solution monitoring user activity in the cloud, including file uploads

The increasing use of cloud technology in business operations poses risks such as reduced visibility, increased complexity in ensuring security, and the use of unsanctioned cloud applications by users. A CASB-integrated SIEM solution helps mitigate these security risks. CASBs allow you to gain visibility into user activities on the cloud. They also allow enterprises to control access by enforcing policies and extending their on-premises security policies to the cloud.

Why do you need a cloud access security broker?

Organizations require CASBs for the following reasons:

  • Regulate user access: Since cloud services are hosted outside the perimeter of organizations, exercising control over user activities becomes difficult. CASB solutions enable organizations to enforce security policies and regulate users' access to data stored on the cloud.
  • Protect sensitive data: CASB technology can be used to monitor sensitive data in-transit and protect the contents of the data through encryption.
  • Stop data exfiltration:CASB helps identify and restrict unauthorized attempts to access and transmit data to and from the cloud, thus preventing data exfiltration attacks.
  • Monitor and prevent shadow IT: CASB keeps a close eye on unsanctioned cloud applications or "shadow IT" applications being accessed by users.
  • Ensure compliance: Using CASB technology, organizations can meet the data security and access requirements of various IT compliance mandates.
  • Stop app duplication: CASB audits the usage of cloud services for budgeting purposes. CASB identifies users utilizing third-party applications for convenience of work while the organization has paid subscriptions for similar software.
  • Secure collaboration: CASB ensures resource sharing platforms are not exploited.

Use cases of cloud access security broker

CASBs are frequently used to prevent the problem of shadow IT and malicious data exfiltration.

Monitoring shadow IT applications: Shadow IT, the use of unsanctioned cloud applications, reduces visibility and leads to increased security risks and compliance violations. When employees use unauthorized software or cloud services, IT admins have no way of ensuring if a user accessing a particular resource is authorized to do so, or if the organization's data security policies are being adhered to. This may inadvertently expose sensitive company data to security threats such as data breaches, malware, and cyberattacks. To avoid these issues, you need a CASB solution that can discover shadow apps, the requesting user, when they made the request, and their activities.

Log360, a comprehensive CASB-integrated SIEM solution by ManageEngine, discovers shadow applications and provides information regarding the domain name, actor or user, time an event was generated, app category, app reputation, URL, and upload size. The reputation score is obtained from Log360's threat feeds. With this, administrators can ban applications in their network and enforce policies.

Log360 leveraging CASB capabilities to provide reports on shadow application requests made by users

Figure 2: Log360 reports offering insights into shadow app requests

Monitoring sensitive data uploads: Organizations should protect against data exfiltration or data theft attempts, which involve an unauthorized transfer of business-critical data from inside the organization to an external network. A CASB solution can monitor the data leaving the network and detect suspicious activities that are indicative of data exfiltration.

Log360 can control access to your data and applications in the cloud, and perform deep packet inspection during file uploads into the cloud in real time by leveraging its CASB capabilities. The File Uploads report in Log360 lists all upload requests with contextual information such as file name, upload request size, domain name, actor, and more.

Log360 leveraging CASB capabilities to provide reports on all file uploads performed by users

Figure 3: Log360 reports offering insights into all file uploads

User risk tracking: CASB provides contextual insights such as the top user accessing banned applications, all of the user's download activity, upload activity, and cloud application requests, as shown in the banned applications dashboard in Log360.

CASB in Log360 identifies banned apps and access attempts made by users, and presents the findings in the form of a visual dashboard.

Figure 4: Log360 dashboard displaying the number of banned applications and their access attempts by users

ManageEngine Log360 helps you detect; investigate; and respond to threats, while meeting compliance requirements.

Pillars of cloud access security broker

Gartner has defined four core features or components that a CASB solution should have, and these components are termed as pillars. The four pillars of CASB in cybersecurity are: visibility, data security, compliance, and threat detection.

Visibility: Most cloud security providers (CSPs) offer very little in terms of audit and logging capabilities. CASB tools overcome these limitations by providing details about the traffic of data being moved between the organization and cloud providers. This helps organizations better understand what sanctioned and unsanctioned cloud services are being utilized by users, and guides them to safer alternatives. User, location, device, application, and quantity of data are some of the metrics that can be extracted to monitor the usage of cloud services by users.

Data security: While the cloud has made sharing data with people easier than ever, it has also put traditional data leak prevention tools into jeopardy because cloud services do not fall under their purview. CASB security solutions can inspect sensitive data being moved to and from the cloud, between cloud services, and within the cloud. These observations help organizations identify and stop attempts to leak sensitive information.

Compliance: It's important to consider compliance when switching to cloud-based services. Regulations such as PCI DSS, HIPAA, GDPR and others ensure that organizations have proper security systems in place to store and handle sensitive data. CASBs provide you with a range of options to identify and control the flow of personal data, monitor high-risk activities, and detect shadow IT applications to ensure adherence to privacy regulations and compliance mandates.

Threat detection: Organizations need to regulate the access of critical data from cloud services. Businesses also need to detect the exfiltration of data by malicious actors with stolen credentials or negligent users accessing sensitive information. CASBs can observe and register patterns of usage exhibited by users and form a baseline, using user entity and behavior analysis (UEBA). Any deviation from the baseline gets flagged as an anomaly, helping organizations spot and mitigate threats earlier.

Clearly, CASBs elevate your organization's cloud security. But, do you know what will take your security to a higher level? A CASB-integrated SIEM solution. To learn why CASBs should be a part of your SIEM solution, read this resource. To see how a unified SIEM solution with integrated CASB capabilities like ManageEngine Log360 has incorporated the four pillars of CASB, visit this page.

How does a cloud access security broker work?

There are three main deployment modes in CASB, namely: forward proxy, reverse proxy, and API scanning.

Forward Proxy: All traffic from the assets within your organizational network is channeled through the CASB before reaching cloud applications, acting as a gateway server at the organization's perimeter. The CASB controls access, and allows or blocks uploads deep packet inspection (DPI) and DLP, and provides real-time analysis of HTTPS traffic during file uploads, including file name, type, and size, aiding in identifying potential threats and policy violations. Learn more about the different deployment modes and the real file use cases of forward CASB from this resource.

Log360 offers forward proxy CASB to monitor traffic from on-prem environments. The gateway server and policies can be configured from the Log360 console.

A forward proxy CASB deployment with a gateway server placed in the on-prem network between organizational users and cloud applications

Figure 5: Forward proxy CASB deployment

Reverse Proxy: Cloud applications redirect user requests to the CASB for validation via user identity using Security Assertion Markup Language (SAML) and grants access. This is particularly beneficial for sanctioned/approved applications and BYOD scenarios. It offers enterprises control over uploads or downloads from unmanaged devices accessing cloud apps from any network (home or work). Read this resource to learn more about proxy-based CASBs.

A reverse proxy CASB deployment with proxy server in front of the cloud applications integrating with identity provider authentication

Figure 6: Reverse proxy CASB deployment

API Scanning: CASBs directly connect with cloud apps to scan data at rest, quarantining or revoking access upon policy breaches, providing effective protection for data stored in sanctioned applications, although it may not control user access or offer real-time protection.

CASB deployment mode - API scanning

Figure 7: API scanning CASB deployment

Architecture of cloud access security broker

The architecture of CASB varies based on the deployment modes.

Forward proxy architecture

The forward proxy CASB architecture relies on a gateway server positioned on the client's premises. This server intercepts outbound traffic, conducts DPI to analyze HTTPS packets, manages SSL/TLS certificates for decryption and re-encryption, and enforces security policies such as URL filtering, application controls, and DLP.

The gateway server is configured and managed through Log360, facilitating periodic configuration syncing and audit data collection.

Reverse proxy architecture

In the reverse proxy CASB architecture, a proxy server is positioned in front of cloud applications. These cloud applications are sanctioned or official applications that the organization has configured reverse proxy for. When clients initiate requests to access these cloud applications, these requests are rerouted to the CASB reverse proxy server (CRPS). This rerouting process is facilitated through SSO, ensuring that all client interactions—whether from managed or unmanaged devices and on-premises or remote—with sanctioned applications are channeled through the reverse proxy server. The CRPS acts as an intermediary between clients and service providers, executing core CASB functionalities such as policy enforcement and audit logging. Organization administrators utilize the CASB application to configure control policies, supply policy settings, and metadata to the CRPS.

API scanning

In an API scanning CASB architecture, the CASB integrates with cloud service providers' APIs to monitor and secure data interactions between an organization's users and cloud applications. This involves continuous monitoring of API calls to inspect files and data at rest, ensuring the content of requests and responses is free from security threats, policy violations, or sensitive data. The CASB enforces security measures such as access controls, encryption, and DLP on API traffic. In simple terms, API scanning keeps an eye on the files and data that are stored and accessed in the cloud. If it spots security issues or sensitive info being shared, it steps in to lock it down using access controls and encryption.

How to evaluate or choose a CASB solution

Every CASB security solution vendor will offer different functionalities. These functionalities can range from shadow IT monitoring to encryption to web content filtering. Here are a few CASB prerequisites you should consider while evaluating or choosing a CASB solution:

  • Assess your security needs and goals to find the CASB solution that best fits your requirements.
  • Check if the CASB vendor has designed the solution keeping in mind the four pillars of CASB.
  • Identify if the solution provides complete visibility into the shadow applications used in your organization.
  • Check if the CASB will improve the cloud security posture of your organization by providing activity analytics insights, such as tracking applications used in the cloud, sensitive file uploads made by users, or compliance policy violations at a granular level.
  • Ascertain the solution's scalability. A good CASB solution will be able to keep up with the growing cloud usage without compromising on security.
  • Check if the CASB software can provide actionable data in the form of dashboards and reports, and can satisfy your requirements at a reasonable cost.

For more insights into choosing CASBs for multi-cloud, read this resource.

CASB solution by ManageEngine

Log360, ManageEngine's unified SIEM solution, comes with integrated DLP and CASB capabilities. Log360 has the four pillars of CASB integrated into it, thereby allowing you to leverage CASB for:

  • Enhanced visibility into cloud events
  • Facilitating identity monitoring in the cloud
  • Compliance management in the cloud
  • Threat protection in the cloud

With Log360's integrated CASB capabilities, you can discover and ban the use of shadow applications in your network, safeguard cloud accounts from unauthorized access, ensure the security of cloud-based resources, prevent web-based attacks, and malicious data exfiltration attempts.

Log360 leveraging CASB capabilities to provide visibility into top cloud apps by accesses, upload, and download size.

Figure 6: Log360 dashboard showing Top Cloud Apps by accesses, upload, and download size

CASB in Log360 offering insights into sanctioned and shadow application accesses and users, in the form of a visual dashboard.

Figure 6: Log360 dashboard offering insights into sanctioned apps and shadow app access.

Role of CASB in healthcare

Healthcare organizations are like fortresses protecting valuable treasures—the personal health information of patients. CASBs act as the vigilant guards of these fortresses, constantly monitoring and controlling access to cloud-based applications and data. They serve as the gatekeepers, ensuring that only authorized personnel—doctors, nurses, and staff—can access patient records and sensitive medical information. In this way, CASBs help healthcare organizations mitigate security risks such as data exfiltration, protect sensitive patient data, achieve compliance with regulatory requirements, and enable secure collaboration and remote access in today's cloud-centric healthcare environment.

Role of CASB in banking and finance

The role of CASB in banking institutions lies in its critical ability in safeguarding highly sensitive financial data and complying with rigorous regulatory standards.

CASBs allow banks to apply tailored access controls based on factors like the user's role, device, and location, ensuring that only authorized individuals can access confidential, cloud-stored data. Banks handle sensitive customer information such as financial records and personal data, and must comply with strict regulatory standards such as PCI DSS, GLBA, and GDPR, which vary depending on their location and operations.

Role of CASB in the education sector

Educational institutions enforce stringent internet access policies, driven by the understanding that their users primarily consist of students. This necessity arises due to the varied user groups present, encompassing students, faculty, staff, and researchers, requiring tailored approaches to user management and data security. Additionally, the prevalence of shadow IT, where unauthorized cloud applications are adopted without oversight, poses a significant concern. BYOD policies are common, which allow students and faculty to utilize personal devices for educational purposes. Cloud-based collaboration tools such as learning management systems (LMS) and email services play a pivotal role in facilitating remote learning and productivity.

Zero Trust and CASB

Both CASB and Zero Trust are cybersecurity measures that aim to enhance security in cloud environments and adopt a proactive, risk-based approach to security. While CASB focuses primarily on securing access to cloud services and data, Zero Trust extends this concept to all network resources, including on-premises infrastructure, remote users, and third-party connections.

CASBs can play a crucial role in implementing Zero Trust principles by providing visibility into cloud usage, enforcing security policies based on user behavior and context, and integrating with SIEM solutions. By leveraging a CASB-integrated SIEM solution within a Zero Trust framework, organizations can achieve granular control, visibility, and security across their cloud environments while mitigating the risks associated with unauthorized access, data breaches, and compliance violations.


What is Zero Trust?

Zero Trust is a security framework based on the principle of "never trust, always verify." Unlike traditional network security models that rely on perimeter-based defenses, Zero Trust assumes that threats may already exist inside the network and that users and devices should not be implicitly trusted based solely on their location or network segment. Zero Trust policies involve enforcing strict access controls, continuous authentication, and least privilege principles to minimize the risk of unauthorized access and lateral movement within the network.

What is shadow IT?

If any cloud application or service is used without the knowledge of, or the explicit approval of the organization's IT department, it is called shadow IT. In other words, these applications are neither sanctioned nor unsanctioned, and fall into a grey area.

What is data exfiltration?

Data exfiltration, also known as data theft, is a stealth cyberattack that involves the unauthorized transfer of business-critical data from inside the organization to an external network. It can be caused by insider threats, phishing emails, and other external attacks.

Are CASBs and firewalls the same?

No. While both CASBs and firewalls can help monitor data traffic and control users' access to resources, CASBs go a step further in providing complete visibility into user activities in cloud environments, enforcing DLP policies, achieving compliance, and in preventing data exfiltration and data loss. Organizations should use both firewalls and CASBs to improve their cybersecurity posture.

Are CASB and SIEM the same?

No. CASBs are available as a standalone security solution. However, modern SIEM solutions have CASB capabilities built into them. Organizations will benefit from using a SIEM solution with integrated CASB capabilities.

What is the difference between DLP and cloud access security broker?

A CASB solution primarily focuses on securing cloud-based services and applications. It provides visibility into cloud usage, controls access to cloud resources, and enforces security policies to protect data stored in the cloud. A DLP solution on the other hand, focuses on preventing the unauthorized disclosure of sensitive data. It monitors data in motion, at rest, and in use across various endpoints, network gateways, email servers, and cloud storage platforms to enforce data security policies and prevent data breaches and leaks. Organizations will benefit from having both DLP as well as CASB capabilities as a part of their security infrastructure.

Can SIEM solutions help monitor shadow IT or prevent data exfiltration?

Yes. A unified SIEM solution like ManageEngine Log360 that comes with integrated CASB and DLP capabilities can help in monitoring shadow IT, enforcing DLP policies, and in prevent data loss and data theft. To learn more, sign up for a personalized demo.