CASB - Cloud Access Security Broker
A Cloud Access Security Broker (CASB) is a policy enforcement point between enterprise users and cloud services, sitting either inline (as a proxy) or beside the service (via its APIs). CASBs offer four core capabilities: visibility (which cloud services are being used?), compliance (are policies being followed?), data security (DLP for cloud data), and threat protection (anomaly detection). Shadow IT discovery is the most common entry-level use case.
A CASB addresses a core problem of the cloud era: employees use hundreds of cloud services, sanctioned and unsanctioned, outside the IT department's control. The CASB gives IT back visibility into that usage and a single place to enforce policy on it, without blocking the productivity gains that drove the adoption in the first place.
The Four Pillars of CASB
Gartner defines 4 core CASB capabilities:
1. Visibility – Discovering Shadow IT:
→ Which cloud services are employees using? (often 1,000+ unknown apps!)
→ Log analysis: Firewall/proxy logs → Cloud app categorization
→ Risk rating: Dropbox (known) vs. unknown file-sharing (risky)
→ Agentless discovery: only log analysis required!
2. Compliance – Policies for approved apps:
→ Enforcement of data protection policies in Salesforce, M365, Box
→ GDPR: personal data only on approved services
→ NIS2: sensitive data only on verified, secure platforms
→ Reporting: proof of compliance for audits
3. Data Security - DLP for the Cloud:
→ Credit card numbers in Google Drive?
→ Passwords uploaded to Slack?
→ Customer data shared in a private Dropbox?
→ DLP policies for file upload, download, and sharing
4. Threat Protection - Anomaly Detection:
→ Impossible Travel: User in Berlin and New York at the same time
→ Bulk Download: User downloads 5,000 files in one hour
→ Unknown Device Login: First login from this device
→ Compromised Credentials: many failed logins across accounts from one source, or a successful login right after such a burst (credential stuffing detection)
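As an added example (not from the original page), here is how two of the detections above, impossible travel and bulk download, can be implemented over an activity log. The users, events and city coordinates below are constructed; the page's 5,000-files-per-hour figure is lowered to 50 so the small sample trips the rule, and 900 km/h is assumed as the fastest plausible travel speed between two logins.

```python
"""Added example: impossible-travel and bulk-download detection over a
constructed CASB-style activity log. Nothing here is real tenant data."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than any commercial flight
BULK_DOWNLOAD_LIMIT = 50    # assumption: page uses 5,000/h; lowered for the sample
WINDOW = timedelta(hours=1)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FMT)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _downloads(user, start, count, every_s):
    """Constructed helper: `count` download events spaced `every_s` seconds apart."""
    t0 = parse_ts(start)
    return [(user, (t0 + timedelta(seconds=k * every_s)).strftime(TS_FMT),
             "download", "Berlin", 52.52, 13.40) for k in range(count)]


# Constructed events: (user, timestamp, action, city, lat, lon); city centres are approximate.
EVENTS = (
    [
        ("alice", "2024-05-01T08:00:00Z", "login", "Berlin",   52.52,  13.40),
        ("alice", "2024-05-01T09:30:00Z", "login", "New York", 40.71, -74.01),  # 1.5 h later
        ("bob",   "2024-05-01T08:15:00Z", "login", "Munich",   48.14,  11.58),
        ("bob",   "2024-05-01T17:45:00Z", "login", "Berlin",   52.52,  13.40),  # a train ride
    ]
    + _downloads("carol", "2024-05-01T08:00:00Z", 60, 60)   # 60 files in 59 minutes
    + _downloads("dave",  "2024-05-01T08:00:00Z", 30, 60)   # 30 files: under the limit
)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for consecutive logins of one
    user that would require moving faster than max_kmh."""
    by_user = {}
    for user, ts, action, city, lat, lon in events:
        if action == "login":
            by_user.setdefault(user, []).append((parse_ts(ts), city, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same timestamp, different place: impossible without dividing by zero.
            speed = km / hours if hours else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


def bulk_downloads(events, limit=BULK_DOWNLOAD_LIMIT, window=WINDOW):
    """Return (user, peak_count) for users whose downloads exceed `limit`
    inside any sliding `window` (two-pointer scan over sorted timestamps)."""
    by_user = {}
    for user, ts, action, *_ in events:
        if action == "download":
            by_user.setdefault(user, []).append(parse_ts(ts))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        peak, j = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak > limit:
            alerts.append((user, peak))
    return alerts


if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(EVENTS):
        print(f"impossible travel: {user} {a} -> {b} (~{kmh} km/h)")
    for user, n in bulk_downloads(EVENTS):
        print(f"bulk download: {user} {n} files within one hour")
```

The speed test is deliberately coarse: real products add VPN egress and mobile-carrier allowances, because a corporate VPN concentrator in another country looks exactly like impossible travel.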
Shadow IT Discovery
Shadow IT: The Invisible Cloud Usage
Real-world figures:
→ Average company: 1,935 unknown cloud apps (Skyhigh 2024)
→ IT department is aware of: approx. 30–50
→ Employees use for work: Dropbox, WeTransfer, ChatGPT, Grammarly...
Shadow IT Discovery Methods:
1. Firewall/Proxy Log Analysis:
→ Forward firewall logs to CASB (no agent required!)
→ CASB categorizes all outgoing URLs
→ Report: "These 150 cloud apps are in use, of which X are unknown"
2. API-Based Discovery:
→ Enumerate OAuth consents (third-party apps granted access to mailboxes, files or calendars) in M365/Google Workspace
→ "Which third-party apps have access to corporate emails?"
→ Often alarming: Hundreds of apps with email access
3. CASB agents and inline proxies (for complete visibility):
→ Endpoint agent: identifies the app even when traffic is TLS-encrypted; inspecting the content still requires TLS interception
→ Mobile Device Management (MDM) integration: iOS/Android apps
→ Forward proxy (PAC file or agent-steered): all web traffic passes through the CASB, so apps missing from the firewall logs are seen too
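An added example (not part of the original page) of the API-based discovery in method 2: the records below imitate the shape of Microsoft Graph `oauth2PermissionGrants` objects (clientId, consentType, principalId, scope), but the apps, users and grants are constructed, and the scope risk weights are this example's own assumptions rather than a Microsoft or vendor rating. A real run would page through `GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants` instead of reading a list.

```python
"""Added example: rank third-party OAuth consents by the access they confer.
Records mimic Graph oauth2PermissionGrant fields; all data is constructed."""
from collections import defaultdict

# Assumed risk weights per delegated scope (0 = identity only, 4 = broad write access).
SCOPE_RISK = {
    "openid": 0, "profile": 0, "email": 0, "User.Read": 0,
    "offline_access": 1,            # refresh token: access outlives the user's session
    "Calendars.Read": 1,
    "Contacts.Read": 2,
    "Mail.Read": 3, "Files.Read.All": 3, "Sites.Read.All": 3,
    "Mail.ReadWrite": 4, "Mail.Send": 4, "Files.ReadWrite.All": 4, "Sites.ReadWrite.All": 4,
}
UNKNOWN_SCOPE_RISK = 2              # anything not in the table needs a human look
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}

# Constructed grants. consentType "Principal" = one user consented (principalId set);
# "AllPrincipals" = an admin consented for the whole tenant (principalId is null).
GRANTS = [
    {"clientId": "calendar-sync",   "consentType": "Principal",     "principalId": "u1",
     "scope": "Calendars.Read User.Read"},
    {"clientId": "mail-summarizer", "consentType": "Principal",     "principalId": "u1",
     "scope": "Mail.Read offline_access User.Read"},
    {"clientId": "mail-summarizer", "consentType": "Principal",     "principalId": "u2",
     "scope": "Mail.Read offline_access User.Read"},
    {"clientId": "mail-summarizer", "consentType": "Principal",     "principalId": "u3",
     "scope": "Mail.Read Contacts.Read offline_access"},
    {"clientId": "legacy-backup",   "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "slide-designer",  "consentType": "Principal",     "principalId": "u4",
     "scope": "openid profile Files.Read.Selected"},   # last scope not in the table
]


def summarize_grants(grants):
    """Collapse per-user grants into one row per app: who consented, which scopes,
    and the highest risk weight among them."""
    apps = defaultdict(lambda: {"users": set(), "tenant_wide": False,
                                "scopes": set(), "max_risk": 0})
    for g in grants:
        row = apps[g["clientId"]]
        scopes = set(g["scope"].split())
        row["scopes"] |= scopes
        if g["consentType"] == "AllPrincipals":
            row["tenant_wide"] = True
        elif g["principalId"]:
            row["users"].add(g["principalId"])
        row["max_risk"] = max([row["max_risk"]] +
                              [SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in scopes])
    return dict(apps)


def apps_with_mail_access(summary):
    """The page's question: which third-party apps can read corporate e-mail?"""
    return sorted(app for app, row in summary.items() if row["scopes"] & MAIL_SCOPES)


def revocation_candidates(summary, write_threshold=4, tenant_wide_threshold=3):
    """Apps to revoke or push through admin review: broad write access, or a
    tenant-wide consent covering anything beyond calendar/identity scopes."""
    return sorted(app for app, row in summary.items()
                  if row["max_risk"] >= write_threshold
                  or (row["tenant_wide"] and row["max_risk"] >= tenant_wide_threshold))


def report(summary):
    lines = []
    for app, row in sorted(summary.items(), key=lambda kv: -kv[1]["max_risk"]):
        who = "TENANT-WIDE" if row["tenant_wide"] else f"{len(row['users'])} user(s)"
        lines.append(f"{app:16} risk={row['max_risk']} {who:12} "
                     f"{' '.join(sorted(row['scopes']))}")
    return lines


if __name__ == "__main__":
    s = summarize_grants(GRANTS)
    print("\n".join(report(s)))
    print("mail access:", apps_with_mail_access(s))
    print("revoke/review:", revocation_candidates(s))
```

The point of the weights is triage, not precision: an app three users consented to for Mail.Read is a coaching conversation, while a tenant-wide grant of Mail.ReadWrite plus Files.ReadWrite.All to a forgotten backup tool is a revocation.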
Risk Rating Example (higher rating = more trustworthy, as in most CASB app catalogs):
High (enterprise-ready): AWS, Microsoft Azure, Google Cloud
Medium (business-grade, needs policy): Box, Dropbox, Slack, Zoom
Low (consumer-grade or unknown): WeTransfer, unknown file-sharing services
Blocked: Torrents, anonymous proxies, crypto mining
Actions Following Discovery:
□ Create a list of approved cloud apps (allowlist of sanctioned apps)
□ Risk-based blocking: block low-rated apps and the blocked categories
□ Employee communication: "Use <app> instead of WeTransfer!"
□ Provide a data transfer alternative (secure file-sharing service)
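Putting method 1 and the risk rating together, here is an added example (not from the original page) of the log-side work a CASB does: parse proxy log lines, map each destination host to an app in a catalog with a trust tier, and derive the allow/coach/block/review action per app. The log lines, the hostnames under `.example`, the small catalog and the tier-to-action mapping are all constructed for this example; a real product ships a catalog of tens of thousands of apps.

```python
"""Added example: shadow-IT discovery from proxy logs with a constructed app
catalog and trust tiers. No real users, hosts or traffic."""
from collections import defaultdict

# Constructed log, one request per line:
#   time src_ip user method host:port status bytes
PROXY_LOG = """\
2024-05-01T08:01:02Z 10.0.0.12 alice CONNECT outlook.office365.com:443 200 48213
2024-05-01T08:01:09Z 10.0.0.12 alice CONNECT www.dropbox.com:443 200 1048576
2024-05-01T08:02:30Z 10.0.0.17 bob CONNECT wetransfer.com:443 200 734003200
2024-05-01T08:02:41Z 10.0.0.17 bob CONNECT chat.openai.com:443 200 2201
2024-05-01T08:03:00Z 10.0.0.21 carol CONNECT s3.eu-central-1.amazonaws.com:443 200 19204
2024-05-01T08:03:12Z 10.0.0.21 carol CONNECT files.quickshare.example:443 200 52428800
2024-05-01T08:03:40Z 10.0.0.33 dave CONNECT tracker.torrents.example:443 403 0
2024-05-01T08:04:05Z 10.0.0.12 alice CONNECT chat.openai.com:443 200 9001
"""

# Constructed catalog: registrable domain -> (app name, trust tier).
# Tiers follow the page's scale: high = enterprise-ready, low = consumer-grade risk.
APP_CATALOG = {
    "office365.com":    ("Microsoft 365", "high"),
    "amazonaws.com":    ("AWS", "high"),
    "dropbox.com":      ("Dropbox", "medium"),
    "openai.com":       ("ChatGPT", "medium"),
    "wetransfer.com":   ("WeTransfer", "low"),
    "torrents.example": ("Torrent tracker", "blocked"),
}
SANCTIONED = {"Microsoft 365", "AWS", "Dropbox"}     # the approved-app list (allowlist)


def parse_line(line):
    time, src_ip, user, method, hostport, status, nbytes = line.split()
    host = hostport.rsplit(":", 1)[0].lower()
    return {"time": time, "src_ip": src_ip, "user": user, "method": method,
            "host": host, "status": int(status), "bytes": int(nbytes)}


def classify_host(host):
    """Longest-suffix match against the catalog; unknown hosts keep their hostname
    as the app name so they surface in the report instead of vanishing."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOG:
            return APP_CATALOG[candidate]
    return (host, "unknown")


def discover(log_text):
    """Aggregate requests per app: tier, distinct users, request count, bytes."""
    apps = defaultdict(lambda: {"tier": None, "users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        app, tier = classify_host(rec["host"])
        row = apps[app]
        row["tier"] = tier
        row["users"].add(rec["user"])
        row["requests"] += 1
        row["bytes"] += rec["bytes"]
    return dict(apps)


def action_for(app, tier, sanctioned=SANCTIONED):
    """Assumed policy: sanctioned apps pass; blocked/low tiers are blocked; medium
    tiers get a coaching page pointing at the approved alternative; unknowns go
    to review so a human can rate them."""
    if app in sanctioned:
        return "allow"
    if tier in ("blocked", "low"):
        return "block"
    if tier == "unknown":
        return "review"
    return "coach"


def decisions(summary):
    return {app: action_for(app, row["tier"]) for app, row in summary.items()}


def report(summary):
    lines = []
    for app, row in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        lines.append(f"{app:28} {row['tier']:8} users={len(row['users'])} "
                     f"req={row['requests']} MB={row['bytes'] / 1e6:.1f} "
                     f"-> {action_for(app, row['tier'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(discover(PROXY_LOG))))
```

Sorting by bytes rather than by request count is deliberate: the 700 MB to WeTransfer is the finding, not the two tiny requests to ChatGPT, and volume is what tells you where the data transfer alternative from the action list above is needed.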
CASB Deployment Modes
Three deployment options:
1. API mode (easiest to set up):
→ CASB connects to approved cloud apps via API
→ No agent, no proxy redirection required
→ Access to: M365, Google Workspace, Salesforce, Box, etc.
→ Can: Scan files, check sharing settings, retroactive DLP
→ Cannot: block in real time; it acts after the event (near-real-time at best, via the provider's change notifications)
→ Latency: No impact on user experience
Use Case: M365 DLP - Finding credit card numbers in SharePoint
CASB periodically scans all SharePoint documents
Found: 23 files containing credit card numbers
Action: Quarantine files + notify owner
2. Forward Proxy (inline control):
→ Browser/App → CASB proxy → Cloud service
→ Real-time blocking: Upload attempt with sensitive data → Block!
→ Configuration: PAC file or explicit proxy
→ Agent on endpoint (for non-browser apps)
→ Latency: adds a hop to every request, so it must be kept minimal (important for user acceptance!)
3. Reverse Proxy:
→ The identity provider (SAML/OIDC) redirects the login to the CASB, which rewrites the app's URLs so the browser session flows through it
→ Especially for unmanaged devices (BYOD, partners, customers)
→ No agent required: works with any device
→ Limitation: only for browser-based access; native and mobile apps (often certificate-pinned) bypass it, and URL rewriting can break some apps
Recommendation: API + Forward Proxy combination
→ API: DLP for approved apps (M365, Google Workspace)
→ Forward Proxy: Real-time control + Shadow IT block
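The API-mode use case above (scanning SharePoint for credit card numbers and quarantining hits) comes down to a detector precise enough not to quarantine every 16-digit order number. As an added example (not from the original page), the scan below runs over constructed documents with sharing metadata: candidate digit runs are validated with the Luhn checksum, the brand is read from the issuer prefix, and the sharing state decides between quarantine and a notification. The card numbers are the industry's published test numbers; the file names, text and `shared_with` field are constructed.

```python
"""Added example: a cloud-DLP style scan for payment card numbers (PANs) over
constructed documents, with Luhn validation to suppress false positives."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed "SharePoint" documents. Card numbers are published test PANs, not real cards.
DOCS = {
    "invoices/Q1.xlsx": {
        "shared_with": "anyone-with-link",
        "text": "Card on file: 4111 1111 1111 1111, exp 12/27\nBackup card 5555-5555-5555-4444",
    },
    "notes/customer-call.docx": {
        "shared_with": "internal",
        "text": "Customer read out 378282246310005 over the phone; told them not to do that.",
    },
    "orders/shipping.txt": {
        "shared_with": "internal",
        "text": "Tracking 1234567890123, order ref 4111111111111112, ticket 20240501000000001",
    },
}


def luhn_valid(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812); rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Issuer-prefix heuristic for the three most common brands; not a full IIN table."""
    if digits[0] == "4":
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def mask(digits: str) -> str:
    """PCI-style masking: at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield (masked_pan, brand) for every Luhn-valid candidate in the text."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield mask(digits), card_brand(digits)


def scan_documents(docs):
    findings = []
    for name, doc in docs.items():
        for masked, brand in find_pans(doc["text"]):
            findings.append({"doc": name, "pan_masked": masked, "brand": brand})
    return findings


def decide_actions(docs, findings):
    """Assumed policy: externally shared hits are quarantined at once; internal
    hits only notify the owner; clean files are left alone."""
    hit_docs = {f["doc"] for f in findings}
    actions = {}
    for name, doc in docs.items():
        if name not in hit_docs:
            actions[name] = "ok"
        elif doc["shared_with"] != "internal":
            actions[name] = "quarantine + notify owner"
        else:
            actions[name] = "notify owner"
    return actions


if __name__ == "__main__":
    found = scan_documents(DOCS)
    for f in found:
        print(f"{f['doc']}: {f['brand']} {f['pan_masked']}")
    for name, action in decide_actions(DOCS, found).items():
        print(f"{name}: {action}")
```

Note that the shipping document contains three 13-to-17-digit numbers and produces no finding: the Luhn check is what keeps a cloud DLP policy from quarantining every tracking and ticket number in the tenant, and a production policy would add further context checks (keywords such as "card", "CVV", "exp" nearby) before acting.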
Leading CASB products
Commercial:
Microsoft Defender for Cloud Apps (formerly MCAS):
→ Best integration with M365 and Microsoft Entra ID (formerly Azure AD)
→ Over 26,000 cloud apps in the app database
→ Session control (Conditional Access App Control): reverse-proxied browser sessions, e.g. allow viewing but block download
→ Price: included in the Microsoft 365 E5 license
→ Strength: seamless M365 integration, Conditional Access
Netskope:
→ Gartner Magic Quadrant Leader for several consecutive years (CASB, later Security Service Edge)
→ Strong data classification and DLP
→ Zero Trust Network Access (ZTNA) integrated
→ Strength: granular data policies, developer tool support
Palo Alto Networks Prisma SaaS (now marketed as SaaS Security):
→ Part of the Prisma Access (SASE) platform
→ Strong ML-based anomaly detection
→ Integration with NGFW and Cortex XDR
Zscaler Internet Access (ZIA) + CASB:
→ Cloud-native proxy + CASB in a single solution
→ SASE architecture: Security where the user is, not in the data center
→ Strength: Performance (global infrastructure)
Open Source / Affordable Alternatives:
→ Microsoft Defender for Cloud Apps: the Cloud App Discovery subset is included with Microsoft Entra ID P1 (part of M365 E3)
→ Firewall logs + manual categorization (no CASB, but basic discovery)
→ OSSEC / Wazuh: no CASB, but a complement for log analysis
CASB Deployment Recommendation:
Step 1: Shadow IT Discovery (no new licenses required, analysis of existing firewall/proxy logs only)
Step 2: API integration of approved apps (usually included in M365 E5)
Step 3: Define DLP policies for sensitive data
Step 4: Forward proxy for real-time control (if budget allows)