What is CASB?

Learn about what CASB is, how it works, and how it can help your organization close security gaps both on-premise and in the cloud.

CASB defined

A cloud access security broker (CASB), is cloud-delivered software or on-premises software and/or hardware that acts as an intermediary between users and cloud service providers. The ability of CASBs to address gaps in security extends across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments. In addition to providing visibility, a CASB also allows organizations to extend the reach of security policies from their existing on-premises infrastructure to the cloud and create new policies for cloud-specific contexts.

CASBs have become a vital part of enterprise security, allowing businesses to safely use the cloud while protecting sensitive corporate data.

The CASB serves as a policy enforcement center, consolidating multiple security policy enforcement functions and applying them to everything your business uses in the cloud—regardless of the kind of device attempting to access it, including unmanaged smartphones and personal laptops.

Why do I need a CASB?

As services previously offered on-premises continue migrating to the cloud, maintaining visibility and control in these environments is essential to meeting compliance requirements, safeguarding the enterprise, and allowing your employees to safely use cloud services without introducing additional risk.

With the increase in remote workers and workforce mobility, the growth in bring-your-own-device (BYOD) programs, and the presence of unsanctioned employee app usage (Shadow IT), the ability to monitor and govern cloud applications such as Microsoft Office 365, SAP SuccessFactors and Slack has become essential to enterprise security. Rather than banning cloud services outright and potentially impacting employee productivity, a CASB enables businesses to take a granular approach to data protection and policy enforcement, making it possible to safely use productivity-enhancing and cost-effective cloud services.

Why Do Companies Need A CASB?

Common use cases and capabilities

Unique CASB capabilities include
  • Cloud governance and risk assessment
  • Data loss prevention
  • Control over native features of cloud services, like collaboration and sharing
  • Threat prevention, e.g., user and entity behavior analytics (UEBA)
  • Configuration auditing
  • Malware detection
  • Data encryption
  • SSO and IAM integration
  • Contextual and adaptive access control
Common use cases provide the following benefits
  • Visibility into all cloud use and data via a single console
  • Control over data and activity in the cloud
  • Protection against cloud threats and misconfiguration with Cloud Security Posture Management (CSPM)
  • Secure mobile and personal device access
  • Prevent data loss with DLP - secures and controls data shared externally with encryption and rights management
  • Detect insider threats with User and entity behavior analytics (UEBA)

Get the CASB Buyer's Guide

How does a CASB work?

A CASB provides visibility and control over data and threats by employing the following steps:


The CASB uses auto-discovery to compile a list of all third-party cloud services, as well as who is using them.


Once the full extent of cloud usage is revealed, the CASB then evaluates the risk level associated with each by identifying the app and determining what sort of data is within it and and how the data is being shared.


After the relative risk of each app is known, the CASB can use the information to set data and user access policies to meet an organization’s security requirements and automatically take action whenever violations occur.

CASBs also offer additional layers of protection through malware prevention and data encryption. Read the Top CASB Use Cases

Lookout CASB Architecture

How do I deploy a CASB?

Consider deployment location

A CASB can be deployed either on-premises or in the cloud. Currently, the majority of CASB instances are SaaS-based.

Determine deployment model

There are three CASB deployment models to consider:

  1. API Control - provides visibility into data and threats in the cloud, as well as faster deployment and comprehensive coverage
  2. Reverse Proxy - ideal for devices, especially those that are unmanaged and/or outside the purview of network security
  3. Forward Proxy - usually working in conjunction with VPN clients or endpoint protection (requires an agent)

How does CASB relate to Secure Access Service Edge (SASE)?

In a recent report, Gartner describes CASBs as an essential element of SASE. While a CASB is crucial for securing a company’s cloud usage, it is also a key part of an overall strategy businesses should employ to ensure defense from endpoint to cloud. For comprehensive protection, enterprises should also consider expanding on CASB capabilities by deploying a secure web gateway (SWG) to help safeguard internet usage and a data loss prevention solution (DLP) to protect intellectual property and sensitive corporate data across the network.

A man with glasses smiling looking down at his phone

Gartner recommends CASBs that offer a variety of architectures to cover all cloud scenarios—multi-mode CASBs help ensure that organizations will be able to expand cloud security as their digital transformation evolves.In order to get the most of your countless cloud apps without risking your data, you need to know exactly what’s going on. You also need to be able to detect and respond to threats and have the ability to dynamically control access.

‍‍Lookout Cloud Access Security Broker (CASB) is a multi-mode CASB that provides full visibility into the interactions between users, endpoints, cloud apps and your data. It also enables you to dynamically dial in Zero Trust access controls. With continuous monitoring of user and entity behavior analytics (UEBA), you can detect and respond to insider threats and advanced cyberattacks. We provide advanced data loss prevention that can classify, encrypt and restrict sharing of your data on the fly so that only authorized users have access. We also perform automated assessment of all your cloud apps and infrastructure to ensure they are properly configured.