
What is a cloud access security broker (CASB)?

Your employees use cloud applications every day, but can your security team see all of them? Cloud Access Security Broker (CASB) software sits between your users and cloud services to enforce policies, protect data, and close visibility gaps. This guide explains what a CASB is, how it works, and how to evaluate one for your organization.


Key takeaways

A CASB is a security checkpoint for cloud access: A cloud access security broker sits between your users and cloud service providers, monitoring activity, enforcing security policies, and protecting sensitive data.

Four pillars define what a CASB does: Visibility, data security, threat protection, and access control work together to give organizations comprehensive oversight of their cloud environments.

Deployment flexibility matters: Organizations can deploy CASBs using API-based, inline proxy, or hybrid models depending on whether they need deep visibility, real-time blocking, or both.

CASBs solve the shadow IT problem: By discovering unauthorized cloud applications and enforcing consistent policies across all cloud services, CASBs close the security blind spots that traditional perimeter defenses miss.

Why does cloud access security matter?

Cloud access security matters because traditional perimeter defenses, including firewalls, VPNs, and network monitoring, cannot see or control what happens inside cloud applications.

Picture this: a security audit reveals that employees across your organization are using 47 cloud applications to share files, manage projects, and collaborate with outside partners. Your IT team approved 12 of them. The other 35 are invisible to your existing security tools, and some of them store sensitive customer data with no encryption, no access controls, and no audit trail. Each new cloud service adds another entry point that perimeter tools cannot see or control.

According to a 2024 Cost of a Data Breach Report (IBM), 40% of breaches involved data distributed across multiple environments, including public cloud, private cloud, and on-premises, and those breaches cost more than $5 million on average. A Cloud Access Security Broker closes this gap.

A cloud access security broker (CASB) helps secure cloud applications

A cloud access security broker (CASB) is security software that sits between an organization's users and its cloud service providers. It monitors cloud activity, enforces security policies, and protects sensitive data as it moves between on-premises infrastructure and cloud applications.

A CASB can intercept cloud traffic in real time, connect to cloud applications through their application programming interfaces (APIs), or do both. It can run as cloud-based software, on-premises software, or a combination.

The cloud security challenge in numbers

As organizations move more workloads to the cloud, the attack surface expands—and the gap between cloud adoption and cloud security widens.

40% of breaches involved data across multiple cloud environments, costing $5M+ on average [1]

60% of incident response cases involved identity-based attacks [2]

30% of breaches involved a third party, double the previous year [3]

Sources: [1] 2024 Cost of a Data Breach Report (IBM); [2] 2024 Year in Review (Cisco Talos); [3] 2025 Data Breach Investigations Report (Verizon)

What are the four core CASB features and functions?

Industry analysts define four pillars that make up a cloud access security broker's capabilities:

  1. Visibility

  2. Data security

  3. Threat protection

  4. Access control

Visibility and shadow IT discovery

Discovers and catalogs every cloud application in use across the organization, including shadow IT, the unauthorized apps employees adopt without IT approval. The CASB analyzes traffic and API connections to build a complete inventory, assign a risk score to each application, and map where data flows.

Data security and compliance

Protects sensitive data through data loss prevention (DLP), which detects and blocks sensitive information from leaving through unauthorized channels. Also provides encryption, access controls, and compliance logging for regulations like GDPR, HIPAA, and PCI-DSS.

Threat protection

Detects and blocks cloud-based threats including malware in uploaded or downloaded files, anomalous user behavior identified through machine learning, and ransomware encryption attempts. When a threat is detected, the CASB can quarantine files, revoke sessions, and alert the security team.

How do CASBs enforce access control and security policies?

The fourth pillar, access control, ties the other three together. Visibility, data security, and threat protection identify what is happening. Access control determines what to do about it.

A CASB enforces security policies across every connected cloud application from a single point. Assessed factors include an organization's authentication policies, device health, conditional access requirements, and behavioral monitoring.

For example, cloud applications with sensitive financial data may require strong multifactor authentication (MFA), an authorized company device with up-to-date software, and an encrypted connection. Behavioral checks add another layer: access outside of business hours or multiple failed logins could flag a possible incident and require additional authentication.

This approach aligns with zero-trust principles. This security model assumes that no user, device, or connection should be automatically trusted. The CASB verifies every attempt. It also integrates with identity providers (the systems that manage and verify user identities) and single sign-on (SSO) systems to coordinate access decisions across the security stack.


How does a CASB work?

A CASB executes the four pillars (visibility, data security, threat protection, and access control) in a step-by-step workflow that runs every time someone interacts with a cloud service.

  1. Traffic interception. A user requests access to a cloud service. They may open a file in cloud storage, log into a project management tool, or upload a document. That request routes through the CASB before reaching the cloud provider.

  2. Inspection and analysis. The CASB scans the request against all four pillars at once. Is this a sanctioned application? Does the file contain sensitive information? Does the file match a known malware signature? Is this user authorized, on a compliant device, from a recognized location?

  3. Policy enforcement. Based on the inspection, the CASB applies the appropriate rule. It may allow the action, block it, encrypt the data before it reaches the cloud, or alert the security team for review.

  4. Logging and reporting. Every action is recorded. The audit trail feeds into compliance reporting, incident investigation, and trend analysis.

An example:

An employee attempts to upload a spreadsheet containing customer credit card numbers to an unapproved file-sharing application. At the checkpoint, the CASB’s visibility engine recognizes the application as unsanctioned. Its data loss tools detect the sensitive data. Policy enforcement blocks the upload. Logging records the attempt. An alert goes to the security team. All of this happens before the file leaves the organization.
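To make the access-control factors described earlier (MFA, device health, conditional access, behavioral checks) and the four-step workflow above concrete, here is an added illustration in Python. It is not code from the original article or from Duo's products; it assumes a constructed app catalog, constructed requests, and a simple Luhn-checked card-number pattern as its only DLP rule. The policy names, thresholds, and decision labels ("allow", "step_up", "encrypt", "block") are assumptions chosen for this sketch.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy data standing in for a CASB's app catalog and rule set (assumption).
SANCTIONED_APPS = {"corp-drive", "crm"}
SENSITIVE_APPS = {"crm"}            # apps holding financial/customer data get stricter rules
BUSINESS_HOURS_UTC = range(8, 19)   # 08:00-18:59 UTC counts as business hours
MAX_FAILED_LOGINS = 3

@dataclass
class Device:
    managed: bool   # enrolled company device
    patched: bool   # OS and browser at approved versions

@dataclass
class CloudRequest:
    user: str
    app: str
    action: str                 # "upload", "download" or "login"
    device: Device
    mfa_passed: bool
    hour_utc: int
    recent_failed_logins: int = 0
    content: str = ""           # payload text inspected by DLP on uploads

@dataclass
class Decision:
    action: str                 # "allow", "step_up", "encrypt" or "block"
    reasons: list = field(default_factory=list)

AUDIT_LOG = []                  # step 4: every decision is recorded here

# DLP pattern: 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that cannot be payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def record(req: CloudRequest, decision: Decision) -> None:
    # Log the decision and its reasons; the sensitive content itself never enters the log.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "app": req.app, "action": req.action,
        "decision": decision.action, "reasons": list(decision.reasons),
    })

def evaluate(req: CloudRequest) -> Decision:
    """Step 2 (inspection against all four pillars) followed by step 3 (policy enforcement)."""
    reasons = []
    # Visibility: is the destination in the sanctioned catalog?
    if req.app not in SANCTIONED_APPS:
        reasons.append("unsanctioned_app")
    # Data security: DLP scan of content leaving the organization.
    cards = find_card_numbers(req.content) if req.action == "upload" else []
    if cards:
        reasons.append(f"dlp_payment_card:{len(cards)}")   # count only, no card data
    # Access control: authentication strength and device health.
    if not req.mfa_passed:
        reasons.append("mfa_required")
    if not (req.device.managed and req.device.patched):
        reasons.append("device_noncompliant")
    # Threat protection: behavioral signals that warrant extra verification.
    behavior = []
    if req.recent_failed_logins >= MAX_FAILED_LOGINS:
        behavior.append("repeated_failed_logins")
    if req.app in SENSITIVE_APPS and req.hour_utc not in BUSINESS_HOURS_UTC:
        behavior.append("off_hours_access")
    reasons.extend(behavior)

    # Enforcement order: hard blocks, then step-up authentication, then encrypt-before-upload, then allow.
    if "unsanctioned_app" in reasons or "device_noncompliant" in reasons:
        decision = Decision("block", reasons)
    elif "mfa_required" in reasons or behavior:
        decision = Decision("step_up", reasons)
    elif cards:
        decision = Decision("encrypt", reasons)   # sanctioned app: data is encrypted before it reaches the cloud
    else:
        decision = Decision("allow", reasons)
    record(req, decision)
    return decision

def decision_counts() -> dict:
    """Step 4 reporting: tally of decisions for trend analysis."""
    counts = {}
    for entry in AUDIT_LOG:
        counts[entry["decision"]] = counts.get(entry["decision"], 0) + 1
    return counts

if __name__ == "__main__":
    managed = Device(managed=True, patched=True)
    # The article's scenario as constructed input: a spreadsheet with card numbers
    # bound for an unapproved file-sharing app.
    print(evaluate(CloudRequest("alice", "share-it", "upload", managed, True, 10,
                                content="name,card\nA. Smith,4111 1111 1111 1111\n")))
    print(evaluate(CloudRequest("bob", "crm", "download", managed, True, 23)))
    print(decision_counts())
```

Two design points carry over to real deployments: the audit record stores only the reason codes and a count of DLP matches, never the matched data, so the log itself does not become a second copy of the sensitive content; and the enforcement order is explicit, so a request that fails a hard check (unsanctioned destination, non-compliant device) is blocked before any step-up prompt is offered.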

What are the different CASB deployment models?

Common CASB deployment models include using API connections, in-line proxy connections, and hybrid or multimode connections. The workflows run the same way regardless of deployment model. What changes is where the CASB sits in the security architecture and how it gains access to cloud traffic. That decision determines the tradeoff between real-time control and deployment simplicity.

How does an API-based CASB work?

An API-based CASB connects directly to cloud service provider APIs, rather than intercepting network traffic. It queries cloud applications for activity logs, user data, and stored files without requiring any changes to the organization’s network.

Deployment is fast, there is no impact on user experience, and the CASB can scan historical data already stored in cloud applications. The tradeoff is timing: an API-based CASB detects policy violations after the fact rather than blocking them as they happen. Coverage is also limited to cloud services that expose APIs. This model fits SaaS-heavy environments where deep visibility and compliance scanning are the priority.

How does an inline (proxy-based) CASB work?

An inline CASB routes all cloud-bound traffic through itself, acting as either a forward proxy (intercepting outbound user traffic) or a reverse proxy (intercepting inbound traffic to cloud services). Every request passes through the CASB for inspection before reaching its destination.

The advantage is immediacy—the CASB can block threats and policy violations the moment they occur, regardless of whether the cloud service exposes an API. The tradeoff is complexity: inline deployment requires network changes, can introduce latency, and demands more technical expertise to maintain. This model fits environments where real-time DLP enforcement and threat blocking are non-negotiable.

What is a hybrid or multimode CASB?

Many modern CASB solutions combine both API- and proxy-based methods. A hybrid deployment might use API mode to scan files already stored in cloud collaboration platforms for compliance violations while simultaneously using inline mode to block risky uploads in real time. This combined approach covers the gaps that either method leaves on its own, and is increasingly the recommended model for most organizations.

Deployment model: API-based
Best for: Deep visibility, compliance scanning, and retrospective analysis in SaaS-heavy environments
Key tradeoff: Cannot block actions in real time; limited to cloud services that expose APIs

Deployment model: Inline (proxy)
Best for: Real-time threat blocking, DLP enforcement, and shadow IT control
Key tradeoff: Requires network changes and may introduce latency; more complex to deploy

Deployment model: Hybrid / multimode
Best for: Covers both real-time enforcement and historical scanning
Key tradeoff: Most complex to configure; recommended for most organizations

What are common CASB use cases?

These real-world scenarios drive organizations to adopt CASB technology.

Discovering and controlling shadow IT

A marketing team signs up for a new design collaboration tool. A sales rep starts storing contracts in a personal cloud storage account. A project manager adopts a task tracker a colleague recommended. None of these went through IT, and none of them appear in the organization’s security monitoring.

In these examples, visibility—the first CASB pillar—translates into action. The CASB builds a complete inventory of every cloud service in use, risk-scores each one, and gives IT the information to approve, restrict, or block. The goal is not to shut down cloud adoption. It is to make it visible so the organization can support cloud services safely.

Protecting sensitive data across cloud services

An HR manager exports a spreadsheet of employee Social Security numbers and uploads it to a shared folder so a benefits consultant can review it. The folder’s permissions are set to “anyone with the link.”

The CASB catches this before the file becomes accessible. It can block upload, apply encryption, or restrict sharing to authorized recipients only. For regulated industries—healthcare organizations under HIPAA, financial institutions under PCI-DSS, or any organization handling EU personal data under GDPR—this consistent enforcement turns a compliance aspiration into an automated control.

Detecting and blocking cloud-based threats

An account that normally logs in from Chicago at 9 AM suddenly accesses cloud storage from three different countries in one hour and begins downloading files in bulk. A contractor uploads a file to a shared project folder, and the file matches a known ransomware signature.

In both cases, the CASB’s threat protection engine detects the anomaly, quarantines the affected files or sessions, and alerts the security team. The response is immediate for inline deployments and near-immediate for API-based ones.

Ensuring compliance in multi-cloud environments

Organizations using multiple cloud providers face a consistency problem: each platform has different native security controls, different logging formats, and different policy frameworks. Passing an audit means demonstrating that the same standards apply everywhere.

A CASB provides one set of rules, one audit trail, and one compliance dashboard regardless of where the data lives. For organizations that must demonstrate adherence to frameworks like GDPR, HIPAA, or SOC 2, this centralized view simplifies audits and closes the gaps between platforms.

What are the key benefits of implementing a CASB?

The use cases above show where CASBs solve specific problems. Stepping back, these are the broader reasons organizations invest in CASB technology.

Complete visibility: The shadow IT scenario disappears. Security teams gain a full inventory of every cloud application in use, which becomes the foundation for every other security decision.

Consistent policy enforcement: Instead of configuring security settings application by application, the CASB applies one set of rules everywhere. Policy changes propagate across every connected cloud service at once.

Reduced data breach risk: The protections and access controls described above systematically reduce the organization’s exposure over time by closing the channels through which data leaks happen.

Improved compliance posture: The centralized audit trail turns compliance from a periodic scramble into a continuous state. When auditors ask for evidence, the CASB already has it.

Faster threat response: Threats identified in cloud applications reach the security team through the same platform that manages visibility and policy.

Safe cloud adoption: A well-configured CASB does not slow down the business. It lets employees use the cloud tools they need while ensuring that the dangerous ones are blocked and the sensitive data is protected.

Centralized management: One platform, one policy set, one dashboard. For security teams managing dozens of cloud providers, this consolidation reduces operational burden significantly.

How does CASB integrate with zero trust and identity security?

A CASB secures cloud applications. But the access control pillar introduces an important dependency. Before the CASB can enforce policies on cloud traffic, something has to verify who the user is and whether their device is trustworthy. That is the identity layer.

Zero trust provides the framework for how these layers work together. Under zero trust, no user or device is automatically trusted, and every access attempt is verified upfront and continuously monitored.

CASBs enforce the cloud side of this model: inspecting traffic, applying policies, and monitoring behavior. Identity security platforms enforce the access side. Device trust capabilities verify that only secure, compliant devices connect to cloud resources. And single sign-on integration coordinates access policies so users move between applications without repeated logins.

Identity security platforms like Duo Security are purpose-built for this layer. Duo’s phishing-resistant MFA verifies the user, while its device trust verifies the endpoint. The platform’s adaptive authentication adjusts requirements based on risk context, so a familiar device on a trusted network passes through smoothly, while an unrecognized device triggers additional verification. The CASB then takes over, enforcing what the authenticated user can do within the cloud applications they reach.

The result is layered defense: identity security protects the front door, and the CASB protects the rooms inside. The next section covers how to put both in place.


What are the steps for choosing and implementing a CASB solution?

Here is a five-step approach to implementing a CASB at your organization.

1. Assess your cloud security requirements

Start with your environment, not with vendors. Which cloud applications does your organization use, both sanctioned and unsanctioned? What types of sensitive data live in cloud services? What compliance requirements must you meet? What risks concern you most?

Conduct a cloud risk assessment. Review your organization’s cloud usage, data exposure, and security posture for a baseline. The shadow IT discovery capability described in the use cases section can serve as the first step in that assessment.

2. Evaluate CASB deployment models

Match the deployment model to your priorities using the tradeoffs outlined in the architecture section above. Choose API-based if you need deep visibility with minimal network changes. Choose inline if you need real-time blocking. Choose hybrid for comprehensive coverage. This is the recommended approach for most organizations.

Factor in practical constraints: How much network reconfiguration can your team absorb? How sensitive are your users to latency? Do your critical cloud services expose APIs?

3. Select a CASB provider

Evaluate vendors against these five criteria:

  • Cloud app coverage: Confirm that the CASB supports every cloud service your organization uses. A CASB that covers email and storage but misses your CRM or HR platform leaves the visibility gaps described earlier.

  • Integration capabilities: Verify that it connects to your identity provider, your security information and event management (SIEM) platform, and your existing security tools.

  • Ease of deployment: Ask how quickly you can move from evaluation to production. Some CASB solutions deploy in days; others require weeks of configuration.

  • Scalability: Confirm the CASB can grow with your organization as you add users, applications, and cloud environments.

  • User experience: Test the CASB in action. Does it create friction for employees? The most effective security tools are the ones people do not notice.

4. Configure policies and integrate with existing security tools

Define policies before deployment, organized around the four enforcement categories from the access control section: authentication requirements, device health checks, behavioral monitoring, and conditional access rules.

Then connect the CASB to your existing stack. Integrate it with your identity provider so authentication decisions flow into access enforcement. Connect it to your SIEM so cloud security events appear alongside network and endpoint alerts. As the zero trust section describes, pairing a CASB with identity security solutions ensures strong authentication and device trust are in place before cloud access is granted.

5. Monitor, measure, and optimize

Track the metrics that matter: shadow IT applications discovered, policy violations detected and blocked, threats identified and remediated, and user experience impact. Review policies quarterly and adjust based on what the data shows. A CASB configured six months ago may need updates as your cloud environment grows and new applications appear.

How can my business strengthen its cloud security posture using a CASB?

This article started with a problem: cloud adoption is outpacing cloud security. A CASB protects the cloud applications. The identity layer—strong authentication, device trust, and adaptive access—protects the people connecting to them. Effectively implementing both creates defense-in-depth for cloud environments.

Duo Security protects that identity layer. Whether you are evaluating CASB solutions or already have one in place, securing the access that connects people to cloud applications is the essential complement.

Ready to strengthen your organization’s identity security? Start your free trial of Duo Security today.

Frequently asked questions about cloud access security brokers

  • What is shadow IT, and how does a CASB help control it?

    Shadow IT refers to cloud applications employees adopt without IT's knowledge or approval. A CASB's visibility engine discovers every cloud service in use across the organization, risk-scores each one, and gives IT the information to approve, restrict, or block. The goal is not to stop cloud adoption. It is to make it visible.

  • How do I evaluate which CASB deployment model is right for my organization?
  • Can a CASB protect against insider threats in cloud environments?
  • How do CASBs handle encrypted cloud traffic?
  • What is the difference between CASB and SASE?

Want to learn more about access and identity security?

Discover more ‘what-is’ content and learning resources, including ebooks, guides and webinars, crafted to help you enhance your organization’s access security strategy.