What is a cloud access security broker (CASB)?
A Cloud Access Security Broker, more commonly known as a CASB, is a security enforcement point, a checkpoint of sorts, between users of cloud services and cloud applications. It is positioned that way too, between the user’s device and the cloud application. It ensures that all activities comply with the enterprise’s security policies, no matter where the user is or what their device is. It provides visibility (into cloud usage, detecting risks if any), control (think data encryption, tokenization, or multi-factor authentication), and compliance (with the organization’s security policies) for SaaS, PaaS, and IaaS environments.
An enterprise that has implemented a CASB effectively will have visibility into all the cloud applications in use (including unsanctioned “shadow IT” applications). It can monitor user activity in real time, enforce data loss prevention (DLP) rules, and prevent sensitive data from being uploaded to unsanctioned apps, which is an essential capability for any enterprise that takes security seriously.
For example, if a sales employee tries to download a large batch of customer data to their personal device, the CASB could encrypt the data, block the download, or ask for additional authentication, putting a hurdle in the way of the download.
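The decisions described above (blocking sensitive uploads to unsanctioned apps, and encrypting, blocking or requiring extra authentication for a bulk download to a personal device) can be sketched as an ordered policy check. This is an added example, not code from any CASB product; the event fields, thresholds, verdict names and sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Field names, thresholds and verdict strings are assumptions made for this
# example; they are not taken from any CASB product.
STEP_UP_RECORDS = 500      # bulk export: require fresh MFA
BLOCK_RECORDS = 10_000     # mass export: never allowed to a personal device

@dataclass(frozen=True)
class CloudEvent:
    user: str
    app: str
    app_sanctioned: bool
    device_managed: bool
    action: str             # "upload" or "download"
    sensitive: bool         # outcome of DLP content inspection
    records: int
    mfa_fresh: bool = False

def decide(ev: CloudEvent) -> str:
    """Return the verdict of the first matching rule (strictest first)."""
    if ev.action == "upload" and ev.sensitive and not ev.app_sanctioned:
        return "block"                      # DLP: no sensitive data to shadow IT
    if ev.action == "download" and ev.sensitive and not ev.device_managed:
        if ev.records >= BLOCK_RECORDS:
            return "block"
        if ev.records >= STEP_UP_RECORDS and not ev.mfa_fresh:
            return "step_up_auth"           # ask for additional authentication
        return "encrypt"                    # data leaves only in encrypted form
    return "allow"

def shadow_it(events) -> list[str]:
    """Visibility: unsanctioned apps observed in the traffic."""
    return sorted({e.app for e in events if not e.app_sanctioned})

# Constructed sample traffic (not real logs).
SAMPLE = [
    CloudEvent("alice", "crm", True, True, "download", True, 2000),
    CloudEvent("bob", "crm", True, False, "download", True, 2000),
    CloudEvent("bob", "crm", True, False, "download", True, 2000, mfa_fresh=True),
    CloudEvent("bob", "crm", True, False, "download", True, 50_000, mfa_fresh=True),
    CloudEvent("carol", "filedrop", False, True, "upload", True, 10),
    CloudEvent("carol", "filedrop", False, True, "upload", False, 10),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.user, ev.app, ev.action, ev.records, "->", decide(ev))
    print("shadow IT:", shadow_it(SAMPLE))
```

Rule order matters here: the hard block on mass exports is checked before the step-up rule, so completing MFA cannot unlock a download above the block threshold.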
Even in a literal sense, you can say that a Cloud Access Security Broker (CASB) “brokers” security between cloud users and cloud applications, because it sits in the middle, between the people (or devices) accessing cloud services and the cloud applications themselves, and intercepts and controls the flow between the two parties.