
What is a cloud access security broker (CASB)?

Learn how cloud access security brokers provide visibility, data control, and analytics to identify and combat threats.

Cloud access security broker (CASB) defined

A cloud access security broker, often abbreviated as CASB, is a security policy enforcement point positioned between enterprise users and cloud service providers. CASBs can combine multiple different security policies, from authentication and credential mapping to encryption, malware detection, and more, offering flexible enterprise solutions that help ensure cloud app security across authorized and unauthorized applications, and managed and unmanaged devices.

Key benefits of CASBs

CASBs offer a range of security benefits that allow enterprises to mitigate risk, enforce policies across various applications and devices, and maintain regulatory compliance.

Shadow IT assessment and management
CASBs deliver visibility into all cloud applications, sanctioned and unsanctioned. Enterprises can employ a CASB to obtain a comprehensive picture of cloud activity and enact security measures accordingly.

Granular cloud usage control
CASBs offer detailed management of cloud usage with strong analytics. Enterprises can limit or allow access based on employee status or location, and can govern specific activities, services, or applications.

Data loss prevention (DLP)
A CASB’s DLP capabilities help security teams protect sensitive information like financial data, proprietary data, credit card numbers, health records, or social security numbers. A CASB solution can enable policies that prevent unauthorized sharing of this data.

Risk visibility
CASBs allow enterprises to assess the risk of unsanctioned applications and make access decisions accordingly.

Threat prevention
CASBs detect unusual behavior across cloud applications, identifying ransomware, compromised users, and rogue applications. CASBs can analyze high-risk application use and automatically remediate threats, limiting an organization’s risk.

Understanding CASBs

Why use a CASB?
In the modern work era, enterprises are responsible for increasingly complex security enforcements between users and cloud-based applications. Traditional binary security systems only block or allow access, and no longer serve a cloud-based enterprise contending with multiple locations and devices. A CASB allows an organization to take a nimble, flexible approach to security policy enforcement, providing tailored options for the contemporary workforce and balancing access with data security.

Four cornerstones of CASBs

Visibility

CASBs allow IT departments to identify all cloud services in use and assess subsequent risk factors. For enterprises grappling with shadow IT, CASBs offer a comprehensive understanding of all cloud-based applications employees are accessing. Risk assessments then provide information to shape IT’s access policy, including more detailed controls based on specific employee and device criteria.

Data security

A core component of a CASB system, data loss prevention (DLP) extends an enterprise’s security to all data traveling to, within, and stored in the cloud, reducing the risk of costly data leaks. A CASB protects both the data itself and the data’s movement.

Threat protection

By aggregating and understanding typical usage patterns, CASBs can identify anomalous behavior and recognize malicious activities. Adaptive access control, malware mitigation, and other capabilities help protect the enterprise from third-party or internal threats. CASB threat protection defends against all modern threats, whether malicious or negligent.

Compliance

CASBs help ensure compliance with data privacy and safety regulations, and monitor compliance for enterprises requiring adherence to regulatory standards like HIPAA or PCI DSS.

How does a CASB work?

CASBs use a three-part process to offer visibility across sanctioned and unsanctioned applications and control over enterprise data in the cloud.

Discovery
The CASB identifies all cloud applications in use as well as affiliated employees.

Classification
The CASB assesses each application, identifies its data, and calculates a risk factor.

Remediation
The CASB creates a tailored policy for the enterprise based on its security needs. From there the CASB identifies and remediates any incoming threats or violations.
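The three steps above can be sketched over proxy logs. This is an added example, not code from the original page or from any CASB product; the log lines, host names, app catalog, risk weights, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log: user, destination host, bytes uploaded.
LOG = """\
alice files.example-share.test 52000000
bob files.example-share.test 1200
alice crm.example-corp.test 800
carol paste.example-bin.test 640000
bob crm.example-corp.test 950
"""

# Hypothetical app catalog; attributes and weights are assumptions for illustration.
CATALOG = {
    "crm.example-corp.test": {"sanctioned": True, "encrypts_at_rest": True, "audited": True},
    "files.example-share.test": {"sanctioned": False, "encrypts_at_rest": True, "audited": True},
}
UNKNOWN = {"sanctioned": False, "encrypts_at_rest": False, "audited": False}

def discover(log_text):
    """Discovery: map each destination app to its users and total upload volume."""
    apps = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records rather than guessing
        user, host, sent = parts
        apps[host]["users"].add(user)
        apps[host]["bytes_up"] += int(sent)
    return dict(apps)

def classify(host, usage):
    """Classification: risk factor 0-10 from app attributes plus observed uploads."""
    attrs = CATALOG.get(host, UNKNOWN)  # apps missing from the catalog get worst-case attributes
    score = 0 if attrs["sanctioned"] else 4
    score += 0 if attrs["encrypts_at_rest"] else 2
    score += 0 if attrs["audited"] else 2
    score += 2 if usage["bytes_up"] > 10_000_000 else 0  # large outbound data volume
    return score

def remediate(score):
    """Remediation: translate the risk factor into a policy action."""
    return "block" if score >= 8 else "monitor" if score >= 4 else "allow"

def run(log_text=LOG):
    """Run all three steps; returns host -> (risk, action, users)."""
    return {host: (classify(host, use), remediate(classify(host, use)), sorted(use["users"]))
            for host, use in discover(log_text).items()}

if __name__ == "__main__":
    for host, (score, action, users) in sorted(run().items()):
        print(f"{host:28} risk={score:2} action={action:7} users={users}")
```
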

How to implement a CASB

CASBs are easy to deploy and use. While most CASBs are deployed in the cloud, on-premises options are available. CASBs operate with three different deployment models, and multimode CASBs that utilize all three offer the most flexibility and robust protection.

API scanning
Available for sanctioned enterprise applications, API scanning is an unobtrusive security measure for data at rest in the cloud, but it does not offer real-time prevention.

Forward proxy
Forward proxy offers DLP in real time for both sanctioned and unsanctioned applications, but only applies to managed devices, and cannot scan data at rest.

Reverse proxy
A reverse proxy redirects all user traffic, and therefore works for both managed and unmanaged devices. It offers DLP in real time, but only on sanctioned applications.
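The limits stated for each deployment model can be turned into a coverage check that lists which combinations of app, device, and data state a given deployment cannot inspect. This is an added example, not part of the original page; it assumes that a reverse proxy does not scan data at rest and that API scanning does not depend on the device, neither of which the text states.

```python
from itertools import product

# Capabilities as described in the text above. Assumptions added here:
# a reverse proxy does not scan data at rest; API scanning is device-independent.
MODES = {
    "api":           {"apps": {"sanctioned"},
                      "devices": {"managed", "unmanaged"},
                      "data": {"at_rest"}},
    "forward_proxy": {"apps": {"sanctioned", "unsanctioned"},
                      "devices": {"managed"},
                      "data": {"real_time"}},
    "reverse_proxy": {"apps": {"sanctioned"},
                      "devices": {"managed", "unmanaged"},
                      "data": {"real_time"}},
}

# Every (app, device, data) combination a policy might need to cover.
SCENARIOS = list(product(("sanctioned", "unsanctioned"),
                         ("managed", "unmanaged"),
                         ("real_time", "at_rest")))

def covers(mode, scenario):
    """True if the deployment mode can inspect the given scenario."""
    app, device, data = scenario
    cap = MODES[mode]
    return app in cap["apps"] and device in cap["devices"] and data in cap["data"]

def gaps(deployed):
    """Scenarios that none of the deployed modes can inspect."""
    return [s for s in SCENARIOS if not any(covers(m, s) for m in deployed)]

if __name__ == "__main__":
    for deployed in (["api"], ["forward_proxy"], ["reverse_proxy"],
                     ["api", "forward_proxy", "reverse_proxy"]):
        print("+".join(deployed))
        for app, device, data in gaps(deployed):
            print(f"  uncovered: {app} app, {device} device, {data}")
```

Under these assumptions, even the multimode deployment leaves unsanctioned apps uncovered on unmanaged devices and for data at rest, which is where discovery and access policy have to carry the load.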

Top use cases for CASBs

Discover all cloud apps and services in use
Shadow IT can comprise up to 60 percent of an enterprise’s cloud services. A CASB offers a full picture of all cloud-based applications in use.

Assess risk and compliance in cloud-based apps
Assess general security, regulatory compliance, and legal factors for any cloud-based app your enterprise uses.

Enable monitoring to detect new and risky cloud apps
A CASB’s continuous monitoring policies help to ensure your enterprise is alerted to new cloud-based services and spikes in usage.

Enforce DLP and compliance policies for sensitive data stored in your cloud apps
CASBs enforce DLP policies as soon as data arrives in the cloud, and help enterprises locate sensitive files in the cloud and provide remediation options.

Protect data on unmanaged devices
Configure granular access to prevent downloads or apply protection labels on unmanaged devices.

Detect and remediate malware in cloud apps
CASBs monitor and identify malicious files in cloud-based apps, offering remediation options to enable enterprises to react quickly.

The role of CASBs for businesses

In the evolving cloud-based workplace, CASBs will continue to play a vital role in enterprise security. Multiple vendors offer multimode CASB security services—when evaluating options, consider the changing security landscape, and determine if a given CASB will continue to progress along with your enterprise’s needs. A CASB should work in tandem with other elements of your enterprise’s security strategy to help protect your users and data, so make sure your CASB integrates with your enterprise’s security architecture.

What to consider when weighing CASB options:

  • Existing enterprise security architecture
  • What capabilities and features the enterprise requires
  • Implementation time
  • Ease of use
  • Compliance certification needs

Products and services available with CASBs:

  • Data loss prevention
  • Malware detection
  • Adaptive access control
  • Behavior analytics
  • Web application firewalls
  • Authentication
  • Collaboration control
  • Encryption

Learn more about Microsoft cloud security

Cloud security solutions

Get integrated protection for multicloud apps and resources.

Microsoft Defender for Cloud

Strengthen cloud security and monitor and protect workloads across multicloud environments.

Microsoft Defender for Cloud Apps

Gain comprehensive DLP in real time and view user activity across multiple cloud services.

Frequently asked questions

  • A CASB solution is a set of products and services that function as a secure gateway between enterprise employees and cloud applications and services.

  • CASBs integrate with a broad spectrum of cloud-based and on-premises applications and services, including SaaS, PaaS, and IaaS. Content collaboration platforms, CRMs, HR systems, cloud service providers, and more all work with CASBs.

  • A CASB is used to help ensure regulatory compliance and data protection, govern cloud usage across devices and cloud applications, and protect against threats. As organizations migrate services to the cloud, CASBs will become an essential element of their security profiles.

  • Research CASBs at enterprises like yours and consider how a vendor’s capabilities can meet your security needs and evolve with your enterprise. Many CASBs offer a free trial that can help you evaluate their features and integrations.
