What is Cloud Access Security Brokers?

When protecting your data in the cloud, you can’t just rely on the expectation that the data centers that store your company’s information and records will protect you on their own, even though they offer a high level of security.

As a large business, you’re going to have a lot of sensitive data that needs to be backed up and constantly protected from viruses, DDoS (Distributed Denial of Service) attacks and general malware - That’s why it is important for you to invest in a cloud access security broker. Data protection is one of the most crucial aspects of running a large business, as any leak can leave your reputation in the dirt.


So, what is a cloud access security broker?


In layman’s terms, a cloud access security broker (CASB) is a cloud-based software that runs between any cloud application and the people using them. A cloud access security broker is the best tool to automatically monitor for any malware your staff come into contact with, where you can enforce the necessary security policies to protect any data that you may be storing within your cloud network.

The main feature of a cloud access security broker is to govern the usage of different devices 

- That can be mobiles or desktops, both from inside the organization, or outside attempts made to access critical data that has gone from being stored locally in the company, to then be stored within the public cloud.

Governing cloud usage involves a host of different approaches, such as:

  • Governing access to different public clouds based upon the device class in question, as well as monitoring those accounts which may be assigned greater privileges.
  • Recognizing any unauthorized activity within the cloud applications a company uses, and preventing any possible data leaks or cloud data falsification.
  • Blocking or remediating malware to protect against third-party access to sensitive enterprise data.
  • Notifying administrators of any activity that may be considered harmful to the enterprise, such as data infiltration that is often associated with new employees, login anomalies, unusual actions, including sharing of data between both sanctioned and unsanctioned cloud services, as well as downloads and uploads that may be deemed too large, excessive or irregular.

Cloud access security brokers - Tackling shadow IT usage


In many large enterprises, the traces of shadow IT can be hard to track without having a dedicated software or tool in place to monitor all of the activity that happens from within an on-premise server or proxy address.

It has been reported that only around 8 per cent of cloud services publicly available today meet enterprise data security & privacy requirements, that leaves a huge chunk of services that may go unnoticed by IT departments if they don’t have the necessary security controls put into place.

Without a cloud access security broker, unauthorized use of public cloud services cannot be tracked. A good way to visualize it within your own business is to imagine if one of your employees claims to have found a better application for file-sharing than the one you currently provide to each of your staff. They most likely won’t raise this discovery with senior members in your organisation, but there is a high chance they will share it with their co-workers.

When this adoption of a cloud service goes unnoticed, data can be shared via applications that don’t meet the minimum safety standards that would otherwise be controlled with a CASB in place. Data can be breached thanks to account hijacking, and unfortunately, your employees might not even know their account has been accessed, because their details aren’t stored anywhere but on their local, on-premise device.

As a result of this kind of breach occurring, your data security becomes compromised without your IT department having any real knowledge about the usage of that certain unsanctioned cloud service.


What does a CASB do to protect your business against shadow IT usage?


Here are 3 ways you can use a cloud access security broker to prevent shadow IT usage from making your cloud data vulnerable:

1: Target all unsanctioned cloud services in use

The first measures put in place with a cloud access broker can help determine how heavily shadow IT usage is being used within the business. CASB solutions collate firewall as well as proxy logs, and from the analysis of these logs, IT departments are able to discover any cloud services being used by employees and business units. From there on, IT staff can determine which cloud services do not meet minimum requirements in relation to data security. The hard part without a CASB is that IT departments can’t monitor all of the activity carried out by everyone in the organization. The use of personal devices and mobiles makes it difficult to track and flag some cloud services in use by employees, as they may be using personal emails to share files and messages between fellow members of staff.

Obviously this is a high-risk form of activity, but it does happen when workers are based at home, or doing work on-the-road and need a cloud service at their fingertips. Sometimes staff do this simply because they feel a certain unsanctioned cloud service will help them more than the service their company has provided them with.

The problem here is that they don’t want their administrators or senior managers noticing they have made an account, so they sign up using their own personal details instead of using their work email address like they would normally do for using cloud services in an enterprise setting.

2: Calculate the risks involved with each cloud service being used


Thanks to the ever-changing technology in the cloud security industry, cloud access security brokers are able to keep up to date registries of every cloud service any member of staff within an organisation registers to. The cloud access security broker takes each service and assesses the risk value based on 50 attributes, and more than 260 sub-attributes.
Examples of sub-attributes include a cloud service claiming ownership of data uploaded, a cloud service sharing the user’s data to third parties without authorization or acknowledgement from the user, and the encryption of data in rest storage (in other words not moving between accounts and device e.g. on a laptop or hard drive).
It is very easy for any member of staff to utilize another third-party cloud service without realizing the small-print, and the risks associated with that. Let’s say one of your staff find a convenient tool online to convert JPEG images or Microsoft Word documents into PDF documents.

A common risk associated with this is that the cloud service will list in their terms and conditions that they will claim ownership of any files uploaded to their portal. It wouldn’t matter if the files were something as simple as a receipt for an order, or a datasheet containing dozens of customer’s personal details or credit card information, either way, you won’t want to be sharing that stuff…


3: The application of cloud governance policies


Once the CASB has calculated all of the risk assessments attached to each cloud service being used, the IT department and senior staff within the company can put the appropriate cloud governance policies into place.

The main benefit of this to a large organisation is that the riskier cloud applications will be blacklisted, providing the opportunity for the safer cloud services and cloud applications to be actively promoted across the entire organisation. This works by aligning the CASB with the company’s existing proxy logs and firewall, so that the dangerous cloud services can be blocked on the devices in use.

As a general rule of thumb, you can separate cloud services into three distinct categories based on their risk level. This method helps to maximize data protection when deciding on which cloud applications to utilize within the business.

The first category contains IT-sanctioned services - These cloud applications are deemed safe and useful, and can also leverage the security capabilities for a large company.

The second category can be referred to as the permitted services, these cloud applications can be beneficial to staff as they are generally just as, if not more efficient than sanctioned cloud applications, but they lack the security compliance of IT-sanctioned services.

The third category contains prohibited services. These are the services that pose the real threats to a large company’s data security, as they have little or no safety provisions. It is important that your company utilities a cloud access security broker, to ensure the correct restrictions are put in place to avoid shadow IT activity occurring, because as we know, shadow IT usage triggers the adoption of dangerous cloud applications that aren’t already restricted by your IT department’s firewall.

To give you an insight into these categories of cloud applications, check out the table below:

IT-Sanctioned Cloud ServicesPermitted Cloud ServicesProhibited Cloud Services
SalesforceDropBoxYouTube
Office 365LinkedInGmail
Jive SoftwareFacebook

From this information, you can take onboard which cloud services to recommend. For any large business, a cloud access security broker will help to unify different services across all departments. You will find it is much easier to govern your cloud security when all of your staff are carrying out their work on the platforms you actively encourage them to use.
If you don’t have a cloud security broker in place, it can be easy for shadow IT usage to be exploited, as your staff have no direction as to which cloud-based tools they should be making use of. The governing and restriction of prohibited cloud-based applications allows you to encourage the adoption of the more secure and useful ones, essentially helping your organisation to leverage the immense benefits of cloud-based working.

As your portfolio of data continues to grow, it becomes an increasingly difficult task to protect every last spec of it, but with a cloud access security broker, it is all automated. Built into every device, you can rely on the tool to successfully govern, restrict and notify any suspicious activity which might be putting data security at risk.

Which broker should I choose & what questions should I ask them?


You’ll be glad to know that the market for CASBs is pretty diverse, and you should be able to find a broker that offers API level support for your main cloud application/s. You can choose from a whole host of options including Microsoft Cloud App Security (For cloud services such as Microsoft Azure), McAfee MVISION Cloud, or even Saviynt.

A few of our popular comparisons are:

Prisma SaaS vs Zscaler Internet Access

Cisco Umbrella vs Infoblox Secure DNS

When it comes to choosing the right broker, you want to ensure you know whether you want your service to run via a reverse proxy or forward proxy, or both. Reverse proxies work like web pages, where resources are retrieved from multiple servers to the client. A forward proxy involves a firewall, and restricts outside traffic, while governing activity within the firewall.

If you have found a few cloud access security brokers that interest you, you want to check how they operate to perform the tasks you will require, such as:

  • How new cloud services are spotted - Where are they logged?
  • How are the risk scores of cloud applications generated and calculated?
  • Does the broker offer sensitive data discovery - How is this data then protected inside the company’s server?


Ultimately you want to see if the main cloud services you use have a recommended broker, as that way, the services can be tailored towards the data you may be looking to protect further. The last thing you want is to invest in a broker that offers no added value to cloud security, or investing in a broker that isn’t tailored to the apps you focus on, even if it has received high ratings.

Cloud security is just as important as the cloud services your use as a business, and with the right research, you’ll find yourself leveraging security benefits that will make both shadow IT and data security threats something to leave behind in the past.


Find out what your peers are saying about Palo Alto Networks, Netskope , Microsoft and others in Cloud Access Security Brokers. Updated: July 2020.
430,988 professionals have used our research since 2012.