SaaS security

CASB (Cloud Access Security Broker)

A policy-enforcement layer that sits between users and cloud services to inspect traffic, block disallowed actions, and tag data — the gatekeeping model of SaaS security.

A Cloud Access Security Broker (CASB) is a control point — proxy, API integration, or both — that sits between users and the SaaS applications they use, so that an enterprise security team can enforce policy on traffic that would otherwise bypass on-premises controls. Gartner coined the term in 2012 to describe a then-new category of vendors addressing the rapid sprawl of cloud apps inside the enterprise.

A CASB typically covers four pillars (Gartner’s framing): visibility (which SaaS apps are in use), compliance (mapping app behavior to regulations), data security (DLP-style content inspection), and threat protection (anomaly detection on cloud access). Defining properties:

  • Policy-at-the-edge. The CASB intercepts the action — file upload, share, login — and decides whether to allow, block, alert, or modify it.
  • Inline or API mode. Inline (proxy) CASBs sit on the network path; API CASBs read SaaS APIs out-of-band. Most mature CASBs offer both, with tradeoffs in coverage vs. latency.
  • Content-aware. A CASB inspects payload (file contents, message body) to apply DLP classifications.
  • App catalogue–dependent. CASB efficacy depends on how many SaaS apps the vendor has reverse-engineered API integrations for; the long tail of shadow IT is hard to cover.

CASBs solve a real problem and remain a fixture in mature security stacks. Their limit is structural: they enforce what the policy permits, but most SaaS breaches today don’t violate written policy — they involve a legitimate user making a risky-but-permitted choice (sharing a doc publicly, accepting an OAuth grant to a productivity tool, leaving a former contractor’s account active). That’s the gap behavior-centered SaaS monitoring is built to address.
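To make the policy-versus-behavior distinction concrete, here is an added example (not from this page or any vendor's product): a toy API-mode policy check that returns the four CASB verdicts, beside a behavior check that fires on the permitted-but-risky actions named above. Event fields, app names, the DLP pattern, the OAuth scope name and the 90-day threshold are all constructed for the illustration.

```python
import re

# Constructed example: a minimal API-mode CASB policy engine plus a
# behaviour-based check. Event shapes and names are assumptions.
SANCTIONED_APPS = {"docs.example", "crm.example"}
# Constructed DLP classifier: one pattern for 16-digit card-like numbers.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def policy_decision(event):
    """Policy-at-the-edge: returns (verdict, reason); verdict is one of
    allow / block / alert / modify, as a CASB would apply to the action."""
    if event["app"] not in SANCTIONED_APPS:
        return "block", "unsanctioned app"
    if event["action"] in ("upload", "share") and CARD_RE.search(event.get("content", "")):
        return "modify", "redact card numbers before upload"
    if event["action"] == "share" and event.get("visibility") == "public":
        return "alert", "public share permitted, logged"
    return "allow", "within written policy"


def behaviour_flags(event, history):
    """Risky-but-permitted choices that written policy lets through.
    history maps user -> list of that user's earlier events."""
    flags = []
    past = history.get(event["user"], [])
    if (event["action"] == "share" and event.get("visibility") == "public"
            and not any(p.get("visibility") == "public" for p in past)):
        flags.append("first public share by this user")
    if event["action"] == "oauth_grant" and "files.write" in event.get("scopes", ()):
        flags.append("write scope granted to third-party app")  # constructed scope name
    if event["action"] == "login" and event.get("days_since_last_login", 0) > 90:
        flags.append("dormant account became active")  # e.g. a former contractor
    return flags


def evaluate(event, history):
    """Run the policy first; only actions that get past it need behaviour review."""
    verdict, reason = policy_decision(event)
    flags = behaviour_flags(event, history) if verdict != "block" else []
    return {"verdict": verdict, "reason": reason, "flags": flags}


# Constructed sample: alice has only ever shared internally, then shares publicly.
HISTORY = {"alice": [{"user": "alice", "action": "share", "app": "docs.example",
                      "visibility": "internal"}]}
SAMPLE = {"user": "alice", "action": "share", "app": "docs.example",
          "visibility": "public", "content": "Q3 roadmap"}

if __name__ == "__main__":
    print(evaluate(SAMPLE, HISTORY))
```

The public share passes the written policy with only an alert; it is the behavior check, comparing against the user's own history, that surfaces it as unusual.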
