SY0-701 | Chapter 108 of 212 | Objective 3.6

Cloud Access Security Broker (CASB)

This chapter covers Cloud Access Security Brokers (CASBs), a critical security control for organizations adopting cloud services. For the SY0-701 exam, understanding CASBs is essential under Domain 3.0 (Security Architecture), Objective 3.6: 'Given a scenario, implement and maintain security controls for cloud environments.' CASBs address the visibility and control gaps that arise when users access cloud applications outside the traditional network perimeter. You will learn the four pillars of CASB functionality, deployment modes, and how they integrate with other security tools like SSE and SASE.

25 min read
Advanced
Updated May 31, 2026

The Corporate Security Guard for Cloud Apps

Imagine a large office building with multiple tenants, each with their own security policies. The building management decides to outsource security to a third-party guard service. Instead of placing a guard at every door (which is impractical), they install a single checkpoint at the main entrance that scans all visitors and packages. This guard doesn't just check IDs; they also inspect bags for prohibited items, verify that visitors are on an approved list, and log every entry and exit. If a visitor tries to bring in a device that violates policy (e.g., a personal laptop with unapproved software), the guard can block entry or require the device to be sanitized. For sensitive areas, the guard can enforce additional checks, like requiring a second factor or escort. The guard also monitors for suspicious behavior, such as someone tailgating or attempting to access a restricted floor without authorization. This centralized checkpoint provides visibility and control over all traffic, even though the building has many different tenants and uses. Similarly, a Cloud Access Security Broker (CASB) sits between users and cloud services, enforcing security policies, monitoring activity, and protecting data—all from a single control point, regardless of the cloud provider or user location. The guard doesn't replace the tenants' own security; it augments it with consistent, centralized enforcement.

How It Actually Works

What is a Cloud Access Security Broker (CASB)?

A Cloud Access Security Broker (CASB) is a security policy enforcement point positioned between cloud service consumers and cloud service providers. It acts as a gatekeeper, applying enterprise security policies as cloud-based resources are accessed. The term was coined by Gartner in 2012, and CASBs have become a cornerstone of cloud security, especially in Software as a Service (SaaS) environments like Microsoft 365, Salesforce, and Google Workspace.

The primary drivers for CASB adoption are:

- Shadow IT Discovery: Employees often use unauthorized cloud services, exposing the organization to data leaks. CASBs discover and catalog these services.
- Data Security: CASBs enforce data loss prevention (DLP) policies, such as blocking upload of sensitive data to personal cloud storage.
- Threat Protection: They detect anomalous user behavior and compromised accounts.
- Compliance: They help meet regulatory requirements (e.g., GDPR, HIPAA) by monitoring and controlling data access.

The Four Pillars of CASB Functionality

CASBs are defined by four core capabilities, often called the 'four pillars':

1. Visibility: Discover all cloud services in use and assess their risk. This includes cataloging sanctioned and unsanctioned apps.

2. Compliance: Ensure cloud usage meets regulatory and corporate policies. This includes data residency checks and audit logging.

3. Data Security: Apply DLP, encryption, and access controls to protect data at rest and in transit.

4. Threat Protection: Detect and block threats like malware, account compromise, and insider threats.

How CASBs Work Mechanically

CASBs can be deployed in four modes, each with a different architectural approach:

1. API-based Deployment

In this mode, the CASB connects directly to the cloud service provider's APIs (e.g., Microsoft Graph API, Salesforce REST API). This provides out-of-band visibility and control without changing network traffic. The CASB reads logs, metadata, and content from the cloud service. For example, it can scan all files stored in SharePoint for sensitive data and quarantine those that violate policy.

Advantages: No network changes; works with mobile and off-network users.
Disadvantages: Limited to what the cloud provider's API exposes; cannot block real-time traffic.

2. Forward Proxy Deployment

In this mode, the CASB acts as a forward proxy. User traffic is redirected to the CASB (e.g., via PAC files, browser proxy settings, or VPN). The CASB inspects all traffic in real time, applying policies before forwarding requests to the cloud service.

Advantages: Granular control over all traffic, including blocking malicious URLs or preventing uploads.
Disadvantages: Requires client configuration; may introduce latency; not all protocols are supported.

3. Reverse Proxy Deployment

Here, the CASB sits in front of the cloud service. Users connect to the CASB's URL, which proxies requests to the actual cloud service. The user sees the cloud app, but traffic passes through the CASB. This is often used for sanctioned apps like Office 365.

Advantages: No client software needed; works for any user, anywhere.
Disadvantages: Only works for pre-configured apps; may break some app features.

4. Log Collection / Out-of-Band

This mode relies on collecting logs from the cloud service (e.g., via syslog or SIEM integration) and analyzing them. It provides visibility but no real-time control. It is often used as a stepping stone to full CASB deployment.
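The following is an added illustration, not code from this page or from any CASB vendor, of what an API-mode scan does with the file content it reads back: the item listing is a constructed stand-in for a provider API response, and the SSN pattern, card pattern (with a Luhn check to cut false positives) and the quarantine action are assumptions.

```python
import re

# Constructed stand-in for the item listing a CASB would pull over a provider API
# (not real Graph output): id, name and the text content the CASB fetched.
SAMPLE_DRIVE_ITEMS = [
    {"id": "01A", "name": "Q3-roadmap.docx", "content": "Launch plan for Q3. No customer data here."},
    {"id": "01B", "name": "refunds.csv", "content": "name,card\nAlice,4111 1111 1111 1111\n"},
    {"id": "01C", "name": "hr-notes.txt", "content": "Employee SSN on file: 123-45-6789"},
    {"id": "01D", "name": "test-data.txt", "content": "sample card 1234 5678 9012 3456"},
]

# US SSN, excluding area/group/serial ranges that are never issued (assumed pattern).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; the Luhn check filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan(text: str) -> list:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_item(item: dict) -> list:
    """Classify one file's content; returns the sensitive data types found."""
    findings = []
    if SSN_RE.search(item["content"]):
        findings.append("ssn")
    if find_pan(item["content"]):
        findings.append("pan")
    return findings


def api_mode_scan(items: list, blocked_types=("ssn", "pan")) -> dict:
    """Map item id to (action, findings). Out-of-band, so the action is a
    quarantine of data already at rest rather than a block of live traffic."""
    decisions = {}
    for item in items:
        findings = scan_item(item)
        action = "quarantine" if any(f in blocked_types for f in findings) else "allow"
        decisions[item["id"]] = (action, findings)
    return decisions


if __name__ == "__main__":
    for item_id, (action, findings) in api_mode_scan(SAMPLE_DRIVE_ITEMS).items():
        print(item_id, action, findings)
```

Note that the test-data file with a card-shaped number that fails Luhn is allowed, which is the kind of tuning that keeps an API-mode DLP policy from quarantining every spreadsheet.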

Key Components and Standards

CASB Policy Engine: Defines rules based on user, device, location, content, and behavior.

User and Entity Behavior Analytics (UEBA): Many CASBs include machine learning models to detect anomalous behavior, such as impossible travel or unusual data access patterns.

Data Classification: Integration with DLP tools to identify sensitive data (e.g., credit card numbers, PII).

Encryption: CASBs can enforce encryption at rest and in transit, and even tokenize or mask data in real time.

Single Sign-On (SSO) Integration: CASBs often integrate with identity providers (IdPs) like Azure AD or Okta to enforce authentication policies.

How Attackers Exploit Cloud Without CASB

Without a CASB, attackers can:

Exfiltrate data by uploading to personal cloud storage (e.g., Google Drive, Dropbox).

Use compromised credentials to access cloud apps and download sensitive data.

Install malicious OAuth apps that grant permissions to read emails or files.

Exploit shadow IT services that lack security controls.

How Defenders Deploy CASB

A typical deployment involves:

1. Discovery Phase: Use the CASB to scan network logs or DNS traffic to identify all cloud services in use.
2. Risk Assessment: Categorize discovered apps as sanctioned, unsanctioned, or tolerated.
3. Policy Creation: Define policies for data protection, access control, and threat detection.
4. Integration: Connect the CASB to cloud providers via APIs and configure proxy forwarding.
5. Monitoring and Response: Continuously monitor alerts and respond to incidents.

Real Commands and Tools

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security): A popular CASB that integrates with Microsoft 365 and other apps.

Netskope: A leading CASB with advanced DLP and threat protection.

Zscaler: A cloud security platform that includes CASB capabilities as part of its SASE offering.

Proofpoint CASB: Focuses on email and collaboration app security.

Example API call to retrieve file metadata from Microsoft Graph (used by CASB):

GET https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root/children
Authorization: Bearer {access-token}

Example policy rule (pseudocode):

IF user.location == 'high-risk-country' AND app == 'Salesforce' THEN
    block access
END IF
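As an added example, not code from this page or from any CASB product, here is the pseudocode rule above implemented in a small policy engine that also evaluates the other attributes the page lists (user, device posture, location, content label). The country code "XX", the app names, the sensitivity label and the verdict names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """One access attempt as the policy engine sees it (constructed fields)."""
    user: str
    app: str
    action: str            # "login", "download" or "upload"
    location: str          # country code of the source IP; "XX" is a placeholder
    device_managed: bool   # device posture reported by the endpoint agent/IdP
    mfa_passed: bool = False
    file_label: str = ""   # sensitivity label on the object, e.g. "Confidential"


HIGH_RISK_COUNTRIES = {"XX"}              # placeholder list, assumed
SENSITIVE_APPS = {"Salesforce", "Workday"}  # assumed set of apps requiring MFA


def rule_high_risk_location(r):
    # The page's rule: IF user.location is high-risk AND app is Salesforce THEN block
    if r.location in HIGH_RISK_COUNTRIES and r.app == "Salesforce":
        return "block", "high-risk location for Salesforce"


def rule_confidential_to_unmanaged(r):
    # Content + device posture: no Confidential downloads to unmanaged devices
    if r.action == "download" and r.file_label == "Confidential" and not r.device_managed:
        return "block", "Confidential download to unmanaged device"


def rule_mfa_for_sensitive_apps(r):
    # Access control: step-up authentication for sensitive apps
    if r.app in SENSITIVE_APPS and not r.mfa_passed:
        return "step_up_mfa", "MFA required for sensitive app"


def rule_unmanaged_read_only(r):
    # Session control: unmanaged devices may browse but not move files
    if not r.device_managed and r.action in {"download", "upload"}:
        return "read_only", "unmanaged device limited to read-only session"


# Deny rules first, then step-up and session controls; default is allow.
RULES = [rule_high_risk_location, rule_confidential_to_unmanaged,
         rule_mfa_for_sensitive_apps, rule_unmanaged_read_only]


def evaluate(r: Request) -> tuple:
    """First matching rule wins; returns (verdict, reason)."""
    for rule in RULES:
        verdict = rule(r)
        if verdict:
            return verdict
    return "allow", "no rule matched"


if __name__ == "__main__":
    print(evaluate(Request("alice", "Salesforce", "login", "XX", True, True)))
    print(evaluate(Request("bob", "SharePoint", "download", "US", False, True, "Confidential")))
```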

Integration with SSE and SASE

CASB is a key component of Security Service Edge (SSE) and Secure Access Service Edge (SASE). SSE combines CASB, Zero Trust Network Access (ZTNA), and Secure Web Gateway (SWG) into a unified cloud-delivered security stack. SASE adds SD-WAN capabilities. For the exam, remember that CASB is not standalone; it often works alongside SWG and ZTNA.

Walk-Through

1. Discover Cloud Services in Use

The first step in deploying a CASB is to gain visibility into all cloud services accessed by users. This is done by analyzing firewall logs, DNS logs, or proxy logs. The CASB identifies the cloud services (e.g., Dropbox, Slack, Trello) and categorizes them by risk level. For example, a CASB might flag a file-sharing site with weak encryption as high risk. The output is a list of sanctioned, unsanctioned, and tolerated apps. This step is critical for discovering shadow IT. Tools like Microsoft Defender for Cloud Apps can integrate with network appliances to collect logs automatically.

2. Assess Risk of Each Cloud Service

Once cloud services are discovered, the CASB assigns a risk score based on factors like encryption standards (e.g., TLS 1.2+), data residency, compliance certifications (e.g., SOC 2, ISO 27001), and security features (e.g., MFA support). The risk assessment helps administrators decide which apps to block, allow, or monitor. For example, a service that stores data in a non-compliant region may be automatically blocked. The CASB uses a proprietary risk database that is updated regularly. This step is often automated, but administrators can override scores.

3. Configure Policies for Data Protection

After assessment, policies are created to enforce data security. Policies can include DLP rules (e.g., block upload of files containing Social Security numbers), access controls (e.g., require MFA for accessing sensitive apps), and session controls (e.g., monitor read-only access). Policies are based on user identity, device posture, location, and content. For example, a policy might block a user from downloading a file labeled 'Confidential' to an unmanaged device. The CASB applies these policies in real time (proxy mode) or periodically (API mode).

4. Deploy in Appropriate Mode

The CASB is deployed in one or more modes: API, forward proxy, reverse proxy, or log collection. For managed devices, forward proxy is common; for unmanaged devices, reverse proxy is used. API mode is always recommended for deep inspection of data at rest. Often, a combination is used. For example, an organization might use API mode for Office 365 and forward proxy for all other web traffic. The deployment must be tested to ensure no breakage of legitimate app functionality. Logs from the CASB are sent to a SIEM for correlation.

5. Monitor and Respond to Alerts

The final step is continuous monitoring. The CASB generates alerts for suspicious activities, such as multiple failed login attempts, unusual downloads, or access from a new location. Security analysts investigate these alerts using the CASB's dashboard. For example, an alert might show a user downloading 1,000 files in 10 minutes—indicating possible data exfiltration. The analyst can then take action, such as suspending the user's account or blocking further downloads. The CASB also provides audit trails for compliance reporting.
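To make the monitoring step concrete, here is an added example (not code from this page or any CASB) of two UEBA-style detections run over a constructed audit log: the "1,000 files in 10 minutes" mass-download rule from the walk-through, and a login from a country outside the user's baseline. The log format, user names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def constructed_log() -> list:
    """Constructed CASB audit lines: time,user,action,country,object (not real output)."""
    lines = [
        "2024-03-01T09:00:00.000Z,alice,login,US,-",
        "2024-03-01T09:05:00.000Z,alice,download,US,report-1.xlsx",
        "2024-03-01T09:06:00.000Z,alice,download,US,report-2.xlsx",
        "2024-03-01T12:00:00.000Z,bob,login,US,-",
    ]
    # bob pulls 1,200 files half a second apart: well inside a 10-minute window
    start = datetime(2024, 3, 1, 12, 1, 0)
    for i in range(1200):
        t = start + timedelta(milliseconds=500 * i)
        stamp = t.strftime("%Y-%m-%dT%H:%M:%S") + f".{t.microsecond // 1000:03d}Z"
        lines.append(f"{stamp},bob,download,US,f{i}.pdf")
    # next day alice logs in from a country never seen in her baseline
    lines.append("2024-03-02T03:00:00.000Z,alice,login,BR,-")
    return lines


def detect(lines: list, max_downloads: int = 1000,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Return (user, alert_type, detail) tuples. Each user is flagged once per rule
    so a burst of 1,200 downloads produces one alert, not 200."""
    alerts = []
    recent = defaultdict(deque)        # user -> download timestamps inside the window
    seen_countries = defaultdict(set)  # user -> countries seen so far (the baseline)
    flagged_mass = set()
    for line in lines:
        ts, user, action, country, _obj = line.split(",")
        t = datetime.strptime(ts, TS_FMT)
        if action == "login":
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append((user, "new_country_login", country))
            seen_countries[user].add(country)
        elif action == "download":
            q = recent[user]
            q.append(t)
            while q and t - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= max_downloads and user not in flagged_mass:
                flagged_mass.add(user)
                alerts.append((user, "mass_download", len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

An analyst would treat the mass-download alert as the exfiltration trigger described above (suspend the session, block further downloads) and the new-country login as a lead to corroborate with the IdP's sign-in log.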

What This Looks Like on the Job

Scenario 1: Shadow IT Discovery in a Mid-Sized Enterprise

A SOC analyst notices an unusual spike in outbound traffic to an unknown domain. Using the CASB dashboard, they discover that employees are using a new file-sharing service called 'FilePizza' (fictional). The CASB risk assessment shows that FilePizza has no encryption at rest and is not SOC 2 compliant. The analyst generates a report and presents it to management. The response is to block FilePizza via the CASB's forward proxy policy and educate users about approved alternatives. The common mistake here is to block the service without notifying users, causing productivity loss. The correct response is to communicate the change and provide sanctioned alternatives.

Scenario 2: Data Exfiltration via Malicious OAuth App

A user's account is compromised via phishing. The attacker uses the stolen credentials to grant an OAuth app access to the user's email and files. The CASB, monitoring API logs, detects that a new OAuth app with high permissions was granted from an unusual location. The CASB automatically revokes the app's access and alerts the SOC. The analyst then forces a password reset and enables MFA. The common mistake is to only revoke the app without resetting credentials, leaving the account vulnerable. The correct response includes both revocation and credential reset.

Scenario 3: Compliance Violation in Healthcare

A hospital uses a CASB to monitor access to its cloud-based EHR system. The CASB detects that a doctor is accessing patient records from a personal device in a country without adequate data protection laws. The CASB blocks the session and logs the incident. The compliance officer reviews the alert and initiates a training session on data handling policies. The common mistake is to ignore the alert because the doctor is a senior staff member. The correct response is to enforce policy uniformly and escalate if necessary.

How SY0-701 Actually Tests This

What SY0-701 Tests on CASB

Objective 3.6 focuses on implementing and maintaining security controls for cloud environments. For CASBs, the exam expects you to:

Understand the four pillars: visibility, compliance, data security, and threat protection.

Differentiate between deployment modes: API, forward proxy, reverse proxy, and log collection.

Know that CASBs are often part of SSE and SASE architectures.

Recognize CASB use cases: shadow IT discovery, DLP enforcement, and threat detection.

Common Wrong Answers and Why Candidates Choose Them

1. 'CASB only works with SaaS applications.' — Wrong. While CASBs are most commonly used with SaaS, they can also protect PaaS and IaaS environments, though with limitations. Candidates assume SaaS-only because of popular marketing.

2. 'Forward proxy is the most secure deployment mode.' — Not necessarily. API mode provides deeper inspection of data at rest, but forward proxy offers real-time control. The 'most secure' depends on the scenario. Candidates often pick forward proxy because it sounds more active.

3. 'CASB replaces the need for a firewall.' — No. CASBs complement firewalls but do not replace network-layer controls. Candidates confuse CASB with SWG.

4. 'CASB can block all cloud threats automatically.' — No. CASBs rely on policies and may generate false positives. Automatic blocking can cause business disruption. Candidates may think CASB is a set-it-and-forget-it solution.

Specific Terms and Acronyms

CASB (Cloud Access Security Broker)

SSE (Security Service Edge)

SASE (Secure Access Service Edge)

ZTNA (Zero Trust Network Access)

SWG (Secure Web Gateway)

DLP (Data Loss Prevention)

UEBA (User and Entity Behavior Analytics)

Shadow IT

Trick Questions

A question may ask which tool provides 'visibility into cloud application usage.' The answer is CASB, not SWG or IDS. SWG focuses on web traffic, not cloud app discovery.

A question may ask which deployment mode 'provides real-time traffic inspection without client software.' The answer is reverse proxy, not forward proxy (which requires client config).

Decision Rule

When faced with a scenario question about controlling cloud app usage, ask: 'Does the scenario involve discovering unsanctioned apps, enforcing DLP, or detecting compromised accounts?' If yes, the answer involves a CASB. If the scenario is about web browsing or malware, consider SWG. If about remote access to internal apps, consider ZTNA.

Key Takeaways

CASB stands for Cloud Access Security Broker and is a policy enforcement point between users and cloud providers.

The four pillars of CASB are Visibility, Compliance, Data Security, and Threat Protection.

Deployment modes include API, forward proxy, reverse proxy, and log collection.

API mode provides deep inspection of data at rest; forward proxy offers real-time control.

CASBs are a key component of SSE (Security Service Edge) and SASE (Secure Access Service Edge).

Common CASB use cases include shadow IT discovery, DLP enforcement, and compromised account detection.

CASB does not replace firewall or SWG; it complements them.

For the exam, know that CASB is used for cloud app security, not general web filtering.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

CASB (Cloud Access Security Broker)

Focuses on cloud application security (SaaS, IaaS, PaaS)

Provides visibility into shadow IT and unsanctioned app usage

Enforces DLP policies for data in cloud apps

Often uses API integration for deep inspection

Part of SSE and SASE architectures

SWG (Secure Web Gateway)

Focuses on web traffic security (HTTP/HTTPS)

Blocks malicious websites and filters URLs

Inspects web traffic for malware and phishing

Typically operates as a forward proxy

Also part of SSE and SASE architectures

Forward Proxy Deployment

Requires client configuration (PAC file, proxy settings)

Inspects all outbound traffic from users

Supports any web-based cloud app

Can block traffic in real time

May introduce latency on user devices

Reverse Proxy Deployment

No client configuration needed

Sits in front of the cloud app (user connects to CASB)

Works only for pre-configured cloud apps

Can apply session controls (e.g., read-only)

May break app functionality if not properly configured

Watch Out for These

Mistake

CASBs only work with SaaS applications, not IaaS or PaaS.

Correct

While CASBs are primarily used for SaaS, they can also provide visibility and control for IaaS (e.g., AWS S3) and PaaS (e.g., Azure SQL) through API integration. However, the depth of control may be limited compared to SaaS.

Mistake

A CASB is a physical appliance that must be deployed on-premises.

Correct

CASBs are typically cloud-delivered services (SaaS) that can be deployed in minutes without on-premises hardware. Some vendors offer virtual appliances, but the dominant model is cloud-based.

Mistake

CASB and SWG are the same thing.

Correct

A Secure Web Gateway (SWG) protects users from web-based threats (e.g., malware, phishing) and enforces URL filtering. A CASB focuses on cloud application security, including shadow IT discovery, DLP, and compliance. They are complementary but distinct.

Mistake

Once a CASB is deployed, no further configuration is needed.

Correct

CASBs require ongoing policy tuning, threat intelligence updates, and integration maintenance. Cloud providers change APIs, and new apps emerge, so continuous management is necessary.

Mistake

A CASB can block all data exfiltration attempts.

Correct

No security tool is 100% effective. CASBs can block many exfiltration methods (e.g., uploads to unsanctioned apps), but sophisticated attackers may use encrypted channels, steganography, or air-gap techniques that bypass CASB controls.

Frequently Asked Questions

What is the difference between CASB and SWG?

A CASB focuses on securing cloud applications (SaaS, IaaS, PaaS) by providing visibility into shadow IT, enforcing DLP, and detecting threats within cloud apps. An SWG (Secure Web Gateway) protects users from web-based threats like malware and phishing by filtering URLs and inspecting web traffic. They are complementary; a CASB is not a replacement for an SWG. On the exam, if the scenario involves discovering unsanctioned cloud apps or protecting data in Office 365, think CASB. If it involves blocking malicious websites, think SWG.

Can a CASB work with on-premises applications?

No, a CASB is specifically designed for cloud applications. For on-premises applications, you would use other controls like a VPN, ZTNA, or a web application firewall (WAF). However, some CASBs can provide visibility into hybrid environments if the on-prem app is accessed via cloud gateways, but this is not a primary use case.

What is shadow IT and how does a CASB help?

Shadow IT refers to the use of unauthorized cloud services by employees without IT's knowledge. A CASB discovers these services by analyzing network logs or DNS traffic, assesses their risk, and allows administrators to block or monitor them. For example, a CASB might detect that employees are using a personal Dropbox account to share corporate files, and then block that activity.
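The discovery step in that answer, as an added example that is not code from this page or from any CASB vendor: a constructed proxy log is matched against a small app catalog, each app gets a risk score from its attributes, and admin decisions (sanctioned, tolerated, or unsanctioned by default) are layered on top. The log format, the catalog attributes, the scoring weights and the app names (including the page's fictional FilePizza) are assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines (not from a real appliance): time user dest_host bytes_out
PROXY_LOG = """\
2024-03-01T09:00:01Z alice api.dropbox.com 120000
2024-03-01T09:00:05Z bob slack.com 2400
2024-03-01T09:01:10Z carol cdn.filepizza.example 85000000
2024-03-01T09:02:00Z alice api.dropbox.com 340000
2024-03-01T09:03:00Z dave trello.com 1200
2024-03-01T09:04:00Z carol cdn.filepizza.example 64000000
2024-03-01T09:05:00Z dave unknown-share.example 9000
"""

# Constructed catalog keyed by registrable domain. A real CASB ships a vendor risk
# database with many more attributes; the values here are illustrative only.
APP_CATALOG = {
    "dropbox.com":       {"app": "Dropbox",   "enc_at_rest": True,  "soc2": True,  "mfa": True},
    "slack.com":         {"app": "Slack",     "enc_at_rest": True,  "soc2": True,  "mfa": True},
    "trello.com":        {"app": "Trello",    "enc_at_rest": True,  "soc2": True,  "mfa": True},
    "filepizza.example": {"app": "FilePizza", "enc_at_rest": False, "soc2": False, "mfa": False},
}
# Administrator decisions; anything not listed defaults to unsanctioned.
SANCTIONED = {"Slack"}
TOLERATED = {"Dropbox", "Trello"}


def lookup(host: str):
    """Match a hostname to a catalog entry by domain suffix; None if unknown."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        entry = APP_CATALOG.get(".".join(parts[i:]))
        if entry:
            return entry
    return None


def risk_score(entry) -> int:
    """0-100, higher is riskier. Unknown apps get the maximum until reviewed."""
    if entry is None:
        return 100
    return ((0 if entry["enc_at_rest"] else 40)
            + (0 if entry["soc2"] else 30)
            + (0 if entry["mfa"] else 20))


def discover(log_text: str) -> dict:
    """Aggregate the log per app: risk, status, bytes sent out, and who used it."""
    apps = defaultdict(lambda: {"risk": 0, "status": "", "bytes_out": 0, "users": set()})
    for line in log_text.splitlines():
        _ts, user, host, bytes_out = line.split()
        entry = lookup(host)
        name = entry["app"] if entry else f"unknown:{host}"
        rec = apps[name]
        rec["risk"] = risk_score(entry)
        rec["status"] = ("sanctioned" if name in SANCTIONED
                         else "tolerated" if name in TOLERATED else "unsanctioned")
        rec["bytes_out"] += int(bytes_out)
        rec["users"].add(user)
    return dict(apps)


if __name__ == "__main__":
    for name, rec in sorted(discover(PROXY_LOG).items(), key=lambda kv: -kv[1]["risk"]):
        print(f'{name:30} risk={rec["risk"]:3} {rec["status"]:12} out={rec["bytes_out"]}')
```

Sorting by risk and outbound volume is what surfaces the FilePizza case from Scenario 1: a high-risk, unsanctioned app receiving far more data than the sanctioned ones.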

Which deployment mode is best for a BYOD environment?

Reverse proxy is often best for BYOD because it doesn't require client software installation. Users access cloud apps through the CASB's proxy URL, and the CASB enforces policies without needing to configure each device. API mode is also useful for monitoring data at rest without client changes. Forward proxy would require configuring proxy settings on each device, which is harder to manage in BYOD.

How does a CASB detect compromised accounts?

CASBs use UEBA (User and Entity Behavior Analytics) to establish baseline behavior for each user. When a user deviates from the baseline—such as logging in from a new country, downloading an unusual number of files, or accessing apps at odd hours—the CASB generates an alert. It can also integrate with threat intelligence to flag known malicious IPs. For example, if a user's account is used to download thousands of files in minutes, the CASB can automatically block further activity and notify the SOC.

Is CASB the same as SSE?

No. SSE (Security Service Edge) is a broader architecture that includes CASB, SWG, and ZTNA. CASB is one component of SSE. SASE (Secure Access Service Edge) adds SD-WAN to SSE. So while a CASB can be part of an SSE solution, they are not the same.

What is the most important feature of a CASB for compliance?

The most important feature is data classification and DLP enforcement. CASBs can scan data in cloud apps for sensitive information (e.g., PII, PCI, PHI) and apply policies to prevent unauthorized sharing or storage. They also provide audit logs that demonstrate compliance with regulations like GDPR, HIPAA, and SOX. For example, a CASB can automatically quarantine a file containing credit card numbers uploaded to a public folder.
