CASB (Cloud Access Security Broker)
CASB discovers and governs SaaS application usage across your organization. Inline mode inspects traffic in real time; API mode scans data at rest in sanctioned apps. Most enterprises discover 3-5x more cloud apps than IT knows about. Critical for shadow IT visibility, tenant restrictions (blocking personal M365 logins), and compliance enforcement across SaaS platforms.
The first time you run a CASB shadow IT scan, you will have a bad day. Security teams consistently discover 5-10x more cloud applications in use than they expected. A 2,000-person company typically finds 900-1,500 distinct SaaS services — IT sanctioned maybe 120 of them. The other 800+ include personal file-sharing accounts with corporate data, AI tools ingesting source code, and collaboration platforms where entire project teams have been working for months without IT's knowledge. CASB is how you find all of it, assess the risk, and decide what to sanction, tolerate, or block.
CASB operates in two fundamentally different modes that serve complementary purposes. Inline CASB, sometimes called forward-proxy CASB, inspects traffic in real time as users interact with cloud applications, enabling block, allow, coach, and restrict actions on the fly. API CASB, sometimes called out-of-band CASB, connects directly to sanctioned SaaS applications through their APIs to scan data at rest — files stored in OneDrive, emails in Exchange Online, records in Salesforce — and retroactively apply classification, DLP, and sharing controls. A complete CASB strategy requires both modes because each has blind spots the other covers.
The strategic value of CASB extends beyond security into governance and compliance. CASB provides the visibility layer that answers questions auditors and regulators increasingly ask: what cloud services process our customer data? Who has access to shared files containing PII? Are OAuth tokens granting third-party apps excessive permissions to our corporate M365 tenant? Without CASB, answering these questions requires manual surveys and guesswork. With CASB, the answers are continuous, automated, and auditable.
What it does
A Cloud Access Security Broker is a security policy enforcement point positioned between enterprise users and cloud service providers. It provides visibility into cloud application usage, data protection for information stored in and transiting through SaaS applications, threat protection against cloud-based attack vectors like OAuth token abuse and account takeover, and compliance enforcement for regulatory requirements governing data residency, access control, and sharing. CASB discovers shadow IT by analyzing DNS queries, web traffic logs, and API connections to catalog every cloud service employees interact with, assigns each a risk score based on factors like encryption standards, compliance certifications, data residency, and breach history, and gives administrators the data they need to make informed sanction-or-block decisions.
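The discovery step described above, as an added example that is not code from the page or from any CASB vendor: constructed proxy log lines are aggregated into a per-app inventory, each catalogued app gets a risk score from the attributes the text names (encryption, compliance certification, data residency, breach history), and unsanctioned apps are ranked for a sanction-or-block decision. The catalog, hostnames, attribute values and weights are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed catalog: host -> (app, tls, soc2 audited, residency ok, breach-free).
# Values are invented; a real CASB pulls them from its vendor database of rated apps.
APP_CATALOG = {
    "corp-tenant.sharepoint.com": ("Microsoft 365 (corporate)", True, True, True, True),
    "www.dropbox.com": ("Dropbox (personal)", True, True, False, False),
    "api.freeshare.example": ("FreeShare", False, False, False, True),
}
SANCTIONED = {"Microsoft 365 (corporate)"}
RISK_WEIGHTS = (3, 2, 2, 3)  # penalty added when each attribute above is False

# Constructed proxy log lines: timestamp user host method bytes_out
LOG = """\
2024-05-01T09:00:01 alice corp-tenant.sharepoint.com PUT 120000
2024-05-01T09:05:12 bob www.dropbox.com POST 5400000
2024-05-01T09:07:44 carol api.freeshare.example POST 880000
2024-05-01T09:09:03 bob api.freeshare.example POST 910000
2024-05-01T09:13:01 dave files.unknown-tool.example POST 42000
garbage line that should be skipped
"""

def risk_score(attrs):
    """0 (low) to 10 (high): each attribute that fails the bar adds its weight."""
    return sum(w for w, ok in zip(RISK_WEIGHTS, attrs) if not ok)

def discover(log_text):
    """Per-app inventory: distinct users, bytes uploaded, risk score, sanction status."""
    inv = defaultdict(lambda: {"users": set(), "upload_bytes": 0,
                               "risk": None, "sanctioned": False})
    for line in log_text.splitlines():
        m = re.match(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\d+)$", line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        _, user, host, method, out = m.groups()
        app, *attrs = APP_CATALOG.get(host, ("unclassified:" + host,))
        e = inv[app]
        e["users"].add(user)
        if method in ("POST", "PUT"):
            e["upload_bytes"] += int(out)
        e["risk"] = risk_score(attrs) if attrs else None  # unknown host: not yet rated
        e["sanctioned"] = app in SANCTIONED
    return dict(inv)

def unsanctioned_by_risk(inv):
    # Unsanctioned apps, riskiest first, ties broken by upload volume
    return sorted(((a, e) for a, e in inv.items() if not e["sanctioned"]),
                  key=lambda r: (-(r[1]["risk"] or 0), -r[1]["upload_bytes"]))
```

Hosts absent from the catalog surface as `unclassified:<host>` with no score, which is the list a team works through first after the initial scan.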
How it works
Inline CASB operates as a component of the SWG traffic inspection pipeline. When the SWG decrypts HTTPS traffic destined for a cloud application, the CASB engine applies application-aware policies: it can distinguish between uploading a file to corporate OneDrive versus personal OneDrive, between viewing a Salesforce record versus exporting a report, or between posting in a sanctioned Slack workspace versus an external one. This granularity comes from deep API-level understanding of each SaaS application's URL structure and request patterns.

API CASB connects to sanctioned applications using OAuth tokens or service account credentials granted by the administrator. It then crawls data at rest — scanning every file in SharePoint, every message in Teams, every record in Salesforce — applying DLP classification, identifying overshared files, detecting anomalous sharing patterns, and flagging OAuth tokens that grant excessive permissions.

Shadow IT discovery aggregates signals from DNS logs, SWG traffic logs, endpoint telemetry, and cloud application API data to build a comprehensive catalog of every cloud service in the environment, updated continuously.
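The inline decision described above, as an added example that is not code from the page or from any vendor: a minimal policy check that tells corporate OneDrive from personal OneDrive by hostname, classifies the activity (view, download, upload, share) and returns allow, block or coach; on requests to the Entra login endpoints it adds Microsoft's documented tenant restrictions headers, which is how "block personal M365 logins" is enforced from a proxy. The tenant slug, domain list and directory ID are placeholders, and the path keywords are a simplification of real app signatures.

```python
from urllib.parse import urlsplit

# Constructed values: substitute your own tenant's slug, verified domains and directory ID.
CORP_TENANT_SLUG = "corp-tenant"
CORP_TENANT_DOMAINS = "corp-tenant.onmicrosoft.com"
CORP_DIRECTORY_ID = "<directory-id-placeholder>"

# Microsoft tenant restrictions (v1): a proxy that decrypts traffic to the Entra login
# endpoints adds two headers; the login service then refuses sign-in to any tenant
# not on the list.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Activity-level policy per OneDrive instance: activity -> decision.
POLICY = {
    "corporate": {"view": "allow", "download": "allow", "upload": "allow", "share": "coach"},
    "personal":  {"view": "allow", "download": "coach", "upload": "block", "share": "block"},
}

def onedrive_instance(host):
    """Corporate OneDrive lives at <tenant>-my.sharepoint.com; consumer OneDrive at
    onedrive.live.com. Any other organisation's tenant is treated like 'personal'."""
    if host.endswith("-my.sharepoint.com"):
        return "corporate" if host == CORP_TENANT_SLUG + "-my.sharepoint.com" else "personal"
    if host == "onedrive.live.com":
        return "personal"
    return None

def activity(method, path):
    """Coarse activity detection from method and path keywords. Real CASB app
    signatures are far richer; this shows the shape of the logic, not vendor code."""
    p = path.lower()
    if method in ("POST", "PUT") and "upload" in p:
        return "upload"
    if "download" in p:
        return "download"
    if "share" in p or "invite" in p:
        return "share"
    return "view"

def enforce(method, url, headers=None):
    """Return (decision, headers); headers gain the tenant-restriction pair on login traffic."""
    headers = dict(headers or {})
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in LOGIN_HOSTS:
        headers["Restrict-Access-To-Tenants"] = CORP_TENANT_DOMAINS
        headers["Restrict-Access-Context"] = CORP_DIRECTORY_ID
        return "allow", headers
    inst = onedrive_instance(host)
    if inst is None:
        return "allow", headers  # not OneDrive: other app policies would apply here
    return POLICY[inst][activity(method, parts.path)], headers
```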
Why it matters
The average enterprise discovers 5-10x more cloud applications in use than IT sanctioned when they first deploy CASB shadow IT discovery. These undiscovered applications represent uncontrolled data exposure: employees uploading customer lists to free file-sharing services, developers pasting source code into AI coding assistants, sales teams exporting CRM data to personal cloud storage for use at their next job. CASB transforms this blind spot into governed, policy-controlled cloud usage. For compliance, CASB provides the evidence trail that demonstrates you know where regulated data resides in the cloud and that you have controls in place to prevent unauthorized sharing. For M&A due diligence, CASB scans can reveal data exposure in an acquisition target's SaaS environment before the deal closes. For insider threat programs, CASB's user behavior analytics detect anomalous patterns like a departing employee bulk-downloading files from SharePoint in their final two weeks.
Watch out
The biggest gap in most CASB deployments is the unmanaged device problem. Inline CASB requires traffic to flow through the SWG, which means devices without the endpoint agent installed — personal laptops, contractor devices, mobile phones accessing SaaS apps through native mobile apps — bypass inline CASB entirely. API CASB covers data at rest regardless of how it was created, but cannot enforce real-time inline controls on unmanaged devices. Solutions include reverse-proxy CASB (which intercepts traffic at the application's authentication layer rather than at the endpoint), conditional access policies in the IdP that restrict unmanaged devices to browser-only access with reduced permissions, and application-level controls like SharePoint's unmanaged device access policies. Plan for this gap from day one and design your CASB architecture to address both managed and unmanaged device populations.
Vendor comparison — CASB
Inline and API-based CASB covering 250,000+ cloud applications. Shadow IT discovery with risk scoring, granular activity-level controls (e.g., allow Dropbox view but block download), and predefined compliance templates for SOC 2, HIPAA, and PCI-DSS.
Inline CASB with FortiCASB providing shadow IT discovery and SaaS application control. Covers major SaaS platforms (Microsoft 365, Google Workspace, Salesforce, Box) with activity-level controls. API-based CASB mode available for out-of-band inspection. Breadth of SaaS API integrations trails Netskope and Palo Alto — smaller catalog of supported applications for API mode.
Inline and API-based CASB with 80+ SaaS API integrations for out-of-band inspection. SaaS Security Posture Management (SSPM) identifies misconfigurations across Microsoft 365, Google Workspace, Salesforce, and other platforms. AI Access Security (part of SASE 4.0) provides the industry's deepest visibility into GenAI usage, classifying 500+ AI apps by risk and inspecting prompts for sensitive data.
Inline CASB with SaaS application discovery and shadow IT visibility. Activity-level controls for major SaaS platforms (Microsoft 365, Google Workspace). Basic DLP integration for data-in-motion across SaaS channels. API-based CASB mode is limited — fewer SaaS API integrations than Palo Alto or Netskope, restricting out-of-band inspection and SSPM capabilities for less common SaaS applications.
Inline CASB via ZIA with shadow IT discovery across thousands of cloud applications and granular activity-level controls (allow Slack messaging but block file uploads). API-based CASB for out-of-band scanning of data at rest in sanctioned SaaS. Strong but not as deep as Netskope's 49K+ app Cloud Confidence Index — Zscaler's app catalog is broad but the risk-scoring granularity is less refined.
The deepest CASB in the market. Cloud Confidence Index rates 49,000+ cloud applications across 50+ risk attributes. Instance-level controls distinguish corporate from personal SaaS tenants (allow corporate OneDrive, block personal). Activity-level policies control specific actions within apps (allow view, block download, coach on share). Inline and API modes with SSPM for SaaS misconfiguration detection. Shadow IT discovery identifies unsanctioned app usage across the entire organization.
Inline CASB with shadow IT discovery, application risk scoring, and activity-level controls for major SaaS platforms. Decent for identifying unsanctioned SaaS usage and applying coarse-grained controls (block, allow, coach). However, API-based out-of-band CASB for SaaS security posture management (SSPM) is less mature than Netskope or Palo Alto — fewer SaaS API connectors, limited out-of-band scanning, and less granular activity controls for long-tail SaaS applications. CASB is an add-on at approximately 40% over the base license cost.
CASB is available on enterprise plans only — not included in free or PAYG tiers. API-based scanning covers AWS, GCP, Google Workspace, and Microsoft 365 for misconfiguration and data exposure detection. Inline CASB provides shadow IT discovery and SaaS application controls. The integration catalog is significantly smaller than Netskope or Palo Alto, limiting coverage for organizations with diverse SaaS estates. CASB is the most visible maturity gap in Cloudflare's SSE stack.