Cloud Access Security Broker (CASB) Buyer's Guide 2026
Employees use an average of 1,295 cloud services in a typical enterprise organization, the vast majority without IT approval. Sensitive data flows to personal Dropbox accounts, confidential documents are shared via consumer messaging apps, and AI tools process proprietary code. Cloud Access Security Broker (CASB) platforms provide visibility into this shadow IT landscape, enforce access policies, and apply data loss prevention controls at the cloud application layer. As CASB capabilities merge into Security Service Edge (SSE) and SASE platforms, the buying decision has become intertwined with network security architecture.
What CASB Does
CASB provides four core capabilities for cloud application security:
Shadow IT discovery
Identify all cloud services employees are accessing by analyzing network logs, proxy logs, or endpoint agent data. Categorize discovered services by risk level and business function. Most organizations discover 40 to 60 percent more cloud services than IT had approved or catalogued. Shadow IT discovery is the starting point for all other CASB capabilities.
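The log-based discovery step described above, as an added example rather than code from any CASB product: it parses constructed proxy access-log lines, collapses hostnames to a registrable domain, looks each one up in a small constructed catalog standing in for a vendor's rated application database, and ranks the results by upload volume so the unsanctioned, higher-risk services surface first. The log format, catalog entries, risk scores and threshold are all assumptions for the example.

```python
import re

# Constructed proxy access-log lines in a Squid-like shape: timestamp, client IP, method,
# destination host:port, HTTP status, bytes sent by the client. Real vendor formats differ; adjust LOG_RE.
SAMPLE_PROXY_LOG = """\
1717000001.101 10.1.4.22 CONNECT dropbox.com:443 200 52428800
1717000002.230 10.1.4.22 CONNECT www.dropbox.com:443 200 10485760
1717000003.007 10.1.7.90 CONNECT outlook.office365.com:443 200 2048
1717000004.512 10.1.7.90 CONNECT login.microsoftonline.com:443 200 1024
1717000005.999 10.1.9.14 CONNECT api.openai.com:443 200 300000
1717000006.200 10.1.9.14 CONNECT chat.openai.com:443 200 120000
1717000007.414 10.1.4.22 CONNECT app.box.com:443 200 4096
1717000008.000 10.1.3.3 CONNECT WeTransfer.com:443 200 734003200
1717000009.100 10.1.3.3 CONNECT unknown-saas.example:443 200 512
"""

# Constructed stand-in for a vendor's rated cloud-service database:
# registrable domain -> (service name, category, risk score 1-10, sanctioned by IT?)
CATALOG = {
    "dropbox.com": ("Dropbox (personal)", "cloud storage", 7, False),
    "office365.com": ("Microsoft 365", "productivity", 2, True),
    "microsoftonline.com": ("Microsoft 365", "productivity", 2, True),
    "openai.com": ("ChatGPT", "generative AI", 8, False),
    "box.com": ("Box", "cloud storage", 3, True),
    "wetransfer.com": ("WeTransfer", "file transfer", 6, False),
}
UNKNOWN_RISK = 5  # services missing from the catalog get a medium score and land in the review queue

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s/]+)(?::\d+)?\S*\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def registrable_domain(host):
    """Collapse a hostname to its last two labels (enough for this catalog; not public-suffix aware)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Return the fields discovery needs, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"client": m["client"], "domain": registrable_domain(m["host"]), "bytes_out": int(m["bytes"])}


def discover_services(log_text):
    """Aggregate proxy traffic per cloud service, attach catalog risk data, rank by upload volume."""
    usage = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name, category, risk, sanctioned = CATALOG.get(
            rec["domain"], (rec["domain"], "uncategorized", UNKNOWN_RISK, False)
        )
        entry = usage.setdefault(name, {
            "service": name, "category": category, "risk": risk, "sanctioned": sanctioned,
            "users": set(), "bytes_out": 0, "requests": 0,
        })
        entry["users"].add(rec["client"])
        entry["bytes_out"] += rec["bytes_out"]
        entry["requests"] += 1
    report = []
    for entry in usage.values():
        row = dict(entry)
        row["users"] = len(entry["users"])  # distinct client IPs seen talking to the service
        report.append(row)
    report.sort(key=lambda r: r["bytes_out"], reverse=True)
    return report


def shadow_it(report, min_risk=6):
    """Unsanctioned services at or above the risk threshold: the first review queue for a CASB program."""
    return [r for r in report if not r["sanctioned"] and r["risk"] >= min_risk]


if __name__ == "__main__":
    for row in discover_services(SAMPLE_PROXY_LOG):
        flag = "" if row["sanctioned"] else "  <-- unsanctioned"
        print(f"{row['service']:<22} risk={row['risk']} users={row['users']} bytes_out={row['bytes_out']}{flag}")
```

Two design points carry over to a real deployment: aggregate on the catalog's service name rather than the raw hostname, otherwise one SaaS platform with several login and API domains is counted as several services, and give unknown domains a medium default score so they are reviewed rather than silently ignored.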
Access control and policy enforcement
Define which cloud services are sanctioned, blocked, or tolerated. Apply context-aware access policies: a sanctioned service may be accessible from managed corporate devices but blocked from personal devices, or accessible with full functionality on corporate networks but read-only on unmanaged devices.
Data loss prevention (DLP)
Apply DLP policies to data moving to and from cloud services: block uploads of files containing PII, credit card numbers, or classified content to personal cloud storage, alert when confidential documents are shared externally via sanctioned platforms, and monitor for bulk data downloads that could indicate insider exfiltration or credential compromise.
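The context-aware access rules and the DLP rules in the two sections above, combined into one added example (not code from any vendor): a small content classifier (Luhn-validated card numbers, a US SSN pattern, a document marking) feeds a policy function that decides on an activity using the service's sanctioned status, the device's management state and the action being performed. The activity fields, label names and rule ordering are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Pattern matching is the cheap first pass; the Luhn check removes most of the false positives
# (order numbers, timestamps) that a bare digit-run regex would flag as card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MARKING_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitivity labels detected in the content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PCI")
            break
    if SSN_RE.search(text):
        labels.add("PII")
    if MARKING_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


@dataclass
class Activity:
    """One cloud-app activity as an inline CASB sees it (constructed fields, not a vendor schema)."""
    user: str
    service: str
    category: str          # e.g. "cloud storage", "productivity"
    sanctioned: bool       # on the IT-approved list
    action: str            # "view" | "upload" | "download" | "share_external"
    device_managed: bool   # corporate-managed endpoint vs personal/BYOD
    content: str = ""      # body of the file or message being transferred


def evaluate(act):
    """Apply the context-aware rules; returns (verdict, reason) with verdict allow, block or alert."""
    labels = classify(act.content) if act.action in ("upload", "share_external") else set()
    # Rule 1: sensitive content leaving for an unsanctioned service is blocked on any device.
    if act.action == "upload" and not act.sanctioned and labels:
        return "block", f"{'/'.join(sorted(labels))} content to unsanctioned {act.category} ({act.service})"
    # Rule 2: sanctioned services are read-only from unmanaged devices (no upload, no download).
    if act.sanctioned and not act.device_managed and act.action in ("upload", "download"):
        return "block", f"{act.action} from unmanaged device; {act.service} is read-only off managed endpoints"
    # Rule 3: external sharing of labelled content on a sanctioned platform is allowed but alerted on.
    if act.action == "share_external" and act.sanctioned and labels:
        return "alert", f"external share of {'/'.join(sorted(labels))} content via {act.service}"
    # Everything else, including non-sensitive use of tolerated personal services, is allowed.
    return "allow", "no policy match"


if __name__ == "__main__":
    print(evaluate(Activity("alice", "Dropbox (personal)", "cloud storage", False,
                            "upload", True, "card on file: 4111 1111 1111 1111")))
    print(evaluate(Activity("alice", "Box", "cloud storage", True, "download", False)))
```

Note the ordering: the sensitive-content rule runs before the device rule so that a managed device still cannot push regulated data to personal storage, while a benign upload to the same personal service is tolerated rather than blocked outright, which matches the policy approach the FAQ below recommends.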
Threat protection
Detect compromised accounts accessing cloud services from anomalous locations, malware uploaded to cloud storage that is then synced to other devices, and unusual data access patterns that indicate insider threats or account takeover.
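The two signals named above, anomalous login location and unusual data access volume, as an added detection example over constructed SaaS audit events (not any product's code): a per-user location baseline flags logins from countries not previously seen, a sliding window counts downloads per user, and a correlation step reports users who trip both, which is the account-takeover pattern the paragraph describes. The event shape, baselines, window and threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BULK_THRESHOLD = 20                 # downloads per user inside the window before alerting
BULK_WINDOW = timedelta(minutes=15)

# Constructed per-user location baselines; in practice learned from weeks of login history.
BASELINES = {"alice": {"US"}, "bob": {"US", "DE"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_events():
    """Constructed audit events in the shape an API-based CASB pulls from a SaaS platform's audit log."""
    events = [
        {"ts": "2025-06-01T08:00:00Z", "user": "alice", "action": "login", "country": "US"},
        {"ts": "2025-06-01T08:05:00Z", "user": "alice", "action": "download", "country": "US", "file": "q3-forecast.xlsx"},
        {"ts": "2025-06-01T08:20:00Z", "user": "alice", "action": "login", "country": "RO"},
        {"ts": "2025-06-01T09:00:00Z", "user": "bob", "action": "login", "country": "DE"},
    ]
    start = parse_ts("2025-06-01T08:21:00Z")
    for i in range(25):   # a sweep of a shared folder: 25 files in 12 minutes from the new location
        t = start + timedelta(seconds=30 * i)
        events.append({"ts": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "user": "alice", "action": "download",
                       "country": "RO", "file": f"customers-{i:02d}.csv"})
    for i in range(3):    # bob's ordinary workday from a country already in his baseline
        t = parse_ts("2025-06-01T09:10:00Z") + timedelta(minutes=20 * i)
        events.append({"ts": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "user": "bob", "action": "download",
                       "country": "DE", "file": f"report-{i}.pdf"})
    return events


def detect(events, baselines):
    """Emit anomalous-location and bulk-download alerts from a stream of audit events."""
    alerts = []
    recent = defaultdict(deque)   # per-user download timestamps inside the sliding window
    bulk_flagged = set()          # alert once per user per run, not once per extra download
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t, user = parse_ts(ev["ts"]), ev["user"]
        if ev["action"] == "login" and ev["country"] not in baselines.get(user, set()):
            alerts.append({"type": "anomalous_location", "user": user, "country": ev["country"], "ts": ev["ts"]})
        elif ev["action"] == "download":
            q = recent[user]
            q.append(t)
            while t - q[0] > BULK_WINDOW:   # drop downloads that fell out of the window
                q.popleft()
            if len(q) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append({"type": "bulk_download", "user": user, "count": len(q), "ts": ev["ts"]})
    return alerts


def correlate(alerts):
    """Users with both a location anomaly and a bulk download: the account-takeover pattern."""
    signals = defaultdict(set)
    for a in alerts:
        signals[a["user"]].add(a["type"])
    return sorted(u for u, s in signals.items() if {"anomalous_location", "bulk_download"} <= s)


if __name__ == "__main__":
    found = detect(build_events(), BASELINES)
    for a in found:
        print(a)
    print("escalate:", correlate(found))
```

Either signal alone produces noise (travel, a legitimate folder migration); the correlation step is what turns two medium-confidence events into one worth an analyst's time, and the same structure extends to other signals such as mass external sharing.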
CASB Deployment Modes
CASB operates through three distinct deployment architectures, each with different coverage and limitations:
API-based (out-of-band)
Connects to sanctioned cloud services via their management APIs (Microsoft 365 API, Google Workspace API, Salesforce API) and scans content at rest: files in cloud storage, email in mailboxes, data in SaaS databases. API-based CASB can retrospectively scan existing content and enforce policies on data already in the cloud. It cannot intercept traffic in real time and does not cover unsanctioned services that have not been connected.
Proxy-based (inline)
Routes cloud service traffic through a CASB proxy (forward proxy for managed devices, reverse proxy for unmanaged devices), enabling real-time inspection and enforcement. It can cover any cloud service, including unsanctioned shadow IT, but requires steering traffic through the proxy via an agent, PAC file, or network-layer enforcement. Inline mode provides real-time DLP at the cost of added latency and that traffic-steering dependency.
Log-based discovery
Analyzes existing firewall, proxy, or SIEM logs to discover cloud service usage without requiring traffic redirection. Provides shadow IT visibility at low operational cost but cannot enforce policies in real time. Used as a starting point for CASB programs before full proxy deployment.
Platform Comparison
CASB is increasingly delivered as part of SSE and SASE platforms rather than as a standalone product:
Netskope
Purpose-built SSE platform with the deepest CASB capabilities in the market. Industry-leading cloud service database (over 50,000 rated applications). Best-in-class DLP with granular activity-level controls (can allow upload to Box but block download to Box from unmanaged devices). Strong data context: understands the content being transferred, not just the destination. Cons: premium pricing, complexity. Best for: organizations where data protection in cloud is the primary security investment.
Zscaler Internet Access (ZIA)
Combines SWG, CASB, and ZTNA in a cloud-delivered SSE platform. Strong for traffic-based policy enforcement and URL filtering. CASB capabilities are solid but less granular than Netskope for complex data protection scenarios. Better total cost of ownership for organizations wanting SWG + CASB + ZTNA from a single vendor. Best for: organizations consolidating network security into a SASE architecture.
Microsoft Defender for Cloud Apps (MDCA)
Microsoft's CASB offering included in Microsoft 365 E5. Strong API-based integration with Microsoft 365, Azure, and 70+ non-Microsoft SaaS apps. Deep integration with Conditional Access for device-aware access policies. Cons: shallower third-party app coverage than specialized platforms, less granular DLP for non-Microsoft services. Best for: Microsoft 365 organizations wanting CASB at no additional license cost as part of E5.
Skyhigh Security (formerly McAfee MVISION Cloud)
Deep DLP capabilities with strong enterprise data classification integration. Zero-trust network access alongside CASB. Best for organizations with mature DLP programs wanting to extend existing classification policies to cloud services.
CASB and SASE Architecture
The standalone CASB market is consolidating into SSE (Security Service Edge) platforms that combine CASB, SWG, ZTNA, and FWaaS into a unified cloud-delivered service. Gartner's SASE framework positions these capabilities as part of a broader network security transformation. Practical implication: if you are evaluating CASB as a standalone purchase, also evaluate whether an SSE platform would provide better coverage and consolidation value. Organizations that deploy Netskope, Zscaler, or Palo Alto Prisma as their SSE platform get CASB as an integrated capability rather than a separate product with separate administration.
Implementation: Starting with Shadow IT Discovery
Most CASB programs begin with shadow IT discovery before moving to enforcement.
- Phase 1 (weeks 1 to 4): connect log-based discovery to your existing firewall or proxy logs, identify the top 100 cloud services by usage volume, and categorize them by risk and business function.
- Phase 2 (months 1 to 3): deploy API-based CASB for your top 5 to 10 sanctioned cloud applications (Microsoft 365, Google Workspace, Salesforce, Box, Slack). Begin scanning for sensitive data at rest and configure basic DLP policies.
- Phase 3 (months 3 to 9): deploy inline proxy for real-time enforcement. Block clearly unsanctioned high-risk services (personal cloud storage from corporate devices), apply DLP policies to inline traffic, and implement device-aware access policies that restrict functionality on unmanaged devices.
The bottom line
CASB starts with visibility: you cannot govern what you cannot see. Shadow IT discovery via log analysis is the low-cost, low-risk first step that justifies further investment. API-based CASB for your top sanctioned applications delivers DLP value without traffic steering complexity. Inline proxy enforcement is the final step for comprehensive coverage. Match platform selection to where you are in this journey.
Frequently asked questions
Is CASB still a standalone product or is it part of SSE?
Both exist in the market. Dedicated CASB platforms (Netskope, Skyhigh) have expanded into full SSE suites. SSE platforms (Zscaler, Palo Alto Prisma) have strong CASB modules alongside SWG and ZTNA. Microsoft provides CASB capabilities as part of Microsoft 365 E5. The standalone CASB market is shrinking as most organizations prefer integrated platforms. When evaluating CASB, compare total SSE platform cost against standalone CASB to understand whether platform consolidation delivers better value.
What is the difference between CASB and SWG?
A Secure Web Gateway (SWG) filters internet web traffic: blocking malicious URLs, enforcing acceptable use policies for web browsing, and providing TLS inspection. CASB focuses specifically on cloud application traffic: discovering which cloud services are used, enforcing access policies for those services, and applying DLP to data moving to and from cloud applications. SWG has broader internet coverage; CASB has deeper cloud application intelligence. Modern SSE platforms combine both: using SWG for general web traffic and CASB for cloud application-specific controls.
Can CASB see traffic in encrypted apps like WhatsApp or Signal?
CASB can identify that WhatsApp or Signal traffic is occurring (by destination IP, domain, and certificate) and block or alert on it at the network level. It cannot decrypt the content of end-to-end encrypted communications. For corporate-sanctioned messaging platforms (Slack, Teams), API-based CASB can scan message content through the platform's management API. The use of personal messaging apps for business communication represents a governance risk that policy (acceptable use) and awareness training address better than technical inspection.
How does CASB handle unmanaged personal devices (BYOD)?
Reverse proxy deployment mode handles unmanaged devices: rather than requiring an agent on the device, the cloud service's authentication flow is routed through the CASB reverse proxy. The user authenticates to the cloud service through the proxy, which then applies session-level controls: allow read-only access, block downloads, prevent copy-paste, and apply watermarks. This gives organizations visibility and limited control over unmanaged device access without requiring MDM enrollment. Session controls are less granular than inline proxy controls on managed devices.
What data should we prioritize protecting with CASB DLP?
Start with the data types that create the highest regulatory and business risk: regulated personal data (PII, PHI, PCI cardholder data), intellectual property (source code, product designs, M&A documents), and financial data (non-public earnings information, contract terms). Configure DLP policies for these categories first using built-in classifiers (most CASB platforms include classifiers for common regulated data types). Add custom classifiers for organization-specific sensitive content after baseline protection is operational.
How do we handle legitimate business use of personal cloud storage?
The goal is not to block all personal cloud storage use but to prevent sensitive data from leaving via those channels. Policy approach: block uploads of files containing sensitive data patterns to personal cloud storage, allow general use of personal cloud storage for non-sensitive content, and require corporate accounts for any work-related cloud storage. Educate employees on why personal cloud storage creates data governance risks, and ensure sanctioned alternatives (OneDrive, Google Drive with corporate accounts) are easily accessible. Blanket blocking without alternatives drives employees to workarounds.
Sources & references
- Gartner Magic Quadrant for Security Service Edge 2025
- Netskope Cloud and Threat Report 2025
- Microsoft Defender for Cloud Apps Documentation
- McAfee/Skyhigh Security CASB Research
- Forrester Wave Security Service Edge 2025
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.