A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure.
CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies. The value of cloud access security brokers stems from their ability to give insight into cloud application use across cloud platforms and identity unsanctioned use. This is especially important in regulated industries. CASBs use auto-discovery to identify cloud applications in use and identify high-risk applications, high-risk users and other key risk factors. Cloud access brokers may enforce a number of different security access controls, including encryption and device profiling. They may also provide other services such as credential mapping when single sign-on is not available.
CASBs are particularly useful in organizations with shadow IT operations or liberal security policies that allow operating units to procure and manage their own cloud resources. The data that CASBs collect can be used for reasons other than security, such as monitoring cloud service usage for budgeting purposes. Vendors in the cloud access security space include SkyHigh Networks and Netskope.