Wiz
AcademyWhat is a Cloud Access Security Broker (CASB)?

What is a Cloud Access Security Broker (CASB)?

CASBs play a critical role in providing visibility into how businesses use the cloud. They enforce security and governance rules to mitigate the risk that cloud services or SaaS apps could become weak links in an organization’s security posture. Without a CASB, you may not know which applications, services, and data your business has exposed in cloud environments. How would you know if those resources are secure if you don’t know they exist?

Wiz Experts Team

What is a CASB?

A Cloud Access Security Broker is a service that operates as an intermediary between a business and cloud-based applications.

With a CASB, employees who want to use cloud services must first gain clearance through the CASB, which typically requires complying with preconfigured CASB security policy rules, enforcing requirements such as authentication, authorization, and encryption.

Why are CASBs important?

To understand why CASBs matter, you must first understand that while the cloud makes applications and data easy for anyone to access, it also makes it easy for users to make mistakes that lead to security risks.

CASBs help to mitigate these risks by providing visibility into which cloud services are being used, as well as determining whether they are being used in ways that meet security and compliance requirements.

CASB example

As an example of how a CASB could prevent critical security mistakes, imagine that your business’s accounting department chooses to use a cloud-based SaaS application to keep track of sales records that include personally identifiable information (PII) related to customers.

Since SaaS services are hosted in the cloud and require no special technical skills to operate, they can usually be launched in minutes by anyone. This means that the accounting department can start using a SaaS app without notifying the IT or cybersecurity team. As a result, people with expertise in cloud security may not even be aware that the application is being used, let alone whether it’s being used securely.

Meanwhile, because SaaS applications will happily store and manage any data that users upload into them, and your accountants may not be experts in compliance or cybersecurity, there is little to protect your accountants from using the SaaS solution to process PII in a way that violates your organization’s security rules. The SaaS app itself also has no knowledge of what those rules are or which types of security practices your organization requires.

Without a CASB solution in place, an seemingly benign activity like this could lead to a major security risk or compliance violation in the event that the PII is managed in an insecure way.
With a CASB, the accounting department’s attempt to use the SaaS application will be detected. The CASB will then notify the IT or cybersecurity department about the application, so that they can intervene and make sure it’s used in a secure way. The CASB could also potentially validate the specific ways that the accountants interact with the SaaS app and determine automatically whether they are insecure. For example, it could determine whether or not they are attempting to upload PII to the app.

How do CASBs work?

Most CASBs rely on multiple approaches to detecting unauthorized use of cloud services. They might inspect incoming and outgoing network traffic to determine which endpoints employees inside your business are connecting to, then validate whether those endpoints are associated with authorized cloud applications or services. A CASB could also encrypt traffic before it leaves the local network, providing another layer of security.


Advanced CASBs analyze data from a variety of sources in order to profile user behavior and detect deviations from the norm. For example, if a CASB notices that a user account that has previously never moved large volumes of data over the network is suddenly trying to upload hundreds of gigabytes to an external endpoint, it could flag the activity as a possible data exfiltration risk‍.

CASB as one step toward cloud security

While CASBs provide one layer of security to protect cloud environments, they are hardly sufficient on their own to address all types of cloud security threats.


The main purpose of CASB is to defend against the risk of rogue IT, unauthorized or non-compliant use of third-party cloud resources. Most CASBs are not designed to detect other types of cloud security risks, such as vulnerabilities within applications that businesses deploy using a cloud IaaS service or misconfigurations within cloud IAM rules. The latter types of risks are addressed by Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) solutions. 

So, while any business that uses SaaS applications or other third-party cloud resources can and should deploy a CASB solution as one pillar of its security strategy, it’s important to think holistically about cloud security and the other services needed to keep your organization safe.

Continue Reading

What is SOC 2 compliance?

Whether you offer Software-as-a-Service (SaaS) apps to customers, use SaaS apps yourself, or both, you need to be familiar with SOC 2 compliance. SOC 2 compliance rules provide a foundation for ensuring that sensitive data is managed in a secure way within the context of SaaS and other cloud-based services.

What is Cloud Security Posture Management (CSPM)?

In modern cloud environments, security monitoring and periodic audits won’t suffice for detecting threats before they turn into breaches. Instead, to achieve an environment that is as secure as possible, you need Cloud Security Posture Management, or CSPM. CSPM lays the foundation for minimizing the number of risks that exist within your clouds. CSPM tools help to automate cloud security, keeping cloud environments secure even as they grow larger and more complex.

Understanding AWS Security Groups

One of the fundamental challenges you face with a cloud computing service like AWS is that you can’t implement all of the security controls that would be available to you on-premises, since you don’t have access to the physical infrastructure that powers your cloud environment. For example, you can’t set up the same types of network firewalls, because you don’t control your cloud provider’s network infrastructure. What you can do, however, is take advantage of solutions like AWS Security Groups, a powerful framework for controlling which network traffic can flow to and from cloud-based virtual machines.

Top cloud vulnerabilities for 2022

The popularity of cloud computing has grown exponentially in recent years, reducing costs, improving availability of service, and driving collaboration. With increased access and infrastructure being hosted on public-facing, shared platforms, come security challenges that cannot be met using outdated controls from traditional data centers. Cloud vulnerabilities take many forms, and it has never been more important for organizations to secure their accounts, subscriptions, VPCs, access control lists, and security groups from threats.

Top cloud computing security challenges

Understanding which security challenges you face when deploying applications and data into cloud environments is the first step in securing your cloud. Those challenges may vary depending on how your cloud is configured and which clouds you use, but in general, the typical organization faces the following core challenges when it comes to cloud computing security.