
Understanding Cloud Access Security Brokers (CASB): Functions, Benefits, and Deployment Models

A Cloud Access Security Broker (CASB) sits between cloud service consumers and providers to enforce security, compliance, and governance policies, offering visibility, data protection, threat detection, and control over shadow IT, with various deployment modes and integration options for modern cloud environments.

Architects Research Society

What Is a Cloud Access Security Broker (CASB)?

A Cloud Access Security Broker (CASB) is an on‑premises or cloud‑based policy enforcement point positioned between cloud service consumers and cloud service providers (CSPs). It monitors cloud‑related activity and applies security, compliance, and governance rules to cloud resource usage. Typical CASB functions include:

User credential authentication, granting access only to approved cloud services.

Data protection through encryption, tokenization, or other means to prevent exposure of sensitive information.

Monitoring of cloud service activity to log, tag, and analyze user and entity behavior for anomalous usage or compromised credentials.

Data loss prevention (DLP) to keep sensitive data within the organization’s network.

Malware detection and remediation to keep malicious content out of the organization’s network.

The purpose of a CASB is to enhance an organization’s ability to securely use cloud services, acting as a “security node” that complements, rather than replaces, firewalls, IDaaS, and secure web gateways.

Why Do I Need a CASB?

Initially focused on discovering Shadow IT, CASBs now provide a four‑pillar capability set: data security, regulatory compliance, threat protection, and core visibility.

Visibility

As organizations adopt IaaS, PaaS, SaaS, and FaaS, centralized identity and access management erodes. CASBs help close the resulting security gaps, applying controls without hindering legitimate business activity while exposing shadow IT usage and true cloud spend.

Data Security

Many organizations migrate data to multiple clouds (AWS, Azure, GCP, SaaS apps) where shared responsibility models often shift security duties to the customer. While CSP infrastructures are generally secure, misconfigurations expose billions of files. CASBs add an extra layer of protection—through DLP, encryption, tokenization, and adaptive access control—to ensure sensitive data remains safe even when CSP controls are insufficient.

Most CASBs evolved from a focus on DLP and threat detection or on encryption/tokenization for privacy and data residency. Today, DLP remains central, detecting and blocking sensitive data in approved cloud services, though it may not capture how data is shared across services.

Compliance

Stricter privacy regulations such as GDPR, CCPA, LGPD, and industry standards (PCI DSS, SOX, HIPAA, etc.) drive the need for robust data‑privacy controls. CASBs help enforce data residency requirements, perform policy‑aware data classification, and benchmark security configurations against evolving regulatory demands.

Threat Detection and Prevention

CASBs protect against malware introduced via cloud storage and sync clients, leveraging advanced threat intelligence, real‑time scanning, and UEBA to detect compromised accounts, ransomware, and data exfiltration attempts.

How Does a CASB Work?

CASBs can be deployed inline as forward or reverse proxies, out of band through the cloud providers' APIs, or in a hybrid "multi‑mode" that supports both. Proxy mode offers deep, real‑time traffic inspection but may require endpoint agents to steer traffic through the broker; API mode works well with SaaS APIs and needs no agents, but it may miss some security functions (it acts after the fact rather than inline) and can suffer performance degradation under heavy API usage.

CASBs can run in on‑premises data centers, hybrid environments, or purely in the cloud, often integrating with ICAP‑enabled proxies and load balancers, and intercepting JDBC/ODBC database calls to enforce field‑level security.
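As an added illustration of the proxy mode described above (not code from the page or from any CASB vendor): a toy inline policy engine in Python that applies the sanctioned‑app check, a Luhn‑verified DLP rule for card numbers, and format‑preserving tokenization with the token vault held by the broker rather than the cloud provider. The host names and the sanctioned‑app set are constructed sample values.

```python
import re
import secrets

# Constructed sample policy; a real CASB would take this from its app catalogue.
SANCTIONED_APPS = {"crm.example.com", "files.example.com"}
# 13-16 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    # Luhn check so plain numeric IDs are not mistaken for card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    # Keeps the PAN's length and last four digits so the cloud app still accepts
    # the value, while the PAN-to-token map never leaves the broker.
    def __init__(self):
        self._to_token, self._to_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._to_token:
            while True:
                token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
                # Reject collisions and tokens that would still pass Luhn.
                if token not in self._to_pan and not luhn_ok(token):
                    break
            self._to_token[pan], self._to_pan[token] = token, pan
        return self._to_token[pan]

    def detokenize(self, token: str) -> str:
        return self._to_pan[token]

def inspect_request(app_host: str, body: str, vault: TokenVault) -> dict:
    # Block unsanctioned apps, tokenize valid PANs before forwarding, report for audit.
    if app_host not in SANCTIONED_APPS:
        return {"action": "block", "reason": "unsanctioned app", "body": None, "pans": 0}
    found = 0

    def replace(match):
        nonlocal found
        raw = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(raw):
            return match.group(0)  # numeric noise such as an order ID: leave as is
        found += 1
        return vault.tokenize(raw)

    new_body = PAN_RE.sub(replace, body)
    return {"action": "tokenize" if found else "allow", "reason": "", "body": new_body, "pans": found}
```

The audit dictionary is what a broker would log for UEBA and compliance reporting; the cloud app only ever receives the tokenized body.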

Is Voltage SecureData Sentry a CASB?

Voltage SecureData Sentry is a data‑protection security proxy that works for both cloud and on‑premises applications. It is not a traditional CASB because it does not cover the full four‑pillar functionality, but it can coexist with a CASB, providing strong data‑centric encryption, format‑preserving encryption, tokenization, and searchable encryption without exposing encryption keys.

Sentry can be deployed locally or in the cloud, communicates with ICAP‑enabled infrastructure, and applies security policies to data flowing to and from databases, preserving control over encryption keys and tokens.

Written by

Architects Research Society

A daily treasure trove for architects, expanding your view and depth. We share enterprise, business, application, data, technology, and security architecture, discuss frameworks, planning, governance, standards, and implementation, and explore emerging styles such as microservices, event‑driven, micro‑frontend, big data, data warehousing, IoT, and AI architecture.
