As your company grows, so does your reliance on cloud applications. Without proper oversight, cloud service usage can expose your organization to significant security vulnerabilities due to a lack of visibility and control. Implementing a Cloud Access Security Broker (CASB) can strengthen your organization’s cloud security, compliance posture, and visibility across sanctioned and unsanctioned applications.
CASB solutions—or what many now call CASB 2.0, also known as Secure Access Service Edge (SASE)—emerged from the need to protect cloud-hosted data. At a high level, these platforms govern how users interact with data, leveraging Data Loss Prevention (DLP) features to classify sensitive data and enforce access policies based on whether devices are “managed” (company-controlled) or “unmanaged” (personal or third-party owned).
What Types of Applications Are at Risk?
Unsanctioned IT (Shadow IT): These are applications employees use without IT’s knowledge or approval. Once organizations analyze secure web gateway traffic, many are surprised to find employees interacting with hundreds—or thousands—of these tools. For example, in today’s virtual meeting culture, some employees have adopted AI-based note-taking tools that transcribe and summarize meetings. But where is this data being stored? Who has access? What if sensitive IP or customer information is being captured?
Sanctioned IT: These are officially approved apps like Microsoft 365, Dropbox, Slack, Salesforce, and cloud providers like AWS, Azure, or Google Cloud. A CASB platform can identify misconfigurations (e.g., publicly accessible object storage) and detect sensitive data stored improperly within these environments.
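The discovery step described under Unsanctioned IT, as an added example that is not part of the original article: it aggregates secure web gateway traffic into a per-app list of users and upload volume, so the largest data flows to unapproved tools surface first. The log layout, the allow-list, and the `.example` hostnames are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of secure web gateway log lines. The column layout
# (timestamp, user, destination host, bytes uploaded) is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z,alice,contoso.sharepoint.com,48213
2024-05-01T09:03:40Z,bob,api.notetaker.example,9120344
2024-05-01T09:05:02Z,alice,app.notetaker.example,2210
2024-05-01T09:10:55Z,carol,files.sharebox.example,733102
2024-05-01T09:11:09Z,bob,slack.com,1904
2024-05-01T09:15:31Z,carol,api.notetaker.example,5120000
2024-05-01T09:16:00Z,dave,slack.com.sharebox.example,100
truncated line without the expected fields
"""

# Assumed allow-list of sanctioned app domains; subdomains also match.
SANCTIONED = {"sharepoint.com", "slack.com", "salesforce.com"}

def is_sanctioned(host, sanctioned=SANCTIONED):
    # Match on a label boundary so "slack.com.sharebox.example" is not trusted.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def app_key(host):
    # Naive grouping by the last two labels; production tooling would use
    # the public suffix list to find the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover_shadow_it(log_text, sanctioned=SANCTIONED):
    """Return (app, users, bytes_uploaded, requests) per unsanctioned app, largest upload first."""
    apps = defaultdict(lambda: {"users": set(), "bytes": 0, "requests": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[3].isdigit():
            continue  # skip malformed lines instead of aborting the report
        _ts, user, host, uploaded = row
        if is_sanctioned(host, sanctioned):
            continue
        entry = apps[app_key(host)]
        entry["users"].add(user)
        entry["bytes"] += int(uploaded)
        entry["requests"] += 1
    rows = [(a, sorted(e["users"]), e["bytes"], e["requests"]) for a, e in apps.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for app, users, uploaded, requests in discover_shadow_it(SAMPLE_LOG):
        print(f"{app:20} users={users} uploaded={uploaded} requests={requests}")
```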
What Should You Do About Shadow IT?
Many companies feel overwhelmed when faced with a long list of unsanctioned tools. Here’s a practical path forward:
- Start by asking “why.” Why are users turning to unsanctioned apps? Are existing toolsets lacking key features? For example, maybe your company uses OneDrive for storage, but a team prefers Dropbox for external collaboration due to sharing restrictions.
- Educate your users. In many cases, employees use what they know. Providing training on sanctioned tools can reduce reliance on shadow IT.
- Begin blocking rogue services. After addressing gaps and enabling collaboration, enforce controls. Most employees aren’t trying to exfiltrate sensitive data—but you shouldn’t leave the door open either.
Governing Access to Sanctioned Cloud Platforms
There are two main ways to manage access:
1. Proxy Agents
Often misunderstood, proxy agents are lightweight, easy to deploy, and capable of immediate inline enforcement. They can do things APIs can’t—like distinguishing between personal and corporate OneDrive accounts. In environments where all devices are corporate-owned and managed, proxy agents are highly effective.
2. APIs
Application Programming Interfaces (APIs) are especially useful for BYOD scenarios and external collaborators. APIs don’t require endpoint control and work directly with the cloud provider. However, they aren’t real-time. You’ll hear terms like “near real time,” which often means a response time of 20 to 30 seconds (ideal). But delays of 45 minutes or more, due to API rate limiting, are a serious concern.
Best practice: Look for a CASB solution that supports both API and agent-based deployment. Use agents to secure managed devices and APIs to monitor BYOD access. For unmanaged devices, block downloads and allow browser-based editing only.
Final Thoughts
When evaluating CASB tools, prioritize solutions that:
- Support both API and proxy agent architectures
- Provide real-time or near-real-time policy enforcement
- Offer granular DLP, cloud app discovery, and compliance monitoring
- Enable security teams to apply conditional access based on user identity, device type, and app risk
Test extensively, document your results, and consider the real-world implications of each deployment strategy.
At CyberOne, our experts help clients navigate cloud security strategy, from evaluating CASB platforms to managing SASE architecture and addressing shadow IT. Get in touch to see how we can help secure your cloud environment and ensure compliance.