Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

What is a CASB and How Does it Integrate with DLP?

What is a CASB and How Does it Integrate with DLP?

Blog Article Published: 12/19/2022

Originally published by DoControl.

Written by Corey O'Connor, DoControl.

Cloud Access Security Broker (CASB) solutions and Data Loss Prevention (DLP) are both aging technologies and markets, but conceptually are both very relevant for security and risk leaders. The need for controls to prevent the loss of sensitive data is obviously important when you consider the negative outcomes associated with a data breach, as well as the stringent compliance requirements for protecting sensitive data such as proprietary information and personal data.

What is CASB?

CASB solutions first entered the market as organizations initially started to adopt cloud technologies. Initially they were a great conduit to extend on-premises security policies into the cloud. Fast forward to today, traditional CASB policy enforcement points placed between cloud service consumers and providers are often hardcoded, and limited in terms of granularity to effectively interject data access security controls that work. There are many different modes and deployment options, that of course carry with them varied pros and cons.

Out-of-band mode lacks real-time context and features high latency. Inline mode bypasses larger files as they lack the ability to scan them in a timely manner. Both deployment modes are complex, difficult to deploy and manage, and provide a less than ideal end user experience. A modern approach is API-based and event-driven, allowing for granular data access policies to be orchestrated and initiated in a simple way; preventing data overexposure and exfiltration to sensitive company data.

What is DLP?

Well first of all it’s a dinosaur, as a technology it's been around longer than I’ve been alive. As its unambiguous name suggests it is essentially a preventative control that aims to prevent the loss of sensitive information and data.

A lot of traditional approaches to DLP create too many false positives, resulting in alert fatigue for security operations teams. Organizations will benefit from a more targeted, more actionable response – through the business context that is collected and tracked – in preventing the loss of sensitive data. By focusing on the applications that foster collaboration and productivity, organizations will drive the business forward in a secure way; closing the gap on sensitive data from being exposed to unauthorized parties and ultimately exfiltrated.

As mentioned above, while these technologies are in the twilight of their career, the need for controls to prevent data loss are still very much a high priority. Technology moves fast. There is now a need to modernize the approach to both of these solutions in order to be able to address the use cases modern businesses are challenged with.

CASB and DLP: A Marriage of Convenience of the New Power Couple?

Securing sensitive data and files within SaaS applications should be achieved through a combination of data access prevention and detection controls. Modern businesses today demand strong visibility throughout their IT estate for both sanctioned and unsanctioned cloud applications. They need to be able to continually assess and expose cloud application risk as well as remediate risk and support stringent compliance requirements involving access to sensitive data. CASB and DLP are very much hinged on one another, they should be intertwined and not siloed as one of the primary outcomes trying to be achieved through a CASB is to prevent data loss.

The Pillars for a Modern Approach to CASB


Strong visibility throughout all business-critical SaaS applications being utilized by internal and external entities is table stakes. You need to know what’s out there in order to protect it. Beyond users and assets you also need to understand which applications are installed, including all sanctioned and unsanctioned apps. Creating a comprehensive inventory exposes potential data access risks, and enables security teams to monitor all SaaS user and data activities and take appropriate action to remediate threats.


Automation is critical, but there should always be room for manual intervention (not everything should be automated!). Self-service remediation capabilities are needed to take immediate action against known threats as well as automated remediation without agents or inline proxies with the ability to orchestrate and initiate intervention workflow policies that aid in the prevention of sensitive data from becoming overexposed or exfiltrated.


Today, there are a number of industry and regulatory frameworks that organizations of all sizes and types need to comply with (as well as internal organizational policy). The controls and processes required to secure access to sensitive data and files are more stringent now than ever before. SaaS applications are a critical e-gress channel that is often out of the jurisdiction with a lot of traditional technologies in trying to prevent the loss of sensitive data. Organizations need to be able to classify the data, and have the right controls in place to protect sensitive data such as Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry (PCI) information.

The Pillars for a Modern Approach to DLP


A completely event-driven solution that leverages metadata to help better understand risk across the SaaS environment is the foundation for a next-gen DLP. You should be able to define enterprise data usage policies, report on policy violations, and implement secure data access controls that automatically prevent data exfiltration. You need to be able to report on internal and external user activity paired with anomaly-detection technology that way Security teams can quickly identify and respond to threats.


Implementing technologies such as natural-language processing (NLP) to scan files stored in cloud applications and analyze the text within to extract key phrases, entities and sentiment for classification. Being able to control who has access to certain data, redact sensitive information, and use a policy engine to create dynamic DLP policies that help remediate threats and satisfy stringent compliance and regulatory requirements.


Every interaction within your SaaS applications should be tracked and monitored, and a baseline of “normal” activity should be established for each individual user. This provides you the context to distinguish between “trusted” business activities and those that pose a risk of data loss, and any threat indicators are automatically detected and blocked. All data access anomalies that are detected should be redirected into SIEM/SOAR technologies and correlated with other detections for a more holistic view of security events.


Access to data should be provided and revoked on-demand. The principle of least privilege should be enforced beyond the identity layer, to better protect sensitive data and files within the SaaS estate. Policies need to be flexible, fully customizable, and triggered by the hundreds of various SaaS event types. This will help enforce consistent and granular data access controls that address an unlimited number of DLP use cases. Security teams need to be able to apply specific policies to groups, domains, and individuals based on risk.

Cloud Access Security Broker (CASB):

CASB solutions act as an intermediary between end users and cloud hosted services. These tools help identify data and files stored within applications, which end users have access, and allow security teams to implement data protection policies.

Data Loss Prevention (DLP):

DLP tools and processes aim to prevent sensitive data from becoming lost, misused, or accessed by unauthorized users. DLP solutions aim to proactively detect data breaches and/or data ex-filtration attempts, and respond by monitoring user activities and blocking sensitive data – both in use, in motion, and at rest.

Software as a Service (SaaS) Governance:

SaaS governance solutions are typically a combination of preventative and reactive measures to enable secure access to business-critical applications and data. SaaS governance tools should enforce the principle of least privilege at the SaaS application and data layer to secure sensitive files.

What are some of the common deployment methods for CASB solutions? What are some of the shortcomings?

Traditional CASB policy enforcement points placed between cloud service consumers and providers are often hardcoded, and limited in terms of granularity to effectively interject data access security controls that work. Out-of-band mode lacks real-time context as well as high latency. Inline mode bypasses larger files as it lacks the ability to scan them in a timely manner. Both deployment modes are complex, difficult to manage, and lack real-time propagation to detect and block unauthorized access to sensitive data.

How does DLP work in Software as a Service (SaaS) environments?

Most traditional DLP solutions do not effectively extend into SaaS/cloud environments, which is why organizations look to CASB tools better enforce security and compliance policies into the cloud.

Share this content on your favorite social network today!