What is CASB, and how does it support cloud security architecture?

A Cloud Access Security Broker is a security control point that sits between users and cloud services, providing visibility, data protection, and threat prevention across SaaS, PaaS, and IaaS. It discovers what cloud services are being used, enforces policies, and protects data wherever it resides in the cloud. By integrating with identity systems, it can enforce access controls, single sign-on, and session management, while applying data loss prevention, encryption or tokenization, and key management to protect sensitive information in motion and at rest. It also monitors for risky behavior and threats such as compromised accounts or unusual data transfers and can respond by blocking access or restricting data as needed. This capability supports cloud security architecture by adding a dedicated enforcement and visibility layer for cloud services, complementing identity, data protection, and monitoring programs. It helps uncover shadow IT, allowing governance over sanctioned and unsanctioned cloud usage and applying consistent policies across multiple cloud services. With data-centric protections, CASB enforces DLP, encryption, and access controls across SaaS, PaaS, and IaaS, ensuring policy alignment and risk management. It commonly integrates with SIEM, identity and access management, and cloud posture tools to deliver a unified view of risk and compliance. Deployment options enable API-based monitoring or live in-line control through proxy methods, enabling real-time policy enforcement without requiring changes to each cloud service. The other options describe unrelated technologies: a password storage device, an on-premises firewall, or a cloud hosting service, none of which capture the role and capabilities of a CASB.