
The 20 Most Common CASB Use Cases
As people and organizations adopt cloud services, Cloud Access Security Brokers (CASBs) have become a must-have for any information security team. CASBs provide critical capabilities such as governing access and activities in sanctioned and unsanctioned cloud services, securing sensitive data and preventing its loss, and protecting against internal and external threats. In short, CASBs let organizations extend their information protection policies and programs from on-premises infrastructure and applications to the cloud. For organizations considering a CASB deployment, it is useful to enumerate the specific use cases they expect to address within these broad topic areas, because those use cases drive both the functional requirements (what the CASB must be able to see and do) and the architectural, or deployment, requirements listed for each use case below.

Two conventions are used throughout. "IT-led" (sanctioned) services are those the IT organization administers; "business-led" (unsanctioned) services are those adopted directly by users or business units. The three deployment modes differ in coverage: API mode connects to a service's administrative API, so it covers only IT-led instances and acts on data at rest or after the fact; a forward proxy sits in the path of client traffic (browsers, mobile and desktop apps, sync clients) and can monitor and control any service in real time; a reverse proxy fronts an IT-led service through identity-provider redirection and therefore covers browser sessions only.

Here’s a list of the 20 most common CASB use cases.

GOVERN USAGE
▸▸ Use case 4: Govern access to Office 365 and other cloud services by device ownership class
▸▸ Use case 6: Monitor privileged accounts and prevent unauthorized activity in IaaS instances
▸▸ Use case 8: Monitor or control users' activities within Collaboration or Social Media without blocking those services
▸▸ Use case 14: Monitor or control advanced or cross-service activities in real time
▸▸ Use case 19: Protect against password email abuse
▸▸ Use case 20: Monitor or control users' activities even when they are accessing cloud services from a mobile or desktop app or sync client

SECURE DATA
▸▸ Use case 1: Prevent data exfiltration from an IT-led to any cloud service
▸▸ Use case 2: Enforce different policies for personal and corporate instances of the same cloud service
▸▸ Use case 5: Monitor sensitive data in Amazon S3 buckets
▸▸ Use case 7: Enforce an activity- or data-level policy across a category of cloud services
▸▸ Use case 9: Enforce conditional activity-level policies
▸▸ Use case 10: Enforce layered policies that include a "base" and "exception" policy
▸▸ Use case 11: Apply encryption based on conditional factors
▸▸ Use case 15: Find and protect sensitive data embedded in images

PROTECT AGAINST THREATS
▸▸ Use case 3: Block or remediate malware in IT-led and en route to/from business-led cloud services
▸▸ Use case 12: Detect and alert on user login anomalies
▸▸ Use case 13: Detect anomalies such as excessive downloads, uploads, or sharing within both IT-led and business-led services
▸▸ Use case 16: Block and quarantine zero-day malware in the cloud
▸▸ Use case 17: Recover from cloud-based ransomware infections
▸▸ Use case 18: Prevent data infiltration involving new employees
SECURE DATA

1. Prevent data exfiltration from an IT-led to any cloud service

For example, prevent the download of confidential content from a corporate-IT-led service such as Salesforce, Box, or even AWS S3 to a personal Dropbox or other file sharing service.

Functional Requirements
▸▸ See and control usage in both IT-led and business-led services
▸▸ Detect sensitive data, e.g., "confidential"
▸▸ Identify all unique content in motion and track its movement
▸▸ Be aware of context, e.g., activities such as "upload" and "download"
▸▸ Correlate users' identities (e.g., bob@netskope.com = bob123@yahoo.com = bobaran@gmail.com)
▸▸ Differentiate between internal and external domains
▸▸ Know corporate vs. personal accounts
▸▸ Recognize and enforce differing policies between service instances, e.g., corporate and personal
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction
▸▸ Surface data exfiltration activities in a user interface that is easy to understand

Deployment Requirements
▸▸ Forward proxy (monitor and control)
SECURE DATA

2. Enforce different policies for personal and corporate instances of the same cloud service

For example, prevent the upload of regulated information (such as data subject to FISMA, NERC, or PCI requirements) to any Dropbox instance EXCEPT the corporate IT-led instance of Dropbox.

Functional Requirements
▸▸ Detect sensitive data, e.g., data subject to FISMA, NERC, or PCI requirements
▸▸ Be aware of context, e.g., activities such as "upload" and "download"
▸▸ Know corporate vs. personal accounts
▸▸ Recognize and enforce differing policies between service instances, e.g., corporate and personal
▸▸ See and control usage in both IT-led and business-led services
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy (monitor and control)
PROTECT AGAINST THREATS

3. Block or remediate malware in IT-led and en route to/from business-led cloud services

For example, detect, quarantine, and block malware being downloaded from any cloud service in real time.

Functional Requirements
▸▸ Inspect, detect, block, and remediate malware in IT-led cloud services
▸▸ Inspect, detect, block, and remediate malware en route to/from business-led cloud services
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
GOVERN USAGE

4. Govern access to Office 365 and other cloud services by device ownership class

For example, offer web-based email access only to a BYOD device but full suite access to a corporate one.

Functional Requirements
▸▸ Understand different authentication protocols and federated identity across Office 365 and other cloud services
▸▸ Enforce access and activity policies based on device attributes, including classification of "managed" and "unmanaged"
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction (for forward proxy)

Deployment Requirements
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
SECURE DATA

5. Monitor sensitive data in Amazon S3 buckets

For example, alert when PCI data is discovered in AWS S3 buckets.

Functional Requirements
▸▸ Cloud DLP that can scan S3 buckets
▸▸ Specify all or individual S3 buckets
▸▸ Incident management workflow

Deployment Requirements
▸▸ API (IT-led only)
GOVERN USAGE

6. Monitor privileged accounts and prevent unauthorized activity in IaaS instances

For example, disallow creation, edit, or deletion of cloud instances, "buckets," or "clusters."

Functional Requirements
▸▸ Be aware of context, e.g., activities such as "create" and "edit" and objects such as "instances" and "buckets"
▸▸ Determine identity and control usage by user, group, and other enterprise directory attributes
▸▸ See and control usage in both IT-led and business-led services
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Forward proxy
SECURE DATA

7. Enforce an activity- or data-level policy across a category of cloud services

For example, block the download of personally identifiable information (PII) from ANY HR service if the user is outside of the HR team.

Functional Requirements
▸▸ Be aware of context, e.g., activities such as "upload" and "download"
▸▸ Correlate users' identities (e.g., bob@netskope.com = bob123@yahoo.com = bobaran@gmail.com)
▸▸ See and control usage in both IT-led and business-led services
▸▸ Integrate with enterprise directory to enforce policies at a group or organizational unit level
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy
GOVERN USAGE

8. Monitor or control users' activities within Collaboration or Social Media without blocking those services

For example, block any financial employee from posting "guarantee" or "recommend" alongside a stock ticker or company name on any Collaboration or Social Media service like Slack or Twitter, to comply with FINRA and other regulations.

Functional Requirements
▸▸ Integrate CASB with directory services to focus policy on a specific group, e.g., Investment Banking
▸▸ Be aware of context, e.g., activities such as "view," "post," and "create"
▸▸ See and control usage in both IT-led and business-led services
▸▸ Detect data violations using advanced DLP features including regular expressions, custom keyword dictionaries, and Boolean operators to focus on specific risky activities (e.g., for FINRA) or to set policies for a specific group (e.g., Finance)
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy (monitor and control)
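The DLP requirements in use case 5 (alert on PCI data found in S3 buckets) and use case 8 (regular expressions, custom keyword dictionaries and Boolean operators combined into a FINRA rule) can be made concrete with a small rule set. The Python below is an added example written for this page; it is not code from the ebook or from any CASB product. It assumes the CASB has already decrypted and decoded the transaction, so the detectors receive plain text. The in-memory "bucket" stands in for an S3 listing fetched over the AWS API, and the sample post, card numbers and company dictionary are all constructed for the example.

```python
import re

# ---- Use case 5: PCI data (card numbers) in object storage -------------------
# 13-19 digits with optional single space/dash separators. This is only a
# candidate: a bare digit regex matches order numbers and phone numbers too.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most of the false positives the regex produces."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return Luhn-valid primary account numbers found in text (digits only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four so the incident record never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bucket(objects):
    """objects: {key: body}. Returns {key: [masked PANs]} for offending objects."""
    findings = {}
    for key, body in objects.items():
        pans = find_pans(body)
        if pans:
            findings[key] = [mask(p) for p in pans]
    return findings


# ---- Use case 8: Boolean/proximity rule for FINRA-style posts ----------------
# Custom keyword dictionary written as stems, so "guaranteed" and "recommends"
# hit as well as the base words.
FINRA_TERMS = re.compile(r"(guarantee\w*|recommend\w*)", re.IGNORECASE)
# Constructed dictionary of tickers / company names the firm covers.
COMPANY_DICT = {"ACME", "GLOBEX"}


def finra_violation(text: str, window: int = 8) -> bool:
    """True when (guarantee* OR recommend*) occurs within `window` words of a
    covered ticker or company name: the AND/NEAR combination the page calls
    'Boolean operators'. Either term alone, or a ticker alone, is not a hit."""
    words = [w.strip(".,;:!?'\"()") for w in text.split()]
    term_pos = [i for i, w in enumerate(words) if FINRA_TERMS.fullmatch(w)]
    name_pos = [i for i, w in enumerate(words) if w.lstrip("$").upper() in COMPANY_DICT]
    return any(abs(i - j) <= window for i in term_pos for j in name_pos)


# ---- Constructed sample data -------------------------------------------------
BUCKET = {  # stands in for an S3 listing; 4111... is the standard Visa test number
    "exports/customers.csv": "customer,card\nalice,4111 1111 1111 1111\nbob,1234-5678-9012-3456\n",
    "logs/app.log": "2018-01-05 login ok user=alice\n",
}
SLACK_POST = "I recommend buying $ACME now, it's a guaranteed winner before earnings"

if __name__ == "__main__":
    print(scan_bucket(BUCKET))          # {'exports/customers.csv': ['411111******1111']}
    print(finra_violation(SLACK_POST))  # True
```

The second card number in the CSV fails the Luhn check and is dropped, which is the point of pairing the regex with a validator: the incident workflow in use case 5 only stays usable if the scanner is not paging on every 16-digit string. The proximity window is the tunable part of the FINRA rule; a firm would set it from its own false-positive review rather than from this example.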
SECURE DATA

9. Enforce conditional activity-level policies

For example, block the sharing of content by a corporate "insider" with anyone outside of the organization from ANY Cloud Storage service if it is the organization's financial reporting quiet period.

Functional Requirements
▸▸ Be aware of context, e.g., activities such as "share"
▸▸ See and control usage in both IT-led and business-led services
▸▸ Differentiate between internal and external domains
▸▸ Enforce "set-it-once" policies across categories of services
▸▸ Detect and enforce policies by IP address, network location, or geolocation
▸▸ Integrate with enterprise directory to enforce policies at a group or organizational unit level
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
SECURE DATA

10. Enforce layered policies that include a "base" and "exception" policy

For example, prevent the upload of confidential data to ANY Cloud Storage service except the corporate IT-led Google Drive.

Functional Requirements
▸▸ Support for policies with "allow" and "block" actions
▸▸ Support for category-level policies
▸▸ Differentiate between instances of cloud services

Deployment Requirements
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
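Use cases 2, 7, 9 and 10 describe one mechanism: instance-aware, category-level rules ordered so that an "exception" is evaluated before the "base" rule it carves out of. The Python below is an added example written for this page (not the ebook's code and not any vendor's policy engine) that expresses those four example policies and evaluates them against constructed transactions. It assumes the CASB has already decoded the transaction and attached the app, its category, the instance (corporate vs. personal), the activity, the DLP labels and the user's directory groups; all field and rule names are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One policy line. A None/empty field means 'any'."""
    name: str
    action: str                                   # "allow" or "block"
    category: Optional[str] = None                # e.g. "Cloud Storage"
    app: Optional[str] = None                     # e.g. "Google Drive"
    instance: Optional[str] = None                # "corporate" or "personal"
    activities: FrozenSet[str] = frozenset()
    labels: FrozenSet[str] = frozenset()          # DLP labels; any overlap matches
    groups: FrozenSet[str] = frozenset()          # rule applies only to these groups
    exempt_groups: FrozenSet[str] = frozenset()   # rule never applies to these groups
    condition: Optional[Callable[[dict], bool]] = None  # extra context test

    def matches(self, tx: dict) -> bool:
        if self.category and tx["category"] != self.category:
            return False
        if self.app and tx["app"] != self.app:
            return False
        if self.instance and tx["instance"] != self.instance:
            return False
        if self.activities and tx["activity"] not in self.activities:
            return False
        if self.labels and not (self.labels & tx["labels"]):
            return False
        if self.groups and not (self.groups & tx["groups"]):
            return False
        if self.exempt_groups & tx["groups"]:
            return False
        if self.condition and not self.condition(tx):
            return False
        return True


def evaluate(rules, tx: dict) -> Tuple[str, str]:
    """First matching rule wins, so an exception must be listed before the base
    rule it overrides. No match means the default action, allow."""
    for rule in rules:
        if rule.matches(tx):
            return rule.action, rule.name
    return "allow", "default"


POLICY = [
    # Use case 10 (and 2): the instance-specific exception, then the category-wide base rule.
    Rule("allow confidential upload to corporate Google Drive", "allow",
         app="Google Drive", instance="corporate",
         activities=frozenset({"upload"}), labels=frozenset({"confidential"})),
    Rule("block confidential upload to any Cloud Storage", "block",
         category="Cloud Storage",
         activities=frozenset({"upload"}), labels=frozenset({"confidential"})),
    # Use case 7: PII download from any HR app unless the user is in the HR team.
    Rule("block PII download from HR apps outside HR team", "block",
         category="HR", activities=frozenset({"download"}),
         labels=frozenset({"PII"}), exempt_groups=frozenset({"HR"})),
    # Use case 9: insiders may not share externally during the quiet period.
    Rule("block external share by insiders in quiet period", "block",
         category="Cloud Storage", activities=frozenset({"share"}),
         groups=frozenset({"Insiders"}),
         condition=lambda tx: tx["quiet_period"] and tx["external_recipient"]),
]


def transaction(**overrides) -> dict:
    """Constructed decoded transaction; the defaults are a personal Dropbox upload."""
    tx = dict(user="bob", groups=frozenset(), category="Cloud Storage",
              app="Dropbox", instance="personal", activity="upload",
              labels=frozenset(), quiet_period=False, external_recipient=False)
    tx.update(overrides)
    return tx


if __name__ == "__main__":
    for tx in (
        transaction(app="Google Drive", instance="corporate", labels=frozenset({"confidential"})),
        transaction(app="Google Drive", instance="personal", labels=frozenset({"confidential"})),
        transaction(labels=frozenset({"confidential"})),
        transaction(category="HR", app="Workday", activity="download",
                    labels=frozenset({"PII"}), groups=frozenset({"Finance"})),
    ):
        print(tx["app"], tx["instance"], tx["activity"], "->", evaluate(POLICY, tx))
```

The instance field is what separates this from a URL filter: the corporate and personal Google Drive uploads have the same hostname and the same API calls, and the only way to tell them apart is to decode the transaction and read which account it belongs to, which is why every page in this ebook lists that requirement. Note also that a first-match engine makes rule order part of the policy; swapping the first two rules silently turns the exception into dead code, so ordering should be tested the way the assertions below do.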
SECURE DATA

11. Apply encryption based on conditional factors

For example, apply strong encryption with enterprise key management to confidential intellectual property such as next-generation product designs.

Functional Requirements
▸▸ Be aware of context, e.g., activities such as "upload"
▸▸ See and control usage in both IT-led and business-led services
▸▸ Apply strong encryption to sensitive content with enterprise key management
▸▸ Integrate with a KMIP-compliant, on-premises key manager
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
PROTECT AGAINST THREATS

12. Detect and alert on user login anomalies

For example, detect users logging into a cloud service from two different locations with the same credentials, indicating a potentially compromised account.

Functional Requirements
▸▸ Correlate users' identities (e.g., bob@netskope.com = bob123@yahoo.com = bobaran@gmail.com)
▸▸ See usage in both IT-led and business-led services
▸▸ Use machine learning to detect cloud behavior anomalies
▸▸ Detect IP addresses, network location, or geolocation
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Reverse proxy (IT-led only, browser only)
▸▸ Forward proxy
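The "two locations, same credentials" example above is usually implemented as an impossible-travel check: consecutive logins by the same person are compared, and the pair is flagged when the implied ground speed is faster than an airliner. The Python below is an added example written for this page, not the ebook's code or a vendor's detector. It assumes the login events have already been collected (API or proxy) and enriched with geo-IP coordinates; the events, the identity map (built from the page's own bob@netskope.com = bob123@yahoo.com example) and the IP addresses are constructed.

```python
import math
from datetime import datetime, timezone

# Identity correlation (a functional requirement above): every login name the
# CASB sees maps to one canonical user. Constructed mapping for the example.
IDENTITY_MAP = {
    "bob@netskope.com": "bob", "bob123@yahoo.com": "bob", "bobaran@gmail.com": "bob",
    "alice@netskope.com": "alice",
}


def canonical(login: str, identity_map) -> str:
    return identity_map.get(login, login)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, identity_map=IDENTITY_MAP,
                             max_kmh=900.0, min_km=100.0):
    """Flag consecutive logins by the same canonical user whose implied speed
    exceeds max_kmh. min_km ignores geo-IP jitter inside one metro area, so two
    logins a few kilometres apart a second apart are not an alert."""
    by_user = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(canonical(e["login"], identity_map), []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            secs = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds()
            hours = max(secs, 1.0) / 3600.0      # floor at one second: no divide by zero
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            kmh = km / hours
            if km >= min_km and kmh > max_kmh:
                alerts.append({
                    "user": user,
                    "logins": (prev["login"], cur["login"]),
                    "apps": (prev["app"], cur["app"]),
                    "ips": (prev["ip"], cur["ip"]),
                    "km": round(km), "kmh": round(kmh),
                })
    return alerts


# Constructed login events as collected via API/proxy, already enriched with
# geo-IP coordinates (the enrichment step is assumed, not shown). IPs are from
# the RFC 5737 documentation ranges; coordinates are city centres.
EVENTS = [
    {"login": "bob@netskope.com", "app": "Office 365", "ts": "2018-01-05T09:00:00Z",
     "ip": "203.0.113.10", "lat": 37.3861, "lon": -122.0839},   # Mountain View
    {"login": "alice@netskope.com", "app": "Salesforce", "ts": "2018-01-05T09:05:00Z",
     "ip": "198.51.100.7", "lat": 51.5074, "lon": -0.1278},     # London
    {"login": "bob123@yahoo.com", "app": "Dropbox", "ts": "2018-01-05T10:30:00Z",
     "ip": "192.0.2.44", "lat": 55.7558, "lon": 37.6173},       # Moscow
    {"login": "alice@netskope.com", "app": "Box", "ts": "2018-01-05T14:00:00Z",
     "ip": "198.51.100.9", "lat": 52.5200, "lon": 13.4050},     # Berlin
]

if __name__ == "__main__":
    for alert in detect_impossible_travel(EVENTS):
        print(alert)   # one alert: bob, Mountain View -> Moscow in 90 minutes
```

The second login in the alert is to a personal Dropbox account, a business-led service, under a different login name. Run with an empty identity map and the same events produce no alert at all, because bob@netskope.com and bob123@yahoo.com are then two users with one login each. That is the practical reason identity correlation and business-led visibility both appear in the requirements: the compromised credential is often first used somewhere IT does not administer.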
PROTECT AGAINST THREATS

13. Detect anomalies such as excessive downloads, uploads, or sharing within both IT-led and business-led services

For example, detect excessive download of sensitive customer data from Salesforce.

Functional Requirements
▸▸ Be aware of context, e.g., activities such as "download" and "share"
▸▸ See and control usage in both IT-led and business-led services
▸▸ Use machine learning and rules to detect anomalies that could signal risky behavior, non-compliance, data exposure, or even malware
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
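The requirement to combine "machine learning and rules" is easiest to see on the Salesforce example: a fixed rule catches any user who pulls more than an absolute ceiling of sensitive records, while a per-user baseline catches the user whose volume is abnormal for them even if it is modest in absolute terms. The Python below is an added example written for this page, not the ebook's code or a vendor's model; a robust median/MAD baseline stands in for whatever model a product actually uses. The per-user daily download counts are constructed.

```python
import statistics

# Constructed per-user counts of "download" events on sensitive Salesforce
# records over the previous 14 days (the baseline) and for today.
HISTORY = {
    "bob":   [8, 6, 9, 7, 10, 5, 8, 9, 6, 7, 11, 8, 7, 9],
    "alice": [40, 35, 52, 44, 38, 47, 50, 41, 39, 45, 48, 42, 46, 44],
}
TODAY = {"bob": 240, "alice": 53}


def modified_zscore(value, baseline):
    """Median/MAD based score (Iglewicz and Hoaglin). Unlike a mean/stddev
    z-score it is not dragged upward by a user's own earlier spikes, so one
    past exfiltration does not mask the next one."""
    med = statistics.median(baseline)
    mad = statistics.median([abs(x - med) for x in baseline])
    if mad == 0:            # perfectly flat baseline: use one unit so a jump still scores
        mad = 1.0
    return 0.6745 * (value - med) / mad


def detect_excessive_downloads(history, today, z_threshold=3.5,
                               hard_limit=200, min_days=7):
    """Two detectors: a per-user statistical baseline and a fixed rule.
    Users without enough history (cold start) get the rule only."""
    findings = []
    for user, count in today.items():
        baseline = history.get(user, [])
        reasons = []
        if len(baseline) >= min_days:
            z = modified_zscore(count, baseline)
            if z > z_threshold:
                reasons.append("z=%.1f vs median %d" % (z, statistics.median(baseline)))
        if count > hard_limit:
            reasons.append("count %d > limit %d" % (count, hard_limit))
        if reasons:
            findings.append({"user": user, "count": count, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_excessive_downloads(HISTORY, TODAY):
        print(f)   # bob is flagged by both detectors; alice by neither
```

Alice's 53 records is above her median but well inside her normal spread, so she is not flagged; the same count would be a strong anomaly for bob, whose baseline is a single digit. The baseline should be keyed on the canonical identity from use case 12, not on the raw login name, or a user can reset their own history by switching accounts.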
GOVERN USAGE

14. Monitor or control advanced or cross-service activities in real time

For example, "Edit in Box" or "Save to Dropbox" from Slack, or enforce which services can integrate and share data with your G Suite.

Functional Requirements
▸▸ Be aware of context, e.g., activities such as "edit," "sync," and "save"
▸▸ See and control usage in both IT-led and business-led (including ecosystem) apps
▸▸ Identify and control integration with ecosystem services
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy (monitor and control)
PROTECT AGAINST THREATS

15. Find and protect sensitive data embedded in images

For example, find and stop patient data embedded in an x-ray image being uploaded to a personal cloud service.

Functional Requirements
▸▸ Cloud DLP with OCR (Optical Character Recognition) capability
▸▸ Ability to scan IT-led cloud services with OCR-supported cloud DLP
▸▸ Ability to apply OCR to cloud traffic to and from business-led cloud services

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
PROTECT AGAINST THREATS

16. Block and quarantine zero-day malware in the cloud

For example, detect and quarantine new strains of malware present in IT-led cloud services, and block this type of malware en route to and from business-led cloud services.

Functional Requirements
▸▸ Support for cloud-based inspection with dynamic analysis using a cloud-based sandbox
▸▸ Support for multiple threat intelligence mechanisms, including external and internal
▸▸ Support quarantine workflows that are malware-centric

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
PROTECT AGAINST THREATS

17. Recover from cloud-based ransomware infections

For example, alert when a ransomware infection has taken place and provide a seamless workflow to recover from the infection.

Functional Requirements
▸▸ Use 70 different signals to identify unauthorized encryption
▸▸ Integration with cloud storage apps like OneDrive to enable "roll-back" functionality
▸▸ A streamlined UI to enable an intuitive workflow for rolling back infected content to its pre-infected state

Deployment Requirements
▸▸ API (IT-led only)
PROTECT AGAINST THREATS

18. Prevent data infiltration involving new employees

For example, block new employees from uploading confidential data from their previous employer to their new company's IT-led cloud service.

Functional Requirements
▸▸ Integrate "new employee" policy with enterprise directory
▸▸ Use custom keyword dictionary to delineate sensitive competitor documents
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ API (IT-led only)
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
GOVERN USAGE

19. Protect against password email abuse

For example, block passwords being sent via any webmail app.

Functional Requirements
▸▸ Cloud DLP with custom keyword dictionaries to incorporate any variation of keyword that may signal that a password is being shared
▸▸ Cloud DLP support for business-led webmail accounts (hundreds)
▸▸ Support for category-level policies with specific support for webmail
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
GOVERN USAGE

20. Monitor or control users' activities even when they are accessing cloud services from a mobile or desktop app or sync client

For any of the real-time use cases that require a forward proxy, support should be extended to mobile apps, desktop apps, and sync clients.

Functional Requirements
▸▸ Inspect and control cloud traffic even when it originates from a mobile or desktop app or sync client
▸▸ See and control usage in both IT-led and business-led services
▸▸ Enforce policy action such as block, coach, or justify in real time
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction (for forward proxy)

Deployment Requirements
▸▸ Forward proxy (monitor and control)
In summary, the use cases by topic area:

GOVERN USAGE
▸▸ Monitor or control users' activities even when they are accessing cloud services from a mobile or desktop app or sync client
▸▸ Govern access to Office 365 and other cloud services by device ownership class
▸▸ Monitor privileged accounts and prevent unauthorized activity in IaaS instances
▸▸ Monitor or control users' activities within Collaboration and Social Media without blocking those services
▸▸ Monitor or control advanced or cross-service activities in real time

SECURE DATA
▸▸ Prevent data exfiltration from a sanctioned to an unsanctioned service
▸▸ Enforce different policies for personal and corporate instances of the same cloud service
▸▸ Enforce an activity- or data-level policy across a category of services
▸▸ Enforce conditional activity-level policies
▸▸ Enforce layered policies that include a "base" and "exception" policy
▸▸ Apply encryption based on conditional factors

PROTECT AGAINST THREATS
▸▸ Block or remediate malware in sanctioned and en route to/from unsanctioned cloud services, even in mobile and desktop apps and sync clients
▸▸ Detect and alert on user login anomalies
▸▸ Detect anomalies such as excessive downloads, uploads, or sharing, within both sanctioned and unsanctioned services
▸▸ Prevent data infiltration involving new employees

©2018 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Discovery, Cloud Confidence
Index, and SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective owners. 01/18 EB-198-1
