Most of a user's day happens in the cloud — Microsoft 365, Salesforce, Slack, ServiceNow, generative-AI assistants, and a long tail of tools nobody in IT formally approved. Where the secure web gateway, ZTNA, and firewall-as-a-service decide whether a user or device may reach a resource, CASB and DLP govern what happens to the data once traffic is flowing. Cisco Secure Access is a cloud-delivered Security Service Edge (SSE) platform, and within it CASB is the policy enforcement point between users and cloud services — SaaS, web apps, and generative AI. The CASB component is powered by Cisco Umbrella, which supplies application discovery, risk scoring, and SaaS API integrations.
Think of CASB as a customs checkpoint at a busy international airport. Travelers (users) constantly cross a border into foreign territory (cloud apps). Without a checkpoint, anyone could carry anything across in either direction and no record would exist. CASB installs the checkpoint: it logs who crosses, into which country, and — with DLP — inspects what is in their bags.
Key Points
- CASB is powered by Cisco Umbrella and turns the traffic Secure Access already carries into visibility, judgment, and control.
- App Discovery classifies every DNS/HTTP(S) request into a specific app (Dropbox, Slack, ChatGPT) and attributes it to identities and departments via your IdP.
- Risk scoring assigns each discovered app a profile from business risk, reputation, and usage type — letting you flag high-risk Shadow IT instead of eyeballing app names.
- Control layers include app-access policies, risk-based policies, granular per-transaction controls (allow login but block upload), and OAuth token revocation inside SaaS tenants.
- Two architectural modes: inline (real-time proxy, data in motion) and API-based (out-of-band, data at rest) — the strongest posture combines both.
Cloud app discovery and risk scoring
Every DNS query and HTTP/HTTPS request through Umbrella is logged and classified into a specific application, surfaced under views such as Reporting > App Discovery. Because Secure Access correlates that usage with identities and groups from your IdP, activity ties not just to an app but to specific users or departments. CASB addresses Shadow IT three ways: App Discovery dashboards reveal discovered and flagged apps by risk and category; risk-based classification assigns each app a profile from business risk, reputation, and usage type; and app groups and categories ("File storage," "Generative AI," "Social media") let policy apply per category or risk level.
Worked example. An analyst opens App Discovery and sees a spike to an unrecognized file-sharing domain: 34 Sales users, ~2 GB uploaded over the weekend, and a high risk score from poor reputation and a "consumer file storage" usage type. Rather than an all-hands email, the analyst adds the app to a high-risk group and attaches a policy — discovery, attribution, scoring, and decision all inside one console.
Tenant controls and app blocking
Once apps are discovered and scored, CASB acts as an intermediary enforcing usage policy through three broad types: app access policies (detect, report on, and block selected apps including generative AI); risk-based policies (attach risk profiles so you can express "block all apps with risk score ≥ X"); and OAuth app controls (discover, block, and revoke risky third-party plug-ins inside Microsoft 365 and Google Workspace by revoking their OAuth tokens). Enforcement happens at several layers — DNS/SWG inline blocking, per-transaction controls (allow login but block file upload; allow view but block download/share), and token revocation reaching directly into the SaaS tenant.
Inline vs. API CASB
CASB is delivered in two architectural modes, and this split is the single most important concept in the chapter because DLP inherits it. Inline (proxy-based) CASB reroutes traffic through a proxy between users and cloud apps, inspecting data in motion and enforcing policy synchronously — so a prohibited action can be stopped before it completes. The trade-off: traffic steering is mandatory, and anything that bypasses the proxy (a native mobile app, a thick client, an unmanaged home device) is invisible to it. API-based (out-of-band) CASB integrates directly with sanctioned SaaS tenants via their APIs, reading events, files, and configuration inside the tenant without being on the network path. It sees all access paths plus historic data at rest, but enforcement is asynchronous — arriving seconds after an action. Cisco packages the combined dual approach as "multimode DLP."
Figure 7.1: Shadow-IT discovery-to-control workflow
(DNS + HTTP/HTTPS)"] --> B["Classify into a specific app
(App Discovery)"] B --> C["Attribute to identity / department
(via IdP)"] C --> D["Assign risk score
(business risk · reputation · usage type)"] D --> E["Group into app category
(File storage · Generative AI · Social)"] E --> F{"Decision"} F -->|"Low risk"| G["Allow"] F -->|"Medium risk"| H["Allow but monitor / restrict"] F -->|"High risk"| I["Block or revoke access"]
Figure 7.2: Inline (proxy) vs. API-based CASB/DLP interception paths
(browser, proxied)"] -->|"HTTP(S)"| P["Inline CASB / DLP
proxy · data in motion
synchronous block"] P -->|"allowed traffic"| S["Sanctioned SaaS
(M365 · Slack · ServiceNow)"] M["Mobile app / sync client
(bypasses proxy)"] --> S S -.->|"events · files · sharing state"| API["API CASB / DLP
out-of-band · data at rest
async remediate"] subgraph SSE["Cisco Secure Access (SSE cloud)"] P API end
Key Takeaway
- CASB, powered by Cisco Umbrella, turns carried traffic into visibility (App Discovery), judgment (risk scoring), and control (app blocking, per-transaction controls, OAuth token revocation) — operating in inline and API-based modes whose combination gives the strongest posture.