How CASB is Different from a Web Proxy or Firewall?

As IT teams begin to look at cloud access security broker (CASB) features, a common question arises around already adopted web proxy and/or firewalls. If you have found yourself asking “we already have a web proxy and/or firewall, how is this different?” or “does CASB replace my web proxy / firewall?” Welcome to the right place.


These are natural questions because web proxies and firewalls have visibility into all traffic over the corporate network including traffic to and from cloud services. However, there are significant differences between existing network security solutions and a CASB. Let’s first dispel a major misconception: a CASB is not a replacement for existing network security tools, and vice versa.


Cloud access security brokers (CASBs) are security solutions placed between cloud service consumers and providers, enforcing security policies when users or entities want to access cloud-based resources. CASBs are a key element of enterprise security because they enable businesses to leverage cloud services while protecting sensitive data.


The original purpose of a CASB was to provide visibility into all the cloud services in an enterprise infrastructure. In the war against "shadow IT" and its use of unapproved cloud services, the CASB was one of the first purpose-built weapons. Deployed at the network edge and using a variety of proxy types, the CASB could identify every call to or connection from a cloud service, whether or not the cloud was approved.


Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorisation, credential mapping, device profiling, encryption, tokenisation, logging, alerting, malware detection/prevention and so on.


CASB is separate from proxies and firewalls. While CASBs can be deployed in forward or reverse proxy mode to enforce inline controls, the similarities to web proxies stops there. Unlike network security solutions that focus on a wide variety of inbound threats and filtering for millions of potentially illicit websites, a CASB is focused on deep visibility into and granular controls for cloud usage. A CASB can also be deployed in an API mode to scan data at rest in cloud services and enforce policies across this data.


Here are some of the high-level functions of a CASB not available in existing network security solutions:

Risk assessment for each cloud service

Provide a detailed, independent risk assessment for each cloud service (e.g. compliance certifications, recent data breaches, security controls, legal jurisdiction).

Enforce risk-based policies

AI Threat Detection

Contextual access for users

Data-centric policy control

Real time threat reactions


Citrix CASB solutions

A strong cloud access security broker bridges gaps in security created by distributed and hybrid environments by enhancing visibility and control over how applications and data are accessed. Citrix Secure Internet Access (SIA) sits in-line between the user and the SaaS applications. The traffic from user devices goes through Citrix SIA, enabling holistic visibility into SaaS apps. IT teams can see the apps at a glance or opt for a more detailed view per app. This solution also offers granular control of SaaS app access, enabling domain restrictions for productivity apps and detailed control of social media at the functional level.