← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 09 · Multi-Cloud Security Curriculum

CASB, DLP & SaaS Security

~60 minutes covering Cloud Access Security Brokers, Data Loss Prevention, SaaS security posture, Shadow IT, OAuth governance, and insider threat detection.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Topics Covered

#TopicTime
1Core Concepts: CASB, DLP, SSPM, Shadow IT10 min
220 Interview Q&As20 min
325 MCQs15 min
4Sim: CASB Deployment Mode Selector4 min
5Sim: Shadow IT Risk Rater4 min
6Sim: DLP Policy Action Selector4 min
7Sim: OAuth App Permission Rater3 min
💡 CASB and DLP are high-frequency topics in cloud security interviews. Know the three deployment modes of CASB cold, and be ready to distinguish CASB from SWG (Secure Web Gateway).
Core Concepts · ~10 min

CASB, DLP & SaaS Security Fundamentals

CASB — Cloud Access Security Broker

A CASB is a security policy enforcement point between users and cloud services. It provides visibility and control over cloud app usage, whether sanctioned or unsanctioned.

👁️
Visibility

Discover all cloud apps in use (Shadow IT)

📋
Compliance

Enforce regulatory compliance across cloud apps

🔒
Data Security

DLP, encryption, rights management in cloud

🛡️
Threat Protection

Detect malware, compromised accounts, UEBA

CASB Deployment Modes

ModeHow It WorksProsConsBest For
API-basedConnects directly to SaaS APIs (Office 365, Salesforce)No agent needed, deep inspection, retroactive scanningNot inline — cannot block in real time during uploadAuditing stored data, OAuth governance, DLP on existing files
Forward ProxyIntercepts outbound traffic from managed devices via PAC file or agentReal-time blocking, full URL visibilityRequires endpoint agent or MDMBlocking uploads to unapproved apps from managed devices
Reverse ProxyTraffic redirected via DNS/SSO; CASB sits in front of the cloud appNo agent needed, works for BYODOnly covers SSO-integrated apps; limited to session-level controlsBYOD environments, Conditional Access enforcement
💡 Key Products: Microsoft Defender for Cloud Apps (formerly MCAS), Netskope, Zscaler CASB, Palo Alto Prisma SaaS, McAfee MVISION Cloud.

Shadow IT & SaaS Security Posture

Shadow IT: cloud services used by employees without IT approval. Discovered by analyzing firewall/proxy logs and assigning a risk score per app.


SSPM (SaaS Security Posture Management): continuously monitors SaaS application configurations for misconfigurations.

Common SaaS MisconfigurationRiskTool to Detect
Guest sharing enabled in SharePoint with no expiryData leakage to external partiesDefender for Cloud Apps / SSPM
Over-permissioned third-party OAuth appsAccount takeover, data exfiltrationCASB API mode
Legacy authentication protocols enabled (Basic Auth)Bypasses MFA, brute-forceableEntra ID sign-in logs
Admin accounts without MFA in Microsoft 365Credential compromise → tenant takeoverMicrosoft Secure Score
Global admin roles directly assigned (not PIM)Permanent over-privilegeEntra ID / SSPM

DLP (Data Loss Prevention) in Cloud

ComponentDescription
Content InspectionRegex patterns (CCN, SSN), document fingerprinting, ML classifiers for PHI/PII
Enforcement PointsEmail (Exchange Online), Endpoint, Cloud Storage (SharePoint/OneDrive), Web Proxy, CASB
Policy ActionsBlock, Quarantine, Encrypt, Alert-Only, User Justification Required, Apply Rights Management
AWS MacieML-powered PII discovery in S3 buckets; findings sent to Security Hub
Microsoft Purview DLPUnified DLP across M365, Teams, Exchange, SharePoint, Endpoints
Google Cloud DLP APIInspect/redact/tokenize sensitive data in text, images, BigQuery, GCS
Netskope DLPInline DLP across web and cloud apps; understands cloud context

Insider Threats & OAuth Governance

Insider Threat TypeExampleDetection Signal
MaliciousEmployee bulk-downloads CRM data before resigningUEBA: mass download spike, after-hours, unusual volume
NegligentUser uploads PII to personal Google DriveCASB: upload to unapproved storage app
CompromisedAttacker using stolen credentials logs into Microsoft 365Impossible travel alert, unfamiliar device, new location

OAuth App Risks: Third-party apps granted OAuth access can read/write data with user-level or admin-level permissions. A rogue OAuth app can exfiltrate data silently. Control: review connected apps, enforce admin consent policies, revoke suspicious grants.

Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to expand the model answer.

1What is a CASB and what are its four pillars?Easy
A CASB (Cloud Access Security Broker) is a security enforcement point — on-premises or cloud-hosted — that sits between cloud service users and cloud providers to enforce security policies.

The four pillars (Gartner model):
  • Visibility: Discover all cloud apps in use, including unsanctioned Shadow IT, and assess their risk.
  • Compliance: Ensure cloud usage meets regulatory requirements (GDPR, HIPAA, PCI-DSS).
  • Data Security: Apply DLP policies, encryption, and rights management to cloud data.
  • Threat Protection: Detect compromised accounts, malware in cloud storage, and insider threats via UEBA.
💡 Leading CASB products: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB, Palo Alto Prisma SaaS.
2What is the difference between API-based and proxy-based CASB deployment?Medium
  • API-based: Connects directly to cloud app APIs (Microsoft Graph, Salesforce API). Provides retroactive scanning — can inspect data already stored. No latency impact. Cannot block uploads in real time. Best for: auditing, data classification, OAuth governance.
  • Forward Proxy: Endpoint agent/PAC file routes outbound traffic through CASB proxy. Inline — can block uploads in real time. Requires managed device. Best for: real-time enforcement on corporate devices.
  • Reverse Proxy: SSO redirects users through CASB proxy in front of cloud app. No endpoint agent — works for BYOD. Limited to SSO-integrated apps. Best for: unmanaged device access control.
💡 Most enterprise deployments use a combination: API for deep inspection + forward proxy for real-time enforcement.
3What is Shadow IT and how does a CASB help control it?Easy
Shadow IT refers to cloud applications and services used by employees without explicit IT approval or knowledge. Examples: personal Dropbox, WhatsApp for business comms, personal Gmail.

Risks: data leakage (PII uploaded to personal storage), compliance violations, malware propagation.

CASB helps by:
  • Analyzing firewall/proxy logs to discover all cloud apps in use
  • Assigning a risk score (1–10) to each app based on security certifications, data handling, TLS support
  • Blocking or restricting access to high-risk apps
  • Providing an app catalog for sanction/unsanction decisions
💡 Defender for Cloud Apps discovers 16,000+ cloud apps and rates each with a risk score.
4What is SSPM (SaaS Security Posture Management)?Medium
SSPM continuously monitors SaaS application configurations for security misconfigurations and deviations from best practices — similar to how CSPM monitors IaaS/PaaS.

SSPM covers apps like Microsoft 365, Salesforce, Slack, Zoom, GitHub.

Common findings:
  • Excessive guest sharing in SharePoint
  • Admin accounts without MFA
  • Legacy authentication protocols enabled
  • Unused admin accounts (orphaned)
  • Third-party OAuth apps with excessive permissions
Tools: Adaptive Shield, AppOmni, Defender for Cloud Apps, Obsidian Security.
💡 SSPM is the SaaS equivalent of CSPM — both focus on configuration drift and compliance, just at different layers of the cloud stack.
5What are common SaaS security misconfigurations?Easy
  • Guest sharing enabled in SharePoint without expiry dates — external users retain permanent access
  • Legacy authentication (Basic Auth) not blocked — bypasses Conditional Access/MFA
  • Admin roles assigned permanently instead of via PIM (Just-in-Time)
  • MFA not enforced for all admin accounts
  • Third-party OAuth apps with read/write access to all data
  • Audit logging disabled in Salesforce or Microsoft 365
  • Public links enabled by default in file sharing (Google Drive)
  • Overly permissive API access tokens with no expiry
💡 Microsoft Secure Score in Defender for Cloud gives a percentage score and actionable recommendations for M365 SaaS misconfigurations.
6What is DLP and how does it work in cloud environments?Medium
DLP (Data Loss Prevention) prevents sensitive data from leaving controlled environments through policy enforcement at multiple points.

How it works in cloud:
  • Content inspection: Scans for patterns (credit card regex, SSN regex), document fingerprints, or ML classifiers for PHI/PII
  • Enforcement points: Email gateway, endpoint agent, CASB proxy, cloud storage API, web proxy
  • Policy actions: Block transfer, quarantine file, encrypt, alert admin, require user justification
Cloud DLP tools:
  • Microsoft Purview DLP — M365, Exchange, SharePoint, Teams, Endpoints
  • AWS Macie — PII discovery in S3 with ML
  • Google Cloud DLP API — inspect and redact sensitive data in text, images, BigQuery
💡 DLP alone is not enough — users can screenshot, photograph screens, or use OCR. Combine with UEBA and endpoint controls.
7What is Microsoft Defender for Cloud Apps?Medium
Microsoft Defender for Cloud Apps (formerly MCAS — Microsoft Cloud App Security) is Microsoft's enterprise CASB solution. It provides:
  • Cloud Discovery: analyzes traffic logs to identify 16,000+ cloud apps and Shadow IT
  • App connectors: API-based integration with Microsoft 365, AWS, GCP, Salesforce, Box, Dropbox for deep visibility
  • Conditional Access App Control: reverse proxy for session-level controls on any SSO app
  • Threat Protection: anomaly detection, UEBA, impossible travel, mass download alerts
  • DLP policies: inspect files in connected apps and apply DLP actions
  • Information Protection: integrates with Microsoft Purview sensitivity labels
💡 Defender for Cloud Apps is included in Microsoft 365 E5 and Microsoft Defender for Office 365 P2 — a key differentiator in Azure-heavy environments.
8How do you detect data exfiltration via SaaS applications?Hard
Detection signals:
  • Volume anomaly: UEBA baseline detects a user downloading 100x more data than their normal pattern
  • Time anomaly: Bulk download at 2am or just before employee departure date
  • App anomaly: Upload to unapproved personal storage (CASB forward proxy blocks/alerts)
  • New app OAuth grant: User grants a new third-party app access to their entire OneDrive
  • Email anomaly: User forwards emails to personal Gmail or sends large attachments externally
  • API activity: Unusual API calls via Postman/scripting tools rather than normal web UI
Toolchain: CASB (behavioral analytics) + SIEM (correlation) + DLP (content inspection) + UEBA (baseline deviation).
💡 Insider threat scenarios are a common interview topic — describe a layered detection approach, not a single tool.
9What is an OAuth app and what risks do third-party OAuth apps pose?Medium
OAuth apps are third-party applications that users authorize to access their SaaS data (Microsoft 365, Google Workspace, Salesforce) on their behalf using OAuth 2.0 tokens.

Risks:
  • Apps may request more permissions than needed (e.g., read/write all mail, manage all files)
  • A malicious app can silently exfiltrate data without the user's ongoing awareness
  • Rogue OAuth apps are used in phishing campaigns ("OAuth phishing" / "consent phishing")
  • Tokens persist even after password changes — revocation must be explicit
  • SaaS-to-SaaS daisy-chain: an app connected to Slack connected to Google Drive creates a chain of trust
Controls: require admin consent, review OAuth grants via CASB, block apps with excessive permissions, periodic access reviews.
💡 The 2018 Google+ OAuth breach and multiple Microsoft 365 "illicit consent grant" attacks demonstrate real-world OAuth abuse.
10What is legacy authentication and why should it be disabled?Medium
Legacy authentication refers to older authentication protocols (Basic Auth, NTLM, POP3, IMAP, SMTP AUTH) that do not support Modern Authentication and therefore cannot support MFA or Conditional Access.

Why dangerous:
  • Attackers can spray passwords directly against legacy endpoints — MFA is never triggered
  • Common attack: spray passwords via IMAP against Exchange Online (bypasses Conditional Access)
  • Many email clients (Outlook 2010, Thunderbird) use Basic Auth by default
Microsoft blocked Basic Auth in Exchange Online in October 2022 for most protocols.

Detection: Azure AD sign-in logs → filter by "Legacy Authentication Client" → shows which users still use it.
💡 In any organization moving to the cloud, disabling legacy auth is one of the highest-impact, lowest-effort security improvements.
11How does CASB integrate with Zero Trust architecture?Hard
CASB is a key enforcement component in Zero Trust for cloud access:
  • Verify explicitly: CASB integrates with Identity Provider (Entra ID) to enforce Conditional Access — checks user identity, device health, location before allowing cloud app access
  • Least privilege access: Session-level controls (read only, no download, watermark) based on user/device risk score
  • Assume breach: Continuous behavioral monitoring (UEBA) even after authentication — looks for post-auth anomalies
Zero Trust + CASB flow: User → Identity Provider (MFA + Conditional Access) → CASB (session policy, DLP, threat detection) → Cloud App
💡 Microsoft's Zero Trust framework explicitly positions Defender for Cloud Apps as the cloud app visibility and control layer within their security stack.
12What is Netskope and how does it differ from Microsoft Defender for Cloud Apps?Hard
FeatureNetskopeMicrosoft Defender for Cloud Apps
ArchitectureBorn-in-cloud SSE/SASE platform; inline proxy + APICASB within Microsoft security stack
Multi-cloudStrong AWS, Azure, GCP, all major SaaS coverageDeep Microsoft 365 integration; multi-cloud via connectors
DLPIndustry-leading inline DLP with cloud context awarenessIntegrated with Microsoft Purview DLP
Best forVendor-agnostic organizations; advanced DLP; SASE strategyMicrosoft-first organizations on M365/Azure
💡 Both are strong products. Netskope is often preferred for multi-cloud, best-of-breed DLP; MDCA for Microsoft-centric shops leveraging E5 licensing.
13How would you detect an insider threat using SaaS activity logs?Hard
Detection methodology:
  • Establish baseline: UEBA engine builds a behavioral baseline per user — normal download volume, working hours, devices, locations
  • Trigger alerts on deviation: Mass download (10x baseline), after-hours access, new device/location, access to out-of-role content
  • Correlate signals: HR data (resignation submitted) + CASB download spike + DLP violation = high-confidence insider threat
  • Specific indicators:
    • Bulk file download from SharePoint followed by personal cloud upload via forward proxy CASB
    • Email forwarding rule created to external address (Exchange audit log)
    • Access to projects outside user's department
    • Accessing the same document hundreds of times (possible screen capture evasion)
💡 Mention the "leaver risk" scenario — insider threats spike in the 30 days before/after employee resignation. HR-SIEM integration is the gold standard.
14What is a cloud app risk score?Easy
A cloud app risk score is a numerical rating (typically 1–10, higher = safer) assigned to cloud applications based on security criteria:
  • TLS/HTTPS enforcement
  • Data retention and deletion policies
  • Compliance certifications (SOC 2, ISO 27001, CSA STAR)
  • Security practices (penetration testing, bug bounty)
  • Admin activity logging / audit trails
  • Data encryption at rest and in transit
  • GDPR/HIPAA compliance claims
CASB tools like Defender for Cloud Apps provide pre-built risk scores for 16,000+ apps. Security teams use these scores to set policies: block apps below score 5, allow but monitor 6–7, whitelist 8+.
💡 Risk scores are opinion-based and should be supplemented with manual review for business-critical apps.
15What are the DLP enforcement points in an organization?Medium
  • Email gateway: Inspect outbound email content and attachments (Microsoft Purview DLP for Exchange, Proofpoint)
  • Endpoint: Prevent copy to USB, print, browser upload (Microsoft Purview Endpoint DLP, Symantec)
  • Cloud storage / SaaS: Scan files in SharePoint, OneDrive, Box for sensitive content (API-based CASB/DLP)
  • Web proxy / CASB: Inspect uploads to web-based apps in real time (forward proxy)
  • Network: Deep packet inspection on corporate network egress (network DLP appliances)
  • Cloud DLP API: Inspect data in AWS S3, GCP BigQuery, GCS via cloud provider DLP service
💡 Coverage gaps exist between enforcement points — a user can screenshot content and photograph it. Defense in depth across all points + UEBA behavioral monitoring is the answer.
16What is content fingerprinting in DLP?Hard
Content fingerprinting (also called document fingerprinting or exact data matching) is a DLP technique that creates a unique fingerprint of specific documents or data sets and detects when their content — even partial excerpts — is transmitted.

Types:
  • Document fingerprinting: Create hash of a template document (e.g., NDA, IP document). Any file with similar structure triggers a DLP match even if renamed.
  • Exact Data Match (EDM): Upload a structured dataset (employee SSNs, customer PAN list). DLP alerts when any of those exact values appear in communications.
Advantage over regex: Much lower false positive rate — regex matches any 16-digit number; EDM only matches your actual customer card numbers.
💡 Microsoft Purview supports both document fingerprinting and EDM. EDM is required for high-fidelity PCI/HIPAA compliance scenarios.
17What is the difference between CASB and a Secure Web Gateway (SWG)?Hard
FeatureCASBSWG
FocusCloud apps and SaaS securityGeneral web browsing security
CoverageSanctioned and unsanctioned cloud appsAll web traffic (HTTP/HTTPS)
CapabilitiesDLP, UEBA, OAuth governance, Cloud app risk scoringURL filtering, malware inspection, SSL inspection
ContextCloud app context (who accessed what object in SharePoint)URL/category context
DeploymentAPI + proxy modesInline proxy (forward)
Modern SASE platforms (Netskope, Zscaler) combine SWG + CASB + ZTNA + FWaaS in a single cloud platform.
💡 CASB and SWG are complementary. Most mature enterprises deploy both; SASE merges them into a unified edge.
18What is a reverse proxy CASB and when is it used?Medium
A reverse proxy CASB is deployed in front of the cloud application. User traffic is redirected through the CASB via:
  • SSO redirect (IdP changes the application URL to point through CASB proxy)
  • DNS manipulation (CASB domain replaces application domain)
When to use:
  • BYOD (unmanaged personal devices) — no ability to install agents
  • Third-party/contractor access to SaaS apps
  • Enforcing download restrictions, watermarking, or session-level controls without endpoint agents
Limitations: Only covers SSO-integrated apps; cannot inspect native app traffic (e.g., OneDrive sync client).
💡 Conditional Access App Control in Defender for Cloud Apps uses reverse proxy mode — enabled by routing sessions through Microsoft's CASB proxy via Entra ID Conditional Access.
19How does Google Cloud DLP API work?Medium
Google Cloud DLP API is a managed service to inspect, classify, and de-identify sensitive data. It works by:
  • Inspection: Scan text, images, BigQuery tables, GCS files for sensitive data types (150+ built-in: PII, PHI, PCI, credentials)
  • De-identification: Replace sensitive values with tokens, redact, mask, encrypt, or pseudonymize
  • Risk analysis: Assess re-identification risk of quasi-identifiers in datasets
  • Integration: Used via REST API, gcloud CLI, or natively in BigQuery, GCS, Cloud Functions
Use cases: sanitize data before sharing with non-prod teams, scan uploads for PII, redact logs before analysis.
💡 A common architecture: Cloud Function triggered on GCS upload → calls DLP API → quarantines files with PII → notifies Security team.
20What is SaaS-to-SaaS connection risk?Hard
SaaS-to-SaaS connection risk refers to the security exposure created when multiple SaaS applications are interconnected via OAuth tokens or API integrations, creating a chain of trust that can be exploited.

Example chain: Personal productivity app → connects to Slack workspace → Slack integrates with Google Drive → attacker compromises the productivity app → gains access to Google Drive through the chain.

Risks:
  • A breach in one SaaS app propagates to all connected apps
  • OAuth tokens for connected apps may persist indefinitely
  • Third-party integration apps may have poor security practices
  • Visibility is difficult — most organizations don't know all their app integrations
Controls: Regular OAuth token review, enforce admin consent for all integrations, use CASB API mode to audit all connected apps, implement app allowlisting.
💡 Tools like Obsidian Security and AppOmni specialize in mapping and monitoring SaaS-to-SaaS connections as part of their SSPM offering.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Progress:
0 / 25
Simulation 1 · CASB Deployment Mode

CASB Deployment Mode Selector

For each scenario, select the most appropriate CASB deployment mode.

Simulation 2 · Shadow IT Risk

Shadow IT Risk Rater

Rate each cloud app discovered in firewall logs.

Simulation 3 · DLP Policy

DLP Policy Action Selector

Choose the most appropriate DLP action for each scenario.

Simulation 4 · OAuth Governance

OAuth App Permission Risk Rater

Assess each OAuth app permission request and decide the appropriate action.

🎉 Module 09 Complete! You've covered CASB, DLP, SSPM, Shadow IT, and OAuth governance.