CASB, DLP & SaaS Security
~60 minutes covering Cloud Access Security Brokers, Data Loss Prevention, SaaS security posture, Shadow IT, OAuth governance, and insider threat detection.
Topics Covered
| # | Topic | Time |
|---|---|---|
| 1 | Core Concepts: CASB, DLP, SSPM, Shadow IT | 10 min |
| 2 | 20 Interview Q&As | 20 min |
| 3 | 25 MCQs | 15 min |
| 4 | Sim: CASB Deployment Mode Selector | 4 min |
| 5 | Sim: Shadow IT Risk Rater | 4 min |
| 6 | Sim: DLP Policy Action Selector | 4 min |
| 7 | Sim: OAuth App Permission Rater | 3 min |
CASB, DLP & SaaS Security Fundamentals
CASB — Cloud Access Security Broker
A CASB is a security policy enforcement point between users and cloud services. It provides visibility and control over cloud app usage, whether sanctioned or unsanctioned.
Discover all cloud apps in use (Shadow IT)
Enforce regulatory compliance across cloud apps
DLP, encryption, rights management in cloud
Detect malware, compromised accounts, UEBA
CASB Deployment Modes
| Mode | How It Works | Pros | Cons | Best For |
|---|---|---|---|---|
| API-based | Connects directly to SaaS APIs (Office 365, Salesforce) | No agent needed, deep inspection, retroactive scanning | Not inline — cannot block in real time during upload | Auditing stored data, OAuth governance, DLP on existing files |
| Forward Proxy | Intercepts outbound traffic from managed devices via PAC file or agent | Real-time blocking, full URL visibility | Requires endpoint agent or MDM | Blocking uploads to unapproved apps from managed devices |
| Reverse Proxy | Traffic redirected via DNS/SSO; CASB sits in front of the cloud app | No agent needed, works for BYOD | Only covers SSO-integrated apps; limited to session-level controls | BYOD environments, Conditional Access enforcement |
Shadow IT & SaaS Security Posture
Shadow IT: cloud services used by employees without IT approval. Discovered by analyzing firewall/proxy logs and assigning a risk score per app.
SSPM (SaaS Security Posture Management): continuously monitors SaaS application configurations for misconfigurations.
| Common SaaS Misconfiguration | Risk | Tool to Detect |
|---|---|---|
| Guest sharing enabled in SharePoint with no expiry | Data leakage to external parties | Defender for Cloud Apps / SSPM |
| Over-permissioned third-party OAuth apps | Account takeover, data exfiltration | CASB API mode |
| Legacy authentication protocols enabled (Basic Auth) | Bypasses MFA, brute-forceable | Entra ID sign-in logs |
| Admin accounts without MFA in Microsoft 365 | Credential compromise → tenant takeover | Microsoft Secure Score |
| Global admin roles directly assigned (not PIM) | Permanent over-privilege | Entra ID / SSPM |
DLP (Data Loss Prevention) in Cloud
| Component | Description |
|---|---|
| Content Inspection | Regex patterns (CCN, SSN), document fingerprinting, ML classifiers for PHI/PII |
| Enforcement Points | Email (Exchange Online), Endpoint, Cloud Storage (SharePoint/OneDrive), Web Proxy, CASB |
| Policy Actions | Block, Quarantine, Encrypt, Alert-Only, User Justification Required, Apply Rights Management |
| AWS Macie | ML-powered PII discovery in S3 buckets; findings sent to Security Hub |
| Microsoft Purview DLP | Unified DLP across M365, Teams, Exchange, SharePoint, Endpoints |
| Google Cloud DLP API | Inspect/redact/tokenize sensitive data in text, images, BigQuery, GCS |
| Netskope DLP | Inline DLP across web and cloud apps; understands cloud context |
Insider Threats & OAuth Governance
| Insider Threat Type | Example | Detection Signal |
|---|---|---|
| Malicious | Employee bulk-downloads CRM data before resigning | UEBA: mass download spike, after-hours, unusual volume |
| Negligent | User uploads PII to personal Google Drive | CASB: upload to unapproved storage app |
| Compromised | Attacker using stolen credentials logs into Microsoft 365 | Impossible travel alert, unfamiliar device, new location |
OAuth App Risks: Third-party apps granted OAuth access can read/write data with user-level or admin-level permissions. A rogue OAuth app can exfiltrate data silently. Control: review connected apps, enforce admin consent policies, revoke suspicious grants.
Interview Questions & Model Answers
Click any question to expand the model answer.
The four pillars (Gartner model):
- Visibility: Discover all cloud apps in use, including unsanctioned Shadow IT, and assess their risk.
- Compliance: Ensure cloud usage meets regulatory requirements (GDPR, HIPAA, PCI-DSS).
- Data Security: Apply DLP policies, encryption, and rights management to cloud data.
- Threat Protection: Detect compromised accounts, malware in cloud storage, and insider threats via UEBA.
- API-based: Connects directly to cloud app APIs (Microsoft Graph, Salesforce API). Provides retroactive scanning — can inspect data already stored. No latency impact. Cannot block uploads in real time. Best for: auditing, data classification, OAuth governance.
- Forward Proxy: Endpoint agent/PAC file routes outbound traffic through CASB proxy. Inline — can block uploads in real time. Requires managed device. Best for: real-time enforcement on corporate devices.
- Reverse Proxy: SSO redirects users through CASB proxy in front of cloud app. No endpoint agent — works for BYOD. Limited to SSO-integrated apps. Best for: unmanaged device access control.
Risks: data leakage (PII uploaded to personal storage), compliance violations, malware propagation.
CASB helps by:
- Analyzing firewall/proxy logs to discover all cloud apps in use
- Assigning a risk score (1–10) to each app based on security certifications, data handling, TLS support
- Blocking or restricting access to high-risk apps
- Providing an app catalog for sanction/unsanction decisions
SSPM covers apps like Microsoft 365, Salesforce, Slack, Zoom, GitHub.
Common findings:
- Excessive guest sharing in SharePoint
- Admin accounts without MFA
- Legacy authentication protocols enabled
- Unused admin accounts (orphaned)
- Third-party OAuth apps with excessive permissions
- Guest sharing enabled in SharePoint without expiry dates — external users retain permanent access
- Legacy authentication (Basic Auth) not blocked — bypasses Conditional Access/MFA
- Admin roles assigned permanently instead of via PIM (Just-in-Time)
- MFA not enforced for all admin accounts
- Third-party OAuth apps with read/write access to all data
- Audit logging disabled in Salesforce or Microsoft 365
- Public links enabled by default in file sharing (Google Drive)
- Overly permissive API access tokens with no expiry
How it works in cloud:
- Content inspection: Scans for patterns (credit card regex, SSN regex), document fingerprints, or ML classifiers for PHI/PII
- Enforcement points: Email gateway, endpoint agent, CASB proxy, cloud storage API, web proxy
- Policy actions: Block transfer, quarantine file, encrypt, alert admin, require user justification
- Microsoft Purview DLP — M365, Exchange, SharePoint, Teams, Endpoints
- AWS Macie — PII discovery in S3 with ML
- Google Cloud DLP API — inspect and redact sensitive data in text, images, BigQuery
- Cloud Discovery: analyzes traffic logs to identify 16,000+ cloud apps and Shadow IT
- App connectors: API-based integration with Microsoft 365, AWS, GCP, Salesforce, Box, Dropbox for deep visibility
- Conditional Access App Control: reverse proxy for session-level controls on any SSO app
- Threat Protection: anomaly detection, UEBA, impossible travel, mass download alerts
- DLP policies: inspect files in connected apps and apply DLP actions
- Information Protection: integrates with Microsoft Purview sensitivity labels
- Volume anomaly: UEBA baseline detects a user downloading 100x more data than their normal pattern
- Time anomaly: Bulk download at 2am or just before employee departure date
- App anomaly: Upload to unapproved personal storage (CASB forward proxy blocks/alerts)
- New app OAuth grant: User grants a new third-party app access to their entire OneDrive
- Email anomaly: User forwards emails to personal Gmail or sends large attachments externally
- API activity: Unusual API calls via Postman/scripting tools rather than normal web UI
Risks:
- Apps may request more permissions than needed (e.g., read/write all mail, manage all files)
- A malicious app can silently exfiltrate data without the user's ongoing awareness
- Rogue OAuth apps are used in phishing campaigns ("OAuth phishing" / "consent phishing")
- Tokens persist even after password changes — revocation must be explicit
- SaaS-to-SaaS daisy-chain: an app connected to Slack connected to Google Drive creates a chain of trust
Why dangerous:
- Attackers can spray passwords directly against legacy endpoints — MFA is never triggered
- Common attack: spray passwords via IMAP against Exchange Online (bypasses Conditional Access)
- Many email clients (Outlook 2010, Thunderbird) use Basic Auth by default
Detection: Azure AD sign-in logs → filter by "Legacy Authentication Client" → shows which users still use it.
- Verify explicitly: CASB integrates with Identity Provider (Entra ID) to enforce Conditional Access — checks user identity, device health, location before allowing cloud app access
- Least privilege access: Session-level controls (read only, no download, watermark) based on user/device risk score
- Assume breach: Continuous behavioral monitoring (UEBA) even after authentication — looks for post-auth anomalies
| Feature | Netskope | Microsoft Defender for Cloud Apps |
|---|---|---|
| Architecture | Born-in-cloud SSE/SASE platform; inline proxy + API | CASB within Microsoft security stack |
| Multi-cloud | Strong AWS, Azure, GCP, all major SaaS coverage | Deep Microsoft 365 integration; multi-cloud via connectors |
| DLP | Industry-leading inline DLP with cloud context awareness | Integrated with Microsoft Purview DLP |
| Best for | Vendor-agnostic organizations; advanced DLP; SASE strategy | Microsoft-first organizations on M365/Azure |
- Establish baseline: UEBA engine builds a behavioral baseline per user — normal download volume, working hours, devices, locations
- Trigger alerts on deviation: Mass download (10x baseline), after-hours access, new device/location, access to out-of-role content
- Correlate signals: HR data (resignation submitted) + CASB download spike + DLP violation = high-confidence insider threat
- Specific indicators:
- Bulk file download from SharePoint followed by personal cloud upload via forward proxy CASB
- Email forwarding rule created to external address (Exchange audit log)
- Access to projects outside user's department
- Accessing the same document hundreds of times (possible screen capture evasion)
- TLS/HTTPS enforcement
- Data retention and deletion policies
- Compliance certifications (SOC 2, ISO 27001, CSA STAR)
- Security practices (penetration testing, bug bounty)
- Admin activity logging / audit trails
- Data encryption at rest and in transit
- GDPR/HIPAA compliance claims
- Email gateway: Inspect outbound email content and attachments (Microsoft Purview DLP for Exchange, Proofpoint)
- Endpoint: Prevent copy to USB, print, browser upload (Microsoft Purview Endpoint DLP, Symantec)
- Cloud storage / SaaS: Scan files in SharePoint, OneDrive, Box for sensitive content (API-based CASB/DLP)
- Web proxy / CASB: Inspect uploads to web-based apps in real time (forward proxy)
- Network: Deep packet inspection on corporate network egress (network DLP appliances)
- Cloud DLP API: Inspect data in AWS S3, GCP BigQuery, GCS via cloud provider DLP service
Types:
- Document fingerprinting: Create hash of a template document (e.g., NDA, IP document). Any file with similar structure triggers a DLP match even if renamed.
- Exact Data Match (EDM): Upload a structured dataset (employee SSNs, customer PAN list). DLP alerts when any of those exact values appear in communications.
| Feature | CASB | SWG |
|---|---|---|
| Focus | Cloud apps and SaaS security | General web browsing security |
| Coverage | Sanctioned and unsanctioned cloud apps | All web traffic (HTTP/HTTPS) |
| Capabilities | DLP, UEBA, OAuth governance, Cloud app risk scoring | URL filtering, malware inspection, SSL inspection |
| Context | Cloud app context (who accessed what object in SharePoint) | URL/category context |
| Deployment | API + proxy modes | Inline proxy (forward) |
- SSO redirect (IdP changes the application URL to point through CASB proxy)
- DNS manipulation (CASB domain replaces application domain)
- BYOD (unmanaged personal devices) — no ability to install agents
- Third-party/contractor access to SaaS apps
- Enforcing download restrictions, watermarking, or session-level controls without endpoint agents
- Inspection: Scan text, images, BigQuery tables, GCS files for sensitive data types (150+ built-in: PII, PHI, PCI, credentials)
- De-identification: Replace sensitive values with tokens, redact, mask, encrypt, or pseudonymize
- Risk analysis: Assess re-identification risk of quasi-identifiers in datasets
- Integration: Used via REST API, gcloud CLI, or natively in BigQuery, GCS, Cloud Functions
Example chain: Personal productivity app → connects to Slack workspace → Slack integrates with Google Drive → attacker compromises the productivity app → gains access to Google Drive through the chain.
Risks:
- A breach in one SaaS app propagates to all connected apps
- OAuth tokens for connected apps may persist indefinitely
- Third-party integration apps may have poor security practices
- Visibility is difficult — most organizations don't know all their app integrations
Multiple Choice Questions
CASB Deployment Mode Selector
For each scenario, select the most appropriate CASB deployment mode.
Shadow IT Risk Rater
Rate each cloud app discovered in firewall logs.
DLP Policy Action Selector
Choose the most appropriate DLP action for each scenario.
OAuth App Permission Risk Rater
Assess each OAuth app permission request and decide the appropriate action.