TL;DR: Cloud access security brokers extend policy, visibility, and data controls into SaaS, IaaS, and PaaS environments to manage Shadow IT and cloud risk, according to StrongDM’s overview. The governance problem is that cloud access outgrows perimeter-era IAM and requires continuous monitoring, contextual enforcement, and tighter integration across security stacks.
NHIMG editorial — based on content published by StrongDM: Understanding Cloud Access Security Brokers (CASBs)
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams govern shadow IT in cloud environments?
A: They should treat shadow IT as an access governance problem, not just an asset inventory issue.
Q: Why do CASB controls matter when IAM already exists?
A: IAM can authenticate users and assign permissions, but it often cannot see how cloud apps are used, which devices are connecting, or where sensitive data moves after access is granted.
Q: What breaks when cloud access is managed only through perimeter security?
A: Perimeter-only models miss unmanaged devices, unsanctioned apps, and data movement inside cloud services.
Practitioner guidance
- Inventory cloud apps beyond the approved stack: Correlate identity logs with cloud discovery analytics to identify sanctioned and unsanctioned services, then classify them by business use, data sensitivity, and access risk.
- Tie cloud access decisions to data sensitivity: Align CASB policy with DLP labels so uploads, sharing, and downloads can be blocked or audited when sensitive data moves across SaaS, IaaS, or PaaS.
- Use device and session context in access policy: Require contextual access control for unmanaged devices, unusual locations, and high-risk applications so access can be reduced when posture changes.
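The first guidance item, worked through as an added example (not code from StrongDM or from this editorial): constructed identity-provider sign-ins are correlated with constructed cloud discovery records against a sanctioned-app catalog, and each user and service pair is labelled by status and risk. The field names, the `sanctioned-no-sso` status, and the scoring thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; field names are assumptions, not a vendor schema.
CATALOG = {  # sanctioned apps: domain -> (app name, data sensitivity)
    "crm.example.com": ("crm", "high"),
    "wiki.example.com": ("wiki", "low"),
}
IDP_SIGNINS = [  # identity provider SSO events
    {"user": "alice", "app": "crm"},
    {"user": "bob", "app": "wiki"},
]
DISCOVERY = [  # proxy / cloud discovery records
    {"user": "alice", "domain": "crm.example.com", "managed": True, "upload_bytes": 2_000},
    {"user": "bob", "domain": "crm.example.com", "managed": True, "upload_bytes": 500},
    {"user": "bob", "domain": "files.example.net", "managed": False, "upload_bytes": 80_000_000},
    {"user": "carol", "domain": "notes.example.org", "managed": True, "upload_bytes": 0},
]
UPLOAD_THRESHOLD = 10_000_000  # assumed cut-off for a bulk upload


def classify(discovery, signins, catalog):
    """Label each (user, domain) pair by governance status and access risk."""
    sso = defaultdict(set)
    for e in signins:
        sso[e["user"]].add(e["app"])
    findings = {}
    for r in discovery:
        entry = catalog.get(r["domain"])
        if entry is None:
            status = "unsanctioned"
        elif entry[0] in sso[r["user"]]:
            status = "sanctioned"
        else:
            status = "sanctioned-no-sso"  # approved app, but access did not go through the IdP
        # Risk rises with ungoverned access, unmanaged devices, and bulk uploads.
        score = (status != "sanctioned") + (not r["managed"]) + (r["upload_bytes"] > UPLOAD_THRESHOLD)
        if entry and entry[1] == "high" and status != "sanctioned":
            score += 1  # sensitive data reached outside the identity-governed path
        risk = "high" if score >= 2 else "medium" if score == 1 else "low"
        findings[(r["user"], r["domain"])] = (status, risk)
    return findings


if __name__ == "__main__":
    for key, val in classify(DISCOVERY, IDP_SIGNINS, CATALOG).items():
        print(key, val)
```

The `sanctioned-no-sso` case is the one an asset inventory alone would miss: the service is approved, but the access path bypasses the identity layer.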
What's in the full article
StrongDM's full blog covers the operational detail this post intentionally leaves for the source:
- How the CASB control stack maps to APIs, gateways, log data, and endpoint agents in real deployments
- Which cloud access risks StrongDM highlights for shadow IT, compliance, and data protection scenarios
- How CASB fits alongside SASE and IAM in organisations that already run multiple security tools
- Why StrongDM positions its infrastructure access platform as part of the broader cloud access management conversation
CASB and shadow IT: what IAM teams are missing in cloud?
Explore further
CASB is really a cloud access governance problem, not a product category problem: the article shows that cloud controls fail when identity, device, and data decisions are split across separate tools. The practical issue is not whether a CASB exists, but whether the organisation can see sanctioned and unsanctioned cloud usage well enough to govern it. For practitioners, the lesson is that cloud access needs identity-led policy, not just added monitoring.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Should organisations use CASB, SASE, or IAM as the primary cloud control?
A: They should not treat them as interchangeable. IAM governs identity and permissions, CASB governs cloud app visibility and data policy, and SASE broadens enforcement across networking and security services. The right choice depends on which gap is most urgent, but none of the three fully replaces the others.