Shadow IT Discovery
One of the primary benefits of using a CASB is that it provides organizations with visibility into SaaS usage. This includes identifying which cloud services are being used, by whom, and for what purpose. This information can help organizations to better understand and manage their cloud environments, and identify potential security risks.

Data Loss Prevention
DLP is a core feature of most CASBs. Classifying data is necessary to determine risk and how policies should be applied, so most CASB vendors prioritized building data discovery and classification early on. Then, CASBs can control or limit data movement and prevent leakage. This can help organizations to ensure that sensitive data is protected, and that users are only able to access the resources that they need.

Managing Sanctioned vs Unsanctioned SaaS Use
One of the benefits of in-line CASB architectures (mostly forward proxies), is the ability to manage both sanctioned and ‘shadow IT’ (unsanctioned) SaaS use alike. API-based and reverse proxy CASB architectures can only be used with sanctioned SaaS, as they require access to the target application to work.

Secure SaaS Usage
This includes the ability to enforce security policies and access controls, and monitor and manage user activity. For example, CASBs can be used to enforce or add certain features, like multi-factor authentication and data encryption.

Compliance
CASBs can help organizations to comply with regulations and industry standards. CASBs can be configured to meet specific compliance requirements, such as those related to data privacy and security. This can help organizations to avoid costly fines and penalties for non-compliance.

Detection & Response
CASBs can provide threat detection and incident response capabilities. This can help organizations to detect and respond to potential security threats, such as impossible travel or mass download of data, more quickly and effectively, regardless of whether threats come from internal users, or external entities.

SaaS Misconfigurations Blindspot
SaaS applications have evolved to become complex platforms, allowing customers and business users to customize many configurations, including security configurations. The shared responsibility model requires SaaS customers to manage their own tenants, creating a complex setup that CASBs do not analyze and they do not provide insights into the posture of these SaaS applications.

Lack of SaaS-to-SaaS Visibility
Most organizations have hundreds if not thousands of integrations between SaaS applications using OAuth apps, API tokens and no-code/low-code workflows. This SaaS-to-SaaS communication is ignored by most CASBs, so that many third-party integrations are unseen and uncontrolled by the CASB.

Deployment Complexity
Implementing and managing a CASB can be complex and time-consuming due to the effort required to build DLP policies. Unless there is integration with on-Prem DLP policies need to be created from scratch which is time consuming and requires expertise. In addition, proxy chaining can cause deployment challenges.

Latency
Proxy-based CASBs can add latency to the connection, which can affect the performance of cloud applications.

False Positives
CASBs can generate false positives which can lead to false alerts, making it harder to identify real security issues. Behavioral-based detections are notoriously tricky, requiring constant tuning to cut down on unnecessary alerts. A certain amount of false positives is inevitable.