If you are shopping for a CASB, this is an interesting question to ponder.
In 2016, some large enterprises chose an agent-based CASB for their cloud security needs. Each month in 2017, we go back and ask them how things turned out a year later. Every one of them tell us they are struggling to deploy. It is plain for all the world to see. Go to Office365 and login with a dummy email address for the customer. You might be taken to a test SSO page. Often with an expired certificate. Or nowhere at all. What is going on?
Agent-based CASB are impossible to deploy in the real world. For one thing, maintaining proxy agents across thousands of end-user devices is no joke. But worse yet, CASB agents are inherently incompatible with Secure Web Gateways (SWG). The CASB agent wants to proxy traffic to the CASB, but the SWG that sits in between has conflicting ideas The end result is you get nowhere month after month.
So if you still own a VCR, and it flashes 12.00, an agent-based CASB might well be the right choice for you. If you have moved on to modern technology, Bitglass is worth considering. The only agentless CASB that delivers real-time data protection on any device.