CASB Overview

Massive adoption of cloud services and applications has created new targets and threats like never before. What's more, the widespread use of mobile devices is the new reality that organizations regularly interact with users they don't manage. Your systems, applications, and data are constantly in contact with mobile phones, tablets, and laptops that you do not control. Manual and people-centric cloud security approaches fail in such situations. Organizations must use automation to supplement their cloud security needs.

Juniper Secure Edge provides full-stack Security Service Edge (SSE) capabilities to protect web, Software as a Service (SaaS), and on-premises applications and provide users with consistent and secure access that follows them wherever they go.

A New Solution for Cloud Security—Cloud Access Security Broker (CASB)

CASB provides visibility into the security of your cloud applications. You can create CASB profiles in the Juniper Secure Edge to apply granular controls to ensure authorized access, threat prevention, and compliance to secure your data. You can also assign rules to a CASB profile and associate the profile with a Secure Edge policy to automatically detect anomalous usage and suspicious behavior.

Table 1 lists the Juniper Secure Edge supported cloud applications and their activities.

Table 1: Juniper Secure Edge Supported Cloud Applications and their Activities

Cloud Application	Supported Activities
Group: Chat
MetaMessenger	Login, Chat, Audio/Video, and FileTransfer
Microsoft Teams	Login, Chat, Audio/Video, and FileTransfer
Google Chat	Login, Chat, Audio/Video, and FileTransfer
Slack	Login, Chat, Audio/Video, and FileTransfer
Group: Cloud Storage
Amazon EFS	Upload, Download, Create, Delete, and Edit
Amazon S3	Upload, Download, Create, and Delete
Group: Email
Gmail	Login, Read, Compose, Send, UploadAttachment, and DownloadAttachment
Microsoft Outlook	Login, Read, Compose, Send, UploadAttachment, and DownloadAttachment
Group: File Sharing
Box	Login, Upload, Download, and Share
Dropbox	Login, Upload, Download, and Share
Google Docs	Login, Upload, Download, and Share
Microsoft OneDrive	Login, Upload, Download, and Share
Microsoft OneDrive Personal	Login, Upload, Download, and Share
Salesforce	Login, Upload, Download, and Share
SharePoint	Login, Upload, Download, and Share
Group: M365Apps
Office365_Word	Open, AutoSave, Download, and Share
Office365_Excel	Open, AutoSave, Download, and Share
Office365_Powerpoint	Open, AutoSave, Download, and Share
Group: Source control
GitHub	Login, Upload, Download, Create, View, and CreateRepo

Certificate Pinning is a security mechanism that protects against man-in-the-middle (MITM) attacks by ensuring that a client (such as mobile or desktop application) communicates only with a server that has a pre-defined SSL certificate. When certificate pinning is implemented in an application, the application checks that the server’s certificate matches the pinned certificate which was added during development. If there is a certificate mismatch, the cloud application refuses to connect with the client application.

If an application with certificate pinning has SSL decryption configured, the application will break. The administrator may choose one of the following options:

• Add the application to the SSL decryption exemption list to prevent the application from breaking. CASB and SSL inspection will not occur.

• Remove the application from the SSL decryption exemption list to continue inspecting the application traffic. However, the users must access the application through a browser only to successfully use the application.

The following are the CASB supported cloud applications with certificate pinning:

• Dropbox

• Salesforce

• Google Drive