Create and Manage CASB Profiles

You configure Cloud Access Security Broker (CASB) rules to control specific actions on each cloud application to secure your data.

By default, Juniper Secure Edge provides a predefined profile called default-casb-profile. You can choose to either modify and use the predefined profile, or create your own profile.

Once you create a CASB profile, assign it to a Secure Edge policy. By default, the cloud application groups are selected as shown in Table 1 for the respective CASB-supported cloud applications. You cannot edit these groups on the Secure Edge Policy page as this option is grayed out.

Certificate Pinning is a security mechanism that protects against man-in-the-middle (MITM) attacks by ensuring that a client (such as mobile or desktop application) communicates only with a server that has a pre-defined SSL certificate. When certificate pinning is implemented in an application, the application checks that the server’s certificate matches the pinned certificate which was added during development. If there is a certificate mismatch, the cloud application refuses to connect with the client application.

If an application with certificate pinning has SSL decryption configured, the application will break. The administrator may choose one of the following options:

Add the application to the SSL decryption exemption list to prevent the application from breaking. CASB and SSL inspection will not occur.
Remove the application from the SSL decryption exemption list to continue inspecting the application traffic. However, the users must access the application through a browser only to successfully use the application.

The following are the CASB supported cloud applications with certificate pinning:

Dropbox
Salesforce
Google Drive

Table 1: Cloud Application Group for CASB-Supported Cloud Applications
CASB-Supported Cloud Applications	Corresponding Cloud Application Group
Amazon EFS	casb-amazonefs-group
Amazon S3	casb-amazons3-group
Box	casb-boxnet-group
Dropbox	casb-dropbox-clear-group
GitHub	casb-github-group
Gmail	casb-gmail-group
Google Chat	casb-google_chat-group
Google Docs	casb-google_docs-group
MetaMessenger	casb-meta_messenger-group
Microsoft OneDrive	casb-onedrive-group
Microsoft OneDrive Personal	casb-onedrive_personal-group
Microsoft Outlook	casb-outlook-group
Microsoft Teams	casb-msteams-group
Office365_Word	casb-office365_word-group
Office365_Excel	casb-office365_excel-group
Office365_Powerpoint	casb-office365_powerpoint-group
Salesforce	casb-salesforce-group
SharePoint	casb-sharepoint-group
Slack	casb-slack-group

Manage CASB Profiles

Select Secure Edge > Security Subscriptions > CASB > CASB Profiles.
The CASB Profiles page opens.
Click the plus icon () to create a CASB profile.
The Create CASB Profile page opens.

Complete the configuration according to the following guidelines:

Table 2: Fields on the Create CASB Profile Page
Setting	Guideline
Name	Enter a unique string of alphanumeric characters; special characters other than -_!@$&*~:. are not allowed. No spaces are allowed; maximum length is 29 characters.
Activity logging	Define activity logging for the CASB profile. For example, Login, Download, and Chat. By default, all the options are selected.

Click OK.

A new CASB profile is created. You can assign the CASB profile to a Secure Edge policy. Ensure to select the cloud application groups for the respective CASB-supported cloud applications. For more information about how to select the cloud application groups, see Security Subscriptions row in the Fields on the Secure Edge Policy Add Page table in Add and Manage Secure Edge Policy Rules.

For example, if your CASB profile covers Amazon EFS and Amazon S3 applications, choose casb-amazonefs-group and casb-amazons3-group respectively.

Manage CASB Profiles

Edit—Select the profile, and then click the pencil icon ().
Delete—Select the profile, and then click the trash can icon ().

ON THIS PAGE

Create and Manage CASB Profiles

Manage CASB Profiles

Manage CASB Profiles

See Also