Cloud Access Security Broker (CASB)
Read this topic to learn how to configure CASB on SRX Series Firewalls to enable inline activity control for a selected set of cloud applications.
CASB Overview
Cloud Access Security Broker (CASB) serves as a critical security checkpoint positioned between enterprise users and cloud service providers. Its primary role is to enforce security policies to protect and control access to cloud applications.
CASB is a new Layer 7 service on SRX Series Firewalls that provides inline application activity control. The CASB policy engine lets you refine access conditions: you can specify rules for logging in to, downloading from, and uploading to a set of cloud applications used within your organization.
Benefits
- CASB empowers security teams with comprehensive visibility and control over SaaS applications and activities.
- CASB enables fine-grained control through customized policy rules tied to specific applications and activities.
- Through domain validation, CASB confirms that the SaaS application instances your organization uses are legitimate and not maliciously impersonated.
To use CASB on your firewalls, you must configure CASB policies and apply CASB policy rules in a security policy.
Steps to configure CASB functionality:
- Configure a CASB policy. Set each CASB policy rule with the following match conditions:
  - Application, such as Dropbox, Google Docs, or OneDrive, or an application group, such as FileSharing, chat, or email.
  - Activity, such as login, download, and upload. Not all applications support every activity; when configuring an application, select only the activities that the application supports. Table 1 maps each application to its supported activities.

Table 1: Mapping of Application and Activities

Application | Supported Activities
Box | Login, Upload, Download, Share
Dropbox | Login, Upload, Download, Share
Google Docs | Login, Upload, Download, Share
Salesforce | Login, Upload, Download, Share
OneDrive | Login, Upload, Download, Share
SharePoint | Login, Upload, Download, Share
Slack | Login, Chat, Audio/Video, File Transfer
Gmail | Login, Read, Compose, Send, Upload Attachment, Download Attachment

For the share activity, you can optionally configure activity-parameters (for example, the share-domain parameter) to gain even more granular control over traffic.
- Create an application instance for CASB. To differentiate between corporate and non-corporate instances of the same SaaS application, administrators configure access policies using the instance parameter. To identify an instance, CASB requires an instance ID and a domain; type and tag are optional, except that type is mandatory for Dropbox. Table 2 describes the application instance settings.

Table 2: Application Instance Settings

Name
(Required) Application instance name. For example, dropbox123.

Application instance ID
(Required) The instance ID is the tenant-specific string in the unique URL used to access the SaaS service. Each application can have its own instance ID. In the following example URLs, the instance ID is the tenant prefix (for example, acmecorp07) taken from the application's SaaS URL:
- Box URL: acmecorp07.app.box.com
- OneDrive or SharePoint URL: acmecorp07ms-my.sharepoint.com
- Salesforce URLs: acmecorp07.my.salesforce.com and acmecorp07.lightning.force.com
- Slack: the Slack URL is acmecorp-zoy8730.slack.com, so the instance ID is acmecorp-zoy8730.
The following applications have generic URLs, so an instance ID is not applicable:
- Dropbox: dropbox.com
- Google Docs: docs.google.com
- Gmail: mail.google.com

Domain
(Required) Enter the domain address, that is, the organization's email domain. For example, acmecorp07.com is an organization domain; Box, Dropbox, Google Docs, Salesforce, Gmail, and Slack use the same domain for all users. For OneDrive and SharePoint, the domain value is acmecorp07ms.onmicrosoft.com.

Type
(Optional) Enter one of the following values to map a type to the application instance:
- Work
- Personal
The type value is mandatory for Dropbox. For other applications, this setting is optional.

Tag
(Optional) Enter one of the following values to tag the application instance:
- Sanctioned: application instances sanctioned by your organization.
- Unsanctioned: application instances not sanctioned by your organization.
- Define the policy action. Each rule has a set of actions (allow or deny, plus an optional log-action) that the system performs when all of the rule's match conditions are met.
- Configure a default rule. The default rule is matched if none of the other rules match, or if the policy has no other rules. Configuring a default rule is mandatory.
- Apply the CASB policy in the security policy as an application service for the permitted traffic.
Note the following for CASB rules:
- Arrange your CASB rules in sequential order so that rules with specific match criteria for applications or activities are evaluated before more general rules.
- Set up a default CASB policy for the unified policy configuration. The default policy applies to a session until a dynamic application match occurs. Once the final application match is available for the security policy, the CASB policy configured in that security policy is applied. If no CASB policy is explicitly configured in the final security policy, the CASB service disengages for the session.
- You can configure up to 64 CASB policies on SRX300, SRX320, SRX325, SRX340, SRX550M, and SRX1500 firewalls, and up to 256 CASB policies on SRX4000-line and SRX5000-line firewalls.
Sample CASB Policy Configuration
Before you configure CASB, you must:
- Install Junos OS Release 24.2R1 on your SRX Series Firewall.
- Install a valid application identification feature license on your SRX Series Firewall. See Managing Junos OS Licenses.
- Download and install the Junos OS application signature package. See Downloading and Installing the Junos OS Application Signature Package.
The following sample configures a CASB policy that allows users to share from the SharePoint application only with the given share domain.
- Configure the CASB policy parameters.
[edit]
user@host# set security casb instance is1 application SharePoint
user@host# set security casb instance is1 instance-id acmecorp07
user@host# set security casb instance is1 domain acmecorp07ms-my.sharepoint.com
user@host# set security casb instance is1 tag sanctioned
user@host# set security casb instance is1 type work
user@host# set security casb casb-policy casb-policy-1 rules rule1 match application SharePoint activity Share param-name share-domain param-value acmecorp07
user@host# set security casb casb-policy casb-policy-1 rules rule1 match application SharePoint instance is1
user@host# set security casb casb-policy casb-policy-1 rules rule1 then allow
user@host# set security casb casb-policy casb-policy-1 rules rule1 then log-action
user@host# set security casb casb-policy casb-policy-1 default-rule allow
user@host# set security casb casb-policy casb-policy-1 default-rule log-action
Note: When you configure a CASB policy rule, both application and activity are required match components, whereas param-name and param-value are optional elements that let you specify finer-grained options within the rule. Also note that because the default rule in this sample is allow, a share to any other domain falls through to the default rule and is still permitted (and logged); to restrict sharing to the acmecorp07 domain only, set the default-rule to deny or add a later rule that denies the Share activity for SharePoint.
- Apply the CASB policy in the security policy as an application service.
[edit]
user@host# set security policies from-zone trust to-zone untrust policy policy-name then permit application-services casb-policy casb-policy-1
The following CASB policy denies downloads from all file sharing applications.
- Configure the CASB policy parameters.
[edit]
user@host# set security casb casb-policy casb-policy-2 rules rule1 match application-group FileSharing application any activity download
user@host# set security casb casb-policy casb-policy-2 rules rule1 then deny
user@host# set security casb casb-policy casb-policy-2 default-rule allow
- Apply the CASB policy in the security policy as an application service.
[edit]
user@host# set security policies from-zone trust to-zone untrust policy policy-name then permit application-services casb-policy casb-policy-2
You can also perform the following operations on a CASB policy:
- Log activity.
[edit]
set security casb casb-policy <policy-name> log-activity [ login upload download ]
- Change the order of rules.
[edit]
insert security casb casb-policy <policy-name> rules <rule-name> [before | after] rules <other-rule-name>
- Set a default policy.
[edit]
set security casb default-policy <casb-policy-name>
The default policy is required for unified policies. If no default policy is configured, the system displays the following error message at commit:
ERROR: default-policy is not configured which is must with unified multi policy configuration
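The following configuration is an added worked example, not one of the samples on this page and not Juniper's own, that brings the individual steps above together for a unified security policy: two application instances, an ordered pair of rules that distinguishes the corporate Dropbox tenant from any other, a Box share rule with the share-domain parameter, the mandatory default rule, the default policy that unified policies require, and the security policy that binds it all. The instance, rule, policy and zone names, the acmecorp07 tenant values, and the `match dynamic-application any` line are assumptions; adapt them to your own tenants and match criteria.

```junos
## Added example (not from this page). Names and tenant values below are assumed.

## Application instances: one per SaaS tenant you need to tell apart.
## Box has a tenant-specific URL (acmecorp07.app.box.com), so it gets an instance-id.
set security casb instance box-corp application Box
set security casb instance box-corp instance-id acmecorp07
set security casb instance box-corp domain acmecorp07.com
set security casb instance box-corp tag sanctioned

## Dropbox has a generic URL (dropbox.com), so no instance-id; type is mandatory for Dropbox.
set security casb instance dbx-work application Dropbox
set security casb instance dbx-work domain acmecorp07.com
set security casb instance dbx-work type work
set security casb instance dbx-work tag sanctioned

## Rules are evaluated in order: the specific corporate-tenant rule must come first.
set security casb casb-policy saas-policy rules allow-corp-dropbox-upload match application Dropbox activity upload
set security casb casb-policy saas-policy rules allow-corp-dropbox-upload match application Dropbox instance dbx-work
set security casb casb-policy saas-policy rules allow-corp-dropbox-upload then allow
set security casb casb-policy saas-policy rules allow-corp-dropbox-upload then log-action

## Any Dropbox upload not matched above (that is, a non-corporate tenant) is blocked.
set security casb casb-policy saas-policy rules deny-other-dropbox-upload match application Dropbox activity upload
set security casb casb-policy saas-policy rules deny-other-dropbox-upload then deny
set security casb casb-policy saas-policy rules deny-other-dropbox-upload then log-action

## Box: allow sharing only with the corporate share-domain (same pattern as the SharePoint sample).
set security casb casb-policy saas-policy rules allow-corp-box-share match application Box activity Share param-name share-domain param-value acmecorp07
set security casb casb-policy saas-policy rules allow-corp-box-share match application Box instance box-corp
set security casb casb-policy saas-policy rules allow-corp-box-share then allow
set security casb casb-policy saas-policy rules allow-corp-box-share then log-action

## Box shares to any other domain fall through to this rule instead of the permissive default rule.
set security casb casb-policy saas-policy rules deny-other-box-share match application Box activity Share
set security casb casb-policy saas-policy rules deny-other-box-share then deny
set security casb casb-policy saas-policy rules deny-other-box-share then log-action

## Mandatory default rule: everything else in this policy is allowed and logged.
set security casb casb-policy saas-policy default-rule allow
set security casb casb-policy saas-policy default-rule log-action
set security casb casb-policy saas-policy log-activity [ login upload download ]

## Required with unified policies; without it, commit fails with
## "ERROR: default-policy is not configured which is must with unified multi policy configuration".
set security casb default-policy saas-policy

## Unified security policy that permits the traffic and attaches the CASB policy.
## The match criteria (including dynamic-application any) are assumed placeholders.
set security policies from-zone trust to-zone untrust policy saas-out match source-address any
set security policies from-zone trust to-zone untrust policy saas-out match destination-address any
set security policies from-zone trust to-zone untrust policy saas-out match application any
set security policies from-zone trust to-zone untrust policy saas-out match dynamic-application any
set security policies from-zone trust to-zone untrust policy saas-out then permit application-services casb-policy saas-policy
```

If you later need the deny rule to run before the corporate allow rule (for example, to block a specific activity outright), reorder with `insert security casb casb-policy saas-policy rules deny-other-dropbox-upload before rules allow-corp-dropbox-upload` rather than deleting and re-adding rules, and re-verify the order with `show security casb casb-policies saas-policy` after commit.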
Verification Options
Use the following commands to verify your CASB policy configuration:
- Use the show security casb casb-policies command to display all CASB policies configured on your device.
user@host> show security casb casb-policies
Casb Policies: 1
Policy Name                  ID
cp1                          1
- Use the show security casb casb-policies policy-name command to display the details of a CASB policy.
user@host> show security casb casb-policies cp1
PIC : FPC 0 PIC 0
Policy Name: cp1
Policy ID: 1