This article provides an overview and background information about Cato's out-of-band SaaS Security API service to monitor and control traffic to sanctioned SaaS cloud apps.
Note
Note: Please contact SaaSecAPI@catonetworks.com or your official Cato reseller for more information about using the SaaS Security API policy.
Cato's SaaS Security API provides out-of-band visibility and control for sanctioned cloud apps. Other security features (such as CASB) can only control and monitor traffic that goes over the Cato Cloud. SaaS Security API gives the ability to also monitor and react to traffic from remote users that connect directly to the cloud apps. This applies even when they are not using the SDP Client to send traffic over the Cato Cloud.
SaaS Security API inspects the content of a connection without using TLS Inspection. This is especially benificial to accounts that don't have TLS Inspection enabled. However, even for accounts that are using TLS Inspection, some cloud apps can't be inspected due to issues related to certificate pinning. SaaS Security API compliments Cato's inline CASB and DLP solutions to provide the best security coverage.
This is a high-level overview of the steps to implement SaaS Security API.
-
Create the connectors for the relevant cloud apps.
For Microsoft apps, it is necessary to create a Microsoft 365 parent connector and then a child connector for each app.
-
Create (or review) the DLP Content Profile that defines the sensitive data that SaaS Security API is scanning for (see Creating DLP Content Profiles).
-
Create the rules for the Data Protection policy.
These are the SaaS app connectors that are currently supported for SaaS Security API. Cato is continually improving these apps and adding support for more.
Known Limitations for SaaS Security API
These are limitations that apply to any connector used in the Data Protection policy. For limitations related to specific SaaS apps, see below Known Limitations for Specific Connectors.
- Can’t edit SaaS Security API connectors.
Workaround - delete the connector and create a new connector with the required settings. - For Anti-malware scans, allowlisting with file hash isn’t supported.
-
Changes to permissions for folders and directories are not scanned.
-
Actions for groups (such as file sharing with a group) are not scanned.
-
Maximum supported file size for DLP and Anti-Malware scans is 20MB.
- For DLP and Anti-Malware scans, SaaS Security API only supports file types supported by the Cato DLP and Anti-Malware engines.
- When Threat Protection and Data Protection rules are created, deleted, or edited, the changes are tracked in the Audit Trail without showing details relating to the rule content
Known Limitations for Specific Connectors
These are limitations for the specific SaaS Security API connectors.
-
Azure
-
New users that are added after the connector is created are not scanned.
Workaround - create a new rule for the connector, or disable and then re-enable the SaaS Security API policy.
-
-
Box
-
New users that are added after the connector is created are not scanned.
Workaround - create a new rule for the connector, or disable and then re-enable the SaaS Security API policy.
-
New files added to the root folder can take up to 24 hours before they are scanned and generate events. Files in sub-folders are scanned immediately after they are uploaded.
-
Only 1 connector per tenant is supported. (Microsoft and Google connectors support multiple connectors per tenant)
-
-
Exchange
-
For rules that scan email activity, the event can also include an attached file (even if the file does not match the policy).
-
-
Google Drive
-
Only commercial accounts are supported for the Google Drive connector.
-
-
OneDrive
-
When there are SharePoint and OneDrive connectors for the same resource, each connector creates a separate event for the same action.
- One Drive can take up to 5 minutes to indicate a change in a file, which can cause delays in event generation.
-
-
SharePoint
-
Only the Documents directory is scanned.
-
When there are SharePoint and OneDrive connectors for the same resource, each connector creates a separate event for the same action.
-
-
Slack
-
Only 1 connector per tenant is supported. (Microsoft and Google connectors support multiple connectors per tenant)
-
Only public and shared channels are supported.
-
Comments
1 comment
Added Known Limitations for SaaS Security API
Please sign in to leave a comment.