This article provides an overview and background information about Cato's out-of-band SaaS Security API service to monitor and control traffic to sanctioned SaaS cloud apps.
Note: Please contact SaaSecAPI@catonetworks.com or your official Cato reseller for more information about using the SaaS Security API policy.
Cato's SaaS Security API provides out-of-band visibility and control for sanctioned cloud apps. Other security features (such as CASB) can only control and monitor traffic that goes over the Cato Cloud. SaaS Security API also lets you monitor and react to traffic from remote users who connect directly to the cloud apps, even when they are not using the SDP Client to send traffic over the Cato Cloud.
SaaS Security API inspects the content of a connection without using TLS Inspection. This is especially beneficial to accounts that don't have TLS Inspection enabled. However, even for accounts that are using TLS Inspection, some cloud apps can't be inspected due to issues related to certificate pinning. SaaS Security API complements Cato's inline CASB and DLP solutions to provide the best security coverage.
This is a high-level overview of the steps to implement SaaS Security API.
1. Create the connectors for the relevant cloud apps.
   For Microsoft apps, it is necessary to create a Microsoft 365 parent connector and then a child connector for each app.
2. Create (or review) the DLP Content Profile that defines the sensitive data that SaaS Security API is scanning for (see Creating DLP Content Profiles).
3. Create the rules for the Data Protection policy.