Skip to main content
Versa Networks

Configure Offline CASB Profiles

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

Offline cloud access security broker (CASB) is on-premises or cloud-based policy enforcement that secures data between users and cloud applications to comply with corporate and regulatory requirements. Offline CASB applies enterprise security policies when users access cloud-based resources. 

As more applications move to the cloud, offline CASB addresses the following challenges to securing data:

  • Implement data-centric policies to authorize or control.
  • Analyze data access and changes to data stored in software-as-a-service (SaaS) clouds.
  • Implement access control for files, applications, and users.
  • Identify downloads, uploads, and file sharing done by users.

In addition, offline CASB secures cloud services and access to direct cloud-to-cloud deployments.

Versa Networks supports API integration with SaaS and IaaS applications. The API integration uses API calls to SaaS and IaaS applications, inspects user activities and content, enforces security policies, and provides granular access control for SaaS applications. The offline CASB action can match the risk level and activity of multiple cloud applications, and it can allow, deny, or restrict access to shadow IT.

Versa Networks supports both inline CASB and API-Data Protection (API-DP) CASB. The following table compares inline CASB to API-DP CASB and is useful in deciding when to use each of them. If you use inline CASB, see Configure CASB Profiles for more information.

 

Inline CASB API-Based Data Protection (API-DP) CASB

~80 SaaS applications, more applications and activities continuously added through security package updates.

30+ SaaS/IaaS application connectors, more applications and activities are developed as feature additions.

Complements API-DP.

Complements inline CASB.

Deployed through the Versa Operating SystemTM (VOSTM) software.

Deployed offline, closer to the SaaS application.

Granular actions, such as login, upload, download, video, chat. 

Very granular app-specific actions, such as file download in a Slack channel, actions based on a sender/receiver list or groups in Gmail or Outlook. 

No additional authorization needed because this is a proxy.

Needs explicit authorization by an application administrator.

Operates at the network layer using a reverse proxy mechanism.

Operates at the application layer—Uses webhooks, application connectors, and works directly as an authorized connector of the SaaS/IaaS application.

Risk classification on a scale of 1–5, from extremely low to extremely high risk.

Risk classification does not apply.

Use where it is possible to decrypt TLS.

Use when the SaaS/IaaS application is certificate-pinned.

Works through the Versa Cloud Gateway (VCG) or an appliance running the VOS software, typically through a corporate network.

Works even for users who bring their own device (BYOD) and connect from outside the corporate network.

To enforce offline CASB security policies, you do the following:

  • Create one or more offline CASB profiles
  • Specify match criteria for applications
  • Associate offline CASB profiles with an API-DP policy for SaaS

For more information, see Configure API-Based Data Protection Policy for SaaS.

To use offline CASB, you must use the premium security pack (SPack) Version 1939 or later.

Configure an Offline CASB Profile

You can configure an offline CASB profile for SaaS applications or IaaS services, as described in the following sections.

Configure an Offline CASB Profile for SaaS Applications

  1. Go to Configure > Security Service Edge > Advanced Security > Profiles.



    The following screen displays with the Cloud Access Security Broker (CASB) tab and the SaaS subtab selected by default.


     
    1. To delete an existing CASB profile, select the profile, and then click Delete in the horizontal menu.


       
    2. To customize which columns display, click Select Columns, and then click the columns to display or hide. Click Reset to return to the default column settings. The options are:
      • Rules
      • Actions
         
  2. To create a SaaS profile, click the  Add icon. The Add Rules screen displays.


     
  3. Click Add Rules. The Add CASB Rules screen displays with step 1, Applications, selected by default. The available SaaS applications display.


     
  4. Select a SaaS application, and then click Next to go to step 2, Instance.


     
  5. Select an instance of the SaaS application.
  6. Click Next to go to step 3, Activities.


     
  7. Select one or more of the activities that are allowed for that application. Different SaaS applications might have different activities associated with them, as shown below. 
     
    SaaS Application Activities Alert Action
    Asana file-attach Yes Delete / Remove
    comment Yes Delete / Remove
    Box file-upload Yes Delete / Remove
    file-share Yes Revert, Set Expiry, Remove User, Remove Permission
    file-delete Yes
    comment Yes Delete / Remove
    Cisco Webex Teams space-join Yes Delete / Remove
    meeting-join Yes Delete / Remove
    file-send Yes Delete / Remove
    message-send Yes Delete / Remove
    Citrix ShareFile file-upload Yes Delete / Remove
    file-share Yes Revert, Set Expiry
    file-delete Yes
    Confluence file-attach Yes Delete / Remove
    content-activity Yes Delete / Remove
    Dropbox file-upload Yes Delete / Remove
    file-share Yes Revert, Set Expiry, Remove User, Remove Permission
    file-delete Yes
    Egnyte file-upload Yes Delete / Remove
    file-share Yes Revert, Set Expiry
    file-delete Yes
    Google Drive file-upload Yes Delete / Remove
    file-share Yes Revert, Set Expiry
    file-delete Yes
    connected-apps Yes Revert, Set Expiry, Remove User, Remove Permission
    Github file-commit Yes Delete / Remove
    file-delete Yes
    repository-visibility-change Yes Delete / Remove
    user-add Yes Delete / Remove
    GitLab file-commit Yes Delete / Remove
    file-delete Yes
    project-visibility-change Yes Delete / Remove
    user-add Yes Delete / Remove
    Gmail message-body-send Yes
    file-attachment-send Yes
    message-body-receive Yes
    file attachment-receive Yes
    Jira file-attach Yes Delete / Remove
    content-activity Yes Delete / Remove
    Microsoft OneDrive file-upload Yes Delete / Remove
    file-share Yes Set Expiry, Remove Permission
    file-delete Yes
    Microsoft Outlook message-body-send Yes Delete / Remove
    file-attachment-send Yes Delete / Remove
    message-body-receive Yes Delete / Remove
    file attachment-receive Yes Delete / Remove
    Microsoft SharePoint file-upload Yes Delete / Remove
    file-share Yes Set Expiry, Remove Permission
    file-delete Yes
    Microsoft Teams message-send Yes Delete / Remove
    chat-join Yes Delete / Remove
    team-join Yes Delete / Remove
    Microsoft Yammer content-activity Yes Delete / Remove
    Notion file-attach Yes Delete / Remove
    content-activity Yes Delete / Remove
    Salesforce file-upload Yes Delete / Remove
    file-share Yes Revert, Set Expiry, Remove User, Remove Permission
    file-delete Yes
    content-activity Yes Delete / Remove
    ServiceNow file-attach Yes Delete / Remove
    content-activity Yes Delete / Remove
    Slack message-send Yes Delete / Remove
    file-send Yes Delete / Remove
    channel-join Yes Delete / Remove
    Trello file-attach Yes Delete / Remove
    content-activity Yes Delete / Remove
    Workplace from Meta file-attach Yes Delete / Remove
    content-activity Yes Delete / Remove
    Zendesk file-attach Yes Delete / Remove
    comment Yes Delete / Remove
    Zoom message-send Yes Delete / Remove
    file-send Yes Delete / Remove
    channel-join Yes Delete / Remove
    meeting-join Yes Delete / Remove
  8. The activities for some SaaS application have additional fields, as follows:
     
    SaaS Application Additional Activities Fields
    Jira
    • File Attach
      • Exclude
      • Project Type
        • Product Discovery
        • Service Management
        • Software
        • Work Management
      • Project Names
    Microsoft OneDrive
    • File Share
      • Alert
      • Remove
    • File Delete
      • Alert
    • File Upload
      • Alert
      • Expire
      • Remove Access
      • Remove User
      • Revert 
    Microsoft Sharepoint
    • File Upload
      • Alert
      • Remove
    • File Delete
      • Alert
    • File Share
      • Alert
      • Expire
      • Remove User
      • Remove Access
        (Note: Sharing to internal users is not supported)
      • Revert
    Microsoft Teams
    • chat-join
    • team-join
      • Exclude
      • Team Type
        • Public
        • Private
      • Team Names
    • message-send
      • Direct Message
      • Team Message
        • Exclude
        • Team Type
          • Public
          • Private
        • Team Names
    Microsoft Yammer
    • Storylines
    • Communities
      • Exclude
      • Community Type
      • Community Names
    Slack
    • Channel Join
      • Exclude
      • Channel Type
      • Channel Name
    • Message Send
      • Direct Message
      • Group Message
      • Channel Message
        • Channel Type
        • Channel Names
    • File Send
      • Direct Message
      • Group Message
      • Channel Message
        • Channel Type
        • Channel Names
    Zendesk
    • File Attach
      • Private
      • Public
    • Comment
      • Private
      • Public
    Zoom
    • Channel Join
      • Exclude
      • Channel Type
      • Channel Name
    • Message Send
      • Direct Message
      • Channel Message
        • Channel Type
        • Channel Names
    • File Send
      • Direct Message
      • Channel Message
        • Channel Type
        • Channel Names

     
  9. Click Next to go to step 4, Actions, and then enter the following information. Note that different applications might have different actions associated with them.


     
    Field Description
    File Attach (Group of Fields)  
    • Alert

    Enable—Select Enable to send alerts when files are uploaded.

    Disable—Select Disable to prevent sending alerts when files are uploaded. 
    • Remove

    Enable—Select Enable to remove alerts.

    Disable—Select Disable to prevent removing alerts when files are uploaded. 
    Comment (Group of Fields)  
    • Alert

    Enable—Select Enable to send alerts when files contain comments.

    Disable—Select Disable to prevent sending alerts when files are uploaded. 
    • Remove

    Enable—Select Enable to remove alerts.

    Disable—Select Disable to prevent removing alerts when files contain comments. 
  1. Click Next to go to step 5, Review and Submit.


     
  2. Enter a name for the rule in the General section.
  3. Review the entries and click the  Edit icon to make changes to any section.
  4. Click Save to create the rule.

CASB File Share Actions

  Remove Permission
Application Revert Set Expiry Remove User Read Write
Box Yes Yes Yes Yes Yes
Citrix ShareFile Yes Yes No No No
Dropbox Yes Yes Yes Yes Yes
Egnyte Yes Yes No No No
Google Drive Yes Yes Yes Yes Yes
Microsoft OneDrive No Yes No Yes Yes
Microsoft SharePoint No Yes No Yes Yes
Salesforce Yes Yes Yes Yes Yes

Configure an Offline CASB Profile for IaaS Services

  1. Go to Configure > Security Service Edge > Advanced Security > Profiles.



    The following screen displays with the CASB Profiles tab and the SaaS subtab selected by default.


     
  2. To create an IaaS profile, click the IaaS subtab, then click the  Add icon.



    The Add Rules screen displays.
     
  3. Click the Add Rules button. The Add CASB Rules screen displays with step 1, Applications, selected by default. The available IaaS service applications display.


     
  4. Select a service application, and then click Next to go to step 2, Instance.


     
  5. Select an instance of the selected IaaS service, then click Next to go to step 3, Activities. IaaS services all have two activities available, file-upload and file-delete.

  6. Select one or more activities, then click Next to go to step 4, Actions.
  7. Enter information for the following fields.


     
    Field Description
    File Upload (Group of Fields)  
    • Alert

    Enable—Select Enable to send alerts when files are uploaded.

    Disable—Select Disable to prevent sending alerts when files are uploaded. 
    • Action

    Delete—Select Delete to delete uploaded files.

    Allow—Select Allow to prevent uploaded files from being deleted. 
    File Delete  
    • Alert

    Enable—Select Enable to send alerts when files are deleted.

    Disable—Select Disable to prevent sending alerts when files are deleted. 
  8. Click Next to go to step 5, Review and Submit.


     
  9. Enter a name for the rule in the General section.
  10. Review the entries and click the  Edit icon to make changes to any section.
  11. Click Save to create the rule.

Activities and Actions for Each Application

Application

Activity

Alert

Action

IaaS Applications
Amazon Web Services (AWS) file-upload Yes Delete / Remove
  file-delete Yes
Google cloud Platform (GCP) file-upload Yes Delete / Remove
  file-delete Yes
Microsoft Azure Cloud file-upload Yes Delete / Remove
  file-delete Yes
Oracle Cloud Infrastructure (OCI) file-upload Yes Delete / Remove
  file-delete Yes

Supported Software Information

Releases 11.1.1 and later support all content described in this article.