
Commit 07f2a7f

Apply suggestions from code review
Co-authored-by: marciocloudflare <[email protected]>
1 parent 5cdd7d2 commit 07f2a7f


1 file changed: +10 -10 lines changed


src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx

Lines changed: 10 additions & 10 deletions
@@ -17,22 +17,22 @@ SaaS applications have become essential tools in today's business operations. Wh
1717

1818
However SaaS applications tend to focus their security on their own platform, such as storing data at rest in a secure manner and ensuring their applications are not exposing customer data due to application vulnerabilities. This document is going to cover how to address some of the limitations of SaaS applications by using Cloudflare's Secure Access Service Edge (SASE) platform. Specifically our Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG) services, combined with integrations to your existing identity and device security vendors.
1919

20-
## Isn't SaaS already secure?
20+
## Is SaaS not already secure?
2121

22-
Before discussing the specifics of implementing SASE for SaaS applications, we should consider asking: isn't SaaS already secure? Major providers like Salesforce, ServiceNow, Microsoft and more have implemented robust security capabilities, including integrations with identity providers for Single Sign On (SSO), SSL/TLS for all application communication, encryption of data at rest and comprehensive audit logs. Unfortunately, SaaS vendors are not attempting to rebuild entire security platforms in their applications, so they are not able to provide many features required for a modern Zero Trust architecture.
22+
Before discussing the specifics of implementing SASE for SaaS applications, we should consider asking: is SaaS not already secure? Major providers like Salesforce, ServiceNow, Microsoft and more have implemented robust security capabilities, including integrations with identity providers for Single Sign On (SSO), SSL/TLS for all application communication, encryption of data at rest and comprehensive audit logs. Unfortunately, SaaS vendors are not attempting to rebuild entire security platforms in their applications, so they are not able to provide many features required for a modern Zero Trust architecture.
2323

24-
SaaS applications are unable to evaluate the security posture of connecting devices. A compromised laptop with valid credentials appears identical to a securely managed, corporate device. When data is downloaded from the SaaS application, it has no visibility into where it goes or if the device it's being downloaded to is secure. Typically authentication for SaaS applications is externalized by redirecting users to an identity service, therefore the SaaS application has no sense of how the user authenticated and as such all trust is placed in the identity provider.
24+
SaaS applications are unable to evaluate the security posture of connecting devices. A compromised laptop with valid credentials appears identical to a securely managed, corporate device. When data is downloaded from the SaaS application, it has no visibility into where it goes or if the device it is being downloaded to is secure. Typically authentication for SaaS applications is externalized by redirecting users to an identity service, therefore the SaaS application has no sense of how the user authenticated and as such all trust is placed in the identity provider.
2525

26-
These security challenges are compounded by poor network access controls \- most SaaS applications accept connections from any Internet source, but sometimes they can be limited to only accessing from a specific set of IP addresses that might be associated with one or more physical offices. But these rudimentary network controls are hard to expand for remote users working from home, or partners and contractors who need access.
26+
These security challenges are compounded by poor network access controls most SaaS applications accept connections from any Internet source, but sometimes they can be limited to only accessing from a specific set of IP addresses that might be associated with one or more physical offices. But these rudimentary network controls are hard to expand for remote users working from home, or partners and contractors who need access.
2727

28-
Cloudflare's SASE platform offers the ability to bring a more Zero Trust orientated approach to securing SaaS applications. Centralized policies, based on device posture, identity attributes and granular network location can be applied across one or many SaaS applications. Cloudflare becomes the new corporate network, and it's possible to gate access to Internet based SaaS applications to those users and devices that are connected to Cloudflare. Essentially it's a new corporate network in the cloud.
28+
Cloudflare's SASE platform offers the ability to bring a more Zero Trust orientated approach to securing SaaS applications. Centralized policies, based on device posture, identity attributes and granular network location can be applied across one or many SaaS applications. Cloudflare becomes the new corporate network, and it is possible to gate access to Internet based SaaS applications to those users and devices that are connected to Cloudflare. Essentially it is a new corporate network in the cloud.
2929

3030
## Securing access with Cloudflare
3131

3232
The diagram below shows how Cloudflare sits between your users, devices and networks that require access to any SaaS application. The two main services proving security capabilities are:
3333

34-
- [Zero Trust Network Access](/cloudflare-one/policies/access/). Allows Cloudflare to become an identity proxy. So that you can easily enable authentication with a wide variety of identity providers to a single SaaS application. This service also incorporates the ability to evaluate access based on device posture and network location.
35-
- [Secure Web Gateway](/cloudflare-one/policies/gateway/). Once all traffic to access the SaaS application flows through our gateway, HTTPS connections are terminated at Cloudflare and you have the ability to inspect the data flowing to and from the SaaS application. Blocking sensitive data from being exported to insecure locations.
34+
- [Zero Trust Network Access](/cloudflare-one/policies/access/). Allows Cloudflare to become an identity proxy, so that you can easily enable authentication with a wide variety of identity providers to a single SaaS application. This service also incorporates the ability to evaluate access based on device posture and network location.
35+
- [Secure Web Gateway](/cloudflare-one/policies/gateway/). Once all traffic to access the SaaS application flows through our gateway, HTTPS connections are terminated at Cloudflare and you have the ability to inspect the data flowing to and from the SaaS application. This allows you to block sensitive data from being exported to insecure locations.
3636

3737
![Figure 1: Only traffic that has passed the Cloudflare network and relevant policies is authorized to access the SaaS application.](~/assets/images/reference-architecture/secure-access-to-saas-applications-with-sase/figure1.svg "Figure 1: Only traffic that has passed the Cloudflare network and relevant policies is authorized to access the SaaS application.")
3838

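Review bot: the edit to line 26 of the file removes the escaped dash but puts nothing in its place, so "compounded by poor network access controls most SaaS applications accept connections from any Internet source" now reads as a run-on. A colon or full stop restores the break, for example `compounded by poor network access controls: most SaaS applications accept connections from any Internet source`. While this hunk is open, the unchanged context on line 32 says "The two main services proving security capabilities", which should be "providing", and "Zero Trust orientated" on line 28 is more commonly written "oriented".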
@@ -63,9 +63,9 @@ The first step is using an [egress IP policy under Cloudflare Gateway](/cloudfla
6363
| **Identity** | |
6464
| User Group Names | All Employees |
6565
| **Select Egress IP** | |
66-
| Use dedicated Cloudflare Egress IPs | \[203.0.113.88\] |
66+
| Use dedicated Cloudflare Egress IPs | `203.0.113.88` |
6767

68-
This is important not only for securing access to Salesforce, but also for adequately protecting its contents while in use. Now let's look at the access policy that is limiting access to members of the Sales or Executives groups. We are also using our Crowdstrike integration to ensure that users are on company managed devices.
68+
This is important not only for securing access to Salesforce, but also for adequately protecting its contents while in use. Now let us examine the access policy that is limiting access to members of the Sales or Executives groups. We are also using our Crowdstrike integration to ensure that users are on company managed devices.
6969

7070
| Policy name | Account executives on trusted devices |
7171
| :----------------------------- | :------------------------------------ |
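Review bot: line 68 keeps "Crowdstrike"; the vendor capitalizes its name as CrowdStrike, and since the sentence is already being edited it is worth fixing here. In the same line, "the access policy that is limiting access to members of the Sales or Executives groups" reads more directly as "the access policy that limits access to members of the Sales or Executives groups". The change on line 66 from `\[203.0.113.88\]` to inline code is fine; the value is an RFC 5737 documentation address and the inline code style matches the other table values.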
@@ -91,7 +91,7 @@ This second policy applies to all employees but we are going to apply a few more
9191
| **Additional Settings** | |
9292
| Purpose justification | On |
9393
| Temporary authentication | On |
94-
| Email addresses of approvers | [email protected] |
94+
| Email addresses of approvers | `[email protected]` |
9595

9696
We are going to add in temporary authentication to this second policy. That means if Cloudflare determines that the incoming request is from someone outside of the Sales or Executives department, an administrator will need to explicitly grant them temporary access. In context, this policy could be used to secure access to Salesforce for employees outside the Sales department, as the customer information could be sensitive and confidential.
9797

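Review bot: the unchanged context on line 96 says "an administrator will need to explicitly grant them temporary access", but line 94 configures specific "Email addresses of approvers", so the person granting access is whoever is listed there, not necessarily an administrator; suggest "one of the configured approvers will need to explicitly grant them temporary access". The same paragraph says "outside of the Sales or Executives department" while the policy introduced on line 68 refers to the Sales or Executives groups; pick one term and use it throughout. Finally, the approver address on line 94 renders here as `[email protected]`, so its actual value cannot be checked in this view; confirm the source uses a non-routable documentation domain such as example.com rather than a real mailbox.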