From be3d3bd8af1824d4da5661a1d6db9bd76e03e6fe Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 13 Nov 2024 16:31:40 -0600 Subject: [PATCH 01/18] Initial commit --- .../cloudflare-one/applications/scan-apps/index.mdx | 2 +- .../cloudflare-one/casb/manage-integrations.mdx | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx index c935c7974ec4eb..10232a06245341 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx @@ -13,7 +13,7 @@ Available for all Zero Trust users. Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of an individual finding instance. ::: -Cloudflare's API-driven Cloud Access Security Broker (CASB) scans SaaS applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. +Cloudflare's API-driven Cloud Access Security Broker (CASB) scans SaaS and cloud applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. ## Manage CASB integrations diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index 9c8badd91e60e6..fe13e01e65307d 100644 --- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx 
@@ -1,19 +1,18 @@ --- {} - --- -When you integrate a third-party SaaS application with Cloudflare CASB, you allow CASB to make API calls to the application and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. +When you integrate a third-party SaaS or cloud application with Cloudflare CASB, you allow CASB to make API calls to the application and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. ### Prerequisites -Before you can integrate a SaaS application with CASB, your SaaS account must meet certain requirements. To view the prerequisites and permissions for your application, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). +Before you can integrate a third-party application with CASB, its account must meet certain requirements. To view the prerequisites and permissions for your application, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). ### Add an integration 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. 2. Select **Add integration**. -3. Browse the available SaaS integrations and select the application you would like to add. +3. Browse the available integrations and select the application you would like to add. 4. Follow the step-by-step integration instructions in the UI. 5. To run your first scan, select **Save integration**. You will be redirected to the [Findings page](/cloudflare-one/applications/scan-apps/manage-findings/) to see an in-depth listing of issues found. 
@@ -30,11 +29,7 @@ You can resume application scanning at any time by turning on **Scan findings**. ### Delete an integration :::caution - - When you delete an integration, all keys and OAuth data will be deleted. This means you cannot restore a deleted integration or its scanned data. - - ::: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. From bb6159719e809ad994faf1cfe7053857afd1c3e1 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 13 Nov 2024 16:32:33 -0600 Subject: [PATCH 02/18] Remove SaaS --- .../applications/scan-apps/manage-findings.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx index 0e6515377cf570..48414615eb7372 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx @@ -8,7 +8,7 @@ head: content: Manage security findings --- -Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found. +Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found. ## Prerequisites 
@@ -55,11 +55,11 @@ You can change the severity level for a finding at any time, in case the default 2. Locate the finding you want to modify and select **View**. 3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). -The new severity level will only apply to the finding within this specific integration. If you added multiple integrations of the same SaaS application, the other integrations will not be impacted by this change. +The new severity level will only apply to the finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change. ## Resolve finding with a Gateway policy -Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your company's security policy. This means going from viewing a CASB finding, like the use of an unapproved SaaS application, to preventing or controlling access in minutes. +Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your company's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes. :::note[Before you begin] 
@@ -73,7 +73,7 @@ To create a Gateway policy directly from a CASB finding: 3. Find the instance you want to block and select its three-dot menu. 4. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy. :::note - Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your SaaS application dashboard or through your domain provider. + Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. ::: 5. (Optional) [Customize the HTTP policy](/cloudflare-one/policies/gateway/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. From 2bb99e702291de582d287ee0c21326570ee91b8c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 13 Nov 2024 17:26:28 -0600 Subject: [PATCH 03/18] Revamp instructions --- .../scan-apps/manage-findings.mdx | 67 +++++++++++-------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx index 48414615eb7372..1d3aaf22d411fe 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx 
@@ -15,61 +15,70 @@ Findings are security issues detected within SaaS and cloud applications that in - You have [added](/cloudflare-one/applications/scan-apps/#add-an-integration) a CASB integration. - Your scan has surfaced at least one security finding. -## View findings +## Posture findings -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. +To view your posture findings: - You will see the findings detected across all integrations. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture findings**. +2. To switch between findings for your SaaS and cloud applications, choose **SaaS** or **Cloud**. +3. Select a finding to view its details. -2. To view details for an individual finding, select **View**. +CASB will display details about your posture findings, including the type, [severity level](#severity-levels), associated integration, and status. - The individual findings page shows all detected instances of the finding within a specific integration. You can expand an individual row to view details for a particular instance. +To resolve the finding, expand the remediation guide and follow the instructions. You can also [create an HTTP block policy](#resolve-finding-with-a-gateway-policy), update the finding's [severity level](#severity-levels), or [hide findings](#hide-findings) from view. -3. To resolve the finding, expand the **Remediation Guide** and follow the step-by-step instructions in the UI. +### Severity levels -Other actions you can take include [creating an HTTP block policy](#resolve-finding-with-a-gateway-policy), updating the finding's [severity level](#severity-levels), or [hiding irrelevant findings](#hide-findings) from view. 
+Cloudflare CASB labels each finding with one of the following severity levels: -### View shared files +| Severity level | Urgency | +| -------------- | ---------------------------------------------------------------------------- | +| Critical | Suggests the finding is something your team should act on today. | +| High | Suggests the finding is something your team should act on this week. | +| Medium | Suggests the finding should be reviewed sometime this month. | +| Low | Suggests the finding is informational or part of a scheduled review process. | -File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: +#### Change the severity level -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. Locate the individual finding, then select **View**. -3. In **Active Instances**, select the file name. -4. In **Shared Links**, select the linked file instance. +You can change the severity level for a finding at any time in case the default assignment does not suit your environment: -## Severity levels +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture findings**. +2. Locate the finding you want to modify and select **Manage**. +3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). -Cloudflare CASB labels each finding with one of the following severity levels: +The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change. -- **Critical**: Suggests the finding is something your team should act on today. 
-- **High**: Suggests the finding is something your team should act on this week. -- **Medium**: Suggests the finding should be reviewed sometime this month. -- **Low**: Suggests the finding is informational or part of a scheduled review process. +## Content findings -### Change the severity level +To view your content findings: -You can change the severity level for a finding at any time, in case the default assignment does not suit your environment: +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture findings**. +2. To switch between findings for your SaaS and cloud applications, choose **SaaS** or **Cloud**. +3. Select a finding to view its details. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. Locate the finding you want to modify and select **View**. -3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). +CASB will display details about your content findings, including the file name, number of DLP profiles matched, associated integration, and location. + +## View shared files + +File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: -The new severity level will only apply to the finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. +2. Locate the individual finding, then select **Manage**. +3. In **Active Instances**, select the file name. +4. In **Shared Links**, select the linked file instance. 
## Resolve finding with a Gateway policy Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your company's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes. :::note[Before you begin] - Ensure that you have [enabled HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) for your organization. ::: To create a Gateway policy directly from a CASB finding: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. Locate the finding you want to modify and select **View**. +2. Locate the finding you want to modify and select **Manage**. 3. Find the instance you want to block and select its three-dot menu. 4. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy. :::note @@ -89,9 +98,9 @@ After reviewing your findings, you may decide that certain findings are not appl 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. 2. In the **Active** tab, select the checkboxes for the findings you want to hide. -3. Select **Ignore**. +3. Select **Move to Ignore**. -The findings will be moved from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections in the **Ignored** tab. You can move ignored findings back to the **Active** tab at any time. +The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time. ### Hide an instance of a finding From 00bb7bd3638623157b9a2bd2d107cf50dd665b4e Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 19 Nov 2024 17:17:15 -0600 Subject: [PATCH 04/18] Reword --- .../cloudflare-one/applications/scan-apps/index.mdx | 4 ++-- .../cloudflare-one/casb/manage-integrations.mdx | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx index 10232a06245341..bd3257b6f05933 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: Scan SaaS applications +title: Scan SaaS and cloud services sidebar: order: 3 --- @@ -13,7 +13,7 @@ Available for all Zero Trust users. Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of an individual finding instance. ::: -Cloudflare's API-driven Cloud Access Security Broker (CASB) scans SaaS and cloud applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. +Cloudflare's API-driven Cloud Access Security Broker (CASB) integrates with SaaS applications and cloud environments to scan for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. ## Manage CASB integrations diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index fe13e01e65307d..40e70a5a8a6b44 100644 --- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx 
@@ -2,11 +2,11 @@ {} --- -When you integrate a third-party SaaS or cloud application with Cloudflare CASB, you allow CASB to make API calls to the application and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. +When you integrate a third-party SaaS application or cloud environment with Cloudflare CASB, you allow CASB to make API calls to the service and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. ### Prerequisites -Before you can integrate a third-party application with CASB, its account must meet certain requirements. To view the prerequisites and permissions for your application, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). +Before you can integrate a third-party service with CASB, your account with that integration must meet certain requirements. To view the prerequisites and permissions for your SaaS application or cloud environment, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). ### Add an integration 
@@ -14,9 +14,9 @@ Before you can integrate a third-party application with CASB, its account must m 2. Select **Add integration**. 3. Browse the available integrations and select the application you would like to add. 4. Follow the step-by-step integration instructions in the UI. -5. To run your first scan, select **Save integration**. You will be redirected to the [Findings page](/cloudflare-one/applications/scan-apps/manage-findings/) to see an in-depth listing of issues found. +5. To run your first scan, select **Save integration**. CASB will redirect you to the [Findings page](/cloudflare-one/applications/scan-apps/manage-findings/) to view an in-depth listing of issues found. -After the first scan, CASB will automatically scan your application on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. +After the first scan, CASB will automatically scan your service on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. ### Pause an integration @@ -24,7 +24,7 @@ After the first scan, CASB will automatically scan your application on a frequen 2. Find the integration you would like to pause and select **Manage**. 3. To stop scanning the application, turn off **Scan findings**. -You can resume application scanning at any time by turning on **Scan findings**. +You can resume CASB scanning at any time by turning on **Scan findings**. ### Delete an integration From 4b726625b6b0123e2f63b38a6e5d44f35c2f6fbe Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 19 Nov 2024 17:24:02 -0600 Subject: [PATCH 05/18] Improve wording --- .../applications/scan-apps/casb-dlp.mdx | 26 +++++++------------ .../scan-apps/casb-integrations/index.mdx | 2 +- .../scan-apps/troubleshooting.mdx | 15 +++++------ 3 files changed, 18 insertions(+), 25 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx index 5cff76a3514b48..308bda4483f5a9 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx @@ -3,21 +3,15 @@ pcx_content_type: concept title: Scan for sensitive data sidebar: order: 3 - --- -import { Render } from "~/components" +import { Render } from "~/components"; :::note - - Requires Cloudflare CASB and Cloudflare DLP. - - ::: -You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to discover if files stored in your SaaS application contain sensitive data. -To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then enable those profiles in a CASB integration. +You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to discover if files stored in a SaaS application contains sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration. ## Supported integrations 
@@ -61,17 +55,17 @@ CASB will scan every publicly accessible file in the integration for text that m If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes: -* Contents of the file -* Name of the file -* Visibility of the file (only if changed to publicly accessible) -* Owner of the file -* Location of the file (for example, moved to a different folder) +- Contents of the file +- Name of the file +- Visibility of the file (only if changed to publicly accessible) +- Owner of the file +- Location of the file (for example, moved to a different folder) In order to scan historical data, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration). ## Limitations -DLP will only scan: +DLP in CASB will only scan: -* [Text-based files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported. -* Files ≤ 100 MB. +- [Text-based files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported. +- Files less than or equal 100 MB in size. diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/index.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/index.mdx index fb7d46a01ec953..5d53bb0b3036b4 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/index.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/index.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 3 --- -You can integrate the following SaaS applications with Cloudflare CASB: +You can integrate the following SaaS applications and cloud environments with Cloudflare CASB: - [Amazon Web Services (AWS) S3](/cloudflare-one/applications/scan-apps/casb-integrations/aws-s3/) - [Atlassian Confluence](/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-confluence/) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/troubleshooting.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/troubleshooting.mdx index 7e581db83b33bc..37dc6b6fdb35b2 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/troubleshooting.mdx @@ -3,14 +3,13 @@ pcx_content_type: troubleshooting title: Troubleshoot integrations sidebar: order: 3 - --- -import { TabItem, Tabs } from "~/components" +import { TabItem, Tabs } from "~/components"; Cloudflare CASB detects when integrations are unhealthy or outdated. -Common integration issues include changes to SaaS app configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions. +Common integration issues include changes to SaaS app or cloud environment configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions. ## Identify unhealthy or outdated integrations 
@@ -20,21 +19,21 @@ To identify unhealthy CASB integrations, go to **CASB** > **Integrations** or ** You can repair unhealthy CASB integrations through your list of integrations or findings. - + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. 2. Choose your unhealthy integration. 3. Select **Reauthorize**. -4. In your SaaS app, reauthorize your account. +4. In your SaaS app or cloud environment, reauthorize your account. - + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Findings**. 2. Choose the finding highlighted in red. CASB will redirect you to the unhealthy integration. 3. Select **Reauthorize**. -4. In your SaaS app, reauthorize your account. +4. In your SaaS app or cloud environment, reauthorize your account. @@ -45,4 +44,4 @@ Upgrading an outdated integration will allow the integration to access new featu 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. 2. Choose your outdated integration. 3. Select **Upgrade integration**. -4. In your SaaS app, upgrade your app and reauthorize your account. +4. In your SaaS app or cloud environment, upgrade your app and reauthorize your account. From 597a446ce7df55723ab43c5660590f33b79b62ee Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 12:42:50 -0600 Subject: [PATCH 06/18] Improve more wording --- .../partials/cloudflare-one/casb/manage-integrations.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index 40e70a5a8a6b44..5606a1c1360e78 100644 --- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx 
@@ -11,7 +11,7 @@ Before you can integrate a third-party service with CASB, your account with that ### Add an integration 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. -2. Select **Add integration**. +2. Select **Connect an integration** or **Add integration**. 3. Browse the available integrations and select the application you would like to add. 4. Follow the step-by-step integration instructions in the UI. 5. To run your first scan, select **Save integration**. CASB will redirect you to the [Findings page](/cloudflare-one/applications/scan-apps/manage-findings/) to view an in-depth listing of issues found. From 5c0c61861394638c9f34fc29460c7b800441bf13 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 14:06:37 -0600 Subject: [PATCH 07/18] Update title --- .../docs/cloudflare-one/applications/scan-apps/index.mdx | 2 +- .../partials/cloudflare-one/casb/manage-integrations.mdx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx index bd3257b6f05933..1706b518aac316 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: Scan SaaS and cloud services +title: Cloud Access Security Broker (CASB) sidebar: order: 3 --- diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index 5606a1c1360e78..587299bdb20594 100644 --- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx 
@@ -2,11 +2,11 @@ {} --- -When you integrate a third-party SaaS application or cloud environment with Cloudflare CASB, you allow CASB to make API calls to the service and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. +When you integrate a third-party SaaS application or cloud environment with Cloudflare CASB, you allow CASB to make API calls to its endpoint and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. ### Prerequisites -Before you can integrate a third-party service with CASB, your account with that integration must meet certain requirements. To view the prerequisites and permissions for your SaaS application or cloud environment, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). +Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. To view the prerequisites and permissions for your SaaS application or cloud environment, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). ### Add an integration 
@@ -16,7 +16,7 @@ Before you can integrate a third-party service with CASB, your account with that 4. Follow the step-by-step integration instructions in the UI. 5. To run your first scan, select **Save integration**. CASB will redirect you to the [Findings page](/cloudflare-one/applications/scan-apps/manage-findings/) to view an in-depth listing of issues found. -After the first scan, CASB will automatically scan your service on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. +After the first scan, CASB will automatically scan your SaaS application or cloud environment on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. ### Pause an integration From 2d5bf7a8fd704ab8f14f2626c017eee9a8b50de7 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Wed, 20 Nov 2024 14:50:08 -0600 Subject: [PATCH 08/18] Rename scan-apps --> casb --- public/_redirects | 1 + .../cloudflare-one/applications/{scan-apps => casb}/casb-dlp.mdx | 0 .../casb-integrations/atlassian-confluence.mdx | 0 .../{scan-apps => casb}/casb-integrations/atlassian-jira.mdx | 0 .../{scan-apps => casb}/casb-integrations/aws-s3.mdx | 0 .../{scan-apps => casb}/casb-integrations/bitbucket-cloud.mdx | 0 .../applications/{scan-apps => casb}/casb-integrations/box.mdx | 0 .../{scan-apps => casb}/casb-integrations/dropbox.mdx | 0 .../{scan-apps => casb}/casb-integrations/github.mdx | 0 .../casb-integrations/google-workspace/gmail.mdx | 0 .../casb-integrations/google-workspace/google-admin.mdx | 0 .../casb-integrations/google-workspace/google-calendar.mdx | 0 .../casb-integrations/google-workspace/google-drive.mdx | 0 .../casb-integrations/google-workspace/index.mdx | 0 .../applications/{scan-apps => casb}/casb-integrations/index.mdx | 0 .../casb-integrations/microsoft-365/admin-center.mdx | 0 .../casb-integrations/microsoft-365/index.mdx | 0 .../casb-integrations/microsoft-365/onedrive.mdx | 0 .../casb-integrations/microsoft-365/outlook.mdx | 0 .../casb-integrations/microsoft-365/sharepoint.mdx | 0 .../{scan-apps => casb}/casb-integrations/salesforce.mdx | 0 .../{scan-apps => casb}/casb-integrations/servicenow.mdx | 0 .../applications/{scan-apps => casb}/casb-integrations/slack.mdx | 0 .../cloudflare-one/applications/{scan-apps => casb}/index.mdx | 0 .../applications/{scan-apps => casb}/manage-findings.mdx | 0 .../applications/{scan-apps => casb}/troubleshooting.mdx | 0 26 files changed, 1 insertion(+) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-dlp.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/atlassian-confluence.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/atlassian-jira.mdx (100%) rename 
src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/aws-s3.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/bitbucket-cloud.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/box.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/dropbox.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/github.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/google-workspace/gmail.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/google-workspace/google-admin.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/google-workspace/google-calendar.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/google-workspace/google-drive.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/google-workspace/index.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/index.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/microsoft-365/admin-center.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/microsoft-365/index.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/microsoft-365/onedrive.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/microsoft-365/outlook.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/microsoft-365/sharepoint.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => 
casb}/casb-integrations/salesforce.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/servicenow.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/casb-integrations/slack.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/index.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/manage-findings.mdx (100%) rename src/content/docs/cloudflare-one/applications/{scan-apps => casb}/troubleshooting.mdx (100%) diff --git a/public/_redirects b/public/_redirects index 7cbc4b09f58fca..9f60b5ef97001e 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1781,6 +1781,7 @@ /cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/:splat 301 /cloudflare-one/connections/connect-networks/deployment-guides/* /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/:splat 301 /cloudflare-one/analytics/logs/* /cloudflare-one/insights/logs/:splat 301 +/cloudflare-one/applications/scan-apps/* /cloudflare-one/applications/casb/:splat 301 /cloudflare-one/connections/connect-apps/use_cases/* /cloudflare-one/connections/connect-networks/use-cases/:splat 301 /cloudflare-one/connections/connect-apps/* /cloudflare-one/connections/connect-networks/:splat 301 /cloudflare-one/connections/connect-devices/warp/exclude-traffic/* /cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/:splat 301 diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx 
diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-confluence.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/atlassian-confluence.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-confluence.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/atlassian-confluence.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-jira.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/atlassian-jira.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-jira.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/atlassian-jira.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/aws-s3.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/aws-s3.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/bitbucket-cloud.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/bitbucket-cloud.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/bitbucket-cloud.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/bitbucket-cloud.mdx 
diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/box.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/box.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/box.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/box.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/dropbox.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/dropbox.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/dropbox.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/dropbox.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/github.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/github.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/github.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/github.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/gmail.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/gmail.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/gmail.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/gmail.mdx 
diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-admin.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-admin.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-admin.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-admin.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-calendar.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-calendar.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-calendar.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-calendar.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-drive.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-drive.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/index.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/google-workspace/index.mdx 
diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/index.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/admin-center.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/admin-center.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/admin-center.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/admin-center.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/index.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/index.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/onedrive.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/onedrive.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive.mdx 
diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/outlook.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/outlook.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/sharepoint.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/sharepoint.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/salesforce.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/salesforce.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/servicenow.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/servicenow.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/servicenow.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/servicenow.mdx 
diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/slack.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/slack.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/slack.mdx rename to src/content/docs/cloudflare-one/applications/casb/casb-integrations/slack.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx b/src/content/docs/cloudflare-one/applications/casb/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/index.mdx rename to src/content/docs/cloudflare-one/applications/casb/index.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/manage-findings.mdx rename to src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/troubleshooting.mdx b/src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/scan-apps/troubleshooting.mdx rename to src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx From fe668d04244b2c946b15285fbb0e414435176cc3 Mon Sep 17 00:00:00 2001 
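Review bot: All 26 files in PATCH 08 are renamed at 100% similarity and the only content change is the new `/cloudflare-one/applications/scan-apps/*` rule in `public/_redirects`, so every link inside the moved pages still targets `/cloudflare-one/applications/scan-apps/...` at this commit and resolves only through the 301. The links are corrected in PATCH 09, so either fold that link update into this commit or state the dependency in the commit message, so that this commit does not look complete on its own when bisecting or cherry-picking. It is also worth confirming that the site's link checker follows redirects; otherwise it will flag this intermediate state.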
From: Max Phillips Date: Wed, 20 Nov 2024 14:51:26 -0600 Subject: [PATCH 09/18] Update CASB links --- src/content/changelogs/casb.yaml | 4 +- src/content/changelogs/dlp.yaml | 2 +- .../casb/casb-integrations/index.mdx | 40 ++--- .../applications/casb/manage-findings.mdx | 4 +- .../connect-devices/agentless/index.mdx | 13 +- .../dlp-profiles/index.mdx | 4 +- .../dlp-profiles/integration-profiles.mdx | 4 +- .../policies/data-loss-prevention/index.mdx | 4 +- .../data-loss-prevention/saas-apps.mdx | 2 +- .../setup/manage-members/roles.mdx | 141 +++++++++--------- .../data-loss-prevention.mdx | 2 +- .../concepts/security-concepts.mdx | 5 +- .../configure-casb.mdx | 9 +- .../cloudflare-sase-with-microsoft.mdx | 3 +- .../architectures/sase.mdx | 4 +- .../design-guides/zero-trust-for-saas.mdx | 2 +- .../security/securing-data-at-rest.mdx | 4 +- .../security-insights/index.mdx | 4 +- .../casb/casb-dlp-integrations.mdx | 7 +- .../casb/data-loss-prevention.mdx | 2 +- .../cloudflare-one/casb/integration-perms.mdx | 4 +- .../casb/manage-integrations.mdx | 4 +- .../cloudflare-one/casb/security-findings.mdx | 4 +- .../cloudflare-one/casb/shared-links.mdx | 3 +- src/content/products/casb.yaml | 2 +- 25 files changed, 134 insertions(+), 143 deletions(-) diff --git a/src/content/changelogs/casb.yaml b/src/content/changelogs/casb.yaml index c8aeb81862d5cc..7e60371c1fc9e8 100644 --- a/src/content/changelogs/casb.yaml +++ b/src/content/changelogs/casb.yaml @@ -1,7 +1,7 @@ --- link: "/cloudflare-one/changelog/casb/" productName: CASB -productLink: "/cloudflare-one/applications/scan-apps/" +productLink: "/cloudflare-one/applications/casb/" productArea: Cloudflare One productAreaLink: /cloudflare-one/changelog/ entries: 
@@ -12,7 +12,7 @@ entries: - publish_date: "2024-05-23" title: Data-at-rest DLP for Box and Dropbox description: |- - You can now scan your [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/scan-apps/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches. + You can now scan your [Box](/cloudflare-one/applications/casb/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches. - publish_date: "2024-04-16" title: Export CASB findings to CSV description: |- diff --git a/src/content/changelogs/dlp.yaml b/src/content/changelogs/dlp.yaml index a70b926586cddf..917398c49d3842 100644 --- a/src/content/changelogs/dlp.yaml +++ b/src/content/changelogs/dlp.yaml @@ -16,7 +16,7 @@ entries: - publish_date: "2024-05-23" title: Data-at-rest DLP for Box and Dropbox description: |- - You can now scan your [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/scan-apps/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches. + You can now scan your [Box](/cloudflare-one/applications/casb/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches. - publish_date: "2024-04-16" title: Optical character recognition description: |- diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx index 5d53bb0b3036b4..ff9899813f56fe 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx 
@@ -7,23 +7,23 @@ sidebar: You can integrate the following SaaS applications and cloud environments with Cloudflare CASB: -- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/scan-apps/casb-integrations/aws-s3/) -- [Atlassian Confluence](/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-confluence/) -- [Atlassian Jira](/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-jira/) -- [Bitbucket Cloud](/cloudflare-one/applications/scan-apps/casb-integrations/bitbucket-cloud/) -- [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/) -- [Dropbox](/cloudflare-one/applications/scan-apps/casb-integrations/dropbox/) -- [GitHub](/cloudflare-one/applications/scan-apps/casb-integrations/github/) -- [Google Workspace](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/) - - [Google Drive](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-drive/) - - [Gmail](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/gmail/) - - [Google Admin](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-admin/) - - [Google Calendar](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-calendar/) -- [Microsoft 365](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/) - - [Admin Center](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/admin-center/) - - [OneDrive](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/onedrive/) - - [SharePoint](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/sharepoint/) - - [Outlook](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/outlook/) -- [Salesforce](/cloudflare-one/applications/scan-apps/casb-integrations/salesforce/) -- [ServiceNow](/cloudflare-one/applications/scan-apps/casb-integrations/servicenow/) -- 
[Slack](/cloudflare-one/applications/scan-apps/casb-integrations/slack/) +- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/casb/casb-integrations/aws-s3/) +- [Atlassian Confluence](/cloudflare-one/applications/casb/casb-integrations/atlassian-confluence/) +- [Atlassian Jira](/cloudflare-one/applications/casb/casb-integrations/atlassian-jira/) +- [Bitbucket Cloud](/cloudflare-one/applications/casb/casb-integrations/bitbucket-cloud/) +- [Box](/cloudflare-one/applications/casb/casb-integrations/box/) +- [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/) +- [GitHub](/cloudflare-one/applications/casb/casb-integrations/github/) +- [Google Workspace](/cloudflare-one/applications/casb/casb-integrations/google-workspace/) + - [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/) + - [Gmail](/cloudflare-one/applications/casb/casb-integrations/google-workspace/gmail/) + - [Google Admin](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-admin/) + - [Google Calendar](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-calendar/) +- [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/) + - [Admin Center](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/admin-center/) + - [OneDrive](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive/) + - [SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/) + - [Outlook](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook/) +- [Salesforce](/cloudflare-one/applications/casb/casb-integrations/salesforce/) +- [ServiceNow](/cloudflare-one/applications/casb/casb-integrations/servicenow/) +- [Slack](/cloudflare-one/applications/casb/casb-integrations/slack/) 
diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index 1d3aaf22d411fe..56a7a1e880627e 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx @@ -12,7 +12,7 @@ Findings are security issues detected within SaaS and cloud applications that in ## Prerequisites -- You have [added](/cloudflare-one/applications/scan-apps/#add-an-integration) a CASB integration. +- You have [added](/cloudflare-one/applications/casb/#add-an-integration) a CASB integration. - Your scan has surfaced at least one security finding. ## Posture findings @@ -60,7 +60,7 @@ CASB will display details about your content findings, including the file name, ## View shared files -File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: +File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/casb/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. 2. Locate the individual finding, then select **Manage**. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx index 491a0e253627af..159f5f1c2e8787 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx 
@@ -3,14 +3,13 @@ pcx_content_type: concept title: Agentless options sidebar: order: 2 - --- If you are unable to install the WARP client on your devices (for example, Windows Server does not support the WARP client), you can use agentless options to enable a subset of Zero Trust features. -* **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)** -* **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture -* **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections -* **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/) -* **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/)** -* **[Data Loss Prevention (DLP)](/cloudflare-one/applications/scan-apps/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB +- **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)** +- **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture +- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections +- **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed 
URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/) +- **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)** +- **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx index c6471b5e6f7adf..0fd82adcca08c7 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx @@ -14,10 +14,10 @@ A DLP profile is a collection of regular expressions (also known as detection en -You can now use this profile in a [DLP policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/scan-apps/casb-dlp/). +You can now use this profile in a [DLP policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/casb/casb-dlp/). ## Build a custom profile -You can now use this profile in a [DLP policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/scan-apps/casb-dlp/). +You can now use this profile in a [DLP policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/casb/casb-dlp/). diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx index 32f3f30696b8d8..899e86df59980a 100644 
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx @@ -7,7 +7,7 @@ sidebar: :::note -Integration profiles require [Cloudflare CASB](/cloudflare-one/applications/scan-apps/). +Integration profiles require [Cloudflare CASB](/cloudflare-one/applications/casb/). ::: Cloudflare DLP integration profiles enable data loss prevention support for third-party data classification providers. Data classification information is retrieved from the third-party platform and populated into a DLP Profile. You can then enable detection entries in the profile and create a DLP policy to allow or block matching data. @@ -20,7 +20,7 @@ Microsoft provides [Purview Information Protection sensitivity labels](https://l ### Setup -To add MIP sensitivity labels to a DLP Profile, simply integrate your Microsoft account with [Cloudflare CASB](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/). A new integration profile will appear under **DLP** > **DLP profiles**. The profile is named **MIP Sensitivity Labels** followed by the name of the CASB integration. +To add MIP sensitivity labels to a DLP Profile, simply integrate your Microsoft account with [Cloudflare CASB](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/). A new integration profile will appear under **DLP** > **DLP profiles**. The profile is named **MIP Sensitivity Labels** followed by the name of the CASB integration. MIP sensitivity labels can also be added to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) as an existing entry. diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx index 861e55fc93c5d5..eb779b130e01b3 100644 
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx @@ -25,9 +25,9 @@ To get started, refer to [Scan HTTP traffic with DLP](/cloudflare-one/policies/d ## Data at rest -Data Loss Prevention complements [Cloudflare CASB](/cloudflare-one/applications/scan-apps/) to detect sensitive data stored in your SaaS applications. Unlike data in transit scans which read files sent through Cloudflare Gateway, CASB retrieves files directly via the API. Therefore, Gateway and WARP settings (such as [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policies and [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configurations) will not affect data at rest scans. +Data Loss Prevention complements [Cloudflare CASB](/cloudflare-one/applications/casb/) to detect sensitive data stored in your SaaS applications. Unlike data in transit scans which read files sent through Cloudflare Gateway, CASB retrieves files directly via the API. Therefore, Gateway and WARP settings (such as [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policies and [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configurations) will not affect data at rest scans. -To get started, refer to [Scan SaaS applications with DLP](/cloudflare-one/applications/scan-apps/casb-dlp/). +To get started, refer to [Scan SaaS applications with DLP](/cloudflare-one/applications/casb/casb-dlp/). ## Supported file types diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/saas-apps.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/saas-apps.mdx index acade282d77bb9..19bc384a186af1 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/saas-apps.mdx 
+++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/saas-apps.mdx @@ -1,7 +1,7 @@ --- pcx_content_type: navigation title: Scan SaaS apps -external_link: /cloudflare-one/applications/scan-apps/casb-dlp/ +external_link: /cloudflare-one/applications/casb/casb-dlp/ sidebar: order: 2 --- diff --git a/src/content/docs/fundamentals/setup/manage-members/roles.mdx b/src/content/docs/fundamentals/setup/manage-members/roles.mdx index 082c2a6250fcb8..924c368bccce2f 100644 --- a/src/content/docs/fundamentals/setup/manage-members/roles.mdx +++ b/src/content/docs/fundamentals/setup/manage-members/roles.mdx @@ -6,7 +6,6 @@ sidebar: head: - tag: title content: Account roles - --- Whenever you [add a new member](/fundamentals/setup/manage-members/manage/) to your account, you can assign policies to those users and make use of the available roles. Roles can only ever be assigned to their given scope and multiple roles can be assigned to a given policy. 
@@ -15,80 +14,80 @@ Whenever you [add a new member](/fundamentals/setup/manage-members/manage/) to y Account-scoped roles apply across an entire Cloudflare account, and through all domains in that account. -| Role | Description | -| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Administrator | Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile. | -| Super Administrator | Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators. | -| Administrator Read Only | Can access the full account in read-only mode. | -| Analytics | Can read Analytics. | -| API Gateway | Grants full access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | -| API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | -| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/setup/account/account-security/review-audit-logs/). | -| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations for all domains in account. | -| Billing | Can edit the account’s [billing profile](/fundamentals/subscriptions-and-billing/create-billing-profile/) and subscriptions | -| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) policies. | -| Cache Purge | Can purge the edge cache. | -| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). 
| -| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/). | -| Cloudflare Images | Can access [Cloudflare Images](/images/) data. | -| Cloudflare R2 Admin | Can edit Cloudflare [R2](/r2/) buckets, objects, and associated configurations. | -| Cloudflare R2 Read | Can read Cloudflare [R2](/r2/) buckets, objects, and associated configurations. | -| Cloudflare Stream | Can edit [Cloudflare Stream](/stream/) media. | -| Cloudflare Workers Admin | Can edit Cloudflare [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/) and [R2](/r2/). Also provides read access to Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). | -| Cloudflare Zero Trust | Can edit [Cloudflare for Zero Trust](/cloudflare-one/). | -| Cloudflare Zero Trust PII | Can access [Cloudflare for Zero Trust](/cloudflare-one/) PII. | -| Cloudflare Zero Trust Read Only | Can access [Cloudflare for Zero Trust](/cloudflare-one/) read only mode. | -| Cloudflare Zero Trust Reporting | Can access [Cloudflare for Zero Trust](/cloudflare-one/) reporting data. | -| DNS | Can edit [DNS records](/dns/manage-dns-records/). | -| Email Configuration Admin | Grants write access to all of CES, [CASB](/cloudflare-one/applications/scan-apps/), [DLP](/cloudflare-one/policies/data-loss-prevention/), [Gateway](/cloudflare-one/policies/gateway/), and [Tunnels](/cloudflare-one/connections/connect-networks/), except Mail Preview, Raw Email, on-demand reports, actions on emails, and Submissions, Submission Transparency (Requires Cloudflare Zero Trust PII). | -| Email Integration Admin | Grants write access to CES account integration only, [CASB](/cloudflare-one/applications/scan-apps/), [DLP](/cloudflare-one/policies/data-loss-prevention/), [Gateway](/cloudflare-one/policies/gateway/), and [Tunnels](/cloudflare-one/connections/connect-networks/). 
| -| Email Security Analyst | Grants write access to all of CES, except Settings which is read only (Requires Cloudflare Zero Trust PII). | -| Email Security Read Only | Grants read access to all of CES, but cannot see Raw Email, take action on emails, or make Submissions (Requires Cloudflare Zero Trust PII). | -| Email Security Reporting | Grants read access to CES Home, PhishGuard, and Submission Transparency. | -| Firewall | Can edit [WAF](/waf/), [IP Access rules](/waf/tools/ip-access-rules/), [Zone Lockdown](/waf/tools/zone-lockdown/) settings, and [Cache Rules](/cache/how-to/cache-rules/). | -| Load Balancer | Can edit [Load Balancers](/load-balancing/), Pools, Origins, and Health Checks. | -| Log Share | Can edit [Log Share](/logs/) configuration. | -| Log Share Reader | Can read Enterprise [Log Share](/logs/). | -| Magic Network Monitoring | Can view and edit [MNM configuration](/magic-network-monitoring/). | -| Magic Network Monitoring Admin | Can view, edit, create, and delete [MNM configuration](/magic-network-monitoring/). | -| Magic Network Monitoring Read-Only | Can view [MNM configuration](/magic-network-monitoring/). | -| Network Services Write (Magic) | Grants write access to network configurations for Magic services. | -| Network Services Read (Magic) | Grants read access to network configurations for Magic services. | -| Minimal Account Access | Can view account, and nothing else. | -| Page Shield | Grants write access to [Page Shield](/page-shield/) across the whole account. | -| Page Shield Read | Grants read access to [Page Shield](/page-shield/) across the whole account. | -| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/) database configuration. | -| Hyperdrive Admin | Grants write access to [Hyperdrive](/hyperdrive/) database configuration. | -| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for [DNS](/dns/) and [Firewall](/waf/). 
| -| Trust and Safety | Can access trust and safety related services. | -| Turnstile | Grants full access to [Turnstile](/turnstile/). | -| Turnstile Read | Grants read access to [Turnstile](/turnstile/). | -| Vectorize Admin | Can edit [Vectorize](/vectorize/) configurations. | -| Vectorize Read only | Can read [Vectorize](/vectorize/) configurations. | -| Waiting Room Admin | Can edit [Waiting Room](/waiting-room/) configuration. | -| Waiting Room Read | Can read [Waiting Room](/waiting-room/) configuration. | -| Zaraz Admin | Can edit and publish [Zaraz](/zaraz/) configuration. | -| Zaraz Edit | Can edit [Zaraz](/zaraz/) configuration. | -| Zaraz Read | Can read [Zaraz](/zaraz/) configuration. | -| Zone Versioning (Account-Wide) | Can view and edit [Zone Versioning](/version-management/) for all domains in account. | -| Zone Versioning Read (Account-Wide) | Can view [Zone Versioning](/version-management/) for all domains in account. | +| Role | Description | +| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Administrator | Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile. | +| Super Administrator | Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators. | +| Administrator Read Only | Can access the full account in read-only mode. | +| Analytics | Can read Analytics. | +| API Gateway | Grants full access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. 
| +| API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | +| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/setup/account/account-security/review-audit-logs/). | +| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations for all domains in account. | +| Billing | Can edit the account’s [billing profile](/fundamentals/subscriptions-and-billing/create-billing-profile/) and subscriptions | +| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) policies. | +| Cache Purge | Can purge the edge cache. | +| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). | +| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/). | +| Cloudflare Images | Can access [Cloudflare Images](/images/) data. | +| Cloudflare R2 Admin | Can edit Cloudflare [R2](/r2/) buckets, objects, and associated configurations. | +| Cloudflare R2 Read | Can read Cloudflare [R2](/r2/) buckets, objects, and associated configurations. | +| Cloudflare Stream | Can edit [Cloudflare Stream](/stream/) media. | +| Cloudflare Workers Admin | Can edit Cloudflare [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/) and [R2](/r2/). Also provides read access to Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). | +| Cloudflare Zero Trust | Can edit [Cloudflare for Zero Trust](/cloudflare-one/). | +| Cloudflare Zero Trust PII | Can access [Cloudflare for Zero Trust](/cloudflare-one/) PII. | +| Cloudflare Zero Trust Read Only | Can access [Cloudflare for Zero Trust](/cloudflare-one/) read only mode. | +| Cloudflare Zero Trust Reporting | Can access [Cloudflare for Zero Trust](/cloudflare-one/) reporting data. 
| +| DNS | Can edit [DNS records](/dns/manage-dns-records/). | +| Email Configuration Admin | Grants write access to all of CES, [CASB](/cloudflare-one/applications/casb/), [DLP](/cloudflare-one/policies/data-loss-prevention/), [Gateway](/cloudflare-one/policies/gateway/), and [Tunnels](/cloudflare-one/connections/connect-networks/), except Mail Preview, Raw Email, on-demand reports, actions on emails, and Submissions, Submission Transparency (Requires Cloudflare Zero Trust PII). | +| Email Integration Admin | Grants write access to CES account integration only, [CASB](/cloudflare-one/applications/casb/), [DLP](/cloudflare-one/policies/data-loss-prevention/), [Gateway](/cloudflare-one/policies/gateway/), and [Tunnels](/cloudflare-one/connections/connect-networks/). | +| Email Security Analyst | Grants write access to all of CES, except Settings which is read only (Requires Cloudflare Zero Trust PII). | +| Email Security Read Only | Grants read access to all of CES, but cannot see Raw Email, take action on emails, or make Submissions (Requires Cloudflare Zero Trust PII). | +| Email Security Reporting | Grants read access to CES Home, PhishGuard, and Submission Transparency. | +| Firewall | Can edit [WAF](/waf/), [IP Access rules](/waf/tools/ip-access-rules/), [Zone Lockdown](/waf/tools/zone-lockdown/) settings, and [Cache Rules](/cache/how-to/cache-rules/). | +| Load Balancer | Can edit [Load Balancers](/load-balancing/), Pools, Origins, and Health Checks. | +| Log Share | Can edit [Log Share](/logs/) configuration. | +| Log Share Reader | Can read Enterprise [Log Share](/logs/). | +| Magic Network Monitoring | Can view and edit [MNM configuration](/magic-network-monitoring/). | +| Magic Network Monitoring Admin | Can view, edit, create, and delete [MNM configuration](/magic-network-monitoring/). | +| Magic Network Monitoring Read-Only | Can view [MNM configuration](/magic-network-monitoring/). 
| +| Network Services Write (Magic) | Grants write access to network configurations for Magic services. | +| Network Services Read (Magic) | Grants read access to network configurations for Magic services. | +| Minimal Account Access | Can view account, and nothing else. | +| Page Shield | Grants write access to [Page Shield](/page-shield/) across the whole account. | +| Page Shield Read | Grants read access to [Page Shield](/page-shield/) across the whole account. | +| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/) database configuration. | +| Hyperdrive Admin | Grants write access to [Hyperdrive](/hyperdrive/) database configuration. | +| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for [DNS](/dns/) and [Firewall](/waf/). | +| Trust and Safety | Can access trust and safety related services. | +| Turnstile | Grants full access to [Turnstile](/turnstile/). | +| Turnstile Read | Grants read access to [Turnstile](/turnstile/). | +| Vectorize Admin | Can edit [Vectorize](/vectorize/) configurations. | +| Vectorize Read only | Can read [Vectorize](/vectorize/) configurations. | +| Waiting Room Admin | Can edit [Waiting Room](/waiting-room/) configuration. | +| Waiting Room Read | Can read [Waiting Room](/waiting-room/) configuration. | +| Zaraz Admin | Can edit and publish [Zaraz](/zaraz/) configuration. | +| Zaraz Edit | Can edit [Zaraz](/zaraz/) configuration. | +| Zaraz Read | Can read [Zaraz](/zaraz/) configuration. | +| Zone Versioning (Account-Wide) | Can view and edit [Zone Versioning](/version-management/) for all domains in account. | +| Zone Versioning Read (Account-Wide) | Can view [Zone Versioning](/version-management/) for all domains in account. | ## Domain-scoped roles Domain-scoped roles apply for a given domain within an account. 
-| Role | Description | -| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations. | -| Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain. | +| Role | Description | +| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations. | +| Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain. | | Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/policies/access/), and [Worker](/workers/) resources. | | Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/policies/access/), and [Worker](/workers/) resources. | -| Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). | -| Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). | -| Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. 
| -| Domain Page Shield | Grants write access to [Page Shield](/page-shield/) for domains in an account. | -| Domain Page Shield Read | Grants read access to [Page Shield](/page-shield/) for domains in an account. | -| Domain Waiting Room Admin | Can edit [waiting rooms](/waiting-room/) configuration. | -| Domain Waiting Room Read | Can read [waiting rooms](/waiting-room/) configuration. | -| Zone Versioning | Grants full access to [Zone Versioning](/version-management/). | -| Zone Versioning Read | Grants read-only access to [Zone Versioning](/version-management/). | +| Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). | +| Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). | +| Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. | +| Domain Page Shield | Grants write access to [Page Shield](/page-shield/) for domains in an account. | +| Domain Page Shield Read | Grants read access to [Page Shield](/page-shield/) for domains in an account. | +| Domain Waiting Room Admin | Can edit [waiting rooms](/waiting-room/) configuration. | +| Domain Waiting Room Read | Can read [waiting rooms](/waiting-room/) configuration. | +| Zone Versioning | Grants full access to [Zone Versioning](/version-management/). | +| Zone Versioning Read | Grants read-only access to [Zone Versioning](/version-management/). | diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx index 92ba9bf6fa310b..8f6925cc85dfd6 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx 
@@ -134,7 +134,7 @@ As your datasets change and grow, we recommend building a pipeline to update the #### Microsoft Information Protection (MIP) labels -If your data already contains Microsoft Information Protection (MIP) labeling schema, Cloudflare can detect those values in-transit automatically. To get started, connect your Microsoft 365 account with a [CASB integration](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/). Cloudflare will automatically pull in your existing MIP definitions into Zero Trust. You can then use the MIP definitions to build DLP profiles for use in Gateway policies. +If your data already contains Microsoft Information Protection (MIP) labeling schema, Cloudflare can detect those values in-transit automatically. To get started, connect your Microsoft 365 account with a [CASB integration](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/). Cloudflare will automatically pull in your existing MIP definitions into Zero Trust. You can then use the MIP definitions to build DLP profiles for use in Gateway policies. For more information, refer to [Integration profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx index 591e2483b5c73f..8956270d27b854 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx @@ -3,10 +3,9 @@ title: What security features does Cloudflare provide? pcx_content_type: learning-unit sidebar: order: 2 - --- -import { GlossaryDefinition } from "~/components" +import { GlossaryDefinition } from "~/components"; Review concepts related to Cloudflare Internet traffic and SaaS app security. 
@@ -44,7 +43,7 @@ A cloud access security broker protects cloud services from security threats. -For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) and [CASB documentation](/cloudflare-one/applications/scan-apps/). +For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) and [CASB documentation](/cloudflare-one/applications/casb/). ## What is browser isolation? diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/configure-casb.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/configure-casb.mdx index 56d5d289fa9a41..9643636e39a5d7 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/configure-casb.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/configure-casb.mdx 
@@ -3,21 +3,20 @@ title: Scan SaaS applications with Cloudflare CASB pcx_content_type: learning-unit sidebar: order: 4 - --- -import { GlossaryDefinition, Render } from "~/components" +import { GlossaryDefinition, Render } from "~/components"; :::note -Only available on Enterprise plans. +Only available on Enterprise plans. ::: Cloudflare's API-implemented CASB addresses the final, common security concern for administrators of SaaS applications or security organizations: How can I get insights into the existing configurations of my SaaS tools and proactively address issues before there is an incident? CASB integrates with a number of leading SaaS applications and surfaces instant security insights related to misconfiguration and potential for data loss. CASB also powers [risk score heuristics](/cloudflare-one/insights/risk-score/) organized by severity. -For more information on Cloudflare CASB, including available SaaS integrations, refer to [Scan SaaS applications](/cloudflare-one/applications/scan-apps/). +For more information on Cloudflare CASB, including available SaaS integrations, refer to [Scan SaaS applications](/cloudflare-one/applications/casb/). ## Manage CASB integrations @@ -29,4 +28,4 @@ If you use both Cloudflare CASB and Cloudflare Data Loss Prevention (DLP), you c -For more information, refer to [Scan SaaS applications with DLP](/cloudflare-one/applications/scan-apps/casb-dlp/). +For more information, refer to [Scan SaaS applications with DLP](/cloudflare-one/applications/casb/casb-dlp/). diff --git a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx index 5ef6ddc37ac247..dbeaf1fd327814 100644 --- a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx +++ b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx 
@@ -10,7 +10,6 @@ sidebar: order: 1 label: Cloudflare SASE with Microsoft updated: 2024-06-13 - --- import { Render } from "~/components"; @@ -52,7 +51,7 @@ Microsoft and Cloudflare can be integrated in the following ways. - Using Microsoft [Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) for authentication to all Cloudflare protected resources - Leveraging Microsoft [InTune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) device posture in Cloudflare policies to ensure only managed, trusted devices have access to protected resources -- Using Cloudflare [CASB](/cloudflare-one/applications/scan-apps/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data +- Using Cloudflare [CASB](/cloudflare-one/applications/casb/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data - Using Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams - Using Cloudflare's [Email Security](/email-security/) service to increase protection of email from phishing attacks and business email compromise. diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index 658eb015b06487..d0dafa499ea53a 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx 
@@ -213,7 +213,7 @@ When Cloudflare acts as the SSO service to an application, user authentication i ![The flow of SSO requests is proxied through Cloudflare, where the IdP is still used to authenticate, but Cloudflare provides additional access controls.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-8.svg) -The last method of connecting SaaS applications to Cloudflare's SASE architecture is with an API-based [cloud access security broker](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) (CASB). The Cloudflare CASB integrates via API to [popular SaaS suites](/cloudflare-one/applications/scan-apps/casb-integrations/) — including Google Workspace, Microsoft 365, Salesforce, and more — and continuously scans these applications for misconfigurations, unauthorized user activity, and other security risks. +The last method of connecting SaaS applications to Cloudflare's SASE architecture is with an API-based [cloud access security broker](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) (CASB). The Cloudflare CASB integrates via API to [popular SaaS suites](/cloudflare-one/applications/casb/casb-integrations/) — including Google Workspace, Microsoft 365, Salesforce, and more — and continuously scans these applications for misconfigurations, unauthorized user activity, and other security risks. Native integration with the Cloudflare [data loss prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) service enables CASB to scan for sensitive or regulated data that may be stored in files with incorrect permissions — further risking leaks or unauthorized access. CASB reports findings that alert IT teams to items such as: 
@@ -678,7 +678,7 @@ It's worth noting that many of the capabilities described in this document can b | Secure Web Gateway | [How to build Gateway policies](/cloudflare-one/policies/gateway/) | | Zero Trust Network Access | [How to build Access policies](/cloudflare-one/policies/access/) | | Remote Browser Isolation | [Understanding browser isolation](/cloudflare-one/policies/browser-isolation/) | -| API-Driven CASB | [Scanning SaaS applications](/cloudflare-one/applications/scan-apps/) | +| API-Driven CASB | [Scanning SaaS applications](/cloudflare-one/applications/casb/) | | Email Security | [Understanding Cloudflare Email Security](/email-security/) | | Replacing your VPN | [Using Cloudflare to replace your VPN](/learning-paths/replace-vpn/) | diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx index 15163e073fde0b..6ae33bdf5d7287 100644 --- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx +++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx 
@@ -144,7 +144,7 @@ For more information about securing data in transit, refer to our [reference arc #### Data at rest -Cloudflare's [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/) integrates with [popular SaaS applications](/cloudflare-one/applications/scan-apps/casb-integrations/) through APIs. Once integrated, Cloudflare continuously scans these applications for security risks. This enables IT teams to detect incidents of authorized users oversharing data, such as sharing a file publicly on the Internet. For Google Workspace, Microsoft 365, Box, and Dropbox, the API CASB can also utilize DLP profiles to detect the sharing of sensitive data. For more information about securing data at rest, refer to our [reference architecture center](/reference-architecture/diagrams/security/securing-data-at-rest/). +Cloudflare's [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/) integrates with [popular SaaS applications](/cloudflare-one/applications/casb/casb-integrations/) through APIs. Once integrated, Cloudflare continuously scans these applications for security risks. This enables IT teams to detect incidents of authorized users oversharing data, such as sharing a file publicly on the Internet. For Google Workspace, Microsoft 365, Box, and Dropbox, the API CASB can also utilize DLP profiles to detect the sharing of sensitive data. For more information about securing data at rest, refer to our [reference architecture center](/reference-architecture/diagrams/security/securing-data-at-rest/). In addition to the previous measures, IT teams should also consider introducing [User Entity and Behavior Analytics (UEBA)](https://www.cloudflare.com/en-gb/learning/security/what-is-ueba/) controls. Cloudflare can assign a [risk score](/cloudflare-one/insights/risk-score/) to users when detecting activities and behaviors that could introduce risks to the organization. 
These risk behaviors include scenarios where users trigger an unusually high number of DLP policy matches. By implementing these measures, organizations can significantly reduce the risk of data leaks from managed SaaS applications, even by authorized users. diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx index a654887886cef2..329c60b37efd12 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx 
@@ -15,9 +15,9 @@ While Cloudflare mostly secures data in transit as it travels over our network, ## Protecting data with Cloudflare CASB -Cloudflare's API-driven [Cloud Access Security Broker](/cloudflare-one/applications/scan-apps/) (CASB) works by integrating with SaaS APIs and discovering both unstructured data at rest (documents, spreadsheets, and so on) and also examining general configuration of the application and user accounts to ensure data access controls are correctly configured. +Cloudflare's API-driven [Cloud Access Security Broker](/cloudflare-one/applications/casb/) (CASB) works by integrating with SaaS APIs and discovering both unstructured data at rest (documents, spreadsheets, and so on) and also examining general configuration of the application and user accounts to ensure data access controls are correctly configured. -[DLP profiles](/cloudflare-one/applications/scan-apps/casb-dlp/) are used to discover if files stored in your SaaS application contain sensitive data. Matches are then compared with access controls and findings are generated, such as findings to alert you to a spreadsheet that contains credit card information that is accessible by anyone on the Internet. +[DLP profiles](/cloudflare-one/applications/casb/casb-dlp/) are used to discover if files stored in your SaaS application contain sensitive data. Matches are then compared with access controls and findings are generated, such as findings to alert you to a spreadsheet that contains credit card information that is accessible by anyone on the Internet. When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) service, which inspects all the traffic going to and from a SaaS application, customers can achieve comprehensive visibility into both data in transit and data at rest for SaaS applications. 
diff --git a/src/content/docs/security-center/security-insights/index.mdx b/src/content/docs/security-center/security-insights/index.mdx index 16205fc95ba936..fda73a561b6e27 100644 --- a/src/content/docs/security-center/security-insights/index.mdx +++ b/src/content/docs/security-center/security-insights/index.mdx @@ -17,7 +17,7 @@ Listed below are the specific insights currently available: | Insight Name | Description | | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [CASB integration status](/cloudflare-one/applications/scan-apps/troubleshooting/) | We detect unhealthy CASB integrations. | +| [CASB integration status](/cloudflare-one/applications/casb/troubleshooting/) | We detect unhealthy CASB integrations. | | [Dangling `A` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | A record is pointing to an IPv4 address that you might no longer control. You are at risk of a subdomain takeover. | | [Dangling `AAAA` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | A record is pointing to an IPv6 address that you might no longer control. You are at risk of a subdomain takeover. | | [Dangling `CNAME` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | A record is pointing to a resource that cannot be found. You are at risk of a subdomain takeover. | 
@@ -31,7 +31,7 @@ Listed below are the specific insights currently available: | [Managed Rules not deployed](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | No managed rules deployed on a WAF protected domain. | | [Migrate to new Managed Rules](/waf/reference/migration-guides/waf-managed-rules-migration/) | Migration to new Managed Rules system required for optimal protection. | | [New API endpoints detected](/api-shield/security/api-discovery/) | API Discovery detects new API endpoints in your zone's traffic. | -| [New CASB integrations found](/cloudflare-one/applications/scan-apps/casb-integrations/) | New CASB integrations have been found. | +| [New CASB integrations found](/cloudflare-one/applications/casb/casb-integrations/) | New CASB integrations have been found. | | [Overprovisioned Access Policies](/cloudflare-one/policies/access/) | We detect an Access policy to allow everyone access to your application. | | [Page Shield not enabled](/page-shield/get-started/) | Page Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. | | [SPF Record Errors](/dns/manage-dns-records/reference/dns-record-types/#spf) | We detect an incorrect or missing `SPF` record. | diff --git a/src/content/partials/cloudflare-one/casb/casb-dlp-integrations.mdx b/src/content/partials/cloudflare-one/casb/casb-dlp-integrations.mdx index dac72dee984f13..e89bc43d215f65 100644 --- a/src/content/partials/cloudflare-one/casb/casb-dlp-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/casb-dlp-integrations.mdx 
@@ -1,8 +1,7 @@ --- {} - --- -* [Google Drive](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/google-drive/) -* [Microsoft OneDrive](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/onedrive/) -* [Microsoft SharePoint](/cloudflare-one/applications/scan-apps/casb-integrations/microsoft-365/sharepoint/) +- [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/) +- [Microsoft OneDrive](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive/) +- [Microsoft SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/) diff --git a/src/content/partials/cloudflare-one/casb/data-loss-prevention.mdx b/src/content/partials/cloudflare-one/casb/data-loss-prevention.mdx index 5f560329941481..faca67ed20efa8 100644 --- a/src/content/partials/cloudflare-one/casb/data-loss-prevention.mdx +++ b/src/content/partials/cloudflare-one/casb/data-loss-prevention.mdx @@ -2,4 +2,4 @@ {} --- -These findings will only appear if you [added DLP profiles](/cloudflare-one/applications/scan-apps/casb-dlp/) to your CASB integration. +These findings will only appear if you [added DLP profiles](/cloudflare-one/applications/casb/casb-dlp/) to your CASB integration. diff --git a/src/content/partials/cloudflare-one/casb/integration-perms.mdx b/src/content/partials/cloudflare-one/casb/integration-perms.mdx index a290d0b129f33a..2756def58209eb 100644 --- a/src/content/partials/cloudflare-one/casb/integration-perms.mdx +++ b/src/content/partials/cloudflare-one/casb/integration-perms.mdx @@ -1,7 +1,5 @@ --- inputParameters: parentIntegration;;parentSlug - --- -Refer to {props.one} integration permissions for information on which API permissions to enable. - +Refer to {props.one} integration permissions for information on which API permissions to enable. 
diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index 587299bdb20594..218b11fc70390e 100644 --- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx @@ -6,7 +6,7 @@ When you integrate a third-party SaaS application or cloud environment with Clou ### Prerequisites -Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. To view the prerequisites and permissions for your SaaS application or cloud environment, refer to its [integration guide](/cloudflare-one/applications/scan-apps/casb-integrations/). +Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. To view the prerequisites and permissions for your SaaS application or cloud environment, refer to its [integration guide](/cloudflare-one/applications/casb/casb-integrations/). ### Add an integration 
@@ -14,7 +14,7 @@ Before you can integrate a SaaS application or cloud environment with CASB, your 2. Select **Connect an integration** or **Add integration**. 3. Browse the available integrations and select the application you would like to add. 4. Follow the step-by-step integration instructions in the UI. -5. To run your first scan, select **Save integration**. CASB will redirect you to the [Findings page](/cloudflare-one/applications/scan-apps/manage-findings/) to view an in-depth listing of issues found. +5. To run your first scan, select **Save integration**. CASB will redirect you to the [Findings page](/cloudflare-one/applications/casb/manage-findings/) to view an in-depth listing of issues found. After the first scan, CASB will automatically scan your SaaS application or cloud environment on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. diff --git a/src/content/partials/cloudflare-one/casb/security-findings.mdx b/src/content/partials/cloudflare-one/casb/security-findings.mdx index d27b4902ed7d3f..b643796bd96394 100644 --- a/src/content/partials/cloudflare-one/casb/security-findings.mdx +++ b/src/content/partials/cloudflare-one/casb/security-findings.mdx 
@@ -2,6 +2,6 @@ inputParameters: integrationName;;slugRelativePath --- -The {props.one} integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](/cloudflare-one/applications/scan-apps/manage-findings/#severity-levels). +The {props.one} integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](/cloudflare-one/applications/casb/manage-findings/#severity-levels). -To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed. +To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed. diff --git a/src/content/partials/cloudflare-one/casb/shared-links.mdx b/src/content/partials/cloudflare-one/casb/shared-links.mdx index adf103c9334097..86029dfd2d14c8 100644 --- a/src/content/partials/cloudflare-one/casb/shared-links.mdx +++ b/src/content/partials/cloudflare-one/casb/shared-links.mdx @@ -1,10 +1,9 @@ --- {} - ---
-To access some file findings, you may need to review shared links. For more information, refer to [View shared files](/cloudflare-one/applications/scan-apps/manage-findings/#view-shared-files). +To access some file findings, you may need to review shared links. For more information, refer to [View shared files](/cloudflare-one/applications/casb/manage-findings/#view-shared-files).
diff --git a/src/content/products/casb.yaml b/src/content/products/casb.yaml index 83a773e1a4f9aa..8c5eeda9bff482 100644 --- a/src/content/products/casb.yaml +++ b/src/content/products/casb.yaml @@ -3,5 +3,5 @@ name: CASB product: title: CASB group: Cloudflare One - url: /cloudflare-one/applications/scan-apps/ + url: /cloudflare-one/applications/casb/ grid_placeholder: true From ecfa1374104d8cd2b3cb56e16bd9b19fd0a5ae7c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 15:53:41 -0600 Subject: [PATCH 10/18] Rearrange page --- .../applications/casb/manage-findings.mdx | 95 ++++++++++++------- 1 file changed, 61 insertions(+), 34 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index 56a7a1e880627e..b58e0b4da3297d 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx @@ -8,6 +8,8 @@ head: content: Manage security findings --- +import { TabItem, Tabs, Details } from "~/components"; + Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found. ## Prerequisites 
@@ -17,15 +19,15 @@ Findings are security issues detected within SaaS and cloud applications that in ## Posture findings -To view your posture findings: +To view details about your posture findings: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture findings**. -2. To switch between findings for your SaaS and cloud applications, choose **SaaS** or **Cloud**. -3. Select a finding to view its details. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. +2. Choose **SaaS** or **Cloud**. +3. To view details about a finding, select a finding name, then select **Manage**. -CASB will display details about your posture findings, including the type, [severity level](#severity-levels), associated integration, and status. +CASB will display details about your posture finding, including the type, [severity level](#severity-levels), associated integration, and status. -To resolve the finding, expand the remediation guide and follow the instructions. You can also [create an HTTP block policy](#resolve-finding-with-a-gateway-policy), update the finding's [severity level](#severity-levels), or [hide findings](#hide-findings) from view. +To resolve the finding, expand the remediation guide and follow the instructions. You can also update the finding's [severity level](#severity-levels), [hide the finding](#hide-findings) from view, or [create a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic. ### Severity levels 
@@ -42,7 +44,7 @@ Cloudflare CASB labels each finding with one of the following severity levels: You can change the severity level for a finding at any time in case the default assignment does not suit your environment: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture findings**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. 2. Locate the finding you want to modify and select **Manage**. 3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). 
@@ -50,45 +52,36 @@ The new severity level will only apply to the posture finding within this specif ## Content findings -To view your content findings: +To view details about your content findings: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture findings**. -2. To switch between findings for your SaaS and cloud applications, choose **SaaS** or **Cloud**. -3. Select a finding to view its details. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Content**. +2. Choose **SaaS** or **Cloud**. +3. To view details about a finding, select a finding name. -CASB will display details about your content findings, including the file name, number of DLP profiles matched, associated integration, and location. +CASB will display details about your content finding, including the file name, number of DLP profiles matched, associated integration, and location. ## View shared files File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/casb/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. Locate the individual finding, then select **Manage**. -3. In **Active Instances**, select the file name. -4. In **Shared Links**, select the linked file instance. + -## Resolve finding with a Gateway policy +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. +2. Choose **SaaS** or **Cloud**. +3. Locate the individual finding, then select **Manage**. +4. In **Active Instances**, select the file name. +5. In **Shared Links**, select the linked file instance. 
-Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your company's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes. + -:::note[Before you begin] -Ensure that you have [enabled HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) for your organization. -::: + -To create a Gateway policy directly from a CASB finding: +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Content**. +2. Choose **SaaS** or **Cloud**. +3. Select the file name of the detected asset. +4. In **Sharing details**, select the linked file instance. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. Locate the finding you want to modify and select **Manage**. -3. Find the instance you want to block and select its three-dot menu. -4. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy. - :::note - Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. - ::: - -5. (Optional) [Customize the HTTP policy](/cloudflare-one/policies/gateway/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. -6. Select **Save**. - -Your HTTP policy will now prevent future instances of the security finding. + ## Hide findings 
@@ -110,3 +103,37 @@ The finding's status will change from **Active** to **Ignored**. CASB will conti 4. Select the three-dot menu, then select **Hide**. The instance will be moved from **Active** to **Hidden**. If the finding occurs again for the same user, CASB will report the new instance in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time. + +## Resolve finding with a Gateway policy + +Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your organization's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes. + +CASB supports creating a Gateway policy with findings from the [Google Workspace integration](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/): + +
+ +- Google Workspace: File publicly accessible with edit access +- Google Workspace: File publicly accessible with view access +- Google Workspace: File shared outside company with edit access +- Google Workspace: File shared outside company with view access + +
+ +:::note[Before you begin] +Ensure that you have [enabled HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) for your organization. +::: + +To create a Gateway policy directly from a CASB finding: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture** or **CASB** > **Content**. +2. Choose **SaaS** or **Cloud**. +3. Choose the finding you want to modify, then select **Manage**. +4. Find the instance you want to block and select its three-dot menu. +5. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy. + :::note + Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. + ::: +6. (Optional) [Configure the HTTP policy](/cloudflare-one/policies/gateway/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. +7. Select **Save**. + +Your HTTP policy will now prevent future instances of the security finding. From 105ee281a31572bf7bb696b23cfed4eb32ec4147 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 16:04:17 -0600 Subject: [PATCH 11/18] Update procedures --- .../applications/casb/manage-findings.mdx | 22 +++++++++---------- .../applications/casb/troubleshooting.mdx | 19 +++++----------- 2 files changed, 16 insertions(+), 25 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index b58e0b4da3297d..370c4dc42b70ae 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx 
@@ -45,7 +45,7 @@ Cloudflare CASB labels each finding with one of the following severity levels: You can change the severity level for a finding at any time in case the default assignment does not suit your environment: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. -2. Locate the finding you want to modify and select **Manage**. +2. Find the finding you want to modify and select **Manage**. 3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change. @@ -68,7 +68,7 @@ File findings for some integrations (such as [Microsoft 365](/cloudflare-one/app 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. 2. Choose **SaaS** or **Cloud**. -3. Locate the individual finding, then select **Manage**. +3. Find the individual finding, then select **Manage**. 4. In **Active Instances**, select the file name. 5. In **Shared Links**, select the linked file instance. 
@@ -85,24 +85,24 @@ File findings for some integrations (such as [Microsoft 365](/cloudflare-one/app ## Hide findings -After reviewing your findings, you may decide that certain findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab. +After reviewing your findings, you may decide that certain posture findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab. ### Hide a finding -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. In the **Active** tab, select the checkboxes for the findings you want to hide. -3. Select **Move to Ignore**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. +2. Find the active finding you want to hide. +3. In the three-dot menu, select **Move to ignore**. The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time. ### Hide an instance of a finding -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Findings**. -2. In the **Active** tab, locate the finding you want to modify and select **View**. -3. Under **Instances**, select the **Active** tab and locate the instance you want to hide. -4. Select the three-dot menu, then select **Hide**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. +2. Choose the active finding you want to hide, then select **Manage**. +3. In **Active**, find the instance you want to hide. +4. 
In the three-dot menu, select **Move to hidden**. -The instance will be moved from **Active** to **Hidden**. If the finding occurs again for the same user, CASB will report the new instance in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time. +The instance will be moved from **Active** to **Hidden** within the finding. If the finding occurs again for the same user, CASB will report the new instance in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time. ## Resolve finding with a Gateway policy diff --git a/src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx b/src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx index 37dc6b6fdb35b2..b003dd57d4facb 100644 --- a/src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx 
@@ -13,30 +13,21 @@ Common integration issues include changes to SaaS app or cloud environment confi ## Identify unhealthy or outdated integrations -To identify unhealthy CASB integrations, go to **CASB** > **Integrations** or **CASB** > **Findings**. If an integration is unhealthy, CASB will highlight it in red and set its status to **Broken**. If an integration is outdated, CASB will highlight it in blue and set its status to **Upgrade**. +To identify unhealthy CASB integrations, go to **CASB** > **Integrations**. If an integration is unhealthy, CASB will set its status to **Broken**. If an integration is outdated, CASB will set its status to **Upgrade**. ## Repair an unhealthy integration -You can repair unhealthy CASB integrations through your list of integrations or findings. +:::note[Repair limitation] +If CASB does not support self-service repairs for an integration, you will need to [delete](/cloudflare-one/applications/casb/#delete-an-integration) and recreate the integration to continue scanning. +::: - +You can repair unhealthy CASB integrations through your list of integrations or findings. 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. 2. Choose your unhealthy integration. 3. Select **Reauthorize**. 4. In your SaaS app or cloud environment, reauthorize your account. - - - - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Findings**. -2. Choose the finding highlighted in red. CASB will redirect you to the unhealthy integration. -3. Select **Reauthorize**. -4. In your SaaS app or cloud environment, reauthorize your account. - - - ## Upgrade an integration Upgrading an outdated integration will allow the integration to access new features and permissions. From e066453f453a5bd1950869753b6f7e61d2e76c79 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Wed, 20 Nov 2024 16:19:32 -0600 Subject: [PATCH 12/18] Add findings context --- .../docs/cloudflare-one/applications/casb/index.mdx | 4 ++-- .../cloudflare-one/applications/casb/manage-findings.mdx | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/index.mdx b/src/content/docs/cloudflare-one/applications/casb/index.mdx index 1706b518aac316..8fd85c96aaa943 100644 --- a/src/content/docs/cloudflare-one/applications/casb/index.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/index.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: Cloud Access Security Broker (CASB) +title: Cloud Access Security Broker sidebar: order: 3 --- @@ -10,7 +10,7 @@ import { GlossaryTooltip, Render } from "~/components"; :::note[Availability] Available for all Zero Trust users. -Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of an individual finding instance. +Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of a finding instance. ::: Cloudflare's API-driven Cloud Access Security Broker (CASB) integrates with SaaS applications and cloud environments to scan for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index 370c4dc42b70ae..807dc50d8edfa2 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx 
@@ -19,7 +19,9 @@ Findings are security issues detected within SaaS and cloud applications that in ## Posture findings -To view details about your posture findings: +Posture findings include misconfigurations, unauthorized user activity, and other data security issues. + +To view details about the posture findings that CASB found: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. 2. Choose **SaaS** or **Cloud**. @@ -52,7 +54,9 @@ The new severity level will only apply to the posture finding within this specif ## Content findings -To view details about your content findings: +Content findings include instances of potential data exposure as identified by [DLP](/cloudflare-one/policies/data-loss-prevention/). + +To view details about the content findings that CASB found: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Content**. 2. Choose **SaaS** or **Cloud**. From ba02bc6235d97f8466afc8d8ac6e6e0514df98d6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 16:39:54 -0600 Subject: [PATCH 13/18] Refine finding details --- .../applications/casb/manage-findings.mdx | 10 +++++----- .../cloudflare-one/casb/manage-integrations.mdx | 4 +++- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index 807dc50d8edfa2..36aa76a9aecacc 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx 
@@ -25,11 +25,11 @@ To view details about the posture findings that CASB found: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. 2. Choose **SaaS** or **Cloud**. -3. To view details about a finding, select a finding name, then select **Manage**. +3. To view details about a finding, select the finding's name -CASB will display details about your posture finding, including the type, [severity level](#severity-levels), associated integration, and status. +CASB will display details about your posture finding, including the finding type, [severity level](#severity-levels), number of instances, associated integration, current status, and date detected. For more information on each instance of the finding, select **Manage**. -To resolve the finding, expand the remediation guide and follow the instructions. You can also update the finding's [severity level](#severity-levels), [hide the finding](#hide-findings) from view, or [create a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic. +To manage the finding's visibility, you can update the finding's [severity level](#severity-levels) or [hide the finding](#hide-findings) from view. Additionally, some findings provide a remediation guide to resolve the issue or support [creating a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic. ### Severity levels 
@@ -60,9 +60,9 @@ To view details about the content findings that CASB found: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Content**. 2. Choose **SaaS** or **Cloud**. -3. To view details about a finding, select a finding name. +3. To view details about a finding, select the finding's name. -CASB will display details about your content finding, including the file name, number of DLP profiles matched, associated integration, and location. +CASB will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected. ## View shared files diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index 218b11fc70390e..7db54820777735 100644 --- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx 
@@ -14,10 +14,12 @@ Before you can integrate a SaaS application or cloud environment with CASB, your 2. Select **Connect an integration** or **Add integration**. 3. Browse the available integrations and select the application you would like to add. 4. Follow the step-by-step integration instructions in the UI. -5. To run your first scan, select **Save integration**. CASB will redirect you to the [Findings page](/cloudflare-one/applications/casb/manage-findings/) to view an in-depth listing of issues found. +5. To run your first scan, select **Save integration**. After the first scan, CASB will automatically scan your SaaS application or cloud environment on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. +Once CASB detects at least one finding, you can [view and manage your findings](/cloudflare-one/applications/casb/manage-findings/). + ### Pause an integration 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**. From 557b972442c3e6699446734042b68086237e2f57 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 16:47:50 -0600 Subject: [PATCH 14/18] Add AWS compute section --- .../applications/casb/casb-integrations/aws-s3.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx index a9c2cf5502534b..39948611d9047a 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx 
@@ -11,10 +11,6 @@ import { Render } from "~/components"; params={{ one: "Amazon Web Services (AWS) S3", two: "AWS account" }} /> -:::note -The CASB integration for AWS S3 only supports posture-related findings. -::: - ## Integration prerequisites - An AWS account using AWS S3 (Simple Storage Service) @@ -30,6 +26,8 @@ For the AWS S3 integration to function, Cloudflare CASB requires the following a These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [AWS S3 Permissions documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html). +## Compute account + ## Security findings Date: Wed, 20 Nov 2024 17:27:33 -0600 Subject: [PATCH 15/18] Add compute account procedures --- .../casb/casb-integrations/aws-s3.mdx | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx index 39948611d9047a..5570736baca302 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx 
@@ -28,6 +28,36 @@ These permissions follow the principle of least privilege to ensure that only th ## Compute account +{/* */} +You can connect an AWS compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your S3 bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration. + +### Add a compute account + +To connect a compute account to your AWS integration: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**. +2. Find and select your AWS integration. +3. Select **Open connection instructions**. +4. Follow the instructions provided to connect a new compute account. +5. Select **Refresh**. + +You can only connect one computer account to an integration. To remove a compute account, select **Manage compute accounts**. + +### Configure compute account scanning + +Once your AWS compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**. +2. Find and select your AWS integration. +3. Select **Create new configuration**. +4. In **Resources**, choose the buckets you want to scan. Select **Continue**. +5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to scan for. +6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to. +7. Select **Continue**. +8. Review the details of the scan, then select **Start scan**. + +CASB will take up to an hour to begin scanning. To view the scan results, go to **CASB** > **Content** > **Cloud**. For more information, refer to [Content findings](/cloudflare-one/applications/casb/manage-findings/#content-findings). 
+ ## Security findings Date: Wed, 20 Nov 2024 17:34:40 -0600 Subject: [PATCH 16/18] Add AWS callout --- .../applications/casb/casb-integrations/aws-s3.mdx | 6 +++++- .../cloudflare-one/applications/casb/manage-findings.mdx | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx index 5570736baca302..92b65e62b3d6f5 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx @@ -56,7 +56,11 @@ Once your AWS compute account has successfully connected to your CASB integratio 7. Select **Continue**. 8. Review the details of the scan, then select **Start scan**. -CASB will take up to an hour to begin scanning. To view the scan results, go to **CASB** > **Content** > **Cloud**. For more information, refer to [Content findings](/cloudflare-one/applications/casb/manage-findings/#content-findings). +CASB will take up to an hour to begin scanning. To view the scan results, go to **CASB** > **Content** > **Cloud**. + +To manage your resources, go to **CASB** > **Integrations**, then find and select your AWS integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings. + +For more information, refer to [Content findings](/cloudflare-one/applications/casb/manage-findings/#content-findings). ## Security findings diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index 36aa76a9aecacc..cf03bf16ce381b 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx 
@@ -64,6 +64,8 @@ To view details about the content findings that CASB found: CASB will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected. +AWS users can configure a [compute account](/cloudflare-one/applications/casb/casb-integrations/aws-s3/#compute-account) to scan for data security resources within their S3 resources. + ## View shared files File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/casb/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: From 5bc5e46b81c73f7f0d318e45735fb7940a7a7897 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 20 Nov 2024 17:49:14 -0600 Subject: [PATCH 17/18] Fix broken GCP link --- .../docs/cloudflare-one/applications/casb/manage-findings.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index cf03bf16ce381b..c419b1c46fc03b 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx 
@@ -114,7 +114,7 @@ The instance will be moved from **Active** to **Hidden** within the finding. If Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your organization's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes. -CASB supports creating a Gateway policy with findings from the [Google Workspace integration](/cloudflare-one/applications/scan-apps/casb-integrations/google-workspace/): +CASB supports creating a Gateway policy with findings from the [Google Workspace integration](/cloudflare-one/applications/casb/casb-integrations/google-workspace/):
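Review bot: the subject of PATCH 17/18 says "Fix broken GCP link", but the only line changed in this hunk is the Google Workspace integration link in manage-findings.mdx, moved from `/applications/scan-apps/casb-integrations/google-workspace/` to `/applications/casb/casb-integrations/google-workspace/`. Reword the subject to name Google Workspace so the history stays searchable, and check the rest of the file for other links that still use the old `scan-apps` path so they can be fixed in the same commit.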
From 9e22c4135355ef44df28af4d7dadf3650b6c18b9 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 27 Nov 2024 13:14:44 -0500 Subject: [PATCH 18/18] Apply suggestions from code review Co-authored-by: Jun Lee --- .../applications/casb/casb-integrations/aws-s3.mdx | 1 - .../cloudflare-one/applications/casb/manage-findings.mdx | 6 +++--- .../partials/cloudflare-one/casb/manage-integrations.mdx | 4 ++-- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx index 92b65e62b3d6f5..24f4d389a91591 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx @@ -28,7 +28,6 @@ These permissions follow the principle of least privilege to ensure that only th ## Compute account -{/* */} You can connect an AWS compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your S3 bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration. ### Add a compute account diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index c419b1c46fc03b..5906b9b0502fdf 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx 
@@ -47,7 +47,7 @@ Cloudflare CASB labels each finding with one of the following severity levels: You can change the severity level for a finding at any time in case the default assignment does not suit your environment: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. -2. Find the finding you want to modify and select **Manage**. +2. Locate the finding you want to modify and select **Manage**. 3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change. @@ -74,7 +74,7 @@ File findings for some integrations (such as [Microsoft 365](/cloudflare-one/app 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. 2. Choose **SaaS** or **Cloud**. -3. Find the individual finding, then select **Manage**. +3. Locate the individual finding, then select **Manage**. 4. In **Active Instances**, select the file name. 5. In **Shared Links**, select the linked file instance. @@ -96,7 +96,7 @@ After reviewing your findings, you may decide that certain posture findings are ### Hide a finding 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**. -2. Find the active finding you want to hide. +2. Locate the active finding you want to hide. 3. In the three-dot menu, select **Move to ignore**. The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time. diff --git a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx index 7db54820777735..aece992100f423 100644 
--- a/src/content/partials/cloudflare-one/casb/manage-integrations.mdx +++ b/src/content/partials/cloudflare-one/casb/manage-integrations.mdx @@ -6,7 +6,7 @@ When you integrate a third-party SaaS application or cloud environment with Clou ### Prerequisites -Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. To view the prerequisites and permissions for your SaaS application or cloud environment, refer to its [integration guide](/cloudflare-one/applications/casb/casb-integrations/). +Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. Refer to the SaaS application or cloud environment's [integration guide](/cloudflare-one/applications/casb/casb-integrations/) to learn more about the prerequisites and permissions. ### Add an integration @@ -16,7 +16,7 @@ Before you can integrate a SaaS application or cloud environment with CASB, your 4. Follow the step-by-step integration instructions in the UI. 5. To run your first scan, select **Save integration**. -After the first scan, CASB will automatically scan your SaaS application or cloud environment on a frequent basis to keep up with any changes. Due to each application having their own set of requirements, scan intervals will vary, but the frequency is typically between every 1 hour and every 24 hours. +After the first scan, CASB will automatically scan your SaaS application or cloud environment on a frequent basis to keep up with any changes. Scan intervals will vary due to each application having their own set of requirements, but the frequency is typically between every 1 hour and every 24 hours. Once CASB detects at least one finding, you can [view and manage your findings](/cloudflare-one/applications/casb/manage-findings/).
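Review bot: the `## Compute account` heading added in the second hunk of PATCH 14/18 (aws-s3.mdx) has no body, so at this commit the page renders an empty section directly above `## Security findings`, and the first hunk of the same commit has already dropped the note limiting the integration to posture-related findings. Squash this into 15/18, which supplies the section text, so that no intermediate commit publishes the page in that state.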
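Review bot: in PATCH 15/18, the new "Compute account" section in aws-s3.mdx never says what access connecting a compute account gives CASB; step 4 only reads "Follow the instructions provided to connect a new compute account", while the context line just above the hunk claims least privilege for the existing S3 permissions. List the permissions or resources the compute account setup requires, or link to where they are documented, so an administrator can review them before connecting. Also in this hunk, "You can only connect one computer account to an integration" should read "compute account", and the empty `{/* */}` comment under the heading can be dropped (18/18 removes the comment, but the typo remains).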
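Review bot: in PATCH 16/18, the sentence added to manage-findings.mdx, "AWS users can configure a compute account to scan for data security resources within their S3 resources", is unclear: "data security resources" is not a term used anywhere else in these changes, and "resources" appears twice. The compute account section in aws-s3.mdx describes the feature as Data Loss Prevention scans for sensitive data in S3 buckets, so wording such as "to scan for sensitive data within their S3 buckets" would match it. The subject calls this a callout, but the line is added as a plain paragraph; wrap it in `:::note` if a callout is intended.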
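Review bot: in PATCH 18/18, the reworded scan-interval sentence in manage-integrations.mdx (hunk `@@ -16,7 +16,7 @@`) still reads "each application having their own set of requirements", which pairs the singular "each application" with "their". Suggest "Scan intervals vary because each application has its own requirements, but scans typically run every 1 to 24 hours", which also tightens "between every 1 hour and every 24 hours".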