How Cloud App Security Works

To protect users from advanced threats and to prevent data loss, Cloud App Security searches for security risks and undesirable data sent through email services, saved in cloud storage applications, or updated in Salesforce object records by performing real-time scanning on files in supported cloud applications and services, including Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Box, Dropbox, Google Drive, Gmail, and Salesforce.

  • For email services, scanning occurs when an email message arrives at a protected mailbox.

  • For cloud storage applications, scanning occurs when a user uploads, creates, synchronizes, or modifies a file.

  • For Salesforce, scanning occurs when a user updates an object record.

  • For Teams Chat, scanning occurs when a user sends a private Chat message.

Through a cloud service connector, Cloud App Security scans email messages in protected mailboxes, files in protected cloud storage application, messages in private Teams chats, and updates to protected Salesforce object records. Cloud App Security provides default policies for protected cloud applications and services after they are successfully provisioned. The default policies are disabled upon creation and do not scan targets until you enable them. Upon detecting malicious or undesirable content, Cloud App Security automatically takes action against the email, file, chat message, or object record according to enabled scanning policies. Configure policies to scan specific targets and then take certain action or send a notification based on the security risk. Each policy applies only to the targets configured within the policy.

The following illustrates how Cloud App Security works.
Note:

Cloud App Security adopts an API-based architecture rather than a proxy-based architecture to provide advanced protection. It starts scanning when an email message arrives at a protected mailbox, a file is saved to a cloud storage application, a private Teams chat message is sent, or a Salesforce object record is updated. This unique API-based architecture guarantees that Cloud App Security has "zero impact" on your email or chat message delivery or file sharing as well as commitments defined in your service level agreements.