Abstract: The technology disclosed describes a system. The system comprises an edge network of a plurality of points of presence of a network security system. Points of presence in the plurality of points of presence are configured to intermediate traffic between clients and cloud applications and to use metadata to apply policies on the intermediated traffic. There are redundancies in metadata synchronization between the points of presence due to metadata migration to a second point of presence from a first point of presence handing off intermediation to the second point of presence within an application session. Each of the points of presence is configured with inline metadata generation logic. The inline metadata generation logic is configured to issue synthetic requests to provide the metadata to the second point of presence without requiring the metadata migration to the second point of presence.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests towards a cloud application from a client during an application session, inject one or more synthetic requests into the application session to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application. The synthetic requests are constructed using one or more parameters of the incoming requests, and do not transmit the incoming requests.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to process an incoming request from a client and generate metadata. The network security system is further configured to transmit the incoming request to a cloud application. The network security system is further configured to configure the metadata to expire after an expiration window. The network security system is further configured to receive, after the expiration window, a further incoming request from the client. The further incoming request is directed towards the cloud application and subject to policy enforcement that requires the expired metadata. The network security system is further configured to hold the further incoming request and transmit a synthetic request to the cloud application. The synthetic request is configured to retrieve the expired metadata from the cloud application.

Abstract: The technology disclosed relates to application-specific data flow for synthetic request injection for cloud security enforcement. In particular, it relates to data flow logic configured to inject an incoming request directed to a cloud application in a processing path of a particular network security system.

Abstract: The technology disclosed describes a network security system that is configured to configure a synthetic request with an object identifier, and to inject the synthetic request into an application session to transmit the synthetic request to a cloud application. The synthetic request is configured to retrieve object metadata about the object using the object identifier. The network security system is further configured to receive from the cloud application a response to the synthetic request. The response supplies the object metadata.

Abstract: The technology disclosed relates to using synthetic request injection to improve cloud object security posture management.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to generate a synthetic request, and inject the synthetic request into an application session to transmit the synthetic request to a cloud application and receive a response to the synthetic request from the cloud application.

Abstract: The technology disclosed relates to an inline proxy configured with synthetic request injection logic to intercept incoming requests during an application session, and generate, during the application session, synthetic requests that are separate from the incoming requests.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests from a client during an application session, inject one or more synthetic requests into the application session independently of the incoming requests to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application.

Abstract: The technology disclosed describes a computer-implemented method. The computer-implemented method includes disambiguating a bypassed login event that caused a client to access a cloud application but bypassed a network security system configured to intermediate traffic between the client and the cloud application. The network security system receives from the client an incoming request to access a resource on the cloud application over an application session. The bypassed login event preceded the incoming request. The network security system analyzes the incoming request and detects absence of instance metadata required to determine whether the bypassed login event emanated from a controlled account or an uncontrolled account. The network security system holds the incoming request, generates a synthetic request, and injects the synthetic request into the application session and transmits the synthetic request to the cloud application.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive, during an application session, an incoming request from a client. The incoming request is directed towards a cloud application and includes an object identifier of an object. The network security system is further configured to analyze the incoming request and detect the object identifier. The network security system is further configured to configure a synthetic request with the object identifier and inject the synthetic request into the application session to transmit the synthetic request to the cloud application. The synthetic request is configured to retrieve object metadata about the object using the object identifier. The network security system is further configured to receive a response to the synthetic request from the cloud application. The response supplies the object metadata.

Abstract: The technology disclosed describes a system. The system comprises data flow logic configured to inject an incoming request directed to a cloud application in a processing path of a particular network security system. The particular network security system is configured to use an application-specific parser to inspect certain fields and variables in the incoming request for metadata, determine that the metadata is missing, and use an application-specific template to construct a synthetic request. The data flow logic is further configured to inject the synthetic request and its corresponding response in the processing path of the particular network security system. The particular network security system is further configured to use the application-specific parser to extract the missing metadata from the corresponding response.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive from a client an incoming request to upload an object to a cloud application over an application session. The object is subject to policy enforcement by the network security system. The network security system is further configured to generate a synthetic request, upload the object to the cloud application, and inject the synthetic request into the application session to transmit the synthetic request to the cloud application. The synthetic request is configured to modify a security posture of the uploaded object in dependence upon the policy enforcement.

Abstract: The technology disclosed describes a system. The system comprises an edge network of a plurality of points of presence of a network security system. Points of presence in the plurality of points of presence are configured to intermediate traffic between clients and cloud applications and to use metadata to apply policies on the intermediated traffic. There are redundancies in metadata synchronization between the points of presence due to metadata migration to a second point of presence from a first point of presence handing off intermediation to the second point of presence within an application session. Each of the points of presence is configured with inline metadata generation logic. The inline metadata generation logic is configured to issue synthetic requests to provide the metadata to the second point of presence without requiring the metadata migration to the second point of presence.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive from a client an incoming request to access a cloud application in an application session. The network security system is further configured to analyze the incoming request and detect absence of at least some metadata required to enforce a security policy on the incoming request. The network security system is further configured to hold the incoming request, generate a synthetic request, and inject the synthetic request into the application session to transmit the synthetic request to the cloud application. The synthetic request is configured to retrieve otherwise absent metadata from the cloud application. The network security system is further configured to receive a response to the synthetic request from the cloud application. The response supplies the otherwise absent metadata.

Abstract: Virtual storage arrays consolidate branch data storage at data centers connected via wide area networks. Virtual storage arrays appear to storage clients as local data storage; however, virtual storage arrays actually store data at the data center. The virtual storage arrays overcomes bandwidth and latency limitations of the wide area network by predicting and prefetching storage blocks, which are then cached at the branch location. Virtual storage arrays leverage an understanding of the semantics and structure of high-level data structures associated with storage blocks to predict which storage blocks are likely to be requested by a storage client in the near future. Virtual storage arrays determine the association between requested storage blocks and corresponding high-level data structure entities to predict additional high-level data structure entities that are likely to be accessed. From this, the virtual storage array identifies the additional storage blocks for prefetching.

Abstract: Virtual storage arrays consolidate branch data storage at data centers connected via wide area networks. Virtual storage arrays appear to storage clients as local data storage; however, virtual storage arrays actually store data at the data center. The virtual storage arrays overcomes bandwidth and latency limitations of the wide area network by predicting and prefetching storage blocks, which are then cached at the branch location. Virtual storage arrays leverage an understanding of the semantics and structure of high-level data structures associated with storage blocks to predict which storage blocks are likely to be requested by a storage client in the near future. Virtual storage arrays determine the association between requested storage blocks and corresponding high-level data structure entities to predict additional high-level data structure entities that are likely to be accessed. From this, the virtual storage array identifies the additional storage blocks for prefetching.

Abstract: Systems and techniques are described for optimizing communications between a client and a server. Specifically, in some embodiments, an executing script on a client can send a resource request to a server. In response, the server can send an optimized version of the resource back to the client. The client can then reconstruct the resource from the optimized version of the resource.

Abstract: Virtual storage arrays consolidate branch data storage at data centers connected via wide area networks. Virtual storage arrays appear to storage clients as local data storage; however, virtual storage arrays actually store data at the data center. Virtual storage arrays overcome bandwidth and latency limitations of the wide area network by predicting and prefetching storage blocks, which are then cached at the branch location. Virtual storage arrays leverage an understanding of the semantics and structure of high-level data structures associated with storage blocks to predict which storage blocks are likely to be requested by a storage client. Virtual storage arrays may use proximity-based, heuristic-based, and access time-based prefetching to predict high-level data structure entities that are likely to be accessed by the storage client. Virtual storage arrays then identify and prefetch storage blocks corresponding with the predicted high-level data structure entities.

Abstract: A single-ended optimized storage protocol enables storage clients or other devices to direct a remote data storage to copy data. In response to commands via the protocol, a remote data storage can copy portions of a data stream at the remote data storage to destination storage locations within the same or a different data stream. The protocol may be utilized for optimized transfer of data via a network to a remote data storage. An initial data stream is divided into segments. Redundant segments are removed from the data stream to form an optimized data stream, which is transferred to the remote data storage. Commands are issued to the remote data storage using the protocol to direct the remote data storage to reconstruct the initial data stream at the remote data storage using the optimized data stream and optionally segments from other data streams previously transferred to the remote data storage.