Deep application programming interface inspection (DAPII) for cloud security

US10404755B2 · US · B2

Patent metadata

Publication number: US-10404755-B2
Application number: US-201815990507-A
Country: US
Kind code: B2
Filing date: May 25, 2018
Priority date: Mar 6, 2013
Publication date: Sep 3, 2019
Grant date: Sep 3, 2019

Abstract

Official abstract text for this publication.

A computer-implemented method for accessing a hosted service on client devices is described. The client devices include client software that uses a remotely delivered policy to redirect network requests for hosted services to a server to enforce visibility, policy and data security for network delivered services. The method can be used in conjunction with existing VPN and proxy solutions, but provides distinct additional functionality, particularly suited to corporate needs. Policies allow entities to centralize enforcement of service-specific restrictions across networks and communication channels, e.g. only certain users can download client records from a service—irrespective of the network used to access the service.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method, including: a network security system intercepting communications between clients and application programming interfaces (APIs) of hosted services, the intercepted communications including requests from the clients directed to the APIs and responses from the APIs directed to the clients, semantics for the requests and the responses being defined for the APIs and differing among at least two of the APIs; in response to the network security system intercepting a particular one of the requests from a client directed to a particular one of the APIs of a hosted service, parsing the particular intercepted request using an application definition which is specific to the semantics defined for the particular API; based on the parsing, determining an activity being invoked on the hosted service by the particular intercepted request and a context of the activity; and based on the determined activity and parts of the determined context, enforcing a policy on the particular intercepted request.

2. The computer-implemented method of claim 1, further including: in response to the network security system intercepting a particular one of the responses from the particular API directed to the client, parsing the particular intercepted response using the application definition; based on the parsing, further determining the context of the activity; and based on the determined activity and the determined context, enforcing the policy on the particular intercepted response.

3. The computer-implemented method of claim 1, wherein the activity is upload, download, login, access, edit, create, delete, or logout; wherein the context includes a name of a user that invoked the activity, a user group of which the user is part of, an account name used by the user to access the hosted service, device and client information about a device and a client used by the user to invoke the activity; wherein the context includes a name of the hosted service, a hosted service group of which the hosted service is part of, and a resource of the hosted service being requested by the activity and metadata about the requested resource; wherein the context includes an event triggered by the activity, Internet Protocol (IP) and geolocation information about a connection that includes the particular intercepted request and/or the particular intercepted response, a session linked to the connection, and a response status for the activity; wherein enforcing the policy further includes performing an action; and wherein the action is logging, allowing, blocking, dropping, resetting, or encrypting.

4. The computer-implemented method of claim 1, wherein the particular intercepted request includes a requested unified resource locator (URL), a request header, and request data, further including: performing deep packet inspection of the request data and detecting sensitive data and/or malicious data being transmitted to the hosted service from the client; and based on the determined activity, the determined context, and the detection of the sensitive data and/or the malicious data, enforcing the policy on the particular intercepted request.

5. The computer-implemented method of claim 2, wherein the particular intercepted response includes a response header and response data, further including: performing deep packet inspection of the response data and detecting sensitive data and/or malicious data being transmitted to the client from the hosted service; and based on the determined activity, the determined context, and the detection of the sensitive data and/or the malicious data, enforcing the policy on the particular intercepted response.

6. The computer-implemented method of claim 1, wherein the application definition defines API-specific condition variables that extract values from fields of the particular intercepted request and/or the particular intercepted response based on literal matches, pattern matches, and/or regular expression matches.

7. The computer-implemented method of claim 6, further including: parsing the requested URL using an application identifier variable of the application definition and extracting parameters of the requested URL; invoking the application definition based on the extracted parameters; and wherein the application definition is specific to the semantics defined for a group of APIs of related hosted services, further including parsing respective requested URLs of the related hosted services using the application identifier variable and extracting parameters of the respective requested URLs; and invoking the application definition based on the extracted parameters.

8. The computer-implemented method of claim 6, further including: parsing the requested URL using a resource identifier variable of the application definition and extracting parameters of the requested URL; and based on the extracted parameters, determining the activity, the requested resource, and the metadata about the requested resource.

9. The computer-implemented method of claim 8, wherein the resource identifier variable applies to specific method invocations in the particular intercepted request and/or the particular intercepted response, further including: parsing specific data types provided by the specific method invocations using the resource identifier variable and extracting values from key-value pairs in the particular intercepted request and/or the particular intercepted response; and assigning the extracted values to a target variable, wherein the extracted values identify metadata about the activity and the requested resource.

10. The computer-implemented method of claim 1, further including: parsing the particular intercepted request and/or the particular intercepted response using a custom variable of the application definition and further extracting the metadata about the activity and the requested resource.

11. The computer-implemented method of claim 1, further including: parsing the particular intercepted request and/or the particular intercepted response using a custom event trigger variable of the application definition and determining an event resulting from the activity; wherein the event is successful login, failed login, upload, download, access, edit, create, delete, detection of application attack signatures, and detection of confidential information; and responding to the determined event by enforcing a logging policy that logs the determined event and/or a flow step policy that performs the action.

12. The computer-implemented method of claim 1, further including: parsing the particular intercepted request and/or the particular intercepted response using a user-related variable of the application definition and extracting user information about the user; wherein the user information includes the user name, the user group, and the account name; parsing the particular intercepted request and/or the particular intercepted response using a device and client platform variable of the application definition and extracting the device and client information; wherein the device information includes a device type, a device subtype, an OS family, and an OS subfamily; wherein the client information includes a browser family; parsing the particular intercepted request and/or the particular intercepted response using an IP and geolocation variable of the application definition and extracting the IP and geolocation information; and wherein the IP and geolocation information includes a source IP address, a source location, a source region, a source country, a source zipcode, a source latitude, a source longitude, a d
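The parse-then-enforce flow of claims 1, 6, 7 and 8 (an application identifier variable selects the definition for a hosted service, a resource identifier variable maps method and URL to an activity and resource, and a policy acts on the activity plus context), shown as an added Python illustration that is not part of the patent and not Netskope's code; the application definition, the X-User/X-Group/X-Forwarded-For headers and the policy rule are constructed for the example.

```python
import re

# Constructed application definition (hypothetical), modelled on the claim's
# "application identifier" (host match) and "resource identifier" (method + path
# regex -> activity, with a named group for the requested resource) variables.
APP_DEFINITIONS = {
    "crm": {
        "app_id": re.compile(r"^(api\.)?crm\.example\.com$"),
        "resources": [  # (HTTP method, path pattern, activity)
            ("GET",  re.compile(r"^/v1/clients/(?P<res>[^/]+)/export$"), "download"),
            ("PUT",  re.compile(r"^/v1/clients/(?P<res>[^/]+)$"), "edit"),
            ("POST", re.compile(r"^/v1/login$"), "login"),
        ],
    },
}

# Constructed policy: "download" on crm is blocked unless the user's group is
# allowed; this mirrors the abstract's "only certain users can download client
# records" example. Any other matched activity is allowed.
POLICY = [
    {"app": "crm", "activity": "download", "allowed_groups": {"finance"}, "deny_action": "block"},
]

def parse_request(method, host, path, headers):
    """Map an intercepted request to (app, activity, resource, context), or None."""
    app = next((n for n, d in APP_DEFINITIONS.items() if d["app_id"].match(host)), None)
    if app is None:
        return None  # host is not a known hosted service; no definition applies
    context = {  # user/group/IP are assumed to arrive in headers set by the interception point
        "user": headers.get("X-User"),
        "group": headers.get("X-Group"),
        "src_ip": headers.get("X-Forwarded-For"),
    }
    for m, pattern, activity in APP_DEFINITIONS[app]["resources"]:
        match = pattern.match(path)
        if match and m == method:
            return app, activity, match.groupdict().get("res"), context
    return app, "access", None, context  # no resource rule matched: generic "access"

def enforce(parsed):
    """Return the action ('allow' or the rule's deny action) for a parsed request."""
    if parsed is None:
        return "allow"  # traffic outside any application definition is passed through
    app, activity, _resource, ctx = parsed
    for rule in POLICY:
        if (rule["app"], rule["activity"]) == (app, activity) and ctx["group"] not in rule["allowed_groups"]:
            return rule["deny_action"]
    return "allow"
```

The same activity can be reached on either host form because the application identifier pattern covers both, which is the point of claim 7's group of related hosted services.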

Assignees

Netskope Inc
Classifications

  • Virtual private networks · CPC title

  • Traffic policing · CPC title

  • User profiles · CPC title

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • Proxies · CPC title

Frequently asked questions

Who is the assignee on this patent?
Netskope Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 3, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).