US9531758B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9531758-B2 |
| Application number | US-201514712154-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 14, 2015 |
| Priority date | Mar 18, 2011 |
| Publication date | Dec 27, 2016 |
| Grant date | Dec 27, 2016 |
Official abstract text for this publication.
A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained.
Opening claim text (preview).
What is claimed is:

1. A cloud-based gateway, comprising: a network interface communicatively coupled to a network; a processor; and memory storing instructions that, when executed, cause the processor to: dynamically associate traffic received on the network interface with users to form a dynamic association, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein the authenticated traffic is associated to an authenticated user and the unknown traffic is associated to an associated user of a destination Internet Protocol (IP) address from the unknown traffic; maintain the dynamic association over time, wherein the dynamic association is maintained over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address; and apply policies to the traffic based on the dynamic association.
2. The cloud-based gateway of claim 1, wherein an association is pre-configured between an organization and a destination port to identify traffic originating from the organization.
3. The cloud-based gateway of claim 2, wherein the instructions, when executed, further cause the processor to: perform authentication challenges for known traffic to identify the destination port periodically and to detect fraudulent use.
4. The cloud-based gateway of claim 1, wherein the authenticated traffic is authenticated Hypertext Transfer Protocol (HTTP) traffic.
5. The cloud-based gateway of claim 1, wherein the unknown traffic is associated to the associated user based on determining the associated user through authenticated HTTP traffic from a same destination IP address.
6. The cloud-based gateway of claim 1, wherein the instructions, when executed, further cause the processor to: map the unknown traffic to an organization depending on whether the destination IP address is private or specific to the organization when multiple users are determined on the destination IP address based on seeing multiple users through authenticated HTTP traffic thereon.
7. The cloud-based gateway of claim 1, wherein the traffic is received via generic routing encapsulation (GRE).
8. The cloud-based gateway of claim 1, wherein the traffic is received via a virtual private network (VPN).
9. The cloud-based gateway of claim 1, wherein the traffic is received via an explicit Proxy mode.
10. The cloud-based gateway of claim 1, wherein the cloud-based gateway is a node in a distributed security system, and wherein the node is configured to receive dynamic associations from other nodes in the distributed security system.
11. A cloud-based gateway method, implemented by a gateway server, comprising: dynamically associating traffic received on a network with users to form a dynamic association, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein the authenticated traffic is associated to an authenticated user and the unknown traffic is associated to an associated user of a destination Internet Protocol (IP) address from the unknown traffic; maintaining the dynamic association over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address; applying policies to the traffic based on the dynamic association.
12. The cloud-based gateway method of claim 11, further comprising: pre-configuring an association between an organization and a destination port to identify traffic originating from the organization.
13. The cloud-based gateway method of claim 12, further comprising: performing authentication challenges for known traffic to identify the destination port periodically and to detect fraudulent use.
14. The cloud-based gateway method of claim 11, wherein the authenticated traffic is authenticated Hypertext Transfer Protocol (HTTP) traffic.
15. The cloud-based gateway method of claim 11, wherein the unknown traffic is associated to the associated user based on determining the user through authenticated HTTP traffic from a same destination IP address.
16. The cloud-based gateway method of claim 11, further comprising: mapping the unknown traffic to an organization depending on whether the destination IP address is private or specific to the organization when multiple users are determined on the destination IP address based on seeing multiple users through authenticated HTTP traffic thereon.
17. The cloud-based gateway method of claim 11, wherein the traffic is received via one of generic routing encapsulation (GRE), a virtual private network (VPN), and an explicit Proxy mode.
18. A network, comprising: a distributed cloud-based security system coupled to the Internet; a plurality of cloud-based gateways within the distributed cloud-based security system; and a plurality of users accessing the Internet through the distributed cloud-based security system; wherein each of the plurality of cloud-based gateways is configured to: dynamically associate traffic received on the network interface with users to form a dynamic association, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein the authenticated traffic is associated to an authenticated user and the unknown traffic is associated to an associated user of a destination Internet Protocol (IP) address from the unknown traffic; maintain the dynamic association over time, wherein the dynamic association is maintained over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address; and apply policies to the traffic based on the dynamic association.
19. The network of claim 18, wherein the authenticated traffic is authenticated Hypertext Transfer Protocol (HTTP) traffic.
20. The network of claim 18, wherein the unknown traffic is associated to the associated user based on determining the user through authenticated HTTP traffic from a same destination IP address.
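The association table that claims 1, 5 and 6 describe (learn a user from authenticated HTTP traffic on an IP address, expire the entry after a pre-defined threshold, and on a collision of several users fall back to the organization only for a private or organization-specific address), modelled as an added example that is not code from the patent or its assignee. It assumes a simplified event format (IP, user, organization, timestamp) and a constructed `org_ips` map standing in for the pre-configured organization addresses.

```python
import ipaddress
from dataclasses import dataclass, field
@dataclass
class Association:
    users: set = field(default_factory=set)  # users seen via authenticated HTTP on this IP
    org: str = ""
    last_seen: float = 0.0

@dataclass
class DynamicAssociator:
    ttl: float                                   # pre-defined expiry threshold, seconds
    org_ips: dict = field(default_factory=dict)  # IP -> org, assumed pre-configured per org
    table: dict = field(default_factory=dict)    # IP -> Association

    def observe_authenticated(self, ip, user, org, now):
        """Authenticated HTTP traffic creates or refreshes the association for ip."""
        entry = self.table.get(ip)
        if entry is None or now - entry.last_seen > self.ttl:
            entry = self.table[ip] = Association()
        entry.users.add(user)
        entry.org = org
        entry.last_seen = now

    def resolve(self, ip, now):
        """Attribute unknown traffic from ip: ('user', u), ('org', o) or ('unknown', None)."""
        entry = self.table.get(ip)
        if entry is None:
            return ("unknown", None)
        if now - entry.last_seen > self.ttl:  # time threshold reached: expire it
            del self.table[ip]
            return ("unknown", None)
        if len(entry.users) == 1:
            return ("user", next(iter(entry.users)))
        # Collision: several users authenticated from this IP. Fall back to the org
        # only when the IP is private or pre-configured as specific to that org.
        if ipaddress.ip_address(ip).is_private or self.org_ips.get(ip) == entry.org:
            return ("org", entry.org)
        return ("unknown", None)

def demo():
    """Constructed event sequence; returns the attribution decided at each step."""
    da = DynamicAssociator(ttl=300, org_ips={"203.0.113.10": "acme"})
    out = []
    da.observe_authenticated("203.0.113.10", "alice", "acme", now=0)
    out.append(da.resolve("203.0.113.10", now=60))    # single user -> alice
    da.observe_authenticated("203.0.113.10", "bob", "acme", now=100)
    out.append(da.resolve("203.0.113.10", now=120))   # collision, org-specific IP -> acme
    out.append(da.resolve("198.51.100.7", now=120))   # never seen authenticated
    out.append(da.resolve("203.0.113.10", now=1000))  # expired after ttl
    return out
```

Traffic that resolves to `("unknown", None)` is exactly the case where the gateway cannot enforce a per-user or per-organization policy and must either challenge for authentication (claim 3) or apply a default policy.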
at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title
Electricity · mapped topic
Physics · mapped topic
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title