As companies move more of their applications to the cloud, they need a new enforcement point to protect data. Skyfence Networks offers a security gateway that monitors user activity for all cloud applications and prevents unauthorized access by malicious insiders and criminals using stolen credentials.
In the early days of SaaS computing (just a few years ago), customers’ main security concerns were about the service provider’s infrastructure. Before putting their trust in the cloud application, companies asked questions like:
• Where and how will our data be stored?
• Will our data be encrypted in the cloud, and if so, does the service provider have access to the encryption keys?
• Does multi-tenancy mean other companies can somehow access our data?
• What privileges will the service provider’s administrators have regarding our data? Can they access it in any way?
Those fears have pretty much gone away as SaaS providers – for the most part – have shown their infrastructure is locked down and secured and administrators have no access to customer data. As companies as well as individual workers have rushed to adopt cloud applications, those questions have been replaced by new ones:
• What applications are being used by our business?
• Who has access to those applications and what are they doing with our data?
• What data is being uploaded to, downloaded from, or created in those applications?
In other words, the bottom-line question is: Is our data secured?
Today’s threats are more likely to come from hackers and malicious insiders who access the cloud applications using legitimate credentials. Hackers are stealing millions of cloud application passwords, and this allows them to get into enterprise accounts without being detected.
For example, security researchers at Trustwave’s SpiderLabs reported in December that they uncovered a server in The Netherlands that held stolen user names and passwords for nearly 2 million accounts of cloud applications. Several thousand of the purloined credentials were for ADP, a company that processes payroll information for other companies. By using any of these stolen credentials, a criminal theoretically could create illegitimate payments from the victim company’s payroll account.
Cyber intrusion controls that are installed on a company’s own corporate network do not apply to cloud applications. Therefore, a new enforcement point is necessary to protect data in the cloud.
Skyfence Networks (www.skyfence.com) is a new player that just released a cloud application gateway that is said to deliver three types of capabilities: activity monitoring, threat detection and risk and compliance management. The gateway provides a generic infrastructure so enterprises can secure their cloud applications with out-of-the-box policies. According to Skyfence, the solution automatically provides protection to the data in cloud apps without the cumbersome manual definition of policies.
The Skyfence Cloud Gateway has a discovery tool that automatically identifies the cloud apps in use. Once an application is selected for monitoring, Skyfence generates an activity log in a uniform format. The activity logs enable a company to analyze data usage across cloud applications, generate activity reports, and perform basic forensic analysis. Moreover, the logs can be integrated with SIEM and IT GRC platforms in order to include cloud applications in enterprise security, risk and compliance initiatives.
A second capability of the Skyfence solution is threat prevention, which the company calls its DNA. Skyfence provides out-of-the-box intrusion prevention for cloud applications, and the company says it has a unique way of detecting malicious insiders who try to steal information out of cloud accounts.
Skyfence’s solution has a learning mechanism that allows it to do dynamic user fingerprinting. That is, the company is able to build a baseline profile of each user and use this “fingerprinting” to identify anomalies which might be related to account takeovers or malicious insiders. These profiles are built over time and are based on users’ typical locations, typical devices, typical usage patterns, and so on.
When an action is out of context with the user’s usual fingerprint, it can be blocked or flagged for further analysis. The dynamic user fingerprinting technology prevents account hijacking due to stolen credentials, insider attacks, and man-in-the-middle attacks from a compromised endpoint.
In addition, an administrator can manually create security policies to detect specific activities such as access from unmanaged endpoints or access from prohibited locations.
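The baseline-and-deviation idea described above, combined with one manually defined policy, can be sketched as follows. This is an added example, not Skyfence's algorithm or code; the record fields, thresholds, policy values and sample history are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

MIN_EVENTS = 20                 # assumed: smaller histories are not trusted yet
RARE = 0.05                     # assumed: under 5% of history = out of profile
PROHIBITED_COUNTRIES = {"XX"}   # hypothetical manually defined policy

def features(event):
    """Reduce a uniform activity-log record to the profiled attributes."""
    period = ("night", "morning", "afternoon", "evening")[event["hour"] // 6]
    return {"country": event["country"], "device": event["device"],
            "period": period, "action": event["action"]}

class Baseline:
    """Per-user counts of every attribute value seen during learning."""
    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(Counter))
        self.total = Counter()

    def learn(self, event):
        for name, value in features(event).items():
            self.counts[event["user"]][name][value] += 1
        self.total[event["user"]] += 1

    def deviations(self, event):
        user, n = event["user"], self.total[event["user"]]
        if n < MIN_EVENTS:
            return None         # still learning: no verdict from the profile
        return [name for name, value in features(event).items()
                if self.counts[user][name][value] / n < RARE]

def decide(baseline, event):
    """Manual policy first, then the learned profile. Returns (verdict, reasons)."""
    if event["country"] in PROHIBITED_COUNTRIES:
        return "block", ["policy:prohibited-location"]
    odd = baseline.deviations(event)
    if odd is None:
        return "allow", ["baseline:learning"]
    verdict = "allow" if not odd else "flag" if len(odd) == 1 else "block"
    return verdict, ["profile:" + name for name in odd]

# Constructed history: 30 working-hours events for one user.
HISTORY = [{"user": "alice", "country": "US", "device": "lt-alice",
            "hour": 8 + i % 9, "action": ("view", "edit")[i % 2]}
           for i in range(30)]

def build_baseline(history=HISTORY):
    baseline = Baseline()
    for event in history:
        baseline.learn(event)
    return baseline
```

A single out-of-profile attribute is flagged for review, while several at once (new country, unknown device, unusual hour, unseen action) are blocked, which is the pattern a login with stolen credentials tends to produce.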
The Skyfence solution is also designed to help companies manage risk and compliance through the in-depth monitoring and tracking of all user activity, including privileged users and administrators. Sarbanes-Oxley and other regulations require a company to maintain an audit trail of all user data access. Skyfence can deliver user activity reports to feed into compliance audits.
The Skyfence Cloud Gateway has flexible deployment options that include a cloud-based proxy, an on-premise proxy, and an off-line sniffer.
Perhaps the easiest approach is to use a cloud-based reverse proxy which has a different URL for each protected cloud app. For example, instead of going to www.salesforce.com, users will go to www.salesforce.skyfence.com. Internal users who come from the enterprise network can just use a simple DNS change and route all their traffic automatically through the Skyfence proxy. For external users, Skyfence recommends a single sign-on infrastructure that first authenticates the users and then redirects them to the cloud application through the Skyfence proxy.
Some customers might prefer to have an on-premise proxy in their own facilities, and Skyfence supports this implementation approach. A third option – one which Skyfence claims is unique in the security space – is to use an off-line sniffer. The sniffer appliance monitors all the authentication requests going to the sniffer center infrastructure. Skyfence is able to provide all the activity monitoring and create the logs based on transactions flowing through the wire.
Though Skyfence just recently announced the general availability of its security gateway, the company has had numerous customers in production for a while. Two primary use cases have emerged. The first is to monitor all user activity in these cloud applications, analyze it, and present the organization with a good overview of what’s going on for visibility and forensics. The second is security: preventing bad guys and malicious employees from hurting the organization through unauthorized use of the cloud applications. Both uses represent essential capabilities as companies deploy more of their applications in the cloud.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.