Cloud computing offers many advantages, but with those benefits come a new range of security concerns.
“From a security perspective, the cloud has introduced new risks,” says David Levin, director of information security at Western Union, who oversees the security of applications being used at the money transfer company.
Levin says the first step toward addressing risk is figuring out how much there is … and that first means knowing which cloud services are being used.
Levin turned to the services of Skyhigh Networks, a vendor in what Gartner calls the emerging market of Cloud Access Security Brokers (CASB). Products in this market basically sit between end users and cloud services, injecting security protocols between the two. Gartner estimates that CASB will be a $3.1 billion market by 2015.
By using Skyhigh, Levin got greater visibility into what apps his employees were using and which ones have appropriate security practices in place.
“Companies know there is stuff going into the cloud they’re not aware of,” says Adrian Sanabria, senior security analyst at 451 Research Group, which calls this market Cloud Access Control. “CACs can provide that visibility.”
+ MORE AT NETWORK WORLD: How network virtualization is used as a security tool +
The problem is rooted in two major trends occurring at the same time: More and more cloud-based services and applications are being used that sit outside of the corporate firewall - from Salesforce.com and Dropbox, to Google Apps and Amazon Web Services. On top of that, workers are using these services from either corporate laptops or their smartphones. It’s created a situation where “there’s really no corporate perimeter anymore,” Sanabria says.
There have been solutions to these problems before the CASB market developed, but Sanabria says they’ve been less than ideal. Existing corporate firewalls can monitor traffic coming into and out of a company’s network, but they usually provide IP-level analysis and reporting. Advanced firewalls can block certain connections to cloud-based applications or services.
That all works fine if employees are on the company’s corporate network where the firewall policies are in place. But what happens when workers go to the coffee shop and hop on the public Wi-Fi, or if they’re working from home?
VPN tunnels can be required for users so traffic runs through the company’s firewall, but Sanabria says that can be tough to enforce and easy to get around.
That’s where CASBs come in. Many of these companies offer a lightweight service, usually delivered as a SaaS that sits between users and the cloud service. Some of the CASBs have a proxy that can sit in front of any cloud app, gating control of it. So, if a service like Skyhigh is enabled with Salesforce.com, then when users log on to Salesforce, Skyhigh would be a proxy sitting in front of Salesforce monitoring what the user is doing in that app, no matter where the user is accessing Salesforce from.
Others vendors, like Netskope, install agents that sit on user devices and monitor all the traffic from that device to any cloud app. Other services monitor network activity by being sent automated traffic reports.
Whereas traditional firewalls can tell IT that an employee is using Dropbox, a CASB product can tell IT what files were uploaded or downloaded. Some CASB vendors encrypt data before it goes into the SaaS application. For example, a rule can be set that any time a file that contains Social Security numbers is accessed that traffic must be encrypted.
Vendors such as FireLayers can add functionality on top of an existing application, such as allowing read-only privileges to users for certain documents, or requiring two-factor authentication when changes are made to a document. It puts what Sanabria calls a “choke-point” on the SaaS vendor. “It allows you to make SaaS apps basically closer to being enterprise-ready,” especially as it relates to PCI or HIPAA compliance, he says.
For Levin at Western Union, just having the visibility into what users were doing was valuable. After monitoring worker traffic using Skyhigh, Levin discovered frequent use of file synchronization and sharing services. It highlighted the need for Levin and his IT team to provide a service themselves.
Western Union went with Accellion, which bills itself as a secure Dropbox alternative. Combined with a new program dubbed Western Union Information Security Enablement, or WISE, Levin was able to inform workers that if they needed to use file sync, share and storage, that Accellion was an option for them. Now, if a user attempts to access a platform like Dropbox, then Skyhigh issues a popup asking them to use Accellion instead.
Since the rollout employee usage of non-sanctioned services has dropped dramatically.
Western Union uses Okta - an identity management and single sign-on platform - on top of Accellion too. “We’re really just trying to make sure people are making wise decisions, while giving them the tools necessary to be productive,” Levin says.