How to address SaaS visibility and security using cloud app gateways

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Today, any employee with a credit card can subscribe to a cloud application —and create a security and audit blind spot for the organization. A stolen username and password are all that an attacker needs to access sensitive corporate data from cloud-based services like Salesforce, Dropbox, Google Apps, NetSuite and Workday, without the knowledge of IT.

+ ALSO ON NETWORK WORLD 10 most powerful PaaS companies +

The answer, increasingly, is to adopt cloud app gateways, which can both identify and mitigate risks automatically, and remove the blind spots that cloud-based services often create. Cloud app gateways achieve this by first automating the discovery of both sanctioned and unsanctioned cloud apps that employees are using – this step provides IT security and compliance teams the critical 360 degree view of who is using what apps and to what extent. Once this visibility is obtained, some cloud app gateways add further value through three related functions: application-aware data and activity monitoring of services; automatic protection against cyber threats and malicious insiders; and by providing audit trails for compliance management and forensic analysis.

Gaining visibility into shadow IT

For end-users, a major attraction of cloud-based services is they can be provisioned on the fly without involvement from IT or even the corporate bureaucracy – resulting in what some call shadow IT. Consequently, regulating cloud app use is typically a losing proposition and IT must instead adopt measures to discover, monitor and enable employees to be productive when using them.

Cloud gateways can monitor and review user behavior related to each application in a consistent and reliable manner – providing who, what, when, why and how information for any application. They can perform risk analysis to determine whether applications are adhering to corporate security policies.

For example, cloud gateways can assess the number of users, traffic volume and risk profile of the service provider, where they are located and the security measures that they employ. This enables organizations to decide whether they want to block or allow the app, or enforce other specific security measures to ensure safe and compliant use.

In theory, such monitoring could be performed through the logging facility of an individual service, once its use is discovered. In practice, the level of available information, and its formatting, varies greatly from one cloud app to the next, as do the nature of the user-facing controls. And with the number of cloud services constantly increasing, it is clearly not feasible for IT to implement a unique mechanism or procedure for collecting and analyzing logs from each cloud service. Indeed, each service would have its own learning curve. Instead, organizations need a simple and consistent way of monitoring every new service automatically, along with a consistent way to normalize security and compliance standards across a heterogeneous set of cloud apps.

Additionally, to investigate suspicious activity or perform forensic analysis, IT must have detailed activity records, granular down to the level of the specific data objects, user actions, location and other variables. Individual cloud applications are unlikely to provide uniform types of data.

A cloud app gateway will include discovery tools to clearly identify the cloud apps in use and who is using them. Integrated dashboards provide a central point of visibility for the purposes of understanding risks and monitoring apps. The gateway can provide visibility over who viewed or modified what data, and when. They can provide visibility into administrator activities, including settings, permissions, and data access. The gateway should also be able to apply risk scores to cloud activity and create actionable alerts which can be sent to the enterprise’s security information and event management (SIEM), and IT governance, risk management and compliance (GRC) systems.

Managing cloud app risks

While SaaS applications operate in the cloud, they integrate with an organization’s endpoints, users and data. In order to manage and mitigate risks, cloud gateways should have the capability to distinguish between managed and unmanaged (i.e. BYOD) endpoints and enforce policies accordingly. For example, a cloud app gateway can enforce an organization’s requirement that only managed endpoints under Mobile Device Management (MDM) controls can download sensitive information or access specific applications.  

By understanding the application and usage context for each app, cloud gateways can enforce granular policies on a per app or per user basis. For example, Finance teams may be prohibited from sharing Google Apps documents or folders with external parties during financial reporting periods, and sales management may be challenged with strong authentication in order to change security settings in

Cloud app gateways should also be data-aware, meaning capable of classifying apps that use Personally Identifiable Information (PII) or Payment Card Industry (PCI) data and enforcing policies accordingly. For these types of apps, they can generate an audit trail of all user access to a particular cloud-based service, including associated permissions and activity ranging from login events to full post login actions. These gateways can generate reports suitable for either internal and external compliance audits, plus exposure reports for forensic analysis.

If the gateway has in-depth monitoring and tracking of all administrator data access down to the object and action level, along with changes made to administrator settings, it makes it possible to manage the risks associated with privileged users. It also facilitates the separation of duties between the SaaS administrator and the IT security administrator, as required by some regulations.

Blocking attacks that target cloud data

While encryption can certainly help with cloud security, if an attacker steals an employee’s login credentials they will be able to access the data – encrypted or not. Moreover, the access credentials don’t even have to be stolen, as malicious insiders are always a concern, and harder to detect. The ever-present nature of cloud-based threats is such that protection must be immediate and automated.

Cloud app gateways may include capabilities to analyze both the application and usage context in order to create a profile or benchmark of normal activity for each individual user and for each department. Anomalies will trigger alarms, and in many cases policy can be immediately applied such as denying usage or requiring the user to re-authenticate. For example, if a user is accessing an app from an unknown endpoint, from an atypical location and requesting to download a large number of records from – an organization may want to immediately block this activity or verify the user through a one-time password sent to their mobile phone. The ability to detect anomalous behavior enables Cloud App Gateways to prevent man-in-the-middle attacks, compromised endpoints and account takeover attacks.

Cloud app gateways also provide a reliable way to detect malicious insiders. Since these users have legitimate credentials and use recognized endpoints, only intelligent, ongoing analysis of activity can identify and stop insider breaches before they happen. With thousands of employees using hundreds of applications, and new applications being adopted all the time, it is nearly impossible for the IT staff to acquire the necessary application-specific expertise needed to spot malicious insiders.

For enterprises embracing the cloud, cloud app gateways address the need for visibility into SaaS risks and threats.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2014 IDG Communications, Inc.