Beyond SWGs (Part 2): Cloud Security Platforms

While battling cyberattackers, security vendors are also struggling to stay on top of disruptive mobile and cloud trends. As I wrote in part 1 of this article, secure web gateways (SWGs) have proven less than 100% effective against sophisticated malware, creating a market for “sandboxing” appliances, such as FireEye’s. Various other types of cloud security gateway products are emerging. Before internet traffic slows to a crawl through too many gateways (or proxies), the market needs a more unified approach – a platform architecture – as depicted below.
[Figure: unified cloud security platform architecture. Key: AuthN = authentication; AuthZ = authorization; AUP = appropriate use protection; DLP = data loss protection; SSO = single sign-on]
In this post, we’ll look at unified cloud security platforms and we’ll use Zscaler – one of the leading cloud security vendors – as a case study.
The Mobile Gap
There’s an important caveat about enterprise readiness to deploy the same SWG solution used on premises to cover growing numbers of mobile users. As described in the “Mobile Security Gap,” users are accessing important services from these devices and storing sensitive data – at least email – on them too. Android and Windows devices are especially vulnerable to malware, and not dealing with the issue raises risk and compliance concerns. However, the proxy solutions used for desktops and laptops can create serious latency problems for mobile devices. Also, in a BYOD environment, containerization is a must and manageability a big challenge. Relatively few enterprises have fully addressed mobile security yet, but for those that do, a cloud-based solution with broad global distribution of proxies is needed to operate at scale.
Cloud Access Security Brokers
Given how painful but necessary enterprise mobile coverage can be, it makes sense to group multiple mobile, cloud and enterprise security issues into one package and address them holistically – to build a business case, manage a consistent set of policies, and require only one proxy to filter user traffic for malware, data leakage and other concerns. That’s the unified cloud security gateway concept, or what Gartner calls the “cloud access security broker” (CASB). To paraphrase Gartner’s IT glossary:
“Cloud access security brokers are placed between cloud service consumers and cloud service providers to consolidate multiple types of security policy enforcement, including authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection.”
Looking at the collection of functions grouped under CASB, encryption and tokenization of data stored in software-as-a-service (SaaS) applications seems something of an edge case compared to SSO and malware filtering, but for some markets it’s absolutely critical. Switzerland, for example, has quite prescriptive laws prohibiting financial data from leaving the country unencrypted.
The IT Glossary definition also doesn’t appear to address API management, a type of functionality and category of the security market described in “Securing the API Economy.” In terms of scope, both SWGs and CASBs act as forward proxies, whereas API management, web access management (WAM) and other kinds of security gateways act as reverse proxies. It’s not as if I, or Gartner, want one cloud security platform to do everything. But even just on the forward proxy, or client-outbound, side there’s a need for deep application awareness both in filtering and in appropriate use protection. For SWGs, this feature is called “application control.”
Of all vendors in the SWG category I revisited in part 1 of this article, Zscaler is the one that looks most like a CASB to me. I interviewed the Zscaler analyst relations team last week to get their latest perspective. Note: Please comment if you can think of other SWGs that should be reviewed in the CASB context, and I may be able to address them in a later post.
Zscaler delivers policy enforcement, logging, alerting and anti-malware in the SWG format. It also provides enhanced authentication and SSO (through partners) to cloud services such as Salesforce. It provides centralized policy management, monitoring, audit and reporting of all activity from authenticated clients, not limited to browsers, creating outbound sessions through its proxies.
The only part of Gartner’s CASB definition that Zscaler doesn’t address, as far as I can tell, is the encryption and tokenization function provided by vendors such as PerspecSys (which stores data in an encrypted or tokenized form and translates all flows for users so that only they – and not the cloud services – see the plaintext values of protected data).
A Robust Platform Approach
Zscaler describes its Fall 2014 platform (now in limited general availability) as “a comprehensive, unified Cloud Security and Compliance platform” featuring:
  • Secure web gateway (SWG)
  • APT protection (including a sandbox)
  • Data loss prevention (DLP)
  • Cloud application visibility and control
  • Guest Wi-Fi support
  • Mobile and BYOD security
  • Open ecosystem (exposed APIs for security partners)
Looking under the hood, the platform has some robust characteristics. Specifically, it:
  • Has about 100 policy enforcement nodes globally, some located close to core Internet routers to speed performance
  • Scans ALL traffic from all web sites for malware
  • Decrypts and inspects all SSL traffic (unless precluded by a privacy policy)
  • “Detonates” every executable file and structured document in its virtual machine sandbox, once per unique file
  • Quarantines the content by default if the sandbox verdict is not yet available, sending the browser a message suggesting the user try again after a few minutes. Only the very first user or users to encounter a given file are affected, since its hash value is whitelisted (or blocked) once the analysis completes and later requests get the cached verdict.

Two years ago I heard from Zscaler that scanning ALL web traffic is a key differentiator from some other vendors that do not, by default, scan web traffic from “known” or whitelisted sites. That is clearly a problem, since cyberattackers often plant malware on “known” sites to conduct watering hole attacks. Zscaler claimed at the time that at least one of its key competitors could not handle the CPU load if you changed that default setting to make the other product try to scan everything.
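To make the two behaviours above concrete, here is a small added model (my illustration, not Zscaler’s code or anyone’s product logic) of a gateway that hashes every downloaded file, detonates each unique hash once, quarantines users who arrive while the verdict is still pending, and caches the verdict for everyone after that. A second switch models the “don’t scan known sites” default the post warns about, so you can see the watering hole gap it opens. The site names, file contents, the marker string that the toy sandbox treats as malicious, and the analysis delay are all constructed for the example.

```python
"""Toy model of hash-keyed sandboxing with quarantine-while-pending.

Added illustration only: the sandbox, sites and verdict rule are invented.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

PENDING, CLEAN, MALICIOUS = "pending", "clean", "malicious"
RETRY_MESSAGE = "File is being analyzed; please try again in a few minutes."


@dataclass
class ToySandbox:
    """Stand-in for the detonation VM. A verdict becomes available only after
    `delay` calls to tick(), so the first requester sees analysis in progress."""
    delay: int = 2
    _jobs: dict = field(default_factory=dict)  # sha256 -> [ticks_left, verdict]

    def submit(self, digest: str, content: bytes) -> None:
        # Constructed rule: a file carrying this marker is "malware".
        verdict = MALICIOUS if b"EVIL-PAYLOAD" in content else CLEAN
        self._jobs[digest] = [self.delay, verdict]

    def tick(self) -> None:
        for job in self._jobs.values():
            job[0] = max(0, job[0] - 1)

    def result(self, digest: str) -> str:
        ticks_left, verdict = self._jobs[digest]
        return verdict if ticks_left == 0 else PENDING


@dataclass
class Gateway:
    sandbox: ToySandbox
    scan_known_sites: bool = True              # the differentiator discussed above
    known_sites: set = field(default_factory=set)
    verdicts: dict = field(default_factory=dict)  # sha256 -> cached verdict
    detonations: int = 0                       # how many times the sandbox ran

    def fetch(self, site: str, content: bytes) -> tuple[str, bytes | None]:
        """Return (decision, body); decision is 'allow', 'block' or 'quarantine'."""
        if not self.scan_known_sites and site in self.known_sites:
            return "allow", content            # unscanned: the watering hole gap
        digest = hashlib.sha256(content).hexdigest()
        if digest not in self.verdicts:        # first sighting: detonate once
            self.sandbox.submit(digest, content)
            self.detonations += 1
            self.verdicts[digest] = PENDING
        if self.verdicts[digest] == PENDING:   # poll until the verdict lands
            self.verdicts[digest] = self.sandbox.result(digest)
        verdict = self.verdicts[digest]
        if verdict == PENDING:
            return "quarantine", RETRY_MESSAGE.encode()
        if verdict == MALICIOUS:
            return "block", None
        return "allow", content


def run_scenario(scan_known_sites: bool = True) -> tuple[list[str], int]:
    """Four users fetch the same trojan; a 'trusted' site has been compromised.
    Returns the per-request decisions and the number of sandbox detonations."""
    sandbox = ToySandbox(delay=2)
    gw = Gateway(sandbox, scan_known_sites=scan_known_sites,
                 known_sites={"trusted.example"})
    trojan = b"MZ...EVIL-PAYLOAD..."          # constructed sample file
    decisions = [gw.fetch("trusted.example", trojan)[0]]   # first user
    sandbox.tick()
    decisions.append(gw.fetch("trusted.example", trojan)[0])  # still pending
    sandbox.tick()
    decisions.append(gw.fetch("trusted.example", trojan)[0])  # verdict cached
    decisions.append(gw.fetch("other.example", trojan)[0])    # same hash elsewhere
    return decisions, gw.detonations


if __name__ == "__main__":
    print("scan everything:", run_scenario(True))
    print("skip known sites:", run_scenario(False))
```

With scanning of known sites enabled, the first two users are quarantined, the third is blocked once the verdict lands, and the fourth is blocked immediately on the cached hash with no second detonation. With the “skip known sites” policy, the compromised trusted site serves the trojan unscanned three times and only the fourth request, from an unknown site, reaches the sandbox.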

 It’s nice to see sandboxing moving into the mainstream SWG space today with Zscaler and others, such as Trend Micro and Websense, deploying it. So what does this mean for FireEye and the other sandbox specialist vendors? Since this post is getting kind of long, I’ll address that in Beyond SWGs (Part 3): What’s in the Sandbox? soon. 

Organizations feeling the pain of cyberattacks, slow gateways or hard-to-manage collections of point security products, should do the following:

  • Understand what you most have to protect and where you’re architecturally weak: consider commissioning a rapid risk and security controls assessment from an external consultant with good expertise in this area.
  • Assume you’re already compromised by cyberattackers (especially if you’re in a high-threat industry like financial services, high technology or government). This will encourage your team to hunt attackers more aggressively using security monitoring tools.
  • Audit your environment for malware and its infection vectors: I’ll cover that in Part 3 of this series, but you need to replace, redeploy or augment solutions along those infection vectors.
  • Factor the learnings from the above steps into your enterprise security roadmap, and make sure the roadmap includes a good cloud security strategy and a good mobile security strategy.
    • However, if the enterprise lacks over-arching cloud and mobile strategies to guide security, escalate this issue. Without valid enterprise strategies in these areas, you can’t construct a valid future (“to be”) security state.
  • Do a thorough assessment of your network and web security deployment for performance and manageability in its “as is” state, and assess both operational gaps and gaps against the “to be” state.
  • Develop a phased migration strategy to cover the infection vectors, improve manageability and perhaps consolidate point products around a more unified platform.

Actually doing all this may take at least 3 months, but it is the right way to go about optimizing the enterprise network / cloud / mobile security architecture. You might ask: “Is there a tactical shortcut for easing the enterprise pain?” I’d answer with a qualified “Yes: you can treat your symptoms and get some worthwhile relief, but you should still address the root cause issues.”

Please comment if you have any ideas of your own, either on the “right way” or potential shortcuts. And come back later this week for Beyond SWGs (Part 3).