Cloud computing is becoming more popular due to its cost savings, scalability, and accessibility. However, it has drawbacks for your security posture. Firstly, you no longer have the visibility or control you had with on-premises application access. The more a cloud provider manages for you, the more of the risk it assumes and the less visibility you have into your own environment. A critical security concern is that you often do not know what is being done in the cloud, or when. In addition, the cloud now hosts your data, which raises questions about what information is there, who can access it, where it goes, and whether it is being stolen. Cloud platforms’ security challenges are unique, and Cisco has several solutions that can help alleviate them. This post will focus on Cisco CloudLock.
Examples: Cloud Security Solutions.
- Cisco CloudLock
- Cisco Umbrella
- Cisco Secure Cloud Analytics
- Cisco Duo Security
Cloud technology has changed our approach to technology. Unfortunately, bad actors have also exploited weaknesses in digital infrastructure to create a new set of security challenges that we must deal with. Firstly, enforcing corporate security policies becomes more challenging, since third-party hosted SaaS applications do not guarantee that users will pass through the corporate security infrastructure where traditional security screening would have occurred. There needs to be more visibility. Due to these gaps in visibility and coverage, a breach can go undetected for months. Several cloud security controls can be employed to cover this gap, and all of them fall under the Cisco CloudLock cloud security solution.
User and entity behavior analytics (UEBA), data loss prevention (DLP), and application firewalls are today’s most important security controls for SaaS applications. Cisco offers these security services as part of Cisco CloudLock, the Cisco CASB offering. In addition, Cisco Cloudlock provides security across multiple cloud environments.
A key point: Before you proceed, you may find the following posts useful as background:
- Cisco Secure Firewall
- Dropped Packet Test
- Network Security Components
- Cisco Umbrella CASB
- CASB Tools
Cloud Security Solutions.
- A key point: Back to basics with cloud security concepts.
Before we go any further, let us brush up on some critical security concepts. The principle of least privilege states that people or automated tools should be able to access only the information they need to do their jobs. When least privilege is applied in practice, your access policies are typically deny-by-default: users are granted no privileges by default and must request, and be approved for, any privileges they require. The concept of defense in depth acknowledges that almost any security control can fail, either because a bad actor is sufficiently determined or because the control is implemented incorrectly.
By overlapping security controls, defense in depth prevents bad actors from gaining access to sensitive information if one fails. In addition, you should remember who will most likely cause you trouble. These are your potential “threat actors,” as cybersecurity professionals call them.
Examples: Threat actors.
- Organized crime or independent criminals interested in making money
- Hacktivists, interested primarily in discrediting you by releasing stolen data, committing acts of vandalism, or disrupting your business
- Inside attackers, usually interested in discrediting you or making money
- State actors who may steal secrets or disrupt your business
Cloud Security Solutions
Authentication and the group-based access control policies defined in the application are part of the security the SaaS environment provides. However, SaaS providers differ significantly in their security features, functionality, and capabilities; security is far from one-size-fits-all across providers. For example, behavioral analytics, data loss prevention, and application firewalling are not among most SaaS providers’ main offerings or capabilities. We will discuss these cloud security features in just a moment. Organizations cannot directly deploy custom firewalls or other security mechanisms into SaaS environments, because SaaS providers do not expose the infrastructure below the application layer. Most SaaS platforms allow customers to control their environment only through tools the provider supplies, but not all do.
Cloud Security Solutions: Data Loss Prevention (DLP)
Let us start with DLP. The goal of data loss prevention (DLP) is to prevent critical data from leaving your business in an unauthorized manner. This presents a significant challenge for security because the landscape and scope are complex, particularly when multiple cloud environments are involved.
Generally, people think of firewalls, load balancers, email security systems, and host-based antimalware solutions as protecting their internal users. However, organizations use data loss prevention (DLP) to prevent internal threats, whether deliberate or unintentional. DLP solutions are specifically designed to address “inside-out” threats, whereas firewalls and other security solutions are not positioned to be experts in detecting those types of threats.
Data loss prevention solutions address the challenge of stopping authorized users, performing otherwise authorized actions on approved devices, from moving data outside authorized realms. Intentional, unintentional, or simply accidental data breaches are not uncommon.
- Example of Threat
Let us examine a typical threat. A user at a financial credit services company could have legitimate access to an unlimited number of credit card numbers and personally identifiable information (PII) and cause an intentional insider breach. The insider very likely also has access to email, so the data can be sent out as attachments.
Firewalls and email security solutions cannot prevent this insider from emailing an Excel spreadsheet of credit card numbers and other personal information from their corporate email account to a personal email address; they are not looking for that type of data. A DLP solution, however, is aligned with exactly this type of threat. With adequately configured data loss prevention, such unacceptable data transfers can be detected, alerted on, and prevented.
Remember that disaster recovery and data loss prevention go hand in hand. Data you cannot access is as good as lost to you until you regain access. In other words, preventing data loss is a worthwhile goal, but recovering from data loss, and from disasters that prevent you from accessing your data (whether caused by malware or by something more mundane, such as a forgotten domain renewal), requires planning.
- A key point: It boils down to a lack of visibility
On-premises DLP systems have visibility only into network traffic and do not extend into cloud environments, such as SaaS-bound traffic. Additionally, given how easily users can distribute information in cloud environments and how collaborative those environments are, it is easy for employees to share sensitive information with external parties, and difficult for security analysts to detect this with traditional mechanisms. Cloudlock’s data loss prevention technology continuously monitors cloud environments to detect and secure sensitive information. Cloudlock, for instance, can detect whether files stored in an application are shared outside specific organizational groups or outside the entire organization.
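The insider scenario above (card numbers emailed to a personal address) and Cloudlock’s sharing checks come down to the same two questions: does the content contain regulated data, and who can reach it? The following Python is an added example, not Cloudlock code or any provider’s API: it scans constructed file-share records, validates card-number candidates with the Luhn checksum so order numbers are not flagged, and alerts only when card data is exposed beyond an assumed finance group (the `example.com` domain, `FINANCE_GROUP`, and the `CloudFile` record shape are all assumptions).

```python
import re
from dataclasses import dataclass

CORP_DOMAIN = "example.com"                               # assumed tenant domain
FINANCE_GROUP = {"alice@example.com", "bob@example.com"}  # constructed group
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, space/dash separators

@dataclass
class CloudFile:            # hypothetical record shape returned by a storage API
    name: str
    shared_with: list       # collaborator e-mail addresses, or "anyone" for a public link
    content: str

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) present in text."""
    candidates = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]

def exposure(f: CloudFile) -> str:
    """Who can reach the file: public, external, org (beyond the group), group or private."""
    if "anyone" in f.shared_with:
        return "public"
    if any(addr.split("@")[1] != CORP_DOMAIN for addr in f.shared_with):
        return "external"
    if not f.shared_with:
        return "private"
    return "group" if set(f.shared_with) <= FINANCE_GROUP else "org"

def evaluate(files) -> list:
    """DLP policy: alert when card data is reachable beyond the finance group."""
    alerts = []
    for f in files:
        cards = find_card_numbers(f.content)
        if cards and (exp := exposure(f)) in ("public", "external", "org"):
            alerts.append((f.name, exp, len(cards)))
    return alerts

SAMPLE_FILES = [  # constructed records; 4111... and 4242... are well-known test PANs
    CloudFile("chargebacks.xlsx", ["alice@mail.example.net"],            # personal address
              "4111 1111 1111 1111 disputed; 4242-4242-4242-4242 refunded"),
    CloudFile("order-ids.csv", ["anyone"],                               # public link
              "order 4111111111111112, ref 1234567890123, card 4242424242424242"),
    CloudFile("budget.pptx", ["carol@example.com"],                      # outside the group
              "test card 4111111111111111"),
]
```

Running `evaluate(SAMPLE_FILES)` yields one alert per file above; the first two digit runs in `order-ids.csv` fail the Luhn check and are ignored, so only the valid card counts.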
Cloud Security Solutions: Application Firewalls
Next, we have application firewalls. How does an application firewall differ from a “traditional firewall”, and from a “next-generation firewall”? First, an application firewall focuses on the application, not the user or the network. Its logic differs entirely from that of a non-application firewall, and it builds policies on different objects. In cloud environments, writing policy on the traditional objects is of little use.
- Application Firewall vs. Traditional Firewall.
Many traditional firewall approaches will not work for protecting cloud applications. Because your cloud application needs to be accessible from anywhere, it is not feasible to configure rules on “source IP.” You might be able to geo-fence using the IP blocks assigned by IANA, but what about a traveling user, or someone on vacation who needs remote assistance? Source IP addresses cannot be used to write security policies for cloud applications.
Your toolkit of Layer 3 and Layer 4 security controls has just become ineffective. In addition, an attack could originate from anywhere in the world, over IPv4 or IPv6. So how you secure your cloud applications and data must change: from a traditional firewall to an application firewall that focuses directly on the application and nothing below it. You also face challenges when writing firewall policies based on user IDs. If your cloud application must be accessible from anywhere by anyone, firewall rules based on directory services such as LDAP or Active Directory are of little use either.
Compared with an on-premises solution, you have fewer options for filtering traffic between clients and the cloud application. An application firewall controls the data exchanged with an application and the access to (or from) it. Its focus is not the security of IP networks and Layer 4 ports but the protection of applications and services. A firewall at the application layer cares little about how data is received by and connected to the application, or how it is formatted or encrypted, which is exactly what a traditional firewall would focus on. Instead, an application firewall monitors the data exchanged between applications and other entities, and it examines the data exchange methods rather than the location when determining whether a policy violation has occurred.
- The road to Cisco CloudLock or multiple products.
It is possible to enable security microservices such as UEBA, DLP, and an application firewall to protect your SaaS environment by deploying a separate product for each capability and then integrating each with the different SaaS vendors and offerings. This approach adds capabilities, but at the cost of managing multiple products per environment and application. Adding security products to the cloud environment increases security capabilities, but there comes a point where the additional capabilities become unmanageable due to time, financial cost, and architectural limitations.
Cisco can help customers reduce the complexity of multiple point products and introduce additional security services for SaaS environments under one security solution, Cisco CloudLock, which combines UEBA, an application firewall, DLP, and CASB. This has since been extended to secure access service edge (SASE) with Cisco Umbrella, which we will touch on at the end of the post.
Cloud Security Solutions: Cloud Access Security Broker
Cloud access security brokers (CASBs) mediate how users interact with cloud services such as SaaS applications, IaaS, and PaaS environments, and they help you define and enforce security policies. With a CASB, we can enforce policy in environments we do not control. CASBs safeguard cloud data, applications, and user accounts regardless of where the user is or how they access the cloud application. Where other security mechanisms focus on protecting the endpoint or the network, CASB solutions focus on protecting the cloud environment; they are purpose-built for cloud protection.
CASB solutions negotiate access security between the user and the cloud application on the organization’s behalf, and they go beyond merely “permitting” or “denying” access. A CASB can enable users to access cloud applications, monitor their behavior, and protect the organization from risky cloud applications by providing visibility into that behavior. End users continue to access the cloud application in the same way as before the CASB was deployed, and cloud application service providers still advertise and serve their applications in the same manner. Neither the cloud applications nor the user environment changes.
In addition to a lack of control, there is a lack of visibility: many SaaS environments lack a mechanism for tracking user behavior and controlling users (although most cloud providers have their own UEBA systems).
Identifying the Different CASB Categories
- CASB architectures generally fall into two categories: in-line deployment and out-of-band deployment.
In-line CASB deployments come in two types: reverse proxies and forward proxies. Proxy servers provide security services to users as they connect to resources. Reverse proxies are usually located in front of the resource being accessed, whereas with forward proxies users connect to remote resources through the proxy, which provides the security services. In-line CASB solutions are susceptible to data path problems if there are interruptions in the CASB environment or in the services on which the CASB solution depends. Forward proxies have another drawback: you must know where your users are to place the proxy appropriately. In addition, proxy-based CASB security capabilities are limited given the nature of cloud usage. For instance, proxy-based CASBs cannot secure cloud-to-cloud traffic, nor unmanaged users and devices within the cloud. These deficiencies create potential security gaps.
Out-of-band CASBs can be categorized into API-based CASBs and log-based CASBs, both of which sit outside the path between users and cloud applications. Compared with a log-based CASB, an API-based CASB exchanges API calls with the cloud application environment rather than consuming log data. Log data is typically ingested by a SIEM or other reporting tool, whereas API calls allow the CASB solution to control cloud applications directly. API-based CASBs do not depend on being in the cloud application’s traffic path; they are integrated with cloud applications but remain external to their environments.
Log-based CASB solutions are limited because they can only take action once logs have been parsed by a SIEM or other tool. API-based CASBs monitor cloud usage whether the user is on or off the corporate network and whether the device is managed or unmanaged. A CASB that uses APIs can also protect cloud-to-cloud application communications, which never reach the corporate network.
Cloudlock is an API-based CASB. Therefore, unlike proxy-based CASBs, it does not need to be in the user traffic path to provide security. As a result, there is no need to worry about under-sizing or over-sizing a proxy. You also do not have to maintain proxy rulesets, cloud application traffic does not have to be routed through another security layer, and there is no risk of traffic bypassing the proxy, which is a significant value-add for cloud application security.
- A key point: CloudLock and machine learning
To detect anomalies, Cloudlock uses advanced machine learning algorithms. It also flags actions originating outside allowlisted countries and actions that appear to occur across distances at impossible speeds. Identifying suspicious behavior and behavioral anomalies is one of the key features of Cisco Cloudlock.
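As an added example (not Cloudlock’s own implementation), the Python below carries out the two checks this paragraph and the “User security” summary describe: a country allowlist, and an impossible-travel rule that compares each user’s consecutive logins by great-circle distance over elapsed time. The allowlist, the 900 km/h threshold, the 50 km jitter tolerance, and the login records are constructed assumptions.

```python
import math
from datetime import datetime

ALLOWED_COUNTRIES = {"US", "IE"}   # assumption: the tenant's allowlisted countries
MAX_PLAUSIBLE_KMH = 900.0          # faster than an airliner cannot be real travel
MIN_DISTANCE_KM = 50.0             # ignore geolocation jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def analyze_logins(events):
    """Return (user, rule, detail) alerts for disallowed countries and impossible travel.

    events: dicts with user, ts (ISO 8601 with a fixed UTC offset, so string order
    is chronological), country, lat, lon.
    """
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        if ev["country"] not in ALLOWED_COUNTRIES:
            alerts.append((ev["user"], "disallowed_country", ev["country"]))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (datetime.fromisoformat(ev["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf   # same-second logins far apart
            if dist > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append((ev["user"], "impossible_travel", speed))
        last_seen[ev["user"]] = ev
    return alerts

SAMPLE_EVENTS = [   # constructed login records: New York, Dublin, San Francisco, Sao Paulo
    {"user": "alice", "ts": "2023-04-04T09:00:00+00:00", "country": "US", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "ts": "2023-04-04T10:00:00+00:00", "country": "IE", "lat": 53.3498, "lon": -6.2603},
    {"user": "bob",   "ts": "2023-04-04T09:00:00+00:00", "country": "US", "lat": 37.7749, "lon": -122.4194},
    {"user": "bob",   "ts": "2023-04-04T17:00:00+00:00", "country": "US", "lat": 40.7128, "lon": -74.0060},
    {"user": "carol", "ts": "2023-04-04T12:00:00+00:00", "country": "BR", "lat": -23.5505, "lon": -46.6333},
]

if __name__ == "__main__":
    for alert in analyze_logins(SAMPLE_EVENTS):
        print(alert)
```

Alice’s New York to Dublin hop (roughly 5,100 km in one hour) trips the travel rule, Bob’s eight-hour coast-to-coast move does not, and Carol’s login is flagged on country alone.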
The Evolution of Cloud Security Service
Cisco CloudLock is now part of Cisco SASE, which people are calling the evolution of cloud security. Cisco SASE includes a secure web gateway, firewall, CASB functionality, DNS-layer security, and interactive threat intelligence, all delivered from one cloud security service so that organizations can embrace direct Internet access. The cloud security service, Cisco Umbrella, provides multiple security functions and integrates well with Cisco SD-WAN and Cisco ThousandEyes.
Cisco Umbrella Features:
- DNS-Layer Security
Using Umbrella’s DNS-layer security, you can improve your security quickly and easily. Its ability to stop threats over any port or protocol before they reach your network or endpoints improves security visibility, detects compromised systems, and protects your users.
- Secure Web Gateway
With Umbrella’s secure web gateway, you can view and inspect web traffic, control URLs and applications, and protect yourself against malware. To enforce acceptable use policies and block advanced threats, use IPsec tunnels, PAC files, or proxy chaining.
- Firewall
With Umbrella’s firewall, all activity is logged, and unwanted traffic is blocked using IP, port, and protocol rules. An IPsec tunnel can be configured on any network device to forward traffic. Policies automatically apply to newly created tunnels to ensure consistent enforcement and easy setup.
- Cloud Access Security Broker
Through Cisco Umbrella, you can discover and report on cloud applications used throughout your organization. To better manage cloud adoption and reduce risk, you can view details on risk levels for discovered apps and block or control usage.
Summary of Cisco CloudLock’s main features:
User security: Cloudlock uses advanced machine learning algorithms to detect anomalies based on multiple factors. It also identifies activities outside allowed countries and spots actions that occur at impossible speeds across distances.
App security: The Cloudlock Apps Firewall discovers and controls cloud apps connected to your corporate environment. You can see a crowd-sourced Community Trust Rating for individual apps, and you can ban or allowlist them based on risk.
Data security: Cloudlock’s data loss prevention (DLP) technology continuously monitors cloud environments to detect and secure sensitive information. It provides many out-of-the-box policies as well as highly tunable custom policies. SaaS applications can come from many sources, both reliable and unreliable, so data security is a primary concern when using SaaS applications in the cloud.
- Cisco CloudLock - April 4, 2023