Search This Blog

Tuesday, 28 April 2015

Understanding Cloud Access Security Broker Services

Over the past 30 years, we the IT Security team have been promoting and building a "Defence in Depth" strategy to protect our corporate assets. 

This methodology was predicated on the fact that we need to assure our employees, customers, and shareholders that we were able to provide adequate Confidentiality, Integrity, and Availability (The CIA-Triad)  for the sensitive data/intellectual property residing in physical  data centers. 

We have installed Firewalls, Intrusion Prevention, AntiMalware,  Data Loss Prevention, Secure Email, VPN, etc... All with the intent on providing a stack of security capabilities to protect data withing our corporate network.  Within our corporate data centers.

Simultaneously, our lines of business are becoming more agile, more complex, and more attune to services available "in the cloud"Shadow IT is the new trend.  Lines of Business can and are spinning up new services at an aggressive rate to keep up with their online competition. Our ability to manage them "technically" as opposed to by policy has been almost non-existent.

We as Security Experts, are scrambling to augment our "bricks and mortar" based Defense in Depth strategy with Cloud Services, but the path is not presently clear.

Very recently
, a niche market has developed to fill this void. Several vendors identifying themselves as Cloud Access Security Brokers (CASBs) have defined a strategy to mitigate this problem.  CASBs are either on-premise, or cloud-based (or both) security policy enforcement points. Placed between your end users and the various cloud service providers, they can inspect traffic, manage and enforce policy, alert on anomalous behavior, and in most cases provide some level of DLP enforcement.

Either leveraging existing Single Sign On providers, or corporate Active directory services, these Cloud Access Security Brokers can identify individuals' access into Cloud Service Providers that are affiliated with the broker. Currently these number in the  hundreds if not thousands. For "Sanctioned" Cloud Applications (those services for which your enterprise has procured directly) end user access can be strictly enforced by context:
  • Who you are (Role based access)
  • Where you are coming from (corporate network, public Internet, wifi, geographic region)
  • What device you are using (Corporate laptop, Home PC, Tablet or phone)
  • What time of day you're working (Are you authorised to work during this time?)

This Context Awareness also allows the CASB providers to employ heuristic analysis on Cloud bound traffic, to do some form of anomaly detection to identify malicious or erroneous traffic.  This is an area that they are all investing heavily in today.
  Most of the Cloud Access Security Brokers provide granular encryption, but only three provide  Tokenization of your Corporate Data in the Cloud. This can be as coarse as entire records or documents, or as fine grained as a field in a form.  Adallom has also  leveraged the Right's Management functionality of Checkpoint's Capsule to secure data in the cloud, while allowing trusted collaboration.

For more on Tokenization vs encryption, please see my articles: Tokenization as a companion to Encryption and Toronto based PCI Compliance upstart Blueline brings holistic solution to Voice-Web-POS

One of the strengths of some of the Cloud Access Security Brokers is the ability to identify and report on employee access to  "Shadow IT" cloud services.  "Shadow IT" are described as services that the corporation has not subscribed to as a whole, or has not specifically provisioned for the user in question.  These typically include Cloud Storage facilities like Box or Dropbox.   Again, if the CASB has an affiliation with the cloud service provider, these can be managed by policy, otherwise they can be flagged and alerted on to your security operations team for manual remediation.

Several of these CASBs provide on-premise inspection and policy gateways to augment your corporate network controls and provide definitive logical access control to the cloud services from within the corporate network.  These on-premise gateways complement the cloud based CASB services and provide for a hybrid view of data movement.

Since their emergence in 2012, CASBs have grown in importance and today are the primary technical means of giving organizations more control over SaaS security. This technology will become an essential component of SaaS deployments by 2017.
 By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.

- Gartner, The Growing Importance of Cloud Access Security Brokers

Gartner has defined the four pillars of CASB as:
 Visibility, Data Security, Compliance and Threat Prevention.

 As of this time, there are about twelve companies playing in this space. I would like to highlight the leaders at the moment. 

(In alphabetical order, and in their own words. ie: pilfered from their websites.)

Adallom delivers an extensible platform to secure and govern cloud applications. In addition to discovering almost 13,000 cloud services in use, Adallom offers comprehensive controls for data sharing, data security, DLP, eDiscovery and access control. The Adallom platform also integrates with existing on-premises solutions such as SIEMs, MDMs, NACs and DLPs. Adallom has identified new malware attacks in the wild, including a Zeus variant attacking Salesforce, and an identity token hijacking vulnerability affecting Office 365On April 21st, Adallom announced an HP partnership where its platform will be resold on the HP price list, and offered with the HP Enterprise Security Products and Enterprise Security Services portfolio. 

the Total Data Protection company, is a Cloud Access Security Broker, founded in 2013, that delivers innovative technologies that transcend the network perimeter to deliver total data protection for the enterprise - in the cloud, on mobile devices and anywhere on the internet.  Bitglass delivers the security, visibility, and control that IT needs to enable mobile and cloud in the workplace, while respecting user privacy.

CipherCloud is a cloud security software suite that encrypts data during the upload process, and decrypts during download. The encryption keys used for this process remain within your business network; thus, unauthorized users accessing data in the cloud will only see indecipherable text.
CipherCloud also comes with built-in malware detection and data loss prevention. There are specific builds for commonly used cloud applications such as Salesforce, Office 365, Gmail and Box, as well as a variant that can be configured to work with any cloud-based applications your business uses.

Netskope is a leader in cloud app analytics and policy enforcement. Netskope aims to eliminate the catch-22 between being agile and being secure and compliant by providing visibility, enforcing sophisticated policies, and protecting data in cloud apps.  
Netskope is a service that discovers and monitors cloud apps and shadow IT used on your network. Netskope monitors users, sessions, shared and downloaded content as well as the shared content details, and provides detailed analytics based on this information.

Perspecsys' AppProtex Cloud Data Protection Platform provides a flexible cloud data control platform that enables organizations to identify and monitor cloud usage and then encrypt or tokenize data that it does not want to put in the cloud “in the clear”.  The Platform intercepts sensitive data while it is still on-premise and replaces it with a random tokenized or encrypted value, rendering it meaningless should anyone outside of the company access the data while it is being processed or stored in the cloud.

Skyhigh Networks enables organizations to adopt cloud services with appropriate security, compliance, and governance. Skyhigh supports the entire cloud adoption lifecycle, providing unparalleled visibility, analytics, and policy-based control. Specifically, Skyhigh shines a light on Shadow IT by giving a comprehensive view into an organization’s use and risk of all cloud services. Skyhigh analyzes the use of all cloud services to identify anomalous behavior indicative of security breaches, compromised accounts or insider threats. Finally, Skyhigh enforces the organization's policies on the use of over 12,000 cloud services by providing contextual access control, structured and unstructured data encryption and tokenization, data loss prevention, and detailed cloud activity monitoring for forensic and compliance purposes.

Zscaler is leading two fundamental transformations in the world of IT security. First—the shift from on-premise hardware appliances and software to Security as a Service. Second—the transition from point security solutions to broad unified security and compliance platforms. Both transformations exactly parallel what has happened in every other sector of information technology—CRM, ERP, HR, eCommerce, and personal productivity—all have evolved from on-premises point applications to comprehensive cloud—based platforms. 

While conducting this review of the CASB market, I looked at a number of Security Controls that I would expect a mature Access Broker to provide. I've laid this out in accordance with Gartner's four pillars: 
 Visibility, Data Security, Compliance and Threat Prevention.
If you think I have omitted your favorite Cloud Access Security Broker, or have mis-represented a control above, please have them forward details to me including their position on each of the items in the above controls list.  After validating each, I will gladly amend the list.

Although the CASB market space is still in it's infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service. 
I'm interested to see what happens to this space over the next three years.   My money is on convergence of CASB, SSO, and Mobile Security providers.

Also Read: 

Standing at the Crossroads: Employee Use of Cloud Storage.


Gartner: The Growing Importance of Cloud Access Security Brokers
Gartner: Emerging Technology Analysis: Cloud Access Security Brokers
Bitglass: The Definitive Guide to Cloud Access Security Brokers
CipherCloud looks to stay at the head of the cloud security class 
Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways
Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends

NetworkWorld: How the cloud is changing the security game
Adallom: The Case For A Cloud Access Security Broker
Adallom: Cloud Risk Report Nov 2014
Check Point Capsule and Adallom Integration 
HP - Adallom: Proven Cloud Access Security Protection Platform 
Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP 
PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager
ManagedMethods: Role of Enterprise Cloud Access Security Broker
Standing at the Crossroads: Employee Use of Cloud Storage. 
Cloud Computing: Security Threats and Tools 
SC Magazine: Most cloud applications in use are not sanctioned  

Monday, 27 April 2015

What's the difference between a Virtual Machine and a Container?

With the current trend towards "Containers" as opposed to "Virtual Machines", I've had a few people asking what the difference was, and where you might use one over the other.

I hope to keep this brief, but... 

Both Containers and Virtual Machines have been around for quite some time.  Mainframe and Commercial UNIX have had terms like LPAR for Logical Partition (Representing VM) and WPAR for Workload Partition (Representing Containers) for over a decade (Mainframe since 1972!!!).

UNIX/Linux have used "chroot" filesystems (otherwise known as "chroot jail")  for years to secure running processes such as a web server or database server. The earliest implementation of "containers" was the 1979 introduction of chroot into UNIX Version 7.

Currently chroot is a part of just about every major distribution of Linux.

In very high level terms, a Virtual Machine or Hypervisor (such as VMWare, Hyper-V, KVM, VirtualBox, and Xen) is designed to emulate an entire physical computer including the various hardware abstraction required for networking, video, audio, etc... 

In a word, VMs are FAT!
Via Accenture:

A container on the other hand ( DockerParallels , CoreOS, chroot, ...)  runs on top of an existing kernel, leveraging resources form the kernel, and merely presents a virtual userspace with separate filesystem, CPU, memory and protected processes.  

Without having to emulate the underlying hardware, you can pack 3-4 times as many containers into the same resource pool as a single Virtual Machine.

So why would I use Virtual Machines, if Containers are just as good?  

Well, because a Virtual Machine abstracts the ENTIRE hardware platform, there's evidence that it is better suited to defined network segregation.  

You could, for instance, define a Virtual Machine to represent your web application in it's entirety, then within that VM, create containers for the web, app, and database tiers.  The containers would provide logical segregation between the tiers, and the VM would protect the entire application from other apps in the DMZ.

Virtual Machines also allow you to run completely different Operating Systems simultaneously on the same hardware.  For instance, on your Ubuntu Laptop, you could use Virtualbox, to simultaneously run Windows 8.1 and OSX.    

Or, on your server, you could simultaneously run Redhat Linux, Windows Server 2008, and Windows Server 2012.   

A containerized system, as mentioned above, runs all containers off of the same Operating System Kernel.

And by far the biggest benefit of Containers over Virtual Machines is speed of launch. A Virtual Machine is, for all intents and purposes, a complete computer Operating System.  On boot, it has to run through all of the legacy boot processes... 

A Container launches on an already running kernel.  A full containerized application can launch in a fraction of a second (restricted only by I/O) whereas that same app launched within a Hypervisor context could be from tens of seconds to potentially a minute or more depending on boot requirements.

Edit: (04/28/2015)

Bromium is an newcomer to the virtualization space, and one to watch carefully.  Based on a fork of the Xen hypervisor, Bromium relies heavily on Intel's hardware virtualization for isolation.

Unlike either of the above Hypervisor or Container approaches,  Bromium isolates specific services in Windows, such as launching an application, downloading an email attachment, or clicking a hyper link in a browser.  When these activities are identified, Bromium creates a small task-specific "Microvisor" to encapsulate and segregate only the resources required for that task.  Mandatory Access Control policies ensure protection of the underlying Operating System, as well as any other apps running on the host.

When NSS Labs tested the Bromium architecture, it achieved a perfect score in defeating all malware, as well as manual and scripted attempts at penetration.


VMware just created its first Linux OS, and it’s container-friendly
Why Containers Instead of Hypervisors? 
IBM Systems Magazine: An LPAR Review 
Wikipedia: Workload Partitions
Wikipedia: Virtual machine 
Wikipedia: Operating-system-level virtualization 
Wikipedia: Chroot 
Best Practices for UNIX chroot() Operations 
Ubuntu: Basic chroot  
Containers—Not Virtual Machines—Are the Future Cloud 
Contain your enthusiasm - Part One: a history of operating system containers 
Accenture: Inspiration through Elevation: Simplified Configuration Management with Docker  
Gartner: Virtualization, Containers and Other Sandboxing Techniques Should be on Your Radar Screen 
Bromium vSentry Sets New Standard for Security Effectiveness 
NSSLABS: Threat Isolation Technology Test Report: Bromium vSentry
Bromium: Micro-virtualization for the Security Architect