Have you ever wondered what was going on within a cloud regardless of type? SaaS? PaaS? IaaS? Do you need to audit these environments to ensure compliance with your security policy (not to mention the subset of your security policy that contains regulatory compliance)? To provide solutions for these issues, a number companies both new and old have put forward various tools that utilize proxies, reverse proxies, and transparent gateways to uncover what is happening within a SaaS application. The goal is to know who did what, when, where, how, and hopefully why.

The function of these tools is to uncover the actions a user takes within a cloud service in order to determine if those actions are in violation of a security policy. Such a policy could be, for instance, that the user is not allowed to download en masse any data but should be using the application to perform a specific function. Yet, due to the lack of adequate controls within many cloud services, the permissions needed to download data en masse are often the same permissions required for a person to perform their daily job functions. Given that lack of controls, it is important, then, to increase vigilance to determine what are normal actions for users compared to what actions are not and could be security issues.

Cloud Security Monitoring Implementations

There are three implementations of cloud security monitoring: those that modify EUC devices, those that require you go through their gateway sitting within your data center, and those that do neither.

  • Implementations that modify EUC devices such as tablets, smart phones, and laptops can be accomplished in several ways: through use of a proxy (Zscaler), through installing software (VMware Horizon Suite), or through a mobile device manager (MDM) or mobile content manager (MCM).
  • Implementations that require use of a gateway device actually intercept all traffic and either analyze it to determine which cloud services, including SaaS, are in use or go a step further and also track how those services are used (Sky High Networks).
  • Implementations that use transparent gateways require no code to be put within your datacenter or on EUC devices (Elastica, Skyfence, Adallom). Instead, changes are made either within the cloud service or by the cloud service provider.

In all of these cases, some modifications are necessary in order to track what is happening.

Cloud Security Monitoring Technologies

The technologies in use for cloud security monitoring range from those that are limited to web content to those that couldn’t care less what content is being monitored, but will monitor it all as long as there is a hook into the cloud service provider.
Technologies that are implemented using proxies or reverse proxies are limited in scope to those applications for which the proxy works. Writing a general reverse proxy is very difficult, given the way everything links together, so they are usually application specific.
However, using a transparent gateway requires either that the cloud service itself be modified in some fashion, or that it already has been modified and that the necessary hooks already exist. The most common hook to use is single sign-on within a cloud. Single sign-on allows an organization to use its own identity store instead of the cloud service provider’s identity store. This is quite useful for restricting identity to known individuals and having this identity completely contained. Aside from identity, single sign-on can also be used to redirect access through some form of transparent gateway, which is how Elastica, Skyfence, and Adallom all implement their gateways. An admin would set this up within the cloud service if that service has such a feature.
If the feature does not exist, then you must force all data to go through the transparent gateway either by modifying the DNS on your network or by using one of the implementations that modify the EUC device (or you could require that a virtual desktop that you control be used).
Once the data traverses the transparent gateway, data is collected for later analytics.

Cloud Security Analytics

Many of the existing transparent gateways are collecting data at an alarming rate but are also looking at the data in new ways. They are trying to capture what is normal across logins versus what is abnormal and could be a security issue. Some of the issues currently tracked include, “Did the user suddenly start using a new function within a SaaS?” “Is data being ex-filtrated?” and “Are they logging in from wildly different locations?” However, you can also take this data, send it to your own SEIM, and run your own reports.
The goal is to know who did what, when, where, how, and hopefully why. These tools can give you this information.

Closing Thoughts

When you are trying to secure the hybrid cloud, knowing what is happening within the cloud is the second step. The first is to classify your data regardless of where it resides. Yet, the second step is far easier to do and a good start. Pick a tool that not only works within your data center, but also can reach out to the thousands of cloud services that employees could be using. So, know what is in use, but also know how to monitor for normal behavior. Determining what is abnormal is important, as those could be security issues.