How the cloud is changing the security game

New market of vendors has sprouted up to secure the cloud

Cloud computing offers many advantages, but with those benefits comes a new range of security concerns.

"From a security perspective, the cloud has introduced new risks," says David Levin, director of information security at Western Union, who oversees the security of applications being used at the money transfer company.

Levin says the first step toward addressing risk is figuring out how much there is ... and that first means knowing which cloud services are being used.

Levin turned to the services of Skyhigh Networks, a vendor in what Gartner calls the emerging market of Cloud Access Security Brokers (CASB). Products in this market basically sit between end users and cloud services, injecting security protocols between the two. Gartner estimates that CASB will be a $3.1 billion market by 2015.

By using Skyhigh, Levin got greater visibility into what apps his employees were using and which ones have appropriate security practices in place.

"Companies know there is stuff going into the cloud they're not aware of," says Adrian Sanabria, senior security analyst at 451 Research Group, which calls this market Cloud Access Control. "CACs can provide that visibility."


The problem is rooted in two major trends occurring at the same time: More and more cloud-based services and applications are being used that sit outside of the corporate firewall - from and Dropbox, to Google Apps and Amazon Web Services. On top of that, workers are using these services from either corporate laptops or their smartphones. It's created a situation where "there's really no corporate perimeter anymore," Sanabria says.

There have been solutions to these problems before the CASB market developed, but Sanabria says they've been less than ideal. Existing corporate firewalls can monitor traffic coming into and out of a company's network, but they usually provide IP-level analysis and reporting. Advanced firewalls can block certain connections to cloud-based applications or services.

That all works fine if employees are on the company's corporate network where the firewall policies are in place. But what happens when workers go to the coffee shop and hop on the public Wi-Fi, or if they're working from home?

VPN tunnels can be required for users so traffic runs through the company's firewall, but Sanabria says that can be tough to enforce and easy to get around.

That's where CASBs come in. Many of these companies offer a lightweight service, usually delivered as a SaaS that sits between users and the cloud service. Some of the CASBs have a proxy that can sit in front of any cloud app, gating control of it. So, if a service like Skyhigh is enabled with, then when users log on to Salesforce, Skyhigh would be a proxy sitting in front of Salesforce monitoring what the user is doing in that app, no matter where the user is accessing Salesforce from.

Other vendors, like Netskope, install agents that sit on user devices and monitor all the traffic from that device to any cloud app. Other services monitor network activity by being sent automated traffic reports.

Whereas traditional firewalls can tell IT that an employee is using Dropbox, a CASB product can tell IT what files were uploaded or downloaded. Some CASB vendors encrypt data before it goes into the SaaS application. For example, a rule can be set that any time a file that contains Social Security numbers is accessed, that traffic must be encrypted.

Vendors such as FireLayers can add functionality on top of an existing application, such as allowing read-only privileges to users for certain documents, or requiring two-factor authentication when changes are made to a document. It puts what Sanabria calls a "choke-point" on the SaaS vendor. "It allows you to make SaaS apps basically closer to being enterprise-ready," especially as it relates to PCI or HIPAA compliance, he says.

For Levin at Western Union, just having the visibility into what users were doing was valuable. After monitoring worker traffic using Skyhigh, Levin discovered frequent use of file synchronization and sharing services. It highlighted the need for Levin and his IT team to provide a service themselves.

Western Union went with Accellion, which bills itself as a secure Dropbox alternative. Combined with a new program dubbed Western Union Information Security Enablement, or WISE, Levin was able to inform workers that if they needed to use file sync, share and storage, Accellion was an option for them. Now, if a user attempts to access a platform like Dropbox, Skyhigh issues a popup asking them to use Accellion instead.

Since the rollout, employee usage of non-sanctioned services has dropped dramatically.

Western Union uses Okta - an identity management and single sign-on platform - on top of Accellion too. "We're really just trying to make sure people are making wise decisions, while giving them the tools necessary to be productive," Levin says.

Stories by Brandon Butler
