Protecting data and monitoring user behavior used to be relatively simple when everyone was behind the corporate firewall. However, in the new world of cloud computing and hybrid workforces, some basic practices and assumptions need to be revisited. For example, more people now need access to sensitive business data while working from home, on public computers, and via their mobile devices.
That’s where Security Service Edge (SSE) comes in. It combines zero-trust network access (ZTNA), data loss prevention (DLP) tools, and remote browser isolation (RBI) to deliver advanced threat protection and consistent control over data, regardless of where users are or which device they use to reach it.
“Think of the analogy of securing your home,” says Thyaga Vasudevan, Vice President of Product Management for Skyhigh Security. “Locking the front door doesn’t help if the windows and back doors are open. This is why a comprehensive data-aware approach is imperative in a perimeter-less environment. A holistic solution reduces complexity and benefits the customer by only requiring them to define their policy once.”
Lock the front door
Data within software-as-a-service (SaaS) applications can’t be protected by the corporate virtual private network when users are outside the firewall, so access has to be governed at the user and account level rather than at the network edge.
ZTNA starts from the assumption that no user, device, or network location is trusted by default. It applies policy-driven identity and access management so that each user can reach only the applications and services they are explicitly authorized to use.
Users authenticate through a cloud access security broker (CASB), which has visibility into all SaaS services in use across the organization, both sanctioned and unsanctioned. Security administrators can allow or block access per user and monitor data flows to and from SaaS applications for anomalies. When configured properly, ZTNA also improves the user experience, because a single authentication replaces separate logons to each SaaS application.
Secure the windows
Monitoring all SaaS applications in use also helps prevent the problem of cloud-to-cloud exfiltration, or the transfer of data that never touches the business network.
Take the native sharing functionality in Google Docs. It allows people to transmit data to other users outside of the company. Or a person may open a document using an unauthorized cloud-based PDF reader launched from the Play Store. In both cases, the data never touches the corporate network.
Protection from Skyhigh Security covers this contingency by establishing a direct out-of-band connection to other cloud services to enforce policies in real time with comprehensive data, user, and device coverage.
“It detects applications that aren’t visible to administrators and allows you to create policies based on risk, such as prohibiting shares or downloads,” Vasudevan says.
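The cloud-to-cloud exfiltration described above leaves no trace on the corporate network, so the only place to catch it is in the SaaS provider's own audit trail. The following is an added example, not code from the article or from Skyhigh Security: a small detector that scans Drive-style sharing events and flags any grant to an address outside the organization's mail domains, or any change that makes a document reachable by link. The event shape, the domain list (`example.com`) and the visibility strings are constructed assumptions, loosely modelled on Google Workspace Drive audit entries rather than the exact API schema.

```python
"""Flag SaaS sharing events that move data outside the organization.

Added example. The event records below are constructed and simplified;
they are not real Google Workspace audit-log output.
"""
from dataclasses import dataclass

# Assumption: the organization's own mail domains.
CORP_DOMAINS = {"example.com"}

# Assumption: visibility values that mean "anyone holding the link".
LINK_VISIBILITIES = {"people_with_link", "public_on_the_web"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event": "change_user_access", "actor": "alice@example.com",
     "doc_title": "Q3 roadmap", "target_user": "bob@example.com",
     "new_value": "can_edit", "visibility": "private"},
    {"event": "change_user_access", "actor": "alice@example.com",
     "doc_title": "Q3 roadmap", "target_user": "partner@contractor.net",
     "new_value": "can_view", "visibility": "private"},
    {"event": "change_document_visibility", "actor": "carol@example.com",
     "doc_title": "customer list", "target_user": None,
     "new_value": "people_with_link", "visibility": "people_with_link"},
    # Revoking an external user's access is not exfiltration; must not fire.
    {"event": "change_user_access", "actor": "alice@example.com",
     "doc_title": "Q3 roadmap", "target_user": "partner@contractor.net",
     "new_value": "none", "visibility": "private"},
    {"event": "view", "actor": "dave@example.com", "doc_title": "handbook",
     "target_user": None, "new_value": None, "visibility": "private"},
]


@dataclass(frozen=True)
class Finding:
    actor: str
    doc_title: str
    reason: str


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of a mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, corp_domains=CORP_DOMAINS) -> bool:
    return domain_of(address) not in corp_domains


def audit_sharing(events, corp_domains=CORP_DOMAINS):
    """Return one Finding per event that exposes data outside the org."""
    findings = []
    for ev in events:
        target = ev.get("target_user")
        new_value = ev.get("new_value")

        # Case 1: a permission granted directly to an external account.
        if (ev["event"] == "change_user_access" and target
                and new_value not in (None, "none")
                and is_external(target, corp_domains)):
            findings.append(Finding(
                ev["actor"], ev["doc_title"],
                f"shared with external user {target} ({new_value})"))
            continue

        # Case 2: the document was opened to anyone holding the link.
        if ev["visibility"] in LINK_VISIBILITIES:
            findings.append(Finding(
                ev["actor"], ev["doc_title"],
                f"visibility changed to {ev['visibility']}"))
    return findings


if __name__ == "__main__":
    for f in audit_sharing(SAMPLE_EVENTS):
        print(f"{f.actor}: {f.doc_title!r} {f.reason}")
```

In production the same logic would run over events pulled through the provider's reporting API or a CASB's API integration; the point of the example is the two conditions that matter, external recipient and link-based visibility, and the revocation case that must not produce an alert.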
But what about the executive traveling in Singapore who needs access to an internal SharePoint server from an unsecured computer in a hotel lobby? That’s where remote browser isolation (RBI) comes in, Vasudevan says.
Once a user authenticates to the SharePoint server, RBI renders the session in an isolated environment rather than on the endpoint. Only screen images are passed to the user as a pixel stream, so they can see the information they need without the underlying data ever reaching the device.
“They can still view the assets, but nothing is downloaded, and they can’t take screenshots,” Vasudevan says.
Because page content executes in the isolated environment rather than on the endpoint, RBI can be configured to keep malicious code, attachments, zero-day malware, and ransomware from running on the user’s device.
Bar the exits
In the home security analogy, the back door usually involves no attackers at all. Cloud misconfiguration is a problem that has afflicted 90% of organizations, according to a McAfee report. Problems occur when users don’t understand the options available to them when setting up cloud services such as storage or application permissions.
“You practically need a Ph.D. to understand some cloud administrative consoles,” Vasudevan says. For example, an administrator may leave on a switch that allows anonymous link-sharing of OneDrive files without specifying an expiration date. Imagine the potential consequences when “a new employee comes along who has no idea about the context and drops a product roadmap into a shared folder,” he says.
Misconfiguration has been responsible for some large and embarrassing recent data exposures in which information was left in the open on public file shares. Cloud Security Posture Management (CSPM) tools can identify misconfiguration issues and compliance risks to minimize this vulnerability.
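The OneDrive example above, an anonymous link-sharing switch left on with no expiration, is exactly the kind of setting a CSPM rule evaluates. The following is an added example, not code from the article or from any vendor product: a small posture check over a tenant sharing configuration, expressed with the property names used by the SharePoint Online tenant settings (`SharingCapability`, `RequireAnonymousLinksExpireInDays`, `DefaultSharingLinkType`). The threshold of 30 days, the treatment of -1 as "no expiration required", and the sample configurations are assumptions made for the example.

```python
"""CSPM-style check for anonymous link sharing without expiration.

Added example. The tenant configurations below are constructed; the
property names follow SharePoint Online tenant settings, but the values
and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumption: the only sharing capability that permits anonymous links.
ANONYMOUS_CAPABLE = {"ExternalUserAndGuestSharing"}

# Assumption: maximum acceptable lifetime for an anonymous link, in days.
MAX_LINK_DAYS = 30

# Assumption: -1 means "no expiration required" in this setting.
NO_EXPIRY = -1

# Constructed sample configurations (not exported from a real tenant).
WEAK_TENANT = {
    "SharingCapability": "ExternalUserAndGuestSharing",
    "RequireAnonymousLinksExpireInDays": NO_EXPIRY,
    "DefaultSharingLinkType": "AnonymousAccess",
}

HARDENED_TENANT = {
    "SharingCapability": "ExternalUserAndGuestSharing",
    "RequireAnonymousLinksExpireInDays": 7,
    "DefaultSharingLinkType": "Direct",
}

CLOSED_TENANT = {
    "SharingCapability": "Disabled",
    "RequireAnonymousLinksExpireInDays": NO_EXPIRY,
    "DefaultSharingLinkType": "AnonymousAccess",
}


@dataclass(frozen=True)
class PostureFinding:
    setting: str
    value: object
    severity: str
    message: str


def check_anonymous_sharing(tenant: dict) -> list:
    """Return posture findings for anonymous-link settings.

    Anonymous-link rules only apply when the tenant actually allows
    anonymous links; a tenant with sharing disabled gets no findings
    even if its other switches look permissive.
    """
    findings = []
    if tenant.get("SharingCapability") not in ANONYMOUS_CAPABLE:
        return findings  # anonymous links cannot be created at all

    expiry = tenant.get("RequireAnonymousLinksExpireInDays", NO_EXPIRY)
    if expiry == NO_EXPIRY:
        findings.append(PostureFinding(
            "RequireAnonymousLinksExpireInDays", expiry, "high",
            "anonymous links never expire; require an expiration"))
    elif expiry > MAX_LINK_DAYS:
        findings.append(PostureFinding(
            "RequireAnonymousLinksExpireInDays", expiry, "medium",
            f"anonymous links live longer than {MAX_LINK_DAYS} days"))

    if tenant.get("DefaultSharingLinkType") == "AnonymousAccess":
        findings.append(PostureFinding(
            "DefaultSharingLinkType", "AnonymousAccess", "medium",
            "new shares default to anonymous links; prefer Direct"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT),
                      ("closed", CLOSED_TENANT)):
        for f in check_anonymous_sharing(cfg):
            print(f"[{name}] {f.severity}: {f.setting}={f.value} {f.message}")
```

The check deliberately returns nothing for a tenant with sharing disabled, even though its other switches look permissive: the roadmap-in-a-shared-folder scenario in the text only materializes when anonymous links can actually be minted, and a rule that ignores that precondition produces noise rather than findings.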
Together, ZTNA, DLP, CSPM, and RBI give an organization a 360-degree view of its security posture that addresses threats both from within and without.
While no protection is absolute, an integrated on-premises and cloud security platform is the best solution for a remote-access world.
Enhance security for your remote workforce. For more information, visit www.skyhighsecurity.com.