When applications and data were on premises, IT had controls that limited access to authenticated users signing in from enterprise-managed devices. Now that applications and data are moving to the cloud and enterprises are embracing BYOD programs, IT expects these same controls for cloud services.
The concern is that as users access corporate data in cloud services, they can easily download sensitive data to devices that do not have management software that enforces appropriate security controls (e.g. encryption and strong passwords). When one of these devices is stolen, enterprise data is put at risk. Identity management solutions partially address this issue by blocking access at login, but what happens when you want to enable access to services without enabling risky activity?
In an ideal world, you would enable cloud services that make employees productive from any device anywhere in the world while simultaneously limiting high-risk activity based on the context of the access (e.g. user, department, location, device management status) and action (e.g. preview, upload, download). Enter the cloud access security broker (CASB).
With a CASB, an enterprise can not only enforce coarse-level allow/block access to a cloud service, it can also apply fine-grained controls. For example, a company can create and enforce a policy that says employees accessing from unmanaged devices on remote networks are allowed to view data in Salesforce, but they cannot download reports to that device. There are several ways to approach this problem. Andy Oehler, Sr. Manager, Product Management, explains:
Hey there, I’m Andy Oehler with McAfee product management and I’m here today to talk to you about managed and unmanaged device detection and why that’s important. Traditionally, users have gotten to data and applications either through coming through the front door, or going through your corporate VPN, and we’ve gotten very comfortable with the sophistication and ability to control those types of accesses. Now users are bringing their own devices and your applications are in the cloud, and you’re wondering, can I apply the same level of control when users are going to the cloud to access apps and data.
The nightmare scenario is a user is on an unmanaged device accessing a cloud application in, say, Starbucks. They download a bunch of data to that device where you’ve got no encryption of data at rest. You’ve got no password control. Then they get up to go to the bathroom, they walk away for a few seconds or they turn their head and pick up their drink and their device is gone and all that data that had been downloaded is now compromised.
So how do you control access or limit access to only managed devices when the application is in the cloud? One approach you might take would be to deploy an agent to those endpoints. Beyond the difficulty involved in just scaling out a deployment like that, deploying agents to thousands of devices, agents are notoriously bad at not cooperating with other agents. They often conflict with antivirus agents or VPN clients and it’s not a very reliable approach to solving this problem.
As an alternative, McAfee delivers three agent-less approaches that you might consider to solving this problem. The first relies upon your Identity-as-a-Service (IDaaS) provider: the IDaaS provider passes an attribute in a SAML assertion saying this is a managed device or this is an unmanaged device.
Another alternative that we offer is GPU fingerprinting. It can ask users to go through a registration process, fingerprint their device and browser and then after registration, consider that a managed device. That’s useful for partners, partner devices, or where you can’t really apply the degree of MDM control that you might already be using.
A third approach, and one that we’re going to talk about today, is the use of certificates and doing a certificate check on those devices as a means to determine whether a device is managed or unmanaged. Let’s go through that flow. The first thing that we do is we use McAfee’s enterprise connector to build up a repository of known devices and to continue to add to that repository as you continue to add managed devices with your MDM or other management software. And then when a user goes to access an application, they’re first going to authenticate with the Identity-as-a-Service provider. After authentication, the IDaaS is going to redirect that access back through the McAfee proxy to access the cloud application and it’s at this point that we request a device certificate.
We take that certificate, we validate the certificate, ensuring that the signature is correct, and then we pick out certain components of that certificate and match it against what we’re expecting from your system of record. If that all matches, we can allow access and if it doesn’t match, we can block access or we can limit access. We can decide that, hey, this is an unmanaged device, I’m going to allow the user to maybe preview some content but not download to that device. That way, you can maximize the user’s productivity but still keep your risk under control.
So, we’ve talked about why you should be detecting managed and unmanaged devices, the options for device detection, and an example of an access control best practice. If you put this scenario in practice you’re going to get an agent-less approach that leverages your existing infrastructure and your existing investments and you’re going to be able to enable fine-grained control of access to cloud applications.
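The certificate check described in the flow above, as an added example that is not part of the original post or of McAfee's product: a Go stand-in for the proxy's decision, with a constructed registry in place of the enterprise connector's repository, an in-memory test CA, and the sample policy (unmanaged devices may preview but not download or upload). The names Registry, IsManaged, Decide and issue are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Registry stands in for the repository of known managed devices the connector builds from the MDM (constructed placeholder, not a product API).
type Registry struct {
	Roots   *x509.CertPool  // enterprise device CA(s) the proxy trusts
	Serials map[string]bool // serials of certificates issued to managed devices
}

// IsManaged applies the flow's two checks: the certificate must chain to a trusted enterprise CA
// (signature, validity, client-auth EKU), and the serial picked out of it must match the system of record.
func (r *Registry) IsManaged(cert *x509.Certificate) bool {
	if cert == nil {
		return false // no client certificate presented
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: r.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && r.Serials[cert.SerialNumber.String()]
}

// Decide enforces the example policy: managed devices get full access; unmanaged devices may only preview.
func Decide(r *Registry, cert *x509.Certificate, action string) string {
	if r.IsManaged(cert) || action == "preview" {
		return "allow"
	}
	return "block"
}

// issue mints a test certificate: a self-signed CA when parent is nil, otherwise a
// device certificate signed by parent. Errors are ignored for brevity.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Note that a certificate whose serial is on record but which was issued by an untrusted CA still fails the check, because the signature is validated before the serial is compared.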
Access control is just one element in an effective cloud security strategy. The nature of today’s evolving threat landscape requires a multi-faceted defense-in-depth approach that includes preventative measures such as encryption, access control, and data loss prevention, as well as the ability to detect threats and rapidly respond to them. To learn more about how enterprises are using Gartner’s cloud security framework to secure their data in the cloud, download The Definitive Guide to Cloud Security.