While cloud services deliver on promised savings and convenience, keeping everything secure remains a moving target for many organizations.
That’s because the enterprise perimeter has not only expanded, it has pushed the service edge to anywhere business takes you—or employees choose to go. Consequently, many organizations must uplevel how they protect cloud-based apps, data and services. Achieving success will be difficult with walled-garden style defenses found in legacy environments.
Gartner suggests a Continuous Adaptive Risk and Trust Assessment (CARTA) approach to securing the use of cloud applications, and it recommends a Secure Access Service Edge (SASE) framework to deliver connectivity and security for cloud applications.
A lot of SASE vendors have focused on the convergence of networking and security, but the key business goal of SASE is to protect applications and data in the cloud by building a pervasive edge that spans every manner of access to those applications and data.
McAfee’s MVISION Unified Cloud Edge (UCE) delivers this pervasive edge and enables organizations to apply consistent data protection and threat prevention policies across their entire estate, including users, devices, locations and applications. Under the covers, MVISION UCE is a convergence of Cloud Access Security Broker (CASB), next-gen Secure Web Gateway (SWG) and data loss protection (DLP) technologies delivered via a single global cloud fabric, with consistent policy and incident management. Each of the MVISION UCE components provides coverage over a distinct control point, and together they deliver the pervasive edge:
- McAfee CASB provides direct visibility and control over cloud-native interactions that are impossible to broker via a network/man-in-the-middle approach. This not only includes real time data and threat protection for data being stored/created in the cloud, it also includes on-demand scanning over existing data to identify both sensitive data and malware. The data objects could include files, messages and field data such as structured data objects in business applications like Salesforce.com, ServiceNow, Workday, etc.
- McAfee’s next-gen SWG establishes proxy-based visibility and control over web traffic with deep awareness of cloud activity and data interactions. This keeps users safe from accidental data loss or malware, and it delivers advanced threat protection against ransomware, phishing attempts and other advanced attacks by integrating Remote Browser Isolation (RBI), a recommended part of a SASE architecture, into the next-gen SWG.
- A common DLP engine that provides device-to-cloud visibility and control over sensitive data on personal or managed devices, data resident and transacted in the cloud and data transiting over the network. McAfee MVISION UCE shares data classifications with all enforcement points for device, network, and the cloud with a single incident management console and API.
The convergence of cloud-native SWG and CASB also enables use cases that extend network-delivered SASE controls with deep context of cloud applications in a single fabric. Many cloud-application-centric use cases that are critical in a post-COVID work-from-home scenario cannot be delivered by pure-play cloud SWGs, including:
- The ability to apply contextual access control to users connecting to sanctioned Cloud applications directly over the internet, without a VPN. MVISION UCE ensures a user with a corporate device has full access to Microsoft 365, whereas a user with an unmanaged device has read-only access, which can be delivered by an app-proxy or remote browser isolation.
- The ability to control unsanctioned cloud applications at different levels of granularity, including tenancy, activity and data. McAfee provides consistent policies that specifically identify and grant permissions to unsanctioned or personal services like OneDrive, where the cloud user can be blocked from syncing any data to personal OneDrive, or can be blocked from syncing only “classified or sensitive” data to personal OneDrive.
- The ability to protect against zero-day threats from the cloud in real time without any friction to the user experience. McAfee helps prevent end users from syncing or downloading malware delivered from a trusted cloud storage provider such as OneDrive, Google Drive or Dropbox.
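The three use cases above share one decision pattern: the edge evaluates device posture, the tenancy of the cloud service, the activity, the data classification and the scan verdict before deciding between full access, read-only access and a block. The following Python policy engine is an added illustration written for this post, not McAfee code or the MVISION UCE policy language; the event fields, the `AccessEvent`/`Policy` types, the `personal_sync` modes and the sample events are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    READ_ONLY = "read-only"  # enforced by an app-proxy or remote browser isolation
    BLOCK = "block"


@dataclass(frozen=True)
class AccessEvent:
    """One user-to-cloud interaction seen at the edge (constructed fields)."""
    user: str
    app: str                # service name, e.g. "microsoft365" or "onedrive"
    tenant: str             # "corporate" (sanctioned) or "personal" tenancy
    activity: str           # "read", "sync", "download" or "upload"
    device_managed: bool    # corporate-managed device vs. unmanaged/BYOD
    data_label: str = "public"       # classification shared by all enforcement points
    malware_verdict: str = "clean"   # hypothetical inline scan result


@dataclass(frozen=True)
class Policy:
    sanctioned: frozenset           # (app, tenant) pairs the organization sanctions
    sensitive_labels: frozenset     # labels treated as "classified or sensitive"
    personal_sync: str              # "block_all" or "block_sensitive"


WRITE_ACTIVITIES = {"sync", "download", "upload"}


def evaluate(event: AccessEvent, policy: Policy) -> tuple:
    """Return (Decision, reason) for one event. Rules are ordered most to least severe."""
    # Rule 1: zero-day threat control. A trusted storage provider does not make a
    # file trustworthy, so a non-clean verdict blocks sync/download of that object.
    if event.malware_verdict != "clean" and event.activity in {"sync", "download"}:
        return Decision.BLOCK, "malware delivered from cloud storage"

    # Rule 2: unsanctioned or personal tenancy, controlled at tenancy,
    # activity and data granularity (the two OneDrive modes from the post).
    if (event.app, event.tenant) not in policy.sanctioned:
        if event.activity == "sync":
            if policy.personal_sync == "block_all":
                return Decision.BLOCK, "sync to personal tenant"
            if event.data_label in policy.sensitive_labels:
                return Decision.BLOCK, "sensitive data sync to personal tenant"
        return Decision.ALLOW, "personal tenant, permitted activity"

    # Rule 3: sanctioned app reached directly over the internet, no VPN.
    # Device posture, not network location, decides the level of access.
    if event.device_managed:
        return Decision.ALLOW, "managed device, sanctioned app"
    if event.activity in WRITE_ACTIVITIES:
        return Decision.READ_ONLY, "unmanaged device limited to read-only"
    return Decision.ALLOW, "unmanaged device, read activity"


# Constructed policy: corporate Microsoft 365 and corporate OneDrive are
# sanctioned; personal OneDrive may only receive non-sensitive data.
POLICY = Policy(
    sanctioned=frozenset({("microsoft365", "corporate"), ("onedrive", "corporate")}),
    sensitive_labels=frozenset({"classified", "sensitive"}),
    personal_sync="block_sensitive",
)

# Constructed sample events covering the three use cases.
SAMPLE_EVENTS = [
    AccessEvent("alice", "microsoft365", "corporate", "upload", True),
    AccessEvent("bob", "microsoft365", "corporate", "upload", False),
    AccessEvent("carol", "onedrive", "personal", "sync", True, "classified"),
    AccessEvent("carol", "onedrive", "personal", "sync", True, "public"),
    AccessEvent("dave", "onedrive", "corporate", "download", True, "public", "malicious"),
]


def run_samples(policy: Policy = POLICY) -> list:
    """Evaluate every sample event and return [(user, activity, decision)]."""
    return [(e.user, e.activity, evaluate(e, policy)[0]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        decision, reason = evaluate(event, POLICY)
        print(f"{event.user:6} {event.app:13} {event.tenant:9} {event.activity:8} -> {decision.value:9} ({reason})")
```

Switching `personal_sync` to `"block_all"` turns the second Carol event into a block as well, which is the stricter of the two OneDrive policies the post describes. The ordering of the rules matters: the malware check runs first so that a corporate, managed-device download can never bypass it.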
In addition, most SASE vendors today focus on user-to-cloud security, otherwise known as front-door controls, but that is not sufficient. Data and threats also need to be controlled across side doors between clouds and back doors within the cloud. McAfee’s MVISION UCE delivers side- and back-door controls that are not offered by any other SASE
Connected Application Control
Enables your architecture to discover SaaS applications or home-grown applications connected to each other via API channels. It can then authorize these API connections based on policies, risk and the behavior of the connected application. For instance, a sales VP might connect Clari, a sales forecasting mobile application, to the corporate Salesforce.com instance and pull all of the Salesforce.com data into Clari. The SASE architecture needs to be able to discover all such app-to-app connections and enforce granular policies around what scope of access should be allowed.
SaaS Cloud Security Posture Management (CSPM)
Allows your SASE architecture to assess and manage the security posture of your SaaS provider’s control and management planes. Microsoft 365 alone has more than 200 individual configuration settings that need to be evaluated for an appropriate security posture. One example is the default sharing permission on SharePoint, which makes shared links available to anyone in the world and never expires.
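A SaaS posture check is, at its core, a set of rules evaluated against a tenant’s configuration, producing findings that a security team can triage. The Python below is an added example written for this post, not McAfee code or the MVISION UCE CSPM engine; the setting keys are constructed for the example and only loosely modeled on SharePoint Online tenant sharing settings, and the two tenant snapshots are made up to show the permissive default described above beside a hardened configuration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    passed: bool
    detail: str


# Constructed setting keys (assumption: a real CSPM would read these via the
# provider's admin API; the names here are illustrative, not the vendor's).
def check_anyone_sharing(s: Dict) -> Finding:
    """Anonymous 'anyone' sharing exposes content to the whole internet."""
    cap = s.get("sharing_capability")
    return Finding("SPO-01", "high", cap != "Anyone", f"sharing_capability={cap}")


def check_default_link_type(s: Dict) -> Finding:
    """The default link a user gets should not be an anyone-with-the-link link."""
    link = s.get("default_sharing_link_type")
    return Finding("SPO-02", "high", link != "AnyoneWithTheLink",
                   f"default_sharing_link_type={link}")


def check_link_expiration(s: Dict) -> Finding:
    """If anyone links are permitted, they must expire within 30 days (0 = never)."""
    if s.get("sharing_capability") != "Anyone":
        return Finding("SPO-03", "medium", True, "not applicable: anyone links disabled")
    days = int(s.get("anyone_link_expire_days", 0))
    return Finding("SPO-03", "medium", 0 < days <= 30, f"anyone_link_expire_days={days}")


def check_default_permission(s: Dict) -> Finding:
    """New sharing links should default to view, not edit."""
    perm = s.get("default_link_permission")
    return Finding("SPO-04", "medium", perm == "View", f"default_link_permission={perm}")


CHECKS: List[Callable[[Dict], Finding]] = [
    check_anyone_sharing,
    check_default_link_type,
    check_link_expiration,
    check_default_permission,
]


def assess(settings: Dict) -> List[Finding]:
    """Run every check against one tenant configuration snapshot."""
    return [check(settings) for check in CHECKS]


def failed_ids(settings: Dict) -> List[str]:
    """Identifiers of failed checks, in check order, for easy triage."""
    return [f.check_id for f in assess(settings) if not f.passed]


# Constructed snapshot mirroring the permissive default the post describes:
# links work for anyone in the world and never expire.
PERMISSIVE_TENANT = {
    "sharing_capability": "Anyone",
    "default_sharing_link_type": "AnyoneWithTheLink",
    "anyone_link_expire_days": 0,
    "default_link_permission": "Edit",
}

# Constructed hardened snapshot: external sharing only to authenticated
# guests, internal default links, view-only by default.
HARDENED_TENANT = {
    "sharing_capability": "ExternalUserSharingOnly",
    "default_sharing_link_type": "Internal",
    "anyone_link_expire_days": 0,
    "default_link_permission": "View",
}


if __name__ == "__main__":
    for name, tenant in (("permissive", PERMISSIVE_TENANT), ("hardened", HARDENED_TENANT)):
        print(f"== {name} ==")
        for finding in assess(tenant):
            status = "PASS" if finding.passed else "FAIL"
            print(f"{status} {finding.check_id} [{finding.severity}] {finding.detail}")
```

The expiration check deliberately reports "not applicable" rather than a failure when anyone links are disabled, so that a tenant that removed the risk entirely is not penalised for an unused setting; that is the kind of dependency between settings that makes evaluating 200-plus Microsoft 365 options by hand error-prone.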
Sharing and Collaboration Control
Enables your architecture to control the transaction flow of sensitive data being shared inappropriately between users within the organization or across organizations via popular collaboration platforms such as Microsoft OneDrive, Microsoft Teams, Slack, Zoom, etc. For example, McAfee helps ensure sensitive data is not posted to external (guest) users in Microsoft Teams.
Long promised, cloud transformation is catching on at a time when enterprises increasingly rely upon cloud services to support their expanding digital activities. It can support large parts of the workforce who are working remotely and from home. Data and threat controls must work in real time as data moves to and from cloud applications. Accordingly, organizations need a cloud-native security architecture that is frictionless and ensures cloud applications function without latency or application breakage, with security delivered in real time. This real-time capability is not just necessary for network controls delivered by the SWG service; it is equally essential for cloud-native controls delivered via API and email gateways. Gartner describes the use of Points of Presence (POPs) for global distribution and scale in SASE architectures. Most vendors offering SASE describe their footprint in terms of their network POPs. McAfee MVISION UCE has more than 50 globally distributed network POPs, but it also has similar scale and capacity for API and email POPs to ensure pervasive real-time control.
By our estimate, load increases on cloud security services in the last three months have soared by between 200% and 700%. While this surge has caused many other SASE providers to buckle, McAfee has logged an amazing 99.999% uptime! This is largely driven by our cloud-native architecture, which does not rely on racking and stacking network appliances in public cloud, or purely on colocation POPs that might have longer lead times to build out and support burst capacity. McAfee MVISION UCE is not only built in a cloud-native (i.e. software-defined) manner and deployed in POPs around the world, it also has the ability to leverage public cloud providers such as AWS, Azure and GCP for burst POP capacity in order to deliver surge capacity without delay.
MVISION UCE, with its focus on protecting data and preventing threats in the cloud, along with its approach to both network-based and cloud-native controls, marks a key milestone on the path to implementing Gartner’s SASE framework.