Cloud Security “Gotcha” Items
Author: Joe Spoon | Senior Network Engineer, Network Operations
CASB (cloud access security broker) providers like Zscaler are taking over the security industry because of their diverse deployment methods and endpoint integration. When migrating to these types of services, what are some of the “gotcha” items that you, your IT person, or your vendor might not have considered, and that could play a key role in how seamless the move to the security cloud is for you and your company? This article will tackle that very question.
A major item that is often overlooked when migrating to any new security platform, including a CASB platform, is how the new platform will properly evaluate and filter secure web traffic (HTTPS).
Next-generation firewalls issue their own SSL certificates, which must be installed on all endpoints that will use that on-premise or cloud firewall for connectivity out to the internet. This certificate acts as a man-in-the-middle agent: the on-premise or cloud firewall decrypts the SSL traffic, inspects it, and then re-encrypts it for its destination. Having this unpacking/repacking capability allows the firewall or service to look inside the web traffic and block not only on source/destination IP or URL but also on services within that source/destination URL. An example of a “Cloud Application” type of block is the ability to block posting on Facebook while allowing all other Facebook-related traffic. Another use case is blocking upload capabilities for YouTube while allowing view access for company training.
Make sure, before you select an on-premise firewall or cloud access security broker, that you fully understand how you would distribute this SSL certificate within your environment and how SSL traffic is handled within the policies of the device or service you will be using. Below are a few links that describe how to manually or automatically push these certificates out via group policy.
Pushing through Microsoft Group Policy: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
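Once the certificate is pushed out, the practical check is whether a given site's certificate is actually being issued by the inspection CA. The script below is an added example (not from the original article or from any vendor) that classifies a certificate in the dict shape Python's ssl module returns; the CA name "Example Inspection Root CA" and the sample certificates are constructed placeholders.

```python
import socket
import ssl

# Constructed placeholder for this example: the organizationName on the
# inspection CA certificate that your firewall or CASB issues site certs from.
INSPECTION_CA_ORGS = {"Example Inspection Root CA"}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify(cert):
    """'inspected' if the site cert was minted by the inspection CA, else 'direct'."""
    return "inspected" if issuer_org(cert) in INSPECTION_CA_ORGS else "direct"


def check_host(hostname, port=443, timeout=5.0):
    """Live check (needs network). A verification failure means the endpoint
    does not trust the issuer, i.e. the inspection CA was never distributed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted-issuer"


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Inspection Root CA"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "bank.example.net"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Public CA Inc"),)),
}

if __name__ == "__main__":
    # A 'direct' result on a site you expect to be inspected usually means an
    # SSL-inspection bypass rule (or certificate pinning) applies to that host.
    for name, cert in (("www.example.com", SAMPLE_INSPECTED),
                       ("bank.example.net", SAMPLE_DIRECT)):
        print(name, classify(cert))
```

Running check_host against a handful of internal and public sites from a freshly imaged endpoint shows whether the Group Policy push worked before users start reporting certificate warnings.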
Selection of Your Onboard Platform
At BullsEye Telecom, we mainly use VMware SD-WAN devices to onboard traffic into the Zscaler CASB using what VMware refers to as Cloud Security Services. At its core, a Cloud Security Service is just an easily implemented VPN tunnel between the VMware SD-WAN edge and the Zscaler cloud.
Before selecting the on-premise or cloud security platform you want to migrate to, it’s important to understand how you will be “onboarding” your traffic into that solution. Maybe a VMware SD-WAN solution sounds like a great fit because you get multilink WAN optimization on top of the cloud security offered by Zscaler. Your implementation model may be different. Zscaler, for example, allows its client to be installed on multiple types of endpoints, including Windows PCs, macOS, iOS, and Android. The Zscaler application installed on these endpoints applies the policies configured in the cloud portal for those device types before routing traffic out to the destination server. This type of cloud security service implementation gives flexibility: the device can be carried anywhere from the office to the employee’s home and retains the same policies the whole time.
Knowing what services to purchase
Another potential pain point in selecting an appropriate Cloud Access Security Broker is working through the vendor-specific jargon to get to the base of what each offered service does. I’ve listed below the main next-generation security services offered in most next-generation firewall products and generally what they do:
URL Filtering – This looks at the URL string (www.espn.com) and, based on the contents of that string, blocks or allows the traffic. Most security vendors also have URL Categories, where they package these URL strings into comparable groups so an entire group can be allowed or blocked. For example, if you block the Streaming Services category, you will block www.youtube.com alongside www.netflix.com and many others without selecting each one independently.
Cloud Application – Think of a cloud application as a service you use that is hosted on the internet. A few examples are YouTube, Facebook, and Twitter. As with URL filtering, most security vendors also package Cloud Applications into groups for ease of policy implementation. For example, Facebook and Twitter would be part of the “Social Networking” category, whereas YouTube would be part of the “Streaming” category.
Malware Protection – Malware protection is exactly what it sounds like. It watches traffic for known files that contain trojans or other forms of malware, based on application signatures or file/site reputation. If the service has never seen a file’s signature before and you have subscribed to a Sandbox type of service, it will send the file to the Sandbox for evaluation.
Sandbox – Sandboxing is the act of sending unknown files to a controlled environment outside of your local PC to be executed and checked for malware, viruses, or other issues. Sandboxing can generally be set up based on file types, like EXE or PDF files.
ATP (Advanced Threat Protection) – ATP refers to watching for traffic or conditions that match phishing, command-and-control traffic, BitTorrent, Tor, ActiveX vulnerabilities, and many other things. This layer of the security fabric is normally layered on top of the other filter points mentioned above to ensure that if there is a threat in the traffic flowing back and forth, it is caught.
DLP (Data Loss Protection) – DLP is a feature that looks for certain patterns in the content of files to ensure sensitive data, like files containing HIPAA or PCI data, is not inadvertently or purposefully uploaded to a remote web or FTP server.
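To make the layering concrete, here is an added example (not the article's or any vendor's code) of a miniature policy engine that applies URL categories, cloud-application actions, and a DLP check in that order. The category and application tables, the host names, and the card-number test strings are constructed for the example; real products ship their own databases.

```python
import re

# Constructed sample policy data for this example; real vendors ship their own
# category and application databases.
URL_CATEGORIES = {
    "www.youtube.com": "Streaming Services",
    "www.netflix.com": "Streaming Services",
    "www.facebook.com": "Social Networking",
    "twitter.com": "Social Networking",
    "www.espn.com": "Sports",
}
BLOCKED_CATEGORIES = {"Sports"}
APP_BY_HOST = {"www.facebook.com": "Facebook", "www.youtube.com": "YouTube"}
# Cloud-application rules: (application, action) -> verdict; unlisted = allow.
APP_RULES = {("Facebook", "post"): "block", ("YouTube", "upload"): "block"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum, which separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dlp_hit(body):
    """True if the upload body contains a Luhn-valid 13-16 digit card number."""
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False


def evaluate(host, action="browse", body=""):
    """Apply the layers in order: URL category, cloud application, then DLP."""
    category = URL_CATEGORIES.get(host, "Uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "block", f"URL category {category}"
    app = APP_BY_HOST.get(host)
    if APP_RULES.get((app, action)) == "block":
        return "block", f"cloud application {app} action {action}"
    if action == "upload" and dlp_hit(body):
        return "block", "DLP: PCI card number in upload"
    return "allow", f"{category}/{app or 'no app'}/{action}"
```

The reason string returned with each verdict is the kind of detail the reporting discussed below needs to expose, since "blocked by category" and "blocked by DLP" are troubleshot very differently.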
Lastly, and probably most importantly, before choosing a cloud security vendor to migrate to, you will want to ensure that you have full visibility into the traffic you are sending through the platform. Reporting should produce reports that anyone from the CEO of the company to the IT administrator managing the policies can look at and get value from. Reporting should also arm you with the tools you need to troubleshoot website block issues should they arise.
In conclusion, we discussed some of the main “gotcha items” when it comes to evaluating, selecting, and implementing a cloud security vendor. These items include:
- Your Onboarding Platform(s)
- What features/services you need