Dissolving the Perimeter and Extending Security to the Cloud Edge 16 May 2017


• Audio is streamed over your computer

• Dial in numbers and codes are on the left

To receive your CPE credit:

1. Complete 3 checkpoints

- or -

2. Watch the recorded version from the beginning to the very end

• Don’t forget to take the survey!

Use the Papers tab to find the following:

• PDF Copy of today’s presentation

• CPE job aid

• Have a question for the speaker? Access the Q&A tab

• Technical issues? Access the Help tab

• Questions or suggestions? Visit https://support.isaca.org

Michael Schneider, CISSP, CCSK
Product Management Lead
Web Protection Solutions
McAfee

Thomas Bryant
Technical Director
McAfee

AGENDA

• The legacy approach

• Y2K and beyond

• Changes through cloud adoption

• Cloud as a security advantage

• Conclusion


The legacy approach

The early days of ‘cloud’ security

Software based ’security’

• SQUID

• IPChains/IPTables

• AV Scanners on Systems

• Regular expression based blocks
  • *s?x*

No real data/content protection

• Cloud was not a problem

• Static Security as data was static
  • Data stored and processed mostly inside the local network
  • Floppies as ‘transfer’ medium


Y2K and beyond

Cloud adoption rises

• Data moved to remote locations
  • Co-Locations
  • Needs additional defenses and protections

• Web becomes a business vehicle

• 1st integrated security products – so called CSM or SCM gateways
  • CSM = Content Security Management
  • SCM = Secure Content Management
  • Integrates managed URL Filter with AV and other security filters

Practical Internet Security, John R. Vacca, Springer Science & Business Media, 10.01.2007, ISBN 0387298444, 9780387298443, Page 450

The rise of the appliances

• Software-based technology proved problematic because it could not combine the strength of hardware with optimized software

• First firewall and web gateway appliances

• Hardware assisted SSL Scanning as standard to secure the “unreadable”

Into the cloud

• Cloud computing enables cost savings to companies

• Outsourced data bases

• Outsourced applications and services
  • Salesforce CRM as pioneer
  • AMAZON EC2
  • Google G-suite
  • Microsoft Office 365
  • Countless others…

• Shift in security mandated

• The perimeter is pushed into the cloud


Changes through cloud adoption

Drivers for cloud adoption

Lower TCO

• Removes the cost of hardware appliances

• No more resources used maintaining hw

• Removes entire process of patching and upgrading sw – you are always on the latest version

Global Access

• Globally distributed datacenter locations

• Local web content per country

• Able to connect safely anywhere

Higher performance

• High availability with elastic capacity

• Immediate failover to closest, fastest point of presence

• Peering with internet exchanges can outperform direct connection

Impact on Web Security

URL Filtering not enough anymore

• Must control cloud applications in a more granular way

• Application functionality can be used in web access and security policy

• Web Application Control is born

New questions?

• How to protect data in an app that I have limited control over?

• How to secure data in motion in conjunction with DLP technology?

• How to safely store data in remote locations without owning the service?

• How do I secure web and cloud activity outside of the network perimeter?

The dilemma

[Figure: axes “Distance from Origin” and “Difficulty to protect”]

Today’s major cloud risks

• THREAT PROTECTION: URL filtering and AV aren’t enough

• CLOUD DATA AT RISK: Visibility into app use and data is limited

• PROTECTION EVERYWHERE: What about devices off-network?


Cloud as a security advantage

Moving security to the cloud edge

Gateways as a service

• Cloud-delivered Internet Access and Security solutions

• Used as standalone or together with Appliances as Hybrid

CASB/Gateway/Endpoint Integration

• CASB controls access to cloud apps

• Enforces policies via API connection to cloud apps

• Applies security features to data at rest, such as encryption, DLP

• Full data lifecycle is covered when connected to endpoint and web gateway

Policy enforcement points

• Data in motion over proxy

• Data at rest over API

• Data in use at endpoint

Common management

• CASB and cloud-delivered gateway live on the same platform = same management and reporting

• SOC integration

Applying security as a cloud platform

[Figure labels: Cloud Management Framework; Endpoint base; Critical partners, applications and services (amongst others)]

Visibility and control are critical

Challenge: Little visibility into risk and threat sources

Desired Outcome: Quickly identify risks and respond to threats

Understanding Data Exfiltration

Who wants the data?

• 57% External actors

• 43% Internal actors

How are thieves getting data out?

• 60% Electronic means

• 40% Physical means

Where is data being taken from?

• 2/3 of breaches occur on traditional networks

• 1/3 occur in cloud infrastructures

Focusing on Data Protection

Endpoint Data Protection

• PCs

• Macs

• Mobile devices

• Removable media

Network Data Protection

• File shares

• Databases

• Enforcement at egress points (web & email gateways)

Web Protection

• Visibility into Shadow IT

• Enforce cloud application control

• SSL Decryption

• AntiMalware

Cloud Data Protection

• Data stored in cloud-based applications

• Discover and remediate data in cloud storage

• Scan data uploaded and downloaded to the cloud

Addressing Compliance

Challenge: Keeping up with regulatory compliance and enabling privacy

Desired Outcome: Help meet compliance needs; pass audits with ease, and filter when appropriate

Utilizing knowledge of endpoint status

Each user is trying to get an encrypted file from their corporate cloud application

[Figure: users George, Tom, Dave, Cindy and Ben, with the following outcomes]

• Able to decrypt and store locally because AV is running.

• No access, because of no, or nonstandard, AV running.

• Able to decrypt and store locally because drive encryption is running.

• Able to decrypt and store locally because endpoint DLP is running.

• Gateway+CASB+Sandbox

• Able to decrypt and store locally because gateway is inspecting the content and checking policies dynamically as it downloads.

Anchoring at the endpoint

[Figure labels: On-network; Off-network; Proxy SW]

Inefficient extended edge

• Main Office: Appliance (vm/hw)

• Remote Office: Appliance (vm/hw)

• Remote Office: MPLS Circuit

• Mobile User: VPN Tunnel

MPLS/VPN backhaul: all traffic

Cost-efficient cloud edge

• Main Office: Appliance (vm/hw) or cloud

• Remote Office: Appliance (vm/hw) or cloud

• Remote Office: MPLS+Cloud

• Mobile User: VPN+Cloud

MPLS/VPN backhaul: internal traffic only

Transition through hybrid cloud

[Figure labels: Threat Defense | Visibility | Data Protection; Globally distributed, multi-tenant, SLA-driven Security Cloud; Corp Boundary; On Prem; End Users; Endpoints; On-prem defense; Central visibility, understanding, and control; Remote device defense]


Takeaways

• Basic traffic inspection isn’t enough – cloud has evolved requirements beyond URL filtering

• Threat, data, and ubiquitous protection are core to evolving with cloud

• Use a security cloud to your advantage
  • Protect your data in the cloud, and everywhere else
  • Manage security efficiently
  • Extend protection to off-network users
  • Gain network cost-efficiencies

• Transition is likely best handled through a hybrid rollout

Learn more

• Start your security cloud build-out with secure web gateway technology as a foundation

• Visit https://www.mcafee.com/us/products/web-gateway-cloud-service.aspx for more information on McAfee Web Gateway Cloud Service and complementary cloud-delivered security solutions


Questions?

THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).


THANK YOU FOR ATTENDING THIS WEBINAR

For more information, visit www.ISACA.org