“Should I Switch to FWaaS?”

Moving to the Cloud: The SASE Puzzle Part 6

A firewall is commonly known for monitoring incoming and outgoing network traffic, acting as a barrier to prevent unauthorized access. Previously, firewalls could be either hardware or software, but various forms of cloud adoption have forced firewalls to adapt to organizational change. Just think about how significantly your organization’s security has changed in the last three years (or in the case of 2020, less than three months). With every turn of events, your security must change as well. Enter firewall as a service (FWaaS), a critical component of SASE. FWaaS brings your firewall up to speed with the trending cloud environment. 

What is FWaaS?

FWaaS is a cloud firewall that is available anywhere (another term that may be used is Cloud Firewall Service, or CFS). The goal of this type of firewall is not only to eliminate the need for a physical appliance, but also to simplify your security environment and streamline company policies across in-office, remote, and hybrid workers. Gartner analyst Jeremy D'Hoinne defines FWaaS as “a firewall delivered as a cloud-based service or hybrid solution (that is, cloud plus on-premises appliances). The promise of FWaaS is to provide a simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure.” 

Despite its simplicity, a cloud firewall still delivers next-generation firewall (NGFW) capabilities including URL filtering, advanced threat protection, intrusion prevention systems (IPS) and DNS security. The key advantage of this type of system is its scalability and versatility, being available anywhere while still enforcing unified policies across an organization.  

FWaaS vs. NGFW

Before FWaaS, the NGFW was the evolution of the traditional firewall, expanding past its traditional capabilities and roles. NGFW offerings had been adding features before the larger migration to the cloud, and the abilities they provide are also needs that FWaaS may be expected to fulfill. The traditional roles of a firewall, including packet filtering, stateful inspection, and VPN awareness, are all supported in an NGFW; it also adds application awareness and control, intrusion protection, threat intelligence and information feed support, DNS security, and new techniques for evolving security threats. 

While both FWaaS and NGFW are replacing the image of a typical firewall, an NGFW is a firewall with advanced features, while FWaaS is a cloud-delivered firewall. Even though the two are often compared, NGFW is about what the capabilities of the firewall are, while FWaaS is about where the firewall is deployed; therefore, there can be a lot of overlap between the two. FWaaS can have NGFW capabilities, and an NGFW can also be hosted in the cloud. It’s not just one or the other. 

It can be broken down like this:

FWaaS vs. NGFW

The key difference between FWaaS and NGFW is that FWaaS may be hosted by the vendor, in which case the vendor is responsible for configuring, maintaining, and updating the OS and the options provided to the customer. If a customer runs an NGFW in the cloud, they are responsible for the configuration, maintenance, and updating of that software. 

FWaaS is Different from your IaaS/PaaS

Virtual firewalls for Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are firewalls in the cloud designed to protect your cloud infrastructure, but not specifically your remote users or network perimeter. 

With IaaS/PaaS, your organization is “renting” the infrastructure from the service provider you have selected, and you create, provision, and manage your own virtual servers. You can use these servers for storage, applications, and more. In this environment, you need to protect these hosted offerings from malicious traffic or attacks, in addition to protecting them from other servers or insiders attempting to take control of a cloud-hosted server.

It is important to mention that virtual firewalls may also be used in your data center, not just in the cloud. Just as we discussed with building your own servers, most vendors provide a product with a license option for IaaS/PaaS, which may or may not contain the same functions and features as the on-premise NGFW offering. This allows you to host that NGFW either as a pre-provided virtual machine or on an existing virtual machine. Do not be misled: the virtualized firewall has plenty of functions and features if you want to protect a group of servers or a specific server with micro-segmentation, but the configuration of those rules or policies relies on your team. Even if basic IaaS or PaaS firewall offerings are allocated by the service provider you have selected, it is in your best interest to install and manage your own firewall to protect your hosted applications and the servers they reside on. 

When is FWaaS Right for your Organization?

Let’s face it, for many companies, hardware firewalls are difficult to maintain from both a budgetary and an operational standpoint. FWaaS gives all employees access to the same set of resources on several types of devices; hence, scalability is easier no matter the size of your organization. Questions to ask:  

    1. Do you find that you must hairpin your remote user traffic back to a branch or primary office to provide the security you need? 
    2. Where does the majority of your user access sit – in private/public cloud services, or served from an internally hosted server? 
    3. Do you want to reduce your management footprint and allow for improved scalability with a unified security policy? 
    4. Is your firewall intended more for on-premise users and less for your shift to remote support users? 
    5. Does your current firewall need to offer local and cloud integration for complete network visibility? 
    6. Are you looking for a cloud provider who can offer protection against Distributed Denial of Service (DDoS)? (A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network.) 
    7. Do you require control over versioning and updates to your firewall software as to test updates before they are released to production?

Connecting FWaaS to SASE and Cloud-Based Security

As a critical aspect of the SASE architecture, FWaaS brings together the protection of an on-premise solution while still being flexible enough to fit the modern workplace. For many companies, that means moving away from traditional, in-house options. The network edge has changed, so FWaaS provides the flexibility and scalability that can’t be achieved with an appliance-based firewall. The best fit may be determined by checking whether your current vendor has FWaaS offerings and evaluating whether the offering meets your cloud needs. FWaaS helps by providing the migration to the new network edge of your organization, the cloud, and by integrating with the other components to complete a full SASE posture of connectivity. 

FWaaS is also important to organizations working to meet the upcoming drive toward the Gartner SSE quadrant, which includes FWaaS and Software-Defined Wide Area Network (SD-WAN). Including SD-WAN allows you to restructure your network security to meet the changing needs of your enterprise and users. SD-WAN benefits from being deployed in conjunction with FWaaS by receiving the integrated security that FWaaS offers. The combination of these two products allows a company to improve the performance and usability of its corporate WAN. 

Implementing SASE correctly secures your workforce, no matter where they are. Choosing to partner with Braxton-Grant means we can become an extension of your team, work toward your goals, and be a trusted resource with deep experience that you can leverage.  

8 Ways to Identify Phishing Attempts – Updated for 2021


What is Phishing?

Gone phishing? Cybercriminals sure have, but it’s not just catch and release anymore. At its core, phishing is a cybercrime that uses electronic communication to take advantage of users. Attackers attempt to gain sensitive or confidential information, such as usernames and passwords, credit card information, and more by posing as legitimate organizations or individuals. They use social engineering to manipulate victims into clicking on malicious links and entering information. 

Phishing was the most prevalent cybercrime in 2020, according to the FBI. Reported incidents nearly doubled from 2019 to 2020, with 114,702 in 2019 and 241,324 incidents in 2020. Email is still the top way phishing tactics are delivered, with 96% arriving in an inbox; however, there are other tactics outside of email that are being used every day. We’ve broken down these differences below:


Why is email such an easy target? While most people know how to send and receive emails, the same cannot be said about the understanding of how emails are sent or received.  The simplicity of modern email interfaces lulls users into a false sense of security; however, a potent combination of human error and malicious agents can make emails one of the most dangerous threats to an organization’s security.

As with all security practices, it starts with training employees to understand and identify suspicious emails. Alongside this training, organizations need to have the right tools to fight against this data theft, including anti-virus filters, email filtering, email encryption, and more. 

Types of email phishing can be broken down into the following categories:

  1. Spear phishing: These attacks will not look random. Attackers will gather information about the victim to make the email feel more authentic. 
  2. Clone Phishing: Attackers will make almost identical copies of previously delivered email messages and change an attachment or link to something malicious. 
  3. Whaling: These specifically target high profile and/or senior executives at organizations, presenting themselves as legal communications or other executive business matters. 

Other Forms of Phishing

While most phishing attempts do occur over email, it is still common to receive material in other ways. A telephone attempt is also known as vishing. When a message is sent over text message, it is called smishing. 

Phishing in a Pandemic

By now it’s old news that COVID-19 changed how organizations operate and share information, and phishing is no exception. Of the consumer complaints about stimulus payments to the Federal Trade Commission (FTC), 72% were related to fraud or identity theft. Additionally, the three primary objectives of COVID-19 related phishing emails were identified as fraudulent donations to fake charities, credential harvesting, and malware delivery. Although these may be the primary objectives seen in phishing emails, the traditional methods of attempting to phish employees remain consistent.

One note: the increase in phishing during the pandemic may be skewed by the increase in remote users, since those users may not be protected by the same security tools they used to be. 

As we move toward the holiday season, the volume of these trending emails will surge, encouraging users to click using some of the traditional influencing tactics. With businesses across industries suffering supply chain delays, scarcity will be leveraged to drive email responses or secure deals.

8 Ways to Identify Phishing Attempts

  1. Requests for Sensitive Information – A legitimate organization will never ask you to enter any information that is sensitive by following a link. You will usually be asked to go to the official website or app to enter your credentials and any other information that is required. 
  2. Generic Salutations – Most hackers will greet you with a “Dear Valued Customer” or “Dear Account Holder.” Sometimes, the message will not even include a greeting. Genuine organizations will use your name. 
  3. Check the Domain – Don’t just check the name of the sender. Check the email address attached by hovering over the ‘from’ address. If you see any changes from what you were expecting, like numbers or letters added, this might be a phishing attempt. 
  4. Bad Grammar – Legitimate organizations will send emails that are professionally written, with no spelling errors or bad syntax. Hackers believe their prey are less observant and easier targets, so their messages tend to have spelling errors and grammatical mistakes.  
  5. Forcing you on to a Site – If in doubt, don’t open the email. Many times, emails can be coded entirely as a hyperlink so any accidental click anywhere in the email can lead you to a malicious site or start a spam download on your computer.  
  6. Unsolicited Attachments – Authentic organizations will seldom send you attachments. They will usually direct you to their website to download what you need from there.  
  7. Hyperlinks – Always hover over any links in the email, because a link may not be all it appears to be. When you hover over the link, it will show you the actual URL it will direct you to.  
  8. Sense of Urgency – One of a hacker’s favorite methods to hook a victim is asking them to act fast, often by offering a one-time deal for a limited time. Other times they will pretend to inform you that your account has been compromised. It is usually best to ignore these communications. 

Here's an example...

Phishing Email

(Note – we have removed the domain information for the domain we tested here, so as not to advertise which services we use for which of our testing email domains. This email was sent to a testing domain hosted at O365.) 

This was an email we recently received at one of our email domains. Here’s how we know this is a phishing attempt:

    1. Yellow Headers: Added headers from our email provider, letting the receiver know it did not originate from our domain. If your provider offers this capability, it is a great tool that can benefit your team’s awareness of where an email is coming from. 
    2. “To” and “From” Visibility: We see that the “To” and “From” addresses are not domains that anyone should expect to see in a password alert. This email is hoping that the user feels enough urgency to click the “Keep your Password Now” link and ignore the rest of these details. 
    3. The onmicrosoft[.]com message at the bottom looks out of place and is likely not an email that you would receive for a password reset notification from Microsoft. 

When we went to “View Message Details” on this specific email, here is what stood out:  

    • Received: from 365days[.]one – marked by some web-filtering vendors as a placeholder category. 

    • X-Originating-Ip / Received-SPF: pass (domain of mail110.suw91.mcdlv[.]net designates 198.X.X.X as permitted sender) – the IP address of the system that sent the email; use it to identify the owner of the IP address, leveraging sites like ARIN Whois/RDAP. 

Buried in the headers we found:  

    • X-Mailer: MailChimp Mailer – **CIDEXAMPLE** 
    • X-Campaign: mailchimp CIDEXAMPLE 
    • X-campaignid: mailchimp CIDEXAMPLE 
    • X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=CIDEXAMPLE&id=CIDEXAMPLE 

Since using services such as MailChimp for this kind of activity is not new, MailChimp provides a website, reachable through the abuse link above, to report it (we removed all indicators from the campaign id above, but this is an example).   

While this specific email did originate from MailChimp, it was forwarded by another email service provider before reaching our test email domain. In this example, we found that our abuse report to MailChimp returned a quick response. 

Lessons Learned:  

    • Mismatched sender addresses? This may not always be an indicator of malicious intent, but helpful to review. 
    • Email Travel Path? As email traverses multiple email servers, a record of those servers is stored in the email headers. Headers can be modified by email servers, so they should not be considered entirely trustworthy. This is where checking whether DKIM and SPF are enabled will show results such as “failed verification.” 
    • Email client specified? Most of us use a client to send our email and do not connect directly, but as with the email travel path, the email client header can also be altered or spoofed. 
    • Received an email with an attachment? Call the person directly if possible, or craft a new email to them (not using the reply button) and ask about the attachment.  
    • Received an email with a link? If it’s a system you normally use, don’t click the link; use a trusted process that doesn’t involve clicking it. For example, if you use Gmail and received a Gmail expired-password email: open a new browser, type in the domain yourself, log in, and verify the password works. While you are logged in, check your Google Security settings to see if any strange systems or IP addresses connected to the account recently that would explain receiving such an email. That’s just one example, but if you use a portal to access corporate tools, use that web portal’s widgets to reach the site (via LastPass, Okta, PingIdentity, or OneLogin, to name a few).  
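The header checks in the Lessons Learned above (sender mismatch, travel path, SPF/DKIM, mailer header, and the visible link text versus its real target) can be scripted for triage. The following is an added example written for this page, not code from the original post; it uses only the Python standard library, and the message it parses is constructed for illustration (the hostnames are placeholders, `CIDEXAMPLE` stands in for a campaign id, and 192.0.2.0/24 is an address range reserved for documentation).

```python
# Added example (not from the original post): triage a raw message the way the
# Lessons Learned above describe. Standard library only; the message is constructed.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. Hostnames are placeholders; 192.0.2.0/24 is reserved for documentation.
RAW_MESSAGE = b"""From: "IT Service Desk" <alerts@example-corp.test>
Reply-To: support@example-marketing.test
To: user@example-corp.test
Subject: Your password expires today
Received: from relay.example-forwarder.test ([192.0.2.20]) by mx.example-corp.test; Mon, 1 Nov 2021 10:02:11 +0000
Received: from mail110.example-bulk.test ([192.0.2.10]) by relay.example-forwarder.test; Mon, 1 Nov 2021 10:01:58 +0000
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=example-bulk.test; dkim=fail header.d=example-corp.test
X-Mailer: ExampleBulk Mailer - CIDEXAMPLE
X-Campaign: examplebulk CIDEXAMPLE
Content-Type: text/html; charset=utf-8

<html><body><p>Click <a href="http://login.example-corp.test.365days-example.test/reset">
https://login.example-corp.test/reset</a> to keep your password now.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so we can compare what the user sees with where the link goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of_address(addr):
    """Domain part of an address such as 'Name <user@host>'; empty string if there is none."""
    match = re.search(r"@([\w.-]+)", addr or "")
    return match.group(1).lower() if match else ""


def _host_of(text):
    """Hostname of a URL; text without a scheme is treated as a bare URL."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def triage_headers(raw):
    """Extract the details the article says to look at and return them as a dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each hop prepends its own Received header, so the top one is the last server touched.
    # Reverse them to read the travel path in chronological order, origin first.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)", value)
        hops.append(m.group(1) if m else value.split(";")[0])
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)", auth)
    dkim = re.search(r"dkim=(\w+)", auth)
    from_domain = _domain_of_address(msg.get("From"))
    reply_domain = _domain_of_address(msg.get("Reply-To"))
    collector = _LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    # A link whose visible text names one host but whose href points somewhere else.
    mismatched_links = [
        (href, text) for href, text in collector.links
        if text and _host_of(text) and _host_of(text) != _host_of(href)
    ]
    return {
        "travel_path": hops,
        "spf": spf.group(1) if spf else "none",
        "dkim": dkim.group(1) if dkim else "none",
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "x_mailer": msg.get("X-Mailer", ""),
        "mismatched_links": mismatched_links,
    }


def red_flags(report):
    """Turn a triage report into human-readable findings for the analyst."""
    flags = []
    if report["spf"] != "pass" or report["dkim"] != "pass":
        flags.append(f"authentication: spf={report['spf']} dkim={report['dkim']}")
    if report["reply_to_mismatch"]:
        flags.append("Reply-To domain differs from From domain")
    if report["x_mailer"]:
        flags.append(f"bulk-mailer header present: {report['x_mailer']}")
    for href, text in report["mismatched_links"]:
        flags.append(f"link text {text!r} actually points to {_host_of(href)}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(triage_headers(RAW_MESSAGE)):
        print("!", flag)
```

Run on the constructed message, the script reports a failed DKIM check, a Reply-To domain that differs from the From domain, a bulk-mailer header, and a link whose visible text names the corporate login host while the href goes to a lookalike host. None of these alone proves malicious intent, as the Lessons Learned note, but together they are exactly the pattern the example email showed.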

Pro Tip: Don’t publicly share templates for emails (or communication emails) which help adversaries better craft attacks against your organization. 

Evaluating the Switch to a Cloud-Native DLP

Moving to the Cloud: The SASE Puzzle Part 5

What is DLP?

Gartner describes Data Loss Prevention (DLP) as “a set of technologies and inspection techniques used to classify information content contained within an object — such as a file, email, packet, application or data store — while at rest (in storage), in use (during an operation) or in transit (across a network).”

The DLP Market

The shift toward DLP systems has been significant in the past few years, and market revenue is expected to continue to grow significantly through 2023. In 2020, the market was valued at USD 1,204.8 million and is expected to grow at a CAGR of 23.47%, reaching a value of USD 4,297.7 million by 2026.  

It is no secret that the surge in DLP escalated due to the increase in employees working from home, and it’s likely not stopping anytime soon. 20% of data breaches are caused by data workers, which only proves the importance of tightening all areas of your environment, no matter how near or far.  

DLP Solutions

Network DLP – Monitors, detects, and potentially blocks sensitive data exfiltration while the data is in motion (DIM). 

Why it’s Important – Network DLP prevents critical sensitive information from being transferred outside the corporate network. It also supports compliance requirements, which demand the ability to demonstrate care taken to avert loss of confidential information. This solution should consider traffic that traverses a variety of channels, protocols, and non-standard ports, any of which could be an egress point for leaking sensitive information. 

Endpoint DLP – Provides granular policy prevention to the operating system (OS) as the OS and installed applications access sensitive data. This could be data at rest (DAR) on the endpoint, data in use (DIU), or data in motion (DIM). The application is requesting to leverage that data to complete tasks, such as uploading a file, a screen-capture, or attaching a document to an email. 

Why it’s Important – Endpoint DLP is an intimidating avenue for protection due to the requirement to enforce policy on all endpoints. This also means that patching and updates become part of the status quo, just as they would for any installed endpoint agent that requires updates during a product lifetime. Despite this challenge, the level of protection that Endpoint DLP provides is without question: it protects data on the go when a system is outside of organizational network protection tools, stops portable devices from becoming unapproved avenues for data transfer, and discovers sensitive data that resides on the user endpoint. 

Cloud DLP – Cloud DLP is better summarized as a combination of DAR that exists in a variety of forms outside the traditional corporate environment, including cloud hosted, cloud based, public or private cloud storage, external repositories, and others.

Why it’s Important – Cloud DLP covers the growing use of cloud computing, in both the public and private cloud. Depending on the solution and its implementation capabilities, it provides a variety of DIM, DAR, or DIU policy enforcement points. 

Email DLP – Email DLP implements your expected DLP policy within your email provider or email solution, or as a policy enforced via an email gateway or API integrations. 

Why it’s Important – Email DLP complements all other DLP efforts by protecting a method of communication that plays a significant role in corporate communications. Email DLP adds an extra layer of protection by monitoring, detecting, and flagging suspicious email activity to prevent exposing sensitive data over email. This avenue is also the channel most likely to expose critical information, for the same reasons that email is also seeing an increase in phishing, compromised accounts, and account infiltration. 

The Movement Toward Cloud-Native DLP

Cloud-native platforms are built in the cloud, for the cloud. According to Gartner, as more organizations move their entire network to the cloud, 60% of companies will replace VPNs with Zero Trust Network Access (ZTNA) by 2023. Cloud DLP is no exception to this change.  

So why the shift? For one, DLP technology has been available for more than a decade, but usually in an on-premises solution that costs millions of dollars to deploy and manage. Additionally, an on-premise DLP also means purchasing a license, which is another added expense.  

With a cloud-native solution, smaller businesses have access to more with less. DLP previously only covered specific applications, but with cloud coverage, all points of control can be covered throughout the whole organization. There is less complexity, no hardware, and less manpower to manage.  

Cloud collaboration platforms are being embraced at an increased pace, which means DLP tools are in some aspect playing “catch-up” to make sure that shared, critical files don’t fall into the wrong hands. 

The Difference of Cloud-Native

Cloud-native is a form of cloud DLP, but cloud DLP is not the same as cloud-native. Many DLP solutions include cloud DLP offerings, where the coverage of the DLP product extends into cloud solutions such as SaaS, IaaS, cloud storage, or home-grown applications hosted in the cloud. Cloud-native takes a cloud-first approach, offering a solution that protects a variety of cloud interests holding DLP data that must be protected. With less focus on endpoint-installed agents, cloud-native aims to provide agentless, API-integrated, and automated processes that prioritize accuracy and are endpoint- or network-agnostic. 

Cloud-native DLP can be defined as cloud first: built in and for the cloud before any other solution. If an organization does not have corporate-owned roaming endpoints and only allocates users to use VDI, DaaS, or VPD, then they may be able to facilitate a cloud first, cloud-native SaaS solutions that uses APIs to gather metadata feeding a multi-part Risk Evaluation Decision Engine. 

With better coverage, cloud-native DLP provides more visibility that may not have been possible without an API or direct integration. Additionally, visibility is gained by the cloud first attitude for seamless integration for scanning, identification, and encryption of sensitive data before the data is shared in the cloud. The scanning continues for what is added or what is already present, which can be audited to strengthen the posture taken for the data that exists and make sure that all sensitive data has been appropriately protected. 

Another benefit of cloud-native DLP is freeing up maintenance time, which means more time to ensure policies are running as expected. Downtime is more of a rarity than with on-premise solutions, since the providers design the product so that it is easy to migrate a customer from one cloud connection to another. 

Cloud storage companies have started to offer their own take on DLP coverage for their respective cloud storage, but not all vendors are allocating for a policy-sharing, vendor-neutral approach. For example, your Google Cloud DLP policies could be built in a completely unique way versus the way you build DLP in Microsoft O365, which you use for email. Since neither solution offers vendor-neutral integration, it introduces breakdowns in consistency between effective policy with the same result of protection. 

When is Cloud-Native Right for you?

Before determining your cloud-native DLP solution, understand your DLP needs around the data you have. This will help determine a solution that meets your use cases. 

❓ What type of sensitive data are you required to protect? (SSN, credit card numbers, intellectual property, trade secrets, health records, etc.) 

❓ Is your data more cloud-based, or located within your internal corporate network resources?

❓ Is the solution easy to deploy and manage? 

❓ Can data be protected when the user is not connected to the corporate network?

❓ What type of communication channels can the product monitor for DLP?

Your Use Cases Could Be:

  1. Protect intellectual property from being exfiltrated from the corporate network.
  2. Support regulatory compliance efforts to detect and prevent compliance policy violations. 
  3. Visibility of sensitive data and augment employee security awareness.
  4. Scan documents or images to prevent sensitive data exposure.
  5. Prevent from accidental sharing in corporate-owned SaaS applications.
  6. Alert on suspicious behavior with potential to block when actions match malicious indicators. 
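Whatever the deployment model, a DLP engine comes down to classifying content against the data types listed in the questions above and applying a policy to what it finds. The block below is an added example written for this page, not code from the original article or any DLP vendor: it detects two of the data types named above (credit card numbers, validated with the Luhn check so random digit runs are not flagged, and US SSNs with the never-issued ranges excluded), masks findings so the alert itself does not leak the data, and applies a constructed alert/block policy. The sample documents and all numbers in them are constructed test values.

```python
# Added example (not from the original article): minimal DLP content inspection.
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")
# US SSN in 3-2-4 layout. Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed policy: how many findings of a type a document may carry before it is blocked.
# Anything found below that threshold raises an alert instead.
BLOCK_THRESHOLD = {"credit_card": 1, "ssn": 0}

# Constructed sample documents; the numbers are test values, not real identifiers.
SAMPLE_DOCS = {
    "expense_report.txt": "Paid with card 4111 1111 1111 1111 on 2021-10-03.",
    "shipping.txt": "Tracking number 1234567890123456, no card on file.",
    "hr_note.txt": "Employee SSN 123-45-6789; old badge 666-12-3456 is not an SSN.",
}


def luhn_ok(digits):
    """Luhn mod-10 check; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so alert text does not reproduce the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive(text):
    """Return (type, masked_value) findings for the text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    return findings


def decide(findings):
    """'allow' if nothing found, 'block' if any type exceeds its threshold, otherwise 'alert'."""
    if not findings:
        return "allow"
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    if any(n > BLOCK_THRESHOLD[kind] for kind, n in counts.items()):
        return "block"
    return "alert"


def scan_documents(docs):
    """Map each document name to its (verdict, findings) pair."""
    results = {}
    for name, text in docs.items():
        findings = find_sensitive(text)
        results[name] = (decide(findings), findings)
    return results


if __name__ == "__main__":
    for name, (verdict, findings) in scan_documents(SAMPLE_DOCS).items():
        print(f"{name}: {verdict} {findings}")
```

The two edge cases worth noticing are the shipping document, whose 16-digit tracking number fails the Luhn check and is therefore allowed, and the badge number in the HR note, which has the SSN shape but an area number that is never issued. Both are the kind of false positive that erodes trust in a DLP rollout if the classifier is nothing more than a digit-count regex.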

These are only a few of the questions you should be considering when determining whether a cloud-native, cloud-connected, or hybrid solution is the better fit for your needs. If you’re looking for more guidance, get in touch with us and we can help evaluate your environment.  

Connecting DLP to SASE and Cloud-Based Security

Email, network, endpoint, and cloud are all impact points offering the opportunity to integrate with a new or existing deployment of SASE tools. Each area may have dependencies from a specific vendor that would already have required an integration with existing SASE solutions, but not all will require them. If an integration into existing SASE tools is a requirement for your organization, working with a partner like Braxton-Grant will complement your DLP goals and requirements with engineer teams ready to assist in those plans. 

Our vendor partners have a plethora of DLP resources, and we help determine what is right for your organization and your process. Explore these links to learn more and contact us to get started: 

Partner DLP Solutions

Implementing SASE correctly secures your workforce, no matter where they are. Choosing to partner with Braxton-Grant means we can become an extension of your team, work toward your goals, and be a trusted resource with deep experience that you can leverage.  

Secure Web Gateway: What it is & Where it’s Going

Moving to the Cloud: The SASE Puzzle Part 4

How is a Secure Web Gateway Defined Today?

A Secure Web Gateway (SWG) protects users and organizations from malicious activity when browsing the internet. The goal of an SWG is to inspect web traffic at the application level without compromising the user’s overall web experience. No matter where the employee is on the network, the gateway’s role is to:  

      • Filter URLs and content, and perform anti-virus and malware detection. 
      • Decrypt SSL traffic.
      • Enforce web application controls. 

As user traffic now originates from work-from-home (WFH) or remote users, many SWG offerings must accommodate a combination of corporate and remote users. This means SWG capabilities are now needed beyond just the local edge of the corporate headquarters, and a hybrid approach is necessary to protect all employees. 

Gartner defines that, at minimum, an SWG includes URL filtering, malicious-code detection and filtering, and application controls for popular web-based applications such as instant messaging (IM). 

Additional Capabilities

An SWG may also provide anti-virus (AV) scanning or Data Loss Prevention (DLP) capabilities from external sources or, in rare cases, with on-device policies. Web Isolation is another feature that may be offered; however, it is not considered a standard SWG function, because it requires off-box integration or a software license activation to use. Finally, the ability to offload a copy of the decrypted traffic may be included in SWG capabilities, but all of these are traditionally add-on capabilities and not part of the initial feature set. 

How does a Secure Web Gateway Work?

An SWG can be installed as a software component, a cloud-hostable virtual component, or a hardware device. Attached to the edge of the network or at the user endpoint, it filters and monitors all traffic for malicious activity through web application use and attempted URL connections. Any activity that is not approved can be blocked or restricted. Blocked sites are usually stored in the SWG database or, when possible, sourced from intelligence feeds that are either company-sourced or third-party provided.  

Additionally, information flowing out of the network can be monitored. The SWG can log all your web traffic, combined with decryption of SSL web traffic for full visibility and user authentication. Overall, this gives you the ability to always know who is going where, to proactively monitor the network and tweak policies as needed, and to investigate prior events in case of attacks or vulnerabilities. 
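The core of what the two paragraphs above describe is a policy decision per request: categorize the destination (from the gateway’s database or a feed), apply the policy that applies to the user’s group, and log who went where and what happened. The block below is an added example written for this page, not code from the original article or any SWG product. The category feed, group policies, allowlist and request log are all constructed; the `isolate` action stands in for the Web Isolation add-on mentioned earlier, and hostnames use reserved `.test` domains and documentation IP space.

```python
# Added example (not from the original article): a small URL-filtering policy engine.
import ipaddress
from urllib.parse import urlparse

# Constructed category feed (domain -> category), standing in for the SWG database or an intel feed.
CATEGORY_FEED = {
    "example-bank.test": "financial",
    "example-social.test": "social-media",
    "malware-dropper.test": "malware",
    "cdn.example-social.test": "content-delivery",
}

# Constructed per-group policy: category -> action. Categories not listed are allowed.
GROUP_POLICY = {
    "default": {"malware": "block", "social-media": "block", "uncategorized": "isolate"},
    "marketing": {"malware": "block", "social-media": "allow", "uncategorized": "isolate"},
}

# Explicit allowlist that overrides category policy (constructed).
ALWAYS_ALLOW = {"mx.example-corp.test"}

# Constructed request log: (user, group, url).
SAMPLE_REQUESTS = [
    ("alice", "default", "https://www.example-bank.test/login"),
    ("alice", "default", "https://example-social.test/feed"),
    ("bob", "marketing", "https://example-social.test/feed"),
    ("bob", "marketing", "http://evil.malware-dropper.test/update"),
    ("carol", "default", "http://192.0.2.77/admin"),
    ("carol", "default", "https://mx.example-corp.test/owa"),
]


def categorize(host):
    """Longest-suffix match against the feed so subdomains inherit the parent's category.
    Bare IP addresses and unknown hosts come back as 'uncategorized', which the policy
    above sends to isolation rather than silently allowing."""
    try:
        ipaddress.ip_address(host)
        return "uncategorized"
    except ValueError:
        pass
    labels = host.lower().split(".")
    for i in range(len(labels)):  # most specific candidate first
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return "uncategorized"


def decide(group, url):
    """Return (action, reason) for one request under the group's policy."""
    host = urlparse(url).hostname or ""
    if host in ALWAYS_ALLOW:
        return "allow", "allowlist"
    category = categorize(host)
    policy = GROUP_POLICY.get(group, GROUP_POLICY["default"])
    return policy.get(category, "allow"), category


def filter_requests(requests):
    """Evaluate (user, group, url) tuples and return log records: who went where, and what happened."""
    log = []
    for user, group, url in requests:
        action, reason = decide(group, url)
        log.append({"user": user, "group": group, "url": url, "category": reason, "action": action})
    return log


if __name__ == "__main__":
    for record in filter_requests(SAMPLE_REQUESTS):
        print(f"{record['user']:6} {record['action']:8} {record['category']:17} {record['url']}")
```

Two details matter for a real deployment and are reflected here: a host that is only a subdomain of a listed domain inherits that domain’s category (so a fresh subdomain of a known-bad domain is still blocked), and destinations the feed knows nothing about, including bare IP addresses, are not allowed by default. The per-request log record is what feeds the “who is going where” investigation the paragraph above describes.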

What are the Benefits?

With an SWG, organizations can enforce company policies that prevent end users from visiting malicious sites, while also restricting use of the internet to business-critical functions. Having these policies in place prevents malware infections and detects infected devices. An SWG also protects remote workers, since security policies are always aligned even when employees are not located at corporate headquarters. 

SWG Requirements

SWG deployment is flexible, since it can be deployed inline, virtually inline (WCCP, PBR), or out-of-path (explicit proxy). Certain deployments allow for easier future growth, while others are more limited. An inline deployment is an example of the latter, as downtime will be necessary if the physical device requires maintenance or is not operating as expected. 

It can also be used in a reverse scenario – to protect externally facing corporate web resources accessible to customers – but our focus today is on protecting users while they access the corporate assets that meet their day-to-day needs. 

What Questions Should be Considered before Deploying a SWG?

Connecting SWG to SASE and Cloud-Based Security

As a critical aspect of the SASE infrastructure, an SWG is strategically positioned to monitor all web traffic, provide verbose logging, and prevent and detect attacks. Meanwhile, an SWG integrates with other technologies, such as a DLP or a sandbox, that require an SWG or similar device to feed them traffic. 

Cloud Access Security Broker (CASB), a component of SASE with integration potential for Zero Trust, extends the traditional SWG to cover the more advanced internet-hosted web applications that we use today for mobile, desktop and abroad. CASB could be considered an SWG for the SaaS world that has additional capabilities the original SWG may not have been configured to support when it was originally deployed. The internet has changed, and what is available on the internet has evolved from static web pages to dynamic content and interactive applications. 

Looking Forward - The Future of SWG

As the migration to a cloud-first or hybrid SWG continues, you’ll likely come across terms like Cloud Web Security Solution, Cloud Web Gateway, Cloud Delivered Web Gateway, or others. As the need to protect cloud storage, cloud-hosted applications, and employees using cloud-provided virtual desktops increases, so does the need for a SWG protecting those resources. 

A cloud-based or cloud-hosted SWG allows more flexibility in meeting scaling and bandwidth demands, as an operating expense rather than a capital expense. This may work better for a company whose traffic needs and demands vary from year to year. Moving away from physical purchases and self-hosted applications has already shifted costs toward operational spending, and hybrid or remote working environments no longer demand the capital spend on physical appliances that they once did. 

The growth of cloud-based applications and services has not completely rendered the traditional SWG obsolete; however, it does mean that a SWG is one part of a defense-in-depth approach, as it was not explicitly designed to handle Cloud SaaS solutions or the rapidly growing mobile workforce. A SWG combined with a Cloud Access Security Broker (CASB) provides coverage of internet-bound web traffic as well as cloud-hosted offerings. 

In the future, expect to see SWG transition to being referred to as SSE, which stands for Security Service Edge. 

At Braxton-Grant, we are a multi-vendor integrator with deep experience in SWG implementation that you can leverage. Reach out to us today to get started!

Your CASB Solution Guide (with Checklist & Assessment Questionnaire)

Your CASB Solution Guide Moving to the Cloud: The SASE Puzzle Part 3

What is a CASB Solution?

A Cloud Access Security Broker (CASB) is the watchdog between users and cloud service providers. Coined by Gartner in 2012, CASBs are “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.”  

CASB solutions combine various kinds of security policies, including authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention. These solutions have become a vital part of growing organizational security, specifically with the growth of Bring Your Own Device (BYOD) and the need to uncover Shadow IT cloud use. Overall, a CASB grants organizations the ability to use the cloud while still protecting their sensitive data. 

Four Pillars of CASB

There are four main functions, or pillars of CASB solutions: 

    1. Visibility – CASB brings a new level of transparency between cloud providers and organizations through a shared responsibility model. While cloud providers are responsible for maintaining the application and underlying infrastructure, organizations are responsible for ensuring proper monitoring and control of their data. 
    2. Compliance – CASB extends data protection and monitoring to show how data is accessed and used. Additional integration with Identity and Access Management (IAM) and Data Loss Prevention (DLP) solutions further improves compliance. 
    3. Data Security – Some CASB solutions can protect sensitive data; however, having a DLP system in addition to CASB adds an extra layer of protection. Together they enhance the ability to identify and authorize access to and sharing of data by users of cloud applications, preventing and alerting when improper data access or actions occur. 
    4. Threat Protection – Reduce the chance that cloud malware and threats spread through cloud storage services, synced clients, or connected services. 

Why do you need a CASB Solution?

CASBs are just as important as having a firewall in your environment, due to the new features and functions constantly being introduced. For example, some CASB solutions provide Private Applications, which protect internally hosted applications. Additionally, CASBs now offer benefits that make them necessary, with 60% of large enterprises expected to have them in place by 2022. Previously, many businesses looked at CASB primarily as a way to expose and address the large amount of unknown cloud application use via Shadow IT reports or audits. Now, CASBs contain features for in-motion and at-rest Cloud SaaS data, which allows existing policies to be extended and leveraged for Cloud SaaS enforcement. This does not, however, address the need for business access to Cloud SaaS: creating an enforcement policy is not enough to make sure business requirements are met while still maintaining the security needed to protect sensitive corporate data. 

It may be easy to assume that if you have an on-premises Next-Generation Firewall (NGFW), Secure Web Gateway (SWG), DLP, Anti-Virus software (AV), and other devices, your users will be jointly protected from web-based threats, since these products may support add-ons or partial protection of Cloud SaaS applications. Each vendor product may offer a portion of protection; nevertheless, layering each portion does not necessarily mean that the additional layers will behave as intended, or that they will not add delay to user traffic. Attempting to leverage features on all your devices could block where a permit was desired (or vice versa) due to the layers of policy applied between different functional appliances.  

Using a CASB to protect Cloud SaaS solutions is beneficial because CASBs are designed for Cloud SaaS awareness (as opposed to classic web proxy appliances, which were built for web browsing, not Cloud SaaS). With the right settings, a CASB can be configured to know the difference between a corporate-owned SaaS tenant, an external vendor SaaS tenant, and a personal user account. These systems have also adopted many integration benefits with ZTNA (Zero Trust Network Access) and allow connections to Single Sign-On (SSO), DLP, and Global Web Security Gateway (GWSG) for adaptive policy application. 

Getting Started

Before putting this type of solution in place, a Shadow IT report is the most valuable assessment to start with. This report identifies whether cloud SaaS traffic is corporate-owned or non-corporate-owned, while also pinpointing whether current policies are working as intended. Conversely, if the assessment covers only a small portion of your traffic (and only the traffic that traverses network devices able to log it), you may end up with a report that does not fully represent all Cloud SaaS application use and will need to be updated as you proceed. 
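The tenant distinction described in the CASB section (corporate tenant vs. external vendor tenant vs. personal account) and the Shadow IT report described above rest on the same aggregation: group logged SaaS requests by application, compare them with a sanctioned-application inventory, and classify the tenant identifier where the application exposes one. The following is an added example that builds such a report from constructed log lines; it is not code from the original article or from any CASB product. The application inventory, tenant identifiers, log format and the allow/alert/block mapping in `policy_for` are all constructed assumptions.

```python
"""
Added example (not from the original article): a Shadow IT report built from
constructed CASB/proxy log lines. Sanctioned applications are split by tenant
class (corporate, vendor, personal); everything else is reported as
unsanctioned. Inventory, tenant ids, log format and policy mapping are all
constructed for this illustration.
"""
from collections import defaultdict

# Constructed sanctioned-application inventory: app host -> corporate tenant ids.
SANCTIONED_APPS = {
    "storage.saas.test": {"corp-tenant-001"},
    "mail.saas.test": {"corp-tenant-001"},
}

# Constructed tenant ids belonging to known external vendors or partners.
VENDOR_TENANTS = {"vendor-tenant-777"}

# Constructed log lines: "<user> <app_host> <tenant_id|-> <action>"
# A '-' tenant means the app exposed no tenant identifier to the logging device.
SAMPLE_LOG = """\
alice storage.saas.test corp-tenant-001 upload
bob storage.saas.test personal-9981 upload
carol storage.saas.test vendor-tenant-777 download
alice mail.saas.test corp-tenant-001 send
dave notes.unknownapp.test - sync
erin notes.unknownapp.test - sync
bob chat.otherapp.test - message
"""


def classify_tenant(app: str, tenant: str) -> str:
    """Classify a tenant of a sanctioned app as 'corporate', 'vendor' or 'personal'."""
    if tenant in SANCTIONED_APPS.get(app, set()):
        return "corporate"
    if tenant in VENDOR_TENANTS:
        return "vendor"
    return "personal"


def build_report(log_text: str) -> dict:
    """Aggregate log lines into a Shadow IT report.

    Returns a dict with:
      'unsanctioned': app -> sorted list of users seen using it
      'sanctioned':   app -> tenant class -> sorted list of users
    """
    unsanctioned = defaultdict(set)
    sanctioned = defaultdict(lambda: defaultdict(set))
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        user, app, tenant, _action = raw.split()
        if app in SANCTIONED_APPS:
            sanctioned[app][classify_tenant(app, tenant)].add(user)
        else:
            unsanctioned[app].add(user)
    return {
        "unsanctioned": {app: sorted(users) for app, users in unsanctioned.items()},
        "sanctioned": {
            app: {cls: sorted(users) for cls, users in classes.items()}
            for app, classes in sanctioned.items()
        },
    }


def policy_for(app: str, tenant: str) -> str:
    """Constructed enforcement mapping: allow corporate tenants, alert on vendor
    tenants, block personal tenants of sanctioned apps, block unknown apps."""
    if app not in SANCTIONED_APPS:
        return "block"
    return {"corporate": "allow", "vendor": "alert", "personal": "block"}[
        classify_tenant(app, tenant)
    ]


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    print("Unsanctioned applications (Shadow IT):")
    for app, users in report["unsanctioned"].items():
        print(f"  {app}: {len(users)} user(s) {users}")
    print("Sanctioned applications by tenant class:")
    for app, classes in report["sanctioned"].items():
        for cls, users in classes.items():
            print(f"  {app} [{cls}]: {users}")
```

Note that the report only reflects traffic that reached a logging device, which is exactly the coverage caveat the paragraph above raises: users whose SaaS traffic bypasses the logged path do not appear at all, so the "unsanctioned" list is a lower bound until coverage is confirmed.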

A program “champion,” someone who can head the project, is advised, not only to drive progress internally but to allow collaboration between groups so that the access granted by Acceptable Use Policies (AUP) and the organization’s data protection goals are both protected. 

Keep in mind that a CASB by itself is not a complete solution; it is one part of the SASE solution set. Consider complementary tools to advance defense in depth, such as DLP, IAM, and GWSG. If you already have such tools at your disposal, ensure they can integrate with any prospective CASB platform. Further, continuous monitoring is a key piece of any compliance effort. Integration with a Security Information and Event Management (SIEM) system, along with automated alerting, ensures that those charged with monitoring and auditing are enabled to succeed.  


CASB Solution Checklist - What to look for

✅ Cloud Application Discovery, also known as Shadow IT

✅ Risk and Data Governance Visibility

✅ Activity Monitoring 

✅ Threat Protection

✅ Data Security 

✅ Activity-based Analytics 

✅ Endpoint Access Control

✅ Remediation Actions

✅ Deployment Flexibility

✅ Delivery Infrastructure 

CASB Assessment Questionnaire

Looking to get started with a CASB solution? Take our assessment questionnaire to understand where you currently are in maturity. 

At Braxton-Grant, we are a multi-vendor integrator with deep experience in CASB implementation that you can leverage. Reach out to us today to get started!