If cloud services were used only by employees who worked from the office, on company-issued devices, enforcing cloud policies would be straight-forward. IT Security would simply direct all traffic, for all employees, across all cloud services through a Cloud Access Security Broker (CASB), which would provide the required visibility, threat protection, compliance, and data security for all users.
3 megatrends that make Cloud Security a bit more challenging
Three IT megatrends render this type of simplicity impossible:
- BYOD: According to a CompTIA survey, 47 percent of companies have a Bring Your Own Device (BYOD) policy in place, allowing employees to access corporate data from their own devices. With the BYOD, employees access corporate data in cloud services from a variety of devices, most of which are unmanaged.
- Telecommuting: According to statistics from the American Community Survey, telecommuting has risen 79 percent between 2005 and 2012. With many employees logging hours from home and on the road, it can be difficult to get in the path without forcing users to adopt the dreaded VPN.
- 3rd Party Collaboration: According to Skyhigh’s recent Cloud Adoption and Risk report, the average enterprise collaborates with 1,555 partners via cloud services. Agents and VPN are not options for 3rd parties (many would suggest they aren’t an option for employees on BYOD either), making it impossible to get in path for policy enforcement.
API access offers a frictionless path to visibility, but for companies with policy enforcement requirements, such as real-time DLP with closed-loop remediation, contextual access and collaboration control, and structured and unstructured encryption, a new technique is required in order to get in path and enforce security, compliance, and governance policies.
Skyhigh solves policy enforcement challenges with new, patented technology
Today, Skyhigh announces that the United States Patent and Trademark Office has issued US Patent 9,137,131 for Pervasive Cloud Control. The patent covers SAML-based Identity Provider (IdP) redirection, which enables customers to enforce their cloud security, compliance and governance policies across all devices – managed or unmanaged – and across all user – on-premises, remote, or third party.
Best of all, the solution meets two universal requirements for cloud security and enablement – pervasiveness and zero-friction.
Pervasiveness: It is impossible to circumvent the CASB control point, regardless of the device or user.
Zero-friction: The solution requires no device agents and has no impact to the user experience or the cloud service providers.
Skyhigh Pervasive Cloud Control extends Skyhigh’s leadership in the Cloud Access Security Broker space and enables policy enforcement while supporting BYOD access to cloud services, off-network access to cloud services, and collaboration between employees, customers, and partners.
Three killer use cases for Skyhigh’s Pervasive Cloud Control
BYOD Access to Cloud Services: With Skyhigh Pervasive Cloud Control, IT and Security teams can support BYOD policies while enforcing corporate security, compliance, and governance policies. As an example, a sales person may be authorized to access a Customer Relationship Management service, such as Salesforce, from their personal iPhone to view or update their sales forecast. However, when the salesperson tries to download their monthly forecast to their iPhone, Skyhigh’s Pervasive Cloud Control automatically prevents the download because it violates the company’s security policies.
Off-Network Access to Cloud Services: With Skyhigh Pervasive Cloud Control, IT and Security teams can secure off-network access to cloud services, and best of all they can do so without an agent on the device or VPN access to the corporate network. As a example, an executive needs to download an encrypted file stored on a file sharing and collaboration cloud service, such as Box, while logged in from the airport. Skyhigh’s Pervasive Cloud Control seamlessly decrypts the encrypted file and the executive can access the encrypted file in a readable format
Collaboration Between Employees, Customers and Partners: With Skyhigh Pervasive Cloud Control companies can satisfy security, compliance and governance requirements while collaborating seamlessly with third parties such as vendors, customers, and partners and without breaking business workflows. As an example, while collaborating with a customer’s HR department, a third party HR vendor uploads a document containing PII to the customer’s Office 365 SharePoint site. Skyhigh’s Pervasive Cloud Control flags the file containing PII for policy violation, puts the file in quarantine as the PII is identified, and replaces the file with a tombstone file.
How Pervasive Cloud Control works (according to Gartner)
“Reverse Proxy Mode – This mode involves traffic redirection by making configuration changes to how traffic arrives from clients to the SaaS application. One way this can occur is by configuration applied to the SaaS application so that, during the SaaS authentication workflow, each individual app in question is directed to use the CASB provider as the authentication source. The CASB then forwards the authentication request to the IAM solution, and directs future traffic through it as well. This SAML redirection method is a popular way to force end-user traffic through the CASB so that it can perform inspection, even from unmanaged devices.” — Gartner, Select the Right CASB Deployment for Your SaaS Security Strategy, Craig Lawson, Neil MacDonald, Sid Deshpande, March 2015.
Security behind the curtains
Skyhigh’s Pervasive Cloud Control is based on the SAML standard. Skyhigh complements this by focusing on how traffic is seamlessly and securely re-routed after the SAML handshake.
Skyhigh supports both on-premises and cloudhosted intermediation. The Skyhigh Cloud Service is itself ISO27001 certified and hosted in SOC-2 compliant data centers.
Deployment of the IdP initiated redirection never requires user credentials to be sent to the cloud service or to Skyhigh. Only assertions are sent as per the SAML 2.0 standard and are signed by mutually established trusted certificates between the Cloud Service Provider, Identity Provider and Skyhigh.
Furthermore, Skyhigh does not store or record any data that is transiting through its network, provides multiple security controls to protect data, and has been tested and validated by some of the largest organizations in the world.