This is the second installment of The Top 10 Quick-Tips for Shoring Up Your Cloud Data Security. Last week we discussed creating consistent policy enforcement across your regional egress devices. Today’s tip sticks with the theme of cloud access policy consistency, but addresses a different piece which is often overlooked.
Top 10 Quick-Tips for Shoring Up your Cloud Data Security
Tip #10: Ensure consistent egress policies across regions
Tip # 9: Don’t rely on URL categorization services for cloud access policy enforcement.
Cloud access policies are incredibly useful. They enable enterprises to offer their employees a variety of great services that make them productive, while maintaining the various levels of security, governance, and compliance required. That being said, enforcing these helpful policies with your firewalls and proxies can be a journey of frustration and defeat.
Firewalls and proxies are terrific when it comes to preventing access to inappropriate sites that employees shouldn’t be accessing at work or on work devices. However, you will find them woefully inadequate if you’re trying to use them to block access to high-risk cloud services.
There’s no shame in trying. Almost every customer we work with first attempts to enforce their cloud access policies via their firewalls and proxies. It makes perfect sense – that’s how you block access to all other sites, right? The disconnect exists because proxies and firewalls typically rely on 3rd party categorizations services that are unable to accurately identify and classify cloud services. (A few proxies have their own proprietary classification services that experience the exact same issue).
These services attempt to classify 300M+ different URLs, and their focus is on finding the sites that offer, drugs, porn, guns, and gambling. Their enormous scope results in categorization that is often incomplete (i.e. they are not aware of new cloud services and therefore, these new services are categorized as “unclassified”) and inaccurate (i.e. cloud services are miscategorized as internet services).
For example, a customer in the technology sector standardized on 3 low-risk cloud storage vendors and attempted to use their proxy to block all others so they could prevent IP leakage, compliance issues, and unnecessary costs. They found 6 other cloud storage services still in use including Pogoplug, 4shared, and RapidGator. The proxy’s categorization service mis-classified the first two as internet services and the third was unclassified, meaning that users could freely access all three.
Using a classification service focused exclusively cloud services, rather than one focused on hundreds of millions of internet sites will allow you to use reliable information when enforcing your cloud access policy.