In the current context, there are many reasons to check devices before they are allowed to access the company's cloud services: a considerable increase in telework, the use of personal devices for professional purposes, and shared access to numerous collaborative applications.
Many cloud services include features that let administrators define and control access based on user profiles. Unfortunately, many of these features go unused or are poorly controlled, either because of the complexity involved or because they are neglected in favor of other aspects of the service. For example, applying a security policy that depends on the connection context is often overlooked.
One strength of cloud services is collaboration between multiple users; another is their broad compatibility with different devices. Most of these services are accessible through applications or through the main browsers on the different operating systems. To access them, users (employees or partners) may use devices managed by the company or personal devices, trusted or not, running the latest security updates or old systems with outdated security mechanisms.
Here are some of the risk scenarios that companies should consider:
- An employee using or downloading confidential information on an insecure device that could be infected and used to exfiltrate data.
- An employee connecting from a friend’s or family member’s device to download information or edit a document, which could lead to the spread of malware.
- A business partner using their personal device who could inadvertently download malware because that device is not secured.
Policies to address these and other risk scenarios could include:
- Authorization for users to view but not download content on unmanaged devices.
- A ban on downloading from unknown devices.
- Implementation of DLP (data loss prevention) policies on all devices that download data when they are outside the enterprise.
Cloud administrators need to consider each of these scenarios, decide on appropriate policies, and define them in the cloud service. Many security criteria and controls allow access decisions to be contextualized and risks mitigated:
- Managed / unmanaged device
- Operating system used
- Activity (upload, post, download)
- Presence of security software
- BYOD device managed by MDM / MAM solutions
- IP address / geography
- User / group as defined in the authentication system (LDAP, etc.)
- User domain
Among the actions based on the conditions that could be supported are:
- Allow / deny access
- Check the presence of a company certificate on the device
- Strong authentication (MFA) for the user
- Traffic redirection for inspection and application of real-time security policies
- Implement a specific DLP policy
Not all cloud services offer policies based on every condition, so what is supported is worth checking before subscribing to a particular cloud service. Each cloud service has its own functionality for defining these policies, although it is often much easier to define them once and extend them to all cloud services using a CASB solution such as MVISION Cloud.
Being able to enforce granular policies, such as allowing unmanaged devices to access Exchange Online but not SharePoint, or blocking access to the O365 Admin portal from a device that is not on the corporate network, is also a good practice to adopt.
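To make the conditions and actions listed above concrete, here is a small context-aware access policy evaluator, added as an illustration and not code from the article or from any McAfee product. It encodes the unmanaged-device, DLP and admin-portal rules described on this page as an ordered rule list; the corporate IP range, the group names and the application identifiers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample corporate network range (assumption for this example).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Context:
    """Connection context gathered by the cloud service or CASB at access time."""
    user_group: str    # group from the authentication system (LDAP, etc.)
    managed: bool      # device enrolled in the company's MDM / MAM
    security_sw: bool  # endpoint security software present on the device
    source_ip: str     # client IP address
    app: str           # hypothetical ids: "exchange_online", "sharepoint", "o365_admin"
    activity: str      # "view", "upload" or "download"


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


# Ordered rules, first match wins: (predicate, decision). Decisions mirror the
# actions in the article: allow/deny, MFA, DLP, traffic redirection, view-only.
RULES = [
    # Admin portal: never from outside the corporate network, and MFA inside it.
    (lambda c: c.app == "o365_admin" and not on_corporate_network(c.source_ip), "deny"),
    (lambda c: c.app == "o365_admin", "require_mfa"),
    # Partners on any device may not upload content.
    (lambda c: c.user_group == "partner" and c.activity == "upload", "deny"),
    # Unmanaged devices: Exchange Online is allowed, SharePoint is not.
    (lambda c: not c.managed and c.app == "sharepoint", "deny"),
    # Unmanaged devices may view but not download or upload content.
    (lambda c: not c.managed and c.activity in ("download", "upload"), "view_only"),
    # Managed devices downloading outside the enterprise get a DLP policy applied.
    (lambda c: c.managed and c.activity == "download"
     and not on_corporate_network(c.source_ip), "allow_with_dlp"),
    # No security software present: redirect traffic for real-time inspection.
    (lambda c: not c.security_sw, "redirect_inspect"),
]


def evaluate(ctx: Context) -> str:
    """Return the decision for the first matching rule, or 'allow' if none match."""
    for predicate, decision in RULES:
        if predicate(ctx):
            return decision
    return "allow"
```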
Device control is just one line of the Cloud Security 360° shared responsibility model. There are nine lines in total; the full document is available here.
By Nigel Hawthorn, McAfee