In the middle of the month I read about the leak of Dropbox accounts in several online magazines and in the news in general.

Here is a reference on Reuters: Hundreds of alleged Dropbox passwords leaked | Reuters

 

This made me think immediately about how we can help to avoid such issues, and surprisingly, we already have nearly all the assets you need to avoid these issues and make sure that your content and credentials remain yours.


In your strategy to adopt cloud resources, you need to consider at least 3 main topics:

  1. WHO can access the web resource?
  2. WHICH application functionality can be used?
  3. WHAT shall happen with the content?

 

WHO

Make sure you are using AAA functionality on your Internet Access Gateway to apply an appropriate access policy to applications and their functionality.

AAA functionality is the base requirement to set up a user-dependent, tailored web access and security policy, and it will enable you to implement further functionality.

Read this Document to learn how to set up authentication on McAfee Web Gateway.

In addition, you definitely need Single Sign On as part of your web security strategy. Web Gateway can help you with that by providing an identity federation function for cloud applications. Admins can provision users in cloud applications and then leverage SAML, POST credentials or ICE Token to federate identity to cloud applications. Using SAML removes the need for any user name and password combination other than your internal directory account.

 

WHICH

Make sure to use application control on Web Gateway. Did you know that you can simply monitor web application usage on Web Gateway? To do that, don't apply Block as the Action for the criteria, but simply Continue.

The logic is quite simple: call an application property to detect the application, for example If Application.Name doesn't equal <empty> CONTINUE. This will already detect all known applications and write them to the log.

With that you get application visibility established. In addition, you can of course use a similar rule, like the one from the product's rule library, to control access to apps and block certain functionality. Now pair that with the previously mentioned AAA functionality to create group-based policies.

 

WHAT

In order to determine what shall happen with the content sent to the applications, you can create policies per application! One of the cool features of Web Gateway is the cloud encryption, which enables you to encrypt traffic to cloud applications, namely: Dropbox, Box.com, Google Drive, Microsoft OneDrive. The data transferred to these applications can be encrypted on the fly during transfer, so that the above mentioned leakage doesn't matter at the end of the day, as the data stored in the account is encrypted and is only viewable once transferred back over Web Gateway.

Use the on-board DLP technology to detect sensitive data and then trigger the encryption selectively for this sensitive data.
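
The WHO / WHICH / WHAT decision flow described above, modelled in Python as an added example (this is not Web Gateway rule syntax or McAfee code). The group names, the host-to-application map and the payment-card DLP pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed host-to-application map; a real gateway ships its own application database.
APP_BY_HOST = {"dropbox.com": "Dropbox", "box.com": "Box.com",
               "drive.google.com": "Google Drive", "onedrive.live.com": "Microsoft OneDrive"}
# Assumed group policy: which directory groups may use which applications.
ALLOWED_APPS = {"engineering": {"Dropbox", "Google Drive"}, "finance": {"Box.com"}}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate payment card numbers


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from the card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_app(url):
    """WHICH: map the request host (or a parent domain) to a known application."""
    host = (urlsplit(url).hostname or "").lower()
    for known, app in APP_BY_HOST.items():
        if host == known or host.endswith("." + known):
            return app
    return None


def is_sensitive(body):
    """WHAT: minimal DLP check, flags Luhn-valid card numbers in the upload."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body))


def decide(user, groups, url, body, log):
    """Return BLOCK, ENCRYPT or CONTINUE for one upload request."""
    if user is None:                       # WHO: no authenticated identity, no policy
        return "BLOCK"
    app = detect_app(url)
    if app is None:                        # not a known application: nothing to control
        return "CONTINUE"
    log.append((user, app))                # monitoring: every detected app is logged
    if not any(app in ALLOWED_APPS.get(g, ()) for g in groups):
        return "BLOCK"
    return "ENCRYPT" if is_sensitive(body) else "CONTINUE"
```

Lookalike hosts such as `evil-dropbox.com` do not match, because only the exact host or a dot-separated subdomain of a known application counts.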

 

Conclusion

All these capabilities together will allow you to be less concerned about data/credential loss, as:

a) Through SAML, user name and password combinations for cloud apps are removed or reduced

b) Application Control allows you to track which apps your users are using and take control of these applications

c) You can decide what to do with sensitive data and apply security countermeasures against potential leakage/loss of information by blocking the transfer or encrypting the content.

 

 

IDC describes the above concept as Cloud Security Gateway, lists McAfee Web Gateway as a product that falls into that market, and recognizes the product's capabilities in these areas.

See Cloud Security Gateways — The New Security Pipeline - Table of Content - 251546 in case you would like to know more and want to purchase the research from IDC.