In many respects, Cloud Access Security Brokers are the future of what we currently know as the data center firewall. How so, you ask? A data center firewall sits in front of enterprise applications/databases (systems of record), providing control and visibility. What happens to that data center firewall when our CRM moves to Salesforce, file sharing moves to Box, and our email moves to Office 365? Our next-generation firewall becomes a very fancy, very expensive, "Next-generation Door Movement Protection" (NGDMP) device.
(Author's note: I recognize that the firewall pictured is not a typical data center firewall - creative license at work).
In the traditional, stateful firewall world, policies were based on a 5-tuple. Specifically:
- Source IP
- Source Port
- Destination IP
- Destination Port
- Protocol (e.g., TCP or UDP)
As the security industry adopted the "next-generation firewall," we expanded the 5-tuple to include:
As our systems of record move to the cloud, a new "tuple" becomes our basis for policy decisions. We call it the cloud-tuple. Unfortunately, the cloud-tuple is entirely different from what we've done with our traditional firewalls. Fortunately, it allows us to write policy with contextual elements that are simple to interpret and understand. What are the elements of this new model, and what questions does it allow us to answer?
- User/role - employee or contractor? Sales or engineering?
- Device - managed? unmanaged?
- Application - Salesforce? Office 365?
- Location - inside a corporate office? In a country where we don't do any business?
- Transaction - Downloading a file? Sending an email?
- Data - Contains PII or credit card data?
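As an added example (not code from the original post or from any CASB vendor), here is a toy policy engine that evaluates rules written against the six cloud-tuple elements. It keeps the two habits firewall administrators already rely on, first-match-wins ordering and an implicit default deny, so that a rulebase reads the same way a traditional one does. The field names, rule syntax, country list and sample transactions are all constructed assumptions for illustration.

```python
"""Toy CASB-style policy evaluation over the six "cloud-tuple" elements.

Added example, not code from the original post. The field names, the rule
syntax and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CloudEvent:
    """One observed SaaS transaction, described by the cloud-tuple."""
    user: str
    role: str                    # user/role: "employee" or "contractor"
    department: str              # user/role: "sales", "engineering", ...
    managed_device: bool         # device: enrolled in management or not
    application: str             # application: "salesforce", "office365", "box"
    country: str                 # location: ISO 3166 alpha-2 of the request origin
    transaction: str             # transaction: "download", "send_email", "view", ...
    data_labels: FrozenSet[str]  # data: classification labels, e.g. {"pii", "pci"}


@dataclass(frozen=True)
class Rule:
    """A policy rule. Unset criteria are wildcards; set criteria must all match."""
    name: str
    action: str                                   # "allow" or "block"
    roles: Optional[FrozenSet[str]] = None
    departments: Optional[FrozenSet[str]] = None
    managed_device: Optional[bool] = None
    applications: Optional[FrozenSet[str]] = None
    countries: Optional[FrozenSet[str]] = None
    transactions: Optional[FrozenSet[str]] = None
    data_labels: Optional[FrozenSet[str]] = None  # matches if any label overlaps

    def matches(self, ev: CloudEvent) -> bool:
        return all((
            self.roles is None or ev.role in self.roles,
            self.departments is None or ev.department in self.departments,
            self.managed_device is None or ev.managed_device == self.managed_device,
            self.applications is None or ev.application in self.applications,
            self.countries is None or ev.country in self.countries,
            self.transactions is None or ev.transaction in self.transactions,
            self.data_labels is None or bool(self.data_labels & ev.data_labels),
        ))


def evaluate(rules: List[Rule], ev: CloudEvent, default: str = "block") -> Tuple[str, str]:
    """First match wins, as in a firewall rulebase; anything unmatched hits the default."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action, rule.name
    return default, "implicit-default"


# Constructed rulebase: specific blocks first, a scoped allow last, default deny.
BUSINESS_COUNTRIES = frozenset({"US", "GB", "DE"})
POLICY: List[Rule] = [
    Rule("block-regulated-data-to-unmanaged", "block",
         managed_device=False, transactions=frozenset({"download"}),
         data_labels=frozenset({"pii", "pci"})),
    Rule("block-contractor-outbound-email", "block",
         roles=frozenset({"contractor"}), applications=frozenset({"office365"}),
         transactions=frozenset({"send_email"})),
    Rule("allow-from-business-countries", "allow", countries=BUSINESS_COUNTRIES),
]


def decide(ev: CloudEvent) -> Tuple[str, str]:
    return evaluate(POLICY, ev)


# Constructed sample transactions. Note that every one of them would present the
# same destination IP/port to a 5-tuple firewall (the SaaS provider's front door).
SAMPLE_EVENTS = {
    "sales_managed_download": CloudEvent("alice", "employee", "sales", True,
                                         "salesforce", "US", "download", frozenset({"pii"})),
    "sales_unmanaged_download": CloudEvent("alice", "employee", "sales", False,
                                           "salesforce", "US", "download", frozenset({"pii"})),
    "eng_view_unusual_country": CloudEvent("bob", "employee", "engineering", True,
                                           "box", "BR", "view", frozenset()),
    "contractor_sends_email": CloudEvent("carol", "contractor", "engineering", True,
                                         "office365", "GB", "send_email", frozenset()),
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        action, rule = decide(ev)
        print(f"{label:28s} -> {action:5s} ({rule})")
```

The point of the last sample is worth dwelling on: the engineer viewing a file from a country outside the business list is blocked by nothing more specific than the implicit default, exactly as a traditional rulebase would drop traffic that no explicit rule permits. The difference is that the criteria doing the work here (role, device posture, application, origin country, transaction type, data label) are ones the old 5-tuple cannot express once every tenant's traffic shares the provider's IP addresses and port 443.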
Does this mean your NGDMP is going away anytime soon? Absolutely not - we'll continue to have plenty of need for protection within our data centers for a long time to come. It does, however, mean that we have new systems with sensitive data that needs to be protected, and a new way of protecting that data.