Glass Class - Security Policy Language For The Cloud


Glass Class - The Cloud-tuple: The New Security Policy Language For The Cloud 

Video Transcript

Hi! I'm Rich Campagna with Bitglass. In today's Glass Class session, we're going to be talking about the Cloud-Tuple, or "tuple," depending on what part of the country you're from. The Cloud-Tuple is the basis for Cloud Access Security Broker (CASB) policies as we move from premises applications out to the cloud. To describe this, let's take a look at the history of our security policy, primarily oriented around firewalls, which of course protect the premises applications. This may look familiar: you have source IP and port, destination IP and port, and protocol. This makes up the basis for the 5-tuple, or just the basic policy mechanism in most firewalls up until a couple of years ago, and then along came the next-generation firewall, and this got a little bit more comprehensive. We added some additional depth and color to our policies by adding things like the user or user identity, their role within the organization perhaps, and the actual application itself. These are the 2 main things that a next-generation firewall adds to a traditional stateful firewall.

As we move out to the cloud, there's a new basis for security policies. Things like IP address and port are no longer applicable because the IP may change, and the port is probably port 443. Things like the application and the user still apply here out in the cloud. We're still going to talk about the user or their role. We're going to talk about the application itself. Is this user accessing Google Apps? Is this user accessing [inaudible 00:01:39]? There are a number of other variables that are going to come into play with our policy within the cloud access security broker as well: location. Is this user inside of one of our corporate locations, meaning less risk, or is the user outside? Are they in a place where we do business, or in a country like North Korea or Russia where we don't have any corporate locations? The device itself. Most commonly, what people are looking at is whether this is a managed device or an unmanaged device.

Probably the last couple of pieces here are the transaction itself: what is this user doing? Am I logging into Box and simply viewing a file in a web-based viewer, or am I logging into Box with my Box sync application and downloading a bunch of files proactively onto the device itself? The last one is the data itself. If I work for a company in a regulated industry, is this sensitive data that needs to be protected? Perhaps personally identifiable information.

These 6 variables, the user and their role, the application, the location, the device (specifically managed or unmanaged), the transaction the user is conducting, and the data the user is accessing or the sensitivity of that data, make up what we call the Cloud-Tuple, which is the basis for security policies when you move to the cloud and you're protecting a cloud app with a cloud access security broker.

The downside here is that this is a new concept, a new construct to learn. Some of us have been working with these types of concepts for 10 or 15 years or even longer. Here, it's a new concept. The upside is that this is designed from the ground up to be plain English, something that a human can read and understand, and hopefully a much more understandable and more easily implemented type of policy than we have had with firewalls in the past.

Thanks for joining today's Glass Class session. My name is Rich Campagna.
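The six attributes described in the transcript can be turned into a small first-match policy evaluator, the same shape as a firewall rule base but keyed on the Cloud-Tuple instead of the 5-tuple. The following is an added example written for this page; it is not Bitglass code and does not reflect how any CASB product represents policy. The rule fields, the `corporate`/`external` location tags, the list of corporate sites, the sample policy and the sample requests are all assumptions constructed for illustration.

```python
"""Toy CASB policy evaluator over the six Cloud-Tuple attributes.

Added example, not Bitglass code. Rule format, attribute names, the
corporate-site list and the sample policy are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Constructed sample data: sites the organisation treats as "inside".
CORPORATE_LOCATIONS = {"hq-sf", "office-nyc"}
DEFAULT_ACTION = "deny"  # nothing matched: fail closed, as a firewall would


@dataclass(frozen=True)
class Request:
    """One Cloud-Tuple: the six attributes the transcript enumerates."""
    user: str
    role: str
    application: str
    location: str           # corporate site name or ISO country code
    device_managed: bool
    transaction: str        # e.g. "view", "download", "sync", "share"
    data_sensitivity: str   # e.g. "public", "internal", "pii"


def location_tags(location: str) -> Set[str]:
    """Map a raw location to the tags a rule may match on (assumed scheme)."""
    if location in CORPORATE_LOCATIONS:
        return {"corporate", location}
    return {"external", location}


@dataclass
class Rule:
    """A policy line. None means 'any' for that attribute (a wildcard)."""
    name: str
    action: str                                  # "allow" or "deny"
    role: Optional[Set[str]] = None
    application: Optional[Set[str]] = None
    location: Optional[Set[str]] = None          # "corporate", "external" or country codes
    device_managed: Optional[bool] = None
    transaction: Optional[Set[str]] = None
    data_sensitivity: Optional[Set[str]] = None

    def matches(self, req: Request) -> bool:
        """Every constrained attribute must match; unconstrained ones are ignored."""
        if self.role is not None and req.role not in self.role:
            return False
        if self.application is not None and req.application not in self.application:
            return False
        if self.location is not None and not (self.location & location_tags(req.location)):
            return False
        if self.device_managed is not None and req.device_managed != self.device_managed:
            return False
        if self.transaction is not None and req.transaction not in self.transaction:
            return False
        if self.data_sensitivity is not None and req.data_sensitivity not in self.data_sensitivity:
            return False
        return True


def evaluate(rules: Iterable[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation over an ordered rule list; default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def describe(rule: Rule) -> str:
    """Render a rule as a plain-English sentence a reviewer can read."""
    clauses = []
    if rule.role is not None:
        clauses.append("role is " + " or ".join(sorted(rule.role)))
    if rule.application is not None:
        clauses.append("application is " + " or ".join(sorted(rule.application)))
    if rule.location is not None:
        clauses.append("location is " + " or ".join(sorted(rule.location)))
    if rule.device_managed is not None:
        clauses.append("device is " + ("managed" if rule.device_managed else "unmanaged"))
    if rule.transaction is not None:
        clauses.append("transaction is " + " or ".join(sorted(rule.transaction)))
    if rule.data_sensitivity is not None:
        clauses.append("data is " + " or ".join(sorted(rule.data_sensitivity)))
    if not clauses:
        return f"{rule.action} always"
    return f"{rule.action} when " + " and ".join(clauses)


# Constructed sample policy, ordered most specific first (first match wins).
POLICY = [
    Rule("block-countries-without-presence", "deny", location={"KP", "RU"}),
    Rule("no-sensitive-data-to-unmanaged", "deny", device_managed=False,
         transaction={"download", "sync"}, data_sensitivity={"pii", "phi"}),
    Rule("unmanaged-view-only", "allow", device_managed=False, transaction={"view"}),
    Rule("managed-device-full-access", "allow", device_managed=True),
]


if __name__ == "__main__":
    for rule in POLICY:
        print(f"{rule.name}: {describe(rule)}")
    req = Request("alice", "analyst", "Box", "US", False, "download", "pii")
    print(evaluate(POLICY, req))  # ('deny', 'no-sensitive-data-to-unmanaged')
```

Rule order matters exactly as it does in a firewall rule base: the unmanaged-device view rule only allows because the more specific download/sync deny precedes it, and anything not covered falls to the default deny. The `describe` function is what gives the "plain English" property the transcript promises; it is worth keeping such a renderer beside the evaluator so that every deployed rule can be read back and reviewed.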