Application Control in the World of Cloud and Shadow IT
By Mor Naim Reinshtein, Oren Koren, Avraham Bechor and Adi Ikan
Cloud solutions are proliferating rapidly. Sometimes it seems like the pace is too fast and is coming at the expense of security considerations. Sensitive information stored on the cloud is naturally going to draw the attention of threat actors, so we must be prepared and, of course, protected.
A cloud application is the on-demand delivery of system resources over the internet, for example: data storage, databases, servers and more. Cloud computing is widespread due to its efficiency, reduced costs, increased productivity and many more benefits. Popular applications like Salesforce, Box and Office365 are cloud-based and commonly used.
In this blog, we demonstrate the use of Check Point Application Control to prevent risks across your network and in the cloud.
Check Point’s Application Control covers more than 8500 applications, 500 of which are cloud-related applications. Based on the high coverage, Application Control inspects applications, exposes deep-usage and allows you to take action – all within the cloud itself.
Check Point’s Application Control policy granularity allows you to not only discover and inspect the applications used, but also expose actual user actions. By enabling the ‘Accounting’ feature on an application control rule, you can get full visibility of your users’ actions as well as the traffic usage.
Shadow IT – Hiding in the Dark
This past year, with COVID-19 covering the headlines, businesses everywhere embraced the new normal. The pandemic was a driver and motivator for organizations to change the whole concept of how their employees work. We have seen a gradual but steady move to working from home, directly resulting in an increase in cyber-attacks targeting this new, vulnerable, and ripe-for-the-picking area. Securing and managing your data in today's world is becoming more challenging, and one of the major issues is Shadow IT. Shadow IT refers to IT systems, devices, software, applications, and services that are used without explicit IT department approval.
Cloud-based applications make it easier to use Shadow IT apps and bypass the IT organizational requirements. Employees may use applications as part of their daily work, yet IT teams may not even be aware of such usage. This is a potentially significant security risk for an organization and may result in data leaks, potential compliance violations, ransomware attacks and sometimes even system compromise.
Possible Shadow IT scenarios and takeovers include the following:
Top Shadow IT apps:
Example 1 – Prevent uploading internal data to unmanaged data repositories
An employee working from home decides to upload internal documents to his private OneDrive without the approval of the IT department. This violates company policy.
Because the company uses Check Point’s VPN and a deployment method that redirects the user through a Check Point Security Gateway, the gateway detects and drops the upload attempt by using a simple rule in the Rule Base for “file storage and sharing.”
The File Storage and Sharing category includes multiple products. The admin can create a deterministic rule on a specific application rather than on the global category.
Therefore, Application Control allows you to monitor which app data is passed, and make sure employees are in compliance with the policy defined by the IT team. This prevents potential data leaks, and prevents Shadow IT issues.
Example 2 – Block access to non-corporate applications
An employee creates a personal account in Office365 for mail and storage purposes. The employee decides to upload internal resources to his personal account for the purpose of selling the company’s intellectual property to a competitor.
The granularity of the Application Control for Cloud Applications allows the admin to create a simple rule that blocks any login attempts to a non-corporate domain, thereby eliminating the potential threat of data theft from the organization.
In the image below, you can see that the first rule is “Allow login to corporate Office365 account” and the second rule “Block login to a consumer Office365 account”:
Example 3 – Domain and user granularity in cloud services
An admin wants to allow a group of users to log in to a specific Office365 domain and block all the other users.
This is where the Application Control signature tool comes into play. It allows the admin to create a dedicated application per Office365 domain or per specific user, all within the native Check Point Rule Base. We use the signature tool to create a custom application named ‘Office365-enterprise-my_domain.com’ that contains a list of permitted domains. We then add this custom application to our Rule Base to allow only a group of users to connect to the specific Office365 domain.
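The decision logic behind Examples 1 to 3 can be sketched as a first-match rule base. This is an added illustration, not Check Point rule syntax or its matching engine; the rule names, the 'finance' group, the application labels, the final cleanup rule and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: application labels, groups and domains are illustrative only.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "drop"
    application: Optional[str] = None           # None matches any application
    login_domains: Optional[frozenset] = None   # None matches any login domain
    groups: Optional[frozenset] = None          # None matches any user group

    def matches(self, event):
        if self.application is not None and event["application"] != self.application:
            return False
        if self.login_domains is not None:
            # Compare only the domain part of the login identity, case-insensitively.
            domain = event.get("login", "").rpartition("@")[2].lower()
            if domain not in self.login_domains:
                return False
        if self.groups is not None and event["group"] not in self.groups:
            return False
        return True

# Order matters: the narrow allow rule must sit above the broad block rule.
RULE_BASE = [
    Rule("Allow finance to corporate Office365", "allow", "Office365",
         frozenset({"my_domain.com"}), frozenset({"finance"})),
    Rule("Block all other Office365 logins", "drop", "Office365"),
    Rule("Block personal OneDrive upload", "drop", "OneDrive-upload"),
    Rule("Cleanup", "allow"),
]

def evaluate(event, rules=RULE_BASE):
    """Return (action, rule name) of the first rule that matches the event."""
    for rule in rules:
        if rule.matches(event):
            return rule.action, rule.name
    return "drop", "implicit drop"

# Constructed sample events.
EVENTS = [
    {"group": "finance", "application": "Office365", "login": "dana@my_domain.com"},
    {"group": "finance", "application": "Office365", "login": "dana@outlook.com"},
    {"group": "sales", "application": "Office365", "login": "lee@my_domain.com"},
    {"group": "sales", "application": "OneDrive-upload"},
    {"group": "sales", "application": "Salesforce"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(evaluate(ev), ev)
```

Swapping the first two rules would drop every Office365 login, including the permitted group, which is why the specific allow rule is placed first.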
Summary
Check Point Application Control gives you full visibility, and the ability to monitor and secure your network in the cloud, thus preventing potential cyber-attacks and misuse of products in your organization like Shadow IT.
Application Control is used by Check Point Quantum & Harmony, allowing you to discover Shadow applications on on-premise deployments alongside branch offices. Harmony Endpoint & Harmony Mobile use a parallel, unique capability to detect Shadow IT applications, providing an additional layer of threat prevention.
Check Point Shadow IT Detection is supported in all Infinity Architecture products.
Network, SDWAN, SAAS, Endpoint and Mobile support Shadow-IT detection and prevention using various methods: