Cisco IT Insights
Securing Third-Party Cloud Applications
What
A growing portion of the applications we use at Cisco are hosted on third-party clouds. In fact, the Information Security (InfoSec)
team now conducts more security assessments for applications hosted on public clouds than for applications hosted on-premises.
“Rather than resisting the move to a world of many clouds because of security concerns, we’re embracing the shift,” says
Mohammed Iqbal, Cisco InfoSec architect.
We’re working on two projects to protect confidential data stored on third-party clouds. One is creating trusted services that
consider the context of a request before granting access. The other is extending our network and security policies to approved
third-party clouds.
Making Applications Smarter About Granting Access
Today our third-party cloud applications grant access based on user identity: username, password, and sometimes a one-time
token. Now we’re making applications smarter about granting access. The project is called Trusted Service. The concept is that the
application itself will take the necessary steps to stay secure and keep its data secure.
The first step in creating a Trusted Service is to make the application aware of the context of requests. The context includes not
only who is making the request but also where, how (wired, wireless, or VPN), when, and with what device. With this information,
the application can take the appropriate action to safeguard itself and its data. To achieve this goal, we plan to connect the Cisco®
Identity Services Engine (ISE) in our data center to cloud applications. ISE will communicate with the application using a
standards-based protocol.
We’re in the process of developing a monitoring framework for our third-party cloud service providers. Suppose an employee
named Aaron signs into a cloud service that stores highly confidential documents. Here’s the vision: the monitoring agent we’ve
deployed on the third-party cloud sees that Aaron is attempting to download a document. Using our API, the agent asks the ISE in
our data center to report which device Aaron is using. ISE sends a message that the device is untrusted. The agent immediately
takes the actions we’ve specified when a user attempts to download documents onto an untrusted device. The policy might be to
block access to the file entirely, for example, or to block the download but allow Aaron to view the document.
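The decision flow just described, as an added example that is not Cisco's code: a monitoring agent on the cloud application asks the identity service for device context and then applies a policy. The ISE call is simulated with a constructed lookup table, and the choice of block-versus-view-only by document classification is an assumption, since the page only lists both as possible policies.

```python
"""Context-aware download policy, modelled on the Trusted Service scenario above.

Added example, not Cisco's own code. The real ISE API and message format are
not described on the page; query_ise_device_trust() is a constructed stand-in.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"          # operation proceeds as requested
    VIEW_ONLY = "view_only"  # download blocked, in-browser viewing allowed
    BLOCK = "block"          # access to the file denied entirely


@dataclass(frozen=True)
class RequestContext:
    user: str
    device_id: str
    operation: str       # "view" or "download"
    document_class: str  # "public", "confidential" or "highly_confidential"


# Constructed posture table standing in for the ISE lookup (assumption).
ISE_DEVICE_POSTURE = {
    "corp-laptop-01": "trusted",
    "byod-tablet-07": "untrusted",
}


def query_ise_device_trust(device_id: str) -> str:
    """Simulated ISE query. Unknown devices fail closed as 'untrusted'."""
    return ISE_DEVICE_POSTURE.get(device_id, "untrusted")


def decide(ctx: RequestContext) -> Action:
    """Assumed policy: trusted devices are unrestricted; untrusted devices may
    view confidential data but not download it, and get no access at all to
    highly confidential data."""
    if ctx.document_class == "public":
        return Action.ALLOW
    if query_ise_device_trust(ctx.device_id) == "trusted":
        return Action.ALLOW
    if ctx.document_class == "highly_confidential":
        return Action.BLOCK
    if ctx.operation == "download":
        return Action.VIEW_ONLY
    return Action.ALLOW


if __name__ == "__main__":
    req = RequestContext("aaron", "byod-tablet-07", "download", "confidential")
    print(f"{req.user} on {req.device_id}: {decide(req).value}")  # view_only
```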
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
January 2016
Page 1 of 4
Figure 1. Cisco ISE Considers the Context of a Request Before Granting Access
Intercloud Fabric Extends Policies to Third-Party Clouds
In parallel with the Trusted Service project, we’re developing a trusted hybrid cloud model. The idea is to extend our data center to
approved third-party clouds (Figure 2).
“The same network and security policies will apply to applications whether they are hosted on our private cloud [CITEIS] or the
public cloud,” says Sudesh Gadewar, InfoSec cloud security architect. The underlying technology is Cisco Intercloud Fabric™,
which creates an encrypted IP Security (IPsec) tunnel between clouds. “Intercloud Fabric makes it easy for application teams to
move the application back and forth, eliminating any motivation to host applications or data on non-approved clouds,” Gadewar
says.
We’ve completed a proof of concept using Intercloud Fabric to host supply chain applications on a third-party cloud. Data travels
between our data center and the third-party cloud by way of Cisco Intercloud Fabric Firewalls installed in both locations. The proof
of concept was a success. “People accessed the application in the private cloud exactly as they would have if it were hosted on
CITEIS,” says Gadewar. “Security did not change the experience.”
Figure 2. Cisco Workforce Uses a Variety of Clouds
Why
We have several motivations for finding a better way to secure external cloud applications:
● Facilitating fast IT: Until now, application owners had to complete a lengthy security questionnaire from InfoSec. “The questionnaire generally takes two weeks for the application owner to complete and two weeks for us to review,” says Bassem Khalife, senior IT program manager. “We want to speed up assessment so that Cisco teams can start taking advantage of new applications sooner.”
● Making sure that application security doesn’t degrade over time: “Our biggest security challenges are incidents that happen outside the Cisco network,” says Iqbal. For example, an attacker might try to intercept data traveling between two external clouds. Or an employee might use a cloud service approved for confidential information to share more sensitive information.
● Avoiding risks from infected endpoints: Many security incidents happen because of compromised endpoints rather than application vulnerabilities. Examples include malware-infected tablets or public kiosks. Using ISE to check the device’s security posture before granting access reduces this risk.
● Ensuring that application data is up to date: Currently we use batch processing to update application databases hosted on third-party clouds. If we’re confident that intercloud communications are secure, we can update databases in real time.
● Scaling automatically: With a secure hybrid cloud model, we can automatically provision the right amount of third-party cloud infrastructure based on current workload. Automatic provisioning avoids slow performance resulting from not having enough infrastructure. It also avoids paying for more infrastructure than needed.
Iqbal concludes, “As public clouds have matured, so has their security. But it’s up to the tenant to use public clouds in a secure
manner. That’s why we’re shifting how we do security assessments. Instead of conducting a one-time assessment, we’re
implementing controls to make sure we continue to use the application securely over time. The result is a trusted service for
employees, partners, customers, and our IT team.”
For More Information
Cisco Identity Services Engine
Cisco Intercloud Fabric
To read Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
http://www.cisco.com/go/ciscoit.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.
Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to
the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.