As the web has evolved, so have the security products and services that control our use of it. In the early days of the “static web” it was enough to tell us which URLs to avoid because the content was undesirable (porn etc.). As the web became a means of distributing malware and perpetrating fraud, there was a need to identify bad URLs that appeared overnight or good URLs that had gone bad as existing sites were compromised. Early innovators in this area included Websense (now a sizable broad-base security vendor) and two British companies: SurfControl (which ended up as part of Websense) and ScanSafe, which was acquired by Cisco.
These URL filtering products are still widely used to control user behaviour (for example, you can only use Facebook at lunch time) as well as to block dangerous and unsavoury sites. They rely on up-to-date intelligence about all the URLs out there and their status. Most of the big security vendors have capability in this area now. However, as the web became more interactive (for a while we all called this Web 2.0) there was a growing need to be able to monitor the sort of applications that were being accessed via the network ports typically used for web access: port 80 (for HTTP) and port 443 (for HTTPS). Again, this was about controlling user behaviour and blocking malicious code and activity.
To achieve this, firewalls had to change; enter the next generation firewall. The early leader in this space was Palo Alto Networks. The main difference with its firewall was that it was application aware, with a granularity that could work within a specific web site (for example, applications running on Facebook). Just as with the URL filtering vendors, next generation firewalls rely on application intelligence: the ability to recognise a given application by its network activity and allow or block it according to user type, policy etc. Palo Alto Networks built up its own application intelligence, but there were other databases, such as FaceTime (a vendor that found itself in a name dispute with Apple), which was acquired by Check Point as it upgraded its firewalls. Other vendors including Cisco’s Sourcefire, Fortinet and Dell’s SonicWALL have followed suit.
The rise of shadow IT
So with URLs and web applications under control, is the web a safer place? Well yes, but the job is never done. A whole new problem has emerged in recent years with the increasing ability for users to upload content to the web. The problem has become acute as users increasingly provision cloud services over the web for themselves (so-called shadow IT). How do you know which services are OK to use? How do you even know which ones are in use? Again this is down to intelligence gathering, a task embarked on by Skyhigh Networks in 2012.
Skyhigh defines a cloud service as anything that has the potential to “exfiltrate data”; so this would include Dropbox and Facebook, but not the web sites of organisations such as CNN and the BBC. Skyhigh provides protection for businesses, blocking their users from accessing certain cloud services based on its own classification (good, medium, bad) and providing a “Cloud Trust” mark (similar to what Symantec does for websites in general). As with URL filtering and next generation firewalls, this is just information; rules about usage need to be applied. Indeed, Skyhigh can provide scripts to be applied to firewalls to enforce rules around the use of cloud services.
However, Skyhigh cites other interesting use cases. Many cloud services are of increasing importance to businesses; LinkedIn is used to manage sales contacts, while Dropbox, Box and many other sites are used to keep backups of documents created by users on the move. Skyhigh gives businesses insight into their use, enables them to impose standards and, where subscriptions are involved, allows usage to be aggregated into single discounted contracts rather than being paid for via expenses (which is often a cost control problem with shadow IT). It also provides enterprise risk scores for a given business based on its overall use of cloud services.
Beyond this, Skyhigh can assert controls over those users working beyond the corporate firewall, often on their own devices. For certain cloud services to which access is provided by the business (think salesforce.com, ServiceNow, SuccessFactors etc.), usage is forced back via Skyhigh’s reverse proxy, without the need for an agent, so that it is monitored and controls are enforced. Skyhigh can also recognise anomalous behaviour with regard to cloud services and thus provide an additional layer of security against malware and malicious activity.
Skyhigh is the first to point out that it is not an alternative to web filtering and next generation firewalls but complementary to them. Skyhigh, which mostly provides its service on-demand, is already starting to co-operate with existing vendors to enhance their own products and services through partnerships. So your organisation may be able to benefit from its capabilities via an incremental upgrade from an existing supplier rather than a whole new engagement. So, that is web security 3.0; the trick is to work out what’s next – roll on Web 4.0!