Security of remote work: Cloud solutions for business – IT’s Holy Grail or Pandora’s box (24.06.2020)

Sławomir Pyrek, Project Manager, EXATEL S.A.

Gabriel Kujawski, Systems Engineer, Palo Alto Networks

— Sławomir Pyrek —

The topic of today’s webinar is security of remote work in the context of cloud application protection. As our solutions are supported by Palo Alto Networks’ technologies, Gabriel Kujawski is here with me today as the representative of Palo Alto Networks. Together, we will provide you with information on application access security, primarily in the context of accessing and protecting SaaS applications.

This webinar will be divided into two parts. In the first part, I will present a few slides introducing the topic of application access security. In the second part, Gabriel will cover practical functions of Prisma SaaS so that you have some insight into how you can use Palo Alto’s solutions to protect your SaaS applications.

03:30

Why did we choose this topic? First of all, it’s due to changes in the functioning of IT environments. Until recently, the prevailing model was a headquarters, with employees primarily using data center via the Internet. The pattern was fairly simple as employees were hidden behind a citadel of sorts that allowed for fairly tight control of user behaviour, outgoing traffic (to the Internet) and incoming traffic (to the data center systems). In contrast, for the past few years there has been an increasing tendency to disperse applications. At the moment, we still have some applications in our own data center, while we are increasingly using applications in public clouds. Of course, we still use applications on the Internet and we turn to use SaaS applications more and more often. We use devices that are managed by our organisation, of course, and we also use devices that are not managed on the “bring your own device” basis or IOT devices. This is why we don’t have full control over the customer edges that users use. In addition to this change, there have been some rather abrupt changes due to the coronavirus pandemic. Remote work has become common and quite popular. Most organisations have been forced to move to this model of work within a short period of time. Naturally, this results in a stronger trend towards greater use of cloud applications. We’ve started to use remote communication tools to a greater extent. Of course, these tools have their vulnerabilities and the developers try to fix them on a regular basis, nevertheless, this is an additional vector of attack on our infrastructure. Additionally, companies have been forced to quickly reconfigure access to company resources. This is often combined with a change in the way sensitive documents are circulated. There is a risk of errors, either process or technical ones, during reconfiguration of such resources, which also results in a higher probability of exposing us to data loss or penetration of our systems. Also a whole lot of organisations, companies and IT personnel had to modify the systems in use in the small time window that was allotted for these changes. These changes were made quite often without a detailed vulnerability and configuration check, which can also result in a potentially higher possibility of security breaches. All these changes taking place in the short time result in a greater burden on IT and security personnel.

07:24

Going back to accessing apps from different locations – there are a few common solutions. The first one: Companies or organisations often have branch offices in order to provide users with access to the Internet, SaaS applications or the public cloud. There is a connection, whether in MPLS or IPSEC, between branch offices and the headquarters, and then the communication is led out  through the central control point either to the Internet or to SaaS type applications. This is a common solution that works, of course, but it creates some problems because all traffic from the branch has to go through the headquarters. Also, the return traffic goes back to the headquarters first and then is distributed to the branch offices. As a result, we have to scale the device in the headquarters to such a level that it can handle the inspection of traffic from all branches and from the headquarters. Of course, we also need to ensure, especially in the context of a large number of remote workers, an adequate level of system reliability, which generates some additional costs.

Also, the throughput of the Internet link must be scaled appropriately to handle traffic from all branches through a central interconnection point. Obviously, we may face such problems as for example inter-branch traffic which, due to insufficient efficiency of the connections or the central interconnection point, may not maintain proper parameters, e.g. in terms of ping. Direct connections between branch offices often result in the inability to inspect this traffic here. A similar pattern is used for remote user connections. Also, a typical pattern is to connect these users to the central interconnection point. This traffic at the central interconnection point is inspected and goes out later whether to the Internet, the public cloud or SaaS applications. Here we also have a kind of disadvantage of this solution, namely the number of remote users (in the last few months in particular) may suddenly change. At the beginning of the pandemic, virtually all of us started to work remotely. Now, some of us are going back to their offices. The question is what will happen in autumn and whether there will be another wave of Covid. At this point it can be assumed with high probability that again some employees will work remotely and here, unfortunately, the equipment in the central interconnection point must be scaled for the maximum number of users who can work remotely, of course while maintaining the requirement to ensure high availability.

11:22

Another typical solution in use is Proxy. It works great when the traffic comes from branches, remote users or from the  headquarters. However, there are some limitations here namely Proxy controls HTTP, HTTPS and FTP traffic. This solution is not particularly good for accessing SaaS applications. We can use it in relation to application access and access to our main office – with some limitations. The result of using a variety of applications like we do now is the use of a whole range of technologies. We use MPLS, remote access, VPN side to side and CASB solutions when accessing SaaS applications. However, some traffic, for example in case of SSL VPN configuration in split tunnelling is unmonitored in fact. In addition, all of these technologies, if they’re point-based, have their own logic, their own way of logging in, and it’s hard for us to capture the state of security at any given time, without proper integration work or the need for different solutions to monitor particular parts of network traffic or particular data, which of course makes it harder and more time consuming to react to potential threats and security breaches.

Palo Alto’s solution, which addresses the problem of distributed point-based security systems, is called Prisma. Its family actually consists of three components: Prisma Access, Prisma SaaS and Prisma Cloud. Today we will focus on Prisma Access and Prisma SaaS.

14:00

Palo Alto has constructed a hub in its cloud where we can access a number of apps, including the Prisma Access app. Prisma Access is a communication hub that allows us to connect, first of all, the objects of our organisation, such as headquarters, branch offices, remote users, to the places where applications and services used by our employees are provided, be it a data center, public cloud, Internet or SaaS applications. This communication hub consists of two layers, a communication (network) layer and a layer that provides security inspection capabilities. The network layer allows us to connect our resources across technologies. In case of remote workers, we can use agentless VPN technology or SSL VPN technology. When connecting branches, we can use solutions like IPSEC and SD-WAN, and we can also use dedicated tunnels. The security layer, on the other hand, offers the possibility to use all tools typical of next generation firewalls, i.e. the possibility to monitor traffic for threats that appear in it, the possibility to filter URLs, the possibility to use a sandbox system, the possibility to detect applications and control user identity. Regardless of that, we can also use this layer to provide endpoint device protection with Cortex XDR, which is a new name for Palo Alto TRAPS, and we also have the Prisma SaaS module used to secure traffic going to SaaS applications, as well as control data we process in SaaS applications.

As far as usage patterns for Prisma Access are concerned, in case of mobile users, each user has a standard agent via which we connect to a communications hub in the Palo Alto cloud and when connecting our headquarters to that hub users get access to both our headquarters and the application in the public cloud (SaaS or web application), while maintaining the inspection capabilities of this hub of course.

This gives us the advantage that first of all we have one standard agent for mobile devices, we have the same security features that we are familiar with, for example from the Next Generation platform. In the Palo Alto hub there is also a “data lake” which is where the logs are collected, so here we have the ability to use a unified technology to monitor user activity.

18:11

It’s similar with connections between locations. In a situation where we connect branch offices to this hub, the employees of these offices get access to our headquarters as well as to places in the cloud, on the Internet or SaaS applications, also with all security features. The important thing about this system is that it is scalable, so we don’t have the limitation that we have to increase the performance of the platform like we do with our  headquarters. Usually, we do not have the possibility to reduce our platform, whereas here, with this solution, we can dynamically control the number of users of these applications, but also the reliability issues are not a problem for us here. The manufacturer is responsible for the maintenance of the system, so high availability is maintained without any additional expenses. In line with the current zero-trust model, of course we don’t trust anyone, try to surrender, or monitor network traffic and data in all possible directions. There is no compromise here. Whether we’re out, whether we’re using an application on the web, in the public cloud, in our data center or a SaaS application, all that traffic is audited.

20:04

What can we do with Prisma SaaS? First of all, we can track user activity. From the access layer we can check what applications users are using. We can categorise these applications as sanctioned i.e. the ones we allow to be used in our organisation. We can also configure apps as unsanctioned i.e. the ones we don’t want our employees to use. They are flagged as unsanctioned here. We can also define so-called tolerate applications which we tolerate but restrict their certain functionalities. We can do a drill down, of course, to check which users are using these apps, at what time, from what locations and from what organisations. We certainly have the ability to track the access configuration of SaaS applications. We can whitelist them and thus allow the users to use certain apps. We can blacklist apps, which means banning apps that are undesirable. In case of tolerated apps, we can allow users to use apps to download data while ban sending data. I’ve mentioned that Prisma Access ensures standard next generation firewall features. One such important feature is SSL decryption. We can apply SSL decryption on the traffic that goes out to the Internet from the user, which of course significantly increases the visibility and ability to monitor user behaviour. I’ve also mentioned that there is a possibility to impose policies based on the identity of people who use cloud applications or access through Prisma Access. It is important that such access can be integrated with LDAP or Active Directory services that we have in our data center. Here we have the possibility of direct coupling with our LDAP and at this point the policies that we use will already be applied directly, as per the classification of the user assigned to the group.

23:06

A moment ago I discussed Prisma Access which gives us access control and activity tracking of SaaS application users, while the Prisma SaaS component ensures the ability to manage and control data used in SaaS applications. This module is connected to our cloud applications directly via API, which makes it possible to scan data that is stored in our cloud applications. As a result, we have at least the ability to identify malware that will be uploaded to these cloud applications. There is also the possibility of controlling and tracking data used in the applications. What can we do? We can use Prisma SaaS to see who has access to the data (from the public domain, from our organisation or other organisations). With Prisma SaaS we can check what data we have, what is the nature of this data, whether it contains, for example, data enabling identification of a given user, or whether it contains data confidential to our company. We also have a whole bunch of filters or mechanisms here that allow us to identify what data is stored in the cloud. Moreover, we can check who is using this data and how they are doing it. We can impose appropriate security policies on who can use what data, in what way, with what access, and of course we get the results of these policies in the form of a record of breaches integrated with the incident handling module.

If a situation occurs in which a given user goes beyond their authorisations or there is an incorrect configuration of access to resources in cloud applications, the system generates an incident and this incident can be assigned by us to an appropriate person and handled in an appropriate way, e.g. by changing access authorisations to a given file, or moving it to the quarantine, or alerting the data owner. There is also the possibility of reporting in Prism. From the reports we can learn which SaaS applications our company uses, how many files we store in cloud applications, how many of the files are shared with specific user groups and how many files contain sensitive data. With Prisma SaaS, we control user access to cloud applications with standard access control methods, as well as monitor for malware as by connecting directly to cloud applications Prisma SaaS is able to monitor data, operations on data and the way it is shared by cloud applications. Of course, in each of these cases, both Prisma SaaS and Prisma Access use sandboxing features. Both systems refer to a sandbox solution, therefore we can control the malware more precisely.

— Gabriel Kujawski — 28:31

Within the last few minutes of the webinar I am going to show you how Prisma SaaS works in practice and what you can expect when configuring the solution. Sławek talked about the app hub from Palo Alto Networks. For the past three years or so, Palo Alto Networks has been providing security applications in the form of a store where we can buy various of these. That includes Prisma SaaS and Prisma Access. As the app hub is structured in an open way, third party companies are also able to provide a variety of apps. The advantage of the solution is that we can enable a security application (providing some functionality) for a month, to check if it works, and then we can easily abandon it, and none of these activities are associated with deploying, installing, running and maintaining such an application locally. Just like any other SaaS application. As the name suggests, Prisma SaaS, apart from being used to secure SaaS applications such as Dropbox – an application that is used to exchange files by placing them in a storage space hosted on the servers of the provider of that service, is also delivered as an application hosted by Palo Alto Networks. When testing and implementing Prisma SaaS, we do not have to install anything locally, think about the database or update the system as all this will be done for you by Palo Alto Networks.

30:45

Let me log into the system to check what it looks like. I log into it through the web panel via a browser and after providing credentials I get into the system. It is a demo system, filled with some artificial data so that certain aspects of the system can be shown. When we log in, depending on what role we have – whether we have full administrative access or more limited access – we can see a certain screen layout. The first screen layout we see in most roles that can be appointed in this software is the dashboard (or a cockpit). This cockpit shows us some basic information that Prisma SaaS has gathered about the applications it secures. /disruptions/ (31:54 – 31:57) asset information. Assets shall mean here files, information stored inside secure applications. We can see that of all 150,000 files we have here, for example 120,000 are exposed to external companies and can be accessed directly without any additional authentication, which in some cases may result in some unpleasant consequences. This dashboard can be switched to a second view that cuts through the data collected here, shows data type, and we can see here information about the types of files that Prisma SaaS has managed to (…), the extension partially translates to the content of the file. There are C code files, header files, we have documents, PDF files, among other things, so this is the structure of this data that Prisma Access has access to at the moment. But looking at the extension is not a useful thing from the point of view of data security. We’re more interested in what’s inside. Prisma SaaS has algorithms the role of which is to look into a file, its contents to be exact, and determine what type of data is stored there. This information is represented by the Data Profiles dashboard, and we can see that of the collected information that has been processed, a large portion of the files contain data that constitute personal information and can be used in order to identify a person.

There is data connected to health information. There are also some files that are directly malicious because as you probably know, apps like Dropbox can be used by criminals to send out malware and easily gain access to an enterprise network by downloading some malicious file to a network drive. When presenting Prism SaaS Sławek mentioned that there was a certain set of rules describing what was allowed, what was not and what we wanted to monitor and that set of rules led to incident generation.

34:47

Have a look at a list of hypothetical incidents. I will focus on one incident – Tax ID – and start by explaining its nature. The incident involves a group of files that lie in the Box app which is the equivalent of Dropbox. Inside the Box app Tax IDs were found. Tax ID rule is based on identifiers of US taxpayers, however we have a solution which allows for detection of ID numbers for Poland. Let’s look into google_taxid.txt file. We can find out whether this file is shared, and if so, how and why it is so. The administrator directly receives information that this file is publicly available due to the fact that the directory into which it was uploaded is publicly available. Maybe this was not planned, someone may had made a mistake uploading the file to a directory not knowing that it was publicly available and anyone who got the link would be able to download it. We also receive information about the signatures that have been used and have just detected tax IDs. In this case it was US and Austrian tax IDs, but as I mentioned earlier, within Prisma SaaS we also have access to the solution that allows to detect Polish IDs. So, there are patterns for Poland as well and there is a list of five data patterns that can be useful in our Polish environment and in this way, on the basis of such a pattern, we can create our own policy and make sure that this type of data does not appear on network drives or is not exchanged via Gmail, Exchange or Office 365.

37:35

Speaking about apps, I would like to show you how easy it is to get Prisma SaaS tests up and running and then deploy and run the app because essentially one can lead to the other. We talked a lot about SaaS applications that we’re able to secure. I will now show you how to add a new app. I created a Dropbox account specifically for today’s presentation. The user with the name “Gabriel” is the admin of this Dropbox account. After a short verification, we can log in. The purpose of showing it to you is the fact that I would like you to link the admin account to the process of adding an application to Prisma SaaS. Now, I would like to go through this process with you. This is the list of applications that Prisma SaaS works with. There is Box, Google Drive, Office 365 with OneDrive, Gmail, Google Suite. We’re interested in Dropbox at the moment. So, let’s assume we’re using Dropbox. How is the process of connecting to it performed? It’s pretty simple, just a few steps that require us to log into admin account on Dropbox. It looks the same in other apps. We need to go through a brief verification again, allow Prisma SaaS to access Dropbox, click “allow” and from then on Prisma SaaS communicates with Dropbox using API. The advantage is that we don’t need to run a firewall to control what happens on my network drive. What’s more, I’ll control the activities occurring in my network drive, whether my users are in or out of the company, whether they’re using private or public devices due to the fact that Prisma SaaS communicates through software calls between Prisma and Dropbox via so-called API calls. We can see that the app has been added. I’ll rename it so we won’t get confused. When we return to the list of apps, a brief message and an exclamation mark are displayed notifying that we haven’t associated any policies with this app and there is no data on how we want to subject the information that is stored on this Dropbox to a control check.

41:10

And finally, I would like to show you how to create a simple policy. I’m going to create a policy for resources, although we also have policies for security rules and user activity which can be used to detect Dropbox logins from outside Poland. If we have a Polish organisation working in Poland, such logins could be suspicious, therefore we can detect such things, too. Let’s focus on resource policies. I will now present a simple rule and the way it is created. First, we need to name the rule e.g. “test rule”, then add a description, specify the severity level of this incident, enable the rule, then specify when it will run. We need to define first which applications you need to see this for, namely the list of apps that Prisma SaaS works with. This demo instance is quite long. I’m interested in Dropbox eth0 in this case. What would I like to detect? I would like to detect credit card numbers that are shared in public spaces. There are different data patterns, so I’m interested in credit card numbers once there are at least two of them and if such a file is shared in a public space without a password or security ensured by an external company, you will be able get to it.

In such cases I’d like to be informed immediately. Not only that – the system can also take certain actions that will cause this threat to be mitigated and the file to be quarantined. Quarantine involves taking a file from its original location and putting it in a place only the administrator has access to. We can also automatically disable this file from sharing and it will no longer be available to the public, and if someone clicks on the link, they won’t be able to get to it anyway. The advantage is that we are automatically able to mitigate these threats, unlike the other option where we can only send an e-mail warning. Those are the reactions the systems enables. In addition to that, the admin can receive an e-mail and we can create the incident I’ve just talked about and assign it to the current admin. When I click “save”, the system already has at least one rule defined that will control my newly added application. The only thing left for me to do is to start scanning. Later on, scanning is done periodically, on an ongoing basis, while the first one needs to be launched manually.

44:25

Feel free to contact EXATEL or directly Palo Alto Networks if you wish to test our system live. You are more than welcome. You’ve seen how easy it is to launch and add a new app and then watch how it works.

Since this is obviously a cloud application, there may be some concerns regarding data confidentiality. Palo Alto Networks has a broad portfolio of documents describing in detail how we process the data and where we store it. We also have the option to sign a data entrustment agreement, so some of the concerns here can be mitigated.

— Sławomir Pyrek —

Kindly do not hesitate to test our software. It is also possible to run a special UTD lab with Prisma Access so that you can get insight into this solution. EXATEL, as a partner, can also support you with regard to other technologies offered by Palo Alto Networks – from the design, through the solution implementation and maintenance to the use of Palo Alto Networks technologies in our Security Operations Center. Feel free to contact us!