VigilancePro – a new approach to cloud security
A conversation with Ed Macnair, chief executive officer of Overtis
“The challenge for companies moving into the cloud,” says Ed Macnair, CEO of Overtis, “is that the traditional IT model gets turned upside down and inside out. We’re outsourcing data; but we’re also outsourcing responsibility.” That gives us two problems: we lose control of our data; and we lose control of who can access it.
The first is because we no longer know where that data resides. “Most of the big SaaS players are American – so if we use them we’ve got the whole EU Data Protection thing to worry about.” The problem with the cloud is that the more we use it and the more we maximise the value we get from it, the more we abdicate control. And without that control we can be neither secure nor compliant.
The second problem is exacerbated by the new wave of consumerisation within computing. “The security officers I speak to,” says Ed, “are having kittens because employees are demanding, not asking but demanding, to be able to use their own devices. And it’s being allowed – which makes good business sense in a lot of areas. But we now have this plethora of different devices – iPhones and iPads, Androids, netbooks, Mobile 7 and more – all accessing our corporate data from we don’t know where. And how do we control that? And how do we know who’s holding those different devices?”
The traditional silo model for security, says Ed, has failed. “The silo model is all about point products. We can have email security products and web security products, and a firewall and our intrusion detection and prevention systems; and they can all only look at their own specific area. But they don’t understand the user. SIM and SEM try to paper over the cracks but still don’t provide end-to-end visibility of what the user is doing.” If silo doesn’t work in traditional computing, how on earth will it work in cloud computing?
Ed’s new product (VigilancePro Web Application Manager) takes a fresh approach. To get security in this new world, he says, “we have to invest security into the browser.” It’s the only common point across all the different access devices and all the different data locations. “And that’s what we’re doing,” he says. “VigilancePro is a secure browser plug-in currently available for Internet Explorer and Firefox (with Safari to follow soon).”
The basic premise of this new product is that the user doesn’t know and doesn’t need to know his or her own secure log-in credentials – it’s all managed by the plug-in. “A new user coming into the organisation gets sent a link to a site from where he or she downloads and installs the browser plug-in. That browser plug-in has the user credentials and the user permissions that control which applications can be used and what can be done with them.” Complete security provisioning in a single step. “By logging into the browser plug-in, the plug-in automatically logs the user into all the web applications he or she is entitled to use. It doesn’t bypass any strong two-factor authentication, it simply acts as a secure single sign-on to all the web applications that the user is entitled to use. And the plug-in has to be present before the user can access those applications.”
Needless to say, de-provisioning is just as easy. “Revocation is done centrally,” says Ed. “If someone leaves the company, a link to Active Directory decommissions the plug-in; and the user loses all access to the restricted areas.”
But useful as this is, it would be very wrong to think of VigilancePro as just a single sign-on system. Since it lies at the heart of the browser, it can provide tight control over what can be done via that browser; and detailed reporting on what has been done. “By implementing this as a browser plug-in, we not only get web single sign-on, but we get really granular management of all interactivity between the user and the web application – a full audit trail as to which page the user went to, and what he or she did on that page. But we also have the ability to block and actually prevent certain actions. We can control access to any tab, any URL or any view on a web page; and we can control the use of any HTML component. We can control any of the browser menu options – such as export, print, copy, cut, save as, and so on; and we have the ability to mask any regulated or sensitive data. We think this is a complete game-changer. So far we’ve been trying to manage identity in the cloud – but now we can manage user activity in the cloud.”
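As an added illustration of the control model Ed describes in the two passages above (a plug-in that holds the user’s entitlements, blocks chosen browser actions, restricts URLs, masks regulated fields, keeps an audit trail and can be revoked centrally), the JavaScript below sketches how a policy-driven enforcement layer of that kind can be written. It is not VigilancePro code and does not describe how that product is built; the policy format, host names, user names, paths and field names are invented for the example, and the in-page event hooks at the end are only the page-level subset of what a real plug-in with menu, download and tab access would have.

```javascript
// Added example of a policy-driven browser enforcement layer; not VigilancePro
// code. Hosts, users, paths and field names are invented for illustration.

// Build a constructed policy: per application, who is entitled, which browser
// actions are blocked, which URL paths are off-limits, and which fields are masked.
function makePolicy() {
  return {
    apps: {
      'crm.example.com': {
        entitled: ['alice', 'bob'],
        blockedActions: ['export', 'print', 'copy', 'cut', 'save-as'],
        deniedPaths: [/^\/admin\//],
        maskFields: ['card_number', 'ssn'],
      },
      'hr.example.com': {
        entitled: ['alice'],
        blockedActions: ['print'],
        deniedPaths: [],
        maskFields: ['ssn'],
      },
    },
  };
}

// In-memory audit trail; a real plug-in would forward this to a central store.
const AUDIT = [];

function audit(user, host, path, action, decision, reason) {
  const entry = { ts: new Date().toISOString(), user, host, path, action, decision, reason };
  AUDIT.push(entry);
  return entry;
}

// Decide whether `user` may perform `action` ('navigate', 'copy', 'print', ...)
// on `url`. Default is deny: unmanaged hosts and unknown users are blocked.
// Every decision, allow or block, produces an audit entry.
function evaluate(policy, user, url, action) {
  const { hostname: host, pathname: path } = new URL(url);
  const app = policy.apps[host];
  if (!app) return audit(user, host, path, action, 'block', 'unmanaged application');
  if (!app.entitled.includes(user)) return audit(user, host, path, action, 'block', 'not entitled');
  if (app.deniedPaths.some((re) => re.test(path))) return audit(user, host, path, action, 'block', 'denied path');
  if (app.blockedActions.includes(action)) return audit(user, host, path, action, 'block', 'action blocked');
  return audit(user, host, path, action, 'allow', 'permitted');
}

// Central de-provisioning: strip the user from every entitlement list so the
// next evaluate() call denies everything (a directory sync would trigger this).
function revoke(policy, user) {
  for (const app of Object.values(policy.apps)) {
    app.entitled = app.entitled.filter((u) => u !== user);
  }
  return policy;
}

// Mask a regulated value, leaving only the last four characters visible;
// values of four characters or fewer are masked completely.
function maskValue(value) {
  const s = String(value);
  if (s.length <= 4) return '*'.repeat(s.length);
  return '*'.repeat(s.length - 4) + s.slice(-4);
}

// Apply the application's masking rules to one record as it would be rendered.
function maskRecord(policy, host, record) {
  const fields = policy.apps[host] ? policy.apps[host].maskFields : [];
  const out = {};
  for (const [k, v] of Object.entries(record)) out[k] = fields.includes(k) ? maskValue(v) : v;
  return out;
}

// Page-level hooks, only when a DOM exists. copy/cut are cancelable DOM events,
// and Ctrl/Cmd+P is the keyboard route to print that a page script can intercept;
// a real plug-in would also cover the browser menus and downloads.
if (typeof document !== 'undefined') {
  const pagePolicy = makePolicy();
  const user = 'alice'; // in practice supplied by the plug-in's own login
  for (const ev of ['copy', 'cut']) {
    document.addEventListener(ev, (e) => {
      if (evaluate(pagePolicy, user, location.href, ev).decision === 'block') e.preventDefault();
    });
  }
  document.addEventListener('keydown', (e) => {
    if ((e.ctrlKey || e.metaKey) && String(e.key).toLowerCase() === 'p' &&
        evaluate(pagePolicy, user, location.href, 'print').decision === 'block') e.preventDefault();
  });
}

// Stand-alone walk-through with constructed inputs.
const policy = makePolicy();
console.log(evaluate(policy, 'alice', 'https://crm.example.com/accounts/42', 'navigate').decision); // allow
console.log(evaluate(policy, 'alice', 'https://crm.example.com/accounts/42', 'export').decision);   // block
console.log(maskRecord(policy, 'crm.example.com', { name: 'Jo', card_number: '4111111111111111' }));
revoke(policy, 'alice');
console.log(evaluate(policy, 'alice', 'https://crm.example.com/accounts/42', 'navigate').reason);  // not entitled
console.log(AUDIT.length, 'audit entries');
```

The design point worth noticing is that every decision, including an allow, is written to the audit trail, so the record of which page a user reached and what was blocked there is produced as a by-product of enforcement rather than as a separate logging step; and that revocation is nothing more than removing the user from the entitlement lists, after which the default-deny path does the rest.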
The problem with the cloud, then, is that you cannot secure your data by location, because you no longer know where it is; nor can you secure the users by device, because you no longer know who is holding which device. What you can secure is the channel the users take to reach the data, and that channel almost invariably runs through the browser. Control the browser and you control what the user can do; control what the user can do, and it matters far less where the data resides. In short, by controlling the browser you can get both security and compliance (this is not legal advice!) in the cloud. The caveat a practitioner will raise is that a plug-in only governs the browser it is installed in, so the approach stands or falls on the applications refusing any session that does not arrive through the plug-in, which is exactly the condition Ed describes. Almost all user access to public cloud applications goes through the browser; add security to the browser and you cover almost all of that access.