Cloud Security Solutions – SY0-601 CompTIA Security+ : 3.6

We have created new technologies to protect a new generation of cloud-based applications. In this video, you’ll learn about CASB, secure web gateways, firewalls in the cloud, and other security controls.


One of the challenges a security professional faces is maintaining the security of our data even though that data is stored somewhere external to our organization.

This is one of the largest challenges with cloud-based applications, because it becomes harder to control exactly what data is being transferred to and from those applications.

One way to manage this is through the use of a cloud access security broker, or a CASB. We would use a CASB to help enforce the security policies that we’ve already created with data that we’re storing in the cloud.

A CASB can be deployed in several ways: as agent software running on individual devices, as a security appliance on our corporate network, or as a service hosted in the cloud. Wherever it sits, that is where our security policy decisions are made.

A CASB operates on four primary characteristics, often called the four pillars. The first is visibility. The CASB needs to know exactly which cloud applications are in use and which users are authorized to use them. Being able to see exactly what data is being transferred is an important part of making that determination.

The second is compliance. Your organization may have additional regulatory requirements, such as HIPAA, PCI DSS, or some other local regulation. The CASB lets us enforce those compliance rules on every user who stores data in the cloud.

The third is threat prevention. The CASB allows authorized use of an application, but it can also be configured to block unauthorized use. That might be as simple as restricting which users or groups can reach the application and denying access to everyone else.

The fourth is data security. Other components of the CASB look at the data that is actually being transferred. If the data is sensitive, the CASB may require that it is encrypted, or it may protect personally identifiable information through data loss prevention (DLP), blocking uploads that contain it.
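To make those four functions concrete, here is an added example (not from this video and not from any CASB product) of a small policy engine in Python that evaluates constructed proxy records. The application catalogue, the group-to-application policy, the hostnames and the sample records are all assumptions made for the example; the card-number check uses the Luhn algorithm so that ordinary long numbers in an upload are not flagged as PCI data.

```python
"""Added example: a toy CASB policy engine over constructed proxy records.
Each record is the summary a forward proxy or CASB agent might emit for one
cloud request.  Visibility, compliance (PCI DSS), threat prevention (group
authorization) and data security (DLP) are applied in that order."""
import re
from collections import defaultdict, namedtuple

# Hypothetical sanctioned-app catalogue: destination host -> application name.
SANCTIONED_APPS = {
    "content.dropboxapi.com": "Dropbox",
    "api.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "Microsoft 365",
}

# Hypothetical authorization policy: which user groups may use which app.
APP_ALLOWED_GROUPS = {
    "Dropbox": {"finance", "legal"},
    "Microsoft 365": {"finance", "legal", "engineering", "sales"},
}

Decision = namedtuple("Decision", "user app action reason")

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or dashes.  The regex alone over-matches (order IDs, phone numbers),
# so every candidate is also checked with the Luhn algorithm.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def evaluate(events: list[dict]) -> dict:
    """Apply the CASB policy to each event and build the visibility report."""
    users_by_app = defaultdict(set)   # visibility: app -> users seen
    bytes_by_app = defaultdict(int)   # visibility: app -> bytes uploaded
    decisions = []
    for ev in events:
        app = SANCTIONED_APPS.get(ev["host"], "unsanctioned:" + ev["host"])
        users_by_app[app].add(ev["user"])
        bytes_by_app[app] += ev["bytes_out"]
        if app.startswith("unsanctioned:"):
            decisions.append(Decision(ev["user"], app, "block", "app not sanctioned"))
        elif ev["group"] not in APP_ALLOWED_GROUPS[app]:
            decisions.append(Decision(ev["user"], app, "block", "group not authorized for app"))
        elif pans := find_pans(ev["payload"]):
            decisions.append(Decision(ev["user"], app, "block",
                                      f"PCI DSS: {len(pans)} card number(s) in upload"))
        else:
            decisions.append(Decision(ev["user"], app, "allow", "policy satisfied"))
    return {
        "users_by_app": {a: sorted(u) for a, u in users_by_app.items()},
        "bytes_by_app": dict(bytes_by_app),
        "decisions": decisions,
    }


# Constructed sample records (not real traffic).
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "group": "finance", "host": "content.dropboxapi.com",
     "bytes_out": 2_400_000, "payload": "Q3 forecast spreadsheet"},
    {"user": "bob@corp.example", "group": "engineering", "host": "content.dropboxapi.com",
     "bytes_out": 512, "payload": "build notes"},
    {"user": "alice@corp.example", "group": "finance", "host": "content.dropboxapi.com",
     "bytes_out": 900, "payload": "customer card 4111 1111 1111 1111 exp 12/27"},
    {"user": "carol@corp.example", "group": "sales", "host": "files.unknown-share.example",
     "bytes_out": 80_000_000, "payload": "customer list"},
    {"user": "alice@corp.example", "group": "finance", "host": "content.dropboxapi.com",
     "bytes_out": 100, "payload": "ticket ref 4111 1111 1111 1112"},
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_EVENTS)
    for app, users in report["users_by_app"].items():
        print(f"{app}: {users}, {report['bytes_by_app'][app]} bytes uploaded")
    for d in report["decisions"]:
        print(f"{d.action:5} {d.user:20} {d.app}: {d.reason}")
```

Running it shows the visibility report (an 80 MB upload to an unsanctioned host from one user is exactly the shadow-IT finding a CASB exists to surface) followed by one decision per request; the last record is allowed because its 16-digit number fails the Luhn check, which is why the regex match alone should never be the blocking criterion.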

Securing an application running on your local network is difficult enough. When we move that application to the cloud, there are additional security concerns. One of the biggest is misconfiguration of the application or the cloud resources it runs on. You can implement the strongest encryption and have the strongest security policies in place, but if someone misconfigures the application to allow access, none of those policies help you.

There is also a need for strong authorization controlling access to the data. There should be granular controls that allow access for individual users or for groups of users. And you want some way to monitor all of the application programming interface (API) calls made to and by that application, to see if anybody is trying to exploit an existing API or gain access to data that would not normally be available.

We can add further security through a next-generation secure web gateway (NG-SWG). This provides security for all of our users, across all of their devices, regardless of where they are connecting from.

It is common to use a secure web gateway to monitor that API usage. This gives you detailed information about how those APIs are being queried and exactly which queries are occurring.

You can also make policy decisions with your secure web gateway. For example, you might monitor Dropbox use and make sure Dropbox is being used for corporate purposes and not personal ones.

The secure web gateway gets into the details of the data being transferred through the network. It can examine API calls, parse the JSON payloads, and understand exactly what type of API request is being made.

Once that information is examined, the secure web gateway can decide whether this type of traffic is allowed or whether it might be malicious. It can also apply different security policies depending on the type of instance being accessed. For example, a production application instance will have a completely different security profile than an instance running for development use.
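As an added example (not code from the video or from any gateway product), the following Python inspects raw API requests the way a secure web gateway would: it parses the HTTP request, decodes the JSON body, chooses a policy from the destination instance rather than from anything the client sends, and blocks debug endpoints on production, client-supplied fields the endpoint does not accept, and malformed JSON. The hostnames, endpoint list, field allow-list and sample requests are all assumptions made for the example.

```python
"""Added example: a secure web gateway inspecting API calls bound for a cloud
instance.  Policy is chosen from the destination instance (prod or dev), never
from a client-supplied header, and the JSON body is parsed before forwarding."""
import json
import re
from collections import namedtuple

# Hypothetical instance registry: destination host -> environment.
INSTANCES = {"api.shop.example": "prod", "api-dev.shop.example": "dev"}

# Endpoints each environment exposes, as (method, path regex).  The dev
# instance also exposes debug endpoints that must never be reachable on prod.
BASE_ENDPOINTS = [
    ("GET", r"^/v1/orders/\d+$"),
    ("POST", r"^/v1/orders$"),
    ("GET", r"^/v1/users/\d+$"),
]
ENDPOINTS = {"prod": BASE_ENDPOINTS,
             "dev": BASE_ENDPOINTS + [("GET", r"^/v1/debug/.*$")]}

# Fields a client may supply per endpoint; anything else (a client-chosen
# unit_price, say) is treated as an attempt to abuse the API.
ALLOWED_FIELDS = {("POST", "/v1/orders"): {"sku", "qty"}}

Verdict = namedtuple("Verdict", "action env reason")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def inspect_request(raw: bytes) -> Verdict:
    """Decide whether the gateway forwards the request to the instance."""
    try:
        req = parse_request(raw)
    except ValueError:
        return Verdict("block", None, "malformed request line")
    host = req["headers"].get("host", "")
    env = INSTANCES.get(host)
    if env is None:
        return Verdict("block", None, f"unknown destination {host!r}")

    method, path = req["method"], req["path"].split("?", 1)[0]
    if not any(method == m and re.match(p, path) for m, p in ENDPOINTS[env]):
        return Verdict("block", env, f"{method} {path} not exposed on {env}")

    if req["body"]:
        if not req["headers"].get("content-type", "").startswith("application/json"):
            return Verdict("block", env, "body must be application/json")
        try:
            payload = json.loads(req["body"])
        except ValueError:
            return Verdict("block", env, "body is not valid JSON")
        if not isinstance(payload, dict):
            return Verdict("block", env, "JSON body must be an object")
        allowed = ALLOWED_FIELDS.get((method, path))
        if allowed is not None:
            extra = sorted(set(payload) - allowed)
            if extra:
                return Verdict("block", env, "unexpected field(s): " + ", ".join(extra))
    return Verdict("allow", env, "matches policy")


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "prod_order": (b"POST /v1/orders HTTP/1.1\r\nHost: api.shop.example\r\n"
                   b"Content-Type: application/json\r\n\r\n"
                   b'{"sku": "A-100", "qty": 2}'),
    "prod_debug": b"GET /v1/debug/dump HTTP/1.1\r\nHost: api.shop.example\r\n\r\n",
    "dev_debug": b"GET /v1/debug/dump HTTP/1.1\r\nHost: api-dev.shop.example\r\n\r\n",
    "price_tamper": (b"POST /v1/orders HTTP/1.1\r\nHost: api.shop.example\r\n"
                     b"Content-Type: application/json\r\n\r\n"
                     b'{"sku": "A-100", "qty": 2, "unit_price": 0.01}'),
    "bad_json": (b"POST /v1/orders HTTP/1.1\r\nHost: api.shop.example\r\n"
                 b"Content-Type: application/json\r\n\r\n"
                 b'{"sku": "A-100", '),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = inspect_request(raw)
        print(f"{name:13} {v.action:5} env={v.env} {v.reason}")
```

The design point worth keeping from this is that the environment comes from the instance registry keyed on the destination host, so the same debug request is allowed to the development instance and blocked to production without the client being able to influence which policy applies.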

These days we can also put physical and virtual firewalls within the application flow to control exactly what data is transferred. In a cloud-based environment we don't need physical appliances, so we might spin up a virtual firewall or a host-based firewall, and because there is no physical component the cost of this type of firewall is usually lower.

This also means that you could deploy firewalls at a very granular level. You could spin up multiple firewalls for each individual virtual machine, or microservice, and allow a very fine-grained control over exactly what data is allowed through the network.

It may be that we only want simple filtering of traffic based on IP address or port number. That gives us layer 4 (TCP/UDP) controls.

More modern firewalls give us visibility up to layer 7, which means identifying exactly which application is flowing through the network, regardless of the port number or IP address in use.

This means we can set security policies that allow certain individuals on a certain network to use certain applications, while preventing any other type of communication to that service.
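An added example (not from the video) that contrasts the two: the same constructed flows are evaluated by a layer 4 rule set that only sees addresses and ports, and by a layer 7 rule set that first identifies the application from the client's opening bytes. The subnets, ports, protocol signatures and flows are assumptions made for the example. It goes slightly beyond the text by showing both the flow the layer 4 rules let through by mistake (SSH tunnelled over 443) and the one they block by mistake (SSH on a non-standard port from the ops subnet).

```python
"""Added example: the same flows judged by a layer 4 and a layer 7 rule set,
showing why port-based filtering cannot express "the ops subnet may use SSH,
and nothing else may"."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def classify_app(payload: bytes) -> str:
    """Identify the application from the first bytes the client sends, using
    a few well-known protocol signatures and ignoring the port entirely."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    src_net: str               # CIDR the rule applies to
    dst_port: Optional[int]    # None = any port
    app: Optional[str]         # None = any application (all a layer 4 rule can say)
    action: str                # "allow" or "deny"

    def matches(self, flow: Flow, app: Optional[str]) -> bool:
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if self.app is not None and self.app != app:
            return False
        return True


def evaluate(rules: list[Rule], flow: Flow, layer7: bool) -> str:
    """First matching rule wins; default deny.  A layer 4 firewall never
    looks at the payload, so to it the application is always unknown."""
    app = classify_app(flow.payload) if layer7 else None
    for rule in rules:
        if rule.matches(flow, app):
            return rule.action
    return "deny"


# Hypothetical policy: the ops subnet 10.0.1.0/24 may use SSH anywhere; every
# internal host may reach the HTTPS service on 443; nothing else is allowed.
L4_RULES = [
    Rule("10.0.1.0/24", 22, None, "allow"),     # closest layer 4 can get to "SSH"
    Rule("10.0.0.0/8", 443, None, "allow"),     # anything at all on 443
]
L7_RULES = [
    Rule("10.0.1.0/24", None, "ssh", "allow"),  # SSH on any port, only from ops
    Rule("10.0.0.0/8", 443, "tls", "allow"),    # and only TLS on 443
]

# Constructed flows (first client bytes only); TLS_HELLO is a minimal record header.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC0]) + b"\x01" * 8
FLOWS = {
    "ops_ssh_2222": Flow("10.0.1.9", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ssh_over_443": Flow("10.0.2.5", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "https_ok": Flow("10.0.2.5", 443, TLS_HELLO),
    "http_on_443": Flow("10.0.2.5", 443, b"GET /admin HTTP/1.1\r\nHost: svc\r\n\r\n"),
    "external_ssh": Flow("192.0.2.7", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:13} L4={evaluate(L4_RULES, flow, False):5} "
              f"L7={evaluate(L7_RULES, flow, True):5} ({classify_app(flow.payload)})")
```

The same `evaluate` function with a different rule list is what a per-VM or per-microservice firewall amounts to: each workload carries only the rules for the applications it is supposed to speak, and anything else on any port is denied.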

Depending on your cloud service provider, there may be security features already built into their cloud. These are provided and supported by the cloud provider themselves, and they give you many options and granular control over that provider's configuration.

Because this is built into the infrastructure you are already using, there is usually no additional cost for that functionality. This becomes more of a challenge, though, if you use more than one cloud service provider, and many organizations do.

In that case, you may want to use third-party solutions that let you see and control different aspects of security regardless of which cloud service provider you are using. This gives us a single pane of glass for the security of all of these providers, and lets us set security policies that apply across the board, whatever cloud provider is underneath.

Many of these third-party tools also provide enhanced reporting, so that we get a comprehensive view of all of our security controls across all of our cloud providers.