The Case for Altitude Networks: Cloud-Native DLP for SaaS Collaboration

Many organizations are making the shift to cloud-based collaboration and productivity tools because they make it easier — and cheaper — to deploy, manage, and use the tools people need. With services such as Google GSuite, Microsoft Office 365, DropBox, or Box, organizations can start small and scale quickly with predictable costs. Mobile device support is a given, and with a central storage facility for documents and other data, sharing is easier and more consistent. These benefits enable a dramatic reduction in organizational friction, driving higher participation and facilitating better business outcomes.

As significant as these benefits are, however, the ease with which people can share data using these cloud services brings new challenges to security and risk management teams. With SaaS tools, it’s easier for users to make an innocent mistake. They can share data with the wrong people, share the wrong data, or give outsiders broader access than necessary, creating risk for the organization. At the other end of the spectrum, malicious insiders find it easier to locate and share data with outsiders. Making matters worse, most organizations lack the tooling to find and manage these risks.

In one sense, data leakage of this kind isn’t a new problem. But SaaS collaboration products significantly increase the speed with which risks can accrue and the difficulty of identifying, prioritizing, and responding to those risks. The challenge is managing the risks that SaaS collaboration platforms create without reducing the inherent value these platforms bring to the organization.

While serving as Twitter’s CISO, Michael Coates saw this challenge and realized that he lacked the tools to address it. Traditional data loss prevention (DLP) products are heavy-handed enforcement mechanisms that don’t work well with lighter-weight SaaS products. And while cloud access security brokers (CASBs) can track down shadow IT, they typically don’t help security teams identify and remediate cloud data sharing risks with enough granularity. Coates saw an unmet need for a cloud-native solution for a cloud-native problem, one that could manage risk in real-time without compromising the user experience SaaS platforms provide.

So Coates teamed up with Amir Kavousian, a data scientist who had been working on machine learning for fraud detection on Capital One’s payment platform, and launched Altitude Networks. The result is Altitude’s “cloud-native DLP.”

Altitude Networks is a SaaS security solution, integrating with SaaS collaboration services at the API level. Customers don’t have to deploy client agents or slog through difficult back-end integration work. It applies a spectrum of tools and automation to the problem, ranging from common sense rules to more complex behavioral and relationship analysis, working in the background while giving security teams the tools to manage risks in SaaS platforms. This cloud-native approach was the leading factor in Rain’s investment in Altitude Networks.

The Problem

The data sharing risks on SaaS collaboration platforms aren’t indications that Google, Microsoft, Dropbox, and Box have failed when it comes to security. Generally speaking, their products include robust authentication and access control capabilities. But as Coates points out, many of the problems crop up when users, who happen to be human beings, fail to meet unrealistic expectations. In fact, SaaS collaboration products lack any guardrails that remind users they are sharing sensitive data or notify them (and security personnel) when sharing data creates undue risk. Those risks fall into these general categories:

  • Accidents: Accidental sharing constitutes a large percentage of the security and risk events teams see on cloud collaboration platforms. Sending a link to a draft of the quarterly financials to the CFO of a public company is easy. But a typo in the email address facilitates the sharing of sensitive data with the wrong people, and a public company faces regulatory risk. That’s just one of many well-known examples. Assuming that human beings will execute every task perfectly every day of every year is simply unrealistic. Organizations need automated mechanisms that kick in during accidental sharing incidents, helping both users and security teams address them quickly.

  • Poor (or uninformed) Risk Decisions: To an employee under a deadline, it may seem perfectly reasonable to share sensitive data with herself, using her personal email address. Sharing to a personal email address may not be acceptable under company policy, but it’s difficult to detect. And even if it is acceptable, she still has access to shared data via her personal email address when she leaves the company. Knowing that such things happened, who did it, and what data was shared — and shutting access off when she quits — are clear requirements, and automation is the only way to address them at scale.

  • Malicious Insiders: While they are a smaller percentage of the risk problems organizations face, malicious insiders are a reality. Former employees may download the entire contents of their Google Drives before leaving. A disgruntled engineer may steal intellectual property, or a mole could be harvesting sensitive data for a competitor. SaaS tools that make it easy to share data appropriately also make it easier to share data inappropriately. Organizations need a way to identify abnormal behavior quickly, understand the severity of the risk, and take action if necessary. Again, automation is the only way to address these problems at scale.

Problems like these crop up quickly on cloud collaboration platforms. Finding and dealing with them is much more difficult. Manually digging through logs isn’t scalable, and doesn’t come close to matching the speed at which risks accrue. And given the number of users and potential incidents, reliable automated mechanisms are baseline requirements.

On-Prem vs. Cloud-Native

Traditionally, enterprises have deployed on-premise DLP products to address the risks associated with sharing and using sensitive data, often driven by compliance requirements. More recently, CASBs emerged in an attempt to extend an enterprise’s security policies and management capabilities into the cloud. But neither DLP nor CASB products are well-aligned with cloud-native architectures, creating significant mismatches in deployment, management, and usage models. These include:

  • Adding another layer of security technology to already complex environments: Typical DLP solutions are the antithesis of lightweight, cloud-based collaboration services. They are enforcement mechanisms and, like CASBs, create duplicative security controls that can make managing risk more complicated, and thus more prone to failure.

  • Requiring long deployment cycles: DLP systems cross departmental boundaries and technology silos, making them hard to deploy and manage. More traditional DLP systems require organizations to integrate multiple appliances and servers with the network, email systems, web proxies, and identity and access management systems. Agent-based approaches eliminated back-end integration, but require organizations to install agents on every endpoint, which often creates conflicts with operating systems and applications. Given the long deployment cycles these products require, it’s usually months before organizations start to realize any value from them.

  • Frustrating users: Heavy-handed enforcement mechanisms can be intrusive, negating many of the benefits SaaS collaboration brings to end-users. And long deployment cycles can’t keep up with the pace at which users adopt cloud products that help them meet their objectives. If they prevent people from doing their work, security tools also create a perverse incentive to subvert controls. Users will find a way around them to do their jobs.

  • Lacking tools to address the problem: While a CASB can help organizations identify any cloud services in use by shadow IT, most don’t identify and prioritize risks with enough granularity. A CASB may reveal that an organization has 10,000 files shared publicly, for example, but it can’t tell a security manager which of those 10,000 files creates real risk for the company. Nor does it give the security team a mechanism for remediating threats, other than manually dealing with them.

These mismatches and shortcomings are simply yet more evidence of the mismatch between traditional, on-premise security models and cloud-native systems. As we’ve said before, securing cloud-native systems requires aligning security systems with cloud-native architecture.

Altitude Architecture

Altitude is a cloud-native security service, sold as a SaaS product, operating within the collaboration platform’s environment, according to its rules. Altitude does not create yet another management layer, such as a duplicative access control structure.

Figure 1

As Figure 1 illustrates, Altitude integrates with the SaaS platform’s APIs, gathering the metadata on every file and person in the platform. Altitude discovers the name of every file, who created it, when they created it, its security settings, who has access to it (including third parties), and every action taken on that file (such as renaming, viewing, and editing). (Altitude limits its intake to the metadata, having no need to access the actual data in any file.) Altitude’s Risk Engine operates on that meta-data, performing the following functions:

  • Meta-Data Analysis: Altitude comes with a baseline set of assumptions and rules based on common sense. If a file name includes terms such as “confidential” or “internal,” Altitude assumes that file should not be shared externally and flags any cases that violate the rule. Likewise, Altitude assumes that file names that include terms such as “salary” or “board deck” shouldn’t be shared either internally or externally. These are just a few examples. Companies can modify or add rules and terms as they go, such as project code names and other sensitive data file naming conventions.

  • Relationship Analysis: Using the meta-data and learning from usage patterns, Altitude builds relationship graphs that reveal how, and with whom, users share data, assigning confidence scores to relationships that weren’t obvious or even visible before. It will discover and map the relationship between employee company email addresses and personal email addresses, allowing security teams to understand how employees are sharing data using those mechanisms. Altitude also maps relationships with third parties, including business partners, teams that span organizational boundaries, and so on.

  • Behavioral Analysis: Altitude uses machine learning techniques to model behavior and find anomalies that may constitute risk. If employees suddenly start downloading a large number of files or sharing data with third parties they’ve never worked with before, the system flags the behavior in real-time, allowing security managers to address the problem.
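
The baseline filename rules from Meta-Data Analysis, plus a simple stand-in for the company-to-personal address link from Relationship Analysis, as an added example (not Altitude's code and not part of the original article). The record shape, the personal-domain list and the `example.com` addresses are assumptions, and matching e-mail local parts is a simplification of the learned relationship graph the article describes.

```python
import re
from dataclasses import dataclass, field

# Terms from the article's examples; a deployment would add code names etc.
NO_EXTERNAL = ("confidential", "internal")      # must not leave the company
NO_SHARING = ("salary", "board deck")           # must not be shared at all
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list

@dataclass
class FileMeta:  # hypothetical record shape, not a real SaaS API schema
    name: str
    owner: str
    shared_with: list = field(default_factory=list)
    public_link: bool = False

def _terms_in(name, terms):
    # Normalise separators so "Board_Deck" matches, and match whole words
    # so "international" does not trigger the "internal" rule.
    flat = re.sub(r"[\W_]+", " ", name.lower())
    return [t for t in terms if re.search(rf"\b{re.escape(t)}\b", flat)]

def evaluate(meta, corp_domain):
    """Return sorted (severity, rule) findings for one file's metadata."""
    owner_local = meta.owner.rpartition("@")[0].lower()
    others = [a.lower() for a in meta.shared_with if a.lower() != meta.owner.lower()]
    external = [a for a in others if a.rpartition("@")[2] != corp_domain]
    findings = set()
    if _terms_in(meta.name, NO_SHARING) and (others or meta.public_link):
        findings.add(("high", "restricted-term file is shared"))
    if _terms_in(meta.name, NO_EXTERNAL) and (external or meta.public_link):
        findings.add(("high", "internal-only file shared externally"))
    for addr in external:
        local, _, dom = addr.rpartition("@")
        if dom in PERSONAL_DOMAINS and local == owner_local:
            findings.add(("medium", "shared to owner's likely personal address"))
    return sorted(findings)

# Constructed sample metadata (not real data).
SAMPLES = [
    FileMeta("Q3_Board_Deck_DRAFT.pptx", "cfo@example.com", ["analyst@example.com"]),
    FileMeta("roadmap-CONFIDENTIAL.docx", "pm@example.com", ["pm@gmail.com"]),
    FileMeta("International_Sales_Plan.xlsx", "rep@example.com", [], public_link=True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.name, evaluate(s, "example.com"))
```

Only metadata (name, owner, sharing list, link setting) is read, matching the article's point that file contents are never needed for these checks.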

As Figure 2 illustrates, Altitude puts this information in a dashboard, allowing security managers to view risks to the organization in an organized fashion, by severity. Managers can see a history for specific files or specific users, allowing them to audit previous activity as part of the remediation process. They can also take action in real-time, including notifying the end-user of the problem, complete with instructions on how to fix it. In severe cases, a security manager can remove access to a file for a third party, or lock the file from sharing completely.

Today, Altitude supports Google’s GSuite offering. The company plans to release support for additional SaaS collaboration platforms in the future.

Conclusion

SaaS collaboration platforms have become popular because they work. They help people get their work done, and their deployment and usage patterns match the speed of the business. Instead of getting in the way of that progress, security systems must keep pace, giving security teams the tools they need to quickly discover, understand, and remediate risks in these SaaS platforms, without degrading their functionality. That’s the goal of Altitude Networks and its product. And that’s why we at Rain Capital invested in the company.

Originally published at https://www.raincapital.vc on January 13, 2020.

Translated from: https://medium.com/swlh/the-case-for-altitude-networks-cloud-native-dlp-for-saas-collaboration-76d15875f76e
