Cisco Multicloud Portfolio overview
Cloud Protect overview
Cloud Protect use cases
Cloud Protect benefits
Validated deployment steps
Configuring new policies
Incident status changes
For more information
Cisco Cloudlock software is a part of the Cloud Protect component of the Cisco Multicloud portfolio for simplifying multicloud adoption and management. This guide will lead you through the process of deploying the Cisco Cloudlock cloud access security broker to protect your organization’s cloud platforms.
This guide documents how Cisco Cloudlock secures cloud applications and data, including detecting data leakages through sanctioned SaaS applications and by protecting sensitive data and users from malicious or compromised applications. The audience for this document includes but is not limited to security analysts, security administrators, and computer security professionals who want to take advantage of an API-native, cloud-based Cloud Access Security Broker (CASB) service to secure their organization’s cloud-platform-resident data and applications.
Cisco Multicloud Portfolio overview
In a multicloud world, growing complexity is driving a cloud gap between what your customers require and what your people, processes, and tools can support. With the Cisco® Multicloud Portfolio, we make it simple: simple to connect, simple to protect, and simple to consume.
The Cisco Multicloud Portfolio is a set of essential products, software, and services supported by simplified ordering and design deployment guides to help you when it comes to multicloud adoption. Cisco Multicloud Portfolio consists of four component portfolios (Figure 1):
● Cloud Advisory: Helps you design, plan, accelerate, and reduce risk during your multicloud migration
● Cloud Connect: Securely extends your private networks into public clouds and ensures the appropriate application experience
● Cloud Protect: Protects your multicloud identities, direct-to-cloud connectivity, data, and applications, including Software as a Service (SaaS) and detects infrastructure and application threats on-premises and in public clouds
● Cloud Consume: Helps you deploy, monitor, and optimize applications in multicloud and container environments
Figure 1. Cisco Multicloud Portfolio comprises Cloud Advisory, Cloud Connect, Cloud Protect, and Cloud Consume
Cloud Protect overview
Cloud Protect consists of essential products to protect your multicloud identities, direct-to-cloud connectivity, data, and applications, including SaaS, and detects infrastructure and application threats on premises and in public clouds:
● Cisco Umbrella™
● AMP for Endpoints
● Cisco Meraki™ Systems Manager
● Tetration Cloud
● Stealthwatch Cloud
For detailed use cases, see the section about Cloud Protect on the portfolio's solution page at https://www.cisco.com/go/multicloud.
Cloud Protect use cases
Cloud Protect delivers value in the following use cases:
● Secure users connecting to the Internet (cloud), including users from data centers/main offices, branches (no Multiprotocol Label Switching [MPLS]), users who are roaming (off VPN), and “direct-to-cloud” users. Includes protection for ransomware, command-and-control callbacks, phishing attacks, and inappropriate web use.
● Secure users’ devices connecting to the Internet, both on and off the network. Security measures include blocking malicious files at initial entry by inspection and using a sandbox to further inspect unknown files for advanced protection.
● Enable endpoint protection by ensuring the right security services are installed and configured, by permitting only sanctioned apps to access the cloud, and by constantly evaluating and dynamically taking corrective action based on changes to endpoint posture.
● Secure cloud applications and data, including detecting data leakages through sanctioned SaaS applications and protecting sensitive data and users from malicious or compromised applications.
● Discover, map, baseline, and protect applications for workloads on the cloud, hybrid, and on premises. Planning application migrations, identifying deviations in application behavior, and applying security policies for enforcing fine-grain application micro-segmentation are included.
● Efficiently identify threat activity and monitor user and device behavior across the public cloud and on-premises network. Use high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT infrastructure, from the public cloud to headquarters to the branch network.
Cloud Protect benefits
Cloud Protect benefits include:
● Secure cloud identities, data, and apps/SaaS
● Provide secure cloud access for users on and off the network
● Enable easy pluggable protection of mobile devices accessing apps (for example, Apple iOS devices)
● Protect workloads on public cloud Infrastructure-as-a-Service (IaaS) providers with security policy enforcement
● Enable compliance in the cloud
● Lower risk by providing increased visibility and control
● Provide ~5% to 10% lower cost through simplified deployment
● Reduce remediation time for >30% of organizations by >90%
● Reduce malware infections for ~40% of organizations by >90%
● Protect on-premises and cloud environments with a single vendor
● Provide increased visibility tied into automated threat defense
● Dynamically react to changes in endpoint posture by controlling apps, users, and services that access cloud data via laptops and mobile devices
Cisco Cloudlock is a multitenant SaaS security platform that provides security controls for other SaaS/cloud applications (third-party or private). You can utilize Cloudlock to provide security controls such as data loss prevention, application blacklisting/whitelisting, and threat detection to off-premises SaaS/cloud applications. Key security functions performed by Cloudlock are data loss prevention, user and entity behavior analytics, and SaaS/cloud application firewalling. Cisco Cloudlock also offers a suite of management and analysis tools through a web-based user interface, enabling you to configure security policies, interrogate system results, and perform incident remediation.
The Cloudlock service integrates with SaaS/cloud applications through public APIs to access, process, and analyze customer data and activities while asserting security controls. Typical Cloudlock users employ one or more commercial SaaS/cloud applications (Google Drive, Salesforce CRM, Microsoft Office 365) as part of their IT infrastructure. End users, usually employees, access and use these commercial SaaS/cloud applications to perform their normal job functions (author documents, share files, use email, collaborate via instant messaging).
Security administrators access and utilize Cloudlock to administer and manage security policies that pertain to these commercial SaaS/cloud applications. Cloudlock application administration includes provisioning authorized access for Cloudlock to the commercial SaaS/cloud applications. Cloudlock connects to commercial SaaS/cloud applications through their public APIs on behalf of a customer using authorized OAuth API privileges. Cloudlock interacts with commercial SaaS/cloud applications, using these public APIs to access user data, collect user activity log events, and assert security controls.
The core of the Cloudlock CASB service is independent of the cloud platforms with which it integrates. At a very high level, Cloudlock uses cloud-platform APIs to retrieve structured data, evaluate the data against selected policies and configured users, and generate results in the form of incidents. When you activate Cloudlock protection, all the user metadata contained in your cloud platform is typically retrieved and evaluated but not stored. (Note that we say “typically”, not “universally”; some platforms differ.) As with all Cloudlock scanning, this protection is generally invisible, and users experience no degradation of performance.
You must have administrative privileges for the cloud platform(s) you need to integrate with Cisco Cloudlock. You must also have an account in an OAuth- or Security Assertion Markup Language (SAML)-capable service (such as Google) that you can use for your initial login to Cisco Cloudlock.
Individual cloud platforms may have additional unique requirements. For details, refer to the Cisco Cloudlock Quick Start Guide for the platform(s) you use.
Important: To ensure your Cisco Cloudlock integration process is successful, use the current version of Chrome or Firefox and temporarily set your browser configuration as follows:
● Disable private browsing mode.
● Turn off pop-up blockers.
● Turn off ad blockers.
If you see the message, “An error occurred while activating the platform,” confirm your browser configuration against the above list.
For more details about any specific platform, consult the Cisco Cloudlock Quick Start Guide for that platform. The general process for activating Cisco Cloudlock is to grant Cloudlock permission to access your cloud platform and then identify your platform to Cloudlock.
Validated deployment steps
Follow this general procedure to activate the Cisco Cloudlock service:
Step 1. Open the administration console of your cloud platform.
Step 2. In a separate browser tab, open Cisco Cloudlock using the link you received from Cisco Cloudlock Support.
Step 3. Log in using the identity provider (such as Google) you specified to Cisco Cloudlock. You will have the role of Cloudlock Global Admin.
Step 4. In the Platforms tab of the Settings page, select Configure Platform (see Figure 2).
Figure 2. Configure the platform in the Platforms tab of the Settings page
Select your platform from the drop-down menu, then click Authorize (see Figure 3).
Figure 3. Authorize your choice of platform
This completes the activation process.
To verify that your integration was successful, open the Admin Stats page in Cloudlock. Select your platform and check to be sure data has begun to be displayed.
The Navigation menu at the left provides access to all Cisco Cloudlock functions and displays. The ones you will use most often include:
● Dashboard: Use to get a “single pane of glass” overview of your environment, including all the platforms you secure with Cloudlock.
● Incidents: Review and manage incidents triggered by events monitored by policies.
● Policies: Configure the details of events you need to monitor in your environment.
Policies are the automated rules you create in Cisco Cloudlock to customize information protection to match your organization’s needs. Cloudlock comes with a wide variety of predefined policies targeted at specific regions, industries, and concerns.
Cisco Cloudlock is also preconfigured with several policies that go into effect upon activation. Although these policies apply to most organizations, we recommend you tune your policies to produce the best results for your organization. You may also want to configure additional policies to provide the protections best tailored to your needs.
The following Cisco Cloudlock policies are preconfigured to be active when Cloudlock is activated:
● US Social Security Number: This policy detects U.S. Social Security numbers in documents exposed or shared in your platform.
● Credit Card Number: This policy detects patterns that are likely to represent credit card numbers in documents exposed or shared in your platform.
● Blacklisted IPs: This policy generates incidents for events in your platform that originate from IP addresses identified as suspicious by the Cisco Cloudlock Cyberlab, as well as any IP addresses you add to your Cloudlock library of suspicious IP addresses.
● Revoke Banned Apps: This policy automatically disallows access to any apps that have been classified as banned. You see this policy only if you have subscribed to the Cisco Cloudlock Apps Firewall service, available for Google and Office 365 platforms.
The apps policies listed below are provided in your policies list. However, they are set to inactive when Cisco Cloudlock is first enabled. You see these policies only if you have subscribed to the Cisco Cloudlock Apps Firewall service, available for Google and Office 365 platforms:
● Risky Access Scopes
● Trusted Access Scopes
● Trust Apps by Name
● Monitor Under-Audit Apps
● New Unclassified App Installs
To set any of these policies to active, use the drop-down menu in that policy’s list entry (see Figure 4).
Figure 4. Activate policies using the drop-down menu for that policy
Configuring new policies
Follow these steps to configure new Cisco Cloudlock policies for your platform:
Step 1. On the Policies page, select Add a Policy, then choose Add Predefined Policy (see Figure 5).
Figure 5. To configure a new policy, begin by adding a predefined policy
Step 2. In the Add Predefined Policy dialog box, select a policy (see Figure 6). Then specify how severe the incidents generated by the policy should be (from Info to Critical). Note that the policy name and description are completed automatically for predefined policies.
Figure 6. Select the policy you want to configure and specify the severity of incidents
Step 3. When your policy selection is ready, click Configure Policy. The Policy Configuration page opens.
Policy configuration settings vary according to the policy you select. In this example, the ABA Routing Number policy, there are three content criteria panels: Regex, Threshold, and Proximity. You can also configure the context of a policy.
Some Cloudlock policies include regular expression (regex) matching. For example, in the ABA Routing Number policy, as well as in a number of others, the regex is editable (see Figure 7).
Figure 7. Regular expression (regex) policies, such as the ABA Routing Number policy shown here, can be edited
In addition to the regex search expression, you can specify up to 15 “exceptions.” These are also regex expressions, but they serve the opposite function. A regex expression searches your platform for matching patterns and generates an incident when a match is found, assuming other policy criteria are also satisfied. Regex exceptions eliminate matches. For example, consider an organization that uses ABA numbers in test documents. Since test documents always contain the label “Account Test” along with a valid ABA number, you might add “Account Test” as an exception. That would ensure that a test document containing the pattern “Account Test” would not generate a security incident in spite of containing a match to the primary regex pattern.
A “threshold” in a Cisco Cloudlock policy is the number of matches required for an incident to be generated. In this example, if you set the threshold to 5, a document containing up to 4 ABA routing numbers would not generate an incident.
A “proximity expression” is a regex pattern that must be found within a certain distance of the primary regex. Proximity expressions can greatly reduce the number of false-positive incidents generated by a policy. In our example, an ABA routing number can easily be mistaken for other groups of digits. For that reason, the policy in this example includes a proximity expression that searches for additional patterns such as “American Banking Association routing number” and other related terms that serve to further identify a numeric pattern as an ABA number. You can edit the proximity expression for this policy; however, some policies contain proximity expressions that cannot be edited.
“Proximity” refers to the proximity expression and also to the proximity value. The proximity value is the distance (in number of terms) that constitutes the limit between the primary regex expression and the proximity expression. If this policy identifies the sequence “123456789” as a possible ABA number but does not find the pattern “American Banking Association routing number” closer than the proximity limit, no incident is generated. For the ABA routing number policy, the proximity value is 100 terms.
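The four content criteria just described (primary regex, exceptions, threshold, and a proximity expression with a term-distance limit) combine into a single decision per document. The following Python is an added example, not Cloudlock code and not the product's real patterns: the class and function names, the nine-digit placeholder regex, the proximity phrases, the threshold of 2, and the sample documents are all constructed for illustration. It applies exceptions document-wide, which is this example's reading of the "Account Test" scenario above.

```python
"""Added example (not Cloudlock code): a minimal evaluator for the content
criteria a Cloudlock regex policy is described as having: a primary regex,
exception regexes, a match threshold and a proximity expression with a
term-distance limit.  All patterns and sample documents are constructed."""
from __future__ import annotations

import bisect
import re
from dataclasses import dataclass, field


@dataclass
class ContentPolicy:
    name: str
    regex: str                                           # primary pattern that flags content
    exceptions: list[str] = field(default_factory=list)  # patterns that cancel a hit
    threshold: int = 1                                   # matches needed before an incident
    proximity: str | None = None                         # pattern that must be near a match
    proximity_terms: int = 100                           # distance limit, counted in terms
    severity: str = "Warning"                            # page lists Info .. Critical

    def __post_init__(self) -> None:
        if len(self.exceptions) > 15:                    # limit stated on the page
            raise ValueError("a policy may carry at most 15 exceptions")


def _term_starts(text: str) -> list[int]:
    """Character offset of every whitespace-separated term in the text."""
    return [m.start() for m in re.finditer(r"\S+", text)]


def _term_index(starts: list[int], offset: int) -> int:
    """Index of the term that contains character position `offset`."""
    return max(bisect.bisect_right(starts, offset) - 1, 0)


def evaluate(policy: ContentPolicy, text: str) -> dict:
    """Apply the policy's content criteria to one document.

    Returns a dict with `incident` (bool), `matches` (the qualifying primary
    matches) and `reason`.  Exceptions are applied document-wide here, which is
    this example's reading of the "Account Test" scenario on the page."""
    for exc in policy.exceptions:
        if re.search(exc, text):
            return {"incident": False, "matches": [], "reason": f"exception {exc!r} matched"}

    starts = _term_starts(text)
    primary = list(re.finditer(policy.regex, text))

    if policy.proximity:
        # A primary match counts only if a proximity match lies within the limit.
        near = [_term_index(starts, m.start()) for m in re.finditer(policy.proximity, text)]
        qualifying = [m for m in primary
                      if any(abs(_term_index(starts, m.start()) - n) <= policy.proximity_terms
                             for n in near)]
    else:
        qualifying = primary

    matches = [m.group() for m in qualifying]
    if len(matches) < policy.threshold:
        return {"incident": False, "matches": matches,
                "reason": f"{len(matches)} qualifying match(es), threshold is {policy.threshold}"}
    return {"incident": True, "matches": matches,
            "reason": f"{policy.name}: {len(matches)} match(es) at severity {policy.severity}"}


# --- constructed policy and sample documents (not Cloudlock's real patterns) ---
ABA_POLICY = ContentPolicy(
    name="ABA Routing Number",
    regex=r"\b\d{9}\b",                      # placeholder: nine digits in a row
    exceptions=["Account Test"],             # the page's test-document label
    threshold=2,                             # constructed; the page uses 5 as an example
    proximity=r"(?i)(?:American Banking Association |ABA )?routing number",
    proximity_terms=100,                     # value the page gives for this policy
    severity="Critical",
)

DOC_OK = ("Payroll: American Banking Association routing number 123456789 "
          "and routing number 987654321 are on file.")
DOC_SINGLE = "ABA routing number 123456789 is used for the vendor."
DOC_TEST = "Account Test: ABA routing number 123456789 and routing number 987654321."
DOC_FAR = ("Invoice 123456789 and order 987654321. " + "lorem " * 120
           + "See the ABA routing number policy.")

if __name__ == "__main__":
    for label, doc in [("ok", DOC_OK), ("single", DOC_SINGLE),
                       ("test", DOC_TEST), ("far", DOC_FAR)]:
        print(label, evaluate(ABA_POLICY, doc))
```

Running the script shows the four outcomes the text describes: two labelled numbers raise an incident; a lone number stays under the threshold; the "Account Test" label cancels everything; and nine-digit strings more than 100 terms away from any routing-number phrase never qualify. Tuning the proximity phrases and threshold on your own document samples is where the false-positive reduction the page promises actually happens.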
“Context,” in Cisco Cloudlock policies, refers to the aspects of a document (or other container) that may be relevant but are not associated with content. You can use the Context tab (and its several panels) to restrict a policy to monitor only a specific platform (or platforms) and to identify the kinds of files you want to monitor and the size of those files. You can also target documents owned by specific users or groups, and alternatively exempt users and/or groups from being monitored.
Context also includes the extent to which a document is shared or distributed. This is “exposure.” Exposure in Cloudlock is specified for each protected platform, because cloud platforms differ in their file-sharing capabilities and features.
Finally, for the Salesforce platform, context includes object type. “Object type” refers to the type of the Salesforce object that contains the content monitored by Cloudlock. All objects—from Chatter posts to custom objects—can be monitored by Cloudlock.
Getting the most value from Cisco Cloudlock involves carefully configuring the policies you activate and establishing an effective workflow for incident management. You use the status of an incident to manage its lifecycle and create an administrative workflow. The status of a newly generated incident is set to New. The flowchart in Figure 8 shows the basic workflow for managing incidents using the Status indicator.
Figure 8. This flowchart shows the basic workflow for managing incidents using the status indicator
While you are researching an incident, you can set its status to In Progress. You might do this to allow for the time required to notify a document owner and get a response, update the document, or take another action. While an incident is in progress, no new incidents are generated from the document in violation. If you choose not to start work on the incident, the status remains New.
You may conclude on the basis of your research that the triggering document is, in fact, acceptable. For example, it might contain training information that only appears to be in violation. Set the incident status to Dismissed in these cases. When an incident is in Dismissed status, no new incidents for the document are generated by that policy. (Note that it is possible for the document to be updated in a way that violates a different policy.)
When the triggering document has been updated so that it is acceptable, set the incident status to Resolved. If the document has not, in fact, been updated, this would be a false resolution; instead, the incident should be reset to New.
Incident status changes
In most cases, when an administrator sets an incident status to In Progress, Resolved, or Dismissed, the workflow for that incident and the object that triggered it are complete. However, there are two cases in which the object may reappear in the admin workflow:
● Object modification: If the object is modified in some way that creates a new policy violation, regardless of the status of the original incident, new violations in the object will trigger a new incident.
● False resolution: If the object was intended to be updated to remove the violation, the incident could be marked Resolved while the object is not, in fact, altered. A false resolution occurs if the update was never carried out or if the violation was not entirely corrected. In that case, the object is still in violation, and so triggers a new incident. In these cases, the new incident simply enters the workflow like any other.
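The status rules in this section and the preceding one can be read as a small state machine: which statuses suppress a repeat of the same violation, and which events put an object back into the workflow. The Python below is an added model of that behaviour, not Cloudlock code. It assumes incidents are keyed by policy and object, and it treats a change in the sorted set of matches as the "object modification that creates a new policy violation"; the page does not state how Cloudlock itself identifies a new violation, so that identity rule, the class names, and the sample scan calls are this example's own.

```python
"""Added example (not Cloudlock code): a small model of the incident workflow
the page describes, showing when a re-scan of an object raises a new incident
and when the existing incident's status suppresses it."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    NEW = "New"
    IN_PROGRESS = "In Progress"
    DISMISSED = "Dismissed"
    RESOLVED = "Resolved"


@dataclass
class Incident:
    policy: str
    object_id: str
    violation: tuple[str, ...]   # sorted matches; identifies *which* violation this is (assumption)
    reason: str                  # "new violation" or "false resolution"
    status: Status = Status.NEW  # every incident starts as New


class IncidentTracker:
    def __init__(self) -> None:
        self.incidents: list[Incident] = []

    def set_status(self, incident: Incident, status: Status) -> None:
        """Administrator moves an incident through the workflow (Figure 8)."""
        incident.status = status

    def on_scan(self, policy: str, object_id: str, matches: list[str]) -> Incident | None:
        """Policy re-evaluates an object; return the new incident, or None if suppressed."""
        if not matches:                      # object is no longer in violation
            return None
        violation = tuple(sorted(matches))
        same = [i for i in self.incidents
                if i.policy == policy and i.object_id == object_id and i.violation == violation]
        if not same:
            # Object modification that creates a new violation: always a new
            # incident, whatever the status of earlier incidents on the object.
            reason = "new violation"
        elif any(i.status is not Status.RESOLVED for i in same):
            # New / In Progress: the open incident already tracks this violation.
            # Dismissed: the administrator accepted it; this policy stays quiet.
            return None
        else:
            # Every incident for this violation is Resolved, yet it is still
            # present: the resolution was false, so it re-enters the workflow.
            reason = "false resolution"
        incident = Incident(policy, object_id, violation, reason)
        self.incidents.append(incident)
        return incident


if __name__ == "__main__":
    # Constructed walk-through: match labels stand in for real detections.
    tracker = IncidentTracker()
    first = tracker.on_scan("Credit Card Number", "doc-1", ["match-A"])
    print("first scan:", first)
    print("repeat while New:", tracker.on_scan("Credit Card Number", "doc-1", ["match-A"]))
    tracker.set_status(first, Status.RESOLVED)
    print("still violating after Resolved:",
          tracker.on_scan("Credit Card Number", "doc-1", ["match-A"]))
```

The two escape hatches the page lists map directly onto the two branches that create an incident: a different violation on the same object is "new violation", and a persisting violation whose only incidents are Resolved is "false resolution". A Dismissed incident suppresses that policy alone; a scan by a different policy on the same object is keyed separately and still raises, as the parenthetical in the Dismissed paragraph notes.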
For more information
If you have further questions, please refer to the following additional resources:
● Cisco Cloudlock
For a complete list of all of our design and deployment guides for the Cisco Multicloud Portfolio, including Cloud Protect, visit https://www.cisco.com/go/clouddesignguides.
About Cisco design and deployment guides
Cisco Design and Deployment Guides consist of systems and/or solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit: https://www.cisco.com/go/designzone.