CHAPTER 13

Security as a Service

This chapter covers the following topics from Domain 13 of the CSA Guidance:

•   Potential Benefits and Concerns of SecaaS

•   Major Categories of Security as a Service Offerings

Plus ça change, plus c’est la même chose.

—Jean-Baptiste Alphonse Karr

The more things change, the more they stay the same. That’s what we’re looking at when it comes to Security as a Service (SaaS).

Everything I have covered up to now has been focused on understanding the shared responsibilities of the cloud. You’ve seen the aspects of security that the provider and the customer are responsible for. This chapter looks at how cloud services (typically SaaS and Platform as a Service [PaaS]) can be used to secure assets deployed in both the cloud and traditional environments.

The CSA Guidance refers to these services as “Security as a Service,” or SecaaS, but I prefer to use “Security Software as a Service,” because, after all, you are procuring a SaaS solution that happens to focus on security. Whether you are procuring cloud-based security services from a dedicated SecaaS vendor or leveraging security services from an Infrastructure as a Service (IaaS) provider, you are considered to be procuring SecaaS services. Whichever way you procure these services, they must meet the following criteria:

•   They must be a security product or service delivered as a cloud service.

•   They must meet the essential characteristics of cloud computing.


EXAM TIP    Remember that you’re procuring security software that meets the essential characteristics of the cloud, and you’ll be fine.

Like everything else in IT (especially in the cloud), new offerings are constantly being released. For your exam, focus on the categories covered in the following sections.

Potential Benefits and Concerns of SecaaS

I’m going to make this as simple as possible. You already know about the benefits and constraints associated with procuring cloud services, and most of that applies to SecaaS as well. That said, the following lists provide a summary of the benefits and disadvantages that are specifically associated with SecaaS.

SecaaS offers several potential benefits:

•   Cloud-computing benefits The normal potential benefits of cloud computing apply to SecaaS, including reduced capital expenses, more agility, redundancy, high availability, and resiliency. As always, you must do your due diligence to ensure that you are selecting an appropriate provider to meet your requirements.

•   Staffing and experience This is a big one, and it may be the biggest reason to adopt SecaaS. Companies around the world are struggling to find qualified cybersecurity professionals. By adopting SecaaS, you can immediately tap into a pool of experts in the area you are procuring. This can enable your staff to focus on your organizational “big picture” of cybersecurity.

•   Intelligence sharing Honestly, this is nothing new. Antivirus customers have been benefitting from intelligence sharing for decades. When the provider gets a malware sample from another customer, they make a signature file that can identify and quarantine the virus, and this will be used by all other customers.

•   Deployment flexibility This is another core benefit of SecaaS. Think of how you manage multiple locations today. Are all security controls located at your headquarters, or do you purchase hardware for every site you manage? Now how about remote workers? How do you protect them? Do you force everyone to VPN into the corporate network just to impose your controls on their connections? There is a better way: it’s called SecaaS.

•   Insulation of clients Why would you choose to allow malware into your corporate network so you can inspect it locally? You’re congesting the perimeter network for what reason again? With SecaaS, you can create a “clean pipe” coming into your network by having a remote system scan and clear out malicious traffic before it hits your corporate network.

•   Scaling and cost What happens if your 500-person company buys another company with 250 employees? Suddenly, you have to support a 50 percent larger user base. This often requires integration of different technologies and new hardware to meet this demand on resources. With SecaaS, you’d simply procure an additional 250 licenses. This is an example of the “pay-as-you-grow” cost benefits of using SecaaS.

On the other hand, using a SecaaS vendor may result in these issues:

•   Lack of visibility We know the nature of outsourcing means that our visibility into what the provider does is hindered. SecaaS is no different. You may have a high-level view of what the provider does, but you won’t have detailed knowledge of their operations. The biggest impact is in the telemetry (such as log data) that you receive from the provider. You need to ensure that available sources meet your requirements. Always remember to do your due diligence!

•   Regulation differences Where is your provider located, and can they address regulatory issues that your organization faces based on the jurisdictions in which you operate?

•   Handling of regulated data Is your provider able to be a partner? With HIPAA, for example, the SecaaS provider must be able to be a business associate if their systems will be exposed to health records. And what about PCI? Along with these standards, the Guidance calls out a scenario about employee monitoring. What is legally allowed in one jurisdiction may be prohibited in another. Again, due diligence should address these questions.

•   Data leakage Security-related information (such as logs) often contains sensitive data. This data must be highly protected in a multitenant environment. This requires that the provider implement very strong isolation and segregation. Of course, this type of data may also be required in the event of legal cases. You need to ensure that your data will not be accidentally exposed when another client faces an e-discovery request. Another example of data leakage would be leaking internal IP addresses.

•   Changing providers When you procure a SecaaS solution, you are essentially procuring a proprietary application. Changing from one provider to another will likely be a difficult effort, because there may be limited tools available to migrate data from one provider to another. A major item, in real life and for your CCSK exam, is that you must retain historical logs and other data that may be necessary for legal and compliance requirements. Not being able to export this data in a format that you can actually use without access to the provider’s tools may lead to vendor lock-in.

•   Migration to SecaaS Adoption of cloud services must always be well planned and executed. SecaaS is no different.

Major Categories of SaaS Offerings

New technology is released on an almost daily basis, so you don’t need to worry about any category that is not listed in this chapter for your CCSK exam. Notice that many of the technologies in the following sections have been covered previously in this book. That said, don’t just skip this section, because you’ll see category-specific entries here that you may be tested on as part of the exam.

Identity, Entitlement, and Access Management Services

The major offering in this category of SecaaS services is that of identity brokers. This technology can be used to implement federated identity. The CSA Guidance also presents other offerings in this category, such as Policy Enforcement Points (PEP as a Service), Policy Decision Points (PDP as a Service), Policy Access Points (PAP as a Service), services that provide entities with identities, and services that provide attributes (such as multifactor authentication).

Two other offerings are referenced in this category. The first is strong authentication services, which use apps and infrastructure to simplify the integration of various strong authentication options, including mobile device apps and tokens for MFA. The second hosts directory servers in the cloud to serve as an organization’s identity provider. You can do this in IaaS by implementing directory services in your own instances, for example.

Cloud Access Security Broker

There is nothing new in the CSA Guidance here that was not covered in the CASB backgrounder back in Chapter 11. Just in case you skipped that backgrounder, you need to be aware of a few things regarding the CASB technology for your exam.

CASB can be used in an inline blocking mode that intercepts communications directed toward a cloud service, or it can use APIs to monitor activities and enforce policies. Whereas traditional web-filtering tools allow for whitelisting and blacklisting of web sites, you want to be able to allow or restrict based on the content, not just on the web sites being accessed. This is the main differentiator between the two solutions. CASB can enforce this content-based blocking via integration with data loss prevention (DLP) services.
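As an added illustration (not code from the book or the CSA Guidance), the following Python contrasts the two decisions described above: a traditional web filter that allows or blocks by site alone, and a CASB inline decision that additionally runs a DLP check on the request content. The site policy table, host names, and the card-number pattern are constructed for the example.

```python
import re

# Constructed site policy for a traditional URL-category web filter:
# the decision is made on the destination site alone.
SITE_POLICY = {
    "filesharing.example": "block",     # blacklisted category
    "sanctioned-crm.example": "allow",  # whitelisted, sanctioned SaaS
}

# Constructed DLP pattern: a 16-digit card-like number, with or without
# space or dash separators between groups of four.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit number is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def web_filter_decision(host: str) -> str:
    """Traditional web filter: allow or block by site; content is never inspected."""
    return SITE_POLICY.get(host, "allow")


def dlp_findings(payload: str) -> list:
    """Return the card-like numbers in the payload that pass the Luhn check."""
    return [
        m.group(0)
        for m in CARD_RE.finditer(payload)
        if luhn_ok(re.sub(r"[- ]", "", m.group(0)))
    ]


def casb_decision(host: str, payload: str) -> str:
    """CASB inline mode: apply the site policy first, then DLP on the content.

    A sanctioned site is still blocked when the request body carries
    cardholder data, which a site-only filter cannot see.
    """
    if web_filter_decision(host) == "block":
        return "block: site policy"
    if dlp_findings(payload):
        return "block: DLP match (cardholder data) to " + host
    return "allow"


if __name__ == "__main__":
    # Constructed upload bodies for the sanctioned SaaS.
    print(web_filter_decision("sanctioned-crm.example"))
    print(casb_decision("sanctioned-crm.example", "card 4111 1111 1111 1111"))
    print(casb_decision("sanctioned-crm.example", "order 1234 5678 9012 3456"))
```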

CASB can be deployed as an on-premises control, or it can be deployed in a cloud environment. As mentioned earlier, a cloud deployment allows for greater options when it comes to protecting both multiple locations and remote users.

CASB vendors often support some form of rating system for cloud vendors. They will perform a general risk assessment of providers and may advise you on things such as data center locations, ownership of data used in the provider systems (owned by customer or provider once uploaded), and other items. In some instances, CASB vendors use the Cloud Controls Matrix as the basis for this risk assessment.

Although a vendor may offer both CASB and identity broker solutions, the majority of vendors offer these solutions separately.

Web Security Gateway

This technology provides web filtering, which has been around for quite some time. Web filters can determine which categories of web sites are blocked (for example, hacking sites can be restricted from access by endpoints). These solutions can also control the times of day at which sites can be accessed, and they may offer other web protection features.

The power of having a cloud-based solution is the ability to implement your policies on a global basis. For example, imagine your organization has an office in New York City, and a salesperson is working in Singapore for a series of meetings. Rather than forcing this user to connect to the office via VPN so you can inspect their web usage, their workstation would use a local point of presence in Singapore to enforce your policies.


EXAM TIP    Remember that a major benefit of SecaaS is the ability to enforce your policy using someone else’s infrastructure.

Application authorization management can provide an extra level of granular and contextual security enforcement for web applications.

E-mail Security

Implementing SecaaS that provides e-mail security is a no-brainer. With more than 90 percent of e-mail being spam these days, why would you bring all of that into your environment just so you can drop it? This is probably the best example of the “insulation of clients” benefit.

Any e-mail security solution should be able to provide control over inbound and outbound e-mail, protect the organization from risks such as phishing and malicious attachments, enforce corporate policies such as acceptable use and spam prevention, and provide business continuity options. Some e-mail security SecaaS solutions may offer functionality such as e-mail encryption and digital signatures to support confidentiality, integrity, and nonrepudiation.

Security Assessment

Security assessment solutions have been around for a good number of years. Companies can use these to support NIST, ISO, PCI, and other compliance activities. The only difference between those mature products and the SecaaS solutions is that one is performed locally and the other is in the cloud.

The CSA Guidance specifically lists three forms of security assessment systems, and you should remember these for your exam:

•   Traditional security/vulnerability assessments of cloud-based instances and on-premises servers and workstations

•   Application security assessments, including static application security testing (SAST), dynamic application security testing (DAST), and management of runtime application self-protection (RASP).

•   Cloud platform assessment tools that connect to a cloud environment via exposed APIs to assess the metastructure configuration and server instances

Web Application Firewall

The web application firewall (WAF) in SecaaS is a cloud-based firewall that operates at layer 7; it therefore understands HTTP and can block malicious traffic as a result. This SecaaS category is another “no-brainer” as far as I’m concerned. As with e-mail, how much Internet traffic hitting your network today is either junk or malicious? Drop it using someone else’s systems according to your policies.

Many cloud WAFs can stop a distributed denial of service (DDoS) attack against your network. Can your network handle a 1.3 Tbps DDoS attack? This is what GitHub was hit with back in 2018. Their services were impacted for about 20 minutes in total (about 10 minutes to identify the attack and 10 minutes for their cloud WAF vendor to fully address the malicious traffic, at which point the attacker gave up).


NOTE    Just a quick personal note on DDoS. My child, Tristan, came home yesterday from school (he’s in grade 8) and told me that a couple of kids hired a bot for free on their cellphones to target some online game during their lunch time. Yes, that’s right—13-year-old kids launching a DDoS at lunch for fun! How things have changed (yes, we had a talk about laws). Can your network be taken down by a pack of kids?

Intrusion Detection/Prevention

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are controls that can detect (IDS) and/or prevent (IPS) malicious activity in your network or your hosts. These systems can work based on anomaly detection and/or signature. SecaaS doesn’t change anything about what these controls do.

What the SecaaS version of IDS/IPS changes is how data is collected and analyzed. Rather than a company having to analyze data supplied by the agents in-house, this analysis is performed by a provider using their platform. This is an opportunity to discuss another benefit of SecaaS, mentioned earlier—your organization can outsource the analysis of potentially malicious network traffic in your environment to an organization that can potentially bring much deeper expertise and new technology to assist clients, such as using machine learning and artificial intelligence to greatly enhance what is realistically possible for the average organization.

Security Information and Event Management (SIEM)

I don’t think it’s a secret when I say that SIEM is a challenge to implement properly. We know that SIEM is able to take logs and perform all kinds of advanced analytics against them. As with IDS/IPS, the SecaaS version of SIEM doesn’t change the functionality; it eases the implementation of SIEM, turning a potential multimonth project into an outsourced solution that may be possible to implement in the same day.

I also don’t think it’s a secret to say that SIEM experts are very expensive, and there is a very limited pool of talent available. Again, when you use SecaaS, you benefit from tapping into a pool of product experts. This in turn enables your security teams to focus on the big picture of your security posture.

Encryption and Key Management

You know about encryption and the importance of a strong key management system. You also know that you can’t spell “encryption” without “cry.” SecaaS providers in this space can encrypt data on your behalf and/or manage encryption keys on your organization’s behalf.


EXAM TIP    It’s important to remember that whether you are procuring a dedicated “encryption as a service” provider or using customer-managed keys from an IaaS provider, you are procuring a SecaaS.

This category includes encryption proxies for SaaS. Again, recall that, unlike IaaS and PaaS, encryption often breaks SaaS when the SaaS provider can’t access the keys to decrypt data. This is because the SaaS provider likely needs to work with data that you upload to their platform.


EXAM TIP    Remember that encryption breaks SaaS. This may help you answer multiple questions in your CCSK exam.

Business Continuity and Disaster Recovery

This category is one that you might actually be using at home today. BC/DR SecaaS vendors back up data from individual systems (local servers or cloud instances) and copy that data up to a cloud environment.

These systems could use a local gateway to speed up data transfers and perform local recovery. This category of SecaaS can help with a worst-case scenario of having to access stored data in the event of a disaster, or it could be used as an archival solution. Using this as an archival solution gets you away from having to manage backup tapes. It also has the obvious benefit of supplying you with an offsite storage capability.

Security Management

I think this should be called “endpoint security management,” because that’s what it is all about. The security management SecaaS solution centralizes common endpoint controls such as an endpoint protection platform (EPP), agent management, network security, and mobile device management into a single cloud service. Because the centralized console is cloud-based, there is no need for local management servers, which may be very beneficial for organizations with multiple locations and remote workers.

Distributed Denial of Service Protection

Although cloud WAF does offer DDoS protection, you may be able to procure dedicated DDoS protection solutions. There is really nothing else to add that hasn’t already been said in the WAF section of this chapter. Just know for the exam that this can be a separate SecaaS and doesn’t need to be part of a WAF solution.

Chapter Review

This chapter addressed the benefits and disadvantages of SecaaS and discussed some of the various offerings available according to the CSA Guidance. You should be comfortable with the following items in preparation for your CCSK exam:

•   Selection of any cloud service requires due diligence on your organization’s behalf. SecaaS doesn’t change this critical activity.

•   Data generated by security tools of all types can be highly sensitive, and that remains true when considering SecaaS. You need to have a clear understanding of all requirements for compliance purposes. This will determine requirements for data handling and archival of log data.

•   Regulated data needs to be managed appropriately. If SecaaS systems interact with regulated data, they will need to meet or exceed existing controls within your organization.

•   Lock-in can happen if your provider doesn’t support exporting of data in a readable format.

•   Understand your provider’s data retention capabilities. If you require a five-year retention period, but your provider supports only six months, you have a gap that you’ll need to address (possibly exporting and retaining locally), or you’ll need to find another provider.

•   Finally, you need to ensure that your SecaaS service is compatible with your current and future plans as much as possible. Does the SecaaS provider support your current or planned cloud providers, operating systems, and mobile platforms, for example?

Questions

1.   Which of the following SecaaS solutions can be used to inspect HTTP traffic and can stop DDoS attacks?

A.   BC/DR

B.   WAF

C.   CASB

D.   Web filtering

2.   Which of the following SecaaS solutions can be used to enforce your policies using someone else’s systems?

A.   WAF

B.   Web filtering

C.   E-mail security

D.   All of the above

3.   You ask your SecaaS provider for an export of web filtering log data. They tell you that you can access the data using only their tools. What is the problem with this?

A.   This may be a lock-in scenario.

B.   You need to be able to export data in a CSV format for analytical purposes.

C.   Data cannot be ingested into a SIEM.

D.   All of the above are correct.

4.   What criteria must a SecaaS meet?

A.   Must have a security product or service delivered as a cloud service

B.   Must have a SOC 2 report and/or ISO/IEC 27001 certification

C.   Must meet the essential characteristics of cloud computing

D.   A and C

5.   What is NOT listed as a benefit of SecaaS?

A.   Insulation of clients

B.   Cost savings

C.   Deployment flexibility

D.   Intelligence sharing

6.   Which of the following best defines the IDS/IPS SecaaS?

A.   Local agents are installed on workstations.

B.   Local agents are installed on servers.

C.   Agents feed data to the cloud provider instead of local servers.

D.   All of the above are correct.

7.   What can be performed by security assessment SecaaS?

A.   Traditional network assessment

B.   Assessment of server instances in a cloud

C.   Assessment of applications

D.   All of the above

8.   What does a web security gateway SecaaS solution do?

A.   Inspects web traffic

B.   Limits web sites that users can access

C.   Encrypts connections

D.   A and B

9.   What is NOT a disadvantage associated with SecaaS?

A.   Lack of multitenancy

B.   Handling of regulated data

C.   Migrating to SecaaS

D.   Lack of visibility

10.   How can data transfers be sped up when using BC/DR SecaaS?

A.   Using compression supplied by the provider

B.   Implementing a local gateway device

C.   Using de-duplication techniques supplied by the provider

D.   A and C

Answers

1.   B. Web application firewalls (WAFs) can inspect network traffic at layer 7 and understand HTTP traffic as a result.

2.   D. All of the above is the correct answer. SecaaS generally enables you to enforce your policies using your provider’s systems.

3.   A. If a vendor forces you to use their platform to read log data, this will likely lead to a lock-in scenario. You will be required to maintain the relationship to access data that you will likely need to demonstrate compliance and/or satisfy legal requirements. The other answers may or may not be true.

4.   D. In order to be considered a SecaaS service, the provider must have a security product or service delivered as a cloud service and must meet the essential characteristics of the cloud. SOC or ISO/IEC is not listed as a requirement.

5.   B. Yes, this is a tricky answer. Note the “cost” benefit doesn’t say you will save money using a SecaaS service. It says you can “pay as you grow.” Does this mean SecaaS is cheaper? Not necessarily. In fact, it could be more expensive than internal systems you use today.

6.   C. IDS/IPS systems ingest data from agents and analyze such data in the provider’s environment.

7.   D. All of the listed activities can be performed by a security assessment SecaaS.

8.   D. Web security gateways offer a protective control that can inspect web traffic for malware and limit the web sites that users can access. They do not perform encryption.

9.   A. Strong multitenancy is something you should check for when performing due diligence of a provider, because a lack of it could cause issues, specifically if other tenant data is compromised as a result of an e-discovery request against another tenant.

10.   B. The correct answer is to implement a local gateway device. Though a local gateway may speed up data transfers by using the other techniques, they are not identified directly.
