Blue Coat Systems Cloud Security Service Overview. Blue Coat Cloud Security Service (ThreatPulse)

Transcription

1 Blue Coat Systems Cloud Security Service Overview Blue Coat Cloud Security Service (ThreatPulse)

2 Blue Coat Cloud Security Service: Security Statements Contact Information Americas: Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland For concerns or feedback about the documentation: Copyright Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT ) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Americas: Rest of the World: Blue Coat Systems, Inc. Blue Coat Systems International SARL 420 N. Mary Ave. 3a Route des Arsenaux Sunnyvale, CA Fribourg, Switzerland Document Number: Document Revision: 01/2013 ii

3 Contents This document contains the following sections: Section A: "About the Blue Coat Cloud Security Solution" on page 4 Section B: "Where the Cloud Security Service Stores Data" on page 9 Section C: "About Blue Coat Customer Information Security" on page 11 3

4 Using the Blue Coat Document Templates Section A: About the Blue Coat Cloud Security Solution Section A: About the Blue Coat Cloud Security Solution This section provides an overview of the Blue Coat Cloud Security Solution. Abstract Blue Coat offers its market-leading Web Security Solution as a cloud-based subscription service: the Blue Coat Cloud Security Service. This service, product named ThreatPulse, provides Web security to organizations of all sizes. The user-based subscription model allows you to pay only for what resources you require and eliminates the need for onpremise hardware installation and operating system maintenance. If you are a current Blue Coat customer, you can also configure on-premise ProxySG appliances with ThreatPulse, which allows for existing proxy authentication and the creation of unified policy across all devices. Whether accessing the Web from behind the corporate firewall, remotely from a corporate asset (such as a laptop), or from a corporate-owned or personal mobile device, users are protected from malware and other Web-borne threats. Furthermore, they must abide by acceptable corporate Web use as determined by the content filtering policy that you define. All Web-based traffic (HTTP and HTTPS) routes from the internal network through the firewall to ThreatPulse. Blue Coat supports multiple access methods: Firewall/VPN: Web traffic routes (transparently) to ThreatPulse through an IPsec (VPN-to-VPN) connection. Blue Coat officially supports Cisco ASA and 1941 devices, Juniper SRX and SSG20 devices, and Check Point firewall devices. Other devices might work and Blue Coat continues to evaluate and test them. 4

5 Section A: About the Blue Coat Cloud Security Solution Authentication: Requires the Auth Connector, which integrates with your LDAP/ Active Directory. This application forwards user and group information to ThreatPulse for use in Advanced Policy. Proxy Forwarding: This access method enables you to configure an existing proxy to send Web requests to ThreatPulse. In a proxy chaining deployment, the gateway proxy is configured to route the requests. Non-Web requests (including internal network traffic) are not sent to ThreatPulse. In addition to Blue Coat ProxySG appliances, ThreatPulse also supports traffic from Microsoft Internet Security and Acceleration (ISA) 2006 or Microsoft Forefront Threat Management Gateway (TMG) proxy servers. Upon request, you can also receive instructions for Squid devices. Authentication: Supports the authentication configuration on the proxy. Remote Clients/Users: For employees who use corporate devices, such as laptops, from locations external from the corporate network are protected by a light-weight application called the Client Connector. All Web requests are sent transparently. Authentication: There are two supported methods: You can rely on the default behavior, which uses the corporate credentials entered when the user logs onto the system. You can enable challenge-based auth, which is also known as Captive Portal. This requires users to enter their valid credentials each time they begin a new browser session. It also allows for greater security control, as Active Directory lockout settings apply and an administrator can deactivate access for a lost device or compromised device. (This feature requires the Auth Connector application.) Explicit Proxy: You can configure browsers to point to Proxy Automatic Configuration (PAC) files, which in turn route traffic to ThreatPulse. This method is recommended for demonstrations and proof of concept. Trans-Proxy (Explicit Proxy Over IPsec): A trans-proxy deployment is one where the same Web request is instigated by the browser as an explicit proxy connection but viewed by the cloud service as a transparent request. This is achieved by installed PAC files on browsers that route to the firewall device, which then provides an IPsec connection to ThreatPulse. 5

6 Using the Blue Coat Document Templates Section A: About the Blue Coat Cloud Security Solution Global Presence The Blue Coat Web Security Service (ThreatPulse) is deployed globally on designed-forpurpose, multi-tenant architecture. Blue Coat has deployed data pod locations across the globe. This scalable infrastructure ensures proper cloud processing resources regardless of where your users connect. Note: Blue Coat continues to add more data pod locations. These maps are for example purpose only and might not contain all of the currently in-operation locations. Later in this document, Section B: "Where the Cloud Security Service Stores Data" provides more details about how these datapods function. What Services Does ThreatPulse Provide? By default, ThreatPulse provides protection against malware and other Web-borne threats to your network security. The service also provides a Web-based portal from which you can define advanced or basic content filtering policy, control specific Web Application access, and generate reports on all Web-based activity. Refer to the following sections for more details. Malware Protection As an Internet-based service, ThreatPulse leverages the Blue Coat WebPulse technology, which ensures real-time protection against known and newly-arriving Web-borne threats. The service uses an ecosystem of WebPulse and inline scanning technology (from multiple vendors) to examine Web content. The resulting behavioral analysis identifies malicious and suspicious sites, bot-net traffic, and phone-home malware. The community-driven WebPulse technology allows all of these threats to be categorized in real-time. 6

7 Section A: About the Blue Coat Cloud Security Solution Content Filtering ThreatPulse enables you to define a content filtering policy that satisfies your business requirements and environment. The basic policy consists of a combination of blocked and allowed Web content categories and trusted and blocked sources and destinations that apply globally to all users (Basic Policy). You also have the option to create more granular rules (Advanced Policy). For example, you can coach users on company policy when they attempt to access a restricted site; block unauthenticated users; and create allow or block lists for specific Web destinations. This module also provides dynamic rating algorithms that identify and categorize Web content in real time to provide unrivaled URL filtering. Web Application Controls ThreatPulse provides policy options that control various aspects within certain Web applications. These options might include the ability to block post requests, attachments and downloads. The ThreatPulse portal displays the currently supported Web applications, including which aspects within the application are available to control. For example, you can allow employees to access the Facebook, but prevent them from uploading video or pictures. Another example is to allow employees to access and use Webmail, but prevent them from sending attachments through Webmail. You can also enforce the browser SafeSearch feature and keyword search controls for all major engines, including media search engines. Management, Policy, and Reporting Your IT professionals have access to the Blue Coat Cloud Security Service through the ThreatPulse portal. This Web-based management tool allows them to easily navigate between the Content Filtering, Malware Scanning, and Web Application Control modules to define policies and generate reports. Administrators can define roles that limit access for other users. For example, they can add a ThreatPulse user who has access only to the Reporting interface-they cannot define policy or configure the service. Cloud service administrators are able to define policy. Depending on the mode or module, this can be very basic, such as globally blocking specific categories or Web Applications. In the Content Filtering module, administrators have the option to define more granular policy, such as determine what times employees can access specific sites or categories. For Web Applications, they can select options such as allow Facebook but block file/video uploads. When users begin sending traffic to the cloud service, the generated access logs provide the basis for extremely comprehensive and interactive reports. There are high-level and trend reports and specific reports-all the data you require to know exactly what is happening on your network. Administrators can use this data to further manage policies and provide coaching when acceptable Web use policies are not obeyed. Furthermore, Administrators can define policy directly from user behavior reports, which allows for instant action. 7

8 Supplemental Information Log storage for 100 days of transactional data (proxy access logs) generated within the cloud service (the Hosted Reporting product provides three years). You have the ability to download the transactional data log files during the retention period. Report access, which allows you to analyze and extract reports from that same 100 day sliding window of transactional data (the Hosted Reporting product provides one year). Redundancy is accomplished through separate but identical storage and software systems. Blue Coat maintains multiple Data Pods and Control Pods in several countries and achieves redundancy through separate but identical storage and software systems. Currently, each line of log data is stored on two geographically distinct Control Pods. Summary The Blue Coat Web Security Service provides market-leading threat protection and content filtering while reducing the costs associated with traditional on-premise solutions. You can review comprehensive reports and adjust instantly enacted policies as your environmental needs arise or change. The subsequent sections provide architectural and customer security information. 8

9 Section B: Where the Cloud Security Service Stores Data Section B: Where the Cloud Security Service Stores Data Data Pod (DP) Located around the globe, the Blue Coat Cloud Security Service datacenters provide the infrastructure required to provide service to employees no matter where they are located. Three components comprise each datacenter: the Data Pod (DP), the Control Pod (CP), and the Reporting Pod (RP). Each component provides specific actions and stores various customer data based on those required actions. The following sections describe how data is stored. The DP is a collection of Blue Coat ProxySG appliances. These appliance serve in a concentrator role; that is, they recognize customer connections and perform connections. They store some customer data, but do not contain permanent storage of such data. Control Pod (CP) Two components comprise the CP, which stores a majority of the customer information. The Portal Database stores information regarding who and where. The Reporting Database stores configuration information. 9

10 Using the Blue Coat Document Templates Section B: Where the Cloud Security Service Stores Data Reporting Pod (RP) The RP stores all user access log-related information. The cloud services uses this information to generate reports. Furthermore, the RP stores the raw access logs, which can be downloaded for use with another reporting product (such as Blue Coat Reporter). 10

11 Section C: About Blue Coat Customer Information Security Section C: About Blue Coat Customer Information Security Blue Coat provides the best possible technology in its Cloud Security Service data centers to ensure that customer information and data remains private and secure. This section summarizes the technology and practices put in place by Blue Coat. Where Does Blue Coat Store Customer Information and Data? Blue Coat directly manages all of its global systems and networks that are required to provide Cloud Security Services. This equipment is located in global data centers, which employ the best technology available to provide the highest levels of reliability and security. The following are the key features of the data centers used by Blue Coat: SSAE16 SOC-1 Type II Certified Full, un-interruptible Power Supply (UPS) systems with N+1 levels or greater, and backup generator systems. Precision HVAC systems to cool the most demanding high-power deployments 24x365 onsite security. Motion-detection CCTV and alarm systems. All equipment is located in locked cabinets and cage. Access controlled by biometric hand geometry readers. All access to the data centers is logged, monitored, and tracked. On-site resources are used only for power-cycle and physical checks support. The entire infrastructure is remotely managed by authorized Blue Coat personnel. How Does Blue Coat Secure Access to Customer Data and Information? Blue Coat implements suitable measures to prevent unauthorized access to its systems and networks. This is accomplished by: All customer data access requests are subject to Change Control approval. All systems and database actions are logged, secured, and retained. Access logs are audited on a regular basis by the Blue Coat security team. Access to all systems is controlled by using a unique user identification and password; furthermore, access is role-based. Two-factor authentication is required for all administrative access to the system. Use of centralized security access controls. Administrative access needs to pass through a central control before reaching to systems. Centralized password management controls around shared passwords. Employee desktops and laptops hard drives are encrypted and securely backed up. Site-to-site communication encrypted through AES. Perimeter routers/firewalls with deny and ingress policies to only allow required services. All network equipment passwords managed using enterprise management tools. System user accounts passwords are hashed. All access to systems and data content is logged, tracked, and audited. 11

12 Using the Blue Coat Document Templates Section C: About Blue Coat Customer Information Security Employee policies and training in respect of each employee's access rights to the personal data Data retention and destruction policies are in place. There are strict polices to limit the use of removable media that might contain customer data. How Does Blue Coat Ensure Customer Data Availability? Blue Coat implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: Redundant systems and networks across all servicing components. DNS based load balancing allows transparent traffic routing in case of failures. All customer data is stored and replicated across redundant sites using encrypted connections. Network storage solutions are used to ensure maximum data redundancy and performance. Established and regularly tested Business Continuity and Disaster Recovery Plans. Industry-leading anti-virus (AV) product protects the Cloud Service infrastructure. Security patches are regularly applied based on subscribed services. How Does Blue Coat Monitor Who Accesses Customer Data? Blue Coat implements several measures to monitor and report customer data use. The following are some of the key controls in place: 24x365 NOC to monitor systems and quickly issue management processes and tools. Implemented a Security Incident Management policy and process to ensure expedited communication of any potential data security breach. Implemented Distributed Network Analysis tools to monitor suspicious traffic. Penetration and vulnerability tests are performed on a regular basis. Implemented next-generation IDS/IPS tools and processes. Intelligent Security Automation allows monitoring and alerts based on policies and network behavior. 12