Policy Exception 2.0

Matt Keil


Last week, we published our 9th Application Usage and Risk Report summarizing the application traffic patterns observed between November 2011 and April 2012 on more than 2,000 networks worldwide. The most significant and startling difference between this report and the previous editions is the breadth and growth in applications that are being used for personal purposes. Mixed within the personal use are many business uses – which means you need to strike a balance between allow and deny.

In legacy firewall language, the balance between allow and deny was called an exception – a specific port needed to be opened for a specific application and/or IP address(es). Now, we can be far more granular with the specific application and the user identity, so the term exception seems too limiting. We prefer secure application enablement because the applications and the users are moving the business forward. In no other report have the data and traffic patterns observed made a stronger or more compelling argument for secure application enablement.

Let’s look at three examples of how our customers are securely enabling applications.

Streaming video: the analysis found that video and photo applications consumed 13% of total bandwidth and accounted for 8% (107) of the 1,280 applications. You can interactively browse all 107 video and photo applications found here. Block them all, you say? Not so fast: some of these applications have definite business purposes, while others are purely for personal use.

  • Many companies have YouTube channels for their own sales, marketing and training efforts; RTMP is the technology behind Flash, another core component in many website and sales/marketing efforts. So blocking these might mean blocking your business.
  • Or you might be blocking TeacherTube, a community-based video site dedicated to education and in use across 15% of the participating organizations.
  • On the other hand, blocking it all would mean stopping the use of Netflix Streaming, which jumped to 3% of total bandwidth – and most likely is not being used for any sales, marketing or training efforts within your company.

The video streaming challenge is not as black and white as one would hope, and the decision to block an application or securely enable it should be based on the business need, as highlighted by Mike Wade from Summa Healthcare:

“We allow or block on the basis of needs. In order for the nursing staffs to be effective and get done what they need done, there’s a lot of resources on the internet. YouTube is an on or off solution but there are also other solutions out there like Flash that streams media. We’ve been able to build an environment by a set of rules that won’t allow the user to stream a radio station but will allow you to stream training videos on a website like nursing.org. We’ve been able to give them what they need without just blowing everything wide open.” [Watch the Summa Healthcare video]

Social networking: once thought to be a fad that would quickly come and go, social networking applications are here to stay, and your business is either using them or figuring out how to use them to connect and stay connected with your current and future customers. Statistically speaking, social networking is not the bandwidth hog everyone seems to think it is. The analysis found 74 social networking applications (6% of the 1,280 applications), with an average of 29 in use in each organization. Yet they consume a mere 1.3% of total bandwidth – a ranking of 12th out of 26 subcategories. You can interactively browse the social networking applications found here.

Obviously, your business is not using all 29 of the 74 social networking applications to enable the business – at most, perhaps 10, inclusive of specific functions like posting, would fill your business need. At 24 Hour Fitness, Justin Kwong, Senior Director of IT Operations, makes the case for securely enabling social networking.

“In the past we were so restrictive that our club employees couldn’t surf the web unless it is specifically permitted. Our CEO says that doesn’t make any sense. Our Club Manager should be able to drive his own ship. They should be able to go on Facebook and see what members are saying about that club. They should be able to tweet messages to the employees who sign up for that. Before, we blocked everything but now we can set specific categories. The Club Managers can now go into Facebook and Twitter and we can still block them from going to the bad sites.” [Watch the 24 Hour Fitness video]

Webmail and SSL decryption: nearly everyone you know has a personal email account – maybe several – and they are commonly used at work. The analysis showed 59 email/webmail applications in use, consuming roughly 3% of the total bandwidth. While the report does not call it out specifically, webmail commonly runs over SSL, which means it is commonly invisible to traditional controls. So while personal emails are protected from inspection, so too are any threats inadvertently sent by friends and relatives, and that protected use may put the company and the user in direct violation of industry rules and regulations. Should all webmail be blocked? Or should it be decrypted and controlled? SSL decryption is undoubtedly one of the more difficult challenges that organizations face, due to the significant privacy issues. Yet in the financial services industry, doing so may help avoid SEC violations. John Shaffer, Director of Global Systems and Technology at Greenhill & Company, a financial services firm, put the challenges and compliance concerns around webmail very succinctly.

“We needed better visibility into our network in order to block access to certain applications – especially Gmail over HTTPS. We could see users were circumventing our blocking solution by switching to SSL encrypted versions of webmail applications.” [Read the Greenhill & Co. case study]

Palo Alto Networks allows Greenhill & Co. to rein in webmail usage by blocking access to it unless a user has been added to the company’s Webmail Exception Users Group in the Active Directory. Summa Healthcare and 24 Hour Fitness are also using Palo Alto Networks to securely enable application usage, striking an appropriate balance between allow and deny. How are you securely enabling applications? We would love to hear about your examples.
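To make the difference between a port-based exception and application/user-based enablement concrete, here is an added example in Python (not code from the post or from Palo Alto Networks). It models the Greenhill scenario: a webmail session over SSL passes a port-based rule, is invisible to an application policy unless the session is decrypted, and once identified is allowed only for members of the Webmail Exception Users Group. The user directory, the application names and the rulebase are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (user -> AD groups); not data from the post.
AD_GROUPS = {
    "alice": {"Domain Users", "Webmail Exception Users Group"},
    "bob": {"Domain Users"},
}

@dataclass(frozen=True)
class Flow:
    user: str
    app: str          # application identity once the payload is visible
    dst_port: int
    encrypted: bool   # True for an SSL-wrapped session

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    apps: frozenset = frozenset()   # empty = any application
    group: Optional[str] = None     # required AD group; None = any user

# Hypothetical rulebase modelled on the examples in the post.
RULES = [
    Rule("webmail-exception", "allow", frozenset({"gmail-base"}), "Webmail Exception Users Group"),
    Rule("block-webmail", "deny", frozenset({"gmail-base"})),
    Rule("training-video", "allow", frozenset({"youtube", "rtmp"})),
    Rule("block-radio", "deny", frozenset({"shoutcast"})),
    Rule("general-web", "allow", frozenset({"web-browsing", "ssl"})),
]

def legacy_port_policy(flow: Flow) -> str:
    """Port-based exception: anything on an open port passes, whatever it carries."""
    return "allow" if flow.dst_port in {80, 443} else "deny"

def visible_app(flow: Flow, decrypt_ssl: bool) -> str:
    """Without SSL decryption an encrypted session is only identifiable as 'ssl'."""
    return flow.app if (not flow.encrypted or decrypt_ssl) else "ssl"

def app_policy(flow: Flow, decrypt_ssl: bool, rules=RULES) -> str:
    """Application/user policy: first matching rule wins, implicit deny at the end."""
    app = visible_app(flow, decrypt_ssl)
    for r in rules:
        if r.apps and app not in r.apps:
            continue
        if r.group and r.group not in AD_GROUPS.get(flow.user, set()):
            continue
        return r.action
    return "deny"
```

Run `app_policy(Flow("bob", "gmail-base", 443, True), decrypt_ssl=False)` and then with `decrypt_ssl=True` to see the same session slip through as generic SSL and then get denied once it is identified as webmail.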
