Google has managed to build an entire application ecosystem around Google Apps for Business. With all this convenience, many enterprises also have security concerns about exactly which applications and web services are connected to their Google Apps domain. Enter the CloudLock Community Rating System, part of the CloudLock Apps Firewall. It enables Google Apps administrators to get a security rating for any app or web service that uses the OAuth protocol to access their domain.
Gil Zimmerman, the CEO of CloudLock, presented a compelling vision for the Community Rating System during a call I had with him, where he brought up the importance of the collective wisdom it provides from data collected from multiple enterprises. With this system in place, both users and administrators have a share in protecting their organization’s sensitive data while maintaining user productivity, drawing on community ratings rather than just the limited experience of one enterprise.
CloudLock Apps Firewall and the CloudLock Community Rating System
I recently got the opportunity to try the CloudLock Apps Firewall on my own Google Apps Domain and found the whole experience quite illuminating as to what the tool picked up during its scans on my rather small domain. In fact, considering the window I got into my rather small domain, I could easily see the value for large enterprises standardized on Google Apps for Business who are concerned about their Cloud data security.
The CloudLock Apps Firewall delivers actionable content policies that can protect your organization’s sensitive information in the cloud. The first thing you learn after running a scan is how many apps are connected to your domain through the OAuth protocol. This presents some potential security issues in itself. Personally, I found some apps connected to my domain that I tested from long-since-completed writing assignments.
The other side of that challenge is not knowing enough about the risks of third-party API access in apps that are connected to your domain. This leads to the need to make informed decisions on what apps get access so you don’t wreak havoc on user productivity.
The problem that the Apps Firewall tackles quite handily is providing a community-based rating for these apps that extends out to the collective community rather than just a particular enterprise. When I first got a briefing on the CloudLock Community Rating System, I got to see it as more of an “Angie’s List” of apps that draws upon security decisions from the CloudLock Apps Firewall user community, not just a feed of anonymous data updated by some Tier 1 technician on the midnight shift in a Security Operations Center somewhere. This is the source of the rating system’s “super powers”. Figure A shows a sample of the dashboard reporting that the CloudLock Apps Firewall produces.
CloudLock Apps Firewall Reporting
Taking action against apps
When you install the CloudLock Apps Firewall on your domain, it scans all of the apps and web services, a set that goes beyond the apps we cover here on Google in the Enterprise. The main dashboard is well laid out and does a great job of communicating your scan results. When you delve into the Apps List, the available filters make it easy to slice and dice the views into your domain’s apps.
When you first run the CloudLock Apps Firewall, many of the apps it finds will appear in red as untrusted. Taking action against an app is as easy as:
- Select the app in your scan results.
- Click Actions.
- From the Actions menu, click Classify Applications, where you can select Banned (App is not allowed in the domain), Not Trusted (App should be neither banned nor trusted), or Trusted (The app is allowed in the domain).
- Click Apply Changes.
Figure B shows the Classify Applications dialog box.
Classify Applications dialog box
You can also select Notify User(s), which sends users a message enabling them to revoke access to the app themselves. Figure C shows the Notify User(s) dialog box.
Notify Users dialog box
Select Revoke Application(s) when you want to revoke the application’s access to your domain. When you revoke an app, CloudLock Apps Firewall sends the user a message (Figure D) about access to the app being revoked.
Revoke Applications dialog box
CloudLock Apps Firewall includes the following settings (Figure E):
- General Settings to manage user access to CloudLock Apps Firewall. With three levels of access, including user, help desk, and administrator, it is possible to set up a workflow that should work with most organizations.
- Scan Settings offering flexible options for when you scan your Google Apps domain for apps.
- Audit Log that would come in handy for security lessons learned and status reporting.
CloudLock Apps Firewall Settings
It takes a community
The CloudLock Community Rating System represents an easy-to-interpret, easy-to-use security layer for organizations running Google Apps, one that draws from the entire CloudLock Apps Firewall community of people who have direct experience with the apps. It can provide another level of security for your Google Apps domain to meet the needs of a compliance audit or to shore up potential cloud security shortcomings in your overall enterprise security regimen.