The nonprofit cyber assessment firm CyberRatings.org is launching a tool for testing cloud security solutions that is designed to increase visibility into vendor management of cloud vulnerabilities.
The “Spot Check” tool provides a “step customers can take proactively to help manage their relationship with their [cloud security] service providers,” CyberRatings CEO Vikram Phatak told Inside Cybersecurity. The tool specifically tests “Security Service Edge” threat protection in cloud environments.
The nonprofit announced the tool today in a press release highlighting capabilities that will be tested through the new service. The announcement describes CyberRatings as a non-profit “dedicated to providing confidence in cybersecurity products and services through its research and testing programs.”
CyberRatings says, “SSE solutions leverage the cloud’s scalability, flexibility, and operational benefits to deliver security – Access Control, Authentication and Identity, Data Loss Prevention (DLP), DNS Protection, Encryption (TLS/SSL), Exploit Detection and Prevention, Malware and Phishing Protection (including via Browser Isolation), Cloud Access / Application Control (CASB), and the ability to implement Zero Trust Network Access (ZTNA).”
Cloud-delivered security solutions such as SSE can provide users with “seamless secure access to applications and data regardless of location,” according to the nonprofit.
CyberRatings argues that oversight is needed to confirm third party providers are maintaining systems, understand how policy changes affect security and measure the level of threat protection provided by a SSE solution.
Phatak says in the announcement, “Often times cybersecurity is a black box; and SSE is a black box in a black box.” He asks, “How do [organizations] know that their SSE is defending against the latest threats, or their policy modifications aren’t adversely impacting their security?”
CyberRatings notes that testing a SSE is “a lot harder…than traditional network security products,” adding that “many enterprises don’t have the time or expertise to build a test environment.”
The new tool eliminates the need to create a test environment by providing information on which cipher suites are supported by a SSE; how often a SSE unintentionally blocks legitimate traffic; exploits and malware that can be delivered over HTTP and HTTPS; and which threat actor evasion techniques can be used to bypass security measures.
Phatak explained to Inside Cybersecurity that testing a SSE solution for false positive identification of threats is important because it is a “waste of resources to go hunt something down that’s not real.”
Phatak said CyberRatings plans to publish test results on cloud network firewalls in February, with the goal of addressing how the tech sector’s move to the cloud has impacted the security of certain technologies.
Phatak said, “When you’re building a security product, one of the things that a lot of folks end up taking for granted is that they control the environment in which they are operating.” He added, “When companies lose control of that and things can change behind the scenes ... things will not work all of a sudden.”
CyberRatings is also developing a separate “configuration” guide that will provide step-by-step instructions for customers, Phatak said, “to make sure that they check certain boxes” when setting up cloud network firewalls. -- Jacob Livesay (firstname.lastname@example.org)