About the CloudSOC Integration

The Web Security Service is an integrated platform for Content Filtering, Threat Protection, DLP, and CASB deep-controls on cloud applications. The Symantec CASB platform, CloudSOC™, provides visibility to over 24,000 cloud applications plus over 60 attributes per application. This enables scalable policy to control Shadow IT and cloud application access.
Symantec provides two CloudSOC integration solutions:
  • CASB Gatelets—A full secure web gateway (WSS) solution plus integration with CloudSOC. After completing the one-time WSS-to-CloudSOC integration, you can apply a combined policy enforcement to both platforms based on their respective configurations for all enabled application Gatelets. Configure gatelet policies in CloudSOC. An increased number of web applications are available in policy editors. The remainder of this conceptual topic discusses the CASB Gatelet solution.
  • CASB Gateway—A CASB-only solution. Configure WSS to identify and authenticate users and steer traffic to CloudSOC. Use CloudSOC for all gatelet configuration, policy, and data analysis. Consult the CloudSOC documentation for more information about this solution.

CASB Gatelets Topography

This topography assumes that you have obtained the CASB/CloudSOC product.
[Figure: Elastica Audit Service Concept]
1—A WSS admin links the WSS and CloudSOC accounts through a unique Integration ID. After launching CloudSOC from the Web Security Service portal, the Admin enables application Gatelets—for example, Yammer, Google Drive, Box. Within the Gatelets are additional options, such as domains.
2—When Gatelet configurations are saved, WSS receives a list of applications subject to CASB deep control.
3—Regional employees (on campus or remote) perform requests for web application destinations. WSS processes the policy; allows or denies the content; and adds entries to the access logs. WSS uses these access logs for report generation.
4—Over a secure connection, an API connects WSS to the CloudSOC. The WSS forwards the access logs to the CloudSOC Audit.
5—Admin accesses WSS portal; from there, launches the CloudSOC portal, which opens in a separate browser tab. In CloudSOC, users can generate reports.
WSS remains in sync with the Symantec Global Intelligence Network (GIN). Updates to the database occur each day.

About the Traffic Evaluation Order

The following summarizes how WSS and CloudSOC prioritize and evaluate traffic according to behavior. When possible, all behaviors are applied; the order addresses conflicts.
This graphic demonstrates the policy and service order when the WSS receives a request. There are two scenarios—A (no CASB Gatelet) and B (redirected CASB Gatelet).
  • Denial and blocking based on policy Allow/Deny rules configured in the WSS portal or from Universal Policy Enforcement (UPE) uploaded policy rules.
    For security and compliance reasons, explicit denials (for Content Filtering or Threat Protection) must be applied.
  • Authentication verifies the logged-in employee credentials.
[Figure: CASB flow]
SCENARIO A
  • SSL Intercept except for exemptions configured in the WSS portal.
    Explicit SSL exemptions (for example, traffic to Healthcare categories) are assumed to be defined by an organization's legal compliance.
  • Malware scanning and Sandboxing (with Advanced license).
  • DLP scanning (with license).
  • Web Isolation (if licensed) forwarding.
SCENARIO B
Applications routed to CloudSOC (CASB Gateway) over ICAP service.
  • Authentication
    Gatelets only work for WSS connectivity methods where the end user must authenticate. For example, if an endpoint accesses through explicit proxy with no authentication, the CASB Gatelet policy enforcement is ignored.
  • SSL Interception
    When an enabled Gatelet matches, WSS forwards the traffic to CloudSOC, regardless of the WSS SSL Interception setting.
  • CloudSOC performs DLP and Malware scanning.
    As CASB Gatelets include Symantec content analysis and integration to Symantec DLP, material can be exempted from WSS processing of those types.
The primary use cases for CASB Gatelets and Isolation are parallel. The Web Isolation service is focused on risky/unfamiliar sites, while CASB Gatelets are by definition for sanctioned applications. The population of sanctioned applications is smaller, thus this remains lower in the order because the account has enabled CASB.
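
The evaluation order above, reduced to a small Python model (an added example, not Symantec code or a WSS/CloudSOC API): it walks constructed requests through the deny, authentication and Gatelet-match steps and reports the two cases worth auditing, Gatelet traffic that arrives unauthenticated and SSL exemptions that a Gatelet match overrides. The domain sets, the `Request` type and the note strings are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration; every domain below is illustrative.
DENY = {"blocked.example"}                   # Allow/Deny rules (portal or UPE)
GATELETS = {"box.com", "yammer.com"}         # application Gatelets enabled in CloudSOC
SSL_EXEMPT = {"health.example", "box.com"}   # SSL exemptions set in the WSS portal

@dataclass
class Request:
    host: str
    user: Optional[str]  # None: connectivity method that did not authenticate

def in_set(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def evaluate(req):
    """Return (path, notes) following the order described in this topic."""
    if in_set(req.host, DENY):
        return "deny", []                    # explicit denials are applied first
    notes = []
    if in_set(req.host, GATELETS):
        if req.user is None:
            # No authenticated user: Gatelet policy enforcement is ignored.
            notes.append("gatelet-ignored-unauthenticated")
            return "scenario-A", notes
        if in_set(req.host, SSL_EXEMPT):
            # Forwarded to CloudSOC regardless of the WSS SSL Interception setting.
            notes.append("ssl-exemption-overridden")
        return "scenario-B", notes
    return "scenario-A", notes

def audit(requests):
    """Keep only the requests whose evaluation produced a note."""
    findings = []
    for r in requests:
        path, notes = evaluate(r)
        if notes:
            findings.append((r.host, path, notes))
    return findings

SAMPLE = [  # constructed requests
    Request("blocked.example", "alice"),
    Request("app.box.com", "alice"),
    Request("www.yammer.com", None),
    Request("news.example", "bob"),
]
```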

Current Limitations

  • O365 Gatelet—WSS global O365 SSL exemption is overridden for specific destinations.
  • O365 Gatelet—File Sharing Block policy is ignored for the Desktop O365 Apps (OneDrive for Business, Word, Excel, PowerPoint).
    For example, if the file sharing block policy is in place and a user attempts to share the files (already synced to OneDrive) to another user/group, the files are allowed instead of blocked.
  • Google Drive Gatelet—Similar to the Office 365 issue, uploads from Google Drive are allowed despite blocking policy in place.
  • If you have modified O365 settings to disable the Modern-Authentication option, clients with WSS Agent installed are not able to log in to Outlook. The credential dialog repeats.
