Policy controls for web apps: the missing link


Authentic8 is a small company. But that doesn't mean that our data is less important than a bigger company's, nor does it mean that we won't run afoul of the law if our employees fail to follow certain regulations and guidelines. Like many other small companies, we've heavily embraced the cloud. Our mail and productivity suite comes from Gmail and Google Apps. We manage projects in Basecamp, Jira provides our bug tracking and wiki environment, and salesforce.com and Marketo help us manage our go-to-market activities. And when we need to store and share data, box.com is our service of choice.

But it doesn't end there. We also use outsourced hands, also known as business process outsourcers (BPOs). For example, we use a wonderful firm (contact me for a reference) to manage all of our back-office financial and HR transactions. This vendor has a team of service agents that logs into various web services on our behalf and processes our transactions. It’s a bit daunting -- they have our bank account credentials, access our general ledger, and manage employee compensation -- but the leverage we get is undeniable.

Given the wide use of web apps, how can a company like ours enable a coherent set of policies that protects our data and keeps us out of legal issues? And how can we protect our assets (i.e. money and confidential information) in a BPO world?

The answer is we need to implement policy controls that govern the use of web apps.

This is easier said than done. We have written guidelines in place: a code of conduct as part of the employment agreement, contract terms with our BPO vendor, etc. But it is impractical to rely solely on written guidelines. Businesses need to implement a series of IT guardrails that enforce consistent behavior. Big, regulated companies do this with a smorgasbord of IT solutions. But those controls live inside the corporate network, and in a world of web apps, where the data sits with third-party services, they are insufficient.

That’s where Authentic8 comes in. At first glance, the 'disposable browser' aspect of our service and the insulation of the client from web code seem like the big benefit. But the more profound aspect of our service is how we make the browser the point of control. When users access web services through the Authentic8 browser, we're able to identify browser actions and enforce policy within our browser, before a request ever reaches the web service. By making the browser a policy-controlled app and by defining triggers and rules within Authentic8 to govern use, users get a common layer of policy controls across all web services.

This is best highlighted through examples.

How do we control the risk of credential misuse in a BPO scenario?
There haven't been many choices here: normally, we'd watch transactions in our accounts and change credentials when someone left the team. But with Authentic8 we can pre-configure a user's account with shortcuts set up for each service. The user logs into Authentic8, then clicks shortcuts for single sign-on access to each of the sites, never seeing those sites' credentials. If a user moves on, we simply disable the Authentic8 account or the SSO shortcut, and no password has to be rotated because none was ever shared.

How do we keep machines clean in a shared environment?
Traditionally, we'd need to patch, wipe and/or re-install software periodically. Or we could bite off a complex and costly virtual desktop solution. It’s much more straightforward with Authentic8. Authentic8 builds a fresh browser for each user session, and keeps all web code from reaching the client machine. If a user visits a malicious site, encounters a drive-by download, or picks up a zombie cookie, then that code never hits the machine. The machine never accumulates any web cruft, and each user starts the browser with a fresh browser instance.

How can we control which computers are authorized to access our web apps?
Traditionally, we'd start by hiding credentials from users and making them log into an SSO portal for access to web services. Then, we'd need to install VPN clients and backhaul everyone through our network so that traffic arrives from a known address, relying on a patchwork of IP whitelisting controls that providers may or may not offer (we've posted on this before). All that involves a lot of IT coordination. With Authentic8, an admin need only create the users' accounts and configure the "Trusted machines only" policy. If a machine isn't explicitly trusted by IT, Authentic8 doesn't allow access.

How should we manage data transfer rules (download/upload/copy/paste) across all web apps?
We aren't covered by HIPAA, but if we were, it would be nearly impossible to remain in compliance while preserving the "access from anywhere" utility of cloud services. There has been no good way to control what users can download or copy based on the machine they are using. With Authentic8, admins set a policy allowing users to connect from trusted machines with full access privileges, but if they come in from a machine that IT didn't provision, web actions are restricted. Admins can say "No File Upload", "No File Download", and "No Copy/Paste" from non-authorized computers. This keeps users productive regardless of where they are, without putting regulatory compliance at risk.
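To make the two preceding policies concrete ("Trusted machines only" and the conditional download/upload/copy/paste rules), here is an added, illustrative policy-decision model. It is not Authentic8's rule syntax or implementation; the policy names follow this post, while the data structures, the action set, the device identifiers and the sample sessions are all assumptions constructed for the example. The point it shows is that one rule set, keyed on device trust rather than on the destination site, yields the same decision for box.com, Salesforce or any other service, and that anything unrecognised is denied by default and logged.

```python
"""Illustrative policy-decision model: gate browser actions on device trust.

Constructed example, not Authentic8's rule syntax or implementation.
Policy names ("Trusted machines only", "No File Upload", ...) follow the
post; the data structures, action set, device IDs and sessions are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Browser actions a policy-controlled browser can intercept (assumed set).
ACTIONS = frozenset({"navigate", "download", "upload", "copy", "paste"})


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str   # assumed device identifier, e.g. from IT provisioning
    service: str     # destination site; the policy deliberately ignores it
    action: str


@dataclass
class Policy:
    # Devices IT has explicitly trusted (constructed values).
    trusted_devices: frozenset[str]
    # "Trusted machines only": untrusted devices get no access at all.
    trusted_machines_only: bool = False
    # Actions denied from untrusted devices when access is otherwise allowed.
    untrusted_denied: frozenset[str] = frozenset()
    # Every decision is recorded so allow/deny outcomes are auditable.
    audit: list[tuple[Session, str, str]] = field(default_factory=list)

    def decide(self, s: Session) -> str:
        """Return 'allow' or 'deny' for one browser action."""
        if s.action not in ACTIONS:
            # Unknown action: default deny rather than silently allow.
            return self._log(s, "deny", "unknown action; default deny")
        if s.device_id in self.trusted_devices:
            return self._log(s, "allow", "trusted device")
        if self.trusted_machines_only:
            return self._log(s, "deny", "Trusted machines only")
        if s.action in self.untrusted_denied:
            return self._log(s, "deny", f"{s.action} blocked from untrusted device")
        return self._log(s, "allow", "untrusted device, action permitted")

    def _log(self, s: Session, decision: str, reason: str) -> str:
        self.audit.append((s, decision, reason))
        return decision


def lockdown_policy() -> Policy:
    """Only IT-provisioned machines may use the browser at all."""
    return Policy(trusted_devices=frozenset({"laptop-001"}),
                  trusted_machines_only=True)


def conditional_policy() -> Policy:
    """Access from anywhere, but untrusted machines cannot move data in or out."""
    return Policy(trusted_devices=frozenset({"laptop-001"}),
                  untrusted_denied=frozenset({"download", "upload", "copy", "paste"}))


def demo() -> dict[str, str]:
    """Run constructed sessions through both policies; keys describe each case."""
    p = conditional_policy()
    q = lockdown_policy()
    cases = {
        "trusted-download-box": p.decide(Session("alice", "laptop-001", "box.com", "download")),
        "cafe-download-box": p.decide(Session("alice", "cafe-pc", "box.com", "download")),
        "cafe-paste-salesforce": p.decide(Session("alice", "cafe-pc", "salesforce.com", "paste")),
        "cafe-navigate-salesforce": p.decide(Session("alice", "cafe-pc", "salesforce.com", "navigate")),
        "cafe-unknown-action": p.decide(Session("alice", "cafe-pc", "box.com", "print")),
        "lockdown-cafe-navigate": q.decide(Session("bob", "cafe-pc", "basecamp.com", "navigate")),
        "lockdown-trusted-navigate": q.decide(Session("bob", "laptop-001", "basecamp.com", "navigate")),
    }
    return cases


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The decision never looks at `service`: that is the "common layer across all web services" the post describes, and it is why a new SaaS vendor needs no new control. The audit list is there because a deny with no record is useless to the people who have to prove compliance later.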

Implementing policies has been difficult in the past, but effectively impossible in a world of web apps. Until now. Authentic8 makes the browser the point of leverage, delivering policy controls for the rest of us. Sign up for a free trial and find out for yourself.

Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.