Issue: Unable to grasp the actual usage of cloud services

Fukuoka University has established a "security zone" and has established operational guidelines to store information that should not be leaked, such as student personal information, "within the zone" under the university's control. In addition to cloud services such as Box and Gmail designated by the university as within compartments and outside cloud services such as Google Drive that are known to be used, what kind of cloud services are used by whom and how much? They had a sense of crisis about not being able to grasp the actual usage situation.

Survey: What are the best solutions for data breach risk preparedness?

Mr. Fujimura and others decided to work on strengthening security measures related to the use of cloud services, starting with the understanding of the actual use of cloud services.

"Information to be protected" refers to information assets owned by the university (personal information of students, research data, etc.), "Who handles that information" refers to faculty and staff members, and "Assumed security incidents (to be prevented)" refers to the use of cloud services. After clarifying that it was an information leak at the time, the solution that attracted attention while collecting information was "Cloud Access SecurityBroke (r hereinafter, CASB)".

Focusing on CASB, Mr. Fujimura first sorted out the necessary functions of CASB for solving the problems of his own studies.

Visualization of cloud service usage
Who is using which cloud service, when and how much (upload and download data volume).

Evaluation of cloud service security
What is the risk of information leakage from the cloud services being used?
For example, does it enforce multi-factor authentication, what happens to the ownership of uploaded data, has there been a security incident with that cloud service in the past?

Developing an environment for safe use of cloud services
Safety and ease of operation. Can you easily stop using high-risk cloud services?
Does the operation work become a burden on the administrator?

Selection: What is the best CASB for self-study problem solving?

In order to select the manufacturer that has the organized necessary functions and is the best, we started to compare multiple manufacturers. As a result, McAfee's MVISION Cloud (MVC) was selected.

Visualization of cloud service usage
MVC can visualize user access status to cloud services via firewalls and proxies used. The point is that the usage status can be visualized without an agent via a log transfer server, and that it can be easily linked with McAfee's Proxy products as well as other companies' products.
Based on the CSA (Cloud Security Alliance) guidelines, MVC classifies cloud services into 50 risk categories into 6 risk categories and judges them according to 9 risk levels. Compared to CASB of other companies, the point is that the basis for cloud service risk judgment is detailed and easy to understand.

Developing an environment for safe use of cloud services
With MVC, if you want to restrict access to high-risk cloud services based on usage, if you have a specific firewall or proxy, the URL list for control is automatically linked to the firewall or proxy. In addition, when combined with McAfee's Proxy, one-stop operation from visualization to control of cloud service usage status and risks is also a point that leads to operational efficiency.
In addition to the essential functions,

• No need to introduce agents to clients
• No network configuration changes required
• Proxy product in use: McAfee Web Gateway

can be operated in combination with
These features that other manufacturers do not have were also reasons for the selection.

Introduction: Reduce the risk of information leakage by introducing CASB with an eye on operations

Fukuoka University decided to introduce MVC.

However, implementing a solution is not the goal. Efficient and optimal operation after introduction will produce the expected effects. After introducing MVC, the operation system of the cloud service became as follows.

The daily cloud usage status is automatically visualized by MVC, and periodic report output is also automated. Based on this report, Fukuoka University and system integrators review it at regular monthly meetings to determine whether there are any dangerous cloud services or suspicious usage situations.

If there is a dangerous cloud service, set a proxy to restrict its use.

User Profile