Quick Thought: Monitoring Data Exfiltration to the Cloud

Truth be told, this thought was sparked by my friend Rob Rounsavall at Terremark while we were presenting at the SANS Virtualization and Cloud Computing Security Summit in DC last month.

The question is simple – with the concerns we have surrounding cloud security, whether providers meet our basic policies and practices, let alone compliance requirements, can we allow business unit IT teams, developers, and others to use “pay with a credit card and get started now” types of cloud services? The answer is likely no…but this is much like telling people they shouldn’t speed in their cars. Without some enforcement mechanism, they’ll do it. So if we’re concerned about this, just creating a “policy” may not help us, especially in large, distributed organizations.

So what kinds of outbound detection/blocking are folks doing (if anything)?

1. Snort or other IDS rules for sites or specific content elements associated with these cloud services? Something like:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Cloud Madness!"; flow:to_server,established; uricontent:"terremark.comxyz"; classtype:cloud_is_bad; sid:31337; rev:1;)

Yes, I know this is more of a “pseudo” rule. Just a thought.

2. More traditional content filtering like Websense?

3. Proxy or DLP filtering?
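As an added example (not from the original post), here is the proxy-layer version of the same idea in Python: it scans access-log lines in Squid's native format for requests to a watch list of cloud-service domains (matching subdomains and CONNECT tunnels too) and counts hits per internal client. The domain names and log lines are constructed placeholders, not real services or real traffic.

```python
import re
from collections import defaultdict

# Constructed watch list (placeholder domains); a real one would come from the
# organization's inventory of approved and unapproved cloud services.
CLOUD_WATCHLIST = {
    "cloud-provider-a.example": "IaaS (credit-card signup)",
    "cloud-provider-b.example": "PaaS",
}

# Constructed sample lines in Squid native access-log format:
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_PROXY_LOG = """\
1240000001.123    250 10.1.2.3 TCP_MISS/200 1234 GET http://www.cloud-provider-a.example/signup - DIRECT/203.0.113.10 text/html
1240000002.456     80 10.1.2.3 TCP_MISS/200  512 CONNECT api.cloud-provider-a.example:443 - DIRECT/203.0.113.11 -
1240000003.789    120 10.1.2.9 TCP_HIT/200  2048 GET http://intranet.corp.example/index.html - NONE/- text/html
1240000004.012    300 10.1.2.7 TCP_MISS/200  900 POST http://cloud-provider-b.example/api/upload - DIRECT/203.0.113.12 application/json
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def extract_host(url):
    """Return the lowercase hostname from an absolute URL or a CONNECT host:port target."""
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0]
    return (host.rsplit(":", 1)[0] if ":" in host else host).lower()


def match_watchlist(host):
    """Return the watch-list entry matching host or any parent domain, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_WATCHLIST:
            return candidate
    return None


def find_cloud_hits(log_text):
    """Return (client, method, host, category) for every line that hits the watch list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines instead of crashing
        host = extract_host(m.group("url"))
        matched = match_watchlist(host)
        if matched:
            hits.append((m.group("client"), m.group("method"), host, CLOUD_WATCHLIST[matched]))
    return hits


def hits_per_client(hits):
    """Count watch-list hits per internal client address (who is reaching out where)."""
    counts = defaultdict(int)
    for client, _, _, _ in hits:
        counts[client] += 1
    return dict(counts)
```

The same host matching applies to a TLS SNI or Host-header feed; the CONNECT case matters because the URI of a tunneled HTTPS request is never visible to a uricontent match.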

Rob asked the crowd if they were doing this, and no one really had much to say, so I’m assuming it’s not something many are thinking of…yet.