In today's work environment a major part of data communication is done over computer networks. Data needs to be inspected for presence of malware, and for presence of sensitive data. Often, the inspection process is not immediate and is resource-intensive, yet the receiver desires to prevent access to the data until the inspection completes and the data is allowed to continue its regular course.
Common examples of inspection of data include:                e-mail systems must check that all incoming file-attachments are safe from computer viruses, phishing schemes or other malware;        file sharing systems must check that files are clean from malicious content before being accessed or being shared with other parties;        messaging/collaboration systems must ensure that data flowing between entities does not leak sensitive information;        systems that share sensitive-data often need to encrypt that data upon send and arrival.        
Reference is made to FIG. 1, which is a simplified block diagram of a prior art security system, in accordance with an embodiment of the present invention. FIG. 1 shows an enterprise data center 100 that provides various data exchange services to enterprise employees. The data exchange services include a collaborative document management service 220, such as the MICROSOFT EXCHANGE SERVER® service developed by Microsoft Corporation of Redmond, Wash., USA, and a file sharing service 230, such as the DOCUMENTUM® service developed by EMC Corporation of Hopkinton, Mass., USA. Employees 110A, 110B and 110C access these services using any of a variety of devices, including inter alia a smartphone, a laptop computer and a desktop computer. Also shown in FIG. 1 is a firewall 150 which scans incoming and outgoing data for malware and for leakage of sensitive data.
Firewall 150 scans incoming data scan before the receiver has access to that data, using proxy technologies that often perform block-and-inspect. Specifically, network traffic between a sender and a receiver must flow through firewall 150, which inspects data and, if the data is cleared, forwards the data to the receiver. Firewall 150 is often a store-and-forward device, which blocks the flow of the traffic until inspection completes. Other store-and-forward devices include mail-relay, routers, proxy-servers, software agents and other inspection modules. This type of inspection is referred to as being inline. Inline inspection techniques are described at https://en.wikipedia.org/wiki/Deep_packet_inspection.
Conventional inline block-and-inspect techniques suffer from several drawbacks, including:                Inline systems cannot fully support a fail-open mode, and introduce an additional point-of-failure to services 120 and 130.        Block-and-inspect introduces additional latency, during which traffic is re-routed to an inline device and then back to services 120 and 130.        Introduction of inspection entities into a network disrupts normal operation of other components of services 120 and 130. For example, an added email mail transport agent adversely impacts anti-spam filters used by an e-mail server, because an original source IP address is no longer visible.        Traffic that is encrypted cannot be inspected easily by inline systems.        Inline systems increase network-latency, and negatively impact the end user experience.        
Even worse, in today's off-site environments such as cloud/SaaS services, firewall 150 cannot inspect traffic, because traffic often flows over a public-network to computing and storage systems that the enterprise does not own or control. Moreover, today's end users may access these services from any location, not only from an enterprise office. Some enterprises try to force traffic through a proxy to ensure that the traffic undergoes inspection, but this leads to difficulties of managing endpoint proxy configurations, and of overcoming network-topology limitations.
Reference is made to FIG. 2 is a simplified block diagram of a prior art data security system that gets bypassed by end users of cloud applications. Shown in FIG. 2 are enterprise data center 100 and firewall 150, and a variety of cloud-based data-exchange services that run in a cloud computing center 200, the services including a collaborative document management service 220, such as the OFFICE 365® service developed by Microsoft Corporation of Redmond, Wash., a file sharing service 230, such as the BOX.NET® service developed by Box.net, Inc. of Palo Alto, Calif., and an e-mail service 240, such as the GMAIL® service developed by Google Inc. of Mountain View, Calif. End users 210A, 210B and 210C access these services, bypassing firewall 150, using any of a variety of devices, including inter alia a smartphone, a laptop computer and a desktop computer.
An enterprise's sensitive files are now in the enterprise cloud, and may be shared with external users; and malicious files may be enter or reside in the enterprise cloud. An enterprise, in fact any business, large or small, and even an individual using cloud services, requires protection against malware, against advanced persistent threats, against anomalies, against insider threats and against data leakage. An enterprise may require data sanitation, endpoint compliance, share policy management, security information and event management (SIEM), ticketing integration, and audit compliance. Cloud service providers do not always offer such comprehensive protection and management, and such protection and management is not covered by service level agreements.
Because of these drawbacks enterprises must compromise between inline prevention systems and non-inline detection-only systems for which the system sends alerts but cannot block/prevent a security breach from occurring.
It would this be of advantage to provide a robust security system that provides the requisite security, yet overcomes these drawbacks of in-line block-and-inspect systems for today's cloud/SaaS environments.