Cloud computing is the use of computing resources, including hardware and software, that are delivered as a service over a network, typically the Internet. As cloud computing achieves increased popularity and adoption of cloud-based services by businesses increases, concerns over security and risks of using these cloud-based services become significant. Traditionally, systems and software applications were deployed in enterprise environments, such as within an enterprise's own private data network, with strict controls and policies to ensure that data and usage are compliant with the enterprise's standards. However, the adoption of cloud-based services offered by third parties creates a potential mismatch, or complete absence, of expected enterprise level controls. Enterprises are faced with the challenge of accessing risk exposure associated with the use of cloud-based services in order to apply compensating controls.
Furthermore, the inherent nature of cloud services being available “anywhere, anytime” presents challenges for an enterprise wishing to monitor its employees' use of various cloud-based services. In particular, the ability of an employee to access cloud services on behalf of the enterprise from outside of the enterprise's private data network makes monitoring the enterprise's cloud traffic difficult and more complex.
For example, cloud-based services include Software-as-a-Service (SaaS) where a specific application or service is offered to a customer as a subscription. Dropbox, Salesforce.com, and QuickBooks are examples of SaaS. An employee of an enterprise may access Salesforce.com on behalf of the enterprise at a location or from a mobile device outside of the enterprise's private data network. In that case, the enterprise is not able to monitor the employee's web activities with the cloud service and cannot apply control over any of the web activities. Meanwhile, the enterprise may be exposed to risks associated with the employee's use of the cloud service.
Traditional approaches to monitoring network traffic include forwarding the network traffic from a firewall to a web proxy, such as by using an IP GRE tunnel (Internet Protocol generic routing encapsulation tunnel). However, network traffic forwarding using this approach only works when the traffic originates from within the enterprise's network boundaries. When network traffic originates from outside the enterprise's private data network, monitoring the traffic becomes more cumbersome, often requiring the traffic to be routed through the enterprise, such as via a virtual private network (VPN).
Another approach to re-route network traffic is to rely on deployment of end-point agents on the client devices used to connect to the cloud service. The end-point agent forces network traffic from the client device to first pass through a proxy service, such as addressed by a web URL, before reaching the target service. However, the enterprise needs to manage all devices that are used by employees to access cloud services to ensure that the proxy or configuration is in effect. The proliferation of mobile devices used by employees in businesses makes the use of end-point agent impractical.