FireLayers Secure Cloud Gateway (SCG) is another approach to securing applications in the cloud. In this case, however, there are two distinct differences between it and most other similar products. First, it addresses sanctioned products only. Those are the ones that the organization chooses to manage directly, usually through an API. Second, it is inline. That means that it functions much like a traditional gateway in that all communications with cloud-based apps must go through it regardless of where the user is - on-premises, in a remote office or out traveling. If the user attempts to authenticate to the application by going around the gateway, they will be redirected through the gateway and forced to use it.
The product is built around four "pillars": Discover, Analyze, Control and Protect. Within these four pillars is the explicit functionality that the tool applies to manage the security of sanctioned applications. The pillars are intended to describe the functionality that the tool uses to address four distinct weaknesses in typical security management of cloud-based apps.
"Discover" addresses adoption of unmanaged applications. "Analyze" addresses lack of visibility and insight. "Control" addresses the need for secure access to sanctioned applications by anyone, from anywhere and from any device. And, "Protect" addresses the lack of integrated security tools in the cloud.
SCG deploys as an inline gateway device at the organization's perimeter. Everything passes through it on the way out of the enterprise. There are communications routes that act as channels. For example, traffic that travels directly through the corporate gateway goes to real-time enforcement of policies transparently, while endpoint configuration results in a forward proxy, and use of SAML or DNS results in a reverse proxy connection. If there is an API involved - as often is the case with sanctioned applications - that connection goes straight to the application and results in real-time enforcement of policies. Because the gateway does all of the work, there are no agents on endpoints so the system can operate from anywhere on any device - whether that device is within the organization's scope of control or not. Functionality includes encryption, DLP, IDS/IPS and mobile device management, among others.
Enforcement is broken down into pre-session and in-session. Pre-session enforcement includes SAML, user and/or password tokenization or IP restriction, while in-session enforcement is accomplished through session tokenization.
There is a complete set of predefined policies - like most other products of this type SCG is policy-driven - and users can create policies for pre-existing rule sets. An example is the policy set for data leakage prevention. The pre-existing policy set includes prevent session and identity theft, tokenization and encryption, controlling and monitoring data export and out-of-bound notification and verification. Rule sets are broken down by application and can include such elements as PCI compliance, repudiation and information disclosure, among many others. Building a policy - or modifying an existing one - is amazingly simple. In terms of ease of use, we never have seen a policy engine that was so simple to use. The user goes to the RULE Set - All Options Matrix, where they are greeted by a page full of icons. The icons are intuitive, clearly labeled and to build a policy one only needs to select and click on the appropriate icons. We were impressed by this particular user interface... in fact, we have seen nothing like it anywhere.
Reporting is extremely thorough and everything an administrator might want to know is there at the click of a mouse. The main reporting actually is more of a detailed audit trail. Not only are the usual user, date, application and audit fields available, but geolocation and the particular control involved are readily obvious.
There is a lot to like about this product. It is among the most flexible we've seen. It really meets the criteria of anywhere, any app and any endpoint. The security functionality is comprehensive and it is easy to deploy and use. The additional flexibility of deploying on-premises or in the cloud, along with support for multiple/distributed gateways and/or proxies also is inviting. Pricing, as well, is attractive. Plus, focusing on sanctioned apps really sharpens its functionality and allows concentration on what it does best instead of trying to cover all applications and application types.
At a glance
Product FireLayers Secure Cloud Gateway
Price For less than three apps: $5/user per month; for more than three apps: $10/user per month.
What it does An inline gateway for only the sanctioned applications that the organization has chosen to control.
What we liked Very flexible. It doesn't matter where the user is - on or outside of the organization's network. Can be on premises, a cloud or on FireLayers' cloud. Supports multiple gateway and multiple proxy deployments.