Uncle Ben and ACE
As organizations interact more and more with the public cloud (AWS, GCP, Azure) or software as a service (SaaS) products, teams need to keep up with the requirement to provide functionality, consistency and security.
ACE has had a lot of new functionality added recently to support different organizations' needs.
New nodes such as:
support access to data inside AWS.
One of the new nodes, which is the focus of this post, is the Box Request Node.
Some of our clients use Box to manage access to external files (not from ACE), mostly as a secure way of doing FTP without FTP. So we upload new versions of software that specific and limited users inside their network can then access and download.
This is mostly an incoming flow of data. With this Box Request Node, message flows can interact with Box accounts to view, add and remove files. This is quite powerful when you think about it.
We allow developers to expose and export data from inside our business to the outside world.
Organizations that make use of ACE/IIB/WMB are often in the banking, insurance or health industry. The data that customers in these industries work with is often sensitive. This could be data about customers or staff, or business data such as financial reports or transaction information.
We go to great effort to ensure that personally identifiable information (PII) doesn't show in trace logs:
So it stands to reason that we should be mindful of, and track, the types of workflows and data that leave our business and go out to third parties and third-party providers.
With this in mind, we have added a new rule to identify where Box Request nodes are being used in our code:
The idea is that where the system is explicitly sending data externally, we should spend more time ensuring that the data is sensible and that only the bare minimum of data is exposed.
This also takes into account that, when using Box Request nodes, this exposure will happen in development and test as well, as there is no logical separation of the Box endpoint. So a developer could be sending data to Box from their test system as part of some R&D work, which could expose confidential client data or proprietary data or processes.
So as soon as one is used, we want to look more closely at that code for any potential risks to the organization.
In the same way that we might use a secure internet gateway, as part of a Secure Access Service Edge (SASE) solution, to restrict access and place controls around how cloud and SaaS services are used on a user's Bring Your Own Device (BYOD) device, we would also be interested in where our on-premise servers or our cloud solutions are sending data to and consuming data from.
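As an added illustration of what such a rule does (example code, not the author's product or IBM's), the script below walks an ACE .msgflow file and reports every node whose type marks it as an external data exit, so the flow can be pulled into review. The xmi:type marker used for the Box Request node and the sample flow are assumptions, not taken from a real project.

```python
# Added example (not the page's product or IBM's code): find Box Request
# nodes in IBM ACE .msgflow XML so those flows get extra review.
# Assumption: the node's xmi:type contains "BoxRequest"; the sample flow
# below is constructed, not a real project file.
import xml.etree.ElementTree as ET
from pathlib import Path

XMI = "http://www.omg.org/XMI"
# Markers for node types that push data outside the business; extend as needed.
EXTERNAL_MARKERS = ("BoxRequest",)

# Constructed sample .msgflow: MQ input -> Box Request upload.
SAMPLE_MSGFLOW = """\
<ecore:EPackage xmlns:xmi="http://www.omg.org/XMI"
    xmlns:ecore="http://www.eclipse.org/emf/2002/Ecore"
    xmlns:eflow="http://www.ibm.com/wbi/2005/eflow" nsPrefix="ExportFlow">
  <eClassifiers xmi:type="eflow:FCMComposite" name="FCMComposite_1">
    <composition>
      <nodes xmi:type="ComIbmMQInput.msgnode:FCMComposite_1"
             xmi:id="FCMComposite_1_1" queueName="IN.Q"/>
      <nodes xmi:type="ComIbmBoxRequest.msgnode:FCMComposite_1"
             xmi:id="FCMComposite_1_2" operation="UPLOAD"/>
    </composition>
  </eClassifiers>
</ecore:EPackage>
"""

def find_external_nodes(msgflow_xml: str) -> list[tuple[str, str]]:
    """Return (xmi:id, xmi:type) for each node whose type matches a marker."""
    root = ET.fromstring(msgflow_xml)
    hits = []
    for node in root.iter("nodes"):
        xmi_type = node.get(f"{{{XMI}}}type", "")
        if any(marker in xmi_type for marker in EXTERNAL_MARKERS):
            hits.append((node.get(f"{{{XMI}}}id", "?"), xmi_type))
    return hits

def scan_project(project_dir: Path) -> dict[str, list[tuple[str, str]]]:
    """Map each .msgflow under project_dir to its external-exit nodes."""
    report = {}
    for flow in sorted(project_dir.rglob("*.msgflow")):
        hits = find_external_nodes(flow.read_text(encoding="utf-8"))
        if hits:
            report[str(flow.relative_to(project_dir))] = hits
    return report

if __name__ == "__main__":
    for node_id, xmi_type in find_external_nodes(SAMPLE_MSGFLOW):
        print(f"review needed: node {node_id} ({xmi_type})")
```

Run `scan_project` over a checked-out ACE workspace in CI to get a per-flow list of external exits; an empty report means no flow in that project matched a marker.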
More information on our products and on pricing can be found on our website:
You can also reach me via email at:
Or contact me via the contact page on our website:
Regards
Richard