Jul 06 2021

Review: McAfee MVISION Unified Cloud Edge Provides Simple Network Access Control

The platform adds zero-trust elements to cloud deployments.

Most state governments are in the process of modernizing their infrastructure, which often means moving as many applications and services to the cloud as possible. This benefits not only states’ internal workforces but also many of the citizen services they provide. While this is a welcome development, it potentially opens up security vulnerabilities, as data from multiple new cloud providers, applications and users may now be accessed through the network.

Agencies need a consistent way to secure their data as it moves between multiple devices and the cloud, and from cloud to cloud. That is where the McAfee MVISION Unified Cloud Edge platform comes into play. The platform brings several cybersecurity technologies together under one umbrella, allowing administrators to fully configure permissible interactions and monitor their complete infrastructure from one location.

Admins Get Access to a Simplified Control Manager

At the heart of the UCE platform is the MVISION console. It supports several capabilities, including acting as a cloud access security broker, a secure cloud gateway, an endpoint protection platform and a data loss prevention tool. We mostly tested the cloud access capabilities, although the rules we created could also apply to the rest of the infrastructure.

The UCE platform was surprisingly easy to manage despite the complexity of the demo environment where it was being tested. As a test, I was able to apply a security policy to any application that used the Mail.ReadBasic scope. Once the new rule was in place, the dashboard showed me how many applications were affected by the new policy. Because the UCE is context aware, I could set up automatic actions based on almost any situation.


Platform Enables Granular Access Control Policies

For example, I could set one policy for a valid user on a personal device and another for a valid user on a company resource.

Available actions included revoking access, forcing users to interact through an isolated browser, or forcing a security update to bring a device into compliance.

The remarkable thing about the McAfee UCE is that because the entire platform is context aware, and because administrators can finely tune access and permissions based on context, it provides a bridge to a zero-trust environment. At least for cloud applications, states can tap the UCE to provide the most robust zero-trust protection possible.


Tailoring Access with McAfee MVISION UCE

To test how the McAfee MVISION UCE platform handled various situations, I set up several precise rules for applications, users and processes. In all cases, the UCE handled traffic exactly how I specified. Whenever it did something incorrect, it was because I didn’t set the rules up just right. Working with the UCE is fairly straightforward, but since managers are basically configuring a zero-trust environment, it may take a little while to learn all the nuances of what this powerful program can achieve. McAfee can offer training to go with new deployments.

In the first scenario, I had a valid user with all correct passwords attempt to access a simulated state government network on a personal device. Per our policy, the user was given full access to the network but was prevented from downloading or uploading any files since a personal device not controlled by the state government was being used.

A second user was also valid and working on a state-owned asset. However, the security patches were not up to date, so the device was noncompliant with my security policy. In this case, the UCE gave the user the choice of interacting with the site using browser isolation (so it could not actually affect the network) or applying all of the patches and then, after the UCE verified that they were again compliant, accessing everything normally. It’s worth noting that assets owned by the organization need to have a UCE agent running on them to verify policies and provide better monitoring.

Yet another valid user with a state-owned device had active malware on the system. The user was denied access to the network and had future access revoked until a human administrator could verify that it was safe for the user to return.

In addition to managing users, McAfee UCE can also enforce rules regarding how cloud-based applications communicate with one another, or what happens when a previously unknown application tries to access network resources. 

The UCE can even control tenant access. In one scenario, I was able to allow users to upload and download files freely to a state-operated Dropbox site, but added restrictions when dealing with personal Dropbox accounts. That can help to eliminate a serious security hole that can crop up with less advanced protection platforms.
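As an added illustration, not McAfee's code or the UCE's real policy engine, the following Python model captures the context-aware decisions the scenarios above describe: device ownership, patch compliance, malware state and target tenant each feed a single access decision, and file transfer is only permitted on a fully trusted session to a sanctioned tenant. The sanctioned-tenant set, the rule that an org asset without a reporting agent counts as noncompliant, and the scenario inputs are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "full access"
    ALLOW_NO_FILE_TRANSFER = "access granted, uploads and downloads blocked"
    ISOLATE_OR_PATCH = "browser isolation offered until patched and re-verified"
    DENY_AND_REVOKE = "denied, access revoked pending admin review"
    DENY = "denied"

@dataclass(frozen=True)
class Context:
    user_valid: bool        # credentials checked out
    org_owned: bool         # device is a state-owned asset
    agent_present: bool     # posture agent is reporting (assumed required on org assets)
    patched: bool           # security patches are current
    malware_detected: bool  # agent reports active malware
    tenant: str = ""        # SaaS tenant the session targets, if any

# Constructed: tenants the organization operates; anything else is treated as personal.
SANCTIONED_TENANTS = {"state-dropbox"}

def access_decision(ctx: Context) -> Decision:
    """Most severe condition wins; the order mirrors the review's scenarios."""
    if not ctx.user_valid:
        return Decision.DENY
    if ctx.malware_detected:
        return Decision.DENY_AND_REVOKE
    if not ctx.org_owned:
        # Posture of a personal device cannot be verified: allow, but no file transfer.
        return Decision.ALLOW_NO_FILE_TRANSFER
    if not ctx.agent_present or not ctx.patched:
        # Assumption: an org asset with no reporting agent is treated as noncompliant.
        return Decision.ISOLATE_OR_PATCH
    return Decision.ALLOW

def file_transfer_allowed(ctx: Context) -> bool:
    """Uploads/downloads need a fully trusted session and a sanctioned tenant."""
    return access_decision(ctx) is Decision.ALLOW and ctx.tenant in SANCTIONED_TENANTS

# Constructed scenarios matching the ones described in the review.
SCENARIOS = {
    "personal device": Context(True, False, False, True, False, "state-dropbox"),
    "unpatched org device": Context(True, True, True, False, False, "state-dropbox"),
    "infected org device": Context(True, True, True, True, True, "state-dropbox"),
    "compliant device, personal tenant": Context(True, True, True, True, False, "personal-dropbox"),
    "compliant device, state tenant": Context(True, True, True, True, False, "state-dropbox"),
}

def run_scenarios() -> dict:
    # Map each scenario name to (decision text, whether file transfer is allowed).
    return {n: (access_decision(c).value, file_transfer_allowed(c)) for n, c in SCENARIOS.items()}
```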

The UCE makes it possible to manage cloud deployments, data and access from a single program. In every scenario tested, it performed exactly as requested, closing many vulnerabilities in the cloud-based test bed, keeping them closed, and giving total control of an entire cloud infrastructure from a single, user-friendly console.

McAfee MVISION Unified Cloud Edge

Technology: Cloud-based security software
Cloud Platforms: Amazon Web Services, Google Cloud, Microsoft Azure and many others
License Type: Annually per user
Maximum Users: Unlimited
Technical Support: Available 24/7
