Blocking Personal Gmail/Hotmail/Outlook at a company
This is probably one of the simplest use-cases you can imagine for an organization. Imagine you’ve given out 300, 1000, or even 10,000 laptops, and now, all of your employees can access their personal Gmail on the work laptop.
It sounds “fine”. What’s the big deal, kunala?
Well, it is so simple for a user to take a bunch of PDFs, PowerPoints, and Word docs, and upload them to their personal Google Drive, or email them to themselves. What would you do? You’d never know someone is doing this!
I’ve seen this happen tons of times. You take a few documents over to your next company. It might be harmless (maybe personal items), but it could be architecture documents, emails, etc! So, how can we stop it?
Be forewarned, this is typically super hard to do. You have to go and buy some CASB, some SWG, read a terrible user manual, pay a ton of money, and maybe get it to work after months of hard work.
What if we could do this in 3 clicks?
Part 1 — Seems interesting, how does it work under the hood?
Service providers (Google Workspace, Microsoft 365, Slack, etc.) have documented mechanisms to perform this kind of cloud application control.
For example, Google defines an HTTP request header, X-GoogApps-Allowed-Domains, that must be injected into requests. Microsoft has a different one, called Restrict-Access-To-Tenants.
Injecting content into an encrypted SSL stream requires a proxy and SSL inspection, which is typically referred to as a Secure Web Gateway (SWG). So all you have to do is pop open SSL, inject the headers (example above), and bingo-bongo you are blocking personal email! Yet your corporate one still works!
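The header rewrite described above, sketched as an added example that is not part of the original post and is not dope.security's code. It goes slightly beyond the text: Restrict-Access-Context, the consumer_accounts keyword and sec-Restrict-Tenant-Access-Policy come from Google's and Microsoft's own documentation, while the host lists, the sample policy and the tenant ID are assumptions to check against those docs.

```python
# Added example, not dope.security code: the header-rewrite step an
# SSL-inspecting proxy applies to each decrypted request.
# Host lists, domains and the tenant ID below are constructed assumptions.

MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com",
                  "login.windows.net"}
MS_CONSUMER_HOST = "login.live.com"


def policy_headers(host, policy):
    """Return the headers the policy requires for this host (may be empty)."""
    h = host.lower().split(":")[0].rstrip(".")
    # Match on a label boundary: mail.google.com yes, notgoogle.com no.
    if h == "google.com" or h.endswith(".google.com"):
        allowed = list(policy["google_domains"])
        if policy["allow_consumer"]:
            allowed.append("consumer_accounts")  # Google's keyword for consumer accounts
        return {"X-GoogApps-Allowed-Domains": ",".join(allowed)}
    if h in MS_LOGIN_HOSTS:
        return {"Restrict-Access-To-Tenants": ",".join(policy["ms_tenants"]),
                "Restrict-Access-Context": policy["ms_tenant_id"]}
    if h == MS_CONSUMER_HOST and not policy["allow_consumer"]:
        return {"sec-Restrict-Tenant-Access-Policy": "restrict-msa"}
    return {}


def rewrite(host, headers, policy):
    """Replace, never append: exactly one policy value reaches the provider."""
    wanted = policy_headers(host, policy)
    names = {n.lower() for n in wanted}
    # Header names are case-insensitive; drop any copy already on the request.
    kept = [(k, v) for k, v in headers if k.lower() not in names]
    return kept + list(wanted.items())


POLICY = {  # constructed sample policy
    "google_domains": ["accenture.com"],
    "ms_tenants": ["accenture.com"],
    "ms_tenant_id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "allow_consumer": False,
}

if __name__ == "__main__":
    req = [("Host", "mail.google.com"),
           ("x-googapps-allowed-domains", "gmail.com")]  # constructed request
    for name, value in rewrite("mail.google.com", req, POLICY):
        print(f"{name}: {value}")
```

Requests that bypass SSL inspection never reach this step, so any inspection exception for these hosts leaves the control unenforced.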
Blargh, now how should I do all this?
Well, maybe it is not so straightforward… there’s the SSL inspection, key management, all the devices have to be consistent, there’s a policy, maybe some groups of users need exceptions…
If only there was something that could do all of this for you ♥
Part 2 — dope.security, the fly direct swg
It’s such an important security control, so we had to make it super easy to do without any knowledge about the underlying technical mechanism. That plus no months of back and forth and negotiations with some old, legacy cyber security company.
You can do-it-yourself in 2 min.
That’s because: dope.security *is* a proxy and does SSL inspection, but rather than doing it in a remote datacenter (a stopover), you do it directly on your device via an agent that is installed on all of your employees’ devices. The end result is that web traffic is decrypted to perform URL filtering, anti-malware, and cloud app controls.
So, once you’ve installed the endpoint agent:
- Choose the cloud app control, Google or Microsoft (or another one)
- Type in the domains you want to allow (maybe accenture.com)
- Decide if consumer login (gmail.com, live.com, outlook.com, hotmail.com) is ON or OFF
Hit save.
That’s it! How dope is that?
Small little video to explain it too!
Building cybersecurity products at places like Symantec and Forcepoint taught me so many things. But I could never get out of my head how complex it ended up being for the administrator (customer). That’s why, as you can see above, it’s a lot easier.
You can try it for yourself in seconds on dope.security. We’re pretty much the only cybersecurity company that offers an instant free trial. All you need is a Google or Microsoft company account.
Have fun!
— kunala