Security considerations
The cloud application metering solution is designed with data protection and user privacy in mind.
Snow has minimized the amount of collected information to ensure that only required data points are stored. No telemetry, usage data, or any other information is transferred to Snow. Snow has no access to the raw data collected by the extension, which always remains secure at customer premises.
Data collected and sent
The cloud application metering extensions collect the following data points:
Full URL of a website visited by a user
The account that the user is logged on with, that is, either the local computer account or the Active Directory account. For example, computername\username or AD\username.
A timestamp associated with the URL visit
The extension neither collects, examines, nor utilizes security headers, request body, or any other parameters. The collected information is stored in an encrypted file.
After a short period of time (3-5 min), the collected information is processed by the agent, and in the resulting data set the URL details are removed. This is done to ensure that the visited URL information never leaves the user’s device. Instead, only the number of hits against a cloud application metering rule is saved. The rule itself is not stored in clear text, but is instead represented by a unique RuleID that contains no details about which website it identifies.
The data that leaves the device consists of:
The RuleID that matches the user's activity in the browser
The account that the user is logged on with
A timestamp associated with the URL visit
The matching between the RuleID and the known application is done in the data processing pipeline. A known application is an application that has been analyzed and processed by the Data Intelligence Service (DIS).
Data encryption
All collected and processed data is stored encrypted.
This includes:
Temporary storage of URLs, logins, and timestamps (AES-256)
Storage of rules with corresponding hit numbers (AES-256)
Generic Snow Inventory files that are used to package the data for sending (AES-128)
Extension permissions and functionality
In order to perform their tasks, browser extensions need to access browsing data. The different browsers will show warnings regarding what an extension does.
These are examples of warnings regarding browser extension permissions, as stated in the respective browser store:
Chromium-based browsers Google Chrome and Microsoft Edge:
Read and change all your data on the websites you visit
Communicate with cooperating native applications
Apple Safari:
Web Page Content: Can read sensitive information from web pages, including passwords, phone numbers and credit cards. Can alter the appearance and behavior of web pages. This applies to all web pages.
Browsing History: Can see when you visit all web pages.
Mozilla Firefox:
Access your data for all websites
Exchange messages with programs other than Firefox
Access browser tabs
For example, Chromium-based browser extensions by design implement an “all-or-nothing” permission model for the extension that requests access to all URLs visited by a user. For Snow Web Application Metering extension, it means that Chromium-based browsers give it permission to “Read and change all data on websites you visit”.
Important
The cloud application metering extensions only require and collect information on the user-visited URLs. The extensions do not change or read the content of the visited web pages.
Unfortunately, a separate permission scope for “Read all URLs on the websites you visit” does not exist in the current permission model of Chromium-based browsers.
Security testing
Snow recognizes the importance of keeping the browser extensions secure as they are deployed to end-user computers and have access to websites the users visit. Therefore, Snow has started a bug bounty program, where security researchers are rewarded for finding and reporting security issues within the extensions. This facilitates continuous security assessment of the latest changes to the cloud application metering extensions.