the future of casbs - a cloud security force awakens
TRANSCRIPT
problem
cloud & mobile drive data outside the firewall...
...leaving traditional security technologies ineffective
STORYBOARDS
the dark side: enterprises can’t rely solely on native app security
[Diagram: the CASB sits between end-user devices and the enterprise (application, storage, servers, network), providing visibility & analytics, data protection, and identity & access control]
revenge of the sith: API-based solutions were touted as “the only way”
[Diagram: shadow IT; API-based approach]
a new hope: The Rebels emerged with a new way to secure SaaS apps
[Diagram: shadow IT; API-based approach; API + in-line]
the cloud security menaces: benefits outweigh drawbacks, but risks remain
■ Lack of visibility and control over sensitive data
■ Difficult to identify malicious activity
■ Easy external sharing can result in unauthorized access
■ Cloud extends access to risky unmanaged devices
office 365 is the leading SaaS productivity suite, deployed in over a third of organizations
[Chart: share of google apps, office 365 and other productivity suites, 2015 vs 2016]
this is not the dlp you’re looking for: office 365 native dlp
■ BYOD blindspot - O365 DLP focused on data-at-rest
■ High operational overhead - Complex to configure
■ High cost - Must have top of the line license
■ Point solution - Support focused on O365, what about other cloud apps?
the future of CASB security: a data-centric approach
o365 requires a new force with new security architecture
■ Cross-device, cross-app agentless data security
■ Real-time data protection
■ Limit high-risk activities like external file sharing, unmanaged access
■ User behavior analytics
components of a complete CASB solution
[Diagram; labels recovered from the slide]
deployment paths: in-band (Reverse Proxy, ActiveSync Proxy, Forward Proxy) and out-of-band (API Integration)
coverage: managed devices (visibility + control); unmanaged devices (visibility + control)
technology: Access Control; Data Protection (Watermarking, Encryption, DLP, DRM); Cloud Encryption; Identity: integrated SSO & SAML proxy; Analytics & Visibility; Breach (Malware, TOR…) and Shadow IT discovery
agentless real-time inline data protection: reverse proxy
futuristic CASB approach
■ no software or configuration
■ resilience to SaaS app updates
■ privacy - only corporate traffic inspected
legacy CASB approach
■ inline control requires software agent
■ hard-coded proxy rules break on SaaS app updates
agentless security on any mobile device: activesync proxy
futuristic CASB approach
■ secure email, contacts & calendar
■ agentless
■ selective wipe, device encryption, PIN etc
■ privacy - only corporate traffic inspected
legacy CASB approach
■ no native ActiveSync support
data leakage prevention: integrated high-performance engine
futuristic CASB approach
■ high performance, comprehensive matching
■ advanced remediation
■ optional ICAP to on-prem DLP engine
legacy CASB approach
■ no native DLP engine
■ black or white allow/block decisions
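As an added illustration of the matching and remediation stages a DLP engine performs (example code written for this transcript, not Bitglass's engine), the following Python scans a constructed document for SSN and payment-card patterns, confirms card candidates with the Luhn checksum so that look-alike numbers are not flagged, and maps findings plus transaction context to the kinds of action the deck lists (block, quarantine, alert). The pattern set, the sample document and the action mapping are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample document; hypothetical values, not real records.
SAMPLE_DOC = """Patient intake form
Name: Jane Example
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Invoice ref: 1234 5678 9012 3456
Contact: 555-0100
"""

# Detector patterns (assumed set; a production engine carries many more).
PATTERNS = {
    # US SSN with the invalid area/group/serial values excluded
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digit runs with optional space/dash separators; candidates only,
    # confirmed by the Luhn check below
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str  # value with all but the last four digits hidden


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return the findings in a document, never the raw sensitive values."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if kind == "card" and not luhn_ok(digits):
                continue  # plausible-looking number that fails the checksum
            findings.append(Finding(kind, mask(digits)))
    return findings


def remediate(findings: list, *, unmanaged_device: bool = False,
              external_share: bool = False) -> str:
    """Map DLP findings plus context to an action (assumed mapping)."""
    if not findings:
        return "allow"
    if unmanaged_device:
        return "block"        # no PII/PHI downloads to unmanaged devices
    if external_share:
        return "quarantine"   # stop the share and hold the file for review
    return "alert"            # managed, internal: allow but raise a DLP event


if __name__ == "__main__":
    found = scan(SAMPLE_DOC)
    for f in found:
        print(f.kind, f.masked)
    print(remediate(found, unmanaged_device=True))
```

The invoice reference in the sample has the shape of a card number but fails Luhn, so it produces no finding; that is the difference between a regex-only detector and the "comprehensive matching" the slide asks for. Findings carry masked values only, so the DLP event log itself does not become a new store of PII.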
scalable infrastructure: high availability, geo-load balancing
futuristic CASB approach
■ public or private cloud flexibility
■ auto-scaling and replication
■ fully redundant architecture
■ global load balancing
legacy CASB approach
■ proprietary bottlenecks and infrastructure
common office 365 policy: hybrid approach to protect data on any device
[Table reconstructed from the slide]
device class | application | access mode | data protection
managed devices | Legacy Auth Apps (e.g. Office 2010) | profile agent; VPN + IP restriction | Full access
managed devices | Modern Auth Apps (e.g. Office 2013+) | profile agent; VPN + IP restriction; client certificate check | Full access
unmanaged devices / byod | Browser; ActiveSync Mail; Client apps | Reverse-proxy + AJAX-VM; ActiveSync Proxy | DLP/DRM/encryption; Device controls (e.g. PIN); Agentless Selective Wipe; Client apps: block
in the cloud | OneDrive; Sharepoint; Yammer | APIs | Quarantine; Encrypt with on-prem key; Block external shares; Alert on DLP events
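To show how a hybrid policy of this kind is evaluated per request, here is an added Python example (written for this transcript, not Bitglass code): it classifies a device as managed from the signals the policy names (profile agent, VPN/IP restriction, and a client-certificate check for modern-auth apps), then routes unmanaged traffic through the inline proxies with the listed controls and blocks sensitive downloads to unmanaged devices. The corporate address ranges, channel names, control labels and sample requests are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed corporate LAN and VPN address pools (assumed values).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Request:
    client_ip: str
    channel: str              # "browser" | "activesync" | "legacy_auth_app" | "modern_auth_app"
    has_profile_agent: bool   # device-management profile/agent reported
    client_cert_valid: bool   # client certificate presented and valid
    contains_sensitive: bool  # payload matched a DLP policy (PII/PHI)


def on_corporate_network(ip: str) -> bool:
    """VPN + IP restriction: the request must arrive from a corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def is_managed(req: Request) -> bool:
    """Managed-device criteria taken from the policy table (assumed combination)."""
    if not (req.has_profile_agent and on_corporate_network(req.client_ip)):
        return False
    if req.channel == "modern_auth_app":
        # modern auth supports an additional client-certificate check
        return req.client_cert_valid
    return True


def decide(req: Request) -> dict:
    """Return the access mode and data-protection controls for one request."""
    if is_managed(req):
        return {"managed": True, "path": "direct", "access": "full", "controls": []}
    if req.channel == "browser":
        path, controls = "reverse-proxy", ["dlp", "drm", "encryption"]
    elif req.channel == "activesync":
        path, controls = "activesync-proxy", ["dlp", "device-pin",
                                              "device-encryption", "selective-wipe"]
    else:
        # native client apps from unmanaged devices are blocked, as in the table
        return {"managed": False, "path": "none", "access": "block", "controls": []}
    # unmanaged device: proxy inline, and stop downloads of PII/PHI
    access = "block-download" if req.contains_sensitive else "allow"
    return {"managed": False, "path": path, "access": access, "controls": controls}


if __name__ == "__main__":
    # constructed request: home network, browser, document holding PII
    home_browser = Request("198.51.100.7", "browser", False, False, True)
    print(decide(home_browser))
```

Note that a device reporting an agent but connecting from outside the corporate ranges is treated as unmanaged, and a modern-auth client without a valid certificate falls through to the unmanaged client-app row and is blocked; the IP and certificate checks are what keep a self-reported agent flag from being enough on its own.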
secure office 365 + byod: healthcare giant, 180,000 users
challenge
■ Ensure OneDrive usage is HIPAA-compliant
■ Prevent leakage of PII and PHI
■ Maintain end user privacy
■ Enforce data security policies on managed and unmanaged devices
solution
■ Real-time inline data protection on any device
■ Block downloads of PHI and PII to unmanaged devices
■ Agentless BYOD with selective wipe
■ Ability to support future enterprise-wide SaaS deployments
secure salesforce + office 365: financial services giant
client
■ $6T in assets
■ Subject to GLB, PCI-DSS, privacy laws that vary by region
challenge
■ Reduce risk presented by enterprise-wide Salesforce and Office 365 migration
■ Control Salesforce data residency
solution
■ Maintenance of full Salesforce frontend and backend functionality
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Bidirectional remediation of customer PII and PIFI in Sharepoint and Yammer
proof of concept checklist: key tests in choosing a CASB
■ access control
  • distinguish between managed and unmanaged devices?
■ unmanaged devices
  • real-time control of data flow without agents?
  • support rich functionality, e.g. in-browser editing of docs?
■ mobile devices
  • secure BYOD without agents?
■ breach discovery
  • discover both exfiltration threats & Shadow IT?
■ security architecture
  • dilute standards, e.g. does proxy of passwords increase phishing risk?
about bitglass
est. jan 2013
tier 1 VCs
250+ customers
total data protection outside the firewall...
may the force be with you