MobileIron Confidential

“Protect your Cloud as data goes mobile” & Cloud Security

& Cloud Security - Infinigate (Schweiz)...Corporate owned / or BYOD secured device. With UID & PW, enterprise data moves into the app. With Username and Password, enterprise data moves


Page 1

“Protect your Cloud as data goes mobile”

& Cloud Security

Page 2

Security Model Fundamentally Changes

Old: Perimeter Model

• System image, Anti-malware agents
• Perimeter, Firewall
• Device VPN, VDI

Mobile & Cloud Model

Salesforce Office365 Workday SAP Oracle

Concur Google Drive box Dropbox

Presenter
Presentation notes
But the good news is that mobile is more secure than the PC.

Page 3

Components of Cloud Security

Access Control. Ingress encryption. (Non-persistent data in browsers)

Federated identity (User ID & PW)

Browser-to-Cloud

Identity / IDP

Mobile apps are becoming the #1 way to access enterprise cloud data & email

Data is persistent. Apps can be anywhere.

Traditional cloud security insufficient

Mobile App-to-Cloud

Page 4

“Protect your Cloud as your data goes mobile”

& Cloud Security

Page 5

Cloud Security in Action

Standard Authentication

CASB

Identity/IDP (SAML)

User ID?

Secure Device?

Secure App?

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box Dropbox

Biz Apps (secured)

Conditional Access Approved

Conditional Access Denied

Biz Apps (not secured)

Personal Apps & Cloud Services

Optional: Steer mobile app traffic to CASB for further inspection

No special App or Identity coding

Page 6

Challenge: Spouse’s iPad Problem

Identity/IDP (SAML)

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box Dropbox

Sales rep downloads work cloud apps onto daughter’s unsecured iPad. As long as they have the UID and PW, enterprise data moves down into the app.

• Enterprise data now persistent on unsecured iPad

• Side-door access into Cloud

• No DLP Protections

Installs work cloud app on spouse’s iPad

With Username and Password, enterprise data moves on to device

Page 7

Solution: Spouse’s iPad Problem

Identity/IDP (SAML)

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box Dropbox

Sales rep downloads work cloud apps onto daughter’s unsecured iPad.

Installs work cloud app on spouse’s iPad

Enterprise data remains secure

User ID?

Secure Device?

Secure App?

Page 8

Challenge: Sloppy app download problem

Identity/IDP (SAML)

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box

Honest mistake: Employee gets app from public stores

Corporate owned / or BYOD secured device. With UID & PW, enterprise data moves into the app.

With Username and Password, enterprise data moves on to device

• App & app data are outside the enterprise data boundary.

• No DLP Protections. Sharable into personal cloud.

• Cannot be deleted.

Public App Store Enterprise App Store

Page 9

Challenge: Sloppy app download problem

Identity/IDP (SAML)

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box

Ensure only secured apps before granting access

Public App Store Enterprise App Store

User ID?

Secure Device?

Secure App?

Enterprise data remains secure

Customized Block Alert

Your access to this Cloud Application is blocked for security reasons. In order to securely access this Cloud Application, please use a properly secured mobile device and download apps from [Company Name] enterprise app store.

Go to the [Help Center Link] for more information or contact the helpdesk at [Help Center Email]

Page 10

Challenge: 3rd party parasite-app problem

Identity/IDP (SAML)

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box

Sales rep finds cool 3rd party ecosystem app that connects directly into cloud service APIs – or locally on the device (e.g. SalesMesh or Pulsar). Logs in with cloud ID and PW.

With Username and Password, enterprise data moves on to device

• Cloud data now moving into unsanctioned 3rd party app

• Data moves into other apps and clouds

• Data escapes

Salesforce AppExchange

Page 11

Challenge: 3rd party parasite-app problem

Identity/IDP (SAML)

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box

Ensure only sanctioned and secure 3rd party apps from the cloud service’s ecosystem can be used

Salesforce AppExchange

User ID?

Secure Device?

Secure App?

Enterprise data remains secure

Customized Block Alert

Your access to this Cloud Application is blocked for security reasons. In order to securely access this Cloud Application, please use a properly secured mobile device and download apps from [Company Name] enterprise app store.

Go to the [Help Center Link] for more information or contact the helpdesk at [Help Center Email]

Page 12

Challenge: Cloud Email – Mobile problem

Identity/IDP (SAML)

Office365

iOS Native Email App

Users want Native iOS Email App OR separate email app
With UID and Password, Email flows down into local apps
PLUS: Email uses ActiveSync Protocol, not HTTP

• Email now moves into any email app

• Contents and attachments can be shared outside enterprise & sync with other clouds

User ID & Password

ActiveSync

Page 13

Solution: Cloud Email – Mobile problem

CASB

Identity/IDP (SAML)

Office365

iOS Native Email App

Conditional Access for Cloud Email
Must speak ActiveSync Protocol
Work with Native or 3rd party email apps

CASBs match ActiveSync with Mobile feeds

User ID?

Secure Device?

Secure App?

Conditional Access Approved

Conditional Access Denied

Standard Authentication

Secure Sharing

Email only in secured app
Native or 3rd Party
Content DLP

Page 14

Policy Granularity & Visibility

Normal Authentication

CASB

Identity/IDP (SAML)

User ID?

Secure Device?

Secure App?

Salesforce Office365 Workday

SAP Oracle Concur

Google Drive box Dropbox

Biz Apps (secured)

Conditional Access Approved

Conditional Access Denied

Biz Apps (not secured)

Personal Apps & Cloud Services

Optional: Steer mobile app traffic to CASB for further inspection

Flexible: Different Security / Different Apps
• Graduated conditions for allow/block (most secure -> least)
• Customizable Cloud Service by Cloud Service
• Example: Salesforce = most secure. Concur = no check

Conditional Access Summary Dashboards
• Allow/Block - summary
• Allow/Block – by Cloud Service & Service Rule

Detailed Logging & Event Reporting
• By User
• By Cloud Service
• By Service Rule
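
Added example (not from the original slides and not MobileIron code): a small Python sketch of the graduated, per-service allow/block decision and the by-service, by-rule summary this slide describes. The rule names, the Office365 level, the default-deny for unlisted services and the sample requests are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Graduated rule levels, most secure -> least (names are hypothetical).
# Every level still requires standard authentication (user_ok).
RULES = {
    "user+device+app": ("user_ok", "device_secure", "app_secure"),
    "user+device": ("user_ok", "device_secure"),
    "no-check": ("user_ok",),  # no device or app posture check
}

# Salesforce and Concur follow the slide; Office365 is an assumed level.
SERVICE_RULE = {
    "Salesforce": "user+device+app",
    "Office365": "user+device",
    "Concur": "no-check",
}

@dataclass(frozen=True)
class Request:
    user: str
    service: str
    user_ok: bool        # User ID?
    device_secure: bool  # Secure Device?
    app_secure: bool     # Secure App?

def evaluate(req):
    """Return (decision, rule, failed_checks) for one sign-in request."""
    rule = SERVICE_RULE.get(req.service)
    if rule is None:
        # Assumption: services without a rule are denied by default.
        return ("block", "unknown-service", ("service",))
    failed = tuple(c for c in RULES[rule] if not getattr(req, c))
    return ("block" if failed else "allow", rule, failed)

def summarize(requests):
    """Count decisions by (cloud service, service rule, decision)."""
    summary = Counter()
    for req in requests:
        decision, rule, _ = evaluate(req)
        summary[(req.service, rule, decision)] += 1
    return summary

# Constructed sample requests, not real log data.
SAMPLE = [
    Request("alice", "Salesforce", True, True, True),
    Request("bob", "Salesforce", True, False, False),   # unsecured iPad
    Request("carol", "Salesforce", True, True, False),  # public-store app
    Request("bob", "Concur", True, False, False),
    Request("dave", "Box", True, True, True),           # no rule defined
]
```

The same valid credentials from an unsecured device are blocked for Salesforce but allowed for Concur, which is the per-service difference the slide calls out.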
