STORYBOARDS
Cloud Access Security Brokers: Critical Capabilities
Rich Campagna, VP, Products, Bitglass
Salim Hafid, Marketing Manager, Bitglass
Enterprise Needs
Visibility and audit
Restrict data on unmanaged devices
Prevent hacked accounts
Prevent data leakage & control access
First Attempt - Infrastructure “Lockdown”
Firewall DLP
Web Proxy
VPN
HQ & Branch Office
Starbucks
Apartment
VPN
MDM
+many more...
Second Attempt - Rely on Cloud App Vendors
Components: Usage/Consumption, Data, Application, Services, Servers & Storage, Network
Area: Data, Application, Infrastructure
Owner: Enterprise
Solution?
Cloud Access Security Brokers (CASBs)
CASB Use Cases
1. Discover unknown cloud apps and exfiltration
2. Visibility and user behavior analytics
3. Contextual access control
4. Data leakage prevention
5. Protect Cloud Data-at-Rest
6. Mobile data protection
Complete CASB Architecture
Managed Devices Forward Proxy ActiveSync Proxy Device Profiler
Unmanaged Devices Reverse Proxy + AJAX VM ActiveSync Proxy No agents/No certs/Any device
Data at Rest API Visibility & Control
+many more...
Identity SSO Multi-Factor Auth
CASB
CASB Critical Capabilities
Cloud
On-Premise
Managed BYOD
Cloud
Network
Access
Device
CASB Critical Capabilities
Cloud
On-Premise
Managed BYOD
Cloud
Network
Access
Device
● Data-at-rest encryption
● External sharing control
● Contextual Access Control
● Data Leakage Prevention
● Identity/SSO
● Visibility/Alerting
● Mobile Data Protection
● Agentless BYOD Support
● DRM/Encryption/Redaction
● Shadow IT Discovery
● High Risk Exfiltration Discovery
Common CASB Policy
Managed device
● Application Access: Forward Proxy, ActiveSync Proxy
● Access Control: Device Profile: Pass (Email, Browser, Thick clients)
● Data Protection: Full Access
BYOD
● Application Access: Reverse Proxy + AJAX VM, ActiveSync Proxy
● Access Control: Device Profile: Fail (Mobile Email, Browser)
● Data Protection: DLP/DRM/encryption, Device controls
In the Cloud
● Application Access: API Control
● Access Control: External Sharing Blocked
● Data Protection: Block external shares, Alert on DLP events
Gartner on CASBs
Hybrid Architecture CASBs are a requirement [Forward Proxy, Reverse Proxy, API Integration]
● All three deployment modes may be required to deliver the security outcomes that the organization desires.
● Many SaaS application providers do not yet have a rich set of APIs
● When deployed in the data path (typically as a form of proxy) the CASB can provide detailed logging on all users and devices, managed or bring your own device (BYOD), on what activities are occurring inside cloud applications and infrastructure.
Beware of API-only vendors
● Proxy mode CASBs are actually networking vendors; they are processing traffic similar to Web gateway vendors. This is a considerably harder engineering exercise than that of using APIs... It will be considerably harder for API-only CASB providers to retrofit proxy architecture to their platforms.
Managed/unmanaged device access control is required
● CASBs must be able to cover data… from any device type — managed or unmanaged — while accessing enterprise applications.
CASBs must include endpoint data protection components [Data protection on Devices]
● A CASB should handle not only the SaaS applications, but also how that data is tracked, delivered and stored on endpoints.
Bay Cove Human Services - Google Apps + HIPAA
2500 Employees
HIPAA Compliance with GApps and BYOD
● Google cost effective for non-profits, enhances productivity
● Challenges: Protect PHI, remain HIPAA compliant, keep costs low
● Key features: Data leakage prevention, visibility, integrated identity management, mobile data protection
Financial Services - Salesforce Encryption
Full strength encryption of PII
● First-gen cloud encryption gateway weakened encryption; brittle proxy technology
● Challenges: Maintain Salesforce functionality, encrypt data, extend risk-appropriate access
● Key features: Encryption with KMS Integration, visibility, access control
100k+ Employees
UNC Charlotte - Dropbox
Controlling External Sharing
● Moved to Dropbox to centralize Faculty file storage/sharing, including sensitive research data
● Challenges: External sharing, Unmanaged device access
● Key features: Contextual access control, encryption, watermarking, DRM
26,000 Students
3,000 Employees
Ad Agency - O365 OneDrive
Protect unreleased creative files in OneDrive
● Global clients demanded protection
● Challenges: Prevent data leakage
● Key features: External file sharing visibility/control, restricted access from unmanaged devices, Integrated identity/SSO
200 Employees
Global clients
Only Bitglass
Complete CASB Architecture
Managed Devices Forward Proxy ActiveSync Proxy Device Profiler
Unmanaged Devices Reverse Proxy + AJAX VM ActiveSync Proxy No agents/No certs/Any device
Data at Rest API Visibility & Control
+many more...
Identity SSO Multi-Factor Auth
End-to-End Data Protection
In the Cloud
● Full-Strength Cloud Encryption w/Search, Sort*
● Proxy-Accelerated Real-Time API Scanning**
At Access
● Contextual Access Control
● Native DLP (including unmanaged devices)
● Integrated SSO & 2FA
● Transparent to Users**
On the Device
● Reverse Proxy w/ AJAX VM**
● Activesync Proxy
● Sensitive Data Control: Track**, Encrypt, DRM, Redact, Block
● No Agents, Profiles, Certificates
● Agentless Selective Wipe**
* Patented ** Patents Pending
Standards-Based, Cloud-Scale
● Hosted globally across multiple AWS zones
● Auto-scaling and replication
● Private-cloud options
● Fully redundant architecture ensures constant uptime (99.9% SLA)
● Global load balancing for minimal latency
● 24x7x365 Global Support
Helpful Resources
1. Market Guide for CASBs - http://pages.bitglass.com/Gartner-CASB-Market-Guide-2015.html
2. Bitglass Case Studies - http://www.bitglass.com/resources#case_studies=1
3. Definitive Guide to O365 Security - http://pages.bitglass.com/definitive-guide-o365.html
Total Data Protection Beyond the Firewall
Rich Campagna, VP Products, Bitglass
@RichCampagna
Salim Hafid, Marketing Manager, Bitglass
@SalimHafid