CASBs: Real-world use cases

Post on 18-Feb-2017

STORYBOARDS

Cloud Access Security Brokers: Real-World Use Cases

Rich Campagna, VP, Products, Bitglass

Salim Hafid, Marketing Manager, Bitglass

Enterprise Needs

Visibility and audit

Restrict data on unmanaged devices

Prevent hacked accounts

Prevent data leakage & control access

First Attempt - Infrastructure “Lockdown”

Firewall DLP

Web Proxy

VPN

HQ & Branch Office

Starbucks

Apartment VPN

MDM

+many more...

Second Attempt - Rely on Cloud App Vendors

Components: Usage/Consumption, Data, Application, Services, Servers & Storage, Network

Area: Data, Application, Infrastructure

Owner: Enterprise

Solution?

Cloud Access Security Brokers (CASBs)

Use Cases

1. Discover unknown cloud apps and exfiltration
2. Visibility and user behavior analytics
3. Contextual access control
4. Data leakage prevention
5. Mobile data protection

CASB Architecture Options

1. Managed Devices: Forward Proxy, ActiveSync Proxy, Device Profiler, SAML Proxy + SSO
2. Unmanaged Devices: Reverse Proxy + AJAX VM, ActiveSync Proxy, no agents/no cert install, any device
3. Data at Rest: API, Visibility & Control

+many more...

Total Data Protection

Cloud

On-Premise

Managed BYOD

Cloud

Network

Access

Device

Typical CASB Policy

Managed device

● Application Access: Forward Proxy, ActiveSync Proxy

● Access Control: Device Profile: Pass (Email, Browser, Thick clients)

● Data Protection: Full Access

BYOD

● Application Access: Reverse Proxy + AJAX VM, ActiveSync Proxy

● Access Control: Device Profile: Fail (Mobile Email, Browser)

● Data Protection: DLP/DRM/encryption, Device controls

In the Cloud

● Application Access: API Control

● Access Control: External Sharing Blocked

● Data Protection: Block external shares, Alert on DLP events

Bay Cove Human Services - Google Apps + HIPAA

2500 Employees

HIPAA Compliance with GApps and BYOD

● Google cost effective for non-profits, enhances productivity

● Challenges: Protect PHI, remain HIPAA compliant, keep costs low

● Key features: Data leakage prevention, visibility, integrated identity management, mobile data protection

UNC Charlotte - Dropbox

Controlling External Sharing

● Moved to Dropbox to centralize Faculty file storage/sharing, including sensitive research data

● Challenges: External sharing, Unmanaged device access

● Key features: Contextual access control, encryption, watermarking, DRM

26,000 Students

3,000 Employees

Ad Agency - O365 OneDrive

Protect unreleased creative files in OneDrive

● Global clients demanded protection

● Challenges: Prevent data leakage

● Key features: External file sharing visibility/control, restricted access from unmanaged devices, Integrated identity/SSO

200 Employees

Global clients

Financial Services - Salesforce Encryption

Full strength encryption of PII

● First-gen cloud encryption gateway weakened encryption; brittle proxy technology

● Challenges: Maintain Salesforce functionality, encrypt data, extend risk-appropriate access

● Key features: Encryption with KMS Integration, visibility, access control

100k+ Employees

The Bitglass Mission: Total data protection outside the firewall

$35M investment Est. Jan. 2013 CA, NY, MA, IL, NC

Bitglass: The Only Complete CASB Solution

Data Exfiltration

Integrated Identity & SSO

Mobile Security: ActiveSync Proxy

Access Control: Data-at-rest API integration

Data Protection: Watermarking, Encryption, DLP, DRM

Access Control: Forward Proxy

Reverse Proxy + AJAX-VM

Cloud Encryption

ShadowIT

Access Control SAML Proxy

Out-of-Band

Inband

Total Data Protection Beyond the Firewall

Rich Campagna, VP Products, Bitglass

rich@bitglass.com, @RichCampagna

Salim Hafid, Marketing Manager, Bitglass

shafid@bitglass.com, @SalimHafid