STORYBOARDS

Cloud Access Security BrokersReal-World Use Cases

Rich CampagnaVP, ProductsBitglass

Salim HafidMarketing ManagerBitglass

STORYBOARDS

Enterprise Needs

Visibility and audit

Restrict data on unmanaged devices

Prevent hacked accounts

Prevent data leakage & control access

STORYBOARDS

First Attempt - Infrastructure “Lockdown”

Firewall DLP

Web Proxy

VPN

HQ & Branch Office

Starbucks

ApartmentVPN

MDM

+many more...

STORYBOARDS

Components

Usage/Consumption

Data

Application

Services

Servers & Storage

Network

Area

Data

Application

Infrastructure

Owner

Enterprise

Second Attempt - Rely on Cloud App Vendors

STORYBOARDS

Solution?

Cloud Access Security Brokers (CASBs)

STORYBOARDS

Use Cases

1. Discover unknown cloud apps and exfiltration 2. Visibility and user behavior analytics 3. Contextual access control4. Data leakage prevention5. Mobile data protection

STORYBOARDS

CASB Architecture Options

1. Managed Devices Forward Proxy ActiveSync Proxy Device ProfilerSAML Proxy

+ SSO

2. Unmanaged Devices Reverse Proxy + AJAX VM ActiveSync Proxy No agents/No cert install Any device

Rev. Proxy

Fwd. Proxy

3. Data at Rest API Visibility & Control

+many more...

STORYBOARDS

Total Data ProtectionCl

oud

On-

Prem

ise

Managed BYOD

Cloud

Network

Access

Device

STORYBOARDS

Typical CASB Policy

Managed device

Application Access Access Control Data Protection

BYOD

In the Cloud

Forward ProxyActiveSync Proxy

Device Profile: Pass● Email● Browser● Thick clients

● Full Access

Reverse Proxy + AJAX VMActiveSync Proxy

● DLP/DRM/encryption ● Device controls

API Control External Sharing Blocked ● Block external shares● Alert on DLP events

Device Profile: Fail● Mobile Email● Browser

STORYBOARDS

Bay Cove Human Services - Google Apps + HIPAA

2500 Employees

HIPAA Compliance with GApps and BYOD● Google cost effective for non-profits, enhances productivity

● Challenges: Protect PHI, remain HIPAA compliant, keep costs low

● Key features: Data leakage prevention, visibility, integrated identity management, mobile data protection

STORYBOARDS

UNC Charlotte - Dropbox

Controlling External Sharing● Moved to Dropbox to centralize Faculty file storage/sharing,

including sensitive research data

● Challenges: External sharing, Unmanaged device access

● Key features: Contextual access control, encryption, watermarking, DRM

26,000 Students3,000 Employees

STORYBOARDS

Ad Agency - O365 OneDrive

Protect unreleased creative files in OneDrive● Global clients demanded protection

● Challenges: Prevent data leakage

● Key features: External file sharing visibility/control, restricted access from unmanaged devices, Integrated identity/SSO

200 EmployeesGlobal clients

STORYBOARDS

Financial Services - Salesforce Encryption

Full strength encryption of PII● First-gen cloud encryption gateway weakened encryption; brittle

proxy technology

● Challenges: Maintain Salesforce functionality, encrypt data, extend risk-appropriate access

● Key features: Encryption with KMS Integration, visibility, access control

100k+ Employees

STORYBOARDS

The Bitglass Mission:Total data protection outside the firewall

$35M investment Est. Jan. 2013 CA, NY, MA, IL, NC

STORYBOARDS

Bitglass: The Only Complete CASB Solution

Data Exfiltration

Integrated Identity & SSO

Mobile SecurityActiveSync Proxy

Access Control: Data-at-restAPI integration

Data Protection Watermarking, Encryption,

DLP, DRM

Access ControlForward Proxy

Reverse Proxy + AJAX-VM

Cloud Encryption

ShadowIT

Access Control SAML Proxy

Out-of-Band

Inband

STORYBOARDS

Helpful Resources

1. Definitive Guide to CASBs - http://pages.bitglass.com/definitive-guide-to-cloud-access-security-brokers.html

2. Bitglass Case Studies - http://www.bitglass.com/resources#case_studies=1

3. Definitive Guide to O365 Security - http://pages.bitglass.com/definitive-guide-o365.html

STORYBOARDS

Total Data ProtectionBeyond the Firewall

Rich CampagnaVP ProductsBitglass

rich@bitglass.com@RichCampagna

Salim HafidMarketing ManagerBitglass

shafid@bitglass.com@SalimHafid