& Cloud Security - Infinigate (Schweiz)
TRANSCRIPT
MobileIron Confidential
“Protect your Cloud as data goes mobile”
& Cloud Security
Security Model Fundamentally Changes
Old: Perimeter Model
• System image
• Anti-malware agents
• Perimeter firewall
• Device VPN
• VDI
Mobile & Cloud Model
• Cloud services reached directly from the device: Salesforce, Office 365, Workday, SAP, Oracle, Concur, Google Drive, Box, Dropbox
Components of Cloud Security
Browser-to-Cloud
• Access control through federated identity (Identity / IDP, user ID & password)
• Ingress encryption; data in the browser is non-persistent
Mobile App-to-Cloud
• Mobile apps are becoming the #1 way to access enterprise cloud data & email
• Data is persistent on the device, and the apps can be anywhere
• Traditional (browser-centric) cloud security is insufficient for this path
“Protect your Cloud as your data goes mobile”
& Cloud Security
Cloud Security in Action
Standard authentication: the user signs in at the Identity/IDP (SAML), which brokers access to the cloud services (Salesforce, Office 365, Workday, SAP, Oracle, Concur, Google Drive, Box, Dropbox).
Conditional access adds three questions before the IDP releases an assertion:
• User ID? (credentials valid)
• Secure Device? (known, managed, compliant device)
• Secure App? (sanctioned app, delivered by the enterprise)
Outcomes:
• Biz apps (secured): Conditional Access Approved
• Biz apps (not secured) and personal apps & cloud services: Conditional Access Denied
Optional: steer mobile app traffic to a CASB for further inspection.
No special app or identity coding is required.
Challenge: Spouse's iPad Problem
A sales rep installs the work cloud apps on a spouse's (or child's) unsecured iPad. As long as the user has a UID and password, the Identity/IDP (SAML) authenticates them and enterprise data moves from the cloud services (Salesforce, Office 365, Workday, SAP, Oracle, Concur, Google Drive, Box, Dropbox) down into the app on that device.
• Enterprise data is now persistent on an unsecured iPad
• Side-door access into the cloud that bypasses every device control
• No DLP protections
Solution: Spouse's iPad Problem
The sales rep installs the same work cloud app on the spouse's unsecured iPad, but before the Identity/IDP (SAML) releases an assertion to the cloud services it asks:
• User ID? (yes, the credentials are valid)
• Secure Device? (no, the iPad is not enrolled or managed)
• Secure App?
The device check fails, access is denied, and enterprise data remains secure.
Challenge: Sloppy App Download Problem
Honest mistake: on a corporate-owned or BYOD secured device, the employee gets the app from the public app store instead of the enterprise app store. With UID & password the Identity/IDP (SAML) authenticates, and enterprise data moves from the cloud services (Salesforce, Office 365, Workday, SAP, Oracle, Concur, Google Drive, Box) into that app.
• The app and its data sit outside the enterprise data boundary
• No DLP protections; content is shareable into personal clouds
• The enterprise cannot delete the app or its data, because it did not install it
Public App Store vs. Enterprise App Store
Solution: Sloppy App Download Problem
Ensure only secured apps are in use before granting access: the Identity/IDP (SAML) asks User ID?, Secure Device? and Secure App? The user and the device pass, but the copy installed from the public app store is not the one distributed through the enterprise app store, so the Secure App check fails and access is denied. Enterprise data remains secure.
Customized Block Alert:
Your access to this Cloud Application is blocked for security reasons. In order to securely access this Cloud Application, please use a properly secured mobile device and download apps from the [Company Name] enterprise app store.
Go to the [Help Center Link] for more information or contact the helpdesk at [Help Center Email].
Challenge: 3rd-Party Parasite-App Problem
A sales rep finds a cool 3rd-party ecosystem app that connects directly into the cloud service's APIs, or into the data already on the device (e.g. SalesMesh or Pulsar from the Salesforce AppExchange), and logs in with the cloud ID and password. With username and password, enterprise data moves from the cloud services (Salesforce, Office 365, Workday, SAP, Oracle, Concur, Google Drive, Box) onto the device.
• Cloud data now moves into an unsanctioned 3rd-party app
• From there it moves into other apps and clouds
• Data escapes
Solution: 3rd-Party Parasite-App Problem
Ensure only sanctioned and secure 3rd-party apps from the cloud service's ecosystem (e.g. Salesforce AppExchange) can be used: the Identity/IDP (SAML) asks User ID?, Secure Device? and Secure App?, and an app that is not on the sanctioned list fails the Secure App check and is denied. Enterprise data remains secure.
Customized Block Alert: same wording as on the previous solution slide.
Challenge: Cloud Email - Mobile Problem
Users want the native iOS email app or a separate email app for Office 365. With UID and password, email flows down into those local apps.
PLUS: email clients speak the ActiveSync (EAS) protocol, not the browser/SAML web flow. EAS is carried over HTTPS, but the client authenticates with username and password straight against the mail service, so a conditional-access gate that only sits in the SAML flow at the Identity/IDP never sees the request.
• Email now moves into any email app
• Contents and attachments can be shared outside the enterprise and synced with other clouds
Solution: Cloud Email - Mobile Problem
Conditional access for cloud email (Office 365):
• Must speak the ActiveSync protocol, not only SAML
• Must work with the native iOS email app and with 3rd-party email apps
• The CASB matches the ActiveSync device identifiers against the mobile (MDM) device feed, so the same questions apply: User ID? Secure Device? Secure App?
• Standard authentication still happens; conditional access is approved or denied in front of it
Secure sharing:
• Email only in a secured app, native or 3rd party
• Content DLP
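The matching the slide describes, as an added example that is not MobileIron's, Infinigate's or any CASB vendor's code: a small Python gate that parses the EAS request line, reads DeviceId and User from the query string, and looks the device up in a constructed MDM feed before deciding. The feed contents, the request lines and the reason strings are assumptions made for the example; the base64-encoded EAS query form used by some clients is noted but not decoded.

```python
"""Conditional access for Exchange ActiveSync (EAS) traffic.

Added example, not MobileIron's, Infinigate's or any CASB's code. Every EAS
request names the device (DeviceId) and the user (User) in its query string;
the gate matches that DeviceId against the MDM's device feed before mail is
allowed to flow. Feed, request lines and reason strings are constructed.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed MDM feed: EAS device ID reported by each enrolled device, with owner and posture.
MDM_FEED = {
    "ApplDN6X3P2ZFH3L": {"user": "alice@example.com", "compliant": True},
    "ApplF4RQ1Y2K9ABC": {"user": "bob@example.com", "compliant": False},
}


def parse_eas_request(request_line: str) -> dict:
    """Pull Cmd, User, DeviceId and DeviceType out of an EAS request line.

    EAS clients call /Microsoft-Server-ActiveSync?Cmd=...&User=...&DeviceId=...&DeviceType=...
    over HTTPS. Some clients instead send a base64-encoded query string; a
    production gate must decode that form too, which this example does not.
    """
    try:
        _method, target, _version = request_line.split(" ")
    except ValueError:
        raise ValueError("malformed request line")
    parts = urlsplit(target)
    if parts.path.lower() != "/microsoft-server-activesync":
        raise ValueError("not an EAS request")
    query = parse_qs(parts.query)
    fields = {k: query.get(k, [""])[0] for k in ("Cmd", "User", "DeviceId", "DeviceType")}
    if not fields["User"] or not fields["DeviceId"]:
        raise ValueError("EAS request without User or DeviceId")
    return fields


def decide(req: dict, feed: dict = MDM_FEED) -> tuple:
    """Return ('allow' | 'block', reason) for a parsed EAS request.

    DeviceId is client-supplied, so on its own it proves nothing; the check
    only has value because the MDM feed binds that ID to an enrolled user and
    to a compliance state the enterprise controls.
    """
    dev = feed.get(req["DeviceId"])
    if dev is None:
        return "block", "device not enrolled in MDM"
    if dev["user"].lower() != req["User"].lower():
        return "block", "device enrolled to a different user"
    if not dev["compliant"]:
        return "block", "device out of compliance"
    return "allow", "enrolled, compliant device"


def gate(request_line: str, feed: dict = MDM_FEED) -> tuple:
    """Parse and decide; anything unparseable is blocked (fail closed)."""
    try:
        req = parse_eas_request(request_line)
    except ValueError as exc:
        return "block", str(exc)
    return decide(req, feed)


# Constructed request lines: a managed iPhone, an unknown iPad, a borrowed device, a non-compliant one.
SAMPLE_REQUESTS = [
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice%40example.com&DeviceId=ApplDN6X3P2ZFH3L&DeviceType=iPhone HTTP/1.1",
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice%40example.com&DeviceId=ApplSPOUSEIPAD01&DeviceType=iPad HTTP/1.1",
    "POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=bob%40example.com&DeviceId=ApplDN6X3P2ZFH3L&DeviceType=iPhone HTTP/1.1",
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=bob%40example.com&DeviceId=ApplF4RQ1Y2K9ABC&DeviceType=iPhone HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(gate(line))
```

The gate fails closed: a request that is not EAS, lacks a device ID, or names a device the MDM has never seen is blocked, which is exactly what turns the spouse's iPad from a side door into a dead end for mail as well as for SAML-fronted apps.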
Policy Granularity & Visibility
Same conditional-access gate as above: normal authentication at the Identity/IDP (SAML), then User ID? Secure Device? Secure App?; secured biz apps are approved, unsecured biz apps and personal apps & cloud services are denied, and mobile app traffic can optionally be steered to the CASB for further inspection.
Flexible: different security for different apps
• Graduated conditions for allow/block (most secure -> least)
• Customizable cloud service by cloud service. Example: Salesforce = most secure (every check). Concur = no check.
Conditional access summary dashboards
• Allow/block summary
• Allow/block by cloud service & service rule
Detailed logging & event reporting
• By user
• By cloud service
• By service rule
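The graduated per-service policy on this slide, together with the three challenge scenarios earlier in the deck (spouse's iPad, sloppy download, parasite app), as an added example that is not MobileIron's, Infinigate's or any IDP vendor's code. The service rules, the MDM device feed, the sanctioned-app registry and every app identifier are constructed; evaluate() is the assumed gate in front of the SAML IDP and records one audit event per decision by user, cloud service and service rule, which is what the dashboards on the slide summarize.

```python
"""Graduated conditional-access policy in front of a SAML IDP.

Added example, not MobileIron's, Infinigate's or any IDP vendor's code. After
standard authentication the gate asks User ID? Secure Device? Secure App?,
and each cloud service decides which of those checks it requires
(Salesforce = most secure, Concur = no check). Rules, device feed, app
registry and app identifiers are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Per-service rule: checks required after standard authentication, most secure -> least.
SERVICE_RULES = {
    "salesforce": ("device", "app"),  # managed, compliant device AND sanctioned app from the enterprise store
    "office365": ("device",),         # managed, compliant device; any client
    "concur": (),                     # standard authentication only
}
DEFAULT_RULE = ("device", "app")      # a service with no explicit rule gets the strictest one (fail closed)

# Constructed MDM feed: device ID -> owner, posture, and apps installed through the enterprise app store.
DEVICE_FEED = {
    "ios-7f3a": {"owner": "alice@example.com", "compliant": True,
                 "managed_apps": {"com.example.sfdc", "com.example.outlook"}},
    "ios-b410": {"owner": "alice@example.com", "compliant": True,
                 "managed_apps": {"com.example.outlook"}},   # sfdc app present, but from the public store
    "ios-9c21": {"owner": "alice@example.com", "compliant": False,
                 "managed_apps": {"com.example.sfdc"}},
}

# Constructed registry of sanctioned apps: app ID -> the one cloud service it may reach.
SANCTIONED_APPS = {"com.example.sfdc": "salesforce", "com.example.outlook": "office365"}

BLOCK_MESSAGE = ("Your access to {service} is blocked for security reasons. Please use a properly "
                 "secured mobile device and download apps from the enterprise app store.")


@dataclass
class AccessRequest:
    user: str
    service: str
    credentials_ok: bool              # standard authentication (user ID & password) succeeded
    device_id: Optional[str] = None   # MDM-issued device identity; None for an unmanaged device
    app_id: Optional[str] = None      # identity the calling app presents; None from a browser


@dataclass
class Decision:
    allow: bool
    rule: str        # the check that decided: "credentials", "device", "app" or "none"
    message: str


AUDIT_LOG = []  # one event per decision, keyed by user, cloud service and service rule


def _device_ok(req: AccessRequest, devices: dict) -> bool:
    dev = devices.get(req.device_id)
    return dev is not None and dev["owner"] == req.user and dev["compliant"]


def _app_ok(req: AccessRequest, devices: dict, apps: dict) -> bool:
    # The app must be sanctioned for this service AND have been installed on this
    # device through the enterprise store; the same app ID from the public store fails.
    managed = devices.get(req.device_id, {}).get("managed_apps", set())
    return apps.get(req.app_id) == req.service and req.app_id in managed


def evaluate(req: AccessRequest, rules=SERVICE_RULES, devices=DEVICE_FEED,
             apps=SANCTIONED_APPS, log=AUDIT_LOG) -> Decision:
    """Standard authentication first, then the service's graduated checks in order."""
    checks = {"device": lambda: _device_ok(req, devices), "app": lambda: _app_ok(req, devices, apps)}
    if not req.credentials_ok:
        decision = Decision(False, "credentials", "Authentication failed.")
    else:
        decision = Decision(True, "none", "Conditional access approved.")
        for name in rules.get(req.service, DEFAULT_RULE):
            if not checks[name]():
                decision = Decision(False, name, BLOCK_MESSAGE.format(service=req.service))
                break
    log.append({"user": req.user, "service": req.service, "rule": decision.rule, "allow": decision.allow})
    return decision


def scenarios() -> dict:
    """The deck's scenarios as constructed requests; returns label -> Decision."""
    alice = "alice@example.com"
    return {
        "spouse_ipad":     evaluate(AccessRequest(alice, "salesforce", True, "ipad-unknown", "com.example.sfdc")),
        "sloppy_download": evaluate(AccessRequest(alice, "salesforce", True, "ios-b410", "com.example.sfdc")),
        "parasite_app":    evaluate(AccessRequest(alice, "salesforce", True, "ios-7f3a", "com.example.parasite")),
        "noncompliant":    evaluate(AccessRequest(alice, "salesforce", True, "ios-9c21", "com.example.sfdc")),
        "secured":         evaluate(AccessRequest(alice, "salesforce", True, "ios-7f3a", "com.example.sfdc")),
        "concur_anywhere": evaluate(AccessRequest(alice, "concur", True)),
        "unknown_service": evaluate(AccessRequest(alice, "workday", True)),
        "bad_password":    evaluate(AccessRequest(alice, "office365", False, "ios-7f3a")),
    }


if __name__ == "__main__":
    for label, d in scenarios().items():
        print(f"{label:16} allow={d.allow!s:5} rule={d.rule}")
```

Two design choices matter in practice: a service without an explicit rule falls back to the strictest rule rather than to "no check", and the app check is bound to the device feed, so the deck's sloppy-download case (right app, wrong store) is distinguishable from its parasite-app case (wrong app) even though both end in the same block alert.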