CASBs and Office 365: The Security Menace

Upload: bitglass

Post on 16-Apr-2017

Category: Technology


TRANSCRIPT

Page 1: CASBs and Office 365: The Security Menace

CASBs and Office 365

the security menace

Page 2: CASBs and Office 365: The Security Menace

STORYBOARDS

office 365 is the leading SaaS productivity suite: deployed in over a third of organizations, office 365 is

[Chart: google apps, office 365 and other, 2015 vs. 2016]

Page 3: CASBs and Office 365: The Security Menace

the traditional approach to security is inadequate

Page 4: CASBs and Office 365: The Security Menace

the dark side: enterprises can’t rely solely on native app security

[Diagram labels: enterprise (CASB); end-user devices; visibility & analytics; data protection; identity & access control; application; storage; servers; network]

Page 5: CASBs and Office 365: The Security Menace

cloud security menaces

benefits outweigh drawbacks, but risks remain

■ Lack of visibility and control over sensitive data

■ Difficult to identify malicious activity

■ Easy external sharing can result in unauthorized access

■ Cloud extends access to risky unmanaged devices

Page 6: CASBs and Office 365: The Security Menace

poll: what are your office 365 migration plans?

Page 7: CASBs and Office 365: The Security Menace

components of o365 security

identity

cloud

access

mobile

Page 8: CASBs and Office 365: The Security Menace

cloud: not a trap if adequately secured

■ External sharing opens the door to unintended leaks

○ API-based controls can restrict sharing of sensitive data

■ User behavior analytics, logging

○ Little in-app visibility, no cross-app visibility

○ Third-party solutions are built with compliance in mind

Page 9: CASBs and Office 365: The Security Menace

access: native security provides limited visibility

■ More access, greater risk of data leakage

○ Granular access controls can limit risky access

○ Allow/block is not sufficient

■ DLP is critical to securing sensitive data in risky contexts

○ Complete security solutions should be content-aware, apply DLP at access

Page 10: CASBs and Office 365: The Security Menace

mobile: fear of unmanaged devices is a path to the dark side

■ Employees have rejected MDM and MAM

■ IT must securely enable access to frequently used apps

■ Allow different levels of mobile access based on device type, user, etc.

Page 11: CASBs and Office 365: The Security Menace

identity: centralized identity management will be with you always

■ Cloud app identity management should maintain the best practices of on-prem identity

■ O365 can identify some but not all high-risk logins

■ Prevent use of compromised credentials with cross-app IAM, step-up MFA

Page 12: CASBs and Office 365: The Security Menace

office 365 native dlp: this is not the dlp you’re looking for

■ BYOD blindspot - O365 DLP focused on data at rest.

■ High operational overhead - Complex to configure.

■ Difficult deployment - OneDrive DLP requires Office 2016.

■ High cost - Must have top of the line license.

■ Point solution - Support focused on O365, what about other cloud apps?

Page 13: CASBs and Office 365: The Security Menace

poll: which of the following security functions is most critical?

Page 14: CASBs and Office 365: The Security Menace

casbs uniquely strike the balance between agility and security

data protection for all user devices – managed and unmanaged

fast and flexible agentless deployments

future proof and adaptable

Page 15: CASBs and Office 365: The Security Menace

casb security: a data-centric approach

o365 requires a new force, a new security architecture

■ Cross-device, cross-application agentless data security

■ Real-time data protection

■ Limit high-risk activities like external file sharing, unmanaged access

■ User behavior analytics

Page 16: CASBs and Office 365: The Security Menace

how casb security works

reverse proxy

■ unmanaged device controls without agents

forward proxy

■ managed device controls

activesync proxy

■ secure email, calendar, etc. on any mobile device

■ device-level security - wipe, encryption, PIN, etc.

Page 17: CASBs and Office 365: The Security Menace

casb identity

centralized identity management is key in securing data

■ CASBs offer integrated identity management across apps

■ Limit potential breaches with step-up multifactor auth for high risk logins

Page 18: CASBs and Office 365: The Security Menace

office 365 use case: real-time inline data protection on any device

managed devices

● application: Legacy Auth Apps, e.g. Office 2010

● access mode: profile-agent, VPN+IP-restriction

● data protection: Full access

● application: Modern Auth Apps, e.g. Office 2013+

● access mode: profile agent, VPN+IP-restriction, certificates

● data protection: Full access

unmanaged devices & mobiles

● application: Browser, ActiveSync Mail, Client apps

● access mode: Reverse-proxy + AJAX-VM, ActiveSync Proxy

● data protection: DLP/DRM/encryption; Device controls, e.g. PIN; Agentless selective wipe; Client apps: allow/block

in the cloud

● application: OneDrive, Sharepoint

● access mode: API

● data protection: Quarantine DLP; Block external shares; Alert on DLP events

Page 19: CASBs and Office 365: The Security Menace

challenge

■ Ensure OneDrive usage is HIPAA-compliant

■ Prevent leakage of PII and PHI

■ Maintain end user privacy

■ Enforce data security policies on managed and unmanaged devices

solution

■ Real-time inline data protection on any device

■ Block downloads of PHI and PII to unmanaged devices

■ Agentless BYOD with selective wipe

■ Ability to support future enterprise-wide SaaS deployments

180,000 users

secure office 365 + byod

healthcare giant

Page 20: CASBs and Office 365: The Security Menace

secure salesforce + office 365

client

■ $6T in assets

■ Subject to GLB, PCI-DSS, privacy laws that vary by region

challenge

■ Reduce risk presented by enterprise-wide Salesforce and Office 365 migration

■ Control Salesforce data residency

solution

■ Maintenance of full Salesforce frontend and backend functionality

■ Preserve SOQL API integrations

■ Full control of encryption keys

■ Bidirectional remediation of customer PII and PIFI in Sharepoint and Yammer

financial services giant

Page 21: CASBs and Office 365: The Security Menace

about bitglass

total data protection outside the firewall

est. jan 2013

tier 1 VCs

200+ customers

Page 22: CASBs and Office 365: The Security Menace

trusted by the Global 2000

financial services

healthcare

manufacturing

and more...

Page 23: CASBs and Office 365: The Security Menace

resources: more info about office 365 security

■ whitepaper: definitive guide to casbs

■ case study: fortune 100 healthcare firm secures o365

■ video: securing office 365

Page 24: CASBs and Office 365: The Security Menace

bitglass.com

@bitglass