cloud access security brokers - critical capabilities

Upload: bitglass

Post on 11-Jan-2017

TRANSCRIPT

Page 1: Cloud Access Security Brokers - Critical Capabilities

STORYBOARDS

Cloud Access Security Brokers: Critical Capabilities

Rich Campagna, VP, Products, Bitglass

Salim Hafid, Marketing Manager, Bitglass

Page 2: Cloud Access Security Brokers - Critical Capabilities

Enterprise Needs

Visibility and audit

Restrict data on unmanaged devices

Prevent hacked accounts

Prevent data leakage & control access

Page 3: Cloud Access Security Brokers - Critical Capabilities

First Attempt - Infrastructure “Lockdown”

Firewall DLP

Web Proxy

VPN

HQ & Branch Office

Starbucks

Apartment

VPN

MDM

+many more...

Page 4: Cloud Access Security Brokers - Critical Capabilities

Second Attempt - Rely on Cloud App Vendors

Components: Usage/Consumption, Data, Application, Services, Servers & Storage, Network

Area: Data, Application, Infrastructure

Owner: Enterprise

Page 5: Cloud Access Security Brokers - Critical Capabilities

Solution?

Cloud Access Security Brokers (CASBs)

Page 6: Cloud Access Security Brokers - Critical Capabilities

CASB Use Cases

1. Discover unknown cloud apps and exfiltration
2. Visibility and user behavior analytics
3. Contextual access control
4. Data leakage prevention
5. Protect Cloud Data-at-Rest
6. Mobile data protection

Page 7: Cloud Access Security Brokers - Critical Capabilities

Complete CASB Architecture

Managed Devices: Forward Proxy, ActiveSync Proxy, Device Profiler

Unmanaged Devices: Reverse Proxy + AJAX VM, ActiveSync Proxy, No agents/No certs/Any device

Data at Rest: API Visibility & Control

+many more...

Identity: SSO, Multi-Factor Auth

CASB

Page 8: Cloud Access Security Brokers - Critical Capabilities

CASB Critical Capabilities

[Diagram. Labels: Cloud, On-Premise; Managed, BYOD; Cloud, Network, Access, Device]

Page 9: Cloud Access Security Brokers - Critical Capabilities

CASB Critical Capabilities

[Diagram. Labels: Cloud, On-Premise; Managed, BYOD; Cloud, Network, Access, Device]

● Data-at-rest encryption
● External sharing control

● Contextual Access Control
● Data Leakage Prevention
● Identity/SSO
● Visibility/Alerting

● Mobile Data Protection
● Agentless BYOD Support
● DRM/Encryption/Redaction

● Shadow IT Discovery
● High Risk Exfiltration Discovery

Page 10: Cloud Access Security Brokers - Critical Capabilities

Common CASB Policy

Columns: Application Access, Access Control, Data Protection

Managed device
Forward Proxy, ActiveSync Proxy
Device Profile: Pass
● Email
● Browser
● Thick clients
● Full Access

BYOD
Reverse Proxy + AJAX VM, ActiveSync Proxy
Device Profile: Fail
● Mobile Email
● Browser
● DLP/DRM/encryption
● Device controls

In the Cloud
API Control
External Sharing Blocked
● Block external shares
● Alert on DLP events

Page 11: Cloud Access Security Brokers - Critical Capabilities

Gartner on CASBs

Hybrid Architecture CASBs are a requirement [Forward Proxy, Reverse Proxy, API Integration]
● All three deployment modes may be required to deliver the security outcomes that the organization desires.
● Many SaaS application providers do not yet have a rich set of APIs
● When deployed in the data path (typically as a form of proxy) the CASB can provide detailed logging on all users and devices, managed or bring your own device (BYOD), on what activities are occurring inside cloud applications and infrastructure.

Beware of API-only vendors
● Proxy mode CASBs are actually networking vendors; they are processing traffic similar to Web gateway vendors. This is a considerably harder engineering exercise than that of using APIs... It will be considerably harder for API-only CASB providers to retrofit proxy architecture to their platforms.

Managed/unmanaged device access control is required
● CASBs must be able to cover data… from any device type — managed or unmanaged — while accessing enterprise applications.

CASBs must include endpoint data protection components [Data protection on Devices]
● A CASB should handle not only the SaaS applications, but also how that data is tracked, delivered and stored on endpoints.

Page 12: Cloud Access Security Brokers - Critical Capabilities

Bay Cove Human Services - Google Apps + HIPAA

2500 Employees

HIPAA Compliance with GApps and BYOD

● Google cost effective for non-profits, enhances productivity

● Challenges: Protect PHI, remain HIPAA compliant, keep costs low

● Key features: Data leakage prevention, visibility, integrated identity management, mobile data protection

Page 13: Cloud Access Security Brokers - Critical Capabilities

Financial Services - Salesforce Encryption

Full strength encryption of PII

● First-gen cloud encryption gateway weakened encryption; brittle proxy technology

● Challenges: Maintain Salesforce functionality, encrypt data, extend risk-appropriate access

● Key features: Encryption with KMS Integration, visibility, access control

100k+ Employees

Page 14: Cloud Access Security Brokers - Critical Capabilities

UNC Charlotte - Dropbox

Controlling External Sharing

● Moved to Dropbox to centralize Faculty file storage/sharing, including sensitive research data

● Challenges: External sharing, Unmanaged device access

● Key features: Contextual access control, encryption, watermarking, DRM

26,000 Students, 3,000 Employees

Page 15: Cloud Access Security Brokers - Critical Capabilities

Ad Agency - O365 OneDrive

Protect unreleased creative files in OneDrive

● Global clients demanded protection

● Challenges: Prevent data leakage

● Key features: External file sharing visibility/control, restricted access from unmanaged devices, Integrated identity/SSO

200 Employees, Global clients

Page 16: Cloud Access Security Brokers - Critical Capabilities

Only Bitglass

Page 17: Cloud Access Security Brokers - Critical Capabilities

Complete CASB Architecture

Managed Devices: Forward Proxy, ActiveSync Proxy, Device Profiler

Unmanaged Devices: Reverse Proxy + AJAX VM, ActiveSync Proxy, No agents/No certs/Any device

Data at Rest: API Visibility & Control

+many more...

Identity: SSO, Multi-Factor Auth

Page 18: Cloud Access Security Brokers - Critical Capabilities

End-to-End Data Protection

In the Cloud
● Full-Strength Cloud Encryption w/Search, Sort*
● Proxy-Accelerated Real-Time API Scanning**

At Access
● Contextual Access Control
● Native DLP (including unmanaged devices)
● Integrated SSO & 2FA
● Transparent to Users**

On the Device
● Reverse Proxy w/ AJAX VM**
● ActiveSync Proxy
● Sensitive Data Control: Track**, Encrypt, DRM, Redact, Block
● No Agents, Profiles, Certificates
● Agentless Selective Wipe**

* Patented ** Patents Pending

Page 19: Cloud Access Security Brokers - Critical Capabilities

Standards-Based, Cloud-Scale

● Hosted globally across multiple AWS zones
● Auto-scaling and replication
● Private-cloud options
● Fully redundant architecture ensures constant uptime (99.9% SLA)
● Global load balancing for minimal latency
● 24x7x365 Global Support

Page 20: Cloud Access Security Brokers - Critical Capabilities

Helpful Resources

1. Market Guide for CASBs - http://pages.bitglass.com/Gartner-CASB-Market-Guide-2015.html

2. Bitglass Case Studies - http://www.bitglass.com/resources#case_studies=1

3. Definitive Guide to O365 Security - http://pages.bitglass.com/definitive-guide-o365.html

Page 21: Cloud Access Security Brokers - Critical Capabilities

Total Data Protection Beyond the Firewall

Rich Campagna, VP Products, Bitglass
@RichCampagna

Salim Hafid, Marketing Manager, Bitglass
@SalimHafid