securing iaas applications
TRANSCRIPT
webinar, March 22, 2016
CASBs for IaaS
STORYBOARDS
(architecture diagram labels: enterprise; end-user devices; visibility & analytics; data protection; identity & access control; application, storage, servers, network)
the data blind spot: cloud app vendors don't control cloud usage
(diagram label: app vendor)
key security challenges: IaaS apps introduce new risks
■ IaaS management consoles and VMs
■ Connected cloud applications (e.g. data visualization tools)
■ Access to connected apps
■ Data-at-rest in the cloud
security must evolve to protect data in the cloud
■ ungoverned access to corporate data in the cloud
■ data-at-rest in the cloud
■ sensitive cloud data on unmanaged devices
cloud security must strike the balance between agility and security
■ data protection for all user devices – managed and unmanaged
■ fast and flexible agentless deployments
■ user privacy and mobility
poll: what are your biggest challenges in protecting IaaS apps?
challenge 1: protecting management consoles
■ AWS, Azure, and Google Cloud management consoles are a gateway
■ Spinning up VMs, killing existing instances, and more
■ Limited native access controls
challenge 2: secure data at rest
■ Data stores like S3 contain sensitive data
■ PII, PHI, PCI subject to strict regulatory mandates
○ Visibility and control necessary for compliance
■ Enterprises must encrypt or at minimum tokenize sensitive fields
challenge 3: secure access to connected apps
■ Connected data crunching and visualization apps have full access to data stores
■ Typical use case is
■ Protecting connected apps requires access controls, DLP, more
poll: what capabilities are you looking to leverage to protect data?
critical capabilities for IaaS security
■ identity
■ tokenization
■ access control
■ audit + visibility
cloud tokenization: protect data-at-rest while retaining app functionality
■ Useful for PII and PCI, subject to stringent regulatory mandates
■ Tokenize just those fields that are most sensitive
■ Protects PII as it moves from data stores to connected apps (e.g. S3 to RDS to Tableau)
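The field-level tokenization described in challenge 2 and on this slide, as an added example that is not part of the webinar or of any Bitglass product: a hypothetical in-memory vault swaps only the named sensitive fields (the field names, the sample record and the keep-the-last-four-digits rule are assumptions) for format-preserving tokens, so the value that lands in S3, RDS or a connected app keeps its shape while the real value never leaves the vault.

```python
import secrets

# Constructed sample record; only the fields named in SENSITIVE_FIELDS get tokenized.
SENSITIVE_FIELDS = ("ssn", "card_number")
SAMPLE_RECORD = {"customer": "A. Example", "city": "Campbell",
                 "ssn": "123-45-6789", "card_number": "4111-1111-1111-1111"}


class TokenVault:
    """Vault-based, format-preserving tokenization (hypothetical, in-memory).

    The real value lives only in the vault, which stays inside the enterprise;
    the data store and every connected app downstream see only the token, which
    keeps the original's length, separators and last four digits.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def _random_token(self, value: str) -> str:
        digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
        replaceable = digit_positions[:-4]  # keep the last four digits as-is
        if not replaceable:
            raise ValueError("value too short to tokenize safely")
        chars = list(value)
        for i in replaceable:
            chars[i] = str(secrets.randbelow(10))
        return "".join(chars)

    def tokenize(self, value: str) -> str:
        # Same input always yields the same token, so a connected app can
        # still group or join on the field without ever seeing the real value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = self._random_token(value)
        while token == value or token in self._token_to_value:  # avoid collisions
            token = self._random_token(value)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token; an unknown token is an error, not a value.
        return self._token_to_value[token]

    def tokenize_record(self, record: dict) -> dict:
        return {k: self.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

    def detokenize_record(self, record: dict) -> dict:
        return {k: self.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}
```

A production vault would persist the mapping in a store with its own access controls and audit log rather than in process memory.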
audit and visibility
■ User behavior analytics & alerting - identify suspicious behavior
■ Detailed logs required to prove appropriate controls are in place
○ Access control policies
○ Sensitive data at rest
○ Risky external shares
data-centric protection: access controls and real-time cloud DLP
■ Outright blocking forces users to work around IT
■ Granular context-based controls extend access while applying appropriate protections
■ DLP protects data at access and after download
identity
■ Cloud app identity management should maintain the best practices of on-prem identity
■ Cross-app visibility over suspicious logins can help to prevent a breach
casb security: a data-centric approach
a new security architecture for the new data reality
■ tokenize data as it moves between IaaS apps
■ apply granular access controls
■ protect data at download with cloud DLP
■ detailed logging for compliance
our mission: total data protection outside the firewall
#1 CASB real-time data protection
founded 2013, tier 1 funding
award-winning
tech leader: 3 patents, 3 pending
resources: more info about cloud security
■ technical overview: bitglass for aws
■ solution brief: bitglass cloud security
bitglass.com
@bitglass