The Future of CASBs: A Cloud Security Force Awakens

Upload: bitglass

Post on 05-Jan-2017


TRANSCRIPT

The Future of CASBs

A Cloud Security Force Awakens

cloud & mobile drive data outside the firewall...

...leaving traditional security technologies ineffective

problem

STORYBOARDS

the dark side

enterprises can’t rely solely on native app security

enterprise (CASB)

■ end-user devices
■ visibility & analytics
■ data protection
■ identity & access control

■ application
■ storage
■ servers
■ network

a new hope
webinar 1 recap

the clone wars
in the beginning… shadow IT was all we knew

shadow IT

revenge of the sith
API-based solutions were touted as “the only way”

shadow IT

API-based approach

a new hope
The Rebels emerged with a new way to secure SaaS apps

shadow IT

API-based approach

API + in-line

poll
which of the following security functions is most critical?

the security menace

webinar 2 recap

the cloud security menaces
benefits outweigh drawbacks, but risks remain

■ Lack of visibility and control over sensitive data
■ Difficult to identify malicious activity
■ Easy external sharing can result in unauthorized access
■ Cloud extends access to risky unmanaged devices

office 365 is the leading SaaS productivity suite
deployed in over a third of organizations

[chart: google apps, office 365 and other; years shown: 2015, 2016]

this is not the dlp you’re looking for
office 365 native dlp

■ BYOD blindspot - O365 DLP focused on data-at-rest
■ High operational overhead - Complex to configure
■ High cost - Must have top of the line license
■ Point solution - Support focused on O365, what about other cloud apps?

poll
what are your office 365 migration plans?

a cloud security force awakens
the future of CASBs

CASB solution components

cloud, mobile, discovery

the future of CASB security
a data-centric approach

o365 requires a new force with new security architecture
■ Cross-device, cross-app agentless data security
■ Real-time data protection
■ Limit high-risk activities like external file sharing, unmanaged access
■ User behavior analytics

components of a complete CASB solution

■ Reverse Proxy
■ ActiveSync Proxy
■ Forward Proxy
■ Access Control
■ Data Protection
■ Watermarking, Encryption, DLP, DRM
■ Cloud Encryption
■ Identity: integrated SSO & SAML proxy
■ API Integration
■ Analytics & Visibility
■ managed devices: visibility + control
■ unmanaged devices: visibility + control
■ technology
■ Breach (Malware, TOR…)
■ Shadow IT
■ out-of-band
■ in-band

agentless real-time inline data protection
reverse proxy

futuristic CASB approach
■ no software or configuration
■ resilience to SaaS app updates
■ privacy - only corporate traffic inspected

legacy CASB approach
■ inline control requires software agent
■ hard-coded proxy rules break on SaaS app updates

agentless security on any mobile device
activesync proxy

futuristic CASB approach
■ secure email, contacts & calendar
■ agentless
■ selective wipe, device encryption, PIN etc.
■ privacy - only corporate traffic inspected

legacy CASB approach
■ no native ActiveSync support

data leakage prevention
integrated high-performance engine

futuristic CASB approach
■ high performance, comprehensive matching
■ advanced remediation
■ optional ICAP to on-prem DLP engine

legacy CASB approach
■ no native DLP engine
■ black or white allow/block decisions

scalable infrastructure
high availability, geo-load balancing

futuristic CASB approach
■ public or private cloud flexibility
■ auto-scaling and replication
■ fully redundant architecture
■ global load balancing

legacy CASB approach
■ proprietary bottlenecks and infrastructure

common office 365 policy
hybrid approach to protect data on any device

managed devices
  application: Legacy Auth Apps (e.g. Office 2010)
    access mode: ● profile-agent ● VPN+IP-restriction
    data protection: ● Full access
  application: Modern Auth Apps (e.g. Office 2013+)
    access mode: ● profile agent ● VPN+IP-restriction ● client certificate check
    data protection: ● Full access

unmanaged devices / byod
  application: ● Browser ● ActiveSync Mail ● Client apps
    access mode: ● Reverse-proxy + AJAX-VM ● ActiveSync Proxy
    data protection: ● DLP/DRM/encryption ● Device controls (e.g. PIN) ● Agentless Selective Wipe ● Client apps: block

in the cloud
  application: ● OneDrive ● Sharepoint ● Yammer
    access mode: ● APIs
    data protection: ● Quarantine ● Encrypt with on-prem key ● Block external shares ● Alert on DLP events

healthcare giant
secure office 365 + byod
180,000 users

challenge
■ Ensure OneDrive usage is HIPAA-compliant
■ Prevent leakage of PII and PHI
■ Maintain end user privacy
■ Enforce data security policies on managed and unmanaged devices

solution
■ Real-time inline data protection on any device
■ Block downloads of PHI and PII to unmanaged devices
■ Agentless BYOD with selective wipe
■ Ability to support future enterprise-wide SaaS deployments

financial services giant
secure salesforce + office 365

client
■ $6T in assets
■ Subject to GLB, PCI-DSS, privacy laws that vary by region

challenge
■ Reduce risk presented by enterprise-wide Salesforce and Office 365 migration
■ Control Salesforce data residency

solution
■ Maintenance of full Salesforce frontend and backend functionality
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Bidirectional remediation of customer PII and PIFI in Sharepoint and Yammer

proof of concept checklist
key tests in choosing a CASB

■ access control
  • distinguish between managed and unmanaged devices?
■ unmanaged devices
  • real-time control of data flow without agents?
  • support rich functionality, e.g. in-browser editing of docs?
■ mobile devices
  • secure BYOD without agents?
■ breach discovery
  • discover both exfiltration threats & Shadow IT?
■ security architecture
  • dilute standards, e.g. does proxy of passwords increase phishing risk?

about bitglass

est. jan 2013
tier 1 VCs
250+ customers

total data protection outside the firewall...
may the force be with you

bitglass.com
@bitglass