By now you are likely familiar with Cloud Access Security Brokers (CASBs) and understand how they fit into your broader security and cloud strategy. What should organizations be looking for in a CASB? What capabilities are available now, or on the horizon, that can provide improved data protection in the cloud?
Bitglass and (ISC)2 present the final episode of the CASB series, in which we examine where cloud security is headed: agentless versus agent-based solutions, the growing number of cloud apps in use, and the importance of easy deployment. Learn why cross-app security will become increasingly valuable as organizations look to third-party solutions for deep visibility, behavior analytics, and more.
2. problem: cloud & mobile drive data outside the firewall, leaving traditional security technologies ineffective
3. the dark side: enterprises can't rely solely on native app security
[diagram: the enterprise and its end-user devices reach the cloud application stack (application, storage, servers, network) through a CASB; the CASB layer provides visibility & analytics, data protection, and identity & access control]
10. the cloud security menaces: benefits outweigh drawbacks, but risks remain
■ Lack of visibility and control over sensitive data
■ Difficult to identify malicious activity
■ Easy external sharing can result in unauthorized access
■ Cloud extends access to risky unmanaged devices
11. office 365 is the leading SaaS productivity suite, deployed in over a third of organizations
[chart: share of organizations using Google Apps, Office 365 and other suites by year (labelled years include 2015 and 2016); three groups of values, each summing to 100%: 16.3% / 7.7% / 76%; 22.8% / 25.2% / 52%; 40.7% / 24.5% / 34.8%]
12. this is not the dlp you're looking for: office 365 native dlp
■ BYOD blind spot - O365 DLP is focused on data-at-rest
■ High operational overhead - complex to configure
■ High cost - requires a top-of-the-line license
■ Point solution - support is focused on O365; what about other cloud apps?
16. the future of CASB security: a data-centric approach
o365 requires a new force with a new security architecture
■ Cross-device, cross-app agentless data security
■ Real-time data protection
■ Limit high-risk activities like external file sharing and unmanaged access
■ User behavior analytics
18. agentless real-time inline data protection: reverse proxy
futuristic CASB approach
■ no software or configuration on the device
■ resilience to SaaS app updates
■ privacy - only corporate traffic is inspected
legacy CASB approach
■ inline control requires a software agent
■ hard-coded proxy rules break on SaaS app updates
19. agentless security on any mobile device: activesync proxy
futuristic CASB approach
■ secure email, contacts & calendar
■ agentless
■ selective wipe, device encryption, PIN, etc.
■ privacy - only corporate traffic is inspected
legacy CASB approach
■ no native ActiveSync support
20. data leakage prevention: integrated high-performance engine
futuristic CASB approach
■ high-performance, comprehensive matching
■ advanced remediation
■ optional ICAP hand-off to an on-prem DLP engine
legacy CASB approach
■ no native DLP engine
■ black-or-white allow/block decisions
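The slide above contrasts an engine that does "comprehensive matching" with "advanced remediation" against one limited to flat allow/block decisions. As an added example (illustrative Python, not Bitglass code and not from the deck), here is a minimal classifier of that shape: validated detectors for SSNs and payment card numbers, an assumed list of PHI indicator terms, and a remediation function that chooses among allow, alert, encrypt, quarantine, block download and block external share depending on what was found and where the data is going. The detector patterns, term list, thresholds and the sample document are assumptions constructed for the example.

```python
"""Tiered DLP classification and remediation (added illustrative example)."""
import re
from collections import Counter

# SSN pattern; excludes area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Assumed PHI indicator terms; a real engine would use a curated lexicon.
PHI_TERMS = ("diagnosis", "patient", "prescription", "icd-10")

# Constructed sample document (not real data).
SAMPLE_DOC = "Patient Jane Roe, diagnosis: type 2 diabetes. SSN 123-45-6789."


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits; weeds out digit runs that merely look like PANs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count sensitive elements by type so remediation can be graded, not binary."""
    found = Counter()
    found["ssn"] = len(SSN_RE.findall(text))
    found["pan"] = sum(1 for m in PAN_RE.findall(text) if luhn_valid(m))
    lowered = text.lower()
    found["phi_term"] = sum(lowered.count(t) for t in PHI_TERMS)
    return found


def remediate(found: Counter, *, managed_device: bool, external_share: bool) -> str:
    """Pick the least disruptive action that still contains the data.

    The riskiest contexts (sharing outside the tenant, downloading to an
    unmanaged device) are decided first; inside the tenant on a managed
    device the response scales with what was found.
    """
    sensitive = found["ssn"] + found["pan"] + found["phi_term"]
    if sensitive == 0:
        return "allow"
    if external_share:
        return "block_external_share"
    if not managed_device:
        return "block_download"      # PHI/PII must not land on BYOD
    if found["pan"] or found["ssn"] >= 5:
        return "quarantine"          # any card data, or bulk SSNs
    if found["ssn"]:
        return "encrypt"             # isolated records: encrypt at rest
    return "alert"                   # PHI terms alone: log for review


if __name__ == "__main__":
    findings = classify(SAMPLE_DOC)
    print(dict(findings))
    print(remediate(findings, managed_device=False, external_share=False))
```

The point of the Luhn check and the SSN range exclusions is precision: a DLP engine that fires on every nine- or sixteen-digit run trains users to ignore it, and the tiered actions keep the common case (a single record on a managed device) from being blocked outright.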
21. scalable infrastructure: high availability, geo-load balancing
futuristic CASB approach
■ public or private cloud flexibility
■ auto-scaling and replication
■ fully redundant architecture
■ global load balancing
legacy CASB approach
■ proprietary bottlenecks and infrastructure
22. common office 365 policy: hybrid approach to protect data on any device
device | application | access mode | data protection
managed devices | legacy auth apps (e.g. Office 2010) | profile agent; VPN + IP restriction | full access
managed devices | modern auth apps (e.g. Office 2013+) | profile agent; VPN + IP restriction; client certificate check | full access
unmanaged devices / BYOD | browser | reverse proxy + AJAX-VM | DLP / DRM / encryption
unmanaged devices / BYOD | ActiveSync mail | ActiveSync proxy | device controls (e.g. PIN); agentless selective wipe
unmanaged devices / BYOD | client apps | block | -
in the cloud | OneDrive, SharePoint, Yammer | APIs | quarantine; encrypt with on-prem key; block external shares; alert on DLP events
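Writing the policy slide above as a decision function is a quick way to check that every device, client and auth combination has an answer. This added example (illustrative Python, not vendor code) encodes one reading of the slide: managed devices get full access once the profile agent, the VPN/IP restriction and, for modern-auth clients, a client certificate are verified; unmanaged devices are steered to the reverse proxy or ActiveSync proxy with their own controls; native client apps on unmanaged devices are blocked; and cloud-side API scanning of OneDrive, SharePoint and Yammer carries the at-rest remediation actions. The Request fields, mode names and control names are assumptions made for the example.

```python
"""Hybrid Office 365 access policy as a decision function (added illustrative example)."""
from dataclasses import dataclass
from typing import Tuple

# Assumed attributes of a request as the CASB sees them at the decision point.
@dataclass(frozen=True)
class Request:
    device_managed: bool           # MDM profile / profile agent present
    client: str                    # "browser", "activesync", "native_app" or "api"
    modern_auth: bool = False      # native_app only: Office 2013+ (True) vs Office 2010 (False)
    client_cert_ok: bool = False   # client certificate presented and validated
    trusted_network: bool = False  # arrived via VPN or an allowed IP range


@dataclass(frozen=True)
class Decision:
    access_mode: str               # full_access, reverse_proxy, activesync_proxy, api, block, deny
    controls: Tuple[str, ...]      # data-protection controls applied on this path


CLOUD_API_CONTROLS = ("quarantine", "encrypt_with_onprem_key",
                      "block_external_shares", "alert_on_dlp")
UNMANAGED_BROWSER_CONTROLS = ("dlp", "drm", "encryption")
UNMANAGED_MAIL_CONTROLS = ("device_pin", "agentless_selective_wipe")


def decide(req: Request) -> Decision:
    # Cloud-side scanning of OneDrive / SharePoint / Yammer over the app APIs:
    # no user session involved, so only at-rest remediation applies.
    if req.client == "api":
        return Decision("api", CLOUD_API_CONTROLS)

    if req.device_managed:
        # Managed devices: the profile agent plus VPN/IP restriction gate full access.
        if not req.trusted_network:
            return Decision("deny", ("require_vpn_or_allowed_ip",))
        # Modern-auth clients can additionally prove the device with a client
        # certificate; legacy-auth clients (e.g. Office 2010) cannot, so they
        # rely on the network check alone.
        if req.client == "native_app" and req.modern_auth and not req.client_cert_ok:
            return Decision("deny", ("require_client_certificate",))
        return Decision("full_access", ())

    # Unmanaged / BYOD: no agent, so control must happen inline or not at all.
    if req.client == "browser":
        return Decision("reverse_proxy", UNMANAGED_BROWSER_CONTROLS)
    if req.client == "activesync":
        return Decision("activesync_proxy", UNMANAGED_MAIL_CONTROLS)
    # Native client apps on unmanaged devices would bypass both proxies: block.
    return Decision("block", ())


def coverage_matrix() -> dict:
    """Enumerate every (managed, client, modern_auth) combination so gaps are visible."""
    matrix = {}
    for managed in (True, False):
        for client in ("browser", "activesync", "native_app", "api"):
            for modern in (False, True):
                req = Request(managed, client, modern_auth=modern,
                              client_cert_ok=True, trusted_network=True)
                matrix[(managed, client, modern)] = decide(req).access_mode
    return matrix


if __name__ == "__main__":
    for key, mode in coverage_matrix().items():
        print(key, "->", mode)
```

The coverage_matrix helper is the useful part of this exercise: if any combination falls through to a mode nobody intended, the policy has a hole, which is exactly what the PoC checklist later in the deck is probing for with its managed-versus-unmanaged and agentless-control questions.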
23. secure office 365 + byod: healthcare giant, 180,000 users
challenge
■ Ensure OneDrive usage is HIPAA-compliant
■ Prevent leakage of PII and PHI
■ Maintain end-user privacy
■ Enforce data security policies on managed and unmanaged devices
solution
■ Real-time inline data protection on any device
■ Block downloads of PHI and PII to unmanaged devices
■ Agentless BYOD with selective wipe
■ Ability to support future enterprise-wide SaaS deployments
24. secure salesforce + office 365: financial services giant
client
■ $6T in assets
■ Subject to GLB, PCI-DSS, and privacy laws that vary by region
challenge
■ Reduce the risk presented by an enterprise-wide Salesforce and Office 365 migration
■ Control Salesforce data residency
solution
■ Maintenance of full Salesforce frontend and backend functionality
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Bidirectional remediation of customer PII and PIFI in SharePoint and Yammer
25. proof of concept checklist: key tests in choosing a CASB
■ access control
• does it distinguish between managed and unmanaged devices?
■ unmanaged devices
• does it control data flow in real time without agents?
• does it support rich functionality, e.g. in-browser editing of docs?
■ mobile devices
• does it secure BYOD without agents?
■ breach discovery
• does it discover both exfiltration threats and Shadow IT?
■ security architecture
• does it dilute security standards, e.g. does proxying passwords increase phishing risk?