By now you are likely familiar with Cloud Access Security Brokers (CASBs) and understand how they fit into your broader security and cloud strategy. What should organizations be looking for in a CASB? What capabilities are here or on the horizon that can provide improved data protection in the cloud? Bitglass and (ISC)2 presents the final episode of the CASB series where we will examine where cloud security is headed, discussing agentless and agent-based solutions, the growing number of cloud apps in use and the importance of easy deployment. Learn why cross-app security will become increasingly valuable as organizations look to third-party solutions for deep visibility, behavior analytics, and more.

1. The Future of CASBs
A Cloud Security Force Awakens

2. cloud & mobile drive data outside the firewall...
...leaving traditional security technologies ineffective
problem

3. STORYBOAR
the dark side
enterprises can’t rely solely on native app security
enterprise
(CASB)
end-user devices
visibility & analytics
data protection
identity & access control
application
storage
servers
network

4. a new hope
webinar 1 recap

5. STORYBOAR
shadow
IT
the clone wars
in the beginning… shadow IT was all we knew

6. STORYBOAR
shadow
IT
API-based
approach
revenge of the sith
API based solutions were touted as “the only way”

7. STORYBOAR
shadow
IT
API-based
approach
API + in-
line
a new hope
The Rebels emerged with an new way to secure SaaS apps

8. poll
which of the
following security
functions is
most critical?

9. the security
menace
webinar 2 recap

10. STORYBOAR
the cloud security menaces
benefits outweigh drawbacks, but risks remain
■ Lack of visibility and control over sensitive
data
■ Difficult to identify malicious activity
■ Easy external sharing can result in
unauthorized access
■ Cloud extends access to risky unmanaged
devices

11. STORYBOAR
deployed in over a third of organizations, office 365 is
office 365 is the leading SaaS productivity suite
2015
google apps
office 365
other
16.3%
7.7%
76%
22.8%
25.2%
52%
40.7%
24.5%
34.8%
2016

12. STORYBOAR
this is not the dlp you’re looking for
office 365 native dlp
■ BYOD blindspot - O365 DLP focused on data-at-
rest
■ High operational overhead - Complex to configure
■ High cost - Must have top of the line license
■ Point solution - Support focused on O365, what
about other cloud apps?

13. poll
what are your
office 365
migration plans?

14. a cloud security
force awakens
the future of
CASBs

15. STORYBOAR
CASB
solution
component
s
cloud mobile discovery

16. STORYBOAR
the future of CASB security
a data-centric approach
o365 requires a new force with new security
architecture
■ Cross-device, cross-app agentless data
security
■ Real-time data protection
■ Limit high-risk activities like external file
sharing, unmanaged access
■ User behavior analytics

17. STORYBOAR
Reverse Proxy
ActiveSync
Proxy
Forward Proxy
AccessControl
DataProtection
Watermarking,Encryption,
DLP,DRM
Cloud
Encryption
Identity: integrated SSO & SAML proxy
API
Integration
Analytics & Visibility
managed devices
visibility + control
unmanaged devices
visibility + control
technology
Breach (Malware, TOR…) Shadow IT
out-of-band
in-band
components of a complete CASB solution

18. STORYBOAR
agentless real-time inline data protection
reverse proxy
futuristic CASB approach
■ no software or configuration
■ resilience to SaaS app updates
■ privacy - only corporate traffic inspected
legacy CASB approach
■ inline control requires software agent
■ hard-coded proxy rules break on SaaS app updates

19. STORYBOAR
futuristic CASB approach
■ secure email, contacts & calendar
■ agentless
■ selective wipe, device encryption, PIN etc
■ privacy - only corporate traffic inspected
legacy CASB approach
■ no native ActiveSync support
agentless security on any mobile device
activesync proxy

20. STORYBOAR
data leakage prevention
integrated high-performance engine
futuristic CASB approach
■ high performance, comprehensive matching
■ advanced remediation
■ optional ICAP to on-prem DLP engine
legacy CASB approach
■ no native DLP engine
■ black or white allow/block decisions

21. STORYBOAR
futuristic CASB approach
■ public or private cloud flexibility
■ auto-scaling and replication
■ fully redundant architecture
■ global load balancing
legacy CASB approach
■ proprietary bottlenecks and infrastructure
scalable infrastructure
high availability, geo-load balancing

22. STORYBOAR
common office 365 policy
hybrid approach to protect data on any device
managed
devices
application access mode data protection
unmanaged
devices /
byod
in the cloud
● profile-agent
● VPN+IP-restriction
● DLP/DRM/encryption
● Device controls (e.g PIN)
● Agentless Selective Wipe
● Client apps: block
● OneDrive
● Sharepoint
● Yammer
● APIs
● Quarantine
● Encrypt with on-prem key
● Block external shares
● Alert on DLP events
Legacy Auth
Apps
(e.g Office 2010)
● Full access
Modern Auth Apps
(e.g Office 2013+)
● profile agent
● VPN+IP-restriction
● client certificate check
● Full access
● Browser
● ActiveSync Mail
● Client apps
● Reverse-proxy + AJAX-
VM
● ActiveSync Proxy

23. STORYBOAR
challenge
■ Ensure OneDrive usage is HIPAA-compliant
■ Prevent leakage of PII and PHI
■ Maintain end user privacy
■ Enforce data security policies on managed and
unmanaged devices
solution
■ Real-time inline data protection on any device
■ Block downloads of PHI and PII to unmanaged
devices
■ Agentless BYOD with selective wipe
■ Ability to support future enterprise-wide SaaS
deployments
180,000
users
secure office
365 + byod
healthcare
giant

24. STORYBOAR
secure
salesforce +
office 365
24
financial
services
giant
client
■ $6T in assets
■ Subject to GLB, PCI-DSS, privacy laws that vary
by region
challenge
■ Reduce risk presented by enterprise-wide
Salesforce and Office 365 migration
■ Control Salesforce data residency
solution
■ Maintenance of full Salesforce frontend and
backend functionality
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Bidirectional remediation of customer PII and
PIFI in Sharepoint and Yammer

25. STORYBOAR
■ access control
• distinguish between managed and unmanaged devices?
■ unmanaged devices
• real-time control of data flow without agents?
• support rich functionality, e.g. in-browser editing of docs?
■ mobile devices
• secure BYOD without agents?
■ breach discovery
• discover both exfiltration threats & Shadow IT?
■ security architecture
• dilute standards, e.g. does proxy of passwords increase phishing risk?
proof of concept checklist
key tests in choosing a CASB

26. STORYBOAR
about
bitglass
est. jan
2013
tier 1
VCs
250+
customers
total
data
protection
outside the firewall
...may the force be with you

27. STORYBOAR
bitglass.com
@bitglass