4. native security features can’t be relied upon: the data blind spot
components: usage/consumption, data, application, services, servers & storage, network
layer: data, application, infrastructure
owner: enterprise
5. security must evolve to protect data outside the firewall
■ cloud: attack on SaaS vendor risks sensitive data
■ access: uncontrolled access from any device
■ network: data breach - exfiltration & Shadow IT
■ mobile: lost device with sensitive data
8. casb discovery: gain visibility into your org’s cloud usage
■ analyze outbound data flows to learn what SaaS apps your organization is using
■ understand risk profiles of different apps
■ essential in process of enabling secure cloud app usage
9. casb security: a data-centric approach
the new data reality requires a new security architecture
■ cross-device, cross-platform agentless data protection
■ granular DLP for data at rest and in motion
■ contextual access control
■ detailed logging for compliance and audit
10. mobile security cannot be overlooked: protect data across all devices, managed and unmanaged
■ demand for BYOD continues to rise
■ employees have rejected MDM and MAM
■ IT must securely enable access to frequently used apps
11. casb identity: centralized identity management is key in securing data
■ cloud app identity management should maintain the best practices of on-prem identity
■ limit potential breaches with contextual multi-factor auth for high risk logins
12. typical use case: only CASB with real-time data protection on any device
rows: managed devices; unmanaged devices / byod; in the cloud
columns: application access; access control; data protection
Forward Proxy
ActiveSync Proxy
Device Profile: Pass
● Email
● Browser
● OneDrive Sync
● Full Access
Reverse Proxy + AJAX VM
ActiveSync Proxy
● DLP/DRM/encryption
● Device controls
API Control
External Sharing Blocked
● Block external shares
● Alert on DLP events
Device Profile: Fail
● Mobile Email
● Browser
● Contextual multi-factor auth
13. fortune 50 conglomerate
use case:
■ office 365 access control
why bitglass:
■ controlled access from any device (ajax-vm)
■ transparent deployment
■ 30,000 employees
■ 100s of locations globally
17. the only casb with real-time inline data protection on any device
Data Exfiltration (Malware hosts, TOR, Phishing…)
Integrated Identity & SSO
Mobile Security
ActiveSync Proxy
Visibility & Control: Data-at-rest
API integration
Data Protection
Watermarking, Encryption, DLP, DRM
Access Control
Forward Proxy
Reverse Proxy + AJAX-VM
Cloud
Encryption
ShadowIT
Access Control
SAML Proxy
out of band
in band
19. resources:
more info about cloud security
■ definitive guide to casbs
■ bitglass report: project cumulus
■ glass class: cloud security priorities for 2016
20. download the gartner market guide to casbs
with predictions and recommendations, the market guide is an essential resource for formulating your CASB strategy
download the report
The old approach to the problem is to secure the infrastructure. Historically, this is where large organizations have put their spend.
Secure your network, put agents on every trusted device to manage the device, etc.
The fact is that the "trusted device" approach makes you more vulnerable to breaches, since users take their devices home for the weekend and come back infected on Monday.
Malware Mondays!
Issues with this approach: it is cumbersome and expensive to administer, since you have to manage every device and network.
And usability is poor too, especially when it comes to MDM.
One of the big problems with this architecture: unmanaged devices accessing the cloud directly. No visibility or control for IT teams. Complex to deploy / Poor user experience / Data-sync proliferation / BYOD blind spot
When talking to potential customers, sometimes this comes up: aren’t cloud vendors already protecting their apps with native security features?
A very simple framework for thinking about this: the WSJ test.
We think CASBs provide a better approach to cloud security.
It starts with discovery.
“By 2018, more than half of all bring your own device (BYOD) users that currently have an MDM agent will be managed by an agentless solution” - Gartner
Inseparable
in: CA, NY, MA, IL, N
Founded: Jan 2013/ HQ: Campbell, CA/ Employees: 50/ Funding: $35M, Tier 1 Venture Capital Firms
We have three data protection solutions: cloud, mobile, and discovery.
Global Manufacturer - Secure collaboration via cloud apps
Why Bitglass?
Ease of use
Document tracking, DLP
Pharmaceutical Company - Secure intellectual property in the cloud, at access and on device
Why Bitglass?
Visibility and protection, data tracking
Low deployment overhead
Large Healthcare Organization - HIPAA compliant mobile email
Why Bitglass?
DLP on BYOD, no S/W agents
Bitglass team responsiveness
Financial Services - Compliance & Security for customer data on Salesforce.com
Why Bitglass?
Full-strength data-at-rest encryption
Robust to app updates