© 2015 IBM Corporation
The first CASB solution with integrated access control, visibility, and threat protection
Patrick Wardrop, Chief Product Architect
October 7th, 2015
IBM Cloud Security Enforcer
A new SaaS solution to help securely deploy cloud services
[Diagram labels: Employees, Mobile, BYOD, On Prem, Risky Apps, Approved Apps]
DETECT, CONNECT, PROTECT
• Identity and Access Control
• Threat Prevention
• Policy Enforcement
• Discovery and Visibility
• Cloud Event Correlation
Integrating leading IBM security technology into a single platform
• Risk scoring for 1000s of apps
• Continuous stream of cloud activity data
• Mapping of network data to specific users
• Mobile integration to uncover blind spots
• Federated cloud SSO
• Connectors to popular cloud apps
• Simplified access controls
• Self-service catalogs
• Delegated administration
• User activity and traffic monitoring
• Behavioral analysis and correlation to company policies
• Alerting, reporting, and auditing
• Intrusion Prevention and global threat intelligence from IBM X-Force
• Threat signatures, network analysis, and zero-day threat protection
• User coaching
• Redirection for out-of-policy usage
• Policy and anomaly rule implementation
[Diagram labels: Identity and Access Control; Threat Prevention; Policy Enforcement; Discovery and Visibility; Cloud Event Correlation; DETECT, CONNECT, PROTECT]
IBM Cloud Security Enforcer – Discovery and monitoring
[Diagram labels: Microsoft Active Directory; Enterprise; Cloud, SaaS, & Private Applications (plus many more); Secure Gateway]
- Users authenticate against Active Directory
- All Cloud, SaaS & Private Applications traffic is logged by the Secure Gateway (e.g., Bluecoat, WebSense, McAfee, XGS, etc.)
- Active Directory and Secure Gateway logs can be uploaded manually to IBM Cloud Security Enforcer, or an appliance can be deployed to upload them automatically on a schedule
[Diagram labels: Enterprise Bridge Appliance (Log Collection, ID Bridge, Directory Sync); IBM Cloud Security Enforcer Application Discovery; Optional SIEM (or other log archiving)]
IBM Cloud Security Enforcer – World Wide Mobile Cloud Proxy
[Diagram labels: Home WiFi / Cellular Data Network; Cloud, SaaS, & Private Applications (plus many more)]
- Users use mobile devices at the office and out of the office via their home WiFi or cellular data networks.
- This creates a ‘mobile blind spot’ for most corporations.
- Without a secure gateway or IPS, there is a risk of malware being downloaded or other threats.
- Leveraging the built-in mobile VPN clients, we will direct traffic to our worldwide (WW) deployments of Cloud Proxies to inspect, monitor, and provide controls on the traffic.
[Diagram labels: IBM Cloud Security Enforcer; World Wide Mobile Cloud Proxy; Client Gateway [VPN]; Intrusion Prevention System]
Live Walkthrough: Discovery and Visibility
IBM Cloud Security Enforcer – Single Sign-On & Launchpad
[Diagram labels: Microsoft Active Directory; Enterprise; Cloud, SaaS, & Private Applications (plus many more); Secure Gateway]
- SSO either from the Enterprise Bridge's Identity Bridge component or via a federation product (TFIM, ADFS or Ping)
- The user arrives at the launchpad and can single-click an entitled application or browse the application catalog
[Diagram labels: Enterprise Bridge Appliance (Log Collection, ID Bridge, Directory Sync); IBM Cloud Security Enforcer Launchpad & Catalog; SSO [Service Provider]; SSO [Identity Provider]; Optional FIM (or federation product)]
Live Walkthrough: Single Sign-on & Access Control