STORYBOARDS
CASBs: The Definitive Webinar
Rich Campagna, VP Products, Bitglass
@bitglass | [email protected]
More Sensitive Data is Moving Outside Your Network
1. Shadow IT applications
2. Sensitive data accessed via BYOD
3. Cloud data shared externally
4. Cloud represents a larger attack surface
Enterprise Needs
Visibility and audit
Restrict data on unmanaged devices
Prevent hacked accounts
Prevent data leakage & control access
First Attempt - Infrastructure "Lockdown"
(Slide diagram: perimeter controls wrapped around the network)
Controls: Firewall, DLP, Web Proxy, VPN, MDM, + many more...
Locations: HQ & Branch Office; Starbucks; Apartment (via VPN)
Second Attempt - Rely on Cloud App Vendors
(Slide diagram: responsibility stack)
Components: Usage/Consumption, Data, Application, Services, Servers & Storage, Network
Area: Data, Application, Infrastructure
Owner: Enterprise, ...
SaaS Application Gaps
1. Identity Sprawl
2. Suspicious activity
3. Data Leakage
4. Lost mobile devices
Use Cases
1. Discover unknown cloud apps and exfiltration
2. Visibility and user behavior analytics
3. Contextual access control
4. Data leakage prevention
5. Mobile data protection
CASB Architecture Options
1. Managed Devices: Forward Proxy, ActiveSync Proxy, Device Profiler, SAML Proxy + SSO
2. Unmanaged Devices: Reverse Proxy + AJAX VM, ActiveSync Proxy (no agents / no cert install, any device)
3. Data at Rest: API Visibility & Control
+ many more...
Typical CASB Policy

Scenario       | Application Access                        | Access Control                                       | Data Protection
Managed device | Forward Proxy, ActiveSync Proxy           | Device Profile: Pass (Email, Browser, Thick clients) | Full Access
BYOD           | Reverse Proxy + AJAX VM, ActiveSync Proxy | Device Profile: Fail (Mobile Email, Browser)         | DLP/DRM/encryption; Device controls
In the Cloud   | API Control                               | External Sharing Blocked                             | Block external shares; Alert on DLP events
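To make the three rows of that policy concrete, here is an added, constructed policy evaluator (not Bitglass code or any CASB's real engine): it classifies a request by device profile and client type, picks the inline route (forward proxy, reverse proxy + AJAX VM, or ActiveSync proxy) or the out-of-band API path, and attaches the data-protection controls and DLP alerts the table calls for. The client names, the two DLP patterns and the "deny unmanaged thick clients" rule are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed DLP patterns: a US SSN-shaped number and a 16-digit card-shaped number.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

@dataclass
class Request:
    client: str                   # "browser", "email", "thick_client", "mobile_email" (assumed names)
    managed: bool                 # device profile passed (assumed: agent/cert present)
    external_share: bool = False  # data-at-rest share event observed via the SaaS API
    content: str = ""             # document text to scan (constructed samples in tests)

@dataclass
class Decision:
    route: str
    access: str
    controls: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def dlp_findings(text: str) -> list:
    """Names of the DLP patterns that match the text, in pattern order."""
    return [name for name, rx in DLP_PATTERNS.items() if rx.search(text)]

def evaluate(req: Request) -> Decision:
    """Map one request onto a row of the policy table."""
    # Row 3 ("In the Cloud"): share events arrive out of band through the API;
    # external shares are blocked and any DLP hit raises an alert.
    if req.external_share:
        d = Decision(route="api", access="blocked", controls=["block_external_share"])
        if (hits := dlp_findings(req.content)):
            d.alerts.append("dlp:" + ",".join(hits))
        return d
    # Row 1 (managed device, profile passed): inline proxies, full access.
    if req.managed:
        route = "activesync_proxy" if req.client in ("email", "mobile_email") else "forward_proxy"
        return Decision(route=route, access="full")
    # Row 2 (BYOD, profile failed): agentless reverse proxy for browsers, ActiveSync
    # proxy for mobile mail, with DLP/DRM/encryption and device controls applied.
    if req.client == "thick_client":   # assumption: no agentless path for thick clients
        return Decision(route="none", access="denied")
    route = "activesync_proxy" if req.client == "mobile_email" else "reverse_proxy_ajax_vm"
    d = Decision(route=route, access="limited", controls=["dlp", "drm", "encryption", "device_controls"])
    if (hits := dlp_findings(req.content)):
        d.alerts.append("dlp:" + ",".join(hits))
    return d
```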
Gartner on CASBs
Hybrid Architecture CASBs are a requirement [Forward Proxy, Reverse Proxy, API Integration]
○ All three deployment modes may be required to deliver the security outcomes that the organization desires.
○ Many SaaS application providers do not yet have a rich set of APIs
○ When deployed in the data path (typically as a form of proxy) the CASB can provide detailed logging on all users and devices, managed or bring your own device (BYOD), on what activities are occurring inside cloud applications and infrastructure.
Beware of API-only vendors
○ Proxy mode CASBs are actually networking vendors; they are processing traffic similar to Web gateway vendors. This is a considerably harder engineering exercise than that of using APIs... It will be considerably harder for API-only CASB providers to retrofit proxy architecture to their platforms.
Managed/unmanaged device access control is required
○ CASBs must be able to cover data… from any device type — managed or unmanaged — while accessing enterprise applications.
CASBs must include endpoint data protection components [Data protection on Devices]
○ A CASB should handle not only the SaaS applications, but also how that data is tracked, delivered and stored on endpoints.
The Bitglass Mission: Total data protection outside the firewall
$35M investment | Est. Jan. 2013 | CA, NY, MA, IL, NC
Bitglass: The Only Complete CASB Solution
(Slide diagram: components grouped as Inband and Out-of-Band)
- Access Control: Forward Proxy
- Access Control: Reverse Proxy + AJAX-VM
- Access Control: SAML Proxy
- Access Control: Data-at-rest API integration
- Mobile Security: ActiveSync Proxy
- Data Protection: Watermarking, Encryption, DLP, DRM
- Cloud Encryption
- Shadow IT
- Data Exfiltration
- Integrated Identity & SSO
Helpful Resources
1. Definitive Guide to CASBs - http://pages.bitglass.com/definitive-guide-to-cloud-access-security-brokers.html
2. Executive's Guide to CASBs - http://pages.bitglass.com/executives-guide-to-cloud-access-security-brokers.html
3. Definitive Guide to O365 Security - http://pages.bitglass.com/definitive-guide-o365.html
Total Data Protection Beyond the Firewall
Rich Campagna, VP Products & Marketing, Bitglass
Chris Hines, Senior Manager, Product Marketing, Bitglass