security must evolve to protect data outside the firewall
■ cloud: attack on SaaS, vendor risks, sensitive data
■ access: uncontrolled access from any device
■ network: data breach - exfiltration & Shadow IT
■ mobile: lost device with sensitive data
2. does the solution protect cloud data end-to-end?
■ Cloud data doesn't exist only "in the cloud"
■ A complete solution must provide visibility and control over data in the cloud
■ Solution must also protect data on end-user devices
■ Leverage contextual access controls
3. can the solution control access from both managed & unmanaged devices?
reverse proxy
■ unmanaged devices - any device, anywhere
■ no software to install/configure
forward proxy
■ managed devices - inline control for installed apps
■ agent and certificate based approaches
activesync proxy
■ secure email, calendar, etc. on any mobile device
■ no software to install/configure
■ device level security - wipe, encryption, PIN, etc.
4. does the solution provide real-time visibility and control?
■ Apply granular DLP to data-at-rest and upon access
■ Context-awareness should distinguish between users, managed and unmanaged devices, and more
■ Flexible policy actions (DRM, quarantine, remove share, etc.) required to mitigate overall risk
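Added example, not from the deck or any vendor's product, showing the kind of context-aware DLP decision the checklist above describes: a scan for sensitive content combined with device state and sharing context, mapped to the policy actions the slide names (DRM, quarantine, block, encrypt at upload). The detector patterns, the `Context` fields and the sample strings are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative detectors; a real DLP engine would use far richer classifiers.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


@dataclass
class Context:
    """Request context the proxy knows about: who, from what device, doing what."""
    user: str
    managed_device: bool      # True when seen via forward proxy / agent, False for BYOD via reverse proxy
    action: str               # "upload", "download" or "share"
    external_share: bool = False


def classify(content: str) -> set:
    """DLP scan: return the set of sensitive-data types found in the content."""
    return {name for name, rx in PATTERNS.items() if rx.search(content)}


def decide(ctx: Context, content: str) -> str:
    """Map DLP findings plus context to a policy action."""
    findings = classify(content)
    if not findings:
        return "allow"
    if ctx.action == "share" and ctx.external_share:
        return "quarantine"       # sensitive file shared outside the org: pull it back
    if ctx.action == "download" and not ctx.managed_device:
        return "block"            # keep sensitive data off unmanaged/BYOD devices
    if ctx.action == "download":
        return "apply_drm"        # managed device: allow, but wrap the file in DRM
    if ctx.action == "upload":
        return "encrypt"          # encrypt at upload under customer-managed keys
    return "allow"


if __name__ == "__main__":
    print(decide(Context("bob", False, "download"), "ssn 123-45-6789"))   # block
```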
5. can the solution encrypt data at upload?
■ Encryption must preserve app functionality
■ Encryption must be at full strength, using industry standard encryption (AES-256, etc.)
■ Customer managed keys required
6. does the solution protect against unauthorized access?
■ Cloud app identity management should maintain the best practices of on-prem identity
■ Cross-app visibility into suspicious access activity with actions like step-up multifactor authentication
7. can the solution help me discover risky traffic on my network, such as shadow IT and malware?
■ Analyze outbound data flows to learn what unsanctioned SaaS apps are in use
■ Understand risk profiles of different apps
8. will the solution introduce scale or performance issues?
■ Hosted on high-performance, global cloud infrastructure to introduce minimal latency
■ Security should not get in the way of user experience/productivity
secure office 365 + byod: fortune 50 healthcare firm
client:
■ 35,000 employees globally
challenge:
■ Inadequate native O365 security
■ Controlled access from any device
■ Limit external sharing
■ Interoperable with existing infrastructure, e.g. Bluecoat, ADFS
solution:
■ Real-time data visibility and control
■ DLP policy enforcement at upload or download
■ Quarantine externally-shared sensitive files in cloud
■ Controlled unmanaged device access
■ Shadow IT & Breach discovery
secure google apps + byod: business data giant
client:
■ 15,000 employees in 190+ locations globally
challenge:
■ Mitigate risks of Google Apps adoption
■ Prevent sensitive data from being stored in the cloud
■ Limit data access based on device risk level
■ Govern external sharing
solution:
■ Inline data protection for unmanaged devices/BYOD
■ Bidirectional DLP
■ Real-time sharing control
resources:
more info about cloud security
■ whitepaper: the definitive guide to CASBs
■ report: cloud adoption by industry
■ case study: fortune 100 healthcare firm secure O365
The old approach to the problem is to secure the infrastructure. Historically this is where the spend for large organizations has been: secure your network, put agents on every trusted device to manage the device, etc.
The fact is that the "trusted device" approach makes you more vulnerable to breaches, since users take their devices home for the weekend and come back infected on Monday. Malware Mondays!
Issues with this approach: it is cumbersome and expensive to administer, since you have to manage every device and network. Usability is poor too, especially when it comes to MDM.
One of the big problems with this architecture is unmanaged devices accessing the cloud directly: no visibility or control for IT teams, complex to deploy, poor user experience, data-sync proliferation, and a BYOD blind spot.
We think CASBs provide a better approach to cloud security. It starts with discovery.