By now you are likely familiar with Cloud Access Security Brokers (CASBs) and understand how they fit into your broader security and cloud strategy. What should organizations be looking for in a CASB? What capabilities are here or on the horizon that can provide improved data protection in the cloud?
Bitglass and (ISC)2 present the final episode of the CASB series, where we will examine where cloud security is headed, discussing agentless and agent-based solutions, the growing number of cloud apps in use and the importance of easy deployment. Learn why cross-app security will become increasingly valuable as organizations look to third-party solutions for deep visibility, behavior analytics, and more.
Mitigating the Top 5 Cloud Security Threats
1. MITIGATING THE TOP 5 CLOUD SECURITY THREATS
Shalmali Rajadhyax, Product Manager, Bitglass
28 February 2017
2. • Audio is streamed over your computer
• Dial-in numbers and codes are on the left
To receive your CPE credit:
1. Complete 3 checkpoints
- or -
2. Watch the recorded version from the beginning to the very end
• Don’t forget to take the survey!
Use the Papers tab to find the following:
• PDF copy of today’s presentation
• CPE job aid
• Have a question for the speaker? Access the Q&A tab
• Technical issues? Access the Help tab
• Questions or suggestions? Visit https://support.isaca.org
4. ENTERPRISE VS APP VENDOR SECURITY RESPONSIBILITIES: The data blind spot
Enterprise (CASB): end-user devices; visibility & analytics; data protection; identity & access control
App vendor: application; storage; servers; network
5. POLL: How are you securing data in your organization?
1. DLP
2. firewall
3. proxy-based solution
4. device management
6. 1: EXTERNAL SHARING
Made easier by cloud apps
Can result in costly PCI/PII leaks
Challenge is to enable sharing while maintaining control over sensitive data
7. LIMIT EXTERNAL SHARING WITH A CASB: Cloud access security brokers are controls
Cloud APIs allow for control over file sharing
How can enterprises know what content to block, what to limit and what to allow?
Robust cloud DLP solutions are context and content aware
8. 2: COMPROMISED CREDENTIALS
Privileged users, among others, have access to all corporate data
Orgs need a means to identify risky logins
Cloud apps have made identity a critical piece of the security puzzle
9. INTEGRATED IDENTITY MANAGEMENT: Centralized identity is key to securing data
CASBs offer integrated identity management across apps
Limit potential breaches with step-up multi-factor auth for high-risk logins
10. 3: LOST AND STOLEN DEVICES
The most common cause of breach
BYOD/unmanaged devices pose a new threat
11. 4: UNMANAGED DEVICE ACCESS
IT must enable secure access to cloud apps from any device
BYOD poses a threat to data security due to a lack of visibility and control after download
CASBs accommodate user BYOD demands and IT security needs without agents
12. 5: UNSANCTIONED APPS
Blocking access forces employees to work around IT
First step is discovering Shadow IT usage
Technical controls like firewalls and proxies are effective
Written policies aren’t as effective
13. IDENTIFY UNSANCTIONED APPS WITH CASB DISCOVERY: Gain visibility into your org’s cloud usage
Understand risk profiles of frequently used apps
Intelligent, time-saving alerts out of the box
UEBA enables IT to proactively identify threats
14. TOP THREATS:
1. External sharing: use API-based controls and DLP to identify and limit sharing of sensitive data
2. Compromised credentials: cross-app identity solutions can force step-up auth in risky contexts
3. Lost and stolen devices: choose a solution that protects data on all devices, managed and unmanaged
4. Unmanaged device access: routing users through a proxy can provide secure access
5. Unsanctioned applications: identify risky destinations without complex setup
15. POLL: What are your CASB deployment plans?
1. ….
2. ….
3. ….
4. ….
16. CASB SECURITY: A data-centric approach
Cloud data doesn’t exist only “in the cloud”
IT must protect data at access and on any device
o Granular DLP
o Context-aware to distinguish between users, device type and more
o Device controls on mobile
17. HOW CASB SECURITY WORKS
API: visibility + control over sharing
Reverse proxy: unmanaged device controls without agents
ActiveSync proxy: secure email, calendar, etc. on any mobile device
Device-level security – wipe, encryption, PIN etc.
18. TYPICAL USE CASE: hybrid CASBs provide real-time protection on any device
(application access → access control → data protection)
Managed devices: Forward Proxy / ActiveSync Proxy → Device Profile: Pass → ● Email ● Browser ● OneDrive Sync ● Full Access
Unmanaged devices / BYOD: Reverse Proxy + AJAX VM / ActiveSync Proxy → Device Profile: Fail → ● Mobile Email ● Browser ● Contextual multi-factor auth
Data protection on devices: ● DLP/DRM/encryption ● Device controls
In the cloud: API Control → External Sharing Blocked → ● Block external shares ● Alert on DLP events
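The managed vs. unmanaged branches of this use case, the step-up multi-factor auth for high-risk logins (slide 9) and the context- and content-aware DLP on external shares (slide 7), worked through as one added Python example. This is illustration code added here, not Bitglass product code and not part of the deck; the class and function names, the risk weighting, the step-up threshold of 2, the DLP patterns and the sample documents are all assumptions.

```python
"""Illustrative CASB-style policy engine (added example, not Bitglass code):
context-aware access decisions, step-up MFA for risky logins, and
content-aware DLP on sharing events. All names and thresholds are assumptions."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class AccessContext:
    user: str
    privileged: bool            # admins and other users with broad data access
    device_managed: bool        # device profile "Pass" (managed) or "Fail" (BYOD/unmanaged)
    country: str                # geolocation of the login's source IP
    usual_countries: frozenset  # where this user normally signs in from


def login_risk(ctx: AccessContext) -> int:
    """Score a login 0..3 from context signals (assumed equal weighting)."""
    score = 0
    if ctx.country not in ctx.usual_countries:
        score += 1                      # unfamiliar geography
    if not ctx.device_managed:
        score += 1                      # no visibility or control after download
    if ctx.privileged:
        score += 1                      # a compromise would expose all corporate data
    return score


def access_decision(ctx: AccessContext) -> dict:
    """Map device profile and risk to an access mode, mirroring the managed and
    unmanaged branches of the use case; step-up MFA is forced at risk >= 2 (assumed)."""
    risk = login_risk(ctx)
    if ctx.device_managed:
        channels = {"email", "browser", "sync_client", "full_access"}
        mode = "forward_proxy"          # managed devices: inline DLP/DRM, device controls
    else:
        channels = {"mobile_email", "browser"}   # no sync client, no bulk download on BYOD
        mode = "reverse_proxy"          # agentless inline protection for unmanaged devices
    return {"mode": mode, "channels": channels, "risk": risk, "step_up_mfa": risk >= 2}


# Content-aware DLP: card numbers (Luhn-checked) and US SSN-shaped values.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for syntactically valid card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> list:
    """Return the DLP categories found in a document body, in fixed order."""
    findings = []
    for m in PAN_CANDIDATE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("PCI")
            break
    if SSN_PATTERN.search(content):
        findings.append("PII")
    return findings


def share_decision(ctx: AccessContext, content: str, external: bool) -> dict:
    """API-side control over a share event: block sensitive external shares,
    raise an alert on every DLP hit, allow clean shares."""
    findings = classify(content)
    if findings and external:
        return {"action": "block", "findings": findings, "alert": True}
    if findings:
        return {"action": "allow", "findings": findings, "alert": True}
    return {"action": "allow", "findings": [], "alert": False}


if __name__ == "__main__":
    # Constructed sample contexts and document body.
    admin_on_byod_abroad = AccessContext("alice", True, False, "BR", frozenset({"US"}))
    staff_on_laptop = AccessContext("bob", False, True, "US", frozenset({"US"}))
    doc = "Invoice 4111 1111 1111 1111 for customer SSN 123-45-6789"
    print(access_decision(admin_on_byod_abroad))
    print(share_decision(staff_on_laptop, doc, external=True))
```

The two halves correspond to the two enforcement points in the use case: `access_decision` is what an inline proxy decides at login time from device profile and context, and `share_decision` is what an API-connected control decides when a file is shared in the cloud.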
20. SECURE GOOGLE APPS + BYOD
challenge
■ Mitigate risks of Google Apps adoption
■ Control sensitive data stored in the cloud
■ Limit data access based on device risk level
■ Govern external sharing
competition
■ Skyhigh, Netskope, Cloudlock, Elastica/Bluecoat
solution
■ Real-time inline data protection on any device
■ API control of data in the cloud
21. SECURE SALESFORCE + OFFICE 365
challenge
■ Needed complete CASB for enterprise-wide migration to SaaS
■ Encryption of data-at-rest in Salesforce
■ Security for Office 365
competition
■ Salesforce Shield, Skyhigh, Ciphercloud, Bluecoat Perspecsys, Netskope, Adallom
solution
■ Searchable true encryption of data in Salesforce
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed & unmanaged devices (Omni)
■ API control in the cloud
■ Discover breach & Shadow IT
22. SECURE OFFICE 365 + BYOD (180,000 seats)
challenge
■ HIPAA-compliant cloud and mobile
■ Controlled access to Office 365 from managed & unmanaged devices
■ Control external sharing
■ Real-time inline data protection
■ No agents on devices
■ Transparency, usability & privacy
competition
■ Skyhigh, Netskope, Adallom
solution
■ Real-time inline protection on any device
■ Contextual access control on managed & unmanaged devices (Omni)
■ Real-time DLP on any device
■ API control in the cloud
■ Agentless BYOD with selective wipe
■ Enterprise-wide for all SaaS apps