Embed Size (px)
Citation preview
A Secure Future In The Cloud
Cloud App Discovery & Analysis
Eric AndrewsBlue Coat Systems, Inc.
Cost effective
Remote access
Agility and speed
Better collaboration
Improved productivity
Cloud apps are becoming an essential part of business
The Cloud Office — Coming Your Way
Email, Chat, File Share, Conferencing, Social, Office Apps
(Archive, Device Management, Loss Prevention, Discovery)
Source: Gartner 2014
The Cloud Services Market will reach $278 Billion by 2018– Gartner 1Q2016
Forecast Analysis: Public Cloud Services, Worldwide, 1Q16 Update
Who is Responsible for Security in the Cloud?
Cloud App Providers mission and your mission are not always aligned
. . . That result from your unauthorized action or lack of action when
required, or from your employees, agents, contractors, or vendors, or
anyone gaining access to our network by means of your passwords or
equipment, or otherwise resulting from your failure to follow appropriate
security practices. . .
Microsoft’s Policy(the fine print)
“95% of cloud security failures will be
the customer’s fault”
- Gartner Predictions for 2016
. . . While AWS manages security of the cloud, security in the cloud is the
responsibility of the customer. Customers retain control of what security they
choose to implement to protect their own content, platform, applications,
systems and networks, no differently than they would for applications in an
on-site datacenter . . .
Amazon’s Policy(the fine print)
. . . Box will not be liable for any loss or damage arisingfrom any unauthorized use of your accounts…Box will have no liability of any kind as a result of the deletion of, correction of, destruction of, damage to, loss or failure to store or encrypt any Content . . .
Box’s Policy(the fine print)
. . . Customer will use its reasonable endeavors to prevent unauthorized use of the Services, and to terminate any unauthorized use. Customer will promptly notify Google of any unauthorized use of, or access to, the Services of which it becomes aware. . .
Google’s Policy(the fine print)
. . . you are responsible for all use of DocuSignSignature associated with your Account; . . . you are solely responsible for maintaining the confidentiality of your Account names and password(s) ..Subscriber will indemnify us from claims related to the nature and content of all materials, data, . . . of any nature submitted by subscriber or its authorized users . . .
DocuSign’s Policy(the fine print)
A Secure Future in the Cloud
Cloud AppVisibility
Identify Shadow IT & Monitor cloud app usage in real time
Data Governance & Controls
Govern sensitive data with granular controls, encryption and tokenization
ThreatProtection
Combat evolving threats leveraging user behavior analytics
A Secure Future in the Cloud
Data Governance & Controls
Govern sensitive data with granular controls, encryption and tokenization
ThreatProtection
Combat evolving threats leveraging user behavior analytics
Cloud AppVisibility
Identify Shadow IT & Monitor cloud app usage in real time
This is a big problem. With zero visibility the IT dept
Can’t identify risky or non-compliant apps &
Can’t set informed app controls to mitigate risk
admits to using unsanctioned cloud apps
of workforce
Source: CIO Insight
What is Shadow IT? All the IT assets and cloud apps used in an organization,
without the knowledge of IT (unsanctioned apps)
How many
apps do you
think your
employees
are using?
40-50 appsIT DEPT. PERCEPTION
REALITY
Source: 1Elastica Q4 2015 Shadow Data Report
Shadow IT: Top 10 Apps
1H 2015
2H 2015
More Users
Less Users
2 3 41 5 7 8 96 10
Source: Elastica 2H 2015 Shadow Data Report
Top 5 Collaboration & File Sharing Apps
2H 2015
2 3 41 5
SWGs or
Firewalls
sends logs
to CASBs
CASB solutions identify cloud app usage from logs
Step 1: Discovery What cloud apps are being used? Who’s using them?
Business Readiness RatingTM
Multi-factor Authentication X
Admin Audit Trail
SOC2 Compliant
HIPAA Compliant X
REST API Support X
Federated Identity Management
38
Data at Rest Encryption X
. . .
Risk Attributes
Step 2: Analysis
How risky are these apps?
Who is using these risky apps?
Do these apps meet compliance
requirements?
Where is in the world is my data going?
How exposed are we?
Tailor risk analysis to your organization
Perform side-by-side comparative analysis of alternative apps
Are there apps we need to monitor or stop using entirely?
Can we switch users of risky apps to better alternatives?
Can we reduce costs by consolidating multiple accounts?
What is my cloud adoption policy?
Step 3: Decision Making
Cloud app analysis can be used to define and enforce policies
based on app names, app groups, app “Business Readiness
Rating”, app risk attributes
Which applications should be blocked altogether?
Which applications should be monitored?
What is an appropriate Business Readiness Rating, below which I should block?
What other risk attributes should be used to enforce policy? Compliance? SOC-2? MFA?
How to configure and enforce policies?
Cloud App Analysis
Manual or AutomatedManagement
SWG or FW
Step 4: Enforce ControlDefine and enforce policies throughSecurity proxies or firewalls
Step 5: Continuous Monitoring Stay up-to-date and compliant with comprehensive dashboards & reports
Cloud App Visibility & Analysis
Discover cloud apps and users
Analyze apps for business readiness & compliance
Make informed decisions to improve security & save money
Control ongoing cloud app use with policy enforcement
Continuously Monitor for compliance & risk management
Free Shadow IT Risk Assessment Analytics on your cloud app risks
and compliance issues
App usage anomalies across your organization
What apps you should sanction and what apps you should block
SanctionedApps
UnsanctionedApps
Securing The Cloud App Landscape
Shadow IT Risk Assessment
Securing The Cloud App Landscape
A Secure Future in the Cloud
Cloud AppVisibility
Identify Shadow IT & Monitor cloud app usage in real time
Data Governance & Controls
Govern sensitive data with granular controls, encryption and tokenization
ThreatProtection
Combat evolving threats leveraging user behavior analytics
