webinar june 29 2016 developing a secure and compliant cloud strategy for financial services

Developing a Secure and Compliant Cloud Strategy for Financial Services


Page 1

webinar, june 29 2016

developing a secure and compliant cloud strategy for financial services

Salim Hafid
Page 2

the traditional approach to security is inadequate

Page 3

security must evolve to protect data in the cloud

■ ungoverned access to corporate data in the cloud

■ data-at-rest in the cloud

■ sensitive cloud data on unmanaged devices

Page 4

native security features can’t be relied upon: the data blind spot

enterprise (CASB): end-user devices, visibility & analytics, data protection, identity & access control

app vendor: application, storage, servers, network

Page 5

CASB: a better approach to cloud security

identity

cloud encryption

data-centric protection

audit + visibility

Page 6

protecting cloud data end-to-end

■ Cloud data doesn’t exist only “in the cloud”

■ A complete solution must provide visibility and control over data in the cloud

■ Solution must also protect data on end-user devices

■ Leverage contextual access controls

Page 7

access controls

the new data reality requires a new security architecture

■ Secure access from any unmanaged device

■ Protect data in “unwrappable” native mobile apps

■ Full data control and visibility for IT

■ Granular DLP applied to data at download time

Page 8

data leakage prevention

a complete set of data controls

■ Apply granular DLP to sensitive data with spectrum of actions from watermarking to outright blocking

■ Context-aware engine can distinguish between users, managed and unmanaged devices, and more

■ Easily modify sharing permissions and quarantine files for review

Page 9

audit and visibility

■ Detailed logging for compliance and audit.

■ Identify sensitive data at rest and external sharing

■ Easily modify permissions and quarantine files

Page 10

identity

■ Cloud app identity management should maintain the best practices of on-prem identity

■ Cross-app visibility into suspicious access activity with actions like step-up multifactor authentication

Page 11

cloud encryption

encrypt data-at-rest while retaining app functionality

■ Necessary for data that is subject to regulatory mandates (e.g. PII, PCI)

○ Only encrypt what’s necessary

■ Structured data

■ Sensitive fields (SSNs, addresses, etc.)

Page 12

cloud encryption

where some solutions fall short

■ Competitors limit the number of Initialization Vectors to support search

■ Ex: search Salesforce for every ciphertext value of “Bob”

○ As number of IVs increases, search time increases exponentially

Page 13

cloud encryption

encrypt data-at-rest while retaining app functionality

■ Encryption must be at full strength, using industry standard encryption

■ Customer managed keys provide an additional layer of security

■ Solution should be easy to deploy and cost-effective

Page 14

typical use case: real-time data protection on any device

columns: application access | access control | data protection

managed devices: Forward Proxy, ActiveSync Proxy | Device Profile: Pass (Email, Browser, OneDrive Sync) | Full Access

unmanaged devices / byod: Reverse Proxy + AJAX VM, ActiveSync Proxy | Device Profile: Fail (Mobile Email, Browser, Contextual multi-factor auth) | DLP/DRM/encryption, Device controls

in the cloud: API Control | External Sharing Blocked | Block external shares, Alert on DLP events

Page 15

our mission: total data protection

■ est. jan 2013

■ 100+ customers

■ tier 1 VCs

Page 16

harbor: secure data in the cloud

searchable encryption

public cloud app with private cloud data

■ searchable, sortable true AES-256 + 256-bit IV

■ crypto-independent implementation

■ US Patent 9,047,480

■ endorsed by leading cryptographers

competition

■ maximum 20-bit IVs to support search

■ search performance drops with IV length

■ no wild-card search, partial-word search...

Page 17

secure salesforce + office 365

financial services giant

challenge

■ Needed complete CASB for enterprise-wide migration to SaaS

■ Encryption of data-at-rest in Salesforce

■ Security for Office 365

solution

■ Searchable true encryption of data in Salesforce

■ Preserve SOQL API integrations

■ Full control of encryption keys

■ Real-time inline DLP on any device (Citadel)

■ Contextual access control on managed & unmanaged devices (Omni)

■ API control in the cloud

■ Discover breach & Shadow IT

Page 18

secure google apps + byod

business data giant

client:

■ 15,000 employees in 190+ locations globally

challenge:

■ Mitigate risks of Google Apps adoption

■ Prevent sensitive data from being stored in the cloud

■ Limit data access based on device risk level

■ Govern external sharing

solution:

■ Inline data protection for unmanaged devices/BYOD

■ Bidirectional DLP

■ Real-time sharing control

Page 19

resources: more info about cloud security

■ whitepaper: the definitive guide to casbs

■ infographic: cloud adoption in financial services

■ case study: financial services firm secures salesforce and o365

Page 20

bitglass.com

@bitglass