This document summarizes a webinar about developing a secure cloud strategy for financial services. It discusses how traditional security approaches are inadequate for protecting data in the cloud. It promotes the use of a Cloud Access Security Broker (CASB) to provide visibility, data protection, identity and access control for cloud applications and data across user devices and cloud services. The CASB approach provides encryption, activity monitoring, access controls and data loss prevention to help securely adopt cloud services while ensuring compliance.

1. webinar
june 29
2016
developing a
secure and
compliant cloud
strategy for
financial
services

2. STORYBOAR
the traditional
approach to
security is
inadequate

3. STORYBOAR
security must
evolve to protect
data in the cloud
ungoverned
access to
corporate data in
the cloud
data-at-rest
in the cloud
sensitive cloud
data on
unmanaged
devices

4. STORYBOAR
enterprise
(CASB)
end-user devices
visibility & analytics
data protection
identity & access control
application
storage
servers
network
native security features can’t be relied upon:
the data blind spot
app vendor

5. STORYBOAR
CASB: a
better
approach to
cloud security
identity
cloud encryption
data-centric
protection
audit + visibility

6. STORYBOAR
protecting cloud data end-to-end
■ Cloud data doesn’t exist only “in the cloud”
■ A complete solution must provide visibility
and control over data in the cloud
■ Solution must also protect data on end-
user devices
■ Leverage contextual access controls

7. STORYBOAR
access controls
the new data reality requires a new security architecture
■ Secure access from any unmanaged
device
■ Protect data in “unwrappable” native
mobile apps
■ Full data control and visibility for IT
■ Granular DLP applied to data at download
time

8. STORYBOAR
data leakage prevention
a complete set of data controls
■ Apply granular DLP to sensitive data with
spectrum of actions from watermarking to outright
blocking
■ Context-aware engine can distinguish between
users, managed and unmanaged devices, and
more
■ Easily modify sharing permissions and quarantine

9. STORYBOAR
audit and visibility
■ Detailed logging for compliance and
audit.
■ Identify sensitive data at rest and
external sharing
■ Easily modify permissions and
quarantine files

10. STORYBOAR
identity
■ Cloud app identity management should
maintain the best practices of on-prem
identity
■ Cross-app visibility into suspicious access
activity with actions like step-up multifactor
authentication

11. STORYBOAR
cloud encryption
encrypt data-at-rest while retaining app functionality
■ Necessary for data that is subject to
regulatory mandates (e.g. PII, PCI)
○ Only encrypt what’s necessary
■ Structured data
■ Sensitive fields (SSNs, addresses,
etc.)

12. STORYBOAR
cloud encryption
where some solutions fall short
■ Competitors limit the number of
Initialization Vectors to support search
■ Ex: search Salesforce for every ciphertext
value of “Bob”
○ As number of IVs increases, search
time increases exponentially

13. STORYBOAR
cloud encryption
encrypt data-at-rest while retaining app functionality
■ Encryption must be at full strength, using
industry standard encryption
■ Customer managed keys provide an
additional layer of security
■ Solution should be easy to deploy and cost-
effective

14. STORYBOAR
managed
devices
application access access control data protection
unmanaged
devices / byod
in the cloud
Forward Proxy
ActiveSync Proxy
Device Profile: Pass
● Email
● Browser
● OneDrive Sync
● Full Access
Reverse Proxy + AJAX VM
ActiveSync Proxy
● DLP/DRM/encryption
● Device controls
API Control External Sharing Blocked
● Block external shares
● Alert on DLP events
Device Profile: Fail
● Mobile Email
● Browser
● Contextual multi-factor auth
typical use case:
real-time data protection on any device

15. STORYBOAR
our
mission
total
data
protection est. jan
2013
100+
customer
s
tier 1
VCs

16. STORYBOAR
harbor: secure data in the cloud
searchable encryption
public cloud app with private cloud data
■ searchable, sortable true AES-256 + 256-bit IV
■ crypto-independent implementation
■ US Patent 9,047,480
■ endorsed by leading cryptographers
competition
■ maximum 20-bit IVs to support search
■ search performance drops with IV length

17. STORYBOAR
secure
salesforce +
office 365
financial
services
giant
17
challenge
■ Needed complete CASB for enterprise-wide
migration to SaaS
■ Encryption of data-at-rest in Salesforce
■ Security for Office 365
solution
■ Searchable true encryption of data in Salesforce
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed &
unmanaged devices (Omni)
■ API control in the cloud
■ Discover breach & Shadow IT

18. STORYBOAR
client:
■ 15,000 employees in 190+ locations
globally
challenge:
■ Mitigate risks of Google Apps adoption
■ Prevent sensitive data from being stored
in the cloud
■ Limit data access based on device risk
level
■ Govern external sharing
solution:
■ Inline data protection for unmanaged
devices/BYOD
■ Bidirectional DLP
■ Real-time sharing control
secure
google
apps +
byod
business
data giant

19. resources:
more info about cloud security
■ whitepaper: the definitive guide to casbs
■ infographic: cloud adoption in financial services
■ case study: financial services firm secures salesforce and
o365

20. STORYBOAR
bitglass.com
@bitglass