This document summarizes a webinar about developing a secure cloud strategy for financial services. It discusses how traditional security approaches are inadequate for protecting data in the cloud. It promotes the use of a Cloud Access Security Broker (CASB) to provide visibility, data protection, identity and access control for cloud applications and data across user devices and cloud services. The CASB approach provides encryption, activity monitoring, access controls and data loss prevention to help securely adopt cloud services while ensuring compliance.
3. STORYBOAR
security must evolve to protect data in the cloud
■ ungoverned access to corporate data in the cloud
■ data-at-rest in the cloud
■ sensitive cloud data on unmanaged devices
6. STORYBOAR
protecting cloud data end-to-end
■ Cloud data doesn’t exist only “in the cloud”
■ A complete solution must provide visibility and control over data in the cloud
■ Solution must also protect data on end-user devices
■ Leverage contextual access controls
7. STORYBOAR
access controls
the new data reality requires a new security architecture
■ Secure access from any unmanaged device
■ Protect data in “unwrappable” native mobile apps
■ Full data control and visibility for IT
■ Granular DLP applied to data at download time
8. STORYBOAR
data leakage prevention
a complete set of data controls
■ Apply granular DLP to sensitive data with a spectrum of actions from watermarking to outright blocking
■ Context-aware engine can distinguish between users, managed and unmanaged devices, and more
■ Easily modify sharing permissions and quarantine
9. STORYBOAR
audit and visibility
■ Detailed logging for compliance and audit
■ Identify sensitive data at rest and external sharing
■ Easily modify permissions and quarantine files
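The discovery step described on this slide (find regulated data at rest, find files shared outside the company, then quarantine or re-permission them) can be shown in code. The following is an added example written for this page, not the vendor's scanner or any CASB's API: it runs over a constructed file inventory (file names, owners, recipients and contents are made up), detects SSN-shaped values and Luhn-valid card numbers, flags recipients outside an assumed corporate domain, and recommends one of the three actions the slides mention (quarantine, restrict sharing, encrypt at rest).

```python
import re
from typing import Dict, List

# Assumed corporate domain for the external-sharing check (constructed for the example).
CORPORATE_DOMAINS = {"example-bank.com"}

# SSN shape with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> List[str]:
    """Return the regulated data types found in a document body ("ssn", "pan")."""
    kinds: List[str] = []
    if SSN_RE.search(content):
        kinds.append("ssn")
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.append("pan")
            break
    return kinds


def external_recipients(shared_with: List[str]) -> List[str]:
    """Recipients whose mail domain is not one of the corporate domains."""
    return [a for a in shared_with if a.split("@")[-1].lower() not in CORPORATE_DOMAINS]


def audit_inventory(files: List[Dict]) -> List[Dict]:
    """Combine content classification with sharing state and recommend an action."""
    findings: List[Dict] = []
    for f in files:
        kinds = classify(f["content"])
        ext = external_recipients(f.get("shared_with", []))
        if kinds and ext:
            action = "quarantine"        # regulated data already exposed to outsiders
        elif ext:
            action = "restrict-sharing"  # nothing regulated found, but the share is ungoverned
        elif kinds:
            action = "encrypt-at-rest"   # regulated data kept internal: encrypt the field/file
        else:
            continue                     # clean and internal: nothing to report
        findings.append({"file": f["name"], "owner": f["owner"], "data_types": kinds,
                         "external": ext, "action": action})
    return findings


# Constructed inventory in the shape a cloud-app API scan might return (assumed schema).
SAMPLE_FILES = [
    {"name": "q3-customers.xlsx", "owner": "alice@example-bank.com",
     "shared_with": ["bob@example-bank.com", "partner@gmail.com"],
     "content": "Name,SSN\nJane Roe,123-45-6789\n"},
    {"name": "team-offsite.docx", "owner": "carol@example-bank.com",
     "shared_with": ["vendor@eventco.example"], "content": "Agenda for Thursday"},
    {"name": "refunds.csv", "owner": "dave@example-bank.com",
     "shared_with": [], "content": "card,amount\n4111 1111 1111 1111,12.00\n"},
    {"name": "lunch-menu.txt", "owner": "erin@example-bank.com",
     "shared_with": ["erin@example-bank.com"], "content": "Soup"},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_FILES):
        print(finding)
```

Each finding is one audit record; feeding them to the logging pipeline of the previous bullet gives the evidence trail an auditor asks for, and the action field is what an operator (or an automated remediation hook) acts on.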
10. STORYBOAR
identity
■ Cloud app identity management should maintain the best practices of on-prem identity
■ Cross-app visibility into suspicious access activity, with actions like step-up multifactor authentication
11. STORYBOAR
cloud encryption
encrypt data-at-rest while retaining app functionality
■ Necessary for data that is subject to regulatory mandates (e.g. PII, PCI)
  ○ Only encrypt what’s necessary
    ■ Structured data
    ■ Sensitive fields (SSNs, addresses, etc.)
12. STORYBOAR
cloud encryption
where some solutions fall short
■ Competitors limit the number of Initialization Vectors to support search
■ Ex: search Salesforce for every ciphertext value of “Bob”
  ○ As the number of IVs increases, search time increases exponentially
13. STORYBOAR
cloud encryption
encrypt data-at-rest while retaining app functionality
■ Encryption must be at full strength, using industry standard encryption
■ Customer managed keys provide an additional layer of security
■ Solution should be easy to deploy and cost-effective
14. STORYBOAR
(architecture diagram; columns: application access / access control / data protection)
■ managed devices: Forward Proxy, ActiveSync Proxy; Device Profile: Pass; ● Email ● Browser ● OneDrive Sync ● Full Access
■ unmanaged devices / BYOD: Reverse Proxy + AJAX VM, ActiveSync Proxy; Device Profile: Fail; ● Mobile Email ● Browser ● Contextual multi-factor auth; ● DLP/DRM/encryption ● Device controls
■ in the cloud: API Control; External Sharing Blocked; ● Block external shares ● Alert on DLP events
typical use case: real-time data protection on any device
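Slides 7, 8, 10 and 14 together describe a policy engine: classify the request by user, device state, operation and data sensitivity, route it through the right enforcement point (forward proxy for managed devices, reverse proxy for BYOD, API control for data already in the cloud), and pick a DLP action from the watermark-to-block spectrum, with step-up MFA when the identity layer sees something suspicious. The code below is an added example that sketches such an engine; it is not the product's policy language or configuration, and the context fields, path names and control names are assumptions chosen to mirror the diagram.

```python
import json
from dataclasses import dataclass, field
from typing import List

# Hypothetical contextual access policy engine (constructed for this example).
# Field names, enforcement paths and control labels are assumptions, not the
# product's own schema.


@dataclass
class AccessContext:
    user: str
    app: str                  # e.g. "salesforce", "office365"
    operation: str            # "view" | "download" | "share_external"
    sensitivity: str          # "public" | "internal" | "regulated" (PII/PCI)
    managed_device: bool      # corporate device with a management agent
    profile_pass: bool        # device posture check ("Device Profile: Pass/Fail")
    suspicious: bool = False  # cross-app anomaly raised by the identity layer


@dataclass
class Decision:
    allowed: bool
    path: str                 # "forward-proxy" | "reverse-proxy" | "api"
    controls: List[str] = field(default_factory=list)


def evaluate(ctx: AccessContext) -> Decision:
    """Map request context to an enforcement path and a DLP action."""
    controls: List[str] = []
    if ctx.suspicious:
        controls.append("step-up-mfa")  # identity layer reaction, any device

    if ctx.operation == "share_external":
        # Sharing state lives in the cloud app, so it is governed through its API.
        if ctx.sensitivity == "public":
            return Decision(True, "api", controls)
        return Decision(False, "api", controls + ["block-external-share", "alert-dlp"])

    trusted = ctx.managed_device and ctx.profile_pass
    if trusted:
        # Managed device with a passing posture: full access via the forward proxy;
        # regulated data still gets the lightest DLP action (a watermark) on download.
        if ctx.operation == "download" and ctx.sensitivity == "regulated":
            controls.append("watermark")
        return Decision(True, "forward-proxy", controls)

    # Unmanaged / BYOD or failed posture: agentless reverse proxy, and contextual
    # MFA for anything that is not public.
    if ctx.sensitivity != "public" and "step-up-mfa" not in controls:
        controls.append("step-up-mfa")
    if ctx.operation == "view":
        return Decision(True, "reverse-proxy", controls)
    # Download to an untrusted device: escalate along the DLP spectrum.
    if ctx.sensitivity == "regulated":
        return Decision(False, "reverse-proxy", controls + ["block-download", "alert-dlp"])
    if ctx.sensitivity == "internal":
        return Decision(True, "reverse-proxy", controls + ["watermark", "drm-encrypt"])
    return Decision(True, "reverse-proxy", controls)


def audit_record(ctx: AccessContext, decision: Decision) -> str:
    """One JSON audit line per decision, the raw material for compliance reporting."""
    return json.dumps({
        "user": ctx.user, "app": ctx.app, "operation": ctx.operation,
        "sensitivity": ctx.sensitivity, "managed": ctx.managed_device,
        "profile_pass": ctx.profile_pass, "allowed": decision.allowed,
        "path": decision.path, "controls": decision.controls,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests covering each row of the diagram.
    samples = [
        AccessContext("alice", "office365", "download", "regulated", True, True),
        AccessContext("bob", "salesforce", "download", "regulated", False, False),
        AccessContext("carol", "office365", "share_external", "internal", True, True),
    ]
    for s in samples:
        print(audit_record(s, evaluate(s)))
```

The ordering of the rules matters: the identity signal is evaluated first so that step-up MFA applies on every path, and the external-sharing branch is taken before the device branch because the device a share request comes from does not change where the share must be enforced.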
16. STORYBOAR
harbor: secure data in the cloud
searchable encryption
public cloud app with private cloud data
■ searchable, sortable true AES-256 + 256-bit IV
■ crypto-independent implementation
■ US Patent 9,047,480
■ endorsed by leading cryptographers
competition
■ maximum 20-bit IVs to support search
■ search performance drops with IV length
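Slides 12 and 16 both turn on one trade-off: a scheme that lets the app search ciphertext by equality has to re-encrypt the query under every IV it could have used, so the query cost is the size of the IV space, and a vendor that shrinks the IV space to keep search fast pushes the scheme toward deterministic encryption, where equal plaintexts produce equal ciphertexts. The toy below is an added example written for this page, not the vendor's patented scheme or any competitor's implementation: it uses HMAC-SHA256 in counter mode as a stand-in for AES so it runs with the standard library only, and the key, record values and IV widths are constructed. It shows the trial-encryption count growing as 2^bits and the equality leak appearing when the IV space collapses.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Toy searchable-encryption scheme (constructed for this example). HMAC-SHA256 in
# counter mode stands in for AES; key, records and IV widths are made up.


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(key, iv || counter) blocks, truncated to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption; the IV is prepended so the ciphertext is self-describing."""
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))


def iv_space(bits: int) -> List[bytes]:
    """All IVs permitted when the scheme restricts IVs to `bits` bits (2**bits values)."""
    width = max(1, (bits + 7) // 8)
    return [i.to_bytes(width, "big") for i in range(1 << bits)]


def build_index(key: bytes, records: List[Tuple[str, str]], bits: int) -> Dict[bytes, List[str]]:
    """Encrypt each (record_id, value) under a random IV from the restricted space."""
    ivs = iv_space(bits)
    index: Dict[bytes, List[str]] = defaultdict(list)
    for rid, value in records:
        index[encrypt(key, secrets.choice(ivs), value.encode())].append(rid)
    return index


def search(key: bytes, index: Dict[bytes, List[str]], term: str, bits: int) -> Tuple[List[str], int]:
    """Equality search without decrypting the store: re-encrypt `term` under every
    permitted IV and look each candidate ciphertext up. Returns (matching ids,
    number of trial encryptions); the cost per query is 2**bits."""
    hits: List[str] = []
    trials = 0
    for iv in iv_space(bits):
        trials += 1
        hits.extend(index.get(encrypt(key, iv, term.encode()), []))
    return sorted(hits), trials


def distinct_ciphertexts(index: Dict[bytes, List[str]], ids: Set[str]) -> int:
    """Number of different ciphertexts covering the given record ids. A result of 1
    means every record with that value encrypts identically: equality leaks."""
    return sum(1 for rids in index.values() if any(r in ids for r in rids))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    records = [("r1", "Bob"), ("r2", "Alice"), ("r3", "Bob"), ("r4", "Bob"), ("r5", "Carol")]
    for bits in (0, 4, 8, 12):
        index = build_index(key, records, bits)
        hits, trials = search(key, index, "Bob", bits)
        print(f"{bits:2d}-bit IVs: {trials:5d} trial encryptions per query, hits={hits}, "
              f"distinct 'Bob' ciphertexts={distinct_ciphertexts(index, set(hits))}")
```

The query cost is linear in the number of permitted IVs and therefore exponential in the IV width, which is the slide's point expressed in bits: a 20-bit limit means about a million trial encryptions per equality search, and a full 256-bit IV cannot be searched this way at all. When evaluating a vendor's "searchable encryption", the questions to ask are how many IVs the scheme actually uses per field and what equality, order or frequency information the index exposes to the cloud provider.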
17. STORYBOAR
secure salesforce + office 365
client: financial services giant
challenge
■ Needed complete CASB for enterprise-wide migration to SaaS
■ Encryption of data-at-rest in Salesforce
■ Security for Office 365
solution
■ Searchable true encryption of data in Salesforce
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed & unmanaged devices (Omni)
■ API control in the cloud
■ Discover breach & Shadow IT
18. STORYBOAR
secure google apps + byod
business data giant
client:
■ 15,000 employees in 190+ locations globally
challenge:
■ Mitigate risks of Google Apps adoption
■ Prevent sensitive data from being stored in the cloud
■ Limit data access based on device risk level
■ Govern external sharing
solution:
■ Inline data protection for unmanaged devices/BYOD
■ Bidirectional DLP
■ Real-time sharing control
19. resources:
more info about cloud security
■ whitepaper: the definitive guide to casbs
■ infographic: cloud adoption in financial services
■ case study: financial services firm secures salesforce and o365
The old approach to the problem is to secure the infrastructure. Historically this has been where the spend for large organizations has been.
Secure your network, put agents on every trusted device to manage the device, etc.
The fact is that the "trusted device" approach makes you more vulnerable to breaches, since users take their devices home for the weekend and come back infected on Monday.
Malware Mondays!
Issues with this approach: cumbersome, and expensive to administer, since you have to manage every device and network.
Usability is poor too, especially when it comes to MDM.
One of the big problems with this architecture: unmanaged devices accessing the cloud directly, with no visibility or control for IT teams. Complex to deploy / poor user experience / data-sync proliferation / BYOD blind spot.
We think CASBs provide a better approach to cloud security.
It starts with discovery.