webinar
june 21, 2017
securing the cloud for financial services
STORYBOARDS
cloud overview
■ The good
○ Lower cost
○ Greater flexibility
■ The bad
○ Losing sight of data
○ Losing control of data

the traditional approach to security is inadequate

poll: what does your organization currently use for cloud security?

financial services firms need a complete casb
■ comprehensive security wherever data goes
■ simple, rapid deployment
■ compliance with regulations like GLBA

security: discovery
■ Identify data exfiltration from unsanctioned apps, TOR networks, anonymizers, phishing, and malware
■ Automatically rank destinations by their relative risk
■ Long-term assessments identify stealthy threats

security: cloud
■ CASBs that use API and proxies offer comprehensive, real-time security
■ Leverage contextual access controls
■ Make use of data leakage prevention (DLP)
■ Malware protection

security: mobile
■ Data-centric vs device-centric security
■ Selective wipe vs full wipe
■ User and entity behavior analytics (UEBA)
○ Contextual access controls and DLP
■ Enforce security settings

compliance: encrypt data-at-rest
■ Necessary for data that is subject to regulatory mandates (e.g. PII, PCI)
○ Only encrypt what’s necessary
■ Structured data
■ Sensitive fields (SSNs, addresses, etc.)
■ Customer managed keys provide an

compliance: encrypt data-at-rest while retaining app functionality
■ Encryption must be at full strength, using industry standard encryption
■ Encryption must also allow you to use the data (search, sort, etc.)
■ Some firms limit the number of Initialization Vectors to support search

deployability: agentless
■ No installation or maintenance
■ Maintains device performance
■ Ensures employee privacy
■ Rapid deployment and adoption

financial services firms need a complete casb
■ comprehensive security wherever data goes
■ simple, rapid deployment
■ compliance with regulations like GLBA

total data protection
■ global tier-1 investors
■ #1 real-time CASB
■ ‘cadillac of CASB’

secure salesforce + office 365: financial services giant
challenge
■ Needed complete CASB for enterprise-wide migration to SaaS
■ Encryption of data-at-rest in Salesforce
■ Security for Office 365
solution
■ Searchable true encryption of data in Salesforce
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed & unmanaged devices (Omni)
■ API control in the cloud
■ Discover breach & Shadow IT

bitglass.com
@bitglass
resources: more info about cloud security
■ whitepaper: the definitive guide to casbs
■ infographic: cloud adoption in financial services
■ case study: financial services firm secures salesforce and o365

secure google apps + byod: business data giant
■ 15,000 employees in 190+ locations globally
challenge:
■ Mitigate risks of Google Apps adoption
■ Prevent sensitive data from being stored in the cloud
■ Limit data access based on device risk level
■ Govern external sharing
solution:
■ Inline data protection for unmanaged devices/BYOD
■ Bidirectional DLP
■ Real-time sharing control

harbor: secure data in the cloud
searchable encryption
public cloud app with private cloud data
■ searchable, sortable true AES-256 + 256-bit IV
■ crypto-independent implementation
■ US Patent 9,047,480
■ endorsed by leading cryptographers
competition
■ maximum 20-bit IVs to support search
■ search performance drops with IV length

securing the cloud for financial services

Editor's notes

  1. Hi everyone and thanks ____ I’m excited to talk with you today about what you need for securing your financial services firms in the cloud. We’ll start by briefly discussing the basics of the cloud, and then go on to talk about specific security solutions and capabilities you need as a financial, as well as why you actually need them. And if there’s time in the end we’ll be sure to take some questions for a Q&A. So let’s get started.
  2. Now, using cloud applications or cloud computing has pros and cons. And each can be more or less boiled down to two main points. For the benefits of using the cloud, the first is lower cost. And this is for a number of reasons. When you use cloud, you aren’t shackled to traditional, on-premises solutions and technologies. You don’t have to invest in establishing your own infrastructure, and you don’t have to maintain a large IT team. Obviously, those lead to lower costs. Now, at the same time, these benefits can also give firms more flexibility. And that’s because with cloud solutions, it’s easier to adapt to different levels of demand - for example, you wouldn’t have to expand your IT team or your infrastructure as much. The two main drawbacks of using the cloud are pretty tightly knit together. Without adequate security and procedures, it’s very easy to lose sight of your data. Employees might use unsanctioned cloud applications, or shadow IT, without you knowing. It’s a problem when you can’t see what’s being done with your data. And, if you don’t know where your data is, then it’s obviously challenging to control or manage it. For regulated industries like finance, that’s obviously a huge problem, because you’re held to a higher standard when it comes to what happens with your data. The move to the cloud is becoming more and more of a necessity to compete today. So you have to find out how to gain the benefits of the cloud without accepting the costs along with them.
  3. The problem is that traditional security solutions aren’t adequate once you start using the cloud. Historically, organizations have focused on securing their infrastructure and putting agents on trusted devices. They focused on on-premises security because they didn’t have to worry as much about data outside of their walls. But as data moves beyond the corporate firewall and employees access it from unmanaged devices, that strategy pretty much falls apart. And using agents on all devices accessing corporate data isn’t very realistic. That’s partially because widescale agent deployment is logistically difficult - especially with BYOD and all the different devices people use. On top of that, agents harm devices’ functionality and the users’ privacy. So people usually don’t buy in. And that’s understandable when your employer wants you to install something on your phone that harms battery life, makes it slower, and gives them access to your personal information. So that’s just to say that the traditional set of solutions isn’t as helpful as it used to be. Something with consideration for cloud is needed now. So, some organizations try to rely on API solutions on cloud applications. But even though those can protect data at-rest and exercise some access control, they can’t do things like secure data on endpoints or offer many real-time capabilities. So you’re really only getting partial security when you go the API-only route.
  4. So at this point, we want to take a poll and hear from all of you. And the question we want to ask you is what does your organization currently use for cloud security? Go ahead and pick the answer that best reflects your firm’s current stance. We really just want to know where you are with your security. The options are: traditional, on-premises solutions; relying on applications’ API-only solutions; using agents; or using a CASB (cloud access security broker). So we’ll give you a few moments to answer that. Looks like some answers are starting to come in here. What we’re seeing today is a lot of people using those middle two solutions, but a growing migration to using CASBs. And there is a reason for that. This segues us quite well into our next point.
  5. What financial services firms need is a complete security solution like a cloud access security broker (or CASB) that doesn’t rely on agents. And that’s because of these three requirements here. Financials need to ensure complete, real-time security for data in the cloud, in transit, and on all endpoints - whether those endpoints are managed or unmanaged. Next, regulatory compliance is critical for financial institutions, and their security solutions must help them meet regulations like Gramm-Leach-Bliley, or GLBA. Finally, deployment is important because security measures don’t mean anything if they can’t actually be fully deployed. All the technology in the world doesn’t mean anything if you can’t use it. This step doesn’t always get a lot of attention, but it’s very important. So to achieve these three things, a comprehensive CASB is the way to go. And making sure that that comprehensive CASB is also agentless is pretty critical. Now for the rest of our time we’ll focus on these three requirements. And as we go, we’ll be talking about the different capabilities you need. So let’s start with security.
  6. Discovery tools are usually the first security tools that are sought out by organizations as they enter the cloud, because they provide visibility into where data goes. And when you’re just starting to use the cloud, it would make sense that your first desire would be to know where your data is going now that it isn’t stored on-prem and it’s harder to see where it’s going. Of course, this is useful for more mature firms too. So, you want a discovery tool that sees everything - unsanctioned apps, anonymizers, and so on and so forth. There isn’t much of a limit on where data can go, and you want to be able to see it at all times. Discovery solutions should also have some kind of capability whereby they can tell you the relative risk of different destinations or cloud apps, for example. Usually that involves some kind of numeric or qualitative ranking system. And that’s helpful because you don’t just want to know, oh, my data is going to Apps A, B, and C. You want to know if any of those apps are dangerous and which ones aren’t a cause for concern. Lastly, some stealthier threats can take a longer amount of time to reveal themselves, and you want a solution that can detect them. You want a tool that can take a long-term approach and a short-term approach. Now, discovery is necessary, but it isn’t sufficient. Just seeing threats and where data goes isn’t enough - you want to be able to respond. So don’t stop at discovery. You need to make sure that you don’t just see data, but that you can control it.
  7. And that’s where other cloud security capabilities come in - a few of them here. CASBs that use a combination of API integration and proxies can simultaneously integrate with applications to protect data in the cloud, and proxy traffic to provide real-time protection capabilities. And these are called multimode or hybrid CASBs. Gartner typically refers to them as multimodal CASBs. Now, a lot of CASBs say they are multimode or complete, but are actually API-only. In particular, they often lack a robust reverse proxy that can address incoming requests and activities from unmanaged devices. That’s important because a lot of damage can be done from unmanaged devices. But like we said earlier, API-only doesn’t protect much outside of cloud apps themselves - not to mention that some apps don’t even allow for API integration. So you want to be careful when you’re checking out your options. The claims you hear don’t always match reality. Now, for access controls, you don’t want them to just be limited to static block and do not block options. You want them to be able to consider a lot of factors like geographic location, job function, and past user behavior in real-time. More advanced access controls can recognize the issue when your Office 365 account logs in from California and Russia within a five minute span, for example. We’ll mention how a little bit later. But that can be very helpful for obvious reasons. Likewise, DLP policies should have a host of tools (redaction, quarantining, et cetera) that take a real-time approach. As an example, you want digital rights management (or DRM) where step-up authentication can be enforced mid-session to ensure that users are who they say they are in case they start to exhibit anomalous or strange behavior. Finally, for malware, don’t just use signature-based protections - those only work against known malware. 
In addition to protection for known threats, make sure you have anti-malware that is able to protect from zero-day malware, too. Zero-day malware is new and unknown - it’s the more dangerous type that you need to watch out for. They’re more dangerous because what they do, how they work, and how to address them isn’t readily available - they are inherently new. Usually the solutions that can protect against zero-day malware incorporate artificial intelligence or machine learning in some capacity so that they can identify threats and their potential for malicious behavior. That way, you don’t have to know what exactly it is, you just have to be able to identify it’s a potential threat.
  8. Next, mobile devices deserve special security consideration because of how much they allow for rapid, remote access to corporate data. You might even say they have secretive access to corporate data sometimes. The first thing you want to ensure when you’re looking for a mobile solution is that you get a data-centric solution instead of a device-centric solution. The number of devices employees can access data from is effectively endless, so it’s really better to focus on protecting data rather than on controlling an endless number of devices through agents that need to be installed on every single one of them. It would obviously be a time-consuming undertaking to go that route. What an agentless solution can let you do is use tools like selective wipe, where you are solely focused on controlling and deleting corporate data from a personal mobile device, instead of tools like full wipe, where you effectively control and wipe the entire phone and make no distinction between personal and corporate data. Obviously users wouldn’t be very happy about that. User and entity behavior analytics, or UEBA, consider the behaviors of users and detect anomalous activities that pose risks. Ideally, UEBA will be tied into contextual access controls and DLP that work with mobile devices for real-time mobile security. Now, UEBA isn’t JUST for mobile, but it’s very useful when we’re talking about mobile security because, again, mobile access to data can be rapid, remote, and secretive. Finally, even while taking a data-centric approach, enforcing some non-invasive security settings on mobile devices is still a good idea - provided you aren’t using agents and harming the devices. For example, you can enforce shorter time limits before phones lock or you can require pin codes instead of swipe patterns to unlock them. Basically, you can do things that don’t have much of an impact on the user, but that can help ensure additional layers of security. 
So with all of these security features in mind (that is, discovery, cloud, and mobile), let’s move on to talk about compliance.
  9. Financials are pretty heavily regulated - probably more than almost any other industry. And there’s a lot to keep track of to ensure compliance, as you all know very well. They handle a lot of sensitive data like PII and PCI and they have to protect it. (PII being personally identifiable information and PCI being payment card industry data). Now, encryption is a very good way to protect this data from the prying eyes of unauthorized and even malicious insiders and outsiders. But you want to make sure you only encrypt what’s necessary. Encrypting everything isn’t necessary or even wise most of the time. So encrypt what’s necessary. For structured data, which is organized into rows and columns (think Excel spreadsheet), you would want to encrypt sensitive fields that contain things like social security numbers, for example. For unstructured data, which doesn’t really have a set format and is just kind of lumped together and exists in a number of file formats, you still want to be able to identify and encrypt sensitive information regardless of how it looks. It’s important to note that however and whatever you encrypt, the best option is to hold your own encryption keys locally so that no third parties can access your sensitive data. If a cloud vendor holds both your data and your encryption keys, you can lose everything if they get hacked. You wouldn’t want to store a key with its lock, right? Right.
  10. But just encrypting your data isn’t enough - because there are two things you need to consider when selecting what type of encryption you want - strength and usability. Encryption should be full strength AES-256 with 256-bit IV or initialization vectors. Basically, look for the number 256. But you don’t want to mask your data to the extent that you can’t do anything with it. You want to maintain functionality so you can sort and search through your full-strength-encrypted data. And that’s a technologically challenging feat since encryption basically turns your data into gibberish. It’s hard to encrypt data so that it’s disguised but then use it as if it weren’t. To address that, what some companies do is reduce their IVs, or basically weaken their encryption, so that it can still support functions like search. But that kind of defeats the purpose of encryption - if you’re going to protect your data, you should actually protect your data. It doesn’t make sense to have a security measure that only half works because you have to trade off between protection and function. Obviously, you don’t want that. So make sure that your encryption is full strength and provides full functionality.
  11. For everything we’ve discussed so far, deployability may be the most important - because solutions are useless if they can’t actually be deployed. One insecure device can be all it takes to enable a massive breach. So you want to be sure your solutions are fully deployed. And that’s why agentless CASBs are definitely the way to go. Agentless solutions require no installations or maintenance - employees essentially just use native apps normally and that’s all there really is to it. From the user’s perspective, nothing really changes, so they don’t have much of a reason to refuse it. And because no installations are required, there is nothing to harm employees’ devices or violate their privacy. With agents, as I mentioned earlier, employees’ personal traffic and activity can be monitored, and their devices often run less quickly and efficiently. You basically install something on your device that can let your employer invade your privacy and forces your battery to die more quickly, among other things. But that isn’t an issue when you go agentless. So that’s obviously the route you want to take if you want employees to actually adopt your solution. I know I’ve hit this point quite a bit, but it’s definitely important. So, together, these factors allow for rapid, complete deployment and employee buy-in. Meaning you can start securing your data much more quickly than you could with other solutions.
  12. Now we’ve talked about each of our three requirements from earlier; that is, comprehensive security, regulatory compliance, and deployment. And only a complete, agentless CASB can offer these three things to the extent needed by financial services firms.
  13. To transition just a bit, Bitglass is an agentless CASB that offers total data protection wherever data goes. We can help meet those three requirements we just mentioned. Bitglass is backed by a number of global tier-1 investors, some of which you can see here, and is considered the number one real-time CASB - we can protect data in the cloud, on endpoints, and in transit in real-time. That’s a departure from a lot of competitors who only provide after-the-fact capabilities when it’s already too late and your data has been compromised. That’s why some analysts refer to us as the Cadillac of CASB - we have high quality and complete protection in an all-in-one solution.
  14. To conclude this portion of the webinar, I wanted to present a use case that sums up our ability to provide the tools we’ve been discussing today. So, Bitglass was previously approached by a financial services giant that wanted to migrate to the cloud and simultaneously secure Salesforce and Office 365. So the solution we provided them offered full-strength encryption with full functionality (in terms of search and sort like we talked about), and we also gave them full control of their encryption keys since, again, that can allow you more control over who sees your data. We also gave them real-time DLP and access controls that worked across all devices, as well as our discovery tool for breaches and shadow IT - basically everything we’ve talked about today. So, this example sums up pretty well the kinds of issues financials face, the kinds of tools they need, and how an agentless CASB like Bitglass can provide what they’re looking for - and that’s security, compliance, and deployment.
  15. And that about wraps us up. I just wanted to take a moment to thank everyone for joining the webinar today. Hopefully this has been helpful for you. And we do have a few minutes left, so we’ll go ahead and switch over to take a couple of questions. Let’s see here. Sadly we are out of time and won’t be able to get to everyone’s questions. I do apologize about that, but thank you again for your time and have a wonderful day.
  16. Competition: Skyhigh, Netskope, Cloudlock, Elastica/Bluecoat
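
Note 7 describes a contextual access control that notices one account signing in from California and Russia within five minutes. The following is an added example of one way such a check can work, not code from the webinar or from any vendor: it computes the speed implied by consecutive sign-ins over constructed events, and the speed ceiling, the distance floor and all names are assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in events: (user, UTC time, latitude, longitude, place).
SIGNINS = [
    ("alice", "2017-06-21T15:00:00", 37.77, -122.42, "San Francisco, US"),
    ("alice", "2017-06-21T15:05:00", 55.75, 37.62, "Moscow, RU"),
    ("bob", "2017-06-21T09:00:00", 40.71, -74.01, "New York, US"),
    ("bob", "2017-06-21T18:30:00", 51.51, -0.13, "London, GB"),
    ("carol", "2017-06-21T12:00:00", 37.77, -122.42, "San Francisco, US"),
    ("carol", "2017-06-21T12:00:30", 37.80, -122.27, "Oakland, US"),
]

MAX_SPEED_KMH = 1000.0   # assumed ceiling: faster than a commercial flight
MIN_DISTANCE_KM = 100.0  # assumed floor: IP geolocation is too coarse below this


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per pair of consecutive sign-ins no traveller could make."""
    alerts, last = [], {}
    # Sorting by (user, timestamp) walks each user's sign-ins in time order.
    for user, ts, lat, lon, place in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_lat, p_lon, p_place = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous sign-ins far apart count as infinitely fast.
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_speed:
                alerts.append({"user": user, "from": p_place, "to": place,
                               "km": round(km), "minutes": round(hours * 60, 1)})
        last[user] = (when, lat, lon, place)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

The distance floor is what keeps the constructed San Francisco to Oakland pair quiet: thirty seconds apart it implies a speed above the ceiling, but at that range the difference is geolocation noise rather than travel.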
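
Note 10 says some companies reduce their IVs so that encrypted data can still be searched, and that this weakens the protection. The following is an added example, not code from the webinar or from any vendor, that shows both halves of that trade-off on a constructed column: an HMAC-SHA256 keystream stands in for AES (the Python standard library has no AES), and every name in it is hypothetical.

```python
import hashlib
import hmac
import os
import random
from collections import Counter

KEY = os.urandom(32)                            # constructed demo key
POOL_1 = [os.urandom(16)]                       # one IV reused for every value
POOL_4 = [os.urandom(16) for _ in range(4)]     # small fixed pool of IVs

# Constructed sensitive column: a few values repeat, as real data does.
COLUMN = ["CLOSED", "ACTIVE", "ACTIVE", "FROZEN",
          "ACTIVE", "CLOSED", "ACTIVE", "ACTIVE"]


def _keystream(key, iv, n):
    """Stand-in cipher core: n keystream bytes derived from (key, iv)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key, iv, plaintext):
    """Return iv || ciphertext; the same (key, iv, plaintext) gives the same bytes."""
    data = plaintext.encode()
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def encrypt_column(key, values, iv_pool=None):
    """iv_pool=None uses a fresh random IV per value; otherwise draw from the pool."""
    return [encrypt(key, random.choice(iv_pool) if iv_pool else os.urandom(16), v)
            for v in values]


def search(key, stored, term, iv_pool):
    """Key holder's equality search: encrypt the term under every pool IV and match."""
    candidates = {encrypt(key, iv, term) for iv in iv_pool}
    return [i for i, ct in enumerate(stored) if ct in candidates]


def observer_view(stored):
    """What ciphertext alone reveals: sizes of groups of identical ciphertexts."""
    return sorted(Counter(stored).values(), reverse=True)


if __name__ == "__main__":
    one_iv = encrypt_column(KEY, COLUMN, POOL_1)
    print("search hits:", search(KEY, one_iv, "ACTIVE", POOL_1))
    print("one IV, observer sees group sizes:", observer_view(one_iv))
    print("fresh IVs, observer sees:", observer_view(encrypt_column(KEY, COLUMN)))
```

With a single IV the group sizes an observer sees are exactly the plaintext value frequencies, with no key required; with a fresh IV per value every ciphertext is unique, which hides the frequencies and also means this simple equality search no longer works.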