STORYBOARDS
DLP: Cloud vs On-Premises
Salim Hafid, Product [email protected]
Rich Campagna, VP, [email protected]
User wants access
● Any device: managed device, unmanaged device
● Anywhere: Starbucks, corporate network
Enterprise wants security and control
● Visibility and audit
● Restrict data on unmanaged devices
● Prevent hacked accounts
● Prevent data leakage and control access
First Approach: Secure the Infrastructure
Diagram: HQ and branch office behind the firewall, DLP and web proxy; remote users (Starbucks, apartment) connect over VPN; mobile devices are managed with MDM.
Traditional Data Loss Prevention (DLP)
● Limited to managed devices and applications only
● Assumes trusted devices: DLP inspects outbound/send traffic only
● Content analysis: keyword matches, regular expressions, etc.
● Doesn't handle the out-of-band access (external/public sharing, etc.) typical of cloud apps
● No visibility into encrypted traffic from public cloud applications
● Performance concerns: WAN latency with cloud apps
CASB Data Loss Prevention (DLP)
● Support BYOD and public cloud apps in any access scenario
  ○ Ex: BYOD iPad from Starbucks accessing O365
● Bidirectional scanning with contextual access control
  ○ Ex: Restrict credit card download to BYOD outside of US
● Content analysis policies match/integrate via ICAP with premises DLP
● Control external sharing and API-based access to data
  ○ Ex: File shared publicly can be quarantined for analysis
● Full decryption and analysis of cloud application data
● Global, cloud-scale distributed infrastructure minimizes performance impact
CASB Cloud DLP
Inbound policy, evaluated on data, user, device and location, applied to any cloud app (email, files)
Outbound policy (sharing, sending, etc.), applied to email and files
● Contextual DLP
● Any device, zero footprint
● Real-time, proxy-accelerated API scans
Actions: modify sharing permissions, watermark, DRM, redact, encrypt
How it works: Comprehensive CASB Architecture
● Reverse Proxy and ActiveSync
  ○ Secure BYOD without agents
● Forward Proxy
  ○ Enforce policies on managed devices
● API control
  ○ Watermark, DRM, Redact, Encrypt
Typical Policy (columns: Application Access, Access Control, Data Protection)
Managed device
  Application Access: Forward Proxy, ActiveSync Proxy
  Access Control: Device Profile: Pass ● Email ● Browser ● Thick clients
  Data Protection: ● Full Access
BYOD
  Application Access: Reverse Proxy + AJAX VM, ActiveSync Proxy
  Access Control: Device Profile: Fail ● Mobile Email ● Browser
  Data Protection: ● DLP/DRM/encryption ● Device controls
In the Cloud
  Application Access: API Control
  Access Control: External Sharing Blocked
  Data Protection: ● Block external shares ● Alert on DLP events
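The policy matrix above as an added worked example (hypothetical Python, not Bitglass code): a contextual DLP evaluator that combines a content-analysis step (credit-card numbers validated with a Luhn check) with device profile, direction and location, and returns the action each row of the slide prescribes. The device labels, country codes and action names are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical contextual DLP evaluator modelled on the policy matrix above;
# device labels, country codes and action names are assumptions, not product values.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from the card-number regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(content: str) -> set:
    """Content analysis step: label payloads that carry a valid card number."""
    labels = set()
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("credit_card")
    return labels


@dataclass
class Context:
    device: str              # "managed" | "byod" | "api" (cloud-to-cloud access)
    direction: str           # "download" | "upload" | "share"
    country: str             # ISO country code of the user's location, e.g. "US"
    external: bool = False   # share target is outside the organisation


def evaluate(ctx: Context, content: str) -> str:
    """Combine content labels with device, direction and location to pick an action."""
    labels = classify(content)
    if ctx.device == "api":
        # API control row: external shares are blocked, DLP matches raise an alert
        if ctx.direction == "share" and ctx.external:
            return "block_external_share"
        return "alert" if labels else "allow"
    if ctx.device == "managed":
        return "allow"        # device profile passes: full access
    # BYOD row: device profile fails, so data protection controls apply
    if "credit_card" in labels:
        if ctx.direction == "download" and ctx.country != "US":
            return "block"    # slide example: no card downloads to BYOD outside the US
        return "redact"       # still DLP-controlled inside the US
    return "allow"
```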
Policy
Bay Cove Human Services - Google Apps + HIPAA
2500 employees
HIPAA compliance with Google Apps and BYOD
● Secure Protected Health Information (PHI)
● Remain HIPAA compliant with DLP, identity management, mobile data protection
Ad Agency - O365 OneDrive
200 employees, global clients
Protect unreleased creative files in OneDrive
● Visibility and control
● Limit access from unmanaged devices; project team members only
● Prevent data leakage
Resources
1. Definitive Guide to Cloud Access Security Brokers http://pages.bitglass.com/definitive-guide-to-cloud-access-security-brokers.html
2. Bitglass Case Studies http://www.bitglass.com/resources#case_studies=1
3. Glass Class - Traditional DLP Limitations https://www.youtube.com/watch?v=ZXKvoqQCdNs