Bitglass Webinar - DLP: Content vs On-Premises

Post on 11-Apr-2017

TRANSCRIPT

STORYBOARDS

DLP: Cloud vs On-Premises

Salim Hafid, Product Marketing, shafid@bitglass.com

Rich Campagna, VP, Products, rcampagna@bitglass.com

Vote #1

User wants access

Starbucks

Managed Device

Any Device...

Anywhere...

Unmanaged Device

Corporate Network

Enterprise wants security and control

Visibility and audit

Restrict data on unmanaged devices

Prevent hacked accounts

Prevent data leakage & control access

First Approach: Secure the Infrastructure

Firewall DLP

Web Proxy

VPN

HQ & Branch Office

Starbucks

Apartment VPN

MDM

Traditional Data Loss Prevention (DLP)

Limited to managed devices and applications only

Assumes trusted devices - DLP on Outbound/Send traffic only

Content analysis - keyword matches, regular expressions, etc.

Doesn’t handle out-of-band access (external/public sharing, etc.) typical with cloud apps

No visibility into encrypted traffic from public cloud applications

Performance concerns - WAN latency with cloud apps

Vote #2

CASB Data Loss Prevention (DLP)

Support BYOD, public cloud apps in any access scenario
• Ex: BYOD iPad from Starbucks accessing O365

Bidirectional scanning with contextual access control
• Ex: Restrict credit card download to BYOD outside of US

Content analysis policies match/integrate via ICAP with premises DLP

Control external sharing and API-based access to data
• Ex: File shared publicly can be quarantined for analysis

Full decryption and analysis of cloud application data

Global, cloud-scale distributed infrastructure minimizes performance impact.

CASB Cloud DLP

Inbound Policy

Data, User, Device, Location

Any Cloud App

Email, Files

Outbound Policy: Sharing, Sending, etc.

Email, Files

● Contextual DLP

● Any device, zero footprint

● Real-time, proxy-accelerated API scans

Modify sharing permissions, Watermark, DRM, Redact, Encrypt

How it works: Comprehensive CASB Architecture

● Reverse Proxy and ActiveSync
○ Secure BYOD without agents

● Forward Proxy
○ Enforce policies on managed devices

● API control
○ Watermark, DRM, Redact, Encrypt

Typical Policy

Managed device
● Application Access: Forward Proxy, ActiveSync Proxy
● Access Control: Device Profile: Pass (Email, Browser, Thick clients)
● Data Protection: Full Access

BYOD
● Application Access: Reverse Proxy + AJAX VM, ActiveSync Proxy
● Access Control: Device Profile: Fail (Mobile Email, Browser)
● Data Protection: DLP/DRM/encryption, Device controls

In the Cloud
● Application Access: API Control
● Access Control: External Sharing Blocked
● Data Protection: Block external shares, Alert on DLP events

Policy

Bay Cove Human Services - Google Apps + HIPAA

2500 Employees

HIPAA Compliance with Google Apps and BYOD

● Secure Protected Health Information (PHI)
● Remain HIPAA compliant with DLP, identity management, mobile data protection

Ad Agency - O365 OneDrive

Protect unreleased creative files in OneDrive

● Visibility and control
● Limit access from unmanaged devices; project team members only
● Prevent data leakage

200 Employees

Global clients

Resources

1. Definitive Guide to Cloud Access Security Brokers http://pages.bitglass.com/definitive-guide-to-cloud-access-security-brokers.html

2. Bitglass Case Studies http://www.bitglass.com/resources#case_studies=1

3. Glass Class - Traditional DLP Limitations https://www.youtube.com/watch?v=ZXKvoqQCdNs
