IS CASB YOUR NEW BEST FRIEND FOR SAFE CLOUD ADOPTION? · Insecure APIs 4. System and Application Vulnerabilities 5. Account Hijacking 6. Malicious Insiders ... Look for CASB solutions

Copyright © 2018 Forcepoint. | 1

IS CASB YOUR NEW BEST

FRIEND FOR SAFE CLOUD

ADOPTION?

Mike Smart

Security Strategist, Forcepoint

[email protected]

mailto:[email protected]


SANCTIONED CLOUD APPLICATION ADOPTION



“By 2017 the CMO

will spend more on

IT than the CIO”

- Gartner (2012)

Up to 40% of IT Spend is

Shadow IT – and it is

expected to grow.

36 cloud services used

on average by employees

600 to 1,000SaaS applications used at a typical company


ARE YOU READY FOR THE NEXT WAVE OF SHADOW IT INNOVATION?

Source: chiefmartec.com http://cdn.chiefmartec.com/wp-content/uploads/2016/03/marketing_technology_landscape_2016_3000px.jpg

http://cdn.chiefmartec.com/wp-content/uploads/2016/03/marketing_technology_landscape_2016_3000px.jpg


THE NEW CHALLENGE FACING ORGANIZATIONS

SECURITY &

COMPLIANCEINNOVATION

of business decision makers state it is DIFFICULT or

VERY DIFFCULT to promote innovation while maintaining

corporate security and governance

A BALANCING ACT…

56%


CSA - TREACHEROUS 12

1. Data Breaches

2. Weak Identity, Credential and Access Management

3. Insecure APIs

4. System and Application Vulnerabilities

5. Account Hijacking

6. Malicious Insiders

7. Advanced Persistent Threats (APTs)

8. Data Loss

9. Insufficient Due Diligence

10. Abuse and Nefarious Use of Cloud Services

11. Denial of Service

12. Shared Technology Issues


Pro

vid

er

Ma

na

ge

d

Pro

vid

er

Ma

na

ge

d

THE SHARED SECURITY MODEL

Enterprise ITInfrastructure

(as a Service)

Platform

(as a Service)

Software

(as a Service)

Identity & Access

Management

Client & Endpoint Protection

Data Classification &

Accountability

Identity & Access

Management



Accountability

Identity & Access

Management



Accountability

Identity & Access

Management



Accountability

Databases

Security

Applications

Servers

Virtualization

Operating Systems

Data Centers

Networking

Storage

Databases

Security

Applications

Operating Systems

Databases

Security

Applications

Servers

Virtualization

Operating Systems

Data Centers

Networking

Storage

Databases

Security

Applications

Servers

Virtualization

Operating Systems

Data Centers

Networking

Storage

Cu

sto

me

r M

an

ag

ed

Cu

sto

me

r M

an

ag

ed

Cu

sto

me

r M

an

ag

ed

Cu

sto

me

r M

an

ag

ed

Pro

vid

er

Ma

na

ge

d

Servers

Virtualization

Data Centers

Networking

Storage


CASB – IS IT YOUR NEW BEST FRIEND?

CASB


ANALYSTS VIEW OF CLOUD ACCESS SECURITY

COMPLIANCE

THREAT

PROTECTION

DATA

SECURITY

VISIBILITY

CASB


Authorised users accessing

approved cloud applications from

unmanaged endpoint devices


unsanctioned cloud app (Shadow IT)

from unmanaged endpoint devices


approved cloud apps from managed

endpoint devices

Cybercriminals/malicious insiders

using stolen credentials to access

cloud applications

4 TOP USE-CASES FOR THE WHENEVER, WHEREVER WORKFORCE

1 2

3 4


MEDIUM RISK(General Deployment)

HIGER RISK(As Exception)

LOW RISK(Early Adoption)

Shadow IT

Discover Shadow IT

Monitor Users & Data

Strict Policy Enforcement

Data Encryption &

Tokenization

Semi-Real-Time Enforcement

Hard Real-Time Enforcement

ANALYST GUIDANCE FOR CASB ADOPTION


CASB

CLOUD APPLICATION SECURITY BROKER DEPLOYMENT OPTIONS

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Existing Proxy

No

Visibility


CASB

CASB INTEGRATION WITH EXISTING PROXY

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Existing Proxy

Policy

Logs

Existing Proxy


IDENTIFY CLOUD APPLICATIONS IN USE


RISK ASSESSMENT METHODOLOGY

https://appdirectory.skyfence.com


CASB

CASB INTEGRATION WITH EXISTING PROXY

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Existing Proxy

Policy

Logs

Existing Proxy


CASB

CASB - API

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Cloud APIs

Existing Proxy

Policy

Logs

API Mode

Existing Proxy


MONITOR & AUDIT USER ACTIVITY


BENCHMARK CLOUD APPS TO INDUSTRY STANDARDS





Shadow IT

Discover Shadow IT



Data Encryption &

Tokenization





25% Shared

Broadly

THE NEED TO GAIN VISIBILITY & CONTROL OF CRITICAL DATA

18% Uploaded files

contain sensitive data

12.5% Broadly

shared files contain

sensitive data

Business Partners

Personal Email Users

28%

6.2%

Anyone with the link

5.5%

Skyhigh & Symantec 2017

2.7%

Publicly Accessible


IDENTIFY SENSITIVE DATA IN CLOUD APPLICATIONS


IDENTIFY SENSITIVE DATA IN CLOUD APPLICATIONS


IDENTIFY MALWARE IN CLOUD APPLICATIONS


CASB

CASB – REVERSE & FORWARD PROXY

Reverse Proxy

MANAGED

DEVICESUN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

Existing

Proxy

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Forward

Proxy


CASB

CASB - API

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Cloud APIs

Existing Proxy

Policy

Logs

API Mode

Existing Proxy


CASB

CASB – REVERSE PROXY

Reverse

Proxy

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Cloud APIs

Existing Proxy

Policy

Logs

API Mode

Reverse Proxy

Existing Proxy


CASB

CASB – FORWARD PROXY

Reverse

Proxy

MANAGED

DEVICES

UN-MANAGED

DEVICES

UNSANCTIONED

CLOUD

SANCTIONED CLOUD

AP

I

DL

P

En

cry

pt

To

ke

niz

e

Devic

e

Mgm

t.

Lo

ggin

g

Ide

ntity

Use

r

Activity

BY

OK

Cloud APIs

Existing Proxy

Forward Proxy

Policy

Logs

API Mode

Forward Proxy

Reverse Proxy

Existing Proxy


USER BEHAVIOUR ANALYTICS – TO IDENTIFY HIGH RISK USERS


UNDERSTANDING THE RHYTHM OF YOUR EMPLOYEES - CLOUD UEBA

a. Adaptive Access Controls

b. Cloud applications enable employee mobility.

c. Users can, and do, work from several devices – both corporate

managed and BYOD

d. Do you have a BYOD policy or solution? Must be able to protect

both endpoints, managed and unmanaged

IRA - REGIONAL SALES MANAGER

▸ Travels for work often

▸ Has access to company IP

▸ Uses cloud apps on her

personal mobile phone to

access data


JULY 22

▸ Working remotely

using public Wi-Fi

on her smart phone


JULY 27

▸ Ira is leaving Las Vegas

▸ Her Box acct. is being

accessed from Ukraine

▸ Indicator of account

takeover


USER RISK RANKING OF CLOUD USERS

Understand how your users are interacting with cloud hosted data to prevent exfiltration

Be certain solution is capable of monitoring very granular actions in real-time

Look for CASB solutions with automated enforcement to protect against both malicious

insiders and

Risk = Likelihood * Impact


UEBA – CLOUD SECURITY, SIMPLIFIED


USER ACCESS MANAGEMENT





Shadow IT

Discover Shadow IT



Data Encryption &

Tokenization





CSA - TREACHEROUS 12

1. Data Breaches


3. Insecure APIs





8. Data Loss






HOW CAN CASB HELP IN THEORY?

1. Data Breaches


3. Insecure APIs





8. Data Loss






Pro

vid

er

Ma

na

ge

d

Pro

vid

er

Ma

na

ge

d

THE SHARED SECURITY MODEL

Enterprise ITInfrastructure

(as a Service)

Platform

(as a Service)

Software

(as a Service)

Identity & Access

Management



Accountability

Identity & Access

Management



Accountability

Identity & Access

Management



Accountability

Identity & Access

Management



Accountability

Databases

Security

Applications

Servers

Virtualization

Operating Systems

Data Centers

Networking

Storage

Databases

Security

Applications

Operating Systems

Databases

Security

Applications

Servers

Virtualization

Operating Systems

Data Centers

Networking

Storage

Databases

Security

Applications

Servers

Virtualization

Operating Systems

Data Centers

Networking

Storage

Cu

sto

me

r M

an

ag

ed

Cu

sto

me

r M

an

ag

ed

Cu

sto

me

r M

an

ag

ed

Cu

sto

me

r M

an

ag

ed

Pro

vid

er

Ma

na

ge

d

Servers

Virtualization

Data Centers

Networking

Storage

CA

SB

-M

an

ag

ed


CASB – IS IT YOUR NEW BEST FRIEND?

CASB


4 TOP USE-CASES FOR THE WHENEVER, WHEREVER WORKFORCE

1Authorised users accessing approved cloud

applications from unmanaged endpoint devices 2Authorised users accessing approved cloud apps

from managed endpoint devices

3Authorised users accessing unsanctioned

cloud app (Shadow IT) from unmanaged

endpoint devices 4Cybercriminals/malicious insiders using stolen

credentials to access cloud applications

Implement Data Protection & User access controls

based on device, destination, user or application

Understand user risk & behaviour

Enforce application-based controls

Apply data protection policies to prevent loss or theft of data

Detect malicious code embedded in documents in cloud storage

Discover Cloud App use from proxies & firewall

Manage unsanctioned cloud app use

Block High risk cloud app access from network

Employ UEBA to detect anomalies and protect & remediate

account takeover threats in real-time

Identify high risk user patterns and apply security polices to

trigger remediation actions (Like account blocking)

Detect unsanctioned application use putting data at risk


ELIMINATE SECURITY BLIND SPOTS FOR ANY CLOUD APPS

VISIBILITY

Insight into what apps are being used by

employees

Granular view of how employees are

using apps

ENFORCEMENT

Automated threat prevention and

context-aware policy enforcement

RISK ASSESSMENT

Contextual risk of apps, users,

and security configurations

ACCOUNT TAKE OVER DATA PROTECTION DEVICE ACCESS CONTROL

ACCOUNT CONTROL & MONITORING AUDIT OF USER ACTIVITIES

FORCEPOINT CASB


NEXT STEPS

Introducing the Office 365 Cloud Threat Assessment

Cloud Threat Assessment Report details cloud-application risk posture:• Cloud usage patterns. How potentially harmful activities happen in cloud applications across your organization.

• Geographical usage. Which countries your data is traveling to and from (you may be surprised).

• Privileged users. Do you have more administrators than you need?

• Dormant users. Are you overspending on unused licenses?

• Riskiest users. Who are your riskiest users and why?


Thank you

Mike Smart

[email protected]

Questions?

mailto:[email protected]

Documents

IS CASB YOUR NEW BEST FRIEND FOR SAFE CLOUD ADOPTION? · Insecure APIs 4. System and Application Vulnerabilities 5. Account Hijacking 6. Malicious Insiders ... Look for CASB solutions