© 2015 IBM Corporation

The first CASB solution with integrated access control, visibility, and threat protection

Patrick Wardrop, Chief Product Architect

October 7th, 2015

IBM Cloud Security Enforcer

2 © 2015 IBM Corporation

MOBILE

BYOD

ON PREM

RISKY APPS

APPROVED APPS

A new SaaS solution to help securely deploy cloud services

EMPLOYEES

Identity and Access Control

Threat Prevention

Policy Enforcement

Discovery and Visibility

Cloud Event Correlation

DETECT CONNECT PROTECT

3 © 2015 IBM Corporation

Integrating leading IBM security technology into a single platform

•  Risk scoring for 1000’s of apps

•  Continuous stream of cloud activity data

•  Mapping of network data to specific users

•  Mobile integration to uncover blind spots

•  Federated cloud SSO •  Connectors to

popular cloud apps •  Simplified

access controls •  Self-service catalogs •  Delegated administration

•  User activity and traffic monitoring

•  Behavioral analysis and correlation to company policies

•  Alerting, reporting, and auditing

•  Intrusion Prevention and global threat intelligence from IBM X-Force

•  Threat signatures, network analysis, and zero-day threat protection

•  User coaching •  Redirection for

out-of-policy usage •  Policy and anomaly

rule implementation

Identity and Access Control

Threat Prevention

Policy Enforcement

Discovery and Visibility

Cloud Event Correlation

DETECT CONNECT PROTECT

4 © 2015 IBM Corporation

IBM Cloud Security Enforcer – Discovery and monitoring

Microsoft Active Directory

Enterprise

Cloud, SaaS, & Private Applications

Secure Gateway

. . . (plus many more)

- Users authenticate against Active Directory

- All Cloud, SaaS & Private Applications traffic is logged by the Secure Gateway (e.g., Bluecoat, WebSense, McAfee, XGS … etc)

- Active Directory, Secure Gateway logs can be manually uploaded to IBM Cloud Security Enforcer or an appliance can be deployed to continually upload them automatically on a scheduled basis

Enterprise Bridge Appliance Log

Collection ID

Bridge Directory

Sync

IBM Cloud Security Enforcer Application Discovery

Optional SIEM (or other

log archiving)

5 © 2015 IBM Corporation

IBM Cloud Security Enforcer – World Wide Mobile Cloud Proxy

Home WiFi / Cellular Data Network

Cloud, SaaS, & Private Applications

. . . (plus many more)

- Users use mobile device at the office and out of the office via their home WiFi or cellular data networks.

- This creates a ‘mobile blind spot’ for most corporations.

- Without a secure gateway or IPS there is a risk of malware being downloaded or other threats.

- Leveraging the built-in mobile VPN clients we will direct traffic to our WW deployments of Cloud Proxies to inspect, monitor, and provide controls on the traffic.

IBM Cloud Security Enforcer

World Wide Mobile Cloud Proxy Client Gateway

[VPN] Intrusion Prevention

System

6 © 2015 IBM Corporation

Live Walkthrough Discovery and Visibility

7 © 2015 IBM Corporation

IBM Cloud Security Enforcer – Single Sign-On & Launchpad

Microsoft Active Directory

Enterprise

Cloud, SaaS, & Private Applications

Secure Gateway

. . . (plus many more)

- SSO from either the Enterprise Bridge Identity Bridge component or via a federation product (TFIM, ADFS or Ping)

- User arrives at launch pad and can single click on an entitled application or browser application catalog

Enterprise Bridge Appliance Log

Collection ID

Bridge Directory

Sync

IBM Cloud Security Enforcer

Launchpad & Catalog

SSO [Service Provider]

SSO [Identity Provider]

FIM (or

federation product)

Optional

8 © 2015 IBM Corporation

Live Walkthrough Single Sign-on & Access Control