Office 365 is widely adopted but its native security is limited. While cloud apps provide benefits, they also increase risks like lack of visibility, easy external sharing, and access from unmanaged devices. A cloud access security broker (CASB) can address these risks with a more holistic, data-centric approach through features like real-time data protection across all apps and devices, user behavior analytics, and centralized identity management. This provides stronger security for organizations using cloud apps like Office 365 than relying solely on native app security controls.

1. CASBs and Office 365
the security menace

2. STORYBOARDS
office 365 is the leading SaaS productivity suite:
deployed in over a third of organizations, office 365 is
2015
google apps
office 365
other
16.3%
7.7%
76%
22.8%
25.2%
52%
40.7%
24.5%
34.8%
2016

3. STORYBOARDS
the traditional
approach to
security is
inadequate

4. STORYBOARDS
the dark side:
enterprises can’t rely solely on native app security
enterprise
(CASB)
end-user devices
visibility & analytics
data protection
identity & access control
application
storage
servers
network
4

5. STORYBOARDS
cloud security menaces
benefits outweigh drawbacks, but risks remain
■ Lack of visibility and control over
sensitive data
■ Difficult to identify malicious activity
■ Easy external sharing can result in
unauthorized access
■ Cloud extends access to risky
unmanaged devices

6. poll:
what are your
office 365
migration plans?

7. STORYBOARDS
components
of o365
security
identity
cloud
access
mobile

8. STORYBOARDS
cloud:
not a trap if adequately secured
■ External sharing opens the door to
unintended leaks
○ API-based controls can restrict sharing
of sensitive data
■ User behavior analytics, logging
○ Little in-app visibility, no cross-app
visibility
○ Third-party solutions are built with

9. STORYBOARDS
access:
native security provides limited visibility
■ More access, greater risk of data leakage
○ Granular access controls can limit risky
access
○ Allow/block is not sufficient
■ DLP is critical to securing sensitive data in
risky contexts
○ Complete security solutions should be

10. STORYBOARDS
mobile:
fear of unmanaged devices is a path to the dark side
■ Employees have rejected MDM and MAM
■ IT must securely enable access to
frequently used apps
■ Allow different levels of mobile access
based on device type, user, etc.

11. STORYBOARDS
identity:
centralized identity management will be with you always
■ Cloud app identity management should
maintain the best practices of on-prem
identity
■ O365 can identify some but not all high-
risk logins
■ Prevent use of compromised credentials
with cross-app IAM, step-up MFA

12. STORYBOARDS
office 365 native dlp:
this is not the dlp you’re looking for
■ BYOD blindspot - O365 DLP focused on data at
rest.
■ High operational overhead - Complex to
configure.
■ Difficult deployment - OneDrive DLP requires
Office 2016.
■ High cost - Must have top of the line license.
■ Point solution - Support focused on O365, what

13. poll:
which of the
following security
functions is
most critical?

14. STORYBOARDS
casbs uniquely
strike the balance
between agility and
security
data protection
for all user
devices –
managed and
unmanaged
fast and
flexible
agentless
deployments
future
proof and
adaptable

15. STORYBOARDS
casb security:
a data-centric approach
o365 requires a new force, a new security
architecture
■ Cross-device, cross-application agentless
data security
■ Real-time data protection
■ Limit high-risk activities like external file
sharing, unmanaged access
■ User behavior analytics

16. STORYBOARD
how casb security works
reverse proxy
■ unmanaged device controls without agents
forward proxy
■ managed devices controls
activesync proxy
■ secure email, calendar, etc on any mobile device
■ device level security - wipe, encryption, PIN etc

17. STORYBOARDS
casb identity
centralized identity management is key in securing data
■ CASBs offer integrated identity
management across apps
■ Limit potential breaches with step-up
multifactor auth for high risk logins

18. STORYBOARDS
managed
devices
application access mode data protection
unmanaged
devices &
mobiles
in the cloud
● profile-agent
● VPN+IP-restriction
● DLP/DRM/encryption
● Device controls, e.g PIN
● Agentless Selective wipe
● Client apps: allow/block
● OneDrive
● Sharepoint
● API
● Quarantine DLP
● Block external shares
● Alert on DLP events
office 365 use case:
real-time inline data protection on any device
Legacy Auth Apps
e.g Office 2010
● Full access
Modern Auth Apps
e.g Office 2013+
● profile agent
● VPN+IP-restriction
● certificates
● Full access
● Browser
● ActiveSync Mail
● Client apps
● Reverse-proxy + AJAX-VM
● ActiveSync Proxy
18

19. STORYBOARDS
challenge
■ Ensure OneDrive usage is HIPAA-compliant
■ Prevent leakage of PII and PHI
■ Maintain end user privacy
■ Enforce data security policies on managed and
unmanaged devices
solution
■ Real-time inline data protection on any device
■ Block downloads of PHI and PII to unmanaged
devices
■ Agentless BYOD with selective wipe
■ Ability to support future enterprise-wide SaaS
deployments
19
180,000
users
secure office
365 + byod
healthcare
giant

20. STORYBOARDS
secure
salesforce +
office 365
20
■ $6T in assets
■ Subject to GLB, PCI-DSS, privacy laws that vary
by region
challenge
■ Reduce risk presented by enterprise-wide
Salesforce and Office 365 migration
■ Control Salesforce data residency
solution
■ Maintenance of full Salesforce frontend and
backend functionality
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Bidirectional remediation of customer PII and
PIFI in Sharepoint and Yammer
financial
services
giant

21. STORYBOARDS
about
bitglass
total
data
protection
outside the firewall est. jan
2013
tier 1
VCs
21
200+
customers

22. STORYBOARDS
trusted
by the
Global
2000
financial
services
22
healthcare manufacturing
and more...

23. resources:
more info about office 365 security
■ whitepaper: definitive guide to casbs
■ case study: fortune 100 healthcare firm secures o365
■ video: securing office 365

24. STORYBOARDS
bitglass.com
@bitglass