Inaugural edition of the weekly Symantec Cyber Security topics and events. This week’s edition is primarily focused on Cloud Security and 3 organizations transforming the world as we know it.
I’m Eric Andrews . . . .
And on stage with me is Leeron . . .. (over 1 year)
Organizations are seeing a greater amount of content migrating to cloud apps and services
And this content is being accessed by a variety of devices: laptops, mobile, etc. This communication is often direct-to-net, not hairpinning back to HQ through the traditional security stack, creating a blind spot.
Even when you’ve adopted a sanctioned app, it is hard to track how your users are using this app and what type of content they are sharing. We call this problem Shadow Data.
Finally, with thousands of credentials floating around in your organization, an increasing concern is how a compromise of any one of these accounts may lead to a costly data breach.
Describe solution
Describe differentiation, best in class, data science, UI
We provide a range of solutions to address these challenges, including visibility of Shadow IT, Granular controls, and monitoring of user accounts to prevent compromised credentials.
All of these solutions come bundled in an elegant platform, often referred to as the best UI in the industry, even by our competitors.
====
Most important point is not that Skyhigh said this, but that it is coming directly from customers. We hear it, but they are hearing it too. Note Skyhigh had nasty things to say too.
Not just pretty looking, but functional. Well thought out. Designed to accommodate workflows that real users want.
Netskope has lots of information, but clunky UI, no workflows, not thought through. Skyhigh challenging to navigate.
Video
Block web threats & ATP C/C
Feed documents to sandbox
Enforce security policy
Blue Coat has a fully meshed and redundant infrastructure spanning 6 continents with over 40 data centers.
With many years and strong investment, Blue Coat offers Core sites shown here with an asterisk.
These sites have 10GB throughput capacity already in place and infrastructure in place to allow 4x expansion.
All Blue Coat data centers are accessible by all Blue Coat Cloud customers – unlike other vendors, we don’t advertise (or have) any data centers that are not available to all customers.
Another critical requirement for an enterprise-grade service and supporting infrastructure is the ISO 27001 and SSAE16 certifications, which Blue Coat holds for all of its data centers, infrastructure, controls and processes. We also require that all of our tier 1 hosting partners carry the same certifications.
Other vendors will advertise global presence and data centers, but these can typically be racks sitting in an SE’s basement.
Blue Coat stands behind its secure and scalable global infrastructure
If you get a question around data privacy.
Arch: store data within region. separation.
Config: dc primary/ backup
Access control: ssae16/ iso27001
Architecture for Content Inspection, Tool Integration & Policy Control
This slide gives a quick overview of the process.
Assume this is an HR app where First Name and Last Name fields have been designated to be tokenized via the policies the enterprise has defined.
When a user enters a record for Brian Shaw, the record transaction gets intercepted by the CDP gateway and a replacement token is generated for both fields.
The replacement values are:
What gets sent to the cloud application for storage and processing
Stored locally in a CDP database to be used to bring information back into the clear when authorized users access the ServiceNow instance via the gateway
End users can still use the data as if it was actually stored in the cloud. For example, they can search and sort on data that has been encrypted or tokenized.
There are three high-level steps an enterprise takes when using CDP
The 1st step is determining what data elements need the additional protection. For example, a healthcare provider may choose to encrypt the handful of fields in their customer service cloud application that are governed by HIPAA.
Once the data protection requirements are defined, a security analyst uses the application’s admin console to write the policies that need to be enforced. It’s a point and click exercise: tokenize this field, encrypt all attachments, etc.
From there the policies are deployed into a run-time environment in the CDP gateway server, where the data protection policies are enforced in real time.
One final point – the end users of the cloud application maintain application functionality. For instance, they can perform searches and send e-mails on data that has been tokenized.
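The tokenization flow and policy-driven enforcement described above, sketched as an added example (not Symantec's code and not part of the original deck): a gateway replaces policy-designated fields with random tokens, keeps the mapping in a local vault, and restores cleartext only for authorized users. The class and method names, the `tok_` token format and the second sample record are assumptions for illustration; only equality search is shown, and sorting on protected fields is not covered.

```python
import secrets

class TokenVault:
    """Local vault: the only place where cleartext and tokens are linked."""
    def __init__(self):
        self._token_for = {}   # (field, cleartext) -> token
        self._clear_for = {}   # token -> cleartext

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._token_for:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._token_for[key] = token
            self._clear_for[token] = value
        return self._token_for[key]

    def lookup(self, field, value):
        return self._token_for.get((field, value))  # None if never tokenized

    def detokenize(self, token):
        return self._clear_for.get(token, token)

class Gateway:
    def __init__(self, policy, vault):
        self.policy, self.vault = set(policy), vault  # policy: fields to tokenize

    def outbound(self, record):
        """What is sent to the cloud app: protected fields replaced by tokens."""
        return {f: self.vault.tokenize(f, v) if f in self.policy else v
                for f, v in record.items()}

    def inbound(self, record, authorized):
        """What a user sees: cleartext only for authorized users via the gateway."""
        if not authorized:
            return dict(record)
        return {f: self.vault.detokenize(v) if f in self.policy else v
                for f, v in record.items()}

    def search_term(self, field, value):
        """Rewrite an equality search so the cloud app matches on the token."""
        return self.vault.lookup(field, value) if field in self.policy else value

def demo():
    gw = Gateway({"first_name", "last_name"}, TokenVault())
    cloud_rows = [gw.outbound(r) for r in (   # constructed sample records
        {"first_name": "Brian", "last_name": "Shaw", "dept": "HR"},
        {"first_name": "Ana", "last_name": "Lopez", "dept": "IT"})]
    term = gw.search_term("last_name", "Shaw")
    hits = [row for row in cloud_rows if row["last_name"] == term]
    return cloud_rows, [gw.inbound(h, authorized=True) for h in hits]
```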
Here is an interesting way to illustrate the concept.
Imagine that data has been put up in your ServiceNow instance and you have some policies in place with CDP that protect various fields and attachments.
If any unauthorized users got a look at that data directly in the cloud, all they would see is meaningless replacement values.
But now look at that same screen when viewed by authorized users accessing the cloud org via the Symantec Cloud Data Protection gateway. They see everything in the clear and have full usability of the cloud app.
This critical capability opens up a whole host of new powerful cloud application use cases for the enterprise, since it ensures that regulated data uniquely remains in the hands of the enterprise at all times (at-rest and in-use in the cloud). And the enterprise maintains full physical control over encryption keys and token vaults.
Note: Cloud provider-based solutions have two critical flaws: (1) they only encrypt data while at rest, so it is fully exposed during processing in the cloud app; (2) the encryption/decryption occurs in the cloud app, so the keys, at some point, need to be in the app provider’s infrastructure.
Traditionally, 2FA addresses something you know, have and are.
With VIP and added features, you can eliminate the dependency on something you know (UN/PW), and simply rely on something you have (phone) and something you are (fingerprint).
The foundation of an authentication platform is access control – to make sure only the right person can access your network. And it creates a central control point to manage your users, set up your policies, and monitor your apps.
Symantec VIP Access Manager is an Enterprise Grade cloud security access control platform, which leverages existing user directories and allows internal/external users to single sign-on to preconfigured web applications based on policy settings.
On the one hand, it helps reduce IT burden since IT can use a single console to monitor and control all the access points. On the other hand, it helps improve user experience – with just one password, you can access all your applications.
End with why VIP is the clear choice. Use this slide as more than just 3 reasons to use VIP; help quantify the reasons.
Refer to the appendix and slide on “IS RSA WORTH THE COST?” where we quantify a 33% savings using VIP, which ties back to EASY TO DEPLOY.
The mobile app is not only free but easy and convenient for the user, which ties back to EASY TO USE. You may be able to quantify ease of use by reducing PW resets, which are about $70/call, or the cost of hardware.
Integration to a variety of use cases so investment in VIP can give you return with integration with consumer app (CDK), cloud apps (SSO) and network VPN (Radius), so rather than having separate solutions and vendors for each of the use cases, you have one to deliver all these!
---------------------------------------
Easy to deploy with zero backend infrastructure or hardware cost (given the solution is cloud based and credential options can be mobile, which is free).
Easy to use, whereby users can simply leverage their mobile device as a credential and simply use their fingerprint or accept a push notification for authentication.
Easy to integrate where your investment can extend to different use cases such as SSO, VPN, B2C applications, etc.
------
Provide strong authentication and easy access for employees, partners and customers to corporate networks and applications from any device or location while complying with regulations, reducing risks to corporate assets, and keeping infrastructure costs low.
Get the latest software without updates and upgrades – always relevant to protect you against attacks and provide the latest and greatest.