MITIGATING THE TOP 5 CLOUD SECURITY THREATS
Shalmali Rajadhyax, Product Manager, Bitglass
28 February 2017
• Audio is streamed over your computer
• Dial-in numbers and codes are on the left
To receive your CPE credit:
1. Complete 3 checkpoints
- or -
2. Watch the recorded version from the beginning to the very end
• Don’t forget to take the survey!
Use the Papers tab to find the following:
• PDF copy of today’s presentation
• CPE job aid
• Have a question for the speaker? Access the Q&A tab
• Technical issues? Access the Help tab
• Questions or suggestions? Visit https://support.isaca.org
TODAY’S SPEAKER
Shalmali Rajadhyax
Product Manager
Bitglass, Inc.
ENTERPRISE VS APP VENDOR SECURITY RESPONSIBILITIES: The data blind spot
The app vendor secures the application stack; the enterprise remains responsible for its data and for the devices and identities that access it.
Enterprise (CASB):
• end-user devices
• visibility & analytics
• data protection
• identity & access control
App vendor:
• application
• storage
• servers
• network
POLL: How are you securing data in your organization?
1. DLP
2. Firewall
3. Proxy-based solution
4. Device management
1: EXTERNAL SHARING
• Made easier by cloud apps
• Can result in costly leaks of PCI and PII data
• The challenge is to enable sharing while maintaining control over sensitive data
LIMIT EXTERNAL SHARING WITH A CASB: Cloud access security brokers as the control point
• Cloud app APIs expose sharing settings, so a CASB can see and change who a file is shared with
• How can enterprises know what content to block, what to limit and what to allow?
• Robust cloud DLP solutions are context and content aware: the decision depends both on what is in the file and on who it is being shared with
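The content-plus-context decision described above, as an added example written for this page (it is not Bitglass code and does not call any cloud vendor's API). The `Share` record, the corporate domain `example.com`, the partner list and the sample file contents are constructed for the example; a CASB would obtain the same inputs from the cloud app's sharing API and push the resulting allow/limit/block decision back through it.

```python
"""Content- and context-aware checks for an external share (added for this page;
not Bitglass code or a cloud vendor's API).

The shares, file contents, corporate domain and partner list are constructed
for the example. A CASB would obtain the same inputs from the cloud app's
sharing API and push the resulting decision back through it.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 layout, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

CORP_DOMAIN = "example.com"                 # assumed corporate domain
PARTNER_DOMAINS = {"partner.example.net"}   # assumed approved external domains

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from order numbers and other digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_content(text: str) -> set[str]:
    """Content inspection: which sensitive data classes appear in the file."""
    labels: set[str] = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
            break
    if SSN_RE.search(text):
        labels.add("PII-SSN")
    return labels

@dataclass
class Share:
    file_name: str
    owner: str
    scope: str                      # 'internal', 'external-named' or 'anyone-with-link'
    recipients: list[str] = field(default_factory=list)

def decide_share(share: Share, content: str) -> tuple[str, str]:
    """Context (who, how) plus content (what) -> ('allow' | 'limit' | 'block', reason)."""
    labels = classify_content(content)
    external = [r for r in share.recipients if not r.lower().endswith("@" + CORP_DOMAIN)]
    if share.scope == "internal" and not external:
        return "allow", "internal share"
    if share.scope == "anyone-with-link":
        if labels:
            return "block", f"public link to {sorted(labels)} content"
        return "limit", "public link: view-only, expire after 7 days"
    if "PCI" in labels:
        return "block", "cardholder data may not be shared outside the organisation"
    unapproved = [r for r in external if r.split("@")[-1].lower() not in PARTNER_DOMAINS]
    if labels and unapproved:
        return "block", f"{sorted(labels)} shared with unapproved recipients {unapproved}"
    if labels:
        return "limit", f"{sorted(labels)} to approved partner: view-only, no download"
    return "allow", "no sensitive content detected"

# Constructed sample shares and file contents (not real data).
SAMPLES = [
    (Share("cardholder-export.csv", "alice@example.com", "external-named",
           ["bob@partner.example.net"]), "Alice,4111 1111 1111 1111,12/27"),
    (Share("hr-roster.xlsx", "alice@example.com", "anyone-with-link"), "Jane Doe,123-45-6789"),
    (Share("project-plan.docx", "alice@example.com", "external-named",
           ["bob@partner.example.net"]), "Milestones for order #1234567890123"),
    (Share("hr-roster.xlsx", "alice@example.com", "external-named",
           ["bob@partner.example.net"]), "Jane Doe,123-45-6789"),
    (Share("hr-roster.xlsx", "alice@example.com", "external-named",
           ["eve@mail.example.org"]), "Jane Doe,123-45-6789"),
    (Share("notes.txt", "alice@example.com", "internal"), "Jane Doe,123-45-6789"),
]

def run_samples() -> list[str]:
    """Actions for SAMPLES in order."""
    return [decide_share(s, c)[0] for s, c in SAMPLES]

if __name__ == "__main__":
    for (share, content), action in zip(SAMPLES, run_samples()):
        print(f"{share.file_name:24} {share.scope:16} -> {action}")
```

The same SSN in the same spreadsheet gets three different answers (limit to an approved partner, block to an unapproved domain, allow internally), which is the point of combining context with content: a pattern match alone cannot tell you what to do. The Luhn check is what keeps a 13-digit order number from being treated as a card number.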
2: COMPROMISED CREDENTIALS
• Privileged users, among others, have access to all corporate data, so a single stolen password can expose all of it
• Orgs need a means to identify risky logins
• Cloud apps have made identity a critical piece of the security puzzle
INTEGRATED IDENTITY MANAGEMENT: Centralized identity is key to securing data
• CASBs offer integrated identity management across apps
• Limit potential breaches with step-up multi-factor auth for high-risk logins
3: LOST AND STOLEN DEVICES
• A leading cause of data breaches
• BYOD/unmanaged devices pose a new threat: corporate data on hardware IT does not control
4: UNMANAGED DEVICE ACCESS
• IT must enable secure access to cloud apps from any device
• BYOD devices pose a threat to data security because IT loses visibility and control once data has been downloaded to them
• CASBs accommodate user BYOD demands and IT security needs without agents
5: UNSANCTIONED APPS
• Blocking access outright forces employees to work around IT
• The first step is discovering Shadow IT usage
• Technical controls like firewalls and proxies are effective
• Written policies alone aren’t as effective
IDENTIFY UNSANCTIONED APPS WITH CASB DISCOVERY: Gain visibility into your org’s cloud usage
• Understand risk profiles of frequently used apps
• Intelligent, time-saving alerts out of the box
• UEBA enables IT to proactively identify threats
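What "discovery" looks like at the log level, as an added example written for this page rather than any vendor's discovery product. It parses proxy log lines (a constructed key=value format, not a real proxy's output), aggregates traffic to destinations outside an assumed sanctioned-app set, ranks them by data uploaded, raises an out-of-the-box style alert for high-risk destinations, and adds a simple UEBA-style check for users whose uploads are far above their peers. The sanctioned set, the risk catalogue and the thresholds are assumptions for the example.

```python
"""Shadow IT discovery over proxy logs (added for this page; not a vendor product).

The log lines are constructed samples in an assumed key=value format; the
sanctioned-app set, the risk catalogue and the thresholds are assumptions
for the example, not published ratings.
"""
from __future__ import annotations
import re
import statistics
from dataclasses import dataclass, field

# Constructed sample of outbound proxy events (not real traffic).
PROXY_LOG = """\
2017-02-28T09:12:01Z user=alice dst=drive.google.com bytes_out=20480 bytes_in=5120 action=ALLOW
2017-02-28T09:13:10Z user=alice dst=files.sharing-example.net bytes_out=52428800 bytes_in=2048 action=ALLOW
2017-02-28T09:15:44Z user=bob dst=outlook.office365.com bytes_out=4096 bytes_in=65536 action=ALLOW
2017-02-28T09:20:02Z user=bob dst=files.sharing-example.net bytes_out=10485760 bytes_in=1024 action=ALLOW
2017-02-28T09:31:27Z user=carol dst=paste.example.org bytes_out=8192 bytes_in=512 action=ALLOW
2017-02-28T09:40:00Z user=dave dst=torrent.example.net bytes_out=1048576 bytes_in=1048576 action=DENY
2017-02-28T10:02:13Z user=erin dst=files.sharing-example.net bytes_out=31457280 bytes_in=4096 action=ALLOW
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+) action=(?P<action>\S+)$"
)

SANCTIONED = {"drive.google.com", "outlook.office365.com"}  # assumed approved apps

# Assumed risk catalogue; a product would derive this from app attributes
# (certifications, data residency, breach history, ...).
APP_RISK = {
    "files.sharing-example.net": ("high", "anonymous file sharing, no enterprise controls"),
    "paste.example.org": ("high", "public paste site"),
    "torrent.example.net": ("high", "peer-to-peer file transfer"),
}

@dataclass
class AppUsage:
    dst: str
    users: set[str] = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0
    denied: int = 0

def parse_log(text: str) -> list[dict[str, str]]:
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line))]

def discover_unsanctioned(events: list[dict[str, str]]) -> list[AppUsage]:
    """Aggregate traffic to destinations outside the sanctioned set."""
    by_dst: dict[str, AppUsage] = {}
    for e in events:
        if e["dst"] in SANCTIONED:
            continue
        u = by_dst.setdefault(e["dst"], AppUsage(e["dst"]))
        u.users.add(e["user"])
        u.bytes_out += int(e["out"])
        u.bytes_in += int(e["in"])
        if e["action"] == "DENY":
            u.denied += 1
    # Rank by data leaving the organisation, then by how many people use it.
    return sorted(by_dst.values(), key=lambda u: (u.bytes_out, len(u.users)), reverse=True)

def alerts(usage: list[AppUsage], upload_threshold: int = 10 * 2**20) -> list[str]:
    """Out-of-the-box alert: high-risk destination with significant upload volume."""
    out = []
    for u in usage:
        risk, reason = APP_RISK.get(u.dst, ("unknown", "not in catalogue"))
        if risk == "high" and u.bytes_out >= upload_threshold:
            out.append(f"{u.dst}: {u.bytes_out // 2**20} MiB uploaded by "
                       f"{len(u.users)} user(s); {reason}")
    return out

def upload_outliers(events: list[dict[str, str]], factor: float = 3.0) -> list[str]:
    """UEBA-style check: users whose upload volume to unsanctioned apps exceeds
    `factor` times the median across all users."""
    per_user: dict[str, int] = {}
    for e in events:
        if e["dst"] not in SANCTIONED:
            per_user[e["user"]] = per_user.get(e["user"], 0) + int(e["out"])
    if not per_user:
        return []
    median = statistics.median(per_user.values())
    return sorted(u for u, b in per_user.items() if b > factor * median)

if __name__ == "__main__":
    ev = parse_log(PROXY_LOG)
    usage = discover_unsanctioned(ev)
    for u in usage:
        print(f"{u.dst:28} users={len(u.users)} out={u.bytes_out} denied={u.denied}")
    print(alerts(usage))
    print(upload_outliers(ev))
```

Note what the ranking surfaces: the file-sharing site is used by three people and carries 90 MiB of uploads while never being denied, whereas the one destination the firewall did block moved a single megabyte. A block list catches what you already know about; discovery is for the rest.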
TOP THREATS:
1. External sharing
   • Use API-based controls and DLP to identify and limit sharing of sensitive data
2. Compromised credentials
   • Cross-app identity solutions can force step-up auth in risky contexts
3. Lost and stolen devices
   • Choose a solution that protects data on all devices, managed and unmanaged
4. Unmanaged device access
   • Routing users through a proxy can provide secure access
5. Unsanctioned applications
   • Identify risky destinations without complex setup
POLL: What are your CASB deployment plans?
1. ….
2. ….
3. ….
4. ….
CASB SECURITY: A data-centric approach
• Cloud data doesn’t exist only “in the cloud”
• IT must protect data at access and on any device
  o Granular DLP
  o Context-aware: distinguish between users, device type and more
  o Device controls on mobile
HOW CASB SECURITY WORKS
API
• Visibility + control over sharing
Reverse proxy
• Unmanaged device controls without agents
ActiveSync proxy
• Secure email, calendar, etc. on any mobile device
• Device-level security: wipe, encryption, PIN, etc.
TYPICAL USE CASE: Hybrid CASBs provide real-time protection on any device

Tier                     | Application access                        | Access control                                                                   | Data protection
-------------------------|-------------------------------------------|----------------------------------------------------------------------------------|--------------------------------------------
Managed devices          | Forward proxy; ActiveSync proxy           | Device Profile: Pass -> email, browser, OneDrive sync, full access               | DLP/DRM/encryption; device controls
Unmanaged devices / BYOD | Reverse proxy + AJAX VM; ActiveSync proxy | Device Profile: Fail -> mobile email and browser only, contextual multi-factor auth | DLP/DRM/encryption; device controls
In the cloud             | API control                               | External sharing blocked                                                         | Block external shares; alert on DLP events
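The two decisions the deck keeps coming back to, step-up multi-factor auth for risky logins (the compromised-credentials slides) and the Device Profile pass/fail routing in the use case above, combined into one contextual access policy. This is an added example written for this page, not Bitglass's policy engine or any identity provider's API. The `Device`, `Login` and `UserHistory` records, the posture checks, the risk weights and the sample logins are all constructed for the example; a reverse proxy or IdP would evaluate something of this shape on every new session.

```python
"""Contextual access decision for a cloud-app login (added for this page;
not a vendor policy engine). All records, weights and sample logins are
constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Device:
    managed: bool = False       # MDM-enrolled / carries a corporate certificate
    os_patched: bool = False
    disk_encrypted: bool = False
    jailbroken: bool = False

@dataclass
class Login:
    user: str
    ts: datetime
    country: str
    ip: str
    device: Device
    privileged: bool = False

@dataclass
class UserHistory:
    known_ips: set[str] = field(default_factory=set)
    last_login: Login | None = None

def device_profile_passes(d: Device) -> bool:
    """'Device Profile: Pass' = managed, patched, encrypted, not jailbroken."""
    return d.managed and d.os_patched and d.disk_encrypted and not d.jailbroken

def login_risk(login: Login, hist: UserHistory) -> tuple[int, list[str]]:
    """Additive risk score with reasons. Weights are assumptions for the example."""
    score, reasons = 0, []
    if login.ip not in hist.known_ips:
        score += 2
        reasons.append("new source IP")
    prev = hist.last_login
    if prev is not None and prev.country != login.country:
        if login.ts - prev.ts < timedelta(hours=2):
            score += 5
            reasons.append(f"impossible travel {prev.country}->{login.country}")
        else:
            score += 2
            reasons.append("new country")
    if login.privileged:
        score += 2
        reasons.append("privileged account")
    return score, reasons

def decide(login: Login, hist: UserHistory) -> dict:
    """Combine device posture and login risk into an access decision."""
    score, reasons = login_risk(login, hist)
    if score >= 5:
        return {"tier": "block", "mfa": False, "path": None, "controls": [], "reasons": reasons}
    mfa = score >= 2                        # step-up MFA for risky logins
    if device_profile_passes(login.device):
        return {"tier": "step_up" if mfa else "full", "mfa": mfa,
                "path": "forward_proxy",    # email, browser, sync client
                "controls": ["device_pin", "remote_wipe"], "reasons": reasons}
    # Unmanaged / BYOD: agentless reverse proxy, data never lands unprotected.
    return {"tier": "step_up_restricted" if mfa else "restricted", "mfa": mfa,
            "path": "reverse_proxy",        # browser + ActiveSync mobile email only
            "controls": ["block_sync_client", "inline_dlp", "drm_on_download"],
            "reasons": reasons}

def record(hist: UserHistory, login: Login) -> None:
    """Update history after a session that was not blocked."""
    hist.known_ips.add(login.ip)
    hist.last_login = login

# Constructed sample logins (not real data).
T0 = datetime(2017, 2, 28, 9, 0)
GOOD = Device(managed=True, os_patched=True, disk_encrypted=True)
BYOD = Device(managed=False, os_patched=True, disk_encrypted=False)

def run_samples() -> list[str]:
    alice = UserHistory(known_ips={"203.0.113.10"},
                        last_login=Login("alice", T0 - timedelta(days=1), "US", "203.0.113.10", GOOD))
    bob = UserHistory(known_ips={"203.0.113.20"})
    carol = UserHistory(known_ips={"203.0.113.30"},
                        last_login=Login("carol", T0, "US", "203.0.113.30", GOOD))
    samples = [
        (Login("alice", T0, "US", "203.0.113.10", GOOD), alice),                            # full
        (Login("alice", T0, "US", "203.0.113.10", BYOD), alice),                            # restricted
        (Login("bob", T0, "US", "198.51.100.7", GOOD, privileged=True), bob),               # step_up
        (Login("carol", T0 + timedelta(minutes=30), "BR", "198.51.100.9", GOOD), carol),    # block
    ]
    tiers = []
    for login, hist in samples:
        d = decide(login, hist)
        if d["tier"] != "block":
            record(hist, login)
        tiers.append(d["tier"])
    return tiers

if __name__ == "__main__":
    print(run_samples())
```

The two axes are deliberately independent: a clean login from an unmanaged phone still lands on the reverse proxy with sync and unprotected download disabled, and a privileged admin on a compliant laptop still gets a second-factor prompt when the source IP is new. Only a score that cannot be explained by a legitimate user (here, two countries thirty minutes apart) is refused outright.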
CASE STUDIES

Secure Google Apps + BYOD
Challenge
■ Mitigate risks of Google Apps adoption
■ Control sensitive data stored in the cloud
■ Limit data access based on device risk level
■ Govern external sharing
Competition
■ Skyhigh, Netskope, Cloudlock, Elastica/Bluecoat
Solution
■ Real-time inline data protection on any device
■ API control of data in the cloud

Secure Salesforce + Office 365
Challenge
■ Needed a complete CASB for enterprise-wide migration to SaaS
■ Encryption of data at rest in Salesforce
■ Security for Office 365
Competition
■ Salesforce Shield, Skyhigh, Ciphercloud, Bluecoat Perspecsys, Netskope, Adallom
Solution
■ Searchable true encryption of data in Salesforce
■ Preserve SOQL API integrations
■ Full control of encryption keys
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed & unmanaged devices (Omni)
■ API control in the cloud
■ Discover breaches & Shadow IT

Secure Office 365 + BYOD (180,000 seats)
Challenge
■ HIPAA-compliant cloud and mobile
■ Controlled access to Office 365 from managed & unmanaged devices
■ Control external sharing
■ Real-time inline data protection
■ No agents on devices
■ Transparency, usability & privacy
Competition
■ Skyhigh, Netskope, Adallom
Solution
■ Real-time inline protection on any device
■ Contextual access control on managed & unmanaged devices (Omni)
■ Real-time DLP on any device
■ API control in the cloud
■ Agentless BYOD with selective wipe
■ Enterprise-wide for all SaaS apps

Our mission: total data protection
Trusted at over 100 enterprises & more: financial services, manufacturing, healthcare
bitglass.com
@bitglass
Questions?
THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED IN DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR
For more information, visit www.ISACA.org
