The document outlines ten essential tips for successful Cloud Access Security Broker (CASB) projects, emphasizing the importance of operationalizing cloud app security and continuous monitoring. Key recommendations include leveraging intelligent access controls, deploying data loss prevention (DLP) strategies, and ensuring comprehensive coverage of cloud application suites. It also underscores the need for automated protection and good cloud hygiene to safeguard sensitive data and mitigate risks associated with cloud services.

1. Tips for Successful CASB Projects
Eric Andrews
VP Cloud Security, Symantec

2. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY 2
IaaS/PaaSSaaSMobile
Cloud
Control
Enterprise
Mobile/BYOD/PublicWifi
CASB
Data Security
Threat Protection
Visibility
Understand & Monitor RiskExposure Across
PublicCloud Apps & Infrastructure
Govern Access to Critical Data,Extend
Protections Against Breach
Protect Against Threats,Detect,Investigate,
and Remediate Incidents

3. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Operationalize Cloud App Security
3
Tip #1

4. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Ongoing Monitoring of Cloud App Usage
4

5. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Consider the Impact of Mobile
5
Tip #2

6. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Cloud Service: Server-side App
Shadow IT is more than Cloud Apps
Cloud Service: Mobile App
6
No correspondingserver-side app
Track usage & find out how many mobile app
licenses you really need to pay for
Discovery & risk analysis of an otherwise
unmonitored app

7. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Other Mobile Considerations
• Monitoring and controlling cloud app activity from
mobile devices via APIs or inline gateways
• Support for native apps, like Salesforce or Box on
your mobile device
• Dependency on MDM solutions to provide cloud
app governance
• Conditional access based on security posture of
the device
7

8. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Leverage Intelligent Access Controls
8
Tip #3

9. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
SSO
Integration
9
CASB

10. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Adaptive
Authentication
10
Dynamically step up authentication based
on real time risk conditions in the network
CASB

11. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Cover your Bases
11
Tip #4

12. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Inline Gateway (Forward or Reverse
Proxy), real-time enforcement
Control Points for Cloud App Security
API’s for Sanctioned Apps Consider traffic engineering &
breadth of coverage
12
SaaS/PaaS/IaaS

13. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Web
Security
Service
Tightly coupled SWG and CASB
provides many benefits
DeployingWeb & Cloud App Security
Automated traffic steering,
single agent, automated log
ingestion, common fabric
Don’t just Discover Shadow IT,
control it
13
SaaS/PaaS/IaaS
Wild Web/Internet

14. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Inline Coverage of Cloud Apps
14
Sanctioned Apps Unsanctioned Apps
Managed Devices
Forward Proxy/
Reverse Proxy
Forward
Proxy
Unmanaged Devices
Reverse Proxy N/A
Addresses unmanaged devices,but . . .
• Requires extensive URL rewriting
• Limited number of apps supported

15. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Mirror Gateway Executes & Renders App Sessions Remotely
A Third Approach: Mirror Gateway
UserDevice
User gestures
Transparent
Clientless
Rendering
100% safe
visual stream
Isolation Platform
Secure DisposableContainer
Render Execute Download
Any Device
Unmanaged,
BYOD
Secure
No app data
processed or
storedlocally
Any App
All browser
based apps
(no limit)
Robust
No URL rewrites,
impervious to SaaS
app changes
Granular Policy
CASB gateway provides
full threat protection,
DLP & app controls
CASBGateway
5

16. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Dig Deep Into Coverage of Cloud App Suites
16
Tip #5

17. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Office 365 is more than OneDrive
17
OneDrive
Email
Yammer
Sharepoint
Teams
o O365is morethan
OneDrive;thereare
many apps
o Any oftheseappscan
beconduitsofdata
sharing(e.g.,contentin
an email,ormessaging
someonethrough
Yammer)
o Needextensive
coverageofall
componentsGroups
OfficeOnline Apps
Dynamics
Azure

18. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
And G Suite is more than Drive
Drive
Sites Google Cloud Platform
Gmail
Calendar
Team Drive
Forms
Groups
Hangouts
Hangouts Meet
Hangouts Chat
Admin
Vault
Cloud Search
Contacts
18

19. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Don’t Skimp on DLP
19
Tip #6

20. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Govern Sensitive Data in the Cloud
20
o Identify&remediateriskyexposure
o Automaticallyclassifysensitive
contentflowingin/outofcloudapps
o Definegranularcontent-basedand
context-basedpolicies
o HarnessBest-in-classDLP
technology:machinelearning
trainingprofiles,contextualanalysis,
extensivebuilt-inlibraries,
fingerprinting,sensitiveimage
recognition
Govern Access to Critical Data, Extend Protections Against Breach

21. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Other Workflow
Integrations
DLP Enforce
Management
Console
Policies /
Incidents
DLP Console
CASB
Policies /
Incidents
WebIaaS
Separate Islands of DLP
21
(on-premise)
Response

22. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
(on-premises)
Other Workflow
Integrations
DLP Enforce
Management
Console
Policies /
Incidents
DLP Console
CASB
Policies /
Incidents
WebIaaS
ICAP
Limited Remediation. How do you unshare a link?
Wasted Bandwidth
and Increased Latency
Rerouting all cloud traffic
to on-premises DLP engine
What about ICAP?
22
Response

23. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
On-premises
DLP Detection
DLP Management
Extend fine-tuned policies
and workflows to cloud
Other
Integrations
Native cloud solution
Enhance DLP solution
with CASB insights
Seamless DLP
Across All Channels
23
CASB

24. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Vendors
Clients
Partners
Co-workers
o Dynamically encrypt based on
contentclassification
o Contentstaysencrypted,
regardlessof where it travels
o Granularcontrolof who can
access content
o Contentis beaconized and may
be revoked at any time
Access
Granted
Access
Denied
Revoke
File
ICE
VIP
Digital Rights Management
24
CASB

25. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Automate, Automate, Automate
25
Tip #7

26. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Automated Protection
26
o Session Hijacking
malwareor bots, screen scraping
o Account Takeover
phishingor socialengineering
leadsto stolen credentials
o MaliciousInsider
legitimateend user
doing badthings
o Data Exfiltration
Trackcomplexpatternsof data
exfiltration
UEBA& Threat Detection
o Dynamic Threat
Scorebased on
UEBA
o Not justthreshold
based, but
behavioral based
o Built-in and
Custom Sequence
Detectors
o Automatedbots to
triage security
incidents

27. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Practice Good Cloud Hygiene
27
Tip #8

28. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Advanced Threat Protection
• Scanall contentuploaded
and storedin cloud apps
• Avoid sync & share
distributionof malware
• Extend best-of-breed
advanced malware
protectionto cloud content
Malware
Protection
28
CASB

29. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Protect IaaS (It’s Not Just for SaaS)
29
Tip #9

30. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
IaaS/PaaS Security
30
IaaS/PaaS+ SaaS IaaS/PaaS
InfoSec DevSecOps
WithinIaaSEnvironment
API&Gateway OS Hardening
Anti-Malware
App Isolation
Malware Protection
DLP Scanning
AdminMonitoring and Control
UEBA Account Protection
Discover Shadow IaaS Accounts
ComputeStorage
ConfigurationMonitoring
Compliance Assurance
Malware Protection
DLP Scanning
StoragePosture
Custom App Monitoring
AdminApp
User Activity,PolicyEnforcement
Real Time File Integrity Mgmt
App Control

31. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Consider the Ecosystem
31
Tip #10

32. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
CASB 1.0
Empower your SWG
with automated
controls for 35K+ apps
Extend enterpriseDLP
policies to the cloud
with high performance
Encrypt sensitive data as it leaves the cloud,
and track where it goes
Apply best-in-class anti-
malware, reputation,
and sandboxingto
protect the cloud
Dynamically trigger 2FA
based on risky activity,
not just at login
Track roaming users
for Shadow IT analysis
& endpoint integration
Protect inbound and
outbound email and
messaging
ProxySG/WSS
DLP
ATP
ICE
SEP, SEP Mobile
Email Security.Cloud
VIP
32IntegratedCyberDefense
The Power of
Integrations

33. Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Top 10 Tips for Successful CASB Deployments
33
1. Operationalize Cloud App Security
2. Consider the Impact of Mobile
3. Leverage IntelligentAccess Controls
4. Cover your Bases
5. Dig Deep Into Coverage of Cloud App
Suites
6. Don’t Skimp on DLP
7. Automate, Automate, Automate
8. Practice Good Cloud Hygiene
9. Protect IaaS (It’s Not Just for SaaS)
10. Consider the Ecosystem

34. Thank You!