This document discusses security challenges with Office 365 adoption and the need for a Cloud Access Security Broker (CASB). It identifies four main security risks with Office 365: identity, access, mobile, and cloud. Native Office 365 security provides limited visibility and control. A CASB can provide cross-device, cross-application data security and real-time protection for Office 365 and other cloud apps. Case studies describe how CASBs help secure Office 365 for large healthcare and financial services firms by controlling access and sharing, and enforcing data loss prevention policies.

1. webinar
oct 12 2016
the four security
horsemen of the
office365 apocalypse

2. Ben Kepes
Technology Evangelist &
Journalist
@benkepes
Rich Campagna
VP, Products
Bitglass
@bitglass

3. STORYBOARDS
office 365 is the leading SaaS productivity suite:
no signs of slowing down
2014 2015
google apps
office 365
other
16.3%
7.7%
76%
22.8%
25.2%52%

4. poll:
what are your
office 365
adoption plans?

5. STORYBOARDS
a security balancing act:
empower users, maintain control
■ Visibility and control over corporate data in Office 365
■ Prevent unauthorized access
■ Limit external sharing
■ Restrict access on unmanaged devices
○ Managing OneDrive sync, access in risky contexts, more

6. STORYBOARDS
The real risk vector
■ In an increasing number of security
breaches, findings show that user
"error" is the root cause

7. STORYBOARDS
the four
security
horsemen
identityaccessmobilecloud

8. STORYBOARDS
cloud:
protect data-at-rest in o365
■ External sharing opens the door to
unintended leaks
○ API-based controls can restrict sharing
of sensitive data
■ Encryption, when needed
■ User behavior analytics, logging

9. STORYBOARDS
mobile:
protect cloud data sync’d to ANY device
■ Employees have rejected MDM and MAM
■ Protect data sync’d/downloaded to user
devices
■ Allow different levels of mobile access
based on device type, user, etc.

10. STORYBOARDS
access:
native security provides limited visibility
■ More access, greater risk of data leakage
○ Granular access controls can limit risky
access
■ DLP is critical to securing sensitive data in
risky contexts
○ Complete security solutions should be
content-aware, apply DLP at access

11. STORYBOARDS
identity:
centralized identity management is key to securing data
■ Cloud app identity management should
maintain the best practices of on-prem
identity
■ O365 can identify some but not all high-
risk logins
■ Prevent use of compromised credentials
with cross-app IAM, step-up MFA

12. STORYBOARDS
cloud apps can be secure:
but will they protect everything?
enterprise
(CASB)
end-user devices
visibility & analytics
data protection
identity & access control
application
storage
servers
network
12

13. STORYBOARDS
■ BYOD blindspot - O365 DLP is not geared toward protecting data on BYOD
■ High operational overhead - Complex to configure and maintain
■ Difficult deployment - Sharepoint/OneDrive DLP integration requires Office 2016
on PCs
■ High cost - Must have top of the line license
■ Point solution - Support focused on Office 365, what about other cloud apps?
office 365 native dlp:
complex, costly, and doesn’t work across apps

14. poll:
what cloud security
functions are most
important?

15. STORYBOARDS
benefits of using a casb
o365 requires a new security architecture
■ Cross-device, cross-application agentless
data security
■ Real-time data protection
■ Limit high-risk activities like external file
sharing, unmanaged access
■ User behavior analytics

16. STORYBOARDS
managed
devices
application access mode data protection
unmanaged
devices &
mobiles
in the cloud
● profile-agent
● VPN+IP-restriction
● DLP/DRM/encryption
● Device controls, e.g PIN
● Agentless Selective wipe
● Client apps: allow/block
● OneDrive
● Sharepoint
● API
● Quarantine DLP
● Block external shares
● Alert on DLP events
office 365 use case:
real-time inline data protection on any device
Legacy Auth Apps
e.g Office 2010
● Full access
Modern Auth Apps
e.g Office 2013+
● profile agent
● VPN+IP-restriction
● certificates
● Full access
● Browser
● ActiveSync Mail
● Client apps
● Reverse-proxy + AJAX-VM
● ActiveSync Proxy
16

17. STORYBOARDS
client
■ 180,000 employees
■ Among the largest US healthcare orgs
challenge
■ HIPAA Compliant cloud and mobile
■ Controlled access to Office 365 from managed &
unmanaged devices
■ Control external sharing
■ Real-time inline data protection
solution
■ Real-time inline protection on any device
■ Contextual access control on managed &
unmanaged devices (Omni)
■ Real-time DLP on any device
■ API control in the cloud
■ Agentless BYOD with selective wipe
secure
office 365
+ byod
major
healthcare
firm

18. STORYBOARDS
secure
salesforce +
office 365
18
■ 20,000 employees
■ Global presence
■ $6T in assets under management
challenge
■ Needed complete CASB for enterprise-wide
migration to SaaS
■ Security for Office 365
■ Encryption of data-at-rest in Salesforce
solution
■ Searchable true encryption of data in Salesforce
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed &
unmanaged devices (Omni)
financial
services
client

19. STORYBOARDS
our
mission
total
data
protection est. jan
2013
200+
customer
s
tier 1
VCs

20. resources:
more info about office 365 security
■ whitepaper: definitive guide to casbs
■ case study: fortune 100 healthcare firm secures o365
■ video: securing office 365

21. STORYBOARDS
bitglass.com
@bitglass