Bitglass, profile picture
Uploaded byBitglass
PPTX, PDF324 views

Webinar bitglass - complete deck-2

The document outlines a cloud security action plan presented by experts from Maxim Integrated and Bitglass, focusing on key safety considerations such as identity management, access control, data protection, availability, and monitoring for cloud services. It emphasizes the importance of integrating multi-factor authentication, active directory for access management, and robust data protection strategies to mitigate risks associated with cloud environments. The document also highlights the necessity for businesses to ensure compliance and the efficient management of cloud service configurations to maintain security.

Embed presentation

Downloaded 18 times
Your 2017 Cloud Security Action Plan Matt Hollcraft, Maxim Integrated CISO Dave Ruedger, Maxim Integrated CSA Salim Hafid, Bitglass Product Marketing Sponsored by:
Our Presenters Matt Hollcraft Chief Information Security Officer Maxim Integrated 2© 2017 Security Current Dave Ruedger Chief Security Architect Maxim Integrated Salim Hafid Product Marketing Bitglass
Building Secure Cloud 3© 2017 Security Current Dave Ruedger Chief Security Architect Maxim Integrated
Cloud Security Considerations  Identity  Access  Data Protection  Availability  Hosted Services (SaaS/IaaS)  Monitoring © 2017 Security Current 4
Cloud Security – Identity  Single Sign On  Requires effort and planning to integrate with cloud services  Not all providers support SSO integration  Synchronization is critical  Cloud Service Native  Per service provider  Difficult to manage  Changes to accounts handled manually  Password policy enforcement  Enable Multi Factor Authentication  Admin access at a minimum © 2017 Security Current 5
Cloud Security – Access  Apply same process as internal controls  Onboarding/Offboarding  Personnel changes must be managed  Integrate with Active Directory or Open LDAP  Group and Role permissions easier to manage  Keeps User permissions for data in sync  Restrict use of shared accounts  Password rotation is difficult to manage  Not auditable for individual usage © 2017 Security Current 6
Cloud Security – Data Protection  It’s still YOUR data = your RISK  3rd Party and Vendor Assessments are necessary  Admin access controls  Multi factor authentication  Monitoring and Auditing  Multi-tenancy increases risk of breach  Review data segmentation  Encryption at rest reduces risk  Geographic considerations  EU privacy compliance  Must consider data storage and transmission © 2017 Security Current 7
Cloud Security – Availability  Availability is a security concern  Build for redundancy  Recovery may be impacted during a disaster  Certificate Management  Monitor certificate expiration  Impacts all web services and applications, not just corporate website!  SPF records may be required  Cloud service sending email on your behalf  Prevents critical alerts from being flagged as spam © 2017 Security Current 8
Cloud Security – Hosted Services (SaaS/IaaS)  Backup your data  Even Amazon has encountered service outages  Some cloud failures are unrecoverable  Use scheduled exports or replication  Review default access security policies  May be too permissive  Could allow public access to restricted systems/data  Utilize IP Whitelisting to further restrict access  Penetration testing and vulnerability scanning requires permission  Failure to notify could result in your network being blocked  Could lead to service outage  Protect your API keys © 2017 Security Current 9
Cloud Security – Monitoring  Network monitoring in the cloud is limited or non-existent  Only Amazon has VPC monitoring currently  Must rely on logging  Detection is only as good as what you log  Multi cloud environments are even more challenging  IP Address space collisions/duplication  Inconsistent view of log data  Constant monitoring needed to identify shadow IT  Next Gen firewalls can tag traffic to the cloud for alerting  Implement a CASB for better control  Detects and limits/blocks access © 2017 Security Current 10
The Business Case 11© 2017 Security Current Matt Hollcraft Chief Information Security Officer Maxim Integrated
Risk: Identity and Access © 2017 Security Current
Risk: Data Protection © 2017 Security Current
Risk: Governance and Compliance © 2017 Security Current
Your 2017 Security Action Plan 15© 2017 Security Current Salim Hafid Product Marketing Bitglass
What best describes your current public cloud strategy? AUDIENCE POLL: © 2017 Security Current
17© 2017 Security Current Office 365 is the leading SaaS productivity suite: No signs of public cloud slowing down
Major cloud app vendors doing their part to secure cloud apps: ○ Haven’t had massive breaches many naysayers expected ○ Spend more on security personnel and infrastructure ○ Patch vulnerabilities quickly ○ Achieve stringent compliance certifications (ISO 27001, SOC 2, FedRAMP, CSA, etc) Enterprises must use cloud apps securely ○ Still responsible for use of enterprise data and accounts ○ Still responsible for compliance 18© 2017 Security Current Is the cloud secure? It can be, if used securely
19© 2017 Security Current Public Cloud App Separation of Duties enterprise (CASB) end-user devices visibility & analytics data protection identity & access control application storage servers network cloud app vendor
What are your top cloud security concerns? AUDIENCE POLL: © 2017 Security Current
Critical Cloud Control Areas 21© 2017 Security Current
Where to get controls? Existing Security, App Native, Third Party Existing Investments VPN, NGFW/SWG, DLP (Endpt/Ntwk) Pros: - Minimal new investment (time, $) - Existing expertise Cons: - Backhauling inefficient, poor performance - BYOD blindspot - May not be cloud aware App Native Varies by application Pros: - No additional products/vendors to deploy Cons: - Requires different strategy/execution per app - Capabilities vary widely across apps - App team controls data/security Third Party (CASB) CASB, IdaaS Pros: - Single policy across all apps - Comprehensive security model - Dual controls (app vs sec team) Cons: - Additional vendor, new expertise 22© 2017 Security Current
Major Healthcare Firm 23© 2017 Security Current Secure Office 365 & BYOD Client ■ 180,000 employees ■ Among the largest US healthcare orgs Challenge ■ HIPAA Compliant cloud and mobile ■ Controlled access to Office 365 from managed & unmanaged devices ■ Control external sharing ■ Real-time inline data protection Solution ■ Real-time inline protection on any device ■ Contextual access control on managed & unmanaged devices (Omni) ■ Real-time DLP on any device ■ API control in the cloud ■ Agentless BYOD with selective wipe ■ Enterprise-wide for all SaaS apps
Financial services client 24© 2017 Security Current Secure Salesforce and Office 365 Client ■ 20,000 employees ■ Global presence ■ $6T in assets under management Challenge ■ Needed complete CASB for enterprise-wide migration to SaaS ■ Security for Office 365 ■ Encryption of data-at-rest in Salesforce Solution ■ Searchable true encryption of data in Salesforce ■ Real-time inline DLP on any device (Citadel) ■ Contextual access control on managed & unmanaged devices (Omni) ■ API control in the cloud ■ Discover breach & Shadow IT
✓ Prioritize critical applications ✓ Identify security & compliance gaps ✓ Evaluate built-in controls vs third party (CASB, IdAAS, etc) ✓ Design/implement policies ✓ Align to app deployment timeline 25© 2017 Security Current Your 2017 Cloud Security Action Plan
bitglass mission total data protection outside the firewall 26 #1 CASB real-time data protection founded 2013 tier 1 funding award-winning tech leader 3 patents, 3 pending
■ Gartner Marketguide to CASBs ■ Whitepaper: Definitive Guide to CASBs ■ Case Study: fortune 100 healthcare firm secures o365 27© 2017 Security Current Resources: More About Public Cloud Security
Thank you for joining us Matt Hollcraft Chief Information Security Officer Maxim Integrated 28© 2017 Security Current Dave Ruedger Chief Security Architect Maxim Integrated Salim Hafid Product Marketing Bitglass
bitglass.com @bitglass securitycurrent.com @SecurityCurrent Connect with us

More Related Content

PPTX
Mitigating the Top 5 Cloud Security Threats
byBitglass
 
PPTX
5 Security Questions To Ask When Deploying O365
byBitglass
 
PPTX
securing the cloud for financial services
byBitglass
 
PPTX
Bitglass Webinar - Top 6 CASB Use Cases
byBitglass
 
PPTX
Webinar - Bitglass and CyberEdge - Hidden Security Threats
byBitglass
 
PPTX
Bitglass Webinar - A Primer on CASBs and Cloud Security
byBitglass
 
PPTX
Bitglass Webinar - 5 Cloud Security Best Practices for 2018
byBitglass
 
PPTX
Security O365 Using AI-based Advanced Threat Protection
byBitglass
 
Mitigating the Top 5 Cloud Security Threats
byBitglass
 
5 Security Questions To Ask When Deploying O365
byBitglass
 
securing the cloud for financial services
byBitglass
 
Bitglass Webinar - Top 6 CASB Use Cases
byBitglass
 
Webinar - Bitglass and CyberEdge - Hidden Security Threats
byBitglass
 
Bitglass Webinar - A Primer on CASBs and Cloud Security
byBitglass
 
Bitglass Webinar - 5 Cloud Security Best Practices for 2018
byBitglass
 
Security O365 Using AI-based Advanced Threat Protection
byBitglass
 

What's hot

PPTX
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
byBitglass
 
PPTX
CASBs and Office 365: The Security Menace
byBitglass
 
PPTX
CASB Cases: How Your Peers are Securing the Cloud
byBitglass
 
PPTX
The Future of CASBs - A Cloud Security Force Awakens
byBitglass
 
PPTX
Bitglass Webinar - BlueCross BlueShield of Tennessee's CASB Journey to Secure...
byBitglass
 
PPTX
Closing the Cloud Security Gap with a CASB (in partnership with Forrester)
byBitglass
 
PPTX
CASBs - A New Hope
byBitglass
 
PPTX
Webinar Express: What is a CASB?
byBitglass
 
PPTX
Office 365 Security: How to Safeguard Your Data
byBitglass
 
PPTX
4 Essential Components of Office 365 Security
byBitglass
 
PDF
Stop Hackers with Integrated CASB & IDaaS Security
byCloudLock
 
PDF
Introducing IBM Cloud Security Enforcer, CASB, IDaaS and Threat Prevention
byIBM Security
 
PPTX
CASBs: 8 Critical Capabilities in partnership with ISMG Media Group
byBitglass
 
PPTX
#ALSummit: Accenture - Making the Move: Enabling Security in the Cloud
byAlert Logic
 
PPTX
Office365 security in depth
byAlberto Pascual
 
PPTX
Security and Accountability in the Cloud (in partnership with SANS)
byBitglass
 
PPTX
The Four Horsemen of the O365 Apocalypse
byBitglass
 
PPTX
5 Highest-Impact CASB Use Cases
byNetskope
 
PPTX
Bridging the Office 365 Security Gap - Redmond Media
byBitglass
 
PDF
The Security Policy Management Maturity Model: How to Move Up the Curve
byAlgoSec
 
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
byBitglass
 
CASBs and Office 365: The Security Menace
byBitglass
 
CASB Cases: How Your Peers are Securing the Cloud
byBitglass
 
The Future of CASBs - A Cloud Security Force Awakens
byBitglass
 
Bitglass Webinar - BlueCross BlueShield of Tennessee's CASB Journey to Secure...
byBitglass
 
Closing the Cloud Security Gap with a CASB (in partnership with Forrester)
byBitglass
 
CASBs - A New Hope
byBitglass
 
Webinar Express: What is a CASB?
byBitglass
 
Office 365 Security: How to Safeguard Your Data
byBitglass
 
4 Essential Components of Office 365 Security
byBitglass
 
Stop Hackers with Integrated CASB & IDaaS Security
byCloudLock
 
Introducing IBM Cloud Security Enforcer, CASB, IDaaS and Threat Prevention
byIBM Security
 
CASBs: 8 Critical Capabilities in partnership with ISMG Media Group
byBitglass
 
#ALSummit: Accenture - Making the Move: Enabling Security in the Cloud
byAlert Logic
 
Office365 security in depth
byAlberto Pascual
 
Security and Accountability in the Cloud (in partnership with SANS)
byBitglass
 
The Four Horsemen of the O365 Apocalypse
byBitglass
 
5 Highest-Impact CASB Use Cases
byNetskope
 
Bridging the Office 365 Security Gap - Redmond Media
byBitglass
 
The Security Policy Management Maturity Model: How to Move Up the Curve
byAlgoSec
 

Similar to Webinar bitglass - complete deck-2

PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PPTX
Softchoice & Microsoft: Public Cloud Security Webinar
bySoftchoice Corporation
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PDF
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
PDF
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
PPTX
Cloud Security By Dr. Anton Ravindran
byGSTF
 
PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PPT
Presentation to Irish ISSA Conference 12-May-11
byMichael Ofarrell
 
PDF
mcafee-cloud-acceleration-and-risks.pdf
byAndreBolo1
 
PPTX
ciso-workshop-1-cybersecurity-briefing.pptx
bypravinsp141
 
PDF
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
PDF
Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst
byBill Burns
 
PDF
Cloud Security 101 by Madhav Chablani
byOWASP Delhi
 
PDF
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
PPTX
Enterprise Security in Cloud
byLenin Aboagye
 
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
PPTX
CSA Atlanta Q1'2016 Chapter Meeting
byPhil Agcaoili
 
PPTX
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
byKarim Vaes
 
PDF
Secure the modern Enterprise
byMicrosoft Österreich
 
PPTX
Secure Your Cloud Migration - Secureworld 2019 Charlotte
byMike Brannon
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Softchoice & Microsoft: Public Cloud Security Webinar
bySoftchoice Corporation
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
Cloud Security By Dr. Anton Ravindran
byGSTF
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
Presentation to Irish ISSA Conference 12-May-11
byMichael Ofarrell
 
mcafee-cloud-acceleration-and-risks.pdf
byAndreBolo1
 
ciso-workshop-1-cybersecurity-briefing.pptx
bypravinsp141
 
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst
byBill Burns
 
Cloud Security 101 by Madhav Chablani
byOWASP Delhi
 
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
Enterprise Security in Cloud
byLenin Aboagye
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
CSA Atlanta Q1'2016 Chapter Meeting
byPhil Agcaoili
 
Xylos Clients Day - Public cloud and security go hand in hand, if you approac...
byKarim Vaes
 
Secure the modern Enterprise
byMicrosoft Österreich
 
Secure Your Cloud Migration - Secureworld 2019 Charlotte
byMike Brannon
 

More from Bitglass

PPTX
Webinar - Mobile Security Trends
byBitglass
 
PPTX
Empowering the Cloud Through G Suite
byBitglass
 
PPTX
Securing IaaS Applications
byBitglass
 
PPTX
6 essentials for secure BYOD in healthcare
byBitglass
 
PPTX
Webinar: are casbs ready for primetime?
byBitglass
 
PPTX
CASBs and Office 365 (with Argyle)
byBitglass
 
PPTX
Webinar Express: Securing BYOD without MDM
byBitglass
 
PPTX
Top 5 Cloud Security Threats in Healthcare
byBitglass
 
PPTX
CSA Research: Mitigating Cloud Threats
byBitglass
 
PPTX
The Security Gap: Protecting Healthcare Data in Office 365
byBitglass
 
PPTX
Data-Centric Protection: The Future of BYOD Security
byBitglass
 
Webinar - Mobile Security Trends
byBitglass
 
Empowering the Cloud Through G Suite
byBitglass
 
Securing IaaS Applications
byBitglass
 
6 essentials for secure BYOD in healthcare
byBitglass
 
Webinar: are casbs ready for primetime?
byBitglass
 
CASBs and Office 365 (with Argyle)
byBitglass
 
Webinar Express: Securing BYOD without MDM
byBitglass
 
Top 5 Cloud Security Threats in Healthcare
byBitglass
 
CSA Research: Mitigating Cloud Threats
byBitglass
 
The Security Gap: Protecting Healthcare Data in Office 365
byBitglass
 
Data-Centric Protection: The Future of BYOD Security
byBitglass
 

Recently uploaded

PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
final.pdf
byomarbishtawi04
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
final.pdf
byomarbishtawi04
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 

Webinar bitglass - complete deck-2

  • 1.
    Your 2017 CloudSecurity Action Plan Matt Hollcraft, Maxim Integrated CISO Dave Ruedger, Maxim Integrated CSA Salim Hafid, Bitglass Product Marketing Sponsored by:
  • 2.
    Our Presenters Matt Hollcraft ChiefInformation Security Officer Maxim Integrated 2© 2017 Security Current Dave Ruedger Chief Security Architect Maxim Integrated Salim Hafid Product Marketing Bitglass
  • 3.
    Building Secure Cloud 3© 2017 SecurityCurrent Dave Ruedger Chief Security Architect Maxim Integrated
  • 4.
    Cloud Security Considerations Identity  Access  Data Protection  Availability  Hosted Services (SaaS/IaaS)  Monitoring © 2017 Security Current 4
  • 5.
    Cloud Security –Identity  Single Sign On  Requires effort and planning to integrate with cloud services  Not all providers support SSO integration  Synchronization is critical  Cloud Service Native  Per service provider  Difficult to manage  Changes to accounts handled manually  Password policy enforcement  Enable Multi Factor Authentication  Admin access at a minimum © 2017 Security Current 5
  • 6.
    Cloud Security –Access  Apply same process as internal controls  Onboarding/Offboarding  Personnel changes must be managed  Integrate with Active Directory or Open LDAP  Group and Role permissions easier to manage  Keeps User permissions for data in sync  Restrict use of shared accounts  Password rotation is difficult to manage  Not auditable for individual usage © 2017 Security Current 6
  • 7.
    Cloud Security –Data Protection  It’s still YOUR data = your RISK  3rd Party and Vendor Assessments are necessary  Admin access controls  Multi factor authentication  Monitoring and Auditing  Multi-tenancy increases risk of breach  Review data segmentation  Encryption at rest reduces risk  Geographic considerations  EU privacy compliance  Must consider data storage and transmission © 2017 Security Current 7
  • 8.
    Cloud Security –Availability  Availability is a security concern  Build for redundancy  Recovery may be impacted during a disaster  Certificate Management  Monitor certificate expiration  Impacts all web services and applications, not just corporate website!  SPF records may be required  Cloud service sending email on your behalf  Prevents critical alerts from being flagged as spam © 2017 Security Current 8
  • 9.
    Cloud Security –Hosted Services (SaaS/IaaS)  Backup your data  Even Amazon has encountered service outages  Some cloud failures are unrecoverable  Use scheduled exports or replication  Review default access security policies  May be too permissive  Could allow public access to restricted systems/data  Utilize IP Whitelisting to further restrict access  Penetration testing and vulnerability scanning requires permission  Failure to notify could result in your network being blocked  Could lead to service outage  Protect your API keys © 2017 Security Current 9
  • 10.
    Cloud Security –Monitoring  Network monitoring in the cloud is limited or non-existent  Only Amazon has VPC monitoring currently  Must rely on logging  Detection is only as good as what you log  Multi cloud environments are even more challenging  IP Address space collisions/duplication  Inconsistent view of log data  Constant monitoring needed to identify shadow IT  Next Gen firewalls can tag traffic to the cloud for alerting  Implement a CASB for better control  Detects and limits/blocks access © 2017 Security Current 10
  • 11.
    The Business Case 11© 2017Security Current Matt Hollcraft Chief Information Security Officer Maxim Integrated
  • 12.
  • 13.
  • 14.
  • 15.
    Your 2017 Security Action Plan 15©2017 Security Current Salim Hafid Product Marketing Bitglass
  • 16.
    What best describes yourcurrent public cloud strategy? AUDIENCE POLL: © 2017 Security Current
  • 17.
    17© 2017 SecurityCurrent Office 365 is the leading SaaS productivity suite: No signs of public cloud slowing down
  • 18.
    Major cloud appvendors doing their part to secure cloud apps: ○ Haven’t had massive breaches many naysayers expected ○ Spend more on security personnel and infrastructure ○ Patch vulnerabilities quickly ○ Achieve stringent compliance certifications (ISO 27001, SOC 2, FedRAMP, CSA, etc) Enterprises must use cloud apps securely ○ Still responsible for use of enterprise data and accounts ○ Still responsible for compliance 18© 2017 Security Current Is the cloud secure? It can be, if used securely
  • 19.
    19© 2017 SecurityCurrent Public Cloud App Separation of Duties enterprise (CASB) end-user devices visibility & analytics data protection identity & access control application storage servers network cloud app vendor
  • 20.
    What are yourtop cloud security concerns? AUDIENCE POLL: © 2017 Security Current
  • 21.
    Critical Cloud Control Areas 21©2017 Security Current
  • 22.
    Where to getcontrols? Existing Security, App Native, Third Party Existing Investments VPN, NGFW/SWG, DLP (Endpt/Ntwk) Pros: - Minimal new investment (time, $) - Existing expertise Cons: - Backhauling inefficient, poor performance - BYOD blindspot - May not be cloud aware App Native Varies by application Pros: - No additional products/vendors to deploy Cons: - Requires different strategy/execution per app - Capabilities vary widely across apps - App team controls data/security Third Party (CASB) CASB, IdaaS Pros: - Single policy across all apps - Comprehensive security model - Dual controls (app vs sec team) Cons: - Additional vendor, new expertise 22© 2017 Security Current
  • 23.
    Major Healthcare Firm 23© 2017 SecurityCurrent Secure Office 365 & BYOD Client ■ 180,000 employees ■ Among the largest US healthcare orgs Challenge ■ HIPAA Compliant cloud and mobile ■ Controlled access to Office 365 from managed & unmanaged devices ■ Control external sharing ■ Real-time inline data protection Solution ■ Real-time inline protection on any device ■ Contextual access control on managed & unmanaged devices (Omni) ■ Real-time DLP on any device ■ API control in the cloud ■ Agentless BYOD with selective wipe ■ Enterprise-wide for all SaaS apps
  • 24.
    Financial services client 24© 2017 SecurityCurrent Secure Salesforce and Office 365 Client ■ 20,000 employees ■ Global presence ■ $6T in assets under management Challenge ■ Needed complete CASB for enterprise-wide migration to SaaS ■ Security for Office 365 ■ Encryption of data-at-rest in Salesforce Solution ■ Searchable true encryption of data in Salesforce ■ Real-time inline DLP on any device (Citadel) ■ Contextual access control on managed & unmanaged devices (Omni) ■ API control in the cloud ■ Discover breach & Shadow IT
  • 25.
    ✓ Prioritize criticalapplications ✓ Identify security & compliance gaps ✓ Evaluate built-in controls vs third party (CASB, IdAAS, etc) ✓ Design/implement policies ✓ Align to app deployment timeline 25© 2017 Security Current Your 2017 Cloud Security Action Plan
  • 26.
    bitglass mission total data protection outside the firewall 26 #1CASB real-time data protection founded 2013 tier 1 funding award-winning tech leader 3 patents, 3 pending
  • 27.
    ■ Gartner Marketguideto CASBs ■ Whitepaper: Definitive Guide to CASBs ■ Case Study: fortune 100 healthcare firm secures o365 27© 2017 Security Current Resources: More About Public Cloud Security
  • 28.
    Thank you forjoining us Matt Hollcraft Chief Information Security Officer Maxim Integrated 28© 2017 Security Current Dave Ruedger Chief Security Architect Maxim Integrated Salim Hafid Product Marketing Bitglass
  • 29.

Editor's Notes

  • #3 Salim Intros
  • #13 Key points to present: IAM is key for cloud security because: - Naturally accessible via public internet - Multi-tenant environments are only as strong as the weakest link - Just like any network, lacks access control standards causes issues in areas such as separation of duties, change management and confidentiality. Risk reduction strategies should include: - Multi-factor authentication - Review and approval of cloud provider admins and personnel - Consideration for prohibition of competitor provisioning in adjacent servers
  • #14 Key points to present: Focus on the data. It’s all about the data, because: - Data, unlike almost any other asset, can be replicated in many places - Data stored on someone else’s servers should be encrypted, if needed, just like any other place. - Your data is like your kids, you just don’t allow anyone to be responsible for it and you always agree on the return process (i.e. exiting the cloud provider) Risk reduction strategies for data include: - Understand you data map and flows, physically where the data is stored (privacy) - Encryption, encryption , encryption – in transit and rest! - Robust Ts & C’s language and negotiation for return or deletion of data when exiting a provider (including cloud provider back ups)
  • #15 Key points to present: Don’t forget the due diligence: - The data owner is still responsible for G&C - Cloud providers feel they are not responsible - Your controls are only as strong as their validation Risk reduction strategies should include: - Require completion of SSAE 16 SOC 2 annually - Ensure your access to ALL audit and monitoring tools provided – ideally at no charge with the service - For any adverse findings in the audit reports, demand an action plan for remediation (success depends on the spend with the provider) and possibly include language in the T’s and C’s
  • #17 what best describes your organization’s current public cloud strategy? Cloud only Cloud first Cloud sometimes Cloud if we have to Cloud never
  • #18 Explosion of SaaS in the enterprise, leveraging Bitglass Cloud Adoption Report data O365 and productivity suites as proxy for broader cloud adoption in the enterprise across all verticals and all software functions.
  • #21 what best describes your organization’s current public cloud strategy? Cloud only Cloud first Cloud sometimes Cloud if we have to Cloud never
  • #22 Critical control areas Cloud - data-at-rest protection - encryption, sharing/backend sync controls, etc. Access - who has access to what and in which context? access controls, DLP, etc Identity - SSO, 2FA, identity best practices from prem, etc. Mobile - protecting cloud data sync'd/downloaded to devices, both managed and BYOD.