
4/24/20

Extending Zero Trust Fencing beyond Corp Premises
Growing SaaS Footprint – benefits of OpEx & Biz Agility

Welcome – Live 2PM-3:15PM JKT, Thur 23 April 2020

● Changing IT landscape
● New security gaps
● Case studies
● Use cases & demo
● Take away
● Q&A

Frankie Lim, Regional Director, Bitglass
Patrick Koh, Regional Solution Consultant, Bitglass
Ray Sugiarto, Co-founder, ICION


Problem
Cloud, collaboration and mobility are beyond the firewall...
Unmanaged apps and managed apps, used from unmanaged devices and managed devices.
Legacy tech: Firewall, Web Proxy, IPS / IDS, DLP, MDM
Security gaps!! Data leakage & threat risk
...leaving legacy security technologies obsolete.

CASB: Cloud Access Security Broker
● Visibility: apps, data, users & devices
● Compliance: apps, data, users & devices
● Data protection: in the cloud, at access, and on devices
● Threat protection: malware, APT, hijack

"Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud. Security and risk management leaders concerned about their organizations' cloud use should investigate CASBs."

"By 2022, 60% of large enterprises will use a CASB to govern some cloud services, up from less than 20% today."

"Through 2023, at least 99% of cloud security failures will be the customer's fault."


Cloud and mobile are beyond the firewall...
Unmanaged apps and managed apps, used from unmanaged devices and managed devices.
...leaving legacy security technologies obsolete...

Bitglass is a Gartner Leader


Solution Architecture: Multi-mode Next-Gen CASB
Covers unmanaged apps and managed apps through three modes:
1. API Scanning of Data in the cloud: DLP, malware and sharing control for data created or existing in cloud services
2. Forward Proxy on Managed Devices: block, coach, read-only, DLP & threat protection for managed and unmanaged apps; real-time access control and visibility
3. Reverse Proxy on any Device: real-time security for managed apps; access control, visibility and DLP with no agent or change in user experience

Case Studies


Secure Remote Workers (any app, any device, any network)
Challenges
■ Remote employees at greater cyber risk
■ VPN to corporate network is a bottleneck
Solution
■ Enable secure access to cloud and on-prem applications
■ Restrict usage of risky applications
■ Enable secure use of personal devices
■ Enforce DLP & threat protection
Bitglass Advantage
■ Real-time security on any device, with or without agents
■ High-performance Polyscale architecture for scalability

Secure File Sharing (OneDrive, Box, DropBox, GDrive, S3…)
Challenges
■ Poor visibility into data at rest in the cloud in SaaS and IaaS
■ Protect intellectual property from leakage
■ Protect against malware
■ Meet compliance requirements
Solution
■ High-performance API scanning; scans finish for large data sets
■ DLP controls, data visibility and data classification
■ Malware and threat control
Bitglass Advantage
■ High-performance Polyscale architecture for scalability


Secure Productivity Apps (O365, G Suite, Slack...)
Challenges
■ Secure productivity on any device, anywhere
■ Protect intellectual property from leakage
■ Growing cloud footprint with uncertain needs
Solution
■ Agentless AJAX-VM proxy for any device
■ Real-time proxy control for managed devices
■ DLP & malware protection on any device
■ High-performance API scanning for data at rest in the cloud
■ 3 week rollout
Bitglass Advantage
■ Multi-mode CASB deeply integrated with ecosystem
■ Interoperable with existing infrastructure
■ No change to the user experience
■ High-performance Polyscale architecture

Secure HCM & ERP (Oracle, Workday, Salesforce, Success Factors, Ultipro…)
Challenges
■ Enable secure access from any device, anywhere
■ HR & ERP apps are deeply integrated into payroll and internal business and personnel processes
■ Visibility, access control and threat protection
Solution
■ Agentless, inline proxy for unmanaged devices
■ Real-time proxy control for managed devices
■ Real-time malware protection on any device
■ Seamless integration with enterprise infrastructure
Bitglass Advantage
■ Secure any app on any device, including custom apps
■ Dynamically handles application updates and changes


Secure Other Apps (Atlassian, Smartsheet, ServiceNow, GitHub...)
Challenges
■ Secure productivity on any device, anywhere
■ Enforce DLP and access control
■ Block threats and malware
Solution
■ Agentless AJAX-VM proxy for any app on any device
■ Rapid deployment
■ Transparent to the user
Bitglass Advantage
■ Secure any app on any device, including:
  ○ SaaS apps with no APIs
  ○ Custom and internal apps deployed to IaaS/cloud
■ Future proof: supports current and future cloud apps
■ Field encryption: privacy and data protection

Secure Mobility
Challenges
■ Secure access to corporate apps from any BYOD
■ Protect intellectual property and block threats
■ Selective wipe upon separation
■ No agents of any kind
Solution
■ Patented agentless mobile security solution
■ DLP, selective wipe, encryption and malware control
■ No agents, no profiles, no impact to user experience
Bitglass Advantage
■ Unique agentless technology, rapid deployment
■ Preserves user privacy without compromising data protection


Sample Apps Secured at Customers

Discover & Control Cloud App Usage
Challenges
■ Poor visibility into cloud application usage
■ Compliance and data leakage risks
Solution
■ Discover and analyze application usage
■ Coach, block or read-only control of unlicensed apps
Bitglass Advantage
■ Largest index of cloud apps with 600K+ entries, constantly updated threat intelligence on these and new applications
■ New apps in any language automatically classified
■ Make any app "read-only"
■ Polyscale technology scales globally


Managed Apps: Zero-Day Control for Any App
Covers internal apps, major SaaS, long-tail SaaS and IaaS through Proxy + API: agent/agentless proxy for managed devices, agentless proxy for unmanaged devices.

Identity & Zero Trust Access Control
● Zero-Trust Remote Access
● Integrated with leading IDP
● Native SSO & SAML proxy
● Step-up multi-factor auth
● Session management

Data Protection
● Contextual access control
● DLP w/ adv. remediation
● Field and file encryption

Threat Mitigation
● Known & zero-day malware protection
● Account hijack protection
● UEBA (Behavioral Analytics)

Visibility & Polyscale Architecture
● Policy-based remediation
● CSPM reporting & remediation

(Zero-Day Core diagram: Data Protection, Threat Protection, Identity, Visibility)
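The contextual access control, managed/unmanaged device control and step-up MFA capabilities listed above can be modelled as an ordered policy evaluated per session. The following is an added example written for this page, not Bitglass code; the location ranges, app names and rule order are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions for this example, not a Bitglass configuration).
LOCATIONS = {"HQ": ["203.0.113.0/24"], "Jakarta office": ["198.51.100.0/25"]}
SENSITIVE_APPS = {"workday", "oracle-hcm"}   # HCM/ERP apps treated as high sensitivity

@dataclass
class Request:
    user: str
    app: str
    src_ip: str
    managed: bool      # device state as reported by the agent or agentless proxy
    mfa_done: bool     # step-up MFA already satisfied in this session

def location_of(ip: str) -> str:
    """Map a source IP to a predefined location name, or 'offnet' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, nets in LOCATIONS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "offnet"

# Ordered rules, first match wins; None means "don't care".
# Columns: managed device?, on-net?, MFA done?, sensitive app?, action
RULES = [
    (True,  True,  None,  None,  "allow"),        # managed device inside a predefined location
    (True,  False, True,  None,  "allow"),        # managed device off-net after step-up MFA
    (True,  False, False, None,  "step-up-mfa"),
    (False, None,  False, None,  "step-up-mfa"),  # BYOD always proves identity first
    (False, False, True,  True,  "block"),        # HCM/ERP from BYOD off-net: block
    (False, None,  True,  None,  "read-only"),    # BYOD otherwise: read-only, no download
]

def decide(req: Request) -> str:
    """Return the action the proxy should apply to this session."""
    onnet = location_of(req.src_ip) != "offnet"
    facts = (req.managed, onnet, req.mfa_done, req.app in SENSITIVE_APPS)
    for *conds, action in RULES:
        if all(c is None or c == f for c, f in zip(conds, facts)):
            return action
    return "block"   # default deny when no rule matches
```

Rule order matters: the BYOD step-up rule sits before the block and read-only rules, so an unmanaged device is always asked for MFA before a data decision is made.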


Identity Management
Authenticate via Bitglass IdP, AD, or any 3rd party IAM
Bitglass auto-redirect via proxy
● SAML transparently redirects users from any cloud app
● No vanity URLs, device config, or user experience change
Only CASB with native identity management
● AD/local authentication and sync
● Contextual multifactor authentication
Integration with existing solutions
● ActiveDirectory sync and provisioning
● Support for all major IdPs including ADFS, Ping, Okta

Identity & Zero Trust
(Diagram: AD Sync + SAML / WS-Fed IdP; Auth MFA; SAML SP)
Agentless, seamless experience, MFA, managed/unmanaged devices, SSO


Seamless User Experience (Bitglass IdP, any cloud app)
1. User connects directly to app
2. User connects to Bitglass IdP
3. User proxied by Bitglass upon login

Authentication Flow – AJAX-VM Reverse Proxy (any SAML 2.0 compliant IdP; any user, any device)
1. User connects directly to app
2. User redirected to Bitglass, then to IdP
3. User redirected back to BG; proxied to app

(Demo screenshots)
● Managed and Unmanaged Device Control
● Access Control – IP Address and Predefined locations
● Access Control – Two Factor Authentication
● SSO Landing Page to Cloud Apps for user-1
● SSO Landing Page to Cloud Apps for user-2
● Securing Bitglass employees

Expanding Cloud Footprint
First-Gen CASB: head of ~10 apps (O365)
Next-Gen CASB: long tail of 20,000 apps (any SaaS apps, BYOD mobile), with Data Protection, Threat Protection, Identity and Visibility


(Demo screenshots)
● O365 setup
● Any App Connector: for real-time protection
● Any App: Workday
● Any App: Oracle

Data Leakage Prevention – inline or API mode
Flexible DLP policy options
● Pre-built library for common identifiers (PCI, PII, SSN, GDPR, PDPA, etc)
● Custom patterns: keyword, regex, exact match, occurrence, proximity, advanced expression language
● Import from on-prem DLP (SYMC, McAfee, etc)
● ICAP integration to any on-prem DLP
Advanced remediation: allow without risk
● Alert, Track/Watermark, Encrypt, DRM, Redact, Block
● Read-only/Preview

Full-Strength Cloud Encryption
Store private cloud data in public cloud apps
● Encrypt structured (field) and unstructured (file) data
● BYOK (via KMIP) or CloudHSM service
Maintain full application functionality
● Searchable and sortable
● Crypto-independent implementation
Full-strength security
● US Patent 9,047,480
● Operations-preserving 256-bit AES with 256-bit IV
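The custom-pattern options above (keyword, regex, occurrence, proximity) and the remediation ladder (alert up to block) can be illustrated with a small rule evaluator that picks the most restrictive action among the rules that fire. This is an added example for this page, not Bitglass code; the patterns, keywords, sample text and rule set are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample patterns and keywords (assumptions, not the product's pre-built library).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16-digit card number, separators allowed
}
KEYWORDS = ("confidential", "payroll", "salary")
def luhn_ok(number: str) -> bool:
    # Checksum validation keeps arbitrary 16-digit strings from firing the card rule.
    total = 0
    for i, ch in enumerate(reversed(re.sub(r"\D", "", number))):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
@dataclass
class Rule:
    name: str
    pattern: str                          # key into PATTERNS
    action: str                           # alert, watermark, read-only, encrypt, drm, redact, block
    min_occurrences: int = 1              # "occurrence" condition
    keyword_within: Optional[int] = None  # "proximity": a KEYWORD within N chars of the match
def keyword_near(text: str, start: int, end: int, window: int) -> bool:
    around = text[max(0, start - window):end + window].lower()
    return any(k in around for k in KEYWORDS)
def evaluate(text: str, rules: List[Rule]) -> List[Tuple[str, str]]:
    fired = []   # (rule name, action) for every rule whose conditions the text satisfies
    for r in rules:
        matches = [m for m in PATTERNS[r.pattern].finditer(text)
                   if r.pattern != "pan" or luhn_ok(m.group())]
        if r.keyword_within is not None:
            matches = [m for m in matches
                       if keyword_near(text, m.start(), m.end(), r.keyword_within)]
        if len(matches) >= r.min_occurrences:
            fired.append((r.name, r.action))
    return fired
# Most restrictive action among the fired rules wins; nothing fired means allow.
SEVERITY = ["allow", "alert", "watermark", "read-only", "encrypt", "drm", "redact", "block"]
def remediation(fired: List[Tuple[str, str]]) -> str:
    return max((a for _, a in fired), key=SEVERITY.index, default="allow")

RULES = [
    Rule("any SSN", "ssn", "alert"),
    Rule("bulk SSNs", "ssn", "block", min_occurrences=5),
    Rule("SSN near payroll keyword", "ssn", "encrypt", keyword_within=40),
    Rule("card number", "pan", "redact"),
]
SAMPLE = "CONFIDENTIAL payroll export. SSN 123-45-6789 for J. Doe; card 4111 1111 1111 1111 on file."
```

On the constructed SAMPLE the alert, encrypt and redact rules all fire and the evaluator settles on redact; a text with five SSNs and no keyword trips the occurrence rule and is blocked.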


(Demo screenshots)
● Data Loss Prevention for Files – Upload Block
● Data Loss Prevention for Files – Download Encrypt
● Data Loss Prevention for Files – Download Block
● Data Loss Prevention for Files – Download DRM

Agentless Mobile BYOD + Active-sync Proxy
Deploy without MDM hassles
● Secure email, contacts, calendars
● No software or profiles
● Maintain privacy: only corporate traffic inspected
● Any mobile device + modern Outlook clients
Control flow of data to device
● DLP, access control, threat protection
● Extend SSO to ActiveSync
Secure data on device
● Patented agentless selective wipe
● Agentless device config (PIN, encryption, etc)
● Control rogue apps (Cloudmagic, Outlook for iOS)

(Demo screenshot) Mobile – Download Encrypt

(Demo screenshots)
● Mobile – Upload Block
● Mobile – Agentless Selective Wipe (email)

Advanced Threat Protection
Built-in protection
● O365 and G Suite feature limited threat protection
● Other cloud apps offer no protection
Advanced Threat Protection – powered by Cylance (zero-day ATP, UEBA)
● Block all zero-day threats with AI-based predictive engine
● Requires additional license

(Demo screenshots)
● Malware – Upload Block
● UEBA alert

Polyscale Architecture: hosted on AWS
Uptime 99.99% since 2013; SLA, metadata logs, Shadow-IT, CSPM
Elastic
● Hosted globally on AWS
● Or your private cloud
High performance
● Auto-scaling and replication
● Global load balancing
Reliable
● Fully redundant architecture
● 24x7x365 global support

(Demo screenshots)
● SLA Performance Graphs
● Event & Config logs

Shadow IT Discovery to Unmanaged App Control
95% of apps in use are not sanctioned by IT
● EFSS, content apps, social media
Discover Shadow IT
● Comprehensive reports on relative app risk, compliance, and more
● Automated index of over 600K apps, 4X the competition
● Detect, sanction, secure
Secure managed device access
● Block risky unsanctioned apps
● Coach users to a sanctioned enterprise cloud app
● Optional Zero-Day read-only cloud apps

Cloud Security Posture Management (CSPM)


Cloud Security Posture Management (CSPM) (demo screenshot)

Take away…
● Improve productivity on any device, anywhere
● Cut costs on appliances & software
● Improve scalability and performance
● Secure data and any cloud apps
● Rapid deployment & low overhead


Total Cloud Security: any app, any device, any network

Q&A
