ISSA Phoenix Chapter Meeting Topic: Security Enablement & Risk Reducing Best Practices for BYOD + SaaS Cloud Apps
Agenda: Security Enablement Concepts for BYOD & SaaS Cloud Apps
- Intro and background
- BYOD & SaaS adoption and growth projections
- Quantifying the risk: users/devices vs. the SaaS CSP
- Paradigm shift from "No" to enablement
- Security enablement concepts
  - Discovery and risk assessment
  - Access, authentication and SSO
  - Managed vs. unmanaged BYOD devices
  - User activity monitoring, auditing, and analytics
  - Account-centric threat detection
  - Deployment considerations and the larger ecosystem
- Q&A
Data Proliferation
- Mobile/BYOD
- Corporate applications becoming SaaS applications
- Customer-facing applications moving to IaaS or PaaS providers
- InfoSec paradigm shift from "No" to enablement
What's driving cloud? Compared to the traditional data center it is cost effective, collaborative, scalable, always on, requires no hardware, and is accessible from anywhere.
The horse has left the barn, and it's not a bad thing for InfoSec (Source: Everest Group)
BYOD access to cloud has increased 20% in three years Source: Cisco
More of what you already know Source: Intel
Business execs want anywhere, anytime cloud app access Source: Cisco
Not surprisingly, Security is the concern for cloud enablement Source: Forbes survey
To encrypt or not to encrypt in the cloud(s)? Quantifying the risk: users/devices vs. the cloud service provider
Where is the greater risk: the CSP or your users?
- Corporate users and roaming users: users with credentials still have access to the apps
- SaaS Cloud Service Provider (CSP): hackers, CSP admins
Knee-jerk reaction? Encrypt data going to the cloud provider. But what about your 20,000 Salesforce.com users with account credentials? Phishing, wireless hijacking and insiders are all user/device focused. Prioritize based on risk.
Yes you can: Enablement
Cloud security paradigm shift from "No" to enablement (diagram: corporate users to cloud applications)
SaaS Security Landscape
- Landscape areas: encryption, data leakage prevention, account-centric threat prevention, user & device activity monitoring, SaaS discovery, data at rest at the cloud service provider
- Highest risk areas:
  - BYOD users are the biggest risk
  - Cyber hackers & malicious employees are the biggest security threat
  - Discover & prioritize shadow IT
Best Practice: data risk and security rules do not change
- Risk & Compliance: cloud apps discovery & BYOD enrollment; sensitive data access reports; tracking config. & user permission changes
- Threat Prevention: automatic cyber-intrusion prevention; automatic insider threat prevention; SIEM enablement
- Activity Monitoring & Analytics: consistent & granular data access logs; activity analytics with drill down; privileged user monitoring
So you want to enable, now what? Security enablement & risk reducing best practices:
- Discovery and risk assessment
- Access, authentication and SSO
- Managed vs. unmanaged BYOD devices
- User activity monitoring, auditing, and analytics
- Account-centric threat detection
- Deployment considerations and the larger ecosystem
Risk and Compliance
Risk & Compliance: cloud apps discovery & BYOD enrollment; sensitive data access reports; tracking config. & user permission changes
Your network firewall/web proxy logs are a good place to start. Cloud apps in use on your network will help justify managing BYOD access.
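As an added example (not Skyfence or Imperva code), the following Python script does the first step the slide describes: it walks a proxy access log, collapses hostnames to registered domains, matches them against a SaaS catalogue and reports users, request counts and outbound bytes per discovered app, plus the unclassified domains that form the shadow-IT review queue. The log layout, the three-entry catalogue and the sample users and traffic are constructed assumptions; real firewall and proxy formats only require a different parse_proxy_line().

```python
"""Cloud-app discovery from web-proxy logs.

Added example, not Skyfence/Imperva code. It assumes a constructed, simplified
proxy access-log layout (one request per line):
    <timestamp> <client_ip> <user> <method> <url> <status> <bytes_out>
Real proxies and firewalls (Palo Alto Networks, Blue Coat, Websense, Squid)
each have their own formats; only parse_proxy_line() needs to change.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical SaaS catalogue: registered domain -> application name.
# A real discovery tool ships thousands of entries; three suffice here.
SAAS_CATALOGUE = {
    "salesforce.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "box.com": "Box",
}

# Constructed sample log (not real traffic). The last line is malformed on purpose.
SAMPLE_LOG = """\
2014-03-01T08:02:11Z 10.1.4.22 jdoe GET https://na1.salesforce.com/home/home.jsp 200 4821
2014-03-01T08:05:40Z 10.1.4.22 jdoe POST https://www.dropbox.com/upload 200 15728640
2014-03-01T08:07:03Z 10.1.7.9 asmith GET https://login.salesforce.com/ 200 1200
2014-03-01T08:09:55Z 10.1.7.9 asmith GET https://intranet.example.internal/wiki 200 900
2014-03-01T08:12:30Z 10.1.9.14 bwong POST https://www.dropbox.com/s/abc123 200 2097152
2014-03-01T08:15:00Z 10.1.9.14 bwong GET https://app.box.com/folder/1 200 700
this line is malformed and must be skipped
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels, so na1.salesforce.com and
    login.salesforce.com both count as salesforce.com. Naive on purpose: a
    production tool should use the Public Suffix List (e.g. example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client_ip, user, method, url, status, nbytes = parts
    host = urlsplit(url).hostname
    if not host or not nbytes.isdigit():
        return None
    return {"ts": ts, "client_ip": client_ip, "user": user, "method": method,
            "host": host, "status": status, "bytes_out": int(nbytes)}


def discover_cloud_apps(log_text):
    """Aggregate proxy traffic per known SaaS app.

    Returns (apps, unclassified): apps maps app name -> {"users": set,
    "requests": int, "bytes_out": int}; unclassified is the set of registered
    domains not in the catalogue, i.e. the shadow-IT review queue."""
    apps = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    unclassified = set()
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        domain = registered_domain(rec["host"])
        app = SAAS_CATALOGUE.get(domain)
        if app is None:
            unclassified.add(domain)
            continue
        apps[app]["users"].add(rec["user"])
        apps[app]["requests"] += 1
        apps[app]["bytes_out"] += rec["bytes_out"]
    return dict(apps), unclassified


def rank_by_upload_volume(apps):
    """Order discovered apps by bytes sent to them: outbound volume is the
    first cut at which apps carry corporate data and deserve policy first."""
    return sorted(apps, key=lambda a: apps[a]["bytes_out"], reverse=True)


if __name__ == "__main__":
    apps, unknown = discover_cloud_apps(SAMPLE_LOG)
    for name in rank_by_upload_volume(apps):
        a = apps[name]
        print(f"{name:<12} users={len(a['users'])} requests={a['requests']} bytes_out={a['bytes_out']}")
    print("unclassified domains for review:", sorted(unknown))
```

Ranking by outbound bytes rather than by request count is a deliberate choice: a handful of large POSTs to a file-sharing service says more about where corporate data is going than many small GETs.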
Cloud Apps Discovery tool: select files/folders
Cloud Apps Discovery tool: scan progress
Skyfence: manage discovered cloud apps
Access, Authentication, & SSO
Access, Authentication and Single Sign On (SSO)
- Consider leveraging your existing AD environment, using cloud SSO providers such as Ping, Centrify, Okta and Symplified, who provide pre-integrated AD-based single sign-on to 1000s of cloud apps
- Carrot and stick approach
  - Users get the SSO and ease of access they want
  - IT gets centralized visibility, management and deprovisioning through AD users and groups
  - Some solutions sync to their cloud directory; some proxy to the on-prem AD instance
- Cloud Security Gateways integrate with leading SSO providers for cloud-based access control and monitoring
(Diagram: corporate users, SSO portals/providers, Skyfence Cloud Security Gateway, cloud apps)
Managed vs Unmanaged BYOD Devices
Managed vs Unmanaged devices: Considerations
- Push device agent software, or agentless?
- User transparency: what assumptions about device risk posture can be made if
  - it has already connected from the corporate network in the past?
  - it has a correct MDM certificate?
  - it is connecting from a trusted IP range?
- If the device is unmanaged:
  - Prompt manual enrollment for unmanaged BYOD devices to connect to corporate cloud apps?
  - Force two-factor authentication?
  - Allow limited access and actions to the cloud app?
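One way to turn the questions on this slide into an enforceable policy, as an added example rather than Skyfence's own logic: a valid MDM certificate marks a device as managed; an unmanaged device that has connected from the corporate network before is "known"; everything else is unknown and must enroll. A trusted source IP on its own does not promote a device, because a shared office egress address says where a device is, not whether it is managed. The tier names, the action set and the decision that a trusted IP range permits downloads from a known unmanaged device are assumptions for illustration.

```python
"""Endpoint posture to access-policy mapping for BYOD devices.

Added example, not Skyfence code. Encodes one possible answer to the slide's
questions as a small policy table. Tier names, action names and the specific
privileges per tier are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    MANAGED = "managed"                      # valid MDM certificate presented
    KNOWN_UNMANAGED = "known_unmanaged"      # no certificate, but seen on the corporate network before
    UNKNOWN_UNMANAGED = "unknown_unmanaged"  # never seen, no certificate


@dataclass(frozen=True)
class DeviceContext:
    mdm_cert_valid: bool        # chain, expiry and revocation already verified upstream
    seen_on_corp_network: bool  # this device fingerprint has connected from inside before
    from_trusted_ip: bool       # current connection originates from a trusted egress range


@dataclass(frozen=True)
class AccessDecision:
    tier: Tier
    require_mfa: bool
    prompt_enrollment: bool
    allowed_actions: frozenset


FULL_ACTIONS = frozenset({"view", "download", "upload", "share", "admin"})
READ_ONLY = frozenset({"view"})


def classify_device(ctx):
    """Only the MDM certificate proves management. Prior presence on the
    corporate network makes an unmanaged device 'known'. A trusted source IP
    is deliberately not enough to change the tier on its own."""
    if ctx.mdm_cert_valid:
        return Tier.MANAGED
    if ctx.seen_on_corp_network:
        return Tier.KNOWN_UNMANAGED
    return Tier.UNKNOWN_UNMANAGED


def decide_access(ctx):
    """Map a device context to MFA requirement, enrollment prompt and actions."""
    tier = classify_device(ctx)
    if tier is Tier.MANAGED:
        # The managed device itself is a strong second factor: full access, no prompt.
        return AccessDecision(tier, require_mfa=False, prompt_enrollment=False,
                              allowed_actions=FULL_ACTIONS)
    if tier is Tier.KNOWN_UNMANAGED:
        # Force two-factor, offer (but do not require) enrollment, and limit
        # actions. Downloads are permitted only from a trusted range, where the
        # corporate proxy/DLP still sees the traffic (deployment assumption).
        actions = READ_ONLY | ({"download"} if ctx.from_trusted_ip else set())
        return AccessDecision(tier, require_mfa=True, prompt_enrollment=True,
                              allowed_actions=frozenset(actions))
    # Unknown unmanaged device: no application access until the user enrolls
    # and completes two-factor authentication.
    return AccessDecision(tier, require_mfa=True, prompt_enrollment=True,
                          allowed_actions=frozenset())


def is_action_allowed(ctx, action):
    """Convenience check used by a gateway's per-request authorization hook."""
    return action in decide_access(ctx).allowed_actions


if __name__ == "__main__":
    for ctx in (DeviceContext(True, True, True), DeviceContext(False, True, False),
                DeviceContext(False, False, True)):
        d = decide_access(ctx)
        print(d.tier.value, "mfa" if d.require_mfa else "no-mfa",
              "enroll" if d.prompt_enrollment else "-", sorted(d.allowed_actions))
```

The table is intentionally small so that every combination of the three signals has a documented outcome; in a real gateway the same structure would be data-driven per application rather than hard-coded.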
Examples of managed/unmanaged endpoint workflow
Endpoint Enrollment
Endpoint-based Policies
User Activity Monitoring
Activity Monitoring
Activity Monitoring & Analytics: consistent & granular data access logs; activity analytics with drill down; privileged user monitoring (diagram: corporate users, cloud security, cloud applications)
Activity Monitoring: cloud monitoring requirements should not have to differ from traditional infrastructure. Who, what, how, where, when.
Threat Prevention
In the news
Operationalize threat prevention
- Learn what's normal
- Ability to learn from past experience to apply improvements
Threat Prevention: automatic cyber-intrusion prevention; automatic insider threat prevention; SIEM enablement
Pipeline: data processing, fingerprint creation, anomaly detection engine
Engine context: GEO intelligence, IP intelligence, authorized devices, data restriction rules, identity-based
Detections: account takeover, abnormal user activity (insider), man-in-the-middle
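To make the pipeline on this slide concrete, here is an added example (not Skyfence's engine) of account-centric anomaly scoring in Python. It builds a per-user fingerprint (devices and countries seen, last login location) from constructed historical logins, then scores each new login against it: an unknown device, a new country, and physically impossible travel since the previous login. Impossible travel or two independent signals trigger a step-up verdict for re-authentication and a SIEM alert; a single signal is only recorded for analytics. The GEO/IP table stands in for a real intelligence feed and uses RFC 5737 documentation ranges; the 900 km/h travel ceiling and the sample users are assumptions.

```python
"""Account-centric anomaly scoring for SaaS logins.

Added example, not Skyfence's engine. Fingerprint creation = per-user baseline
of known devices/countries; anomaly detection = compare each new login against
that baseline and the previous login. GEO_TABLE is a hypothetical stand-in for
a GEO/IP intelligence feed (RFC 5737 documentation ranges).
"""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster implies two actors (assumption)

# Hypothetical GEO/IP feed: network -> (country, latitude, longitude).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): ("US", 33.45, -112.07),  # "Phoenix office egress"
    ipaddress.ip_network("203.0.113.0/24"): ("DE", 50.11, 8.68),      # "Frankfurt"
}


def geolocate(ip):
    """Return (country, lat, lon); unknown addresses get ('??', None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return ("??", None, None)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth (radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed login history: (timestamp, user, source ip, device fingerprint).
HISTORY = [
    ("2014-02-24T15:01:00Z", "jdoe", "198.51.100.17", "dev-A"),
    ("2014-02-25T15:03:00Z", "jdoe", "198.51.100.17", "dev-A"),
    ("2014-02-26T15:02:00Z", "jdoe", "198.51.100.42", "dev-A"),
    ("2014-02-27T14:58:00Z", "jdoe", "198.51.100.17", "dev-B"),
]


def build_fingerprints(history):
    """Per-user baseline: devices and countries seen, plus the last login's time and place."""
    fp = defaultdict(lambda: {"devices": set(), "countries": set(), "last": None})
    for ts, user, ip, device in sorted(history):  # ISO timestamps sort lexically
        country, lat, lon = geolocate(ip)
        fp[user]["devices"].add(device)
        fp[user]["countries"].add(country)
        fp[user]["last"] = (parse_ts(ts), lat, lon)
    return fp


def score_login(fingerprints, event):
    """Return (flags, verdict) for one new login event against the baseline."""
    ts, user, ip, device = event
    base = fingerprints.get(user)
    if base is None:
        return ["first_seen_user"], "step_up"  # no baseline yet: verify, then learn
    country, lat, lon = geolocate(ip)
    flags = []
    if device not in base["devices"]:
        flags.append("unknown_device")
    if country not in base["countries"]:
        flags.append("new_country")
    last = base["last"]
    if last and lat is not None and last[1] is not None:
        hours = (parse_ts(ts) - last[0]).total_seconds() / 3600
        if hours > 0 and haversine_km(last[1], last[2], lat, lon) / hours > MAX_PLAUSIBLE_KMH:
            flags.append("impossible_travel")
    # Impossible travel or two independent signals: force re-authentication and
    # raise a SIEM alert. One signal alone is logged for analytics (learn what's normal).
    if "impossible_travel" in flags or len(flags) >= 2:
        verdict = "step_up"
    elif flags:
        verdict = "monitor"
    else:
        verdict = "allow"
    return flags, verdict


if __name__ == "__main__":
    fps = build_fingerprints(HISTORY)
    for ev in [("2014-02-27T17:00:00Z", "jdoe", "203.0.113.5", "dev-Z"),
               ("2014-02-28T15:00:00Z", "jdoe", "198.51.100.17", "dev-A")]:
        print(ev, "->", score_login(fps, ev))
```

Keeping the verdict separate from the flags matters operationally: the flags feed the SIEM and the analytics drill-down, while the verdict is the only thing the gateway needs to act on, so thresholds can be tuned without touching enforcement.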
Leveraging Your Existing Infrastructure in Deployment
- Firewall, web proxies & web gateways
  - Use log files from perimeter devices as a primary source for app discovery (Palo Alto Networks, Blue Coat, Websense and others)
  - Forward cloud app traffic from these devices to a Cloud Security Gateway
  - Most vendors offer both cloud and appliance (on-premise) deployment options; some offer an endpoint agent approach
- SIEM tools
  - Integrate cloud app analytics for better insight
  - Correlate cloud activity
- User authentication
  - Active Directory integration for user and group info
  - Integration with SSO portals
- Mobile Device Management
  - Leverage certificates and existing device enrollment
Comprehensive Data Security: Imperva-Incapsula-Skyfence (diagram: cloud apps; www/external apps; Amazon Web Services; data center with databases, file servers and internal apps)
The Skyfence Advantage: Automated, Scalable, Secure
- Intelligent endpoint fingerprinting
- Automated behavioral profiling
- Application intelligence and data aware
- Scalable and flexible cloud and/or on-premise deployment options
- Accurate threat detection
- Secures your data
Scalable, Automatic Protection + Low TCO = Secure Cloud Enablement