Security in the Age of Cloud Kaushik Narayan CTO, Cloud Business Unit
CASB Connect MVISION Cloud Innovation Pre- and Post-Acquisition Acquisition announced Expansion to IaaS Skyhigh API control: Sanctioned Apps Networks Custom Apps Expand IaaS Only CASB to be named “Leader” in every analyst report Skyhigh granted 14 th Salesforce Compliance Founded in 2012 Skyhigh seminal Hyperscale Networks backed by: CASB Patent E2E DLP Shadow E2E Threat Protection IT Q4 2018 The CASB Market is Born 2
Customer Drivers for Cloud Adoption Consumer 1 Personal Productivity SaaS Network 2 Business Agility IaaS/Paas 3 Business Devices Transformation 3
Where is your sensitive data? Custom Med/Low-Risk Shadow Apps High-Risk Shadow 5% ServiceNow 11% 5% AWS 8% • 65% in top 5 SaaS apps 13% • 25% in IaaS/PaaS Salesforce 16% 2% Slack • 10% in shadow/permitted 2% Google Docs 7% Box 31% Office 365 (or Gsuite) 4
Enterprise SaaS McAfee Confidentiality Language
Sanctioned SaaS Use Cases 1. Data Protection Prevent sensitive data from being stored and shared externally 2. Contextual Access Control Sanction Block sync/download of corporate O365 data to personal devices SaaS . 3. Advanced Threat Protection Detect compromised accounts, insider/privileged threats, malware . Source: McAfee Cloud Adoption Report, Nov 2018 6
Shadow SaaS Use Cases 1. Discover & Govern Discover & Coach on use of high risk . 2. Conditional Access Control Activity and Instance based access control Shadow IT 3. Data Loss Prevention Prevent data exfiltration to medium risk services. Source: McAfee Cloud Adoption Report, Nov 2018 7
Key Considerations for SaaS Security Frictionless solutions are key to success Operational integration with Enterprise Data Protection stack Coverage for all SaaS applications including long tail. 8
Frictionless Controls : Cloud Native Brokering CASB CASB 3 rd Party Corp Desktop BYOD Remote 3 rd Party Corp Desktop BYOD Remote 9
Microsoft’s position on network intermediation for O365* 1. Microsoft support requires proxies to be turned off For MSFT to provide support, they require proxies to be turned off before they can handle the case. 2. Terms of use violation Proxies intercepting/decrypting network requests cause changes to O365 protocols & data streams which violate the terms of use 3. No guarantee of compatibility Except for public O365 APIs, Microsoft will make changes to O365 without informing proxy solution providers Source : https://support.microsoft.com/en-us/help/2690045/using-third-party-network-devices-or-solutions-with-office-365 10
Frictionless Controls : Realtime API controls Enforcement Gap Others CASBs API 00:00 05:00 User shares file Remediation Skyhigh Sky Link 00:00 00:30 User shares file Remediation Skyhigh Lightning Link 00:00 User shares file Remediation 11 11
Frictionless Controls - Marketplace controls via Connected App Firewall Control exfiltration of data from • sanctioned apps to unsanctioned marketplace apps. For e.g. Sales reporting apps connected to SF.com. Control malicious marketplace • applications from exploiting your SaaS instance. For e.g. High risk Gsuite apps.
End to End Data Protection ▪ “Any Cloud” Protection ▪ Inline CASB controls ▪ MCP for mobile protection CASB Web ▪ Threat protection for Unsanctioned Cloud ▪ Pervasive Data Protection • Unified Management ▪ Cloud Native or Hybrid Services ▪ Inline DLP & ICAP support ▪ Unified Policies ▪ Endpoint & Network Coverage ▪ Unified Reporting Enterprise ▪ Endpoint & Cloud Coverage DLP 13
End to End Data Protection Device Network Cloud Device-centric controls Cloud-native controls Network-centric controls (DLP, device control, encryption, (Web protection, DLP, threat (DLP, configuration management, threat protection, etc.) protection, etc.) threat protection, etc.) End-to-end Policy Unified Incident Management 14
Introducing McAfee CASB Connect SAAS Coverage : Security Long Tail SaaS CASB Connect Universal API Connector McAfee Skyhigh Cloud Apps Security Cloud API framework and Only 2 hours to complete Adopted by over 25 toolkit for native with no coding required Cloud apps in just one integration month 15
SAAS Coverage : CASB Connect Catalog (API + Inline) Largest catalog of SAAS services • Single pane of all sanctioned services • supported by Skyhigh Business goals (use cases) • Search for apps in CASB Connect Catalog… Shadow metrics • Ownership of integration • Validating user inputs while enabling • Cisco Spark Egnyte Intralinks API access. Submit new app requests • Workplace GitHub Citrix ShareFile 16
SaaS Security - Day Zero Microsoft Teams Support Extend DLP policies to • Microsoft teams for both files and messages. Scan existing Microsoft Teams • accounts to identify compliance issues. Extend Conditional Access • policies to Microsoft Teams. Apply EUBA to Microsoft • Teams. 17
Enterprise IaaS/PaaS Enabling Cloud Native Architectures McAfee Confidentiality Language
Cloud Native Architectures What is Different ? Traditional Applications Cloud Native Tight coupling between infrastructure and apps Loosely coupled apps and micro-services ▪ ▪ Siloed infrastructure, operations, and dev teams Service-focused DevOps ▪ ▪ Security is custom and technical controls based Security is standard and specification based ▪ ▪ PAAS 19
Enterprise IaaS/PaaS Use Cases 1. Managing Drift Identify IaaS resources with security settings that are non-compliant 2. Advanced Threat Protection Detect compromised accounts, privileged user threats, malware. 3. Sensitive Data Visibility Manage risk of sensitive information/data. Source: McAfee Cloud Adoption Report, Nov 2018 20
Key Considerations for Enterprise IaaS/Paas Security Developer/Devops centric models are key to success. Multi Cloud & Hybrid Cloud support. Information risk driving context and priority. 21
Integrating Security Into The DevOps Process Compliance protection on • CloudFormation templates and Landing Zone scripts Prevent misconfigurations from being • deployed as opposed to correctly them after the fact Integrate with DevOps Tools • 22
Multi-Cloud & Hybrid Cloud Coverage • Seamless workflow for discovery of compute resources and recommendations for agent deployment. • Server workload threat protection via Mcafee Server Protection Suite. • Single console for all Threat protection – UEBA, Malware, Workloads 23
Tying Information Risk to Drift and Threat. 24
Comprehensive Security for the Cloud IaaS SaaS Custom App Custom App Custom Custom App App Custom Custom App App Custom App Support for Custom Apps SaaS Catalog 25
Operational Simplification & Automation Prescriptive Adoption Methodology Threat Protection 1. SaaS UEBA Shadow Controls Depth of Use Case Coverage 2. IaaS Host, Network 1. Shadow IaaS and Platform threats Governance Data Protection 3. IaaS Privilege Mgmt 2. SaaS Application 1. O365 DLP & Control Collaboration Hygiene 3. Shadow/Web DLP 2. O365 Conditional 1. O365 Collaboration Blacklists Cloud Threat Access 2. IaaS Configuration Assurance Protection 3. IaaS Storage DLP 3. IaaS Storage Malware Scanning STAGE 4 Control Shadow IT 4. Shadow Visibility & Governance (CLR) STAGE 3 Sanctioned Cloud Protection STAGE 2 Sanctioned Cloud Hygiene STAGE 1 Adoption Stages 26
Operational Simplification & Automation Customer cloud maturity and value reporting 27
Shadow IT McAfee (Skyhigh) customer since 2014 65,000 Employees Why McAfee Skyhigh Security Cloud Collaboration Control ▪ Data Loss Prevention ▪ Governance ▪ Project Champion Jeff Haskill (Group CSO) ▪ ▪ Won CSO50 Award for use of Skyhigh to accelerate business 28
65,000 Employees Why MVISION Cloud ▪ Governance of cloud services Shadow IT ▪ Comprehensive cloud security (on path to CASB+WG+DLP) ▪ Microsoft-recommended approach to Office365 data security 29
MVISION Cloud Cloud Security that Accelerates Business FOR MORE INFORMATION: Kaushik_Narayan@mcafee.com
Recommend
More recommend