ISSA Phoenix Chapter Meeting Topic:
Security Enablement & Risk Reducing Best Practices for BYOD + SaaS Cloud Apps
Agenda: Security Enablement Concepts for BYOD & SaaS Cloud Apps
• Intro and background
• BYOD & SaaS adoption and growth projections
• Quantifying the risk: users/devices vs. SaaS CSP
• Paradigm shift from “No” to Enablement
• Security enablement concepts
  - Discovery and Risk Assessment
  - Access, authentication and SSO
  - Managed vs Unmanaged BYOD devices
  - User activity monitoring, auditing, and analytics
  - Account Centric Threat Detection
  - Deployment considerations
  - Larger ecosystem
• Q&A
Data Proliferation
• What’s driving cloud?
  - Cost effective
  - Collaborative
  - Scalable
  - Always on
  - No hardware
  - Accessibility
• Traditional data center: corporate applications becoming SaaS applications; customer-facing applications moving to IaaS or PaaS providers
• Mobile/BYOD
InfoSec paradigm shift from “no” to “enablement”
The horse has left the barn…and it’s not a bad thing for InfoSec
BYOD access to cloud has increased 20% in three years
More of what you already know…
Business execs want anywhere, anytime cloud app access
Not surprisingly, Security is the concern for cloud enablement
To encrypt or not to encrypt…in the cloud(s)
Where is the greater risk: the CSP or your users? (diagram: SaaS Cloud Service Provider (CSP), corporate users, roaming users, hackers)
Knee jerk reaction? Encrypt data going to the Cloud Provider…
What about your 20,000 Salesforce.com users w/acct credentials?
Phishing, wireless hijacking, insiders – All user/device focused
Prioritize based on risk
Users with credentials still have access to the apps!
“Yes you can” Enablement
Paradigm shift from “No” to Enablement
(diagram: Corporate Users -> Cloud Security -> Cloud Applications)
SaaS Security Landscape: BYOD users are the biggest risk
(diagram of capability areas: Encryption; Data Leakage Prevention; Account Centric Threat Prevention; User & Device Activity Monitoring; SaaS Discovery, with the highest-risk areas highlighted)
• Cyber hackers & malicious employees are the biggest security threat
• Discover & prioritize “Shadow IT”
• Data at rest at Cloud Service Provider
Best practice data risk and security rules do not change
• Risk & Compliance: cloud apps discovery & BYOD enrollment; sensitive data access reports; tracking configuration & user permission changes
• Threat Prevention: automatic insider threat prevention; automatic cyber-intrusion prevention; SIEM enablement
• Activity Monitoring & Analytics: privileged user monitoring; consistent & granular data access logs; activity analytics with drill down
So you want to enable, now what?
Security enablement & risk reducing best practices
• Discovery and Risk Assessment
• Access, authentication and SSO
• Managed vs Unmanaged BYOD devices
• User activity monitoring, auditing, and analytics
• Account Centric Threat Detection
• Deployment considerations and larger ecosystem
Risk and Compliance
• Cloud apps discovery & BYOD enrollment
• Sensitive data access reports
• Tracking configuration & user permission changes
Your network firewall/web proxy logs are a good place to start. Cloud apps in use on your network will help justify managing
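The slide suggests starting SaaS discovery from firewall and web proxy logs. The following is an added example, not from the presentation or any vendor product; it assumes a constructed five-field proxy log format and a hand-built catalog of SaaS domains, and ranks unsanctioned apps by how many distinct users reach them:

```python
# Shadow-IT discovery from proxy logs (added example, not from the slides).
# Assumed, constructed log format: <timestamp> <user> <client_ip> <dest_host> <bytes_out>

# Constructed catalog: domain -> (app name, sanctioned by IT?)
SAAS_CATALOG = {
    "salesforce.com": ("Salesforce", True),
    "box.com": ("Box", True),
    "dropbox.com": ("Dropbox", False),
    "evernote.com": ("Evernote", False),
}

# Constructed sample proxy log; no real users, hosts or addresses.
SAMPLE_LOG = """\
2014-03-01T09:00:01 alice 10.1.2.3 na1.salesforce.com 1200
2014-03-01T09:00:05 bob 10.1.2.4 www.dropbox.com 5400000
2014-03-01T09:01:10 alice 10.1.2.3 www.dropbox.com 88000
2014-03-01T09:02:00 carol 10.1.2.5 app.box.com 2300
2014-03-01T09:03:30 dave 10.1.2.6 www.evernote.com 910000
2014-03-01T09:05:00 erin 10.1.2.7 intranet.corp.local 100
this line is malformed
"""

def classify(host):
    """Map a destination host to (app, sanctioned) by catalog domain suffix."""
    for domain, entry in SAAS_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def discover(log_text):
    """Aggregate distinct users, request count and bytes out per SaaS app."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # tolerate malformed lines instead of aborting the run
        _ts, user, _ip, host, nbytes = parts
        hit = classify(host)
        if hit is None:
            continue  # not a catalogued cloud app (internal or unknown host)
        app, sanctioned = hit
        s = stats.setdefault(app, {"users": set(), "requests": 0, "bytes_out": 0, "sanctioned": sanctioned})
        s["users"].add(user)
        s["requests"] += 1
        s["bytes_out"] += int(nbytes)
    return stats

def shadow_it_report(log_text):
    """Unsanctioned apps as (app, distinct_users, bytes_out), riskiest first."""
    rows = [(app, len(s["users"]), s["bytes_out"])
            for app, s in discover(log_text).items() if not s["sanctioned"]]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))
```

Real proxy formats (Palo Alto, Blue Coat, Websense) differ in field order, so only the line parser needs adapting; the catalog is what turns raw destinations into an app inventory.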
Access, Authentication and Single Sign On (SSO)
• Consider leveraging your existing AD environment
  - Using Cloud SSO Providers such as Ping, Centrify, Okta, Symplified who provide pre-integrated AD based Single Sign On to 1000’s of cloud apps
• “Carrot and Stick” approach
  - Users get the SSO and ease of access they want
  - IT gets centralized visibility, management and de-provisioning through AD users and groups
  - Some solutions sync to their cloud directory; some proxy to on-prem AD instance
• Cloud Security Gateways integrate with leading SSO Providers
  - For cloud-based access control and monitoring
(diagram: Corporate Users -> Cloud SSO Providers / SSO Portals -> Skyfence)
Managed vs Unmanaged devices
Considerations
• Push device agent software or agentless?
• User transparency: what assumptions about device risk posture can be made if:
  - It has already connected from the corporate network in the past?
  - It has a correct MDM certificate?
  - It is connecting from a trusted IP range?
• If device is unmanaged:
  - Prompt manual enrollment for unmanaged BYOD devices to connect to corporate cloud apps?
  - Force two factor authentication?
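The three posture questions above can be turned into an access decision. This is an added example, not the presenter’s or any product’s policy; the weighting (only a valid MDM certificate proves management, prior corporate-network history and a trusted IP range merely reduce friction) and the trusted ranges are assumptions:

```python
# Device-posture decision for BYOD access to cloud apps (added example, not
# from the slides). The policy weights below are an assumption for illustration.
import ipaddress

# Constructed trusted IP ranges (e.g. corporate egress) for the example.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]

def in_trusted_range(ip, ranges=TRUSTED_RANGES):
    """True if the client IP falls inside any configured trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address never counts as trusted
    return any(addr in net for net in ranges)

def posture_signals(device, client_ip):
    """Answer the three posture questions for a device record (a dict)."""
    return {
        "mdm_cert": bool(device.get("mdm_cert_valid")),
        "seen_on_corp_net": bool(device.get("seen_on_corp_network")),
        "trusted_ip": in_trusted_range(client_ip),
    }

def access_decision(device, client_ip):
    """Return (decision, reasons). A valid MDM certificate is the only signal
    treated as proof of management; the other two are weak (IPs are shared
    or spoofable, history is not possession) and only lower friction."""
    sig = posture_signals(device, client_ip)
    if sig["mdm_cert"]:
        return "allow", ["managed: valid MDM certificate"]
    reasons = ["unmanaged: no valid MDM certificate"]
    if sig["seen_on_corp_net"] and sig["trusted_ip"]:
        # known device on a trusted network: enforce a second factor now,
        # without interrupting the user with an enrollment prompt
        reasons.append("known device on trusted IP range")
        return "require_2fa", reasons
    if sig["trusted_ip"]:
        reasons.append("trusted IP range only; not sufficient on its own")
    if sig["seen_on_corp_net"]:
        reasons.append("previously seen on corporate network only")
    # no strong evidence: require enrollment and a second factor
    return "prompt_enrollment_and_2fa", reasons
```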
Activity Monitoring
(diagram: Corporate Users -> Cloud Security -> Cloud Applications; Activity Monitoring & Analytics: privileged user monitoring; consistent & granular data access logs; activity analytics with drill down)
Cloud monitoring requirements should not have to differ from traditional infrastructure
Operationalize threat prevention: learn what’s normal
(diagram: Threat Prevention: automatic insider threat prevention; automatic cyber-intrusion prevention; SIEM enablement)
• Ability to “learn” from past experience to apply improvements
• Inputs: GEO intelligence, IP intelligence, authorized devices, data restriction rules
• Pipeline: data processing -> fingerprint creation -> anomaly detection engine
• Detections: identity-based account takeover, abnormal user activity (insider), man-in-the-middle
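To make the fingerprint-then-detect pipeline concrete, here is an added example (not the vendor’s engine) that builds a per-user baseline from constructed past sessions and scores new sessions for the two cases the slide names: account takeover (new country plus new device) and insider abuse (known device, bulk download). Feature choices and thresholds are assumptions:

```python
# Account-centric anomaly detection over cloud app sessions (added example, not
# the vendor's engine). Baseline features and thresholds are assumptions here.
from collections import defaultdict

# Constructed history: (user, country, device_id, bytes_downloaded) per session.
HISTORY = [
    ("alice", "US", "dev-a1", 2_000_000),
    ("alice", "US", "dev-a1", 3_000_000),
    ("alice", "US", "dev-a2", 1_000_000),
    ("bob", "US", "dev-b1", 500_000),
    ("bob", "DE", "dev-b1", 700_000),
]

def build_fingerprints(history):
    """Per-user baseline: countries and devices seen, mean bytes downloaded."""
    fp = defaultdict(lambda: {"countries": set(), "devices": set(), "sizes": []})
    for user, country, device, size in history:
        fp[user]["countries"].add(country)
        fp[user]["devices"].add(device)
        fp[user]["sizes"].append(size)
    for f in fp.values():
        f["mean_download"] = sum(f["sizes"]) / len(f["sizes"])
    return dict(fp)

def score_event(fp, event, bulk_factor=5.0):
    """Score one new session against its user's baseline; unknown users
    score 0 because there is no history to compare against."""
    user, country, device, size = event
    if user not in fp:
        return 0, ["no baseline for user"]
    f, score, findings = fp[user], 0, []
    if country not in f["countries"]:
        score += 2
        findings.append("new country: " + country)
    if device not in f["devices"]:
        score += 2
        findings.append("new/unauthorized device: " + device)
    if size > bulk_factor * f["mean_download"]:
        score += 3
        findings.append("bulk download relative to baseline")
    return score, findings

def triage(fp, events, threshold=3):
    """Sessions at or above threshold: new geo plus new device looks like
    account takeover; a known device with a bulk download looks like an insider."""
    alerts = []
    for event in events:
        score, findings = score_event(fp, event)
        if score >= threshold:
            alerts.append((event[0], score, findings))
    return alerts
```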
Leveraging Your Existing Infrastructure in Deployment
• Firewall, Web Proxies & Web Gateways
  - Use log files from perimeter devices as a primary source for app discovery (Palo Alto Networks, Blue Coat, Websense and others)
  - Forward cloud app traffic from these devices to a Cloud Security Gateway; most vendors offer both cloud and appliance (on premise) deployment options; some offer an endpoint agent approach
• SIEM Tools
  - Integrate cloud app analytics for better insight
  - Correlate cloud activity
• User Authentication
  - Active Directory integration for user and group info
  - Integration with SSO Portals
• Mobile Device Management
Comprehensive Data Security: Imperva-Incapsula-Skyfence
(diagram: Cloud Apps; Data Center with external apps, Amazon Web Services, databases, file servers, www, internal apps)
The Skyfence Advantage: Automated, Scalable, Secure
• Intelligent endpoint fingerprinting
• Automated behavioral profiling
• Application intelligence and data aware
• Scalable and flexible cloud +/- on premise deployment options
• Accurate threat detection
• Secures your data