Security "Bits"

Bitglass Q&A: Securing Mobile with a CASB

By Salim Hafid | May 10, 2016 at 8:00 AM

In our latest webinar in partnership with (ISC)², we discussed how leading organizations are using Cloud Access Security Brokers (CASBs) to secure BYOD. Live attendees asked several questions, some of which we are addressing in this post.

Read on to learn how CASBs protect unmanaged devices, apply DLP, and can replace most MDM functionality without agents or employee privacy concerns.

How can a CASB, without an agent, monitor an unmanaged device used by an employee who goes to, say, log in to their O365 portal while sitting at a Starbucks?

At the core of any CASB solution is the ability to control access by distinguishing between devices and users. By limiting data flows in certain risky contexts and applying more restrictive controls around that data, IT can limit data leakage while enabling secure access from any device. By integrating into the identity and single sign-on process, CASBs are able to redirect users to the CASB service, even if their device is completely unmanaged. Users who attempt to log into a cloud app like O365 are automatically routed through the Bitglass reverse proxy, which enables real-time data protection.

Talking about O365, I thought the EMS suite natively meets the requirement that the Bitglass solution is trying to solve?

Microsoft EMS is another MDM solution, with the same drawbacks as the more well-known offerings. The offering may be included in your Office 365 license, but you'll pay in low adoption, employee privacy concerns, deployment complexity, and more. 

Does the BYOD solution also provide remote wipe or do I still need MDM to do this? How do you selectively wipe only corporate data from an unmanaged device when there is no agent?

The Bitglass BYOD solution supports selective remote wipe without agents (in addition to setting device security configuration such as PIN codes and device encryption). No MDM required. 

How do CASBs apply DLP if the traffic is encrypted from cloud provider to mobile device?

CASBs sit inline, between cloud apps and user devices. While fully encrypted in transit, all corporate traffic is scanned and appropriate DLP applied in real-time based on the policies in place.
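The following is an added illustration of context-aware inline DLP at a proxy that sees decrypted response bodies; it is not Bitglass code or Bitglass's implementation. The `Context` fields, the card-number pattern, the redaction format and the sample text are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Candidate payment card numbers: 13-19 digits, optional space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample response body: one well-known test card number and one
# 16-digit order reference that is not a valid card number.
SAMPLE = "Card on file: 4111 1111 1111 1111; order ref 1234567890123456."

@dataclass
class Context:
    managed_device: bool    # assumption: decided earlier, e.g. during SSO
    trusted_network: bool   # assumption: corporate network vs. public Wi-Fi

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def apply_dlp(body: str, ctx: Context) -> tuple[str, int]:
    """Return (body to forward to the device, number of redactions made)."""
    # Low-risk context: forward unchanged. Anything else gets the stricter policy.
    if ctx.managed_device and ctx.trusted_network:
        return body, 0
    hits = 0

    def redact(match: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()    # not a card number: leave untouched
        hits += 1
        return "[REDACTED-PAN-" + digits[-4:] + "]"

    return CARD_RE.sub(redact, body), hits

if __name__ == "__main__":
    print(apply_dlp(SAMPLE, Context(managed_device=False, trusted_network=False)))
```

The Luhn check is what keeps the order reference intact: pattern matching alone would redact any long digit run and generate false positives.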

How do you create DLP rules/Fingerprinting?

Our customers can use our pre-built DLP policies, import existing policies, or work with us to create new policies.

Does Bitglass support both cloud apps and premises-based apps?

Yes. While built for the cloud first, the Bitglass mobile solution works across any application deployed in your organization.

What kind of workload is involved in setting up the context-aware engine?

Setting up the Bitglass context-aware engine is incredibly easy. The solution is ready to distinguish between managed and unmanaged devices, secured and unsecured networks, out of the box. Since it's a cloud-based solution with nothing to install, we can have you up and running in about a half hour. 

What about CASB protection in collaboration tools such as Slack and HipChat?

The Bitglass solution can proxy any web application that supports single sign-on.

What impact does the reverse proxy redirect have on response time?

While there is an additional hop when traversing the Bitglass proxy, our globally load-balanced, distributed architecture is very high performance. In fact, Bitglass is sometimes even faster than going direct to a cloud app!

Okta provides a password reset and sync with AD. Does Bitglass offer password reset capabilities that fall within our password policies?

Bitglass works with existing IAM providers like Okta and Ping. We also have our own integrated identity management solution capable of contextual multifactor authentication and more.

Does each client device need to be licensed?

Bitglass is licensed on a per-user basis.


Learn more about our mobile solution here.

As always, you can email us at or tweet @bitglass with any other questions, and be sure to register for our next webinar on May 18 where we'll discuss capabilities of CASBs.


