Security "Bits"

How to Leverage Legacy DLP for Cloud Apps (Users will Hate You)

By Nat Kausik | September 5, 2014 at 10:19 AM

Yesterday we hosted a visit from the CISO of a top-5 global bank. The hot topic, of course, was preventing data breaches and how to apply DLP and Contextual Access Control to cloud and mobile.


On the one hand, the organization had invested in legacy on-premise DLP software from a leading vendor. Could we leverage that, asked the CISO. As we talked through the solution requirements, the following became clear:

Pros of routing traffic from Cloud-Access Security Broker (CASB) through legacy DLP installation:

(a) Leverage existing investment to cut costs.

Cons of routing traffic from CASB through legacy DLP installation:

(a) The legacy software could only inspect simple channels such as SMTP and file scans. It had no support for protocols like ActiveSync or IMAP, which are essential for mobility.

(b) Routing traffic from the CASB proxy to the on-premise legacy DLP requires opening inbound firewall rules from the cloud into the corporate network. That is more attack surface to manage and another path an attacker can probe.

(c) Routing traffic through the on-premise legacy DLP installation would make performance collapse. For example, to apply DLP to the file-sharing service Box, traffic from a mobile device would first go to the CASB proxy, then to the on-premise DLP server, back to the CASB proxy, then to a secure web gateway, and only then on to Box. That is five WAN hops, two of them through the already congested corporate firewall, with the round trip to the DLP server added to every request.

Daisy-chaining on-premise gear is easy because LAN latency is negligible. Daisy-chaining cloud services across WAN latency is wise only if you want users to hate you. That is also why Salesforce does not run its application on top of your legacy database investment.

The CISO came to a quick decision.  "I want to empower users, not make life difficult for them.  Don't want them to hate me."
