
Total Cloud Security Blog

Securing Remote Work Part 2: Bitglass CASB for SaaS

By Jacob Serpa | April 27, 2020 at 5:00 AM

In part one, we set the stage by discussing the rise of cloud, BYOD, and remote work, as well as the need for organizations to refresh their approaches to security so they can address these three trends. In this blog, we will discuss how organizations can secure managed SaaS like Office 365, ServiceNow, Salesforce, and G Suite with Bitglass. While cloud app vendors are responsible for securing the underlying infrastructure that supports their apps, it is up to their customers to use the apps safely, which can be a challenge when it comes to remote work. Fortunately, Bitglass’ cloud access security broker (CASB) can secure the use of any SaaS app anywhere. Read on to learn how!


Architecture

Bitglass delivers a proven, multi-mode CASB with API integrations for securing cloud data at rest, forward proxy for securing managed devices, and agentless reverse proxy for securing managed app access on any device. Naturally, the agentless reverse proxy is critical for securing remote and personal endpoints as it requires no software installations or physical device access (making for a rapid deployment). Bitglass is the only vendor able to offer this agentless deployment option due to its patented AJAX-VM technology. Additionally, as the solution is fully deployed in the cloud, Bitglass boasts a Polyscale Architecture that automatically scales to the IT needs of your organization without having to backhaul traffic--no appliances are required. The solution offers robust identity management, granular data protection, zero-day threat protection, and comprehensive visibility wherever data goes. 

Identity

Authentication and identity management are the cornerstones of proper security. Without knowing who is who, enforcing contextual security policies becomes impossible. Bitglass integrates with any SAML-2.0-compliant identity provider (IdP) and also provides single sign-on (SSO) and multi-factor authentication (MFA) natively. Users can either sign in as they access managed applications directly, or sign in to a portal from which they can access any of their company’s apps (see example below).

[Image: Login Portal]

Once users have authenticated on any device, Bitglass can enforce security policies based on their identities and other items like device type and location--more on that below.

Data Protection

Data loss prevention (DLP) is a core component of any data protection suite. It covers a range of capabilities that grant different levels of access to data in order to prevent leakage. For example, digital rights management (DRM) with Bitglass “wraps” files upon download when the user is accessing particularly sensitive information and needs to demonstrate further authorization. When a user triggers the policy, an inline notification is displayed (shown below). Upon opening the file, the user is redirected to a password-protected portal in the web browser which, if proper credentials are provided, grants access to a read-only version of the file (preventing leakage and preserving data integrity).

[Image: Alert to DRMing of File]

With Bitglass, DLP policies are easily configured. Simply select the user groups, web apps, access methods, devices, and locations for which you would like the policy to be enforced, then choose the DLP policy (or action) you want to employ. The product provides predefined data patterns that can be protected via DLP, but also grants the ability to create custom patterns. Once policies are set, they are automatically enforced without IT intervention. Below is an image of the DRM policy being chosen to protect documents that contain PCI (payment card industry) data in Office 365.

[Image: DRM config]
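To make the policy model above concrete, here is an added illustration (not Bitglass code, and not a description of its internals) of how such a policy could be evaluated: a request context is scoped on the same five dimensions the post lists, a predefined "PCI" pattern uses a Luhn check so that random digit runs do not trigger it, and the first in-scope policy whose pattern fires decides the action. The policy, the request contexts, and the sample document text are all constructed for the example.

```python
import re
# Candidate 13-19 digit runs, optionally separated by single spaces or dashes.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
ANY = "*"  # wildcard for a scoping dimension the policy does not restrict

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def contains_pci(text: str) -> bool:
    """Predefined 'PCI' data pattern: any Luhn-valid 13-19 digit card number."""
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

DETECTORS = {"pci": contains_pci}  # custom patterns would register here

# A policy scopes on the same five dimensions the post lists; each is a set of
# allowed values or ANY. The context describes the request being proxied.
SCOPE_KEYS = ("user_group", "app", "access_method", "device", "location")

def policy_applies(policy: dict, ctx: dict) -> bool:
    """Every scoping dimension must admit the context value (or be unrestricted)."""
    return all(policy[k] == ANY or ctx[k] in policy[k] for k in SCOPE_KEYS)

def evaluate(policies: list, ctx: dict, content: str) -> str:
    """Action for a download: first in-scope policy whose pattern fires wins, else allow."""
    for p in policies:
        if policy_applies(p, ctx) and DETECTORS[p["pattern"]](content):
            return p["action"]
    return "allow"

# Constructed sample policy mirroring the post: DRM-wrap Office 365 documents that
# contain PCI data when downloaded to an unmanaged device via the agentless reverse proxy.
POLICIES = [{
    "name": "pci-o365-drm", "pattern": "pci", "action": "drm",
    "user_group": {"finance", "sales"}, "app": {"office365"},
    "access_method": {"reverse_proxy"}, "device": {"unmanaged"}, "location": ANY,
}]
# Constructed request contexts: a remote worker on a personal laptop, and a managed device at HQ.
REMOTE_BYOD = {"user_group": "finance", "app": "office365",
               "access_method": "reverse_proxy", "device": "unmanaged", "location": "home"}
MANAGED_HQ = dict(REMOTE_BYOD, access_method="forward_proxy", device="managed", location="hq")
```

The same document is wrapped for the remote personal device but passes untouched for the managed device at HQ, which is the contextual behaviour the post describes.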

Threat Protection

Users of infected endpoints (particularly remote or personal devices) can unknowingly upload malware to corporate app instances--where infections can then spread to connected apps as well as other devices upon download. Bitglass addresses this problem by automatically detecting and remediating known and zero-day threats at rest as well as at upload and download for any device or application--without the use of agents. If users attempt to upload infected files from even a personal device, they are presented with customizable block messages like the one seen below in Slack.

[Image: Block malware upload]

As with DLP, policies for identifying and remediating malware are easily configured. An example can be found in the image below. Simply select the option to block the download of infected files--they are then automatically blocked in real time.

[Image: ATP Config]

Visibility

Maintaining visibility over your apps, users, files, and data is critical. Bitglass provides a dashboard that details all activity across your entire cloud footprint. In this way, you can generate comprehensive reports, enable audits with ease, and inform your data protection policies. As users and devices access data remotely, having this level of visibility only increases in importance. Below, one can see how application activity, DLP activity, and event logs are displayed. The second image shows how Bitglass displays global access details.

[Image: Activity Log]

[Image: Overview Global Access]

Want to learn more about how Bitglass can help your organization and its remote workers stay safe in today’s trying times? Download the white paper below. You can also request a free trial of Bitglass’ solution.

Enabling Zero Trust Remote Work
