For many Infosec professionals, one of the scariest things about moving to the public cloud is also one of its key selling points - anybody can log in from any device, anywhere. For this reason, one of the first policies that many enterprises implement is contextual access control - putting parameters around the key variables (what group, what device, what location, what app, what data and more) associated with a given cloud app session or transaction.
In this post we're taking a look at how to configure a subset of access control with a CASB - controlling access from unmanaged devices. Our hypothetical customer is a multinational snack and beverage company embarking on a project to protect Office 365 in order to keep PII and trade secrets safe.
The first thing to decide is how we want to identify managed devices. Since there is no single answer to this question, a good CASB will give you flexibility in what this policy looks like: you can typically identify managed devices based on domain membership, installed certificates, serial numbers, MDM enrollment, machine fingerprints, and more. In this example screenshot, we've created a few device profiles. For the rest of this post, we'll use an easy one - we'll pull an attribute out of the SAML assertion that comes from the Identity Provider during SSO. If the authentication attribute tells us the machine authenticated with a digital certificate, the device matches the profile; anything else is treated as unmanaged.
Next, we'll add that Device Profile to our Office 365 policy.
Then, we set up the rest of the policies. Devices that match the "SAML Attribute" profile will have full access, but we want to do some (fully customizable) monitoring and notification when people access Personally Identifiable Information (from Bitglass' library of pre-defined DLP templates) and "Secret Projects" (a custom DLP pattern that our example customer is using).
In the screenshot below, the top row matches our managed devices, and the bottom row is the policy that applies to unmanaged devices.
On unmanaged devices, we want to put some more restrictions in place. While we want to ensure that our employees are able to work anytime, anywhere, and from any device, we also don't want to unnecessarily increase risk. So when unmanaged devices access PII, we're going to mask/redact that data from email, and encrypt any files matching that pattern. Since "Secret Projects" are particularly sensitive, we're going to block all access from BYOD altogether. After all, the R&D team is working on a new formula for a caffeine-free, clear alternative to normal colas that we know is going to be a blockbuster hit - we don't want our competitors getting their hands on it.
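The policy logic described above, as an added toy example in Python (not Bitglass code or any real CASB engine). It assumes the IdP signals certificate-based authentication with the SAML AuthnContextClassRef value `urn:oasis:names:tc:SAML:2.0:ac:classes:X509`, and it treats a missing, unknown or unparseable value as unmanaged so that the check fails closed.

```python
"""Toy model of contextual access control by device profile (constructed example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Assumption: the IdP emits this standard class ref when the user authenticated
# with a client certificate. Your IdP's attribute may differ; check its assertions.
CERT_AUTHN = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"

# The two policy rows from the post, keyed by (device profile, DLP pattern).
POLICY = {
    ("managed", "PII"):               {"access": "allow", "email": "notify", "files": "notify"},
    ("managed", "Secret Projects"):   {"access": "allow", "email": "notify", "files": "notify"},
    ("unmanaged", "PII"):             {"access": "allow", "email": "redact", "files": "encrypt"},
    ("unmanaged", "Secret Projects"): {"access": "block"},
}
DEFAULT = {"access": "allow"}  # content that matches no DLP pattern


def device_profile(assertion_xml: str) -> str:
    """Return 'managed' only when the assertion proves certificate authentication.

    A malformed assertion or an absent/unexpected AuthnContextClassRef yields
    'unmanaged' (fail closed) rather than silently granting the managed row.
    """
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return "unmanaged"
    ref = root.find(".//saml:AuthnContextClassRef", NS)
    if ref is None or (ref.text or "").strip() != CERT_AUTHN:
        return "unmanaged"
    return "managed"


def decide(assertion_xml: str, data_class: str) -> dict:
    """Look up the actions the CASB would apply for this session and content type."""
    return POLICY.get((device_profile(assertion_xml), data_class), DEFAULT)


def _assertion(class_ref: str) -> str:
    # Constructed, minimal assertion containing only the element we inspect.
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion>')


MANAGED = _assertion(CERT_AUTHN)
BYOD = _assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
NO_CONTEXT = f'<saml:Assertion xmlns:saml="{SAML_NS}"/>'
```

Running `decide(BYOD, "Secret Projects")` returns the block row, while the same request from `MANAGED` is allowed with notification only.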
Hit save and y'er done. As my 5-year old daughter is fond of saying, "easy peasy lemon squeezy."