Glass Class - Reining in Cloud Apps
Hi, I'm Mike from Bitglass. I wanted to tell you about a journey that we see in regulated verticals, like financial services, with unmanaged applications. Typically, in environments like financial services, things are locked down quite a bit. You have PCs and you're not allowed to do very much. There's a lot of blocking that's going on. Let's say that we're connecting up to cloud applications.
A lot of times, there’ll be issues with access to things like Facebook, LinkedIn, and then, of course, there are the normal applications like Box and others that may be either sanctioned by the company and deployed with licenses and protected – or not. Sometimes, there are personal applications here. One of the key things when you have a regulated vertical that's trying to control what's going on, is you don't want data exfiltration.
I have files over here that exist on my PC. Let's say I generated one and I created it. It might be alright for me to take it and upload it and put it in O365. That's good, because that's the corporate-sanctioned app that we use all the time. But it’s not okay for me to take that file and post it onto Facebook. From a blocking perspective, you have a couple options. One is to deploy something like a secure web gateway, or a next-gen firewall, or even a CASB, to try to control the data access. What happens there is they're able to track things like posts of texts that go up to Facebook, which could be copied and pasted from the content in that actual file. They could be actual file uploads. They can block that.
Typical things like, say, Palo Alto Networks, has a signature for Facebook posting. That'll block. The problem with that, and the problem with all these signature-based approaches, is that they're based on configuration and knowledge of the application. What happens when the application changes? What we see a lot of times is that all of a sudden, the file that wasn't supposed to be in Facebook is up there again. That's because, from a signature perspective, they didn't know about the changes in the app.
The apps like Facebook, or Box, or with LinkedIn, or whatever, aren't going to tell the company that a change has been made to the code. They have a portion of time before the signature updates come out, if they can even come out and actually catch the new upload mechanism, where the data can be exfiltrated. What they're looking for, a lot of times, from a pervasiveness perspective, is to allow more of these applications, allow people to do the work they need to do.
A lot of times, you're doing things that require you to go to LinkedIn or require you to search for things. They require you to do research. Sometimes those applications need to be allowed. They really want to lock them down, block access from uploads of content that's corporate-related into those apps.
What you really want is an approach that involves machine learning and AI to learn about these upload paths. That's what you get from a Next-Gen CASB. Bitglass has developed a technology that allows leakage path learning on the fly. As soon as someone tries to upload the document, we're able to learn about that new path, regardless of if we've seen it or not, so that we can block the upload of the corporate data.
All of a sudden, you can check all the boxes from a compliance perspective. You don't have to worry about those time periods where data gets uploaded. We've seen a number of different companies – we have seen a couple of hedge funds, for example – that have policies like this, and have been trying to use other CASBs, that don't even know that the blocking technology’s not working.
All of a sudden their data gets exfiltrated. That's because they don't have this machine learning and AI technology that you get from a Next-Gen CASB. If you'd like to hear more, we have a few webinars on this. We'd love to engage a little bit to discuss the amazing technology. Thank you.