
CASB delivers must-have protection for your SaaS apps

Tom Henderson | Aug. 9, 2016
Cloud Access Security Brokers are products that can be described as firewall plus identity management plus anti-malware plus DLP plus encryption control/implementation plus threat management.

Bitglass has done a lot of homework on the task list of items needed to migrate to its services, but administering the Bitglass portal requires above-average attention to detail to achieve the depth that competitor CipherCloud has in encryption and DLP control. After testing, we agreed: non-trivial but definitely doable.

Bitglass encrypts, and goes a step further than CipherCloud: it can watermark files so that exfiltration can be traced forensically. It geolocates users, which lays the foundation for monitoring weird user data behavior. Logged on from Santa Monica, then an hour later accessed something from London? Yes, Bitglass can sense this and throw a red flag. The geolocation feature can be thwarted, but it takes serious talent and timing to get past such a feature.
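The Santa Monica-then-London check described above is commonly called impossible-travel detection. The following is an added example, not Bitglass's implementation and not part of the original review; the thresholds `MAX_KMH` and `MIN_KM`, the event format and the sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed
MIN_KM = 100.0   # assumed floor: ignore small jumps caused by coarse geo-IP data

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag consecutive events of one user whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        last[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < min_km:
            continue
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # Two distant events at the same instant count as infinite speed.
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            alerts.append((ev["user"], prev["city"], ev["city"], round(km), speed))
    return alerts

# Constructed sample events (users, times and coordinates are illustrative).
EVENTS = [
    {"user": "alice", "time": datetime(2016, 8, 9, 9, 0), "city": "Santa Monica", "lat": 34.0195, "lon": -118.4912},
    {"user": "bob", "time": datetime(2016, 8, 9, 9, 0), "city": "Santa Monica", "lat": 34.0195, "lon": -118.4912},
    {"user": "carol", "time": datetime(2016, 8, 9, 8, 0), "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "time": datetime(2016, 8, 9, 10, 0), "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "time": datetime(2016, 8, 9, 10, 0), "city": "Los Angeles", "lat": 34.0522, "lon": -118.2437},
    {"user": "carol", "time": datetime(2016, 8, 9, 17, 0), "city": "New York", "lat": 40.7128, "lon": -74.0060},
]

if __name__ == "__main__":
    for user, src, dst, km, speed in impossible_travel(EVENTS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km at {speed:.0f} km/h")
```

Geo-IP lookups are coarse, so corporate VPN egress points are a common source of false positives for a rule like this.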

We found that Bitglass could accommodate other SaaS portals if we did the work, and single sign-on support can be enabled as well. We chose Active Directory Federation Services with Bitglass as a SAML provider. Okta, an SSO service, can also be used.

Another Bitglass strength is tending to devices both inside and outside an organization’s “secure perimeter,” although control over smartphones (we tested Android and iOS) is limited compared to Windows or Mac OS X.

Initial setup was straightforward, and included directions to the correct scripts to join our small test Active Directory domain. A circuit to an organization’s Active Directory is necessary for authentication.

The Bitglass administrative portal renders a lot of information, and is the nexus of control. The administrative portal has object filters, including a set of pre-defined libraries of patterns for things like credit card data fields as keywords, used to stanch information flow upon a match with the object filter.

DLP is good, but perhaps not as good as that of CipherCloud or Netskope, and not as programmable, either.

Starting a new Salesforce instance with Bitglass involved creating a Salesforce subdomain, then modifying it so that an installed (self-signed Bitglass) certificate was used to force browser redirection through Bitglass’s portal for rules/policy purposes, and subsequent data imprisonment. This locks in Bitglass as a provider and circuit for users, thus allowing agentless clients to use Bitglass for SSO, audit, and DLP features. It’s pretty easy, we found.

What’s less trivial is the need for staff to monitor exception handling, including noise generated by high-volume user activity across a potentially broad spectrum of SaaS and supported cloud resources. But this is the same stress that any CASB product will impose at any good level of activity. The noise, however, can be “smoothed” to a manageable level.

Here, the Activity Dashboard of Bitglass became very useful. We felt like we had a handle on activity that needed addressing, and that a variety of activities with a high volume of load would be acceptable to us, although we lack the capacity to emulate the shenanigans of thousands of users doing cloud plus Exchange, Google or Office 365 apps, Evernote — plus Salesforce. You might assume that your user base is well-behaved, but we all know that users do odd things, and sometimes try to get around the rules. This is why the Bitglass UI made us happy, in that it separates the trivial from the ghastly.

