CASB + IdP + EMM: Securing Enterprise Mobile-Cloud Usage

By on Jun 13, 2016

Yesterday it was ransomware, today it is Zuckerberg’s Twitter and Pinterest accounts hack. Each day, stories of security breaches highlight new vulnerabilities that hackers are exploiting to break into enterprise systems. The furious pace of evolution in the security space has led to enterprises continually augmenting their security with new solutions. An infrastructure comprising of multiple security components is required because no single solution can possibly address the diverse security requirements faced by enterprises today.

Pre-built integrations between components of security infrastructure are critical to the strength of the overall security. Not only does this reduce IT overhead in ‘connecting the dots’, but the exchange of information is important to root out potential security threats. For instance, activities that may seem harmless from an on-premises perspective or a cloud perspective, when viewed together, may surface a credible threat.

The Mobile-Cloud Era Needs a Robust Security Solution

The massive adoption of cloud services by enterprises has been paired with a simultaneous increase in mobile usage, driving increased mobile to cloud traffic. Both of these megatrends have enabled companies to realize substantial productivity benefits as they have allowed employees to work from anywhere, anytime with access to all the corporate data. This capability, however, has also allowed employees to access and download corporate data onto personal devices, often on public networks. This contributes to security risk as data in personal devices is not always encrypted and is open to unauthorized access, especially if the device is lost or stolen.

McAfee MVISION Cloud and VMware Solution Brief

Download to learn how McAfee MVISION Cloud and VMware’s partnership enables security controls on enterprise mobile-cloud usage

Download Now

Cloud Access Security Broker (CASB), Identity Provider (IdP) (or Identity-as-a-Service (IDaaS)), and Enterprise Mobility Management (EMM) solutions enable enterprises to secure their mobile-cloud usage while allowing users to remain productive. These technologies are increasingly adopted by large enterprise and are quickly becoming ‘must-have’ components of enterprise security infrastructure in the cloud and mobile era.

CASB: Secures and enables cloud usage. CASBs provide visibility into cloud data and usage, protection from insider threats and compromised accounts, DLP policy enforcement, and granular access control and encryption to secure data residing in cloud services.

IdP (or IDaaS): Provides a central point to authenticate and authorize users to access applications. An IdP solution also provides a convenient launch point for applications, while offering risk mitigating controls such as 2-factor authentication.

EMM: Enforces security policies on end user devices, including mobile and desktop devices, while maintaining user privacy.

In the video below, Rajiv Gupta, Co-Founder and CEO of Skyhigh Networks, and Sanjay Poonen, Executive Vice President and General Manager, End-User Computing and Head Of Global Marketing and Communications, of VMware, discuss the value and impact of integration between the McAfee CASB and the VMware Identity Manager and AirWatch EMM products as part of the recently announced partnership between McAfee and VMware.

Integration Use Cases

An integrated CASB, IdP, and EMM solution helps address multiple security challenges resulting in increased mobile-cloud security.

Comprehensive control: Traditional security solutions are often restricted to covering on-premises and VPN connected devices. Using this solution, IT can now enforce security controls pervasively across all users, including BYOD users as well as third party users such as partners, customers and contractors who access company data via corporate cloud services.

Device-based controls: Companies require that employees be able to access data anywhere, anytime, from any device, but also want to protect against data loss. A CASB/EMM integration can enforce policies that limit access to enterprise data based on whether the device is managed or unmanaged. For example, an employee using a personal mobile device accessing Office 365 may preview documents with sensitive data but not download them.

Contextual 2-factor authentication: This control balances the security requirements posed by password challenges, such as weak or compromised passwords, with the impact to end user experience that 2-factor authentication creates. In this scenario, an enterprise can trigger the second factor requirements when specific contextual factors, such as location, network, data, and user are encountered. For example, employees logging into salesforce using an unmanaged device, or using a managed device but from a new location, could be asked to complete the 2-factor authentication process.

Native app controls: The integrated CASB-IdP-EMM solution allows native apps to connect to cloud services only from managed devices. Native apps such as sync clients download data from the cloud into a desktop or mobile device at the backend, so the native app controls protect enterprise data by blocking downloads to unmanaged devices where it could be open to unauthorized access.

Threat protection: The CASB actively monitors cloud activity and uses thresholds and machine learning to detect threats from insiders, privileged users and compromised accounts. The integration with IdP and EMM solutions enables the CASB to consume logs from these applications to provide a more holistic picture of the usage, and to enable threat detection across devices and applications. The CASB can also notify the EMM solution of suspicious users so that the corresponding devices are flagged for additional monitoring and authentication.

How the Integration Works

CASB + IdP: The CASB and IdP integrate to ensure security controls for cloud services are enforced across all users and all devices. The IdP provides a central point of authentication to users accessing sanctioned cloud services such as Salesforce, Office 365 and Box. After successful authentication, the IdP redirects all traffic going to that cloud service via the CASB. The CASB inspects the cloud traffic for threats and applies the necessary security controls. Optionally, the IdP sends an attribute within the SAML assertion that gives the CASB more information about the user’s role and group, enabling it to apply more granular policy and access controls.

CASB + EMM: The CASB and EMM integration enables enterprises to secure cloud access from mobile devices. The corporate (or managed) devices are provisioned with a device certificate from the EMM solution at the time of registration. The CASB pulls this certificate information from the EMM provider and uses it to validate the device that is requesting access to the cloud service. Depending on whether the certificate is valid, the CASB enforces policies accordingly. So, an unmanaged device can be blocked from accessing sensitive data.

McAfee MVISION Cloud – VMware Partnership

McAfee and VMware have announced a partnership to provide enterprises with an end-to-end solution to secure their mobile-cloud usage. McAfee integrates with VMware Workspace One, which includes the VMware Identity Manager and VMware AirWatch products.

McAfee’s integration with VMware Identity Manager is frictionless and seamlessly applies policies and controls across all users and devices. McAfee’s integration with AirWatch allows the enforcement of device-based policies to restrict access to unmanaged devices, while applying contextual access controls based on user, device, location and activity on managed devices. This integration brings together the leading EMM, IDaaS and CASB solutions to provide enterprises with a comprehensive security solution across all users and endpoints. Learn more about this integration here.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs