CASB delivers must-have protection for your SaaS apps

Netskope edges CipherCloud and Bitglass in test of three ingenious and powerful cloud access security brokers.

Bitglass

Bitglass is an online CASB portal that’s preconfigured for use with a variety of SaaS sources, including Google Apps, Microsoft Office 365, Box, Dropbox, ServiceNow, Concur, Evernote, Egnyte, Exchange, and Jive, although mobile devices are limited to a smaller list.

Bitglass has strong situational knowledge to make access decisions. Using browser intelligence, Bitglass knows a lot about who’s accessing what and when.

Bitglass also watermarks data flowing through it, including email attachments, and provides tracking/tracing controls based upon user behavior of files/data that are sent through its forward proxy portal. Bitglass had the fastest initial setup of the three products tested, but that doesn’t mean that Bitglass is shallow; rather, it benefits from its own portal controls.


Bitglass has done a lot of homework in terms of the task list of items needed to migrate to its services, but administration of the Bitglass portal requires above-average administrative detail work to achieve the depth that competitor CipherCloud has in terms of encryption and DLP control. After testing, we agreed: non-trivial but definitely doable.

Bitglass encrypts, and does something further than CipherCloud: it can watermark files in such a way as to trace exfiltration forensically. It geo-locates users and establishes the foundation to monitor weird user data behavior. Logged on from Santa Monica, then an hour later accessed something from London? Yes, Bitglass can sense this and throw a red flag. The geolocation feature can be thwarted, but it takes serious talent and timing to get past such a feature.

We found that Bitglass could accommodate other SaaS portals if we did the work, and single sign-on support can be enabled as well. We chose Active Directory Federation Services with Bitglass as a SAML provider. Okta, an SSO service, can also be used.

Another Bitglass strength is tending to devices both inside and outside an organization’s “secure perimeter,” although smartphones (we tested Android and iOS) offer limited control compared to Windows or Mac OS X.

Initial setup was straightforward, and included directions to the correct scripts to join our small test Active Directory domain. A circuit to an organization’s Active Directory is necessary for authentication.

The Bitglass administrative portal renders a lot of information, and is the nexus of control. The administrative portal has object filters, including a set of pre-defined libraries of patterns for things like credit card data fields as keywords, used to stanch information flow upon a match with the object filter.
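An object filter of the kind described above, sketched as an added example (this is not Bitglass's filter library; the pattern, the masking, and the block/allow policy are assumptions). It pairs a card-number pattern with a Luhn checksum so that arbitrary 16-digit strings do not trigger a block.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(text):
    """Return masked card numbers found in text (last four digits kept)."""
    findings = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings

def decide(text):
    """Hypothetical policy: block the transfer if any valid card number matches."""
    hits = scan(text)
    return ("block" if hits else "allow", hits)

# Constructed sample content; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_UPLOAD = "Invoice ref 1234 5678 9012 3456, card 4111-1111-1111-1111 exp 01/30"

if __name__ == "__main__":
    print(decide(SAMPLE_UPLOAD))
    print(decide("order 1234 5678 9012 3456 shipped"))
```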

DLP is good, but not perhaps as good as CipherCloud or Netskope and not as programmable, either.

Starting a new Salesforce instance with Bitglass involved creating a Salesforce subdomain, then modifying it so that an installed (self-signed Bitglass) certificate was used to force browser re-direction through Bitglass’s portal for rules/policy purposes, and subsequent data imprisonment. This locks in Bitglass as a provider and circuit for users, thus allowing agentless clients to use Bitglass for SSO, audit, and DLP features. It’s pretty easy, we found.

What’s less trivial is the need for staff to monitor exception handling, including noise generated from high volume user activity across a potentially broad spectrum of SaaS and supported cloud resources, but this is the same stress that CASB will impose for any good level of activity with any CASB product. The noise, however, can be “smoothed” to a manageable level.

Here, the Activity Dashboard of Bitglass became very useful. We felt like we had a handle on activity that needed addressing, and that a variety of activities with a high volume of load would be acceptable to us, although we lack the capacity to emulate the shenanigans of thousands of users doing cloud plus Exchange, Google or Office 365 apps, Evernote — plus Salesforce. You might assume that your user base is well-behaved, but we all know that users do odd things, and sometimes try to get around the rules. This is why the Bitglass UI made us happy, in that it separates the trivial from the ghastly.

Scorecard

| Product | CipherCloud Trust Platform | Netskope GoScope Platform | Bitglass |
|---|---|---|---|
| Configuration, Flexibility, Installation | 4 | 4 | 3.5 |
| Administration, Overall User Experience | 5 | 4.5 | 4.5 |
| Features, Integration with Third Parties | 4.5 | 4 | 4 |
| Documentation/Programmability | 4 | 4.5 | 4 |
| TOTAL | 4.37 | 4.25 | 4 |

The potential downside is that a clear communications circuit needs to be maintained to the cloud-based Bitglass portal, which isn’t under your control, unlike the on-premises, appliance-based products reviewed here. Bitglass meets high standards for its own security, but does not have worldwide points of presence all in sync with each other.

No one reviewed did, although the CipherCloud architecture uses an autonomous internal gateway VM methodology which places the onus of circuit protection strictly on IT staff. We found other minor foibles mostly relating to our sense of quieting noise; we like a security package that’s nervous. Heaven help us if Bitglass’s portal is ever compromised, a thought that nagged us.
