It's 2 AM, do you know where your data is?

Webinar transcript - View the full webinar


Host:  Good morning, or good afternoon, everybody. Thank you very much for joining us. Welcome to today's webinar, "It's 2 AM, do you know where your data is?" Today's session will cover the challenges organizations are facing in this new world of cloud services, and what to do about them.

Your presenter today is Jay Bhansali, Senior Product Marketing Lead for Cloud Security. Jay spends his days working on these types of issues and how to solve them. Jay, I'm going to turn it over to you.

[distorted phone connection]

Jay Bhansali:  ...key challenges that customers run into as they go from some services to adopting services in the cloud. We'll take Q&A at the end of the session.

To kick things off, to put this conversation into perspective, I want to talk about one of our early customers that had this challenge. It's a legal company called Perkins Coie based out of Seattle, Washington.

They are a global law firm with about 19 offices across the globe and about thousand‑plus attorneys that are, on daily basis, working with a large variety of customers that span from Fortune 500 organizations to smaller tech startups.

Perkins Coie is heavily investing in a variety of cloud services, such as Salesforce, Office365, and Google's productivity suite, G Suite, with the goal of one, being able to provide their attorneys with information readily on‑the‑go, as they travel amongst different offices globally and as they travel to different customer locations.

Two, also making sure that their attorneys have the right tools to collaborate with customers. Oftentimes, they will run into an organization that either uses Office365, G Suite, or it's different kind of platform for internal collaboration and cloud sharing.

They want to make sure no matter what the customer uses, their attorneys are equipped to support the customer and collaborate with them using technologies that are approved by the customer's organization.

The big challenge that they've had as they've transitioned to cloud services is the question of, how do you effectively secure, in their case, client data? The information that they have from their clients is highly sensitive information.

The challenge they've had is how do you secure that data that resides in the cloud, specifically on mobile devices as employees are accepting it from across the globe.

The real challenge is, or the problem is, it is such a huge problem, because losing data, as it stands today, is very easy. This is primarily because, on a mobile device, all the employee has to do to access an enterprise cloud service is download the corresponding app, in this case, an employee would download Salesforce1, use that copied credentials and get access to all of the data within Salesforce on this mobile device.

Just by the virtue of doing that, copy data is now on a device that is potentially unsecure. As an organization, you can't control, or you have no control over the device and the ability to wipe the data. It's possibly within the unmanaged app, and also possibly connected to other unsanctioned services.

We'll take a look at each one of these use‑cases in a little more detail.

Keep in mind that this isn't a problem that's only specific to Salesforce, the Office suite of applications, or the Google Productivity Suite. It's actually something that's wider and would apply to any cloud service, be it HR systems like Workday, IT service management systems like ServiceNow, collaboration and internal communications tools like Facebook Workplace and WebEx and so on. Any of these systems that are available on the mobile device puts the organization data at risk.

The real source of this problem is, when you look at this two key shifts within the industry, one is the move to mobile devices and the other one the move from on‑premise services to cloud services, securing has been very siloed in the approach as they've tried to lock down either the devices, where they've used things like MDM and enterprise mobility management suits to lock down devices and they've used other systems on the backend, but what they really lack is a combined solution.

Specifically, when you think of cloud services, and the strategy, usually for most organizations, is to use identity‑based solutions, like username and password, or at times multi‑factor authentication.

What's missing though is, as an employee, connecting to cloud services only using an identity base of access control mechanisms, there is a couple of things that are taken into account, which is the state of the device and so on, and which is why username/passwords are no longer sufficient for securing data in the cloud.

Specific risks, again, from a data security perspective is that, you have no control over unsecured devices connecting to the network, you have no control over unmanaged applications connecting to the enterprise cloud services, and you have no control over other third‑party unsanctioned cloud services getting access to enterprise data.

In addition to that, the username/password experience for a end‑user on a mobile device is very painful. Just the fact [inaudible 6:09], having to enter credentials on a tiny screen, it's not the most optimal experience for end‑users.

Then, there's also the question of being able to get complete visibility into the types of devices, types of users, and so on, that are connecting to your services.

To take a slightly closer look at how these use‑cases manifest within the organization, we're going to compare the experience for a user on a unsecured device, versus a secured device, and see how easy it is, actually, to lose data from that unsecured device.

In this case, the secure device is protected and managed by an enterprise mobility suite. It has a passcode enforced, as a result of which, all the data on the device is encrypted.

Now, as the user goes to access the enterprise cloud service ‑‑ in this case we will use Salesforce1 as the example ‑‑ the employee downloads the application, enters their corporate credentials, and gets access to all of the corporate data on the device.

The risk occurs if a user was to lose that device. On the secured device, IT still has some control over it, and has the ability to remotely wipe the device, and wipe the corporate application.

The challenge, though, is on the unsecured device. IT has absolutely no visibility, and absolutely no control over the data that's there. In this case, the data stored on that device is unencrypted, and outside IT control, which is a compliance violation for a lot of organizations, especially organizations like Perkins Coie that operate in highly‑regulated industry.

The question then arises, is how do you prevent that unsecured device from ever connecting to your enterprise cloud services, and getting access to that data? A username/password solution is not sufficient to prevent this.

The second use case is that of a unmanaged app, versus a managed app. In this case, even though you may have an EMM solution deployed to a mobile device, there are still instances where unmanaged applications would get access to the corporate data. Let's take a look here at how that manifests.

In this case, again, like I said, both devices are managed, both of apps' MDM or EMM profile's on, the device's passcode is enforced, but the difference between the two devices is, how the user downloads the Salesforce1 application.

On the unmanaged app version on your left, you will see that the user downloads it from the public app store, which is the Apple App Store, and on the right, the user's going to get that application from the enterprise app store.

By virtue of getting the application from the public app store, or Apple Store in this case, that application is installed as a personal application, and IT or the MDM system in this case, will have zero control over that application. Our data is shared from that application, or even the ability to wipe that application. Again, in this case, the user, all they have to do is enter their username credentials, and they get complete access to the data.

The risk occurs when, if the user tries to share that information, what you see is on the unmanaged app, the user can share it with a variety of different applications, other malicious applications that might be on their device, or unsanctioned services. Also, we are airdropped with other devices.

If you look at the managed application, the user can only open that data and share that data with approved cloud services, and other approved applications like, in this case, would be PowerPoint and the G Drive Suite.

The question then arises is, how do you ever prevent the unmanaged app from connecting to the enterprise cloud service so the user may not be able to share that data from the unmanaged app to other unsanctioned apps and services?

The third challenge, and this is one of the unsanctioned cloud service. In this case, again, most cloud platforms have a robust set of APIs, yielding which third‑party developers will build solutions and other applications for services such as Salesforce, Box, Dropbox, and so on.

A lot of times these third‑party services are very valuable and provide better user experiences and niche use cases that allow the end user to access Salesforce data or data from Box in very unique ways, but every once in awhile you will have a malicious application that will find its way into the app store or the ecosystem for these applications, which opens up the risk of data loss.

Also in certain times, if a service that is connecting to an enterprise cloud service is not sanctioned, there might be the possibility of data from the enterprise cloud service such as Box residing in a third‑party unsanctioned cloud service that may or may not be approved by IT.

In this case, again, from an example perspective, we're going to see how a user can very easily connect a third‑party cloud service to your Salesforce environment. All you have to do on their device is download a application. In this case we're going to use a application called Tact as an example.

Tact is a very powerful tool, actually, for Salesforce integration, which allows representatives to selectively sync Salesforce data on their device, making it easy for them to work when they're not connected to the network and need quick access to specific information.

It is a very powerful tool when sanctioned by IT, but when unsanctioned there is the risk of sensitive data from Salesforce residing in a third‑party cloud service.

Here again, all the user has to do is launch the Tact application, hit the Connect button, enter their corporate credentials for Salesforce, and all of your Salesforce data is now potentially available in that third‑party Salesforce client.

The question again here is how do you prevent the unsanctioned cloud service from connecting to your enterprise cloud services to prevent data from going into them? This is where MobileIron Access, which is a mobile cloud security platform that we've developed, comes into play.

Continuing with that example of the unsanctioned cloud service, what you will see here if an organization has Access installed and deployed across their cloud services, when a unsanctioned service is attempting to connect to your enterprise cloud services, Access is able to prevent that connection.

The end‑user receives a customizable remediation workflow which in this case tells them to contact the administrator because that third‑party service is not sanctioned. If they can make the case to IT as to why they want to use that application or that service to improve productivity, IT can then go on, procure the service, secure it, lock it down, and then make it available to users.

In the previous two use cases, where we spoke about the unsecured device or the unmanaged application, IT can customize the screen and prompt the user to, either enroll the device with EMM, enroll it with MobileIron, or also, prompt the user to convert the application from a unmanaged application to the managed application, by downloading it from the enterprise app store.

This is a very powerful remediation workflow. The customization that this allows the user to identify and self‑remediate from their situation of non‑compliance, as opposed to having to open a help desk ticket, and waiting for a couple of days for help desk to resolve it.

Again, this customizable workflow that Access provides, allows organizations to, one, deploy conditional access policies, and two, also help users remediate themselves and continue to be productive.

Another really powerful service that Access provides is, single sign‑on. A key challenge for a lot of users is, as organizations continue to roll‑out additional cloud services, users often have to remember a variety of unique username/password combinations, for each of the cloud services.

Oftentimes, when passwords are reset every 60 or 90 days, users continue to forget these, and put in the wrong credentials. They'll often mistype their credentials on a mobile device, and as a result, will be locked out of IT services, which could significantly hamper productivity, and put a lot of pressure on help desk resources to reset passwords, reset account lockouts, and so on.

Which is why, again, MobileIron Access provides a very robust single sign‑on solution, that's developed for mobile applications and mobile devices specifically. It's very different from your traditional single sign‑on solutions, that are very apt for browser‑based access, but not so much on mobile devices.

On the next screen, what I will walk you through is, what the user experience looks like when a user tries to access Salesforce for the first time, when they launch it on a registered device.

In this case, you'll see the user attempting to launch Salesforce, they click on the company's single sign‑on policy, and without having to enter their username or password ever on a mobile device, they have secure access to the Salesforce back‑end.

Throughout this process, we've verified that the device is compliant, that the app is managed, and obviously we've verified who the user is, without them having to provide a username/password, because we use certificate‑based authentication in the back‑end, making the front‑end process completely seamless and secure for the end‑user.

Continuing on, there's also the aspect of compliance and visibility. Traditionally, organizations don't have a single point to go to, and then try and get all of the information about, how many types of devices are connecting to enterprise cloud services, they don't have the visibility into how many of them are managed, versus unmanaged devices, and so on.

With MobileIron Access, customers get a single point of view into what types of devices are on the network, what the different locations from where users are accessing corporate information, and so on. The ability to get and correlate that information across all your cloud services, is really powerful.

Without Access, customers today would have to either go into individual cloud services, get the logs, put them through a different tool, and then still manually have to correlate between what the managed device, versus an unmanaged device, it's actually a very long process. Access significantly simplifies this, by being able to correlate data from the mobile world and the cloud world.

A key advantage that we've seen some customers really said about is, the Geo Dashboard, where they get a very quick view into seeing where different authentications requests are coming from.

IT can use this information in two ways. One is, if there is a known office location where they're seeing a lot of block or warn requests coming in from, IT can go to that location, talk to the end‑users, and identify what types of services they'd like to use, and then onboard those services in a secure manner, enabling user productivity.

The second aspect is, if IT starts seeing a set of authentication requests coming in from areas where you have no office location, or no known employees, IT can very quickly realize that this is something malicious that's going on, and they can start taking corrective actions, or investigate those authentications further.

Just walking into the office and pulling up this dashboard, gives them a very quick set of actionable data, using which they can decide how to process the information, and take corrective measures.

Having said that, MobileIron Access is a truly comprehensive mobile cloud security platform, that allows organizations to discover their risks, protect them by providing contextual policies, deploying single sign‑ons, and also providing users with easy remediation workflows, and at the end of it all, once they have it all deployed, to provide continuous compliance monitoring and auditing, to make sure things are going as they should.

Benefits, obviously, of having Access is ‑‑ or what are key benefits are ‑‑ it's a unified mobile cloud security platform that ties‑in both of your environment, it is very deeply integrated with the MobileIron EMM platform, giving us the unique ability into being able to correlate mobile and app‑specific information, with authentication requests against your cloud services.

It's completely standards‑based, which allows us to scale across a variety of cloud services. It's not just a solution for Office365, or Salesforce, it will secure any cloud service that you have today, or will plan to deploy in the future, which truly allows you to deploy solutions that will scale with your business needs.

Finally, Access provides a seamless, secure, single sign‑on experience that's customized for the mobile world. This is very different from your traditional sign‑on solutions, that are designed for browser‑based environments, and this is something that's very unique, and works very well on mobile devices.

Going back to the Perkins Coie example, as a customer, their key challenge was to roll‑out Salesforce and a couple of other cloud services to their attorneys, who were on‑the‑go. Very quickly, Access has been a game‑changer for them. Their users have really been excited and happy with the experience that we've been able to provide with single sign‑on.

At the same time, one of the key requirements, from a security perspective for them, was how you would prevent unmanaged devices, unsecured applications, or unsanctioned services from connecting to their enterprise environment. They were able to solve this challenge with MobileIron Access.

Traditionally, when they kicked‑off the project of rolling‑out cloud services for mobile devices, they were very concerned, because they didn't have a was a topic that wasn't really spoken about, just because they didn't have a good solution for the problem.

There's a lot of customers that we find in the same bucket, that tend to ignore this set of problems, because they just aren't aware of the solutions. We've seen some very successful deployments, and seen a lot of customers accelerate their deployment of cloud services to mobile devices, with MobileIron Access.

MobileIron Access is available today for all of our customers using MobileIron Core and Cloud. It's available on iOS, Android, and Windows platforms, supports a variety of cloud services, including Workday, Workplace by Facebook, Tableau, Office365, Salesforce, integrates with a variety of identity service providers, such as ADFS, Okta, Ping, OneLogIn, and so on, and gives you the ability to provide conditional access policies, native single sign‑on, and reporting across all of these.

In addition, I'm also very excited to announce the availability of the risk assessment workshop, which is a workshop that's available for free to all of our existing customers, where we will conduct a 60‑minute workshop with you, and give you a quick preview, we'll analyze your data from your EMM systems and your cloud service providers, such as Office365 and Salesforce.

We'll analyze logs, we have a assessment service that will give you a report at the end of that 60‑minute workshop, which will very clearly highlight, how many unsecured devices you have in your environment that are accessing Office365 and Salesforce, how many unmanaged apps are actively accessing your enterprise cloud services, and the same for how many unsanctioned cloud services and unregistered users you have.

It just gives you a concrete data about your environment, and lets you decide how best to proceed, and lock down those services and users, and get more control over your data in the cloud.

If you're ready and would like to participate, if you're a MobileIron customer, please contact your MobileIron representative today. We'd be happy to run the assessment in your environment.

With that, I'd like to thank you for joining us today and we'll go to Q&A. There's a question that we've received, if there's a way to use Access for mobile traffic, and only leaving the PC traffic as‑is.

Yes, we allow organizations to be able to enforce policies for mobile traffic, but just allow the PC traffic to pass through as‑is, without changing any of the user experience for the end‑users accessing cloud services from desktops.

There's also a question's a unrelated question on the topic, that there's a question about the MobileIron Threat Defense solution, and as a result of our partnership and announcing the MobileIron threat solution.

Yes, we provide very specific capabilities around malware detection and testing malicious applications, for both iOS and Android devices. For more information, please contact your MobileIron representative, and we'd be happy to give you the specific details on how that solution works.

There's another question around pricing and packaging, around which bundle of MobileIron EMM licenses that access would be included.

As Access is a standalone SKU today, so it is a product license that you would have to buy, in addition to your MobileIron EMM licenses.

There's also a question, if whether the risk assessment workshop is only available for MobileIron customers.

Yes, as it stands today, the assessment, it's only available to MobileIron customers, because we need the data from your EMM platform and data from your cloud services, to be able to correlate access and get visibility into kinds of devices, and so on, that are accessing your network.

If you are in early stages of a proof of concept, do let us know. We'd definitely be able to run a risk assessment if you're actively pursuing an EMM deployment.

With that, we're going to continue answering some of the questions through the text box. If you have any last‑minute questions, please send them in. If not, I'd like to take this time to thank you for spending...