Mention the phrase “Bring Your Own Device” (or BYOD) in an IT department, and you’re bound to hear cries of despair. Add the term “Software as a Service” (or SaaS) to the conversation, and a riot of protests might well drown out those cries of despair.
Okay, I may be exaggerating a little bit. In all seriousness, though, BYOD and cloud app management remain problematic for IT managers and administrators. After all, these technologies remove control from IT while simultaneously adding responsibility. Campbell, CA-based startup Bitglass aims to assuage those worries with a hosted offering that brings security and control back to enterprise IT without negatively impacting the end user.
The BYOD and cloud problem
To truly understand what Bitglass has to offer, one has to consider the problems facing IT today. The mobilization of the work force is one. More and more, employees are leveraging mobile devices to enhance productivity. Those mobile devices come in many shapes and sizes, run a multitude of operating systems, and often have only one thing in common: their use to access corporate resources and intellectual property.
Managing those devices has become a challenge for many IT departments, thanks to concerns around ownership, compatibility, rapid change, and potential loss. And all too often, the focus on managing the devices obscures the real issue: managing the users and the data they create or consume.
Further complicating the device management conundrum, many organizations (and, in some cases, employees, without the consent of their employers or IT) now consume cloud services and applications such as Google Apps, Microsoft’s Office 365, Salesforce, and Box to handle documents, emails and files. Combine an unmanaged mobile device with unsecured access to a cloud service, and you compound the potential for security breaches and data leakage.
Bitglass brings security to cloud applications and control to mobile devices using a new paradigm, one that unifies the security management of cloud services and mobile devices into a single service that is easy to deploy, manage and use.
The origins of Bitglass
I visited Bitglass’s headquarters in Campbell, CA to put the service through its paces and see exactly what the company can offer. After spending several hours with the service, both as a user and an administrator, I was quite impressed with the robustness of Bitglass’s service. In fact, I wondered why no one has approached BYOD and cloud services security the way Bitglass has. Perhaps a look at the company’s origins will give insight.
Bitglass was conceived as a service to bring security and accountability to the use of cloud services. While on that developmental journey, however, company engineers concluded that mobile devices are just as problematic. Employees frequently use them to access cloud services, and, in most cases, the businesses don’t own those devices. The end users do.
When used for work, those unmanaged devices may generate, access, or store corporate information, rendering them a very weak link in the security chain. What’s more, cloud-based applications often offer little in the form of auditable access and IT controls.
The engineers at Bitglass took a long, hard look at how data travels from corporate resources into cloud services and how those same services work with mobile devices. They then came up with a novel solution: incorporate SAML (Security Assertion Markup Language), an XML-based open standard for exchanging authentication and authorization data between parties.
With SAML in the picture, Bitglass designed a proxy-based system to redirect traffic to cloud service providers through Bitglass technology, which secures access and traffic, logs activity, and even “watermarks” files and information for further protection by embedding security tags into documents and other files to track their movement. Amazingly, all that happens without impacting the end user. No software to load on endpoints, no changes to be made to end user configurations. End users don’t need to be involved in the process whatsoever. Instead, Bitglass’s implementation of SAML takes over the SSO (Single Sign On) chores for authenticating to a web service. After the initial SSO event, IT admins have full control over access to the services, as well as the tracking and watermarking of data.
Bitglass uses a proxy to take control of traffic to web services and protect data
A closer look at Bitglass
In practice, Bitglass makes the transition to secure cloud service access easy. The main console is user-friendly, with step-by-step methods to incorporate applications and users into the system. Configuration begins by defining an account on the Bitglass platform, then configuring groups, users, applications and basic policies. There is no need to install anything on local machines, portable devices or servers. Everything is self-contained in the Bitglass environment.
A simple-to-understand dashboard hides the sophistication of the Bitglass platform
User accounts and groups can be imported from Active Directory to quickly populate the service and keep it up to date. Administrators can also set up separate local accounts and groups to isolate security from corporate directories. Once users and groups are in the system, administrators can quickly add cloud applications. Those applications will use SAML to pass authentication data through Bitglass to the end user. Applications are then assigned to groups, as are users, completing the security chain.
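To make the SAML-plus-proxy arrangement described above concrete, here is an added illustration (my own, not Bitglass code; the company's internals are not described on this page) of what an access proxy sitting between users and a cloud application has to do: check that the assertion really came from the identity provider, read the subject and group attributes out of it, and then apply the group-to-application assignments an administrator configured. The assertion XML, the policy table and the signing key are all constructed for the example, and the HMAC stands in for the XML-DSig signature a real SAML assertion carries.

```python
"""Toy SAML-aware access proxy: verify an assertion, map the user's groups to
the cloud applications assigned to those groups, and decide whether to forward.
Constructed example; not the proxy design of any real product."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: shared secret standing in for the identity provider's signing key.
# Real assertions carry an XML-DSig signature checked against the IdP's
# certificate; HMAC is used here only to keep the example self-contained.
IDP_KEY = b"constructed-idp-secret"

# Constructed policy: group -> application assignments, as an admin would set up.
APP_POLICY = {
    "salesforce": {"sales", "execs"},
    "box": {"sales", "engineering", "execs"},
    "office365": {"engineering", "sales", "execs", "finance"},
    "expense-system": {"finance"},
}

# Constructed assertion for a user who belongs to the "sales" group.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sign(assertion_xml: str, key: bytes = IDP_KEY) -> str:
    """Stand-in for the IdP signing the assertion (see note on IDP_KEY)."""
    return hmac.new(key, assertion_xml.encode(), hashlib.sha256).hexdigest()


def parse_assertion(assertion_xml: str):
    """Extract the subject NameID and the set of group attribute values."""
    # For XML from an untrusted party use defusedxml (or an equivalent
    # hardened parser) in production to block entity-expansion attacks.
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS).text
    values = root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS
    )
    return name_id, {v.text for v in values}


def authorize(assertion_xml: str, signature: str, app: str):
    """Return (allowed, reason). The signature is verified before anything is
    parsed, so a forged or altered assertion never reaches the policy check."""
    if not hmac.compare_digest(sign(assertion_xml), signature):
        return False, "bad signature"
    user, groups = parse_assertion(assertion_xml)
    if app not in APP_POLICY:
        return False, f"unknown app {app}"
    matched = groups & APP_POLICY[app]
    if matched:
        return True, f"{user} allowed to {app} via {sorted(matched)}"
    return False, f"{user} not in a group assigned to {app}"


if __name__ == "__main__":
    sig = sign(ASSERTION)
    for app in ("salesforce", "expense-system"):
        print(app, authorize(ASSERTION, sig, app))
    print("tampered", authorize(ASSERTION, "0" * 64, "salesforce"))
```

The ordering matters: verify, then parse, then apply policy. A proxy that parsed attributes before checking the signature would be making access decisions on data anyone could have written.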
Policies are quick and easy to implement and clearly identify what users can do
As far as control goes, Bitglass has a lot to offer. First and foremost, the platform logs traffic, creating an auditable chain of events to provide the who, what, when, and where of user activity, critical to forensics and security validation. Watermarking adds an extra layer of accountability. Simply put, if Bob emails a file to Tom, Bitglass creates and logs an alert and begins tracking the history of the file. And tracking goes even further than that. If Bob copies and pastes an element from the file to another file, Bitglass tracks that, too.
That capability brings Data Leakage Protection (DLP) to web applications, something that has, historically, proven nearly impossible. Another feature that bodes well for those leveraging BYOD is the “remote wipe” capability. If a device gets lost or stolen, or if the employee leaves the company, administrators can immediately remove all corporate information from the device without impacting the user’s personal data. Bitglass thus enables employees to use personal devices on corporate networks and with cloud services without impacting either the enterprise’s security or the employee’s personal use and ownership of the device.
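The watermarking described above, embedding a security tag in a file so its later movement can be traced, is easier to reason about with a concrete scheme in hand. The following is an added example of my own, not Bitglass's tag format (which the page does not describe): a footer line carrying base64-encoded JSON (recipient, file id, issue time) bound by an HMAC, so a tag found later in a forwarded mail or a pasted fragment can be attributed to the copy it came from and cannot be forged or re-pointed at another user. The key and sample document are constructed.

```python
"""Constructed document watermark: a signed tag line appended to a file copy.
find_tags() recovers every tag present in arbitrary text, which is what a
tracking service needs when a fragment of a tagged file turns up elsewhere."""
import base64
import hashlib
import hmac
import json
import re

# Constructed secret held by the tagging service; never shipped with the document.
TAG_KEY = b"constructed-tagging-secret"
TAG_RE = re.compile(r"\[sec-tag:([A-Za-z0-9_-]+)\.([0-9a-f]{64})\]")


def _mac(payload_b64: str) -> str:
    return hmac.new(TAG_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def tag_document(text: str, user: str, file_id: str, issued: str) -> str:
    """Append a signed tag recording who received this copy of the file and when."""
    payload = json.dumps({"user": user, "file": file_id, "issued": issued}, sort_keys=True)
    payload_b64 = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    return f"{text}\n[sec-tag:{payload_b64}.{_mac(payload_b64)}]"


def find_tags(text: str) -> list:
    """Return the origin info of every valid tag in the text. A tag whose MAC
    does not verify is reported as invalid rather than silently trusted."""
    found = []
    for payload_b64, mac in TAG_RE.findall(text):
        if not hmac.compare_digest(_mac(payload_b64), mac):
            found.append({"valid": False})
            continue
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        info = json.loads(base64.urlsafe_b64decode(padded))
        info["valid"] = True
        found.append(info)
    return found


if __name__ == "__main__":
    copy_for_bob = tag_document("Q3 forecast (constructed)", "bob@example.com",
                                "F-1", "2014-01-06T10:00:00Z")
    # Bob pastes the tail of the document into a message to Tom.
    pasted = "FYI\n" + copy_for_bob.splitlines()[-1] + "\nthanks"
    print(find_tags(pasted))
```

Because the tag is bound to the recipient's identity rather than to the file alone, two people who received the same file carry different tags, which is what lets the tracking service say which copy a leaked fragment came from.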
File activity, access, and usage are tracked
Bitglass also features an alerting system to notify administrators of critical events like failed logins, suspicious activity, and logins from unexpected locations. This provides a quick way to keep an eye on the security of cloud applications without having to individually check each one for suspicious activity.
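As an added example of the kind of rule an alerting system like the one described above runs, here is a small detector of my own (not Bitglass code; the log format, sample lines and per-user location baseline are all constructed) that reads proxy access records and raises two of the alerts the review names: a burst of failed logins for one user, and a successful login from a country the user has never signed in from.

```python
"""Constructed alert rules over constructed proxy log lines:
 - failed_login_burst: FAIL_THRESHOLD failures by one user inside FAIL_WINDOW
 - unexpected_location: successful login from a country outside the user's baseline
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time, user, application, result, source country.
LOG = """\
2014-01-06T09:00:05Z bob@example.com salesforce ok US
2014-01-06T09:01:10Z eve@example.com box fail US
2014-01-06T09:01:14Z eve@example.com box fail US
2014-01-06T09:01:19Z eve@example.com box fail US
2014-01-06T09:01:25Z eve@example.com box fail US
2014-01-06T09:30:00Z bob@example.com office365 ok RO
2014-01-06T10:00:00Z ann@example.com salesforce ok DE
"""

# Constructed baseline: countries each user normally signs in from.
BASELINE = {
    "bob@example.com": {"US"},
    "eve@example.com": {"US"},
    "ann@example.com": {"DE", "US"},
}

FAIL_THRESHOLD = 4
FAIL_WINDOW = timedelta(minutes=5)


def parse(log: str) -> list:
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, app, result, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "app": app, "result": result, "country": country,
        })
    return events


def alerts(events: list) -> list:
    """Return (rule, user, detail) tuples in time order."""
    out = []
    recent_failures = defaultdict(list)  # user -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "fail":
            window = recent_failures[user] + [ev["ts"]]
            # keep only failures that fall inside the sliding window
            window = [t for t in window if ev["ts"] - t <= FAIL_WINDOW]
            recent_failures[user] = window
            # fire once, when the threshold is first reached in this burst
            if len(window) == FAIL_THRESHOLD:
                out.append(("failed_login_burst", user, ev["app"]))
        elif ev["country"] not in BASELINE.get(user, set()):
            out.append(("unexpected_location", user, ev["country"]))
    return out


if __name__ == "__main__":
    for alert in alerts(parse(LOG)):
        print(alert)
```

In practice the baseline would be learned from historical successful logins rather than typed in, and a user with no baseline at all (the `BASELINE.get(user, set())` branch) is deliberately treated as unexpected from everywhere until one exists.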
An alert system shows information that may be pertinent to security events
All things considered, Bitglass brings several benefits to enterprises looking to deploy cloud applications or to enable BYOD. What’s more, Bitglass simplifies the process by eliminating complex installations, new hardware purchases, and extensive training for IT staffers and end users. It can also reduce costs. Unlike standard MDM products, Bitglass is billed based on user counts. That approach does away with the need for device licenses, as well as other hidden costs frequently found in MDM solutions. What’s more, fixed costs based on user counts are a much simpler budgeting proposition for most IT departments.
By now, the productivity boosts and cost savings often inherent in BYOD and cloud services have made them standard in many enterprises. Unfortunately, employee adherence to corporate BYOD policy often is not. For organizations looking to close security holes without limiting their employees’ mobility, Bitglass may offer the solution.