Check out Bitglass, the cloud access security broker that’s taking aim at EMM

The CASB space is hot, and Bitglass has a compelling alternative to EMM for BYOD.

Bitglass is a cloud access security broker (CASB) vendor, and one of their defining characteristics is that they emphasize mobile data security and position themselves as an alternative to EMM.

CASBs are getting a lot of attention right now, and anything that provides a new angle on EMM is also very interesting, so recently I talked to Rich Campagna, Bitglass’s VP of products, to learn about what they do.

Bitglass was founded in 2013, and they do all of the typical CASB things. What does a typical CASB do? If you’re not familiar with this somewhat new space, take a minute to read my recent introduction. The short version is that by using a combination of APIs and proxies, CASBs give IT more control and visibility over the usage of cloud apps. They’re another new tool to deal with the cloud and mobile era, alongside EMM and identity management.

On mobile devices, Bitglass’s goal is to control and secure enterprise data, so that devices don’t have to be enrolled in MDM or use any type of mobile app management. This way, they can avoid the privacy and usability issues that can come up when using MDM to manage BYOD.

How do they do this? The first key part is taking advantage of whatever access and data protection controls that cloud apps expose to Bitglass (and other CASBs) via APIs.

The other key part is proxying traffic to and from enterprise cloud apps. Bitglass does this by integrating with the single sign-on process. This means companies have to do identity federation with SAML, but any company that cares about cloud security is already doing this anyway. With this process, Bitglass ensures that enterprise app traffic from any device will go through the proxy no matter what—regardless of whether or not the device is on a specific network, managed or unmanaged, or using a mobile app or a browser. Bitglass also proxies Exchange ActiveSync to get control over email and attachments.

With the APIs and proxies in place, Bitglass can perform various mobility management tasks:

  • To prevent data leakage, they can use APIs to disable sharing features in apps (if the app happens to provide them). Alternatively, they can use the proxy and traffic inspection/manipulation to apply encryption, rights management, and other policies to any data that’s downloaded to a device.
  • A DLP engine can be used to classify sensitive data and apply different policies.
  • Bitglass can detect if a device does happen to be enrolled in MDM and apply different policies. (They usually detect it by looking for certificates installed by the MDM server. Many other CASBs do this using APIs provided by EMM servers, but later we’ll see why Bitglass doesn’t use this method.)
  • To do a selective remote wipe of enterprise data (as opposed to a full remote wipe of the entire device), Bitglass can again use APIs provided by the cloud apps if they’re available. Or, using the proxy, Bitglass can sync all data values in mobile apps to null (and for email, use ActiveSync to sync the user’s mailbox to be empty).
  • Traffic from personal apps on unmanaged devices just goes straight out to the internet.
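To make the decision flow in that list concrete, here is an added example (not Bitglass’s code, and not a description of their actual engine) of the kind of policy logic a proxy-based CASB applies to a download: unsanctioned personal-app traffic is passed straight through, sanctioned-app content is run through a small DLP classifier, and sensitive content goes out in the clear only if the device presented a client certificate chaining to the MDM CA; otherwise it is marked for encryption. The MDM CA name, the DLP patterns, and the `Request` fields are all constructed for the illustration.

```python
"""Toy CASB-style download policy: DLP classification plus MDM-certificate check.

Added illustration only; the issuer name, patterns and request shape are
constructed assumptions, not Bitglass's implementation.
"""
import re
from dataclasses import dataclass, field

# Constructed: the issuer of client certificates pushed by the MDM server.
# A CASB that detects enrollment via certificates would be configured with
# the real MDM CA's distinguished name here.
MDM_CA_ISSUER = "CN=Example MDM Root CA"

# Constructed DLP patterns. Credit-card hits are further validated with Luhn
# so that a random 16-digit string does not trip the policy.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used to weed out false credit-card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the set of sensitive-data classes found in the content."""
    found = set()
    for name, pattern in DLP_PATTERNS.items():
        for match in pattern.finditer(content):
            if name == "credit_card":
                digits = re.sub(r"\D", "", match.group())
                if not luhn_ok(digits):
                    continue
            found.add(name)
    return found


def is_mdm_enrolled(client_cert_issuers: list) -> bool:
    """Treat the device as managed if any presented client cert was issued by the MDM CA."""
    return MDM_CA_ISSUER in client_cert_issuers


@dataclass
class Request:
    app: str                      # cloud app the user is talking to
    sanctioned: bool              # True if the app is routed through the proxy via SSO
    client_cert_issuers: list = field(default_factory=list)
    content: str = ""             # body of the response being downloaded


def decide(req: Request) -> str:
    """Return one of: 'bypass', 'allow', 'encrypt'."""
    # Personal apps on unmanaged devices are not proxied at all.
    if not req.sanctioned:
        return "bypass"
    classes = classify(req.content)
    if not classes:
        return "allow"
    # Sensitive data to a device the certificate check says is managed: let it through.
    if is_mdm_enrolled(req.client_cert_issuers):
        return "allow"
    # Sensitive data to an unmanaged device: apply encryption / rights management on the way out.
    return "encrypt"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("personal-photos", False, [], "4111 1111 1111 1111"),
        Request("crm", True, [], "quarterly notes, nothing sensitive"),
        Request("crm", True, ["CN=Example MDM Root CA"], "SSN 123-45-6789"),
        Request("crm", True, [], "card 4111 1111 1111 1111"),
    ]
    for s in samples:
        print(f"{s.app:16} sanctioned={s.sanctioned!s:5} -> {decide(s)}")
```

The split between "bypass" and the proxied path is what gives the privacy argument its teeth: anything the SSO step did not route through the proxy is never inspected, while anything that was can be classified and treated differently depending on whether the device shows evidence of management.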

As I mentioned earlier, with all of these mobile capabilities Bitglass is marketing itself as an alternative to EMM. They emphasize the privacy and BYOD angle, and talk about displacing EMM vendors. This is in contrast to many other CASBs that have partnerships with EMM vendors.

Their marketing is certainly attention-grabbing: Recently they did a study that looked at all the ways that MDM can be misused, and published the results in a white paper called MDM Mayhem. The results included tracking user location; using MDM to install a forward proxy and then inspecting SSL traffic from personal apps; draining the battery; and restricting device functionality.

While of course everything in the MDM Mayhem report is possible, I do think it is a bit extreme. It assumes that MDM is being misused and administrators are willfully acting in bad faith, and it ignores the many other reasons to use MDM (including for BYOD).

Anyway, as an independent blogger it’s my job to break things down and get to the underlying point. (Though I have to note that their marketing obviously works, because the MDM Mayhem report is what drew my attention to them in the first place.)

Bitglass is indeed getting to some key issues in enterprise mobility: MDM for BYOD is still very much debated and many users aren’t comfortable with it. And for many cloud apps, stand-alone MAM isn’t an option because the vendors aren’t going to hand over their mobile clients for customers to wrap, nor will they be excited about incorporating half a dozen different MAM SDKs.

Bitglass’s approach is a way to address these issues, so I like that they’re doing that and I’ll be following them closely.