TRANSCRIPT
A Secure Future in the Cloud
Data Governance & Protection
Gerry Grealish, Blue Coat Systems, Inc.
Chart: Top Inhibitors to Considering Public Cloud Are Similar Across Industries
Source: Gartner 2015 Survey Analysis: Cloud Adoption Across Vertical Industries Exhibits More Similarities Than Differences
Agenda
• Compliance & Governance Meets the Cloud
• The “Big 5” @ Cloud Control Requirements
– Examples
– Tips & Recommendations
• Recap
What Sort of Cloud Use Are We Talking About?
• Sanctioned Clouds
• My enterprise is dealing with sensitive and/or regulated data
• Internal governance or external compliance obligations
Cloud Compliance “Buckets”
Data Governance in the Cloud Generation
• SECTOR-BASED: Industry-specific data protection requirements in regulated industries
• INTERNAL/COMPANY SPECIFIC: Many enterprises have policies that require sensitive data to have restricted access
• RESIDENCY REGS: Legal requirements governing cross-border data flows
Cloud Compliance Headaches (Sample)
• Global Data Protection Reg
• Russian Data Localization Law
• Peoples Bank of China Regs
• Monetary Authority of Singapore
• India Telecom Regs
• Middle Eastern Banking Regs
• Australian Prudential Regulatory Authority
• National Privacy Principles
• Nova Scotia Data Residency
• Gramm Leach Bliley Law
• Health Information Portability Act
• International Traffic in Arms Regs
• Argentinian Banking Laws
• Brazilian Banking Laws
What Needs to Be Done?
• “Control” the use of these sanctioned clouds
• Five control scenarios:
1. Level Set – is Cloud aligned with my policies?
2. Don’t allow certain data into cloud
3. Allow data, but restrict access
4. Allow data, encrypt/tokenize & restrict access
5. Monitoring & logging requirements
1. CSPs Align With Compliance Requirements
Examples:
• Use only CSPs that have their primary datacenters in my home country
• Use only CSPs that are SOC2 compliant
• Use only CSPs that have:
– Federated Identity Management
– Multi-factor Authentication
– IP-Based Access Control
TIP: Get to Know Your Sanctioned Clouds
Screenshot: Business Readiness Rating™ of 38 for a sample cloud app, rated on attributes such as:
• Admin Audit Trail
• Multi-factor Authentication
• SOC2 Compliant
• Federated Identity Management
• Data at Rest Encryption
• HIPAA Compliant
• REST API Support
2. Block Certain Data From Cloud Apps
Examples:
• Healthcare provider that needs to ensure that no HIPAA-regulated data is stored in public cloud environments
• Retailer with policy that no credit card data is placed in cloud environments
• Law enforcement agency that needs to block CJIS regulated information from going to public clouds
Accidental Over-sharing is Easy
Image caption: The moment Linda realizes sensitive records are being shared publicly
• Alice shares a file with Bob
• Bob shares that file with others
• Or shares via other apps
Miscellaneous errors and insider/privilege misuse were the #1 and #2 most common reasons for a security incident in 2015.
Source: Verizon Data Breach Investigations Report, 2016
Causes of Accidental Exposure
• Public Shares
• Loose Shares
• Inherited Files and Folders Permissions
• Forgotten Shares
• Oversharing
• Inadvertent Sharing
• Legacy Sharing
Plenty of Sensitive Data at Risk
Chart: average number of files per user that are broadly shared; 10% of these files contain confidential data; breakdown of that confidential data shown as 48% / 33% / 14% / 5%
TIP: Automate Control of Shadow Data
• Create & enforce control policies based on a wide range of criteria
• Automatically classify, detect and remediate cloud content via semantic analysis
3. All Data Allowed, But Selectively Restrict Access
Example:
• Only employees with appropriate credentials should have access to specific data elements within the application
– PII, PHI, PCI DSS, etc.
– Granular Controls at the app or individual level:
• Role based
• Location based
• Device based
• Activity based
TIP: Get Precise Control
Build access policies based on:
• USERS
• DEVICE
• LOCATION
• FILE PROPERTIES
• ACTIVITY
• CONTENT
Cloud Controls
4. Additional Cloud Data Protection Required
Examples:
• Medical collaboration portal in the cloud – PHI shared between patients, physicians, and medical device manufacturer
• Customer support cloud application for products with sector-based compliance requirements (ITAR)
• Consumer lending banking application
– Bank has internal policy that GLBA data needs to be encrypted
• Data sovereignty
– Bank operating in Germany and Switzerland that needs to keep customer banking data within specified countries
Patient Data in the Cloud
Medical Data Elements
• 18-20 fields of Personal Health Information (PHI)
• All scanned forms and images
• Breach Notification relief if strong encryption in place
Data Residency @ Canada
Source: Updated guidance on the storage of information outside of Canada by public bodies, Information & Privacy Commissioner for British Columbia, 2014
GDPR & Data Security
• Expressly states that Data Protection Officers must consider measures including the “pseudonymisation & encryption of personal data”
• In fact, strongly encrypted data is considered not to be personal data
What is the Benefit?
Diagram labels: User Experience; Authorized Users; Cloud Data Protection Platform(s); Non-authorized Users; Direct Connection to Salesforce.com; Info Stored & Processed in the Cloud; protected IN TRANSIT, AT REST and IN USE
TIP: Secure Sensitive Data While it is in Your Control
Diagram: each sensitive field value is replaced with a TOKEN before it leaves the enterprise; only the unreadable token values reach the cloud
5. Monitor, Audit & Log Interactions
Examples:
• Medical device provider using cloud-based application for customer support
− HIPAA requires the existence of a reliable audit trail to protect the personal data of medical patients, which must be able to provide “sufficient information to establish what events occurred, when they occurred, and who (or what) caused them.”
• Bank considering using Box for collaboration and document sharing
− Sarbanes-Oxley: Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information
• Bank moving to a cloud-based accounting system
− GLBA mandates banks monitor activity captured by network device event logs and that they are reviewed on a regular and timely basis
• DMV using a cloud-based system to manage vehicle registrations, etc., retains credit card details for payments
− PCI DSS: “Requirement 10: Track and monitor all access to network resources and cardholder data” – the presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong
TIP: Continuous Monitoring
Stay up-to-date & compliant with dashboards, alerts, & detailed logs
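A worked example added here (not from the presentation or from Blue Coat's products) of how control scenarios 2 through 5 fit together in one enforcement point between the enterprise and a sanctioned cloud app: credit card (PCI) fields are blocked from upload, PHI fields are tokenized before they leave the enterprise, tokens are revealed on the way back only when user, device, location and activity all pass policy, and every decision is written to an audit trail. The field classification, the key, the sample records and the clinician/managed-device/US/view rule are constructed assumptions for the demo.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed classification of record fields, and the control scenario per category: PCI is
# blocked outright (#2), PHI is tokenized before upload (#4) and revealed only to users who pass
# the access policy (#3). Every decision is logged (#5). Field names and key are made up here.
FIELD_CLASS = {"patient_name": "PHI", "diagnosis": "PHI", "card_number": "PCI"}
POLICY = {"PCI": "block", "PHI": "tokenize"}
DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # in practice kept in an on-premises HSM/KMS
# Policy inputs from the "Get Precise Control" slide: user, device, location and activity.
Context = namedtuple("Context", "user role managed_device country activity")
# Constructed sample records: a patient visit containing PHI and a payment containing PCI data.
VISIT = {"patient_name": "Jane Doe", "diagnosis": "influenza", "visit_id": "V-1"}
PAYMENT = {"card_number": "4111111111111111"}

class CloudControlPoint:
    def __init__(self):
        self._vault: dict[str, str] = {}  # token -> clear value; never leaves the enterprise
        self.audit: list[dict] = []       # who did what, and with which outcome

    def _log(self, ctx: Context, outcome: str, detail: str) -> None:
        self.audit.append({"user": ctx.user, "activity": ctx.activity, "outcome": outcome, "detail": detail})

    def _tokenize(self, value: str) -> str:
        # Keyed, deterministic token: equal values give equal tokens (search/joins still work)
        # while the token itself reveals nothing about the clear value.
        token = "TOK-" + hmac.new(DEMO_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
        self._vault[token] = value
        return token

    def outbound(self, record: dict, ctx: Context):
        """Apply the policy before a record is sent to the cloud app; returns None if blocked."""
        out = {}
        for name, value in record.items():
            action = POLICY.get(FIELD_CLASS.get(name), "allow")
            if action == "block":
                self._log(ctx, "BLOCKED", f"{name} is PCI data and may not be stored in the cloud")
                return None
            out[name] = self._tokenize(value) if action == "tokenize" else value
        self._log(ctx, "SENT", f"fields={sorted(out)}")
        return out

    def inbound(self, record: dict, ctx: Context) -> dict:
        """Detokenize on the way back only if user, device, location and activity all pass."""
        permitted = (ctx.role == "clinician" and ctx.managed_device
                     and ctx.country == "US" and ctx.activity == "view")
        out = {k: (self._vault.get(v, v) if permitted else v) for k, v in record.items()}
        self._log(ctx, "REVEALED" if permitted else "MASKED", f"fields={sorted(record)}")
        return out
```

The `audit` list is the scenario 5 record: it answers what happened, when (add a timestamp in a real deployment) and who caused it, for blocked and masked requests as well as successful ones.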
Closing Thoughts
• Understand the unique compliance/governance issues associated with placing sensitive data in cloud apps
– Partner closely with IT Risk & Compliance and Data Governance peers
• Different hammers for different nails
• “Cloud First” enterprises will encounter all of the Big 5; it’s a matter of time