Data Security and Student Privacy

Colloque RISQ 2016

+ What security and privacy concerns keep you up at night?

+ What objections do you hear to implementing G Suite for Edu?

The bad guys have become increasingly sophisticated and effective

https://www.google.com/edu/trust/

● G Suite for Edu Online Agreement● G Suite Data Processing Agreement● Core v Additional Services

Security from the ground up

OS

Network

Servers

Chips

Control and secure the entire stack

Jupiter Superblocks & Pluto Switches

Global infrastructure

Data center locations

Lay our own cables

Project Shield

1 device

MTBF = 10 years

100K devices(servers, routers,

networking, power supplies, cooling, …)

MTBF = 1 hour

Predictable reliability comes from software

Data Center

Data Center

Data Replication for high availability and security

Data Center

Data Center

Requesting Data

G Suitefor Edu

● Gmail + Attachments● Calendar● Drive*● Docs*● Sheets*● Slides*● Hangouts & Talk (on the record only)● Sites*● Contacts● Groups● Vault

* - excluding video and third party content

Core Services

Two factor authentication

Maintain complete control

Maintain complete control

Choose who you externally collaborate with

● 500+ security engineers

● 24/7 active watch

● 160 academic research

papers on security

● Invest literally billions on

a quarterly basis

Investment and scale

We don’t get upset, we reward

How do we think about today’s challenges in data protection?

What do you expect from us?

How are we doing?

Being more transparent

Communicate Store & Share Collaborate Manage

Thank you!

Appendix

Security PrivacyData Protection

Businesses have different needs than consumers

Empower you to made good decisions

You are the data controller. We are only the processor

Industry standard audits

Traditional audits only focused on security

Accountability Legitimacy

Data Quality FairnessPurpose

OpennessSensitivitySecurity

0%

80%

60%

40%

20%

100%

International Data Transfers

Independent Data Protection Authority

Strong Agreement

Medium Agreement

Strong Disagreement

Disagreement across governing bodies

ISO 27018 working group and certification

● Defines the requirements for ISMS (Information Security Management System)

● 114 Controls in 14 GroupsISO 27001/2:2013

● Focused on Public Cloud Providers that process PII● 19 Controls in 11 GroupsISO 27018:2014

● Defines the standard and provides scope and definitions● 4 GroupsISO 27000

ISO 27000 standard broken out

Overview of the Standard

Information Security Policy

Organizational Security

Human Resources

Asset Management

Access Control Cryptography

Physical +Environmental

Security

Operations Security

Communications Security

System Development +Maintenance

Supplier Relationships

Consent & Choice

Purpose / Scope of Processing

Collection Limitation

Data Minimization

Use / Retention / Disclosure

Accuracy + Quality

Sub-processing Disclosure

Individual Access / Participation Accountability

Information Security Privacy Compliance

Business Continuity Compliance Incident

Management

References of the Standard

Terms / Definitions of the Standard

Scope of the Standard

Introduction of the Standard

143 controls within 49 groups

Continuous dialog with customers and regulators

What’s in your data center? ;)