google peter logli & jake shea
TRANSCRIPT
Data Security and Student Privacy
Colloque RISQ 2016
+ What security and privacy concerns keep you up at night?
+ What objections do you hear to implementing G Suite for Edu?
The bad guys have become increasingly sophisticated and effective
https://www.google.com/edu/trust/
● G Suite for Edu Online Agreement● G Suite Data Processing Agreement● Core v Additional Services
Security from the ground up
OS
Network
Servers
Chips
Control and secure the entire stack
Jupiter Superblocks & Pluto Switches
Global infrastructure
Data center locations
Lay our own cables
Project Shield
1 device
MTBF = 10 years
100K devices(servers, routers,
networking, power supplies, cooling, …)
MTBF = 1 hour
Predictable reliability comes from software
Data Center
Data Center
Data Replication for high availability and security
Data Center
Data Center
Requesting Data
G Suitefor Edu
● Gmail + Attachments● Calendar● Drive*● Docs*● Sheets*● Slides*● Hangouts & Talk (on the record only)● Sites*● Contacts● Groups● Vault
* - excluding video and third party content
Core Services
Two factor authentication
Maintain complete control
Maintain complete control
Choose who you externally collaborate with
● 500+ security engineers
● 24/7 active watch
● 160 academic research
papers on security
● Invest literally billions on
a quarterly basis
Investment and scale
We don’t get upset, we reward
How do we think about today’s challenges in data protection?
What do you expect from us?
How are we doing?
Being more transparent
Communicate Store & Share Collaborate Manage
Thank you!
Appendix
Security PrivacyData Protection
Businesses have different needs than consumers
Empower you to made good decisions
You are the data controller. We are only the processor
Industry standard audits
Traditional audits only focused on security
Accountability Legitimacy
Data Quality FairnessPurpose
OpennessSensitivitySecurity
0%
80%
60%
40%
20%
100%
International Data Transfers
Independent Data Protection Authority
Strong Agreement
Medium Agreement
Strong Disagreement
Disagreement across governing bodies
ISO 27018 working group and certification
● Defines the requirements for ISMS (Information Security Management System)
● 114 Controls in 14 GroupsISO 27001/2:2013
● Focused on Public Cloud Providers that process PII● 19 Controls in 11 GroupsISO 27018:2014
● Defines the standard and provides scope and definitions● 4 GroupsISO 27000
ISO 27000 standard broken out
Overview of the Standard
Information Security Policy
Organizational Security
Human Resources
Asset Management
Access Control Cryptography
Physical +Environmental
Security
Operations Security
Communications Security
System Development +Maintenance
Supplier Relationships
Consent & Choice
Purpose / Scope of Processing
Collection Limitation
Data Minimization
Use / Retention / Disclosure
Accuracy + Quality
Sub-processing Disclosure
Individual Access / Participation Accountability
Information Security Privacy Compliance
Business Continuity Compliance Incident
Management
References of the Standard
Terms / Definitions of the Standard
Scope of the Standard
Introduction of the Standard
143 controls within 49 groups
Continuous dialog with customers and regulators
What’s in your data center? ;)