Managing Challenges of Cloud and Compliance Under GDPR
Laz Macias, CISSP – Sr. Sales Engineer
2017 © Netskope. All rights reserved. Netskope confidential.




Diagram (Yesterday vs. Today): Data Center, HQ, Branch, Remote Users, Mobile Users, VPN, Network Perimeter.


There are 25,000+ enterprise cloud services today

1,000+ cloud services per enterprise – how do they get in?


Chart values: 5%, 75%, 20%.

App ecosystems connect IT-led and user-led apps


25 “ecosystem” apps on average per “anchor tenant” app or suite

Cloud + mobile presents sensitive data loss challenge


1/3 of business data is in the cloud.

50% of cloud activity is mobile, and 1/3 of DLP policy violations occur on a mobile device.

Cloud presents new challenges for compliance


Regulations and data types in scope: GDPR, GLBA, PII, SOX, PHI, HIPAA, HITECH, FINRA, PCI-DSS

‣ ACCESS (Browser, mobile app, sync client)
‣ REMOTE (Airplanes, coffee shops, etc.)
‣ ON-PREMISES (HQ, Branch office)

Lack of visibility and control = non-compliance

• Where is my sensitive data?
• Who has access to it?
• Is it protected?

EU GENERAL DATA PROTECTION REGULATION:

‣ Single regulation that supersedes all others
‣ Applies to European and non-European entities
‣ Penalties up to $20M or 4% of annual turnover
‣ Adopted in 2016; enforcement on May 25, 2018

PERSONAL DATA =

“…any information relating to an individual, whether it relates to his or her private, professional or public life.” “…can be anything from a NAME, a PHOTO, an EMAIL ADDRESS, BANK DETAILS, POSTS on social networking websites, MEDICAL INFORMATION, or a computer’s IP ADDRESS.”

Entities tied to compliance

SUPERVISORY AUTHORITY (Data Protection Authority)

‣ Public authority that supervises and enforces GDPR for member state
‣ Levies fines, conducts investigations, and receives breach notifications from controllers

CONTROLLER (Your Organization)

‣ Determines purposes and means of processing data
‣ Must have reason, use only for reason, ensure accuracy, protect, inform supervisory authority of breach, prevent transfer to insecure processors

PROCESSOR (Cloud Service)

‣ Processes data on behalf of controllers
‣ Must protect, use only for specified reason, have a signed agreement, and erase data once services are terminated

DATA SUBJECT (Your Employee or Customer)

‣ Individual who is or can be identified, directly or indirectly
‣ Rights include consent/opt out, obtain data, know where data is, and have data deleted

Controller’s Obligation:

‣ KNOW what personal data is processed by workers using cloud services
‣ IDENTIFY which cloud services workers are using
‣ PREVENT personal data from being processed in unmanaged cloud services
‣ PROTECT personal data stored or processed in cloud services

Many cloud services are not GDPR-ready

Source: Netskope Cloud Report


Cloud value, risk, and security and compliance gaps

Challenges: sensitive data loss, non-compliance, and threats (malware and ransomware).

Cloud delivers business value:

• Office 365 enables collaboration for any user, anywhere, on any device
• Shadow IT: HR, Finance, Marketing, and R&D are rapidly deploying cloud services and helping our business innovate
• AWS gives us access to unlimited compute resources for our demanding workloads

Why current security approach is not good enough (cloud risk):

• Blind to users outside the perimeter; blind to activities on mobile; limited protection for personal devices; blind to data exfiltration to unsanctioned cloud
• Blind to risky activities; no granular control; forces difficult block or allow decision
• Limited visibility into sensitive data in AWS; no sensitive data protection; auditing is limited

Cloud Access Security Broker


The Four Pillars of CASB: VISIBILITY, DATA SECURITY, COMPLIANCE, THREAT PROTECTION

“CASB is a required security platform for organizations using cloud services.”

How a CASB is deployed


Deployment modes:

‣ API (out-of-band)
‣ Proxy (inline, TLS decryption at scale)

Access paths covered: ACCESS (Browser, mobile app, sync client); REMOTE (Airplanes, coffee shops, etc.); ON-PREMISES (HQ, Branch office)

CASB services


The cloud security journey in phases

Safely permit unsanctioned, yet necessary, cloud services:

‣ Identify ecosystems, non-corporate instances, and create category-level and context-based policies
‣ Block risky activities

Skipping this step may lead to user revolt and a decrease in productivity.

Safely enable cloud services you have sanctioned:

‣ Apply adaptive access control
‣ Implement granular policies and workflows
‣ Prevent data loss
‣ Protect against threats
‣ Encrypt when necessary


Continuously discover cloud services and assess risk. Illustrative numbers from the slide:

Discovered = 1000

‣ Blocked = 300 (unsanctioned and optionally blocked): optionally block the most risky services and coach users to use alternatives
‣ Safely Permitted = 650 (unsanctioned and permitted, using granular control): protect against threats (450), prevent data loss (300), block risky activities (200), govern access (150)
‣ Sanctioned = 50

How Are You Addressing Cloud GDPR Compliance?


Six steps, across any device, including mobile and BYOD:

1. Know location
2. Take security measures
3. Data processing agreement
4. Only “necessary” data; no “special” data unless exemption is in place
5. No personal data for other purposes
6. Data deleted post-service

1. KNOW LOCATION

Are apps, data in EU? Could data be leaked?

Rating scale: excellent, high, medium, low, poor.

2. TAKE SECURITY MEASURES

Data security features such as encryption, auditing, physical security? If not, compensating controls.

Features? If no, controls!

3. DATA PROCESSING AGREEMENT

Find. Consolidate. Sanction. Execute agreement.

4. ONLY “NECESSARY” DATA; NO “SPECIAL” DATA UNLESS EXEMPTION IS IN PLACE

Specify in agreement. Verify in practice.

‣ Assess service functionality
‣ Block non-necessary data
‣ Block “special” data unless exemption is in place

5. NO PERSONAL DATA FOR OTHER PURPOSES

Understand privacy terms of discovered services. Consolidate services that don’t meet requirements. Specify in agreement for the rest.

6. DATA DELETED POST-SERVICE

Understand data deletion terms after service terminated. Consolidate services that don’t meet requirements. Specify in agreement for the rest.


Across all device types, including BYOD and mobile devices, and sync clients

In Summary

Regardless of where you are or what device you’re on:

1. Know Location
2. Take Security Measures
3. Data Processing Agreement
4. Only “Necessary” Data; No “Special” Data unless with exemption
5. No Personal Data for Other Purposes
6. Data Deleted Post-Service

Thank you!!
