myths and realities of cloud data security
DESCRIPTION
Debunking some of the "sound bite" myths around Cloud Data Security. Presentation done for the MinneAnalytics "Life Science Lean-In: Analytics & Big Data in Healthcare & Life Science".
© 2012
Myths & Realities of Cloud Data Security
Michael J. Krouze, Chief Technology Officer, Charter Solutions, Inc.
Copyright © 2013, Charter Solutions, Inc. 2.
“The first step toward change is awareness. The second step is acceptance.”
- Nathaniel Branden
“All our knowledge has its origins in our perceptions.”
- Leonardo da Vinci
“The thing about quotes on the internet is you can not confirm their validity.”
- Abraham Lincoln
We don’t use the cloud.
• Files are encrypted at rest
• Files are encrypted during transit
• Provides a “business” version that allows multiple user access control
• Strict policy and technical access controls that prohibit employee access

• Users can have weak passwords
• Files are ‘synced’ to multiple devices
• API allows programs to access your files (with permission)

• Always use strong passwords
• Encrypt files before you put them there and share the key only with the other people who should see that file
• Never give permission for API access
Yes, your organization uses the cloud… you just may not know it.
The cloud simply cannot be secure.
My provider has my security covered.
The cloud isn't safe.
If it's on the Internet, it's more vulnerable to hackers.
Private cloud computing is secure by default.
Data stored in the cloud is more vulnerable.
Security is a Shared Responsibility
[Figure: the layers Network, Storage, Server, VM, OS, Services and Application, shown for each of five hosting models: On-Premise, On-Premise (hosted), IaaS, PaaS and SaaS. Legend: Organization has Control; Organization Shares Control with Vendor; Vendor has Control.]
Industry Groups Targeted
[Bar chart, % of Breaches by industry group: Other; Information; Health Care and Social Assistance; Finance and Insurance; Retail Trade; Accommodation and Food Services]
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Who’s Behind Data Breaches?
[Bar chart, % of Breaches by threat agent: Business Partners; Internal Employees; External Agents]
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Threat Agent Change Over Time
[Chart, % of Breaches by threat agent (External, Internal, Partner) for the periods '04-'07, 2008, 2009, 2010 and 2011]
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
How Do Breaches Occur?
[Bar chart, % of Breaches by threat action: Privilege Misuse; Social Tactics; Physical Attacks; Malware; Hacking]
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Attack Commonalities
• 97% Avoidable through simple or intermediate controls
• 96% Were not highly difficult
• 94% Of all data compromised involved servers
• 92% Were discovered by a third party
• 85% Took weeks or more to discover
• 79% Were targets of opportunity
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Hacking Methods
[Bar chart, % of Breaches by hacking method: Unknown; Abuse of functionality; Remote file inclusion; SQL Injection; Exploit insufficient authentication; Exploit backdoor; Brute force/dictionary attacks; Stolen login credentials; Default/guessable credentials]
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Not Just About Data Encryption
[Diagram: data passing through the Application, Database, OS File System and Storage System, and across the Public Network and Private Network. Legend: SSL Encrypted; Encrypted at Rest; Clear Text Data.]
It’s not that the cloud isn’t secure…
It’s that you need to think differently about how to secure it
My datacenter is more secure than the cloud.
A little obvious after the last myth
Security is often taken for granted behind the firewall
Data Breaches by Hosting Location
[Bar chart, % of Breaches by hosting location: Mobile; Co-located; External; Internal]
Source: 2012 Data Breach Investigations Report (Verizon/USSS)
Your datacenter (on-premise or cloud) is only as secure as you make it!
Both can be equally secure or insecure.
Concluding thoughts…
Understand your data risks & security needs
Establish a set of cloud-specific security processes / policies
Review cloud vendors closely to ensure their sphere of control aligns with your cloud-specific processes / policies
Implement, monitor, react, review, improve
Thank You!
[email protected]
www.linkedin.com/in/mjkrouze
@mjkrouze