Securing the Reality of Multiple Cloud Apps: Pandora's Story
TRANSCRIPT
Continuing Professional Education (CPE) Credits
Claim your CPE credit for attending this webinar: https://www.isc2.org/
For more information or questions please contact us
Agenda
01 Why Cloud Security Matters in Pandora
02 Fundamentals: Data and Cloud Vendors
03 Making Security Happen - Best Practices
04 CloudLock Overview
05 Q&A
Disclaimer
These slides are based on my experience working for Internet firms in Silicon Valley.
I do not presume to speak for IT pros using different methods that may be equally effective.
Doug Meier, Director, Security & Compliance, Pandora Media Inc.
Twitter: @TurkEllis blog: riskof.ghost.io
Why Security Matters at Pandora
● We are public
● We are fast paced and unusually collaborative
● We grow in the context of cloud apps
● We must adhere to compliance regulations
Same Security Concerns - Different Approach
Similarity: We are still dealing with someone else's product.
Dissimilarity: Defense in depth and layered approaches can be irrelevant, because the business cloud is external, open, and de-perimeterized.
Approach to business cloud environment security:
● As dependent on the vendor as on the network team
● Requires security processes that network security templates can't provide
Yes It Is About the Data… That Matters
“Data-Centric” Security
● Most put the DLP cart before the horse
● Fundamentals of data management:
○ Classification
○ Mapping
○ Retention
○ Handling
○ Disposal
● DLP isn't a single, one-time solution
● Identify, classify, and protect the data that matters most
Fundamentals: The Vendor Security & Resilience Audit
1) Establish overall vendor risk
2) Verify vendor resilience:
● Appropriate logical access
● Appropriate change management of production code
● Clear problem resolution
● Data backup & recovery methods
● Means of data integration
● Evidence of regulatory compliance / certifications
● Adequate support and resources
Pandora’s Onboarding Certification: 60+ Questions
PR Challenge: Instilling Security Awareness
● Fact: in the de-perimeterized, ultra-socialized business cloud, business is conducted both in and out of band.
● Confidential discussions, collaborations, and chats can't all be filtered or blocked at the firewall
● Rely on ongoing security awareness training and communications
● Leverage the internal training group, Legal team, and exec staff
Compliance Is Not The Enemy
Truism: Good standard secure IT ops leads to compliance.
Truism: Compliance standards ensure transparency & accountability.
● SOX controls
● PCI-DSS 3.0 standard
● SSAE 16 reporting standard: SOC 1 & SOC 2
● ISO 27001
● COBIT 5 (ISACA)
● CSA Cloud Controls Matrix (CCM)
● STAR
Enlist The Business Owner and PM
“Soooo… about my urgent vendor onboard request …”
• Slow it down:
– Do we support an app that does this?
– Are other groups asking for a similar hosted app/service?
– Have we looked at alternatives?
• Simple question: how did you hear about this vendor?
• Position a strong point person (or persons)
• Enlist PMs
• Communicate the positives of the cloud security process/program
Fencing The De-Perimeter
• Acknowledge the risk
• Treat the vendor assessment and onboarding process as business resilience
• Obtain exec staff support
• Prioritize security awareness and training
• Beware the freemium service and the endless POC
• Ask for SOC 1s and SOC 2s
• Use a central auth mechanism
• Enlist network & PM teams and business owners
• Enlist IT to support, AND monitor, AND re-assess
The Enterprise Business Cloud
[Diagram: the business backbone of people, apps & APIs, with legacy security solutions on the on-premise side (SharePoint, apps, app server, database) and business apps on the cloud side (messaging & collaboration, sales & marketing, HR & skills, finance).]
SaaS Security is a Shared Responsibility
Users & Apps:
● Behavioral anomaly
● 3rd-party apps granted access to data
Data:
● Cloud data protection
● Regulatory compliance
Infrastructure:
● Audit logs
● Security APIs
SaaS Security Solution
Controlling Data in SaaS Applications
[Diagram: sanctioned IT vs. unsanctioned (shadow) IT, spanning sanctioned apps, personal apps, and work-related apps.]
Final Advice
Do Right By Your Company
• It's a conversation
• Reduce noise & complexity
• Establish a reliable process
• Embrace compliance
• Don't go it alone
• Don't trust, but verify (the new normal)
• Keep your sense of humor and confidence
• Do what's right for your company
• Use the growing body of knowledge
Trusted by the Largest Brands
● 5,000: Trade Secrets, Technology
● 20,000: Data Privacy, Federal
● 250,000: PCI-DSS, Retail
● 250,000: PCI-DSS, Retail
● 140,000: Regulatory Compliance, Financial Services
● 10,000: PHI/IP, Life Sciences
● 540,000: PII / FERPA, Education
● 12,000: Data Privacy, High Tech
● 80,000: PII / PCI, Transportation
● 27,000: Data Privacy, Manufacturing
● 72,000: Trust, Cloud Vendor
Use Cases: Cybersecurity for SaaS
● Cloud Data Protection
● Apps Discovery & Control
● User Behavioral Monitoring
● Regulatory Compliance
● Threat Protection
● Auditing / Forensics
Capabilities:
● Discover, classify & control sensitive data
○ Control: Notify, Quarantine, Encrypt
○ Content-based: PCI/PHI/PII/IP
○ Community trust rating for classification
● Discover, classify & control shadow apps
○ Control: Notify, Rate, Revoke
● Reduce insider threat
● Alert on compromised accounts
○ Control: Notify, Rate, Revoke
● Security awareness
Cloud Security Fabric: How it Works
Components: Content Analysis, Context Analysis, User Behavior Monitoring, Central Auditing, Incident Management, Encryption Management, Policy Automation, Security Analytics
Enterprise integrations: Incident API, Ticketing, SIEM
Connected parties: Public Cloud Apps, IT Security, End-User
Next Step: Get a 1:1 Demo at bit.ly/cloudlock-demo