
Page 1

Viva la Cloud IAPP Privacy Academy 2013

Page 2

Speaker Intros

Varun Badhwar, VP of Product Strategy

Chris Zoladz, Founder

Page 3

Basic Premises for this Session

Use of the cloud will continue to explode

Security and privacy risks are not insurmountable

Encryption is a powerful tool to manage many security and privacy risks

Page 4

Today’s Reality

[Diagram: the enterprise’s cloud applications (Collaboration, Email, Custom Apps, CRM, Other Clouds) reached by Mobile Users and Remote Users]

Page 5

Cloud Application’s Market Explosive Growth

[Chart: cloud application market in $ billions, 2008 to 2020; >$50 Billion by 2014. Source: IDC]

Page 6

Balancing Cloud Initiatives with Privacy & Compliance

Cloud benefits are compelling

• Rapid transformation of business processes

• Low upfront investment

• Minimal administration

• Scalable and flexible

85% of business managers believe cloud computing will transform their business - Knowledge@Wharton

Cloud risks are real

• Loss of control of sensitive information

• Maintaining privacy and compliance

• Reliance on cloud provider security

• Array of data privacy and disclosure laws

#1 cloud concern: unauthorized access to or leaks of sensitive information - InformationWeek

Page 7

Recent Cloud Information Protection Challenges

Major US Newspapers Allege Chinese Hack Attacks (January 2013)

We’ve been hacked, personal information exposed (February 2013)

Reporter accessed customer data to track down a lead (May 2013)

“Businesses must radically rethink their approach to cloud security” (June 2013)

#1 cloud concern: unauthorized access to or leaks of sensitive information - InformationWeek

Themes: data leaks, data residency, forced disclosure

Regulations: GLBA, PCI, HIPAA, FISMA

Page 8

Where Cloud Data Resides and What Laws Apply

USA Federal: CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act

US States: Breach notification in 47 States

Canada: PIPEDA, FOIPPA, PIPA

Mexico: Personal Data Protection Law

Colombia: Data Privacy Law 1266

Brazil: Article 5 of Constitution

Chile: Protection of Personal Data Act

Argentina: Personal Data Protection Act, Information Confidentiality Law

United Kingdom: ICO Privacy and Electronic Communications Regulations

European Union: EU Data Protection Directive, State Data Protection Laws

Morocco: Data Protection Act

South Africa: Electronic Communications and Transactions Act

India: Information Technology Act

Thailand: Official Information Act B.E. 2540

Malaysia: Personal & Financial Data Protection Acts

Philippines: Proposed Data Privacy Law

Taiwan: Computer-Processed Personal Data Protection

Hong Kong: Personal Data Privacy Ordinance

South Korea: Network Utilization and Data Protection Act

Japan: Personal Information Protection Act

Australia: National Privacy Principles, State Privacy Bills, Email Spam and Privacy Bills

New Zealand: Privacy Amendment Act

Page 9

Best Practices for Cloud Information Protection

On-going and precise visibility

• Flexible reporting on application usage, user, data and context

• Monitoring for DLP policies, violations and anomalies

• Correlation across multiple clouds

Don’t break the application

• Preserve application functionality

• Support searching and sorting of encrypted data in the cloud

• Provide a single security platform across multiple cloud applications

Powerful cloud security

• Granular control over specific types of data and security levels

• Range of encryption, tokenization, malware detection, DLP, auditing

• Assure exclusive enterprise control over encryption keys

Effective data classification

• Who should have access

• What content needs protection

• How can it be identified

• Where this data will reside

• What regional laws apply
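The “support searching and sorting of encrypted data in the cloud” bullet depends on the cloud holding something it can index without being able to read it. Tokenization, named alongside encryption in the “Powerful cloud security” list, is one way a gateway achieves that: the clear value stays in a vault inside the enterprise and the cloud stores only a random token, so an equality search runs on tokens. The Go program below is an added illustration written for this edit, not code from the presenters or any product they describe; the TokenVault, CloudRecord and SearchBySSN names, the in-memory maps standing in for a vault database, and the sample records are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// TokenVault lives inside the enterprise. The cloud application only ever
// stores tokens, so it can index, search and sort on them without being able to
// read the underlying value. In-memory maps stand in for the vault database here.
type TokenVault struct {
	byValue map[string]string // clear value -> token
	byToken map[string]string // token -> clear value
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byValue: map[string]string{}, byToken: map[string]string{}}
}

// Tokenize returns the same token every time it sees the same value; that is
// what lets the cloud side answer an equality search. The token is random and
// carries no information about the value it replaces.
func (v *TokenVault) Tokenize(value string) (string, error) {
	if tok, ok := v.byValue[value]; ok {
		return tok, nil
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(raw)
	v.byValue[value] = tok
	v.byToken[tok] = value
	return tok, nil
}

// TokenFor looks a value up without creating a mapping, for search queries.
func (v *TokenVault) TokenFor(value string) (string, bool) {
	tok, ok := v.byValue[value]
	return tok, ok
}

// Detokenize resolves a token back to the clear value; only the enterprise can.
func (v *TokenVault) Detokenize(token string) (string, error) {
	val, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token: never issued or already shredded")
	}
	return val, nil
}

// Shred removes the mapping. Every copy of the token the provider still holds
// (indexes, backups, exports) is left as a meaningless string.
func (v *TokenVault) Shred(value string) {
	if tok, ok := v.byValue[value]; ok {
		delete(v.byToken, tok)
		delete(v.byValue, value)
	}
}

// CloudRecord stands in for a row stored by the SaaS application.
type CloudRecord struct {
	CaseID   string
	SSNToken string // tokenized by the gateway on the way out
	Subject  string // non-sensitive, stored in clear
}

// SearchBySSN is the cloud-side equality search: the gateway turns the search
// term into its token and the cloud matches rows on the token, not the SSN.
func SearchBySSN(v *TokenVault, cloud []CloudRecord, ssn string) []string {
	tok, ok := v.TokenFor(ssn)
	if !ok {
		return nil // never tokenized, so nothing in the cloud can match
	}
	var ids []string
	for _, r := range cloud {
		if r.SSNToken == tok {
			ids = append(ids, r.CaseID)
		}
	}
	return ids
}

func main() {
	v := NewTokenVault()
	// Constructed sample values, not real identifiers.
	a, _ := v.Tokenize("123-45-6789")
	b, _ := v.Tokenize("987-65-4321")
	cloud := []CloudRecord{{"case-1", a, "refund"}, {"case-2", b, "address change"}, {"case-3", a, "complaint"}}
	fmt.Println("cloud sees:", cloud)
	fmt.Println("cases for 123-45-6789:", SearchBySSN(v, cloud, "123-45-6789"))
	v.Shred("123-45-6789")
	_, err := v.Detokenize(a)
	fmt.Println("after shredding:", err)
}
```

The design choice to note is the one the slide glosses over: equality search only works because the same value always yields the same token, so the cloud can still see which records share a value even though it cannot read it. Sorting on the field would need an order-preserving scheme, which leaks more and is not shown here. Deleting the vault entry is the tokenization counterpart of the key deletion on the next slide: the tokens left in the cloud become permanently meaningless.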

Page 10

Gartner Recommends Encrypting Sensitive Information

• Simplify audits such as PCI, HIPAA, etc.

• Address data residency issues by addressing geographic-based controls

• Avoid data breach notification requirements for PII and ePHI

• Don’t rely on cloud providers to delete all copies of data in the cloud

• Digitally shred sensitive data at end of life by deleting encryption keys and tokens

Source: Simplify Operations and Compliance in the Cloud by Encrypting Sensitive Data

Published: 15 August, 2013

Page 11

Encryption Offers a “Safe Harbor”

Table columns: Regulation, Region, Breach Notification Safe Harbor Exemptions, Recommendations on Encryption

PCI DSS
Recommendations on encryption: encryption a “critical component”

GLBA
Breach notification safe harbor exemption: safe harbor “if encryption has been applied adequately”

HIPAA, HITECH
Breach notification safe harbor exemption: safe harbor “if encryption has been applied adequately”

EU Directives
Breach notification safe harbor exemption: proposed
Recommendations on encryption: proposed new regulation proposes a safe harbor exemption if data was adequately encrypted

ICO Privacy Amendment
Breach notification safe harbor exemption: notification not required if there are “measures in place which render the data unintelligible.”

Privacy Amendment
Breach notification safe harbor exemption: not specified
Recommendations on encryption: not specified, but you should “take adequate measures to prevent the unlawful disclosure”

US State Privacy Laws
Breach notification safe harbor exemption: generally yes
Recommendations on encryption: typical breach definitions - Personal Information: “data that is not encrypted”; Breach: “access to unencrypted data”

Page 12

Cloud Information Protection Gateways

[Diagram: a Cloud Information Protection Gateway placed between the enterprise and its cloud applications (Collaboration, Email, Custom Apps, CRM, Other Clouds)]

Page 13

Taking Control of Your Data in the Cloud

Encryption keys never leave the enterprise

• Transparent to user

• Preserves usability and functionality

Complete visibility for all user cloud activity

Encrypted data is indecipherable

• Real-time encryption

• Near-zero latency

• Malware detection

• Data loss prevention

Page 14

Retain Your Keys

Key management plays an extremely important role in the world of data security/privacy - CNet

In a well-architected system, the cloud services provider does not have direct access to the keys.

If a legal request is made for access to the data, the enterprise must be involved.
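Pages 10, 13 and 14 state one design rule from three angles: the enterprise generates and keeps the data-encryption keys, the provider stores only ciphertext, and end-of-life deletion means deleting the key rather than trusting the provider to purge every replica and backup. The Go program below is an added example built for this edit, not the presenters’ or any vendor’s code, of a gateway applying that rule with AES-256-GCM from Go’s standard library. The Gateway, Record, Outbound, Inbound and Shred names, the in-memory key map (an HSM-backed key store would take its place in practice) and the sample record are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is one object in the cloud application (a CRM case, a mail message).
type Record map[string]string

// Gateway sits in the enterprise network between users and the cloud. The data
// keys live only here, so the provider holds nothing but ciphertext for the
// sensitive fields and cannot hand them over in clear on its own.
type Gateway struct {
	Keys      map[string][]byte // record ID -> 32-byte AES-256 key (HSM-backed key store in practice; a map here)
	Sensitive map[string]bool   // fields that may only reach the cloud encrypted
}

// aeadFor returns AES-256-GCM under the record's key, generating the key on first
// use when create is set. Once the key has been deleted the ciphertext is unrecoverable.
func (g *Gateway) aeadFor(id string, create bool) (cipher.AEAD, error) {
	key, ok := g.Keys[id]
	if !ok && !create {
		return nil, errors.New("no key for " + id + ": ciphertext is indecipherable")
	}
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		g.Keys[id] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Outbound runs on a record on its way to the cloud: sensitive fields are replaced
// by ciphertext, everything else passes through unchanged.
func (g *Gateway) Outbound(id string, rec Record) (Record, error) {
	gcm, err := g.aeadFor(id, true)
	if err != nil {
		return nil, err
	}
	out := Record{}
	for name, val := range rec {
		if !g.Sensitive[name] {
			out[name] = val
			continue
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// Record ID and field name go in as associated data, so a ciphertext copied
		// into another record or field no longer authenticates.
		ct := gcm.Seal(nonce, nonce, []byte(val), []byte(id+"/"+name))
		out[name] = "enc:" + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound runs on a record coming back from the cloud and restores the clear text.
func (g *Gateway) Inbound(id string, rec Record) (Record, error) {
	gcm, err := g.aeadFor(id, false)
	if err != nil {
		return nil, err
	}
	out := Record{}
	for name, val := range rec {
		if !strings.HasPrefix(val, "enc:") {
			out[name] = val
			continue
		}
		ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(val, "enc:"))
		if err != nil || len(ct) < gcm.NonceSize() {
			return nil, errors.New("malformed ciphertext in field " + name)
		}
		ns := gcm.NonceSize()
		pt, err := gcm.Open(nil, ct[:ns], ct[ns:], []byte(id+"/"+name))
		if err != nil {
			return nil, errors.New("field " + name + " failed authentication: " + err.Error())
		}
		out[name] = string(pt)
	}
	return out, nil
}

// Shred deletes the record's key. Every copy of the ciphertext the provider still
// holds (replicas, backups, exports) becomes unrecoverable without any action by the provider.
func (g *Gateway) Shred(id string) { delete(g.Keys, id) }

func main() {
	g := &Gateway{Keys: map[string][]byte{}, Sensitive: map[string]bool{"ssn": true, "diagnosis": true}}
	stored, _ := g.Outbound("case-42", Record{"name": "J. Doe", "ssn": "123-45-6789"}) // constructed sample
	fmt.Println("stored in the cloud:", stored)
	g.Shred("case-42")
	_, err := g.Inbound("case-42", stored)
	fmt.Println("after key deletion:", err)
}
```

Two points a practitioner should take from the code. First, a per-record key makes the slide’s “digital shredding” granular: deleting one key retires one record everywhere the provider replicated it, which is why the enterprise, not the provider, must hold the keys. Second, the same property shifts the burden: the key store is now the asset whose backups matter, and a legal request for the data has to come through the enterprise because nothing the provider holds decrypts without it.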

Page 15

Early Adopters of Such Technology

Banking

Financial Services

Healthcare

Technology

Government

Page 16

Major Hospital Chain

Challenges and Opportunities

• Developing portal for connecting hospitals to service providers

• Assuring privacy, HIPAA, and HITECH compliance for patient records

• Reducing high costs and obsolescence of building custom in-house systems

Objectives

• Encrypting sensitive healthcare data

• Delivering cloud-based email without storing unencrypted data in the cloud

• Providing simple partner interface while assuring visibility

Highlights

• AES 256 encryption of sensitive data

• Secure email integration via Easylink

• High availability, load-balanced architecture

Benefits

• Able to leverage cloud-based platforms while assuring data security

• Reduced cost and internal infrastructure

• More up-to-date systems continually managed by cloud providers

QUICK FACTS

• One of the world’s largest private operators of healthcare facilities

• Employees: 200,000

• Over 162 hospitals, 113 surgery centers in 20 US states and London

Page 17

Top Three US Bank

Challenges and Opportunities

• Develop a consumer self-service loan origination portal

• Process millions of mortgage loans

• Comply with Dodd-Frank and consumer protection act

• Protect structured and unstructured information

Objectives

• Encrypt consumer identities

• Encrypt uploaded tax & income statements

• Scan for malware

• Avoid large potential fines – millions of dollars per day

Highlights

• Integration with IBM AS 400 iSeries via Informatica

• AES 256 encryption, malware detection

• Real-time web services, custom VisualForce pages / Apex / SSP SAML assertion

• Clustered high availability deployment with hot disaster recovery

Benefits

• Drove 95% adoption rate

• Process over 1.5M loans, 1.6M cases, 8M activity tasks

• Encrypting 2.5K files per hour

• Established single point of contact [SPOC] operating model

QUICK FACTS

• Industry: Banking

• Employees: 200,000+

• Encrypts sensitive consumer information on-the-fly for over 100K customers per month

Page 18

Consumer Goods

Challenges and Opportunities

• Leveraging cloud infrastructure to streamline partner interactions

• Complying with strict German and international privacy laws

• Government contracts restrict storage of data offshore

Objectives

• Creating secure customer service portal with the Salesforce platform

• Ensuring strong encryption for sensitive and private data

• Complying with government contracts restricting off-shore data residency

Highlights

• Initial deployment live in 6 weeks

• AES-256 bit encryption of sensitive data

• Encryption of comments, notes and attachments

• Web-to-case and email-to-case solution

Benefits

• Enabled broad adoption of customer service portal

• Assures compliance with data privacy and residency laws

• Safe Harbor exemption for data breach notifications in many countries

NOTABLE HIGHLIGHTS

• 130-year-old company

• Leading skin care research center

QUICK FACTS

• Headquarters: Hamburg, Germany

• Industry: Consumer Products

• Products: Major skincare brands

• 150 affiliates on 6 continents, over 70 countries

• Global leader in skin care products

Page 19

Characteristics of Organizations that Effectively Use the Cloud

Strong IT leadership – they seek and embrace opportunities to enable the business and reduce costs.

Strong Security & Privacy leadership – they focus not only on risk identification but practical risk management solutions.

Realistic expectations – they understand and accept that no cloud service provider can guarantee the security of their information or provide indemnification provisions that would cover all potential losses from a data breach.

Reduced reliance on the cloud service provider – they implement controls that minimize or eliminate reliance on the cloud service provider to secure their data.

Page 20

Q&A

Contact Information:

Varun Badhwar

[email protected]

(415) 683-0062

Chris Zoladz

[email protected]

(240) 475-3640