viva la cloud - international association of privacy ... · avoid data breach notification...
TRANSCRIPT
Viva la Cloud IAPP Privacy Academy 2013
Speaker Intros
Varun Badhwar VP of Product
Strategy
Chris Zoladz Founder
-2-
Use of the cloud will continue to explode
Security and privacy risks are not insurmountable
Encryption is a powerful tool to manage many security and privacy risks
Basic Premises for this Session
-3-
Today’s Reality
Collaboration
Email Custom Apps
CRM
Mobile Users
Remote Users
Other Clouds
-4-
Cloud Application’s Market Explosive Growth
0
20
40
60
80
100
120
140
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020Source: IDC
$B
illio
ns
>$50 Billion by 2014
-5-
Balancing Cloud Initiatives with Privacy & Compliance
Cloud benefits are compelling
• Rapid transformation of business processes
• Low upfront investment
• Minimal administration
• Scalable and flexible
of business managers believe cloud computing will transform their business - Knowledge@Wharton
85% Cloud concern: unauthorized access to or leaks of sensitive information - InformationWeek
#1
Cloud risks are real
• Loss of control of sensitive information
• Maintaining privacy and compliance
• Reliance on cloud provider security
• Array of data privacy and disclosure laws
-6-
Recent Cloud Information Protection Challenges
Major US Newspapers Allege Chinese Hack Attacks January, 2013
Reporter accessed customer data to
track down a lead May, 2013
“Businesses must radically rethink their approach to cloud security” June, 2013
Cloud concern: unauthorized access to or leaks of sensitive information - InformationWeek
#1
Data leaks
Data residency
Forced disclosure GLBA
PCI HIPAA
We’ve been Hacked, personal
information exposed February, 2013
FISMA
-7-
Chile
Protection of Personal Data Act
Argentina
Personal Data Protection Act, Information Confidentiality Law
South Africa
Electronic Communications and Transactions Act
Australia
National Privacy Principals, State Privacy Bills, Email Spam and Privacy Bills
New Zealand
Privacy Amendment Act
Philippines
Propose Data Privacy Law
Canada
PIPEDA, FOIPPA, PIPA
US States
Breach notification in 47 States
Taiwan
Computer-Processed Personal Data Protection
Hong Kong
Personal Data Privacy Ordinance
Japan
Personal Information Protection Act
South Korea
Network Utilization and Data Protection Act
European Union
EU Data Protection Directive, State Data Protection Laws
India
Information Technology Act
United Kingdom
ICO Privacy and Electronic Communications Regulations
Where Cloud Data Resides and What Laws Apply
USA Federal
CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act
Brazil
Article 5 of Constitution Colombia
Data Privacy Law 1266 Malaysia
Personal & Financial Data Protection Acts
Mexico
Personal Data Protection Law
Morocco
Data Protection Act Thailand
Official Information Act B.E. 2540
-8-
On-going and precise visibility
• Flexible reporting on application usage, user, data and context
• Monitoring for DLP policies, violations and anomalies
• Correlation across multiple clouds
Don’t break the application
• Preserve application functionality
• Support searching and sorting of encrypted data in the cloud
• Provides a single security platform across multiple cloud applications
Powerful cloud security
• Granular control over specific types of data and security levels
• Range of encryption, tokenization, malware detection, DLP, auditing
• Assure exclusive enterprise control over encryption keys
Effective data classification
• Who should have access
• What content needs protection
• How can it be identified
• Where this data will reside
• What regional laws apply
Best Practices for Cloud Information Protection
-9-
Gartner Recommends Encrypting Sensitive Information
Simplify audits such as PCI, HIPAA, etc.
Address data residency issues by addressing geographic-based controls
Avoid data breach notification requirements for PII and ePHI
Don’t rely on cloud providers to delete all copies of data in the cloud • Digitally shred sensitive data at end of life by deleting encryption keys and tokens
Source: Simplify Operations and Compliance in the Cloud by Encrypting Sensitive Data
Published: 15 August, 2013
-10-
Encryption Offers a “Safe Harbor”
Regulation Region Breach Notification
Safe Harbor Exemptions
Recommendations on Encryption
PCI DSS Encryption a “critical component”
GLBA Safe harbor “if encryption has been applied adequately”
HIPAA, HITECH
Safe harbor “if encryption has been applied adequately”
EU Directives Proposed Proposed New regulation proposes safe harbor exemption if data was adequately encrypted.
ICO Privacy Amendment
Notification not required if there are “measures in place which render the data unintelligible.”
Privacy Amendment
Not specified
Not specified but you should to “take adequate measures to prevent the unlawful disclosure”
US State Privacy Laws
Generally Yes
Typical breach definitions: - Personal Information: “data that is not encrypted” - Breach: “access to unencrypted data”
-11-
Collaboration
Email Custom Apps
CRM
Cloud Information Protection Gateways
Other Clouds
-12-
Encryption keys never leave the enterprise
• Transparent to user • Preserves usability and
functionality
Complete visibility for all user cloud activity
Encrypted data is indecipherable
Taking Control of Your Data in the Cloud
• Real-time encryption • Near-zero latency • Malware detection • Data loss prevention
-13-
Retain Your Keys
----14
Key management plays an extremely important role in the world of data security/privacy - CNet
In a well-architected system, the cloud services provider does not have direct access to the keys.
If a legal request is made for access to the data, the enterprise must be involved.
Early Adopters of Such Technology
Banking
Financial Services
Healthcare
Technology
Government
-15-
Major Hospital Chain
Challenges and Opportunities
• Developing portal for connecting hospitals to service providers
• Assuring privacy, HIPAA, and HITECH compliance for patient records
• Reducing high-costs and obsolescence of building custom in-house systems
Objectives
• Encrypting sensitive healthcare data
• Delivering cloud-based email without storing unencrypted data in the cloud
• Providing simple partner interface while assuring visibility
Highlights • AES 256 encryption of sensitive data
• Secure email integration via Easylink
• High availability, load balanced, architecture
Benefits
• Able to leverage cloud-based platforms while assuring data security
• Reduced cost and internal infrastructure
• More up-to-date systems continually managed by cloud providers
QUICK FACTS
• One of the world’s largest private operators of healthcare facilities
• Employees: 200,000
• Over 162 hospitals, 113 surgery centers in 20 US states and London
-16-
Top Three US Bank
Challenges and Opportunities • Develop a consumer self service loan
origination portal
• Process millions of mortgage loans
• Comply with Dodd-Frank and consumer protection act
• Protect structured and unstructured information
Objectives • Encrypt consumer identities
• Encrypt uploaded tax & income statements
• Scan for malware
• Avoid large potential fines – millions of dollars per day
Highlights • Integration with IBM AS 400 iSeries via
Informatica
• AES 256 encryption, malware detection
• Real-time web services, custom VisualForce pages / Apex/SSP SAML assertion
• Clustered high availability deployment with hot disaster recovery
Benefits • Drove 95% adoption rate
• Process over 1.5M loans, 1.6M cases, 8M activity tasks
• Encrypting 2.5K files per hour
• Established single point of contact [SPOC] operating model
QUICK FACTS
• Industry: Banking
• Employees: 200,000+
• Encrypts sensitive consumer
information on-the-fly for over 100K
customers per month
-17-
Consumer Goods
Challenges and Opportunities • Leveraging cloud infrastructure to
streamline partner interactions
• Complying with strict German and international privacy laws
• Government contracts restrict storage of data offshore
Objectives • Creating secure customer service
portal with the Salesforce platform
• Ensuring strong encryption for sensitive and private data
• Complying with government contracts restricting off-shore data residency
Highlights • Initial deployment live in 6 weeks
• AES-256 bit encryption of sensitive data
• Encryption of comments, notes and attachments
• Web-to-case and email-to-case solution
Benefits • Enabled broad adoption of customer
service portal
• Assures compliance with data privacy and residency laws
• Safe Harbor exemption for data breach notifications in many countries
NOTABLE HIGHLIGHTS • 130 year-old company • Leading skin care research center
QUICK FACTS
• Headquarters: Hamburg, Germany
• Industry: Consumer Products
• Products: Major skincare brands 150 affiliates in 6 continents, over 70 countries
Global leader in skin care products
-18-
Strong IT leadership – they seek and embrace opportunities to enable the business and reduce costs.
Strong Security & Privacy leadership – they focus not only on risk identification but practical risk management solutions.
Realistic expectations – they understand and accept that no cloud service provider can guarantee the security of their information or provide indemnification provisions that would cover all potential losses from a data breach.
Reduced reliance on the cloud service provider – they implement controls that minimize or eliminate reliance on the cloud service provider to secure their data.
Characteristics of Organizations that Effectively Use the Cloud
-19-
Q&A
Contact Information: Varun Badhwar
(415) 683-0062
Chris Zoladz
(240) 475-3640
-20-