Security & Privacy of Cloud Data What You Need to Know
Dave Packer, Vice President Product Marketing April, 2015
2 Data Protection and Governance at the Edge
About Druva
Company
• Fastest growing data protection and governance company
• Over 3,000 customers
• Protecting 3.0m+ endpoints globally
• Ranked #1 by Gartner two years running (Data Protection 2014)
“Druva has been a phenomenal answer to Dell for protecting our data”
Brad Hammack, IT Emerging Technologies
Dramatic Shift in Cloud Adoption
2013: 75% / 25%
2014: 20% / 80%
The Global Hurdles of Cloud Adoption
• PRISM
• Sectoral Regulations
  o HIPAA, FINRA, GLBA, COPPA, …
• Evolving Global Privacy Regulations
  o EU, Germany, France, Russia, …
• Microsoft vs. United States
• Dropbox Transparency Report
http://dlapiperdataprotection.com/
But there’s the flip-side of the coin
• Almost all major breaches in 2014 were against on-premise systems
• Breaching the firewall can mean all systems become vulnerable (Sony)
• Breach attributions
  o Malicious outsider: 50%
  o Accidental loss / misplace: 25%
  o Malicious Insider: 15%
Other People’s Data the Top Concern
What type of data is the most sensitive to your business?
• We do not have sensitive business data: 1%
• Planning and strategy documents: 18%
• Payroll: 19%
• Unregulated customer data (emails, order history, etc.): 22%
• Accounting and financial: 33%
• Intellectual property: 37%
• Personal employee information (SSNs, phone numbers, etc.): 41%
• Password or authentication credentials: 46%
• Regulated customer data (credit cards, health records, etc.): 52%
In your opinion, which environment has better data security / privacy controls?
Cloud Security + Privacy Opinion is Changing
On premises 65%
Cloud 35%
http://techcrunch.com/2015/04/04/the-cloud-could-be-your-best-security-bet/?ncid=txtlnkusaolp00000629#.z48jaw:4RNJ
• The difference between 1 security team and 1000’s of security teams
• Data durability / resiliency and replication
• Expanding regional coverage
• However, you do need to scrutinize your cloud provider stack
Common Cloud Security/Privacy Concerns
• Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified?
• Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?
• Data Residency: What are the regional, cross-geography data controls?
• Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
• SaaS Security: What certifications and security controls does the SaaS provider have in place?
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
As a Cloud Provider, Security = Survival
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
Facilities Physical security
Physical infrastructure Network infrastructure
Virtualization infrastructure
IaaS PaaS
Continuous Network Monitoring and Response
• Protects customer data from network attacks:
  o Intercepting in-transit data
  o System breaches
  o Blocking/disrupting services
Distributed Denial Of Service (DDoS) Attack
Man In the Middle (MITM) Attack
Port Scanning
Packet sniffing by other tenant
IP Spoofing
Firewall security groups
Vulnerability testing
AWS Global Footprint
• >1 million active customers across 190 countries
• 900+ government agencies • 3,400+ educational institutions
• 11 regions, including ITAR-compliant GovCloud and the new region in Germany
• 28 availability zones • 53 edge locations
SaaS Provider Needs to Build the Proper Controls
• ✔ Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified?
• Data Security: How is the data encrypted in transit and stored at-rest?
• Data Residency: What are the regional, cross-geography data controls?
• Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
• SaaS Security: What certifications and security controls does the SaaS provider have in place?
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
• Druva Certifications & Audits
  o ISAE-3000
  o TRUSTe certified privacy
  o EU Safe Harbor
  o HIPAA Audited
• Regular VAPT Testing (White Hat)
• SkyHigh CloudTrust program partner
• Audits renewed annually
ISAE 3000 TRUSTe EU Safe Harbor
HIPAA BAA Skyhigh
Enterprise-Ready
Addressing Enterprise Data Protection Requirements
Understand How Your Data is Stored
• PaaS Layer (DynamoDB): Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
• IaaS / Storage Layer (EC2, S3, Glacier): S3 Buckets, Data Scrambling via Envelope Encryption, Blocks-Only into Object Storage
Diagram labels: Data, Metadata, SSL, 256 AES
Encryption Key Models Vary Extensively
Management Method / Strength / Weakness

Keys Stored with Data
• Strength: Simple
• Weakness: Provider access; system wide breach potential; consumer designed

Keys Stored in Escrow
• Strength: No provider direct access
• Weakness: Still accessible w/ subpoena, warrant, court order; key rotation, management may be needed

Key Server (Keys Stored On-premise)
• Strength: Secure, no provider access
• Weakness: On-premise hardware, must be managed; introduces system-wide failure point

Envelope (Key encrypted in cloud)
• Strength: Secure, inaccessible by vendor; no key management; session based key
• Weakness: No access = provider can’t reset client key
Envelope Key Management & Encryption
• Works like a bank safety-deposit box
  o Unique encryption key generated per customer
  o Key itself is encrypted with customer credentials and stored as a token
• The key itself is inaccessible by anyone
  o Only exists during the client session
  o Never leaves the system
  o Removes the need for key management
• Druva cannot access/decrypt customer data with stored token
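The envelope model on this slide, together with the "provider can't reset client key" weakness from the key-model comparison, as an added Node.js example that is not Druva's code. It assumes scrypt for deriving the wrapping key and AES-256-GCM for wrapping; all function names and sample values are hypothetical.

```javascript
const crypto = require('crypto');

// AES-256-GCM helpers, used for both data blocks and the wrapped key.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on wrong key or tampering
}

// Key-encryption key derived from the customer's credential (scrypt is an assumption).
const deriveKek = (password, salt) => crypto.scryptSync(password, salt, 32);

// Enrolment: random per-customer data key; the provider stores only this wrapped token.
function enrollCustomer(password) {
  const salt = crypto.randomBytes(16);
  return { salt, wrapped: seal(deriveKek(password, salt), crypto.randomBytes(32)) };
}

// Session start: the data key exists in memory only once the credential unwraps it.
function openSession(token, password) {
  return unseal(deriveKek(password, token.salt), token.wrapped);
}

// Credential change re-wraps the same data key; stored blocks are not re-encrypted.
function changePassword(token, oldPassword, newPassword) {
  const dataKey = openSession(token, oldPassword);
  const salt = crypto.randomBytes(16);
  return { salt, wrapped: seal(deriveKek(newPassword, salt), dataKey) };
}

// True only if the supplied credential unwraps the token.
function unwrapsWith(token, password) {
  try { openSession(token, password); return true; } catch (e) { return false; }
}

// Constructed sample values: encrypt a block, rotate the credential, read it back.
function demo() {
  const token = enrollCustomer('correct horse battery staple');
  const block = seal(openSession(token, 'correct horse battery staple'), Buffer.from('backup block 1'));
  const rotated = changePassword(token, 'correct horse battery staple', 'new passphrase');
  return {
    readAfterRotation: unseal(openSession(rotated, 'new passphrase'), block).toString(),
    oldPasswordStillWorks: unwrapsWith(rotated, 'correct horse battery staple'),
    wrongGuessWorks: unwrapsWith(token, 'wrong guess'),
  };
}
```

Because `changePassword` needs the old credential to unwrap the key, a forgotten credential leaves the token, and every block encrypted under its key, unrecoverable by the provider.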
Addressing Enterprise Data Protection Requirements
SaaS Provider Security Approach
• SaaS Layer (Application): Authentication Controls (AD, SSO); Configurable Group Policies (Data Access, Sharing, Visibility); Full Admin and End-User Audit Trails
• PaaS Layer (DynamoDB): Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
• IaaS / Storage Layer (EC2, S3, Glacier): S3 Buckets, Data Scrambling via Envelope Encryption, Block-Only Object Storage
Addressing Regional Data Regulations
• 11 admin-selectable data storage regions, data stays within the region
• Administrator segregation and delegation with pre-defined granular access rights
• No ability for vendor to access key or stored data
Corporate Privacy Regional Management • Data residency • Local administration • Data Storage Privacy
Walls for Corporate Data Privacy
• Policy group settings for classes via AD (Officers, Legal, …) restrict data visibility
• Full data auditing for compliance response for PHI & PII
• Proactive monitoring based on data classifications
Corporate Privacy Material Data
• Officer data shielding • Compliance auditing • Tracking + monitoring
Protecting Employee Privacy
• End-user privacy controls either by policy or opt-out feature (no admin data visibility)
• Containerization on mobile devices, extendable via MDM (MobileIron)
• Exclusionary settings for backup and collection process
• Admin visibility to audit trails restricted via policy
Employee Privacy
• Privacy controls • Data segregation • Corporate visibility
Scenario-based Privacy
• Delegated roles for compliance and legal counsel
• Full data and audit trail access for compliance, investigation and litigation requirements
Scenario / Exceptions
• Compliance audits • Investigations • eDiscovery collection
Key Takeaways
• Be sure to check the certifications and how they apply to the overall stack: just because the IaaS/PaaS is certified doesn’t mean the SaaS layer is.
• For data residency, ensure your cloud data isn’t moving around to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.
• Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.
• Data privacy laws are still emerging and tend to be ambiguous; the best place to get the answers to stay compliant is working with your legal team. Don’t guess.