A Secure Future in the Cloud Data Governance & Protection Gerry Grealish Blue Coat Systems, Inc.


A Secure Future in the Cloud

Data Governance & Protection

Gerry Grealish, Blue Coat Systems, Inc.


Top Inhibitors to Considering Public Cloud Are Similar Across Industries

Source: Gartner, 2015 Survey Analysis: Cloud Adoption Across Vertical Industries Exhibits More Similarities Than Differences


Agenda

• Compliance & Governance Meets the Cloud

• The “Big 5” @ Cloud Control Requirements
  – Examples
  – Tips & Recommendations

• Recap


What Sort of Cloud Use Are We Talking About?

• Sanctioned Clouds

• My enterprise is dealing with sensitive and/or regulated data

• Internal governance or external compliance obligations


Cloud Compliance “Buckets”

DATA GOVERNANCE IN THE CLOUD GENERATION

• SECTOR-BASED: Industry-specific data protection requirements in regulated industries

• INTERNAL/COMPANY SPECIFIC: Many enterprises have policies that require sensitive data to have restricted access

• RESIDENCY REGS: Legal requirements governing cross-border data flows


Cloud Compliance Headaches (Sample)

• Global Data Protection Reg

• Russian Data Localization Law

• Peoples Bank of China Regs

• Monetary Authority of Singapore

• India Telecom Regs

• Middle Eastern Banking Regs

• Australian Prudential Regulatory Authority

• National Privacy Principles

• Nova Scotia Data Residency

• Gramm Leach Bliley Law

• Health Information Portability Act

• International Traffic in Arms Regs

• Argentinian Banking Laws

• Brazilian Banking Laws


What Needs to Be Done?

• “Control” the use of these sanctioned clouds

• Five control scenarios

1. Level Set – is Cloud aligned with my policies?

2. Don’t allow certain data into cloud

3. Allow data, but restrict access

4. Allow data, encrypt/tokenize & restrict access

5. Monitoring & logging requirements


1. CSPs Align With Compliance Requirements

Examples:

• Use only CSPs that have their primary datacenters in my home country

• Use only CSPs that are SOC2 compliant

• Use only CSPs that have:
  – Federated Identity Management
  – Multi-factor Authentication
  – IP-Based Access Control


TIP: Get to Know Your Sanctioned Clouds

Business Readiness Rating™ 38

• Admin Audit Trail

• Multi-factor Authentication

• SOC2 Compliant

• Federated Identity Management

• Data at Rest Encryption

• HIPAA Compliant

• REST API Support


2. Block Certain Data From Cloud Apps

Examples:

• Healthcare provider that needs to ensure that no HIPAA-regulated data is stored in public cloud environments

• Retailer with policy that no credit card data is placed in cloud environments

• Law enforcement agency that needs to block CJIS-regulated information from going to public clouds


The moment Linda realizes sensitive records are being shared publicly


Accidental Over-sharing is Easy

Alice shares a file with Bob

Bob shares that file with others

Or shares via other apps

Miscellaneous errors and insider/privilege misuse were the #1 and #2 most common reasons for a security incident in 2015.

Source: Verizon Data Breach Investigations Report, 2016


Causes of Accidental Exposure

Public Shares

Loose Shares

Inherited Files and Folders Permissions

Forgotten Shares

Oversharing

Inadvertent Sharing

Legacy Sharing


Plenty of Sensitive Data at Risk

[Infographic: files per user are broadly shared (average); 10% of these files contain confidential data. Chart values: 48%, 33%, 14%, 5%, 26%.]


TIP: Automate Control of Shadow Data

• Create & enforce control policies based on wide range of criteria

• Automatically classify, detect and remediate cloud content via semantic analysis


3. All Data Allowed, But Selectively Restrict Access

Example:

• Only employees with appropriate credentials should have access to specific data elements within application
  – PII, PHI, PCI DSS, etc.
  – Granular Controls at the app or individual level:
    • Role based
    • Location based
    • Device based
    • Activity based


TIP: Get Precise Control

Build access policies based on:

• USERS

• DEVICE

• LOCATION

• FILE PROPERTIES

• ACTIVITY

• CONTENT

Cloud Controls


4. Additional Cloud Data Protection Required

Examples:

• Medical collaboration portal in the cloud
  – PHI shared between patients, physicians, and medical device manufacturer

• Customer support cloud application for products with sector-based compliance requirements (ITAR)

• Consumer lending banking application
  – Bank has internal policy that GLBA data needs to be encrypted

• Data sovereignty
  – Bank operating in Germany and Switzerland that needs to keep customer banking data within specified countries


Patient Data in the Cloud

Medical Data Elements

• 18-20 fields of Personal Health Information (PHI)

• All scanned forms and images

• Breach Notification relief if strong encryption in place


Data Residency @ Canada

Updated guidance on the storage of information outside of Canada by public bodies

Information & Privacy Commissioner for British Columbia - 2014


GDPR & Data Security

• Expressly states that Data Protection Officers must consider measures including the “pseudonymisation & encryption of personal data”

• In fact, strongly encrypted data is considered not to be personal data



User Experience

Authorized Users

Cloud Data Protection Platform(s)

What is the Benefit?

Non-authorized Users

Direct Connection to Salesforce.com

Info Stored & Processed in the Cloud


TIP: Secure Sensitive Data While it is in Your Control

IN TRANSIT · AT REST · IN USE

[Figure: data values shown as TOKEN strings]


5. Monitor, Audit & Log Interactions

Examples:

• Medical device provider using cloud-based application for customer support
  – HIPAA requires the existence of a reliable audit trail to protect the personal data of medical patients, which must be able to provide “sufficient information to establish what events occurred, when they occurred, and who (or what) caused them.”

• Bank considering using Box for collaboration and document sharing
  – Sarbanes Oxley: Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information


5. Monitor, Audit & Log Interactions

Examples:

• Bank moving to a cloud-based accounting system
  – GLBA mandates banks monitor activity captured by network device event logs and that they are reviewed on a regular and timely basis

• DMV using a cloud-based system to manage vehicle registrations, etc., retains credit card details for payments
  – PCI DSS: “Requirement 10: Track and monitor all access to network resources and cardholder data”. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong


TIP: Continuous Monitoring

Stay up-to-date & compliant with dashboards, alerts, & detailed logs


Closing Thoughts

• Understand the unique compliance/governance issues associated with placing sensitive data in cloud apps
  – Partner closely with IT Risk & Compliance and Data Governance peers

• Different hammers for different nails

• “Cloud First” enterprises will encounter all of the Big 5; it’s a matter of time



Questions/Comments?

Gerry [email protected]

https://www.linkedin.com/in/gerrygrealish