Taking a Data-Centric Approach to Security in the Cloud - FST · 2015-03-10


Page 1

© 2014 CipherCloud | All rights reserved

Taking a Data-Centric Approach to Security in the Cloud

Bob West, Chief Trust Officer, CipherCloud

Page 2

Taking a Data-Centric Approach to Cloud Data Protection

Bob West, Chief Trust Officer

Page 3

Evolving Networking & Security Models

1970s: Mainframe
  Computing model: Centralized
  Connectivity: Limited
  Data storage: Centralized
  Security model: Perimeter

1990s: Client Server
  Computing model: Distributed, internal
  Connectivity: Internal only
  Data storage: Within enterprise
  Security model: Perimeter, endpoint

2000s: Internet
  Computing model: Enterprise-centric
  Connectivity: Global messaging
  Data storage: Enterprise silos
  Security model: Perimeter, endpoint, tunneling, identity

2010s: Cloud Era
  Computing model: Public, private cloud
  Connectivity: Application level
  Data storage: Hybrid
  Security model: Data-centric for any location

Page 4

Today’s Reality – Data is Flowing Everywhere

Diagram: data flows across the Enterprise Boundary between Internal Users, External Users and business systems (Databases, ERP, Collaboration, Email, HR, File Sharing, CRM).

Page 5

Changing Nature of IT with De-Perimeterization

• Protecting infrastructure is not enough
  – Business critical systems now outside the network

• Key applications are outside your control
  – Reliance on cloud providers to secure systems

• Cloud customers ask the wrong questions
  – Focus on transferring old legacy security models

• Need to change to a data-centric model
  – Cloud providers don’t accept liability for your data
  – You own the data – you need to secure it

• Security needs to travel with your data
  – You need to control access regardless of location

Page 6

Where Cloud Data Resides and What Laws Might Apply

Canada: PIPEDA, FOIPPA, PIPA
US States: Breach notification in 47 states
USA Federal: CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act
Mexico: Personal Data Protection Law
Colombia: Data Privacy Law 1266
Brazil: Article 5 of Constitution
Chile: Law for the Protection of Private Life
Argentina: Personal Data Protection Law, Information Confidentiality Law
United Kingdom: ICO Privacy and Electronic Communications Regulations
European Union: EU Data Protection Directive, State Data Protection Laws
Europe: Privacy laws in 28 countries
Morocco: Data Protection Act
South Africa: Electronic Communications and Transactions Act
India: Pending laws under discussion
Thailand: Official Information Act B.E. 2540
Singapore: Personal & Financial Data Protection Acts
Philippines: Proposed Data Privacy Law
Hong Kong: Personal Data Privacy Ordinance
Taiwan: Computer-Processed Personal Data Protection
South Korea: Network Utilization and Data Protection Act
Japan: Personal Information Protection Act
Australia: National Privacy Principles, State Privacy Bills, Email Spam and Privacy Bills
New Zealand: Privacy Act

Page 7

Common Regulatory Themes

• Mandates to protect personally identifiable information (PII)
  – Penalties include steep fines and personal liability for executives

• Breach notification is a ‘big stick’
  – Risks of public breach disclosure can be hugely damaging (example: Target)

• Data ‘owners’ are responsible, regardless of where data goes
  – Cloud providers may share some limited responsibility, but that does not get data owners off the hook

• Regulations don’t typically tell you what technology to use
  – Legislation rarely can keep up with technological changes

• Best practices evolve, changing the definition of ‘reasonable’
  – As solutions become widely adopted, not adopting them becomes risky

Page 8

Seeking a “Safe Harbor”

Table columns: Regulation, Region, Breach Notification, Safe Harbor Exemptions, Recommendations on Encryption.

PCI DSS: Encryption a “critical component”

GLBA: Safe harbor “if encryption has been applied adequately”

HIPAA, HITECH: Safe harbor “if encryption has been applied adequately”

EU Directives: Breach notification proposed; safe harbor exemption proposed; new regulation proposes a safe harbor exemption if data was adequately encrypted.

ICO Privacy Amendment: Notification not required if there are “measures in place which render the data unintelligible.”

Privacy Amendment: Breach notification not specified; safe harbor not specified, but you should “take adequate measures to prevent the unlawful disclosure”.

US State Privacy Laws: Breach notification generally yes. Typical breach definitions: Personal Information: “data that is not encrypted”; Breach: “access to unencrypted data”.

Page 9

World’s Leading Enterprises Trust CipherCloud

• Top 3 US Bank’s Consumer Self-Service Loan Origination Portal
• UK Education Organization Deploys Global Cloud-Based Portal
• Non-Technology Leader Trusts Sensitive Data in Cloud Email
• German Cosmetics Giant Meets International Security Regulations
• Major European Telco Consolidates Call Centers for 25 Countries
• Largest Hospital Chain Meets HIPAA & HITECH in the Cloud
• Top Canadian Bank Safeguards Proprietary Information in the Cloud
• Major Wall Street Firm Adopts Cloud Applications with Confidence
• Global Leader in Customer Loyalty Moves Email to the Cloud
• Genomics Testing Leader Protects Patient Data while Using the Cloud
• New Zealand Bank Collaborates in the Cloud and Meets Compliance
• Medical Audit Leader Launches Cloud-Based Customer Portal
• Large Pharmaceutical Company Uses Encrypted Email
• Credit Reporting Giant Deploys Cloud Collaboration with DLP Controls
• Government-Owned Mortgage Backer Protects PII Data in the Cloud

Page 10

CipherCloud Complete Platform

Data Loss Prevention
  • Protecting sensitive data from leaks
  • Extending corporate DLP to the cloud

Data Protection
  • Preventing unauthorized access to data
  • Maintaining application functionality

Activity Monitoring
  • Monitoring user and data activity
  • Detecting anomalies in user behavior

Page 11

Protect Your Sensitive Data in the Cloud

Groundbreaking security controls: protect sensitive information in real time, before it is sent to the cloud, while preserving application usability.

• Searchable Strong Encryption
• Key Management
• Tokenization
• Malware Detection
• Data Loss Prevention

Page 12

Where Should You Protect Your Data?

• Data in Transit
• Data at Rest
• Data in Use

Vulnerabilities (* = Top Threats):
• Account hijacking*
• Forced disclosure
• Data breaches*
• Malicious insiders*
• Insecure APIs*
• Shared technology*

Page 13

Key Questions for Cloud Data Protection

• What data do you need to protect?
• Who should or shouldn’t access it?
• What functionality needs to be preserved?
• Are there additional technical requirements?
• Where should sensitive data reside?

Page 14

One Size Does Not Fit All

High-performance encryption and tokenization at the enterprise gateway:
• Searchable encryption
• Tokenization
• Format preserving
• Partial encryption

Transparent to users; preserves database functionality. The range of protection options preserves data structure, format and searching.

Page 15

Tokenization

Diagram: an Internal User on the Internal Network (Enterprise Control) submits a Credit Card number; the gateway replaces it with a Token kept in a Token database, and only the Token is sent to the Cloud Application. Gauges shown: Functionality, Security, Overhead.

Page 16

Conventional Encryption

Diagram: an Internal User on the Internal Network (Enterprise Control) holds the Encryption Keys; the field value “Confidential” reaches the Cloud Application only as ciphertext (rendered on the slide as unreadable glyphs). Gauges shown: Functionality, Security, Overhead.

Page 17

Format Preserving Encryption

Gauges shown: Functionality, Security, Overhead.

Credit Card Number
  Standard AES Encryption: output is an arbitrary string of bytes (rendered on the slide as unreadable characters)
  Format Preserving Encryption: 4811 8522 1744 2231 (maintains the 16-digit numeric format)

Page 18

Partial Encryption Techniques

Diagram: an Authorized User on the Internal Network (Enterprise Control) holds the Encryption Keys; a Search query for “John Smith” is matched against the Customers object in the Cloud Application, where the stored values appear only as ciphertext (rendered on the slide as unreadable glyphs). Gauges shown: Overhead, Functionality (varies), Security (varies).

Page 19

Data is encrypted on a field-by-field basis, based on your security policies:
• Credit card numbers fully encrypted with AES 256
• Fields can be partially encrypted

Screenshot: the same record (“United Oil & Gas”) as seen by an Authorized User and by an Unauthorized User.
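The tokenization gateway of slide 15, the format-preserving output of slide 17 and the field-by-field policy of slide 19, worked through in one added Python example that is not CipherCloud's code: a gateway under enterprise control swaps sensitive fields for random vault tokens of the same shape, keeps the last four card digits readable, and restores originals only for authorized internal users. The field names, policy format and sample record are constructed for the example; random vault tokens stand in for the slides' AES 256 and searchable encryption, which are not reproduced here.

```python
import secrets

# Constructed per-field policy in the spirit of slide 19 ("field-by-field, based on your
# security policies"): "tokenize" swaps the value for a vault token, keep_last leaves that
# many trailing characters readable (partial protection), "clear" sends the field as-is.
POLICY = {  # field names are assumptions made for this example
    "card_number": {"mode": "tokenize", "keep_last": 4},
    "name":        {"mode": "tokenize", "keep_last": 0},
    "city":        {"mode": "clear",    "keep_last": 0},
}
FAIL_CLOSED = {"mode": "tokenize", "keep_last": 0}  # fields not in POLICY: tokenize in full
UPPER, LOWER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"


def rule(field):
    return POLICY.get(field, FAIL_CLOSED)


class TokenGateway:
    """Gateway under enterprise control (slide 15): the token database stays inside the
    network and the cloud application only ever receives tokens."""
    def __init__(self):
        self.vault = {}     # token -> original value, never leaves the enterprise
        self.by_value = {}  # original value -> token, so equal values stay matchable

    def _format_preserving_token(self, value, keep_last):
        # Same shape as the input (slide 17): digits -> random digits, letters -> random
        # letters of the same case, other characters kept, final keep_last chars copied.
        cut = len(value) - keep_last if len(value) > keep_last else len(value)
        head = "".join(str(secrets.randbelow(10)) if ch.isdigit()
                       else secrets.choice(UPPER if ch.isupper() else LOWER) if ch.isalpha()
                       else ch for ch in value[:cut])
        return head + value[cut:]

    def tokenize(self, value, keep_last):
        if value in self.by_value:  # one token per distinct value
            return self.by_value[value]
        for _ in range(32):         # retry on the rare collision
            token = self._format_preserving_token(value, keep_last)
            if token != value and token not in self.vault:
                self.vault[token], self.by_value[value] = value, token
                return token
        raise ValueError("cannot build a distinct format-preserving token")

    def outbound(self, record):
        """Record leaving for the cloud application: tokenize according to POLICY."""
        return {k: self.tokenize(v, rule(k)["keep_last"])
                if rule(k)["mode"] == "tokenize" else v for k, v in record.items()}

    def inbound(self, record):
        """Record returned to an authorized user: restore only tokenized fields."""
        return {k: self.vault.get(v, v) if rule(k)["mode"] == "tokenize" else v
                for k, v in record.items()}
```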

Page 20

Searchable Strong Encryption (SSE)

Diagram: an Authorized User on the Internal Network (Enterprise Control) holds the Encryption Keys; a Search query for “John Smith” is matched against the Customers object in the Cloud Application, where the stored values appear only as ciphertext (rendered on the slide as unreadable glyphs). Gauges shown: Overhead, Functionality (varies), Security (varies).

Page 21

About CipherCloud

Solutions
  • Cloud Discovery
  • Cloud DLP
  • Strong Encryption
  • Tokenization
  • Activity Monitoring
  • Anomaly Detection

Company
  • 450+ Employees
  • 3.8+ Million Active Users
  • 13 Industries
  • 25 Countries
  • 7 Languages
  • 13 Patents

Customers
  • 5 out of 10 Top US Banks
  • 3 out of 5 Top Health Providers
  • Top 2 Global Telecom Company
  • 40% of Global Mail Delivery
  • Largest US Media Company
  • 3 out of 5 Top Pharmaceuticals

Page 22

Thank You

For additional information:
• Website: www.ciphercloud.com
• Twitter: @ciphercloud
• Email: [email protected]
• LinkedIn: www.linkedin.com/company/ciphercloud
• Phone: +1 855-5CIPHER

Bob West, Chief Trust Officer
[email protected]