Data Protection and Governance at the Edge
Today’s Presenters
• Dave Packer, Vice President, Product Marketing, Druva, Inc.
• Diane Hagglund, Principal Analyst, Dimensional Research
Agenda
• What’s Driving Global Data Privacy Awareness
• Survey Results, Assessment & Conclusions
• Considerations for Assessing Privacy-Ready SaaS Vendors
• Summary and Q&A
Trends Pushing Privacy to the Forefront
• PRISM and the Patriot Act
  o Microsoft vs United States
• Evolving Global Privacy Regulations
  o EU, Germany, France, Russia, …
• Sectoral Regulations
  o HIPAA, SOX, FINRA, GLBA, COPPA, …
• BYOD, blurring lines between personal and business data
• Confidence in controls for safeguarding PII & PHI
Breaches Are Elevating Awareness Exponentially
• Almost all major breaches in 2014 were against on-premise systems
• Significant fines & reputation exposure
• Breaching the firewall can mean extensive systems access (Sony)
• Internal challenges are becoming pervasive
  o Malicious outsider: 50%
  o Accidental loss / misplace: 25%
  o Malicious insider: 15%
Goals and Methodology
Research Goal: Understand recent experiences and trends with data privacy in modern IT organizations.
Methodology: An online survey was fielded to IT professionals responsible for corporate data. A total of 214 individuals participated in the survey. Participants represented a wide range of company sizes, industries, regions and responsibility for data.
Definitions:
• Data security - Ensuring data is protected from unauthorized access or interception
• Data privacy - Ensuring that sensitive data isn’t misused, misappropriated or publicly exposed by those who have authorized access to it
Key Findings
Cloud data is growing, but privacy concerns persist
• 88% expect their cloud data volume to increase in 2015
• 87% are concerned about privacy of data in the cloud
Data privacy is important – but don’t depend on employees
• 84% report data privacy importance is increasing in 2015
• 82% have employees who don’t follow data privacy policies
Data privacy is challenging for IT
• 93% report challenges with data privacy
• 91% have data privacy controls, but they are incomplete
• 77% struggle to keep up with regional requirements for data privacy
Participants Represented
Location
• AMER 60%
• APAC 23%
• EMEA 17%
Job Function
• IT executive 23%
• IT team manager 39%
• Individual contributor in IT 19%
• Business stakeholder 10%
• Service provider 9%
Company Size
• Fewer than 100 24%
• 100 – 1,000 38%
• 1,000 – 5,000 17%
• More than 5,000 21%
What type of data is the most sensitive to your business? Choose up to 3 of the following.
Businesses depend on sensitive data
• Regulated customer data (credit cards, health records, etc.) 52%
• Password or authentication credentials 46%
• Personal employee information (SSNs, phone numbers, etc.) 41%
• Intellectual property 37%
• Accounting and financial 33%
• Unregulated customer data (emails, order history, etc.) 22%
• Payroll 19%
• Planning and strategy documents 18%
• We do not have sensitive business data 1%
Does your business have data privacy requirements to meet compliance and governance regulations?
Businesses must protect data privacy to meet regulations
• Yes 81%
• No 19%
How are your company’s efforts on protecting the privacy of sensitive data changing for 2015?
Focus on data privacy escalates in 2015
• Increasing 84%
• No change 15%
• Decreasing 1%
Giving employees data privacy policies isn’t enough
• All employees follow data privacy policies 18%
• Have employees who do not follow data privacy policies 82%
Which employees are MOST likely to ignore data privacy policies? Choose up to 3 of the following.
All types of employees ignore data privacy policies
• Sales 48%
• Marketing 35%
• Owner/Partner 31%
• Operations 29%
• IT 24%
• Finance and accounting 20%
• Manufacturing 17%
• Engineering 16%
• Legal 6%
What level of employee is most likely to ignore data privacy policies?
All types of employees ignore data privacy policies (cont’d)
• Individual contributors or front-line staff 39%
• Executives 33%
• Team managers 14%
• Contractors 14%
How do you expect the volume of data in the cloud to change in 2015?
Significant momentum in cloud data growth
n = have data in the cloud
• Increase 88%
• Stay the same 7%
• Decrease 5%
How concerned are you about the privacy of sensitive business data in the cloud?
IT is concerned about data privacy in the cloud
n = have data in the cloud
• Very concerned 32%
• Concerned 55%
• Not concerned 13%
Which of these challenges to ensuring the privacy of sensitive data does your IT team face?
93% face challenges ensuring data privacy
• Insufficient employee awareness and understanding of data privacy policies 56%
• Lack budget to purchase and implement technology solutions 45%
• No processes in place to train or audit employee behavior 36%
• Lack of executive visibility or priority into the problem 34%
• IT team doesn’t have knowledge of laws and requirements 27%
• Lack of data privacy policies 24%
• Other 5%
• We have no challenges 7%
Do you face any challenges meeting regional requirements for data privacy?
Companies with operations in multiple countries find data privacy regulations challenging
n = have operations in multiple countries
• This is challenging 67%
• This is not challenging 23%
• We don't try to keep up with differences 10%
Wide range of data privacy challenges for companies that operate globally
n = have operations in multiple countries
• Emerging rules and regulations difficult to track and interpret 41%
• Requirements are ambiguous, making it difficult to determine the correct course 29%
• Technology vendors not offering solutions or guidance in addressing regulations 29%
• Legal or compliance team does not communicate requirements to IT 25%
• IT team lacks compliance knowledge to understand requirements 17%
Companies are trying, but data privacy controls are incomplete
• Have data privacy controls 91%
• No data privacy controls 9%
Controls in place:
• We enforce data privacy controls with technology 63%
• We ask employees to sign a data privacy agreement 61%
• We regularly train employees on data privacy 54%
• We conduct ad hoc employee education programs 38%
What technological controls does your organization have in place to limit or audit access to sensitive data by authorized or unauthorized parties?
Even those with technology controls could do more
• Access control 58%
• Log all data access 41%
• Multi-factor authentication 37%
• Encrypt data on laptops 36%
• Encrypt data on tablets and smartphones 21%
• No technological controls for data privacy 37%
About Druva
• Fastest growing data protection and governance company
• Over 3,000 customers
• Protecting 3.0m+ endpoints globally
• Ranked #1 by Gartner two years running
Data Protection 2014
“Druva has been a phenomenal answer to Dell for protecting our data” – Brad Hammack, IT Emerging Technologies
Dramatic Shift in Cloud Adoption
2013: 75% vs 25%
2014: 20% vs 80%
(chart; segment labels not recovered)
Delivering Privacy on a Foundation of Security
• Infrastructure Security & Operations: Where is the infrastructure? How is it controlled and to what extent certified?
• SaaS Operations: What certifications and security controls does the SaaS provider have in place?
• Data Residency: What are the regional, cross-geography data controls?
• Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?
• Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
As a Cloud Provider, Security = Survival
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
Provider-controlled layers (IaaS / PaaS): facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure
Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level
Stack: IaaS Infrastructure (Compute + Storage) → PaaS Distributed Database Services → SaaS Application Services
• Druva Certifications & Audits
  o ISAE-3000
  o TRUSTe certified privacy
  o EU Safe Harbor
  o HIPAA audited (BAA)
• Regular VAPT Testing (White Hat)
• SkyHigh CloudTrust program partner
• Audits renewed annually
Badges: ISAE 3000, TRUSTe, EU Safe Harbor, HIPAA BAA, Skyhigh Enterprise-Ready
AWS Global Footprint
• >1 million active customers across 190 countries
• 900+ government agencies
• 3,400+ educational institutions
• 11 regions, including ITAR-compliant GovCloud and the new region in Germany
• 28 availability zones
• 53 edge locations
Addressing Enterprise Data Protection Requirements: SaaS Provider Security Approach
• SaaS Layer (Application): Authentication Controls (AD, SSO); Configurable Group Policies (Data Access, Sharing, Visibility); Full Admin and End-User Audit Trails
• PaaS Layer (DynamoDB): Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
• IaaS / Storage Layer (EC2, S3, Glacier): S3 Buckets, Data Scrambling via Envelope Encryption, Block-Only Object Storage
Envelope Key Management & Encryption
• Works like a bank safety-deposit box
  o Unique encryption key generated per customer
  o Key itself is encrypted with customer credentials and stored as a token
• The key itself is inaccessible by anyone
  o Only exists during the client session
  o Never leaves the system
  o Removes the need for key management
• Druva cannot access/decrypt customer data with the stored token
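The safety-deposit-box scheme described above, as an added illustration (not Druva's code): a random per-customer data key (DEK) is wrapped under a key-encryption key (KEK) derived from the customer credential, the provider stores only the resulting token, and the DEK is unwrapped only inside a client session. The credential and data are constructed; PBKDF2 and an HMAC-based authenticated stream cipher stand in for whatever KDF and cipher the product actually uses.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # illustrative; the product's real KDF and cipher are not on the page
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32

def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the customer credential; never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only PRF standing in for AES-GCM / AES-KW."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong key is rejected instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong credential or tampered token")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def enroll_customer(password: str):
    """Generate the per-customer DEK; the provider keeps only the token (salt || wrapped DEK)."""
    dek, salt = os.urandom(32), os.urandom(SALT_LEN)
    return salt + seal(derive_kek(password, salt), dek), dek

def open_session(password: str, token: bytes) -> bytes:
    """Client session: unwrap the DEK with the credential-derived KEK, in memory only."""
    return open_sealed(derive_kek(password, token[:SALT_LEN]), token[SALT_LEN:])

def demo() -> bool:
    """Round trip, plus the slide's claim: the stored token alone does not unlock the data."""
    token, dek = enroll_customer("correct horse battery staple")  # constructed credential
    backup = seal(dek, b"quarterly payroll export")  # constructed data block, encrypted under DEK
    del dek  # after the session the provider holds only token and backup, neither usable alone
    restored = open_sealed(open_session("correct horse battery staple", token), backup)
    try:
        open_session("guess-without-the-credential", token)
        return False
    except ValueError:
        return restored == b"quarterly payroll export"
```

The same property is the scheme's operational trade-off: a lost credential leaves the token unrecoverable, so recovery planning sits with the customer rather than the provider.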
Internal Privacy Controls
• End-user privacy controls either by policy or opt-out feature (no admin data visibility)
• Containerization on mobile devices, extendable via MDM (MobileIron)
• Exclusionary settings for backup and collection process
• Full data auditing for compliance response for PHI & PII
• Admin visibility to audit trails restricted via policy
Employee Privacy: privacy controls, data segregation, corporate visibility
Corporate Privacy (Material Data): officer data shielding, compliance auditing, tracking + monitoring
Scenario-based Privacy
• Delegated roles for compliance and legal counsel
• Full data and audit trail access for compliance, investigation and litigation requirements
Scenario / Exceptions: compliance audits, investigations, eDiscovery collection
Addressing Key Privacy Use Cases
• Regional: data residency, local administration, data storage privacy
• Employee: privacy controls, data segregation, restricted visibility
• Corporate: officer data shielding, compliance auditing, tracking + monitoring
• Scenario: compliance audits, investigations, eDiscovery collection
Key Takeaways
• Check the certifications and how they apply to the overall stack: just because the IaaS/PaaS is certified does not mean the SaaS layer is.
• For data residency, ensure your cloud data isn’t moving to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.
• Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.
• Data privacy laws are still emerging and tend to be ambiguous; the best place to get the answers you need to stay compliant is your legal team. Don’t guess.
Next Steps: Experience the Druva Advantage
Try Druva for yourself at druva.com/trial
druva.com | [email protected]