The State of Data Privacy: Why It’s Becoming More Urgent for IT May 7th, 2015

The state of data privacy with dimensional research



2 Data Protection and Governance at the Edge

Today’s Presenters

Dave Packer, Vice President, Product Marketing, Druva, Inc.

Diane Hagglund, Principal Analyst, Dimensional Research


Agenda

•  What’s Driving Global Data Privacy Awareness

•  Survey Results, Assessment & Conclusions

•  Considerations for Assessing Privacy-Ready SaaS Vendors

•  Summary and Q&A


Trends Pushing Privacy to the Forefront

•  PRISM and the Patriot Act

o  Microsoft vs United States

•  Evolving Global Privacy Regulations

o  EU, Germany, France, Russia, …

•  Sectoral Regulations

o  HIPAA, SOX, FINRA, GLBA, COPPA, …

•  BYOD, blurring lines between personal and business data

•  Confidence in controls for safeguarding PII & PHI


Breaches Are Elevating Awareness Exponentially

•  Almost all major breaches in 2014 were against on-premise systems

•  Significant fines & reputation exposure

•  Breaching the firewall can mean extensive systems access (Sony)

•  Internal challenges are becoming pervasive

o  Malicious outsider: 50%

o  Accidental loss / misplace: 25%

o  Malicious insider: 15%


2015: The Top Security Challenges

Source: 451 Group – Wave 8 Report 2015 (preliminary note)

Sponsored by:

The State of Data Privacy in 2015: A Survey of IT Professionals


Goals and Methodology

Research Goal: Understand recent experiences and trends with data privacy in modern IT organizations.

Methodology: An online survey was fielded to IT professionals responsible for corporate data. A total of 214 individuals participated in the survey. Participants represented a wide range of company sizes, industries, regions and responsibility for data.

Definitions:

•  Data security - Ensuring data is protected from unauthorized access or interception

•  Data privacy - Ensuring that sensitive data isn’t misused, misappropriated or publicly exposed by those who have authorized access to it


Key Findings

Cloud data is growing, but privacy concerns persist

•  88% expect their cloud data volume to increase in 2015

•  87% are concerned about privacy of data in the cloud

Data privacy is important – but don’t depend on employees

•  84% report data privacy importance is increasing in 2015

•  82% have employees who don’t follow data privacy policies

Data privacy is challenging for IT

•  93% report challenges with data privacy

•  91% have data privacy controls, but they are incomplete

•  77% struggle to keep up with regional requirements for data privacy


Participants Represented

Location

•  AMER: 60%

•  APAC: 23%

•  EMEA: 17%

Job Function

•  IT executive: 23%

•  IT team manager: 39%

•  Individual contributor in IT: 19%

•  Business stakeholder: 10%

•  Service provider: 9%

Company Size

•  Fewer than 100: 24%

•  100 – 1,000: 38%

•  1,000 – 5,000: 17%

•  More than 5,000: 21%

DETAILED FINDINGS


What type of data is the most sensitive to your business? Choose up to 3 of the following.

Businesses depend on sensitive data

•  Regulated customer data (credit cards, health records, etc.): 52%

•  Password or authentication credentials: 46%

•  Personal employee information (SSNs, phone numbers, etc.): 41%

•  Intellectual property: 37%

•  Accounting and financial: 33%

•  Unregulated customer data (emails, order history, etc.): 22%

•  Payroll: 19%

•  Planning and strategy documents: 18%

•  We do not have sensitive business data: 1%


Does your business have data privacy requirements to meet compliance and governance regulations?

Businesses must protect data privacy to meet regulations

•  Yes: 81%

•  No: 19%


How are your company’s efforts on protecting the privacy of sensitive data changing for 2015?

Focus on data privacy escalates in 2015

•  Increasing: 84%

•  No change: 15%

•  Decreasing: 1%


Giving employees data privacy policies isn’t enough

•  All employees follow data privacy policies: 18%

•  Have employees who do not follow data privacy policies: 82%


Which employees are MOST likely to ignore data privacy policies? Choose up to 3 of the following.

All types of employees ignore data privacy policies

•  Sales: 48%

•  Marketing: 35%

•  Owner/Partner: 31%

•  Operations: 29%

•  IT: 24%

•  Finance and accounting: 20%

•  Manufacturing: 17%

•  Engineering: 16%

•  Legal: 6%


What level of employee is most likely to ignore data privacy policies?

All types of employees ignore data privacy policies (con’t)

•  Individual contributors or front-line staff: 39%

•  Executives: 33%

•  Team managers: 14%

•  Contractors: 14%


How do you expect the volume of data in the cloud to change in 2015?

Significant momentum in cloud data growth

n = have data in the cloud

•  Increase: 88%

•  Stay the same: 7%

•  Decrease: 5%


How concerned are you about the privacy of sensitive business data in the cloud?

IT is concerned about data privacy in the cloud

n = have data in the cloud

•  Very concerned: 32%

•  Concerned: 55%

•  Not concerned: 13%


Which of these challenges in ensuring privacy of sensitive data does your IT team face?

93% face challenges ensuring data privacy

•  Insufficient employee awareness and understanding of data privacy policies: 56%

•  Lack budget to purchase and implement technology solutions: 45%

•  No processes in place to train or audit employee behavior: 36%

•  Lack of executive visibility or priority into the problem: 34%

•  IT team doesn’t have knowledge of laws and requirements: 27%

•  Lack of data privacy policies: 24%

•  Other: 5%

•  We have no challenges: 7%


Do you face any challenges meeting regional requirements for data privacy?

Companies with operations in multiple countries find data privacy regulations challenging

n = have operations in multiple countries

•  This is challenging: 67%

•  This is not challenging: 23%

•  We don't try to keep up with differences: 10%


Wide range of data privacy challenges for companies that operate globally

n = have operations in multiple countries

•  Emerging rules and regulations difficult to track and interpret: 41%

•  Requirements are ambiguous, making it difficult to determine the correct course: 29%

•  Technology vendors not offering solutions or guidance in addressing regulations: 29%

•  Legal or compliance team does not communicate requirements to IT: 25%

•  IT team lacks compliance knowledge to understand requirements: 17%


Companies are trying, but data privacy controls are incomplete

•  Have data privacy controls: 91%

•  No data privacy controls: 9%

Controls in place:

•  We enforce data privacy controls with technology: 63%

•  We ask employees to sign a data privacy agreement: 61%

•  We regularly train employees on data privacy: 54%

•  We conduct ad hoc employee education programs: 38%


What technological controls does your organization have in place to limit or audit access to sensitive data by authorized or unauthorized parties?

Even those with technology controls could do more

•  Access control: 58%

•  Log all data access: 41%

•  Multi-factor authentication: 37%

•  Encrypt data on laptops: 36%

•  Encrypt data on tablets and smartphones: 21%

•  No technological controls for data privacy: 37%


What You Need to Know About SaaS and Data Privacy


About Druva

•  Fastest growing data protection and governance company

•  Over 3,000 customers

•  Protecting 3.0m+ endpoints globally

•  Ranked #1 by Gartner two years running

Data Protection 2014

“Druva has been a phenomenal answer to Dell for protecting our data” (Brad Hammack, IT Emerging Technologies)


inSync Efficient Cloud-based Endpoint Data Protection


Dramatic Shift in Cloud Adoption

2013

75%  25%  

2014

20%  80%  


Common Privacy Inquiries / Use Cases

•  Regional

•  Employee

•  Corporate

•  Scenario


Delivering Privacy on a Foundation of Security

•  Infrastructure Security & Operations: Where is the infrastructure? How is it controlled and to what extent certified?

•  SaaS Operations: What certifications and security controls does the SaaS provider have in place?

•  Data Residency: What are the regional, cross-geography data controls?

•  Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?

•  Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?

Stack layers: IaaS Infrastructure (Compute + Storage); PaaS Distributed Database Services; SaaS Application Services


As a Cloud Provider, Security = Survival

IaaS / PaaS provider certifications:

•  SOC 1, SOC 2 & SOC 3

•  ISO 27001

•  PCI Level 1

•  FedRAMP

•  AWS GovCloud (US)

•  MPAA best practices alignment

Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …

Provider-operated layers: facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure (IaaS / PaaS)


Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level

Stack layers: IaaS Infrastructure (Compute + Storage); PaaS Distributed Database Services; SaaS Application Services

•  Druva Certifications & Audits

o  ISAE-3000

o  TRUSTe certified privacy

o  EU Safe Harbor

o  HIPAA Audited

•  Regular VAPT Testing (White Hat)

•  SkyHigh CloudTrust program partner

•  Audits renewed annually

Badges shown: ISAE 3000, TRUSTe, EU Safe Harbor, HIPAA BAA, Skyhigh Enterprise-Ready


AWS Global Footprint

•  >1 million active customers across 190 countries

•  900+ government agencies

•  3,400+ educational institutions

•  11 regions, including ITAR-compliant GovCloud and the new region in Germany

•  28 availability zones

•  53 edge locations


Addressing Enterprise Data Protection Requirements: SaaS Provider Security Approach

•  SaaS Layer (Application): Authentication Controls (AD, SSO); Configurable Group Policies (Data Access, Sharing, Visibility); Full Admin and End-User Audit Trails

•  PaaS Layer (DynamoDB): Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)

•  IaaS / Storage Layer (EC2, S3, Glacier): S3 Buckets, Data Scrambling via Envelope Encryption, Block-Only Object Storage


Envelope Key Management & Encryption

•  Works like a bank safety-deposit box

o  Unique encryption key generated per customer

o  Key itself is encrypted with customer credentials and stored as a token

•  The key itself is inaccessible by anyone

o  Only exists during the client session

o  Never leaves the system

o  Removes the need for key management

•  Druva cannot access/decrypt customer data with the stored token
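The envelope model on this slide, as an added example in Go (not Druva's code or design): a random per-customer data key is sealed under a key derived from the customer credential, and only that sealed token with its salt is stored, so whoever holds the token alone cannot recover the data key; a session that supplies the credential unwraps it, and the same AES-GCM primitive then protects the data itself. The salted HMAC standing in for a slow password KDF, the token layout and all names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token is all the provider stores per customer: the data key wrapped under a credential-derived key.
type Token struct {
	Salt       []byte // salt for the credential-derived wrapping key
	WrappedKey []byte // data key sealed with AES-256-GCM, 12-byte nonce prepended
}

func must[T any](v T, err error) T { // the calls below (32-byte keys, crypto/rand) fail only on a broken host
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func deriveWrappingKey(credential, salt []byte) []byte {
	m := hmac.New(sha256.New, salt) // salted HMAC stands in for a slow password KDF (scrypt/Argon2)
	m.Write(credential)
	return m.Sum(nil)
}

// Seal encrypts with AES-256-GCM, nonce prepended; Open reverses it, and a wrong key fails authentication.
func Seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
func Open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// Enroll mints the customer's data key and its token; UnwrapKey recovers the key per client session.
func Enroll(credential []byte) ([]byte, Token) {
	dataKey, salt := make([]byte, 32), make([]byte, 16)
	must(rand.Read(dataKey))
	must(rand.Read(salt))
	return dataKey, Token{salt, Seal(deriveWrappingKey(credential, salt), dataKey)}
}
func UnwrapKey(credential []byte, tok Token) ([]byte, error) {
	return Open(deriveWrappingKey(credential, tok.Salt), tok.WrappedKey)
}
```

The provider-side check is the second assertion in practice: the stored token never contains the data key in the clear, and without the credential the unwrap fails authentication rather than yielding a usable key.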


Internal Privacy Controls

•  End-user privacy controls either by policy or opt-out feature (no admin data visibility)

•  Containerization on mobile devices, extendable via MDM (MobileIron)

•  Exclusionary settings for backup and collection process

•  Full data auditing for compliance response for PHI & PII

•  Admin visibility to audit trails restricted via policy

Employee Privacy

•  Privacy controls

•  Data segregation

•  Corporate visibility

Corporate Privacy (Material Data)

•  Officer data shielding

•  Compliance auditing

•  Tracking + monitoring


Scenario-based Privacy

•  Delegated roles for compliance and legal counsel

•  Full data and audit trail access for compliance, investigation and litigation requirements

Scenario / Exceptions

•  Compliance audits

•  Investigations

•  eDiscovery collection


Addressing Key Privacy Use Cases

•  Regional: Data residency; Local administration; Data Storage Privacy

•  Employee: Privacy controls; Data segregation; Restricted visibility

•  Corporate: Officer data shielding; Compliance auditing; Tracking + monitoring

•  Scenario: Compliance audits; Investigations; eDiscovery collection


Key Takeaways

•  Be sure to check the certifications and how they apply to the overall stack; just because the IaaS/PaaS is certified doesn’t mean the SaaS layer is.

•  For data residency, ensure your cloud data isn’t moving around to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.

•  Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.

•  Data privacy laws are still emerging and tend to be ambiguous; the best place to get the answers to stay compliant is working with your legal team. Don’t guess.


Next Steps: Experience the Druva Advantage

Try Druva for yourself at druva.com/trial

druva.com | [email protected]
