The Cloud Beckons, But is it Safe? (Presentation Transcript)
The Cloud Beckons, But is it Safe? You should hear voices. If you can’t hear anything, check that your computer volume is turned up and un-muted, and the “Use Mic” radio button is selected. Or you can use a phone to listen to the same audio by calling (914) 339-0030, Access Code: 742-024-148
Logistics: Audio Via Phone. Speakers not working? Prefer the phone? Dial in: (914) 339-0030, Access Code: 742-024-148. Choose “Use Telephone” (if you can’t see this panel, click the “Show Control Panel” button).
Logistics: Ask Questions. Ask questions! Otherwise I’m speaking to a black hole! Click to open the chat window. Raise your hand and I’ll unmute you. Not hearing anything? Call 773-945-1010, access code 257-723-187
The Cloud Beckons, But is it Safe? July 2012
Introductions: Laura Quinn, Executive Director, Idealware; Jeff Hogue, Legal Assistance of Western New York. What are you hoping to get out of this session?
What is The Cloud?
LSC Grantees are Using It • 46% said that “some or all of their servers are hosted externally” • 18% said they were using Google Apps for email • 13% said they were using Google Docs
The Lure of the Cloud • Low cost of entry • Easy remote access • No complex infrastructure
But What About Security?
Cloud Security in the News
Technology and Legal Ethics. The ABA is prepared to vote in new model rules requiring lawyers to "make reasonable efforts" to prevent "inadvertent or unauthorized disclosure of, or unauthorized access to" confidential client information. This doesn’t preclude the cloud, but it requires you to think through its use.
Under Siege To be on the Internet is to be vulnerable to attack. If you’re on the Internet, you’re in The Cloud
But We Do Lots of Things on the Internet • We shop online • We bank online • We post crazy things on Facebook. Why is the cloud different? It’s not.
How Secure is Your On-Site Data? Do any of these sound familiar? • No one patches computers or is responsible for network security • You haven’t really thought about passwords or permissions • No disaster recovery plans • Staff hasn’t had any security training
Myth “We’re a small nonprofit. We’re safe because no one would target us for cyber attack.”
Fact: Many data security breaches are crimes of opportunity. Organizations don’t always consider the sensitivity of their data until it’s exposed.
Myth “Our data is safer not in the cloud”
A Cloud Data Center
Is This Your Server Closet?
What Does Security Mean?
The Three Pillars of Information Security
Confidentiality Information is available only to authorized parties.
Integrity Information isn’t modified inappropriately, and you can track who made what change.
Availability Assurance that data is accessible when needed by authorized parties.
Also: Physical Possession. Whoever has the data could, in theory, turn it over to the government.
What Does Security Mean For You?
Rules for Absolute Safety: Turn off your Internet connection. Allow no one access to your data and systems. But let’s be realistic…
Know What You’re Protecting What kinds of data are you storing, and how sensitive are they? Think about its value on the open market.
Red Flags You need extremely tight security to store: • Donors’ credit card numbers. • Scanned images of checks. • Donors’ bank account information.
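The two slides above ask you to know what kinds of data you hold and to treat card and bank-account data as red flags. The following is an added example, not part of the Idealware presentation: a small data-discovery scan over free-text records (a donor database export, case notes) that flags Luhn-valid card numbers and checksum-valid US routing numbers, and reports only masked values so the report itself does not become another copy of the sensitive data. All record ids, notes, card numbers and routing numbers are constructed test values.

```python
import re

# Added example, not from the Idealware slides: a small data-discovery scan that flags
# the "red flag" data types the slide names (card numbers, bank account details) inside
# records you already hold, so you know what you are protecting before moving it anywhere.
# Every record, card number and routing number below is constructed test data.

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# 9-digit run: candidate US bank routing number
ROUTING_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers (cuts most false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_routing_valid(digits: str) -> bool:
    """Weighted (3, 7, 1) checksum used by 9-digit US ABA routing numbers."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    weighted = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return weighted % 10 == 0


def mask(digits: str) -> str:
    """Never write the full number into a report; keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers (separators removed) found in free text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_record(record_id: str, text: str) -> list:
    """(record_id, category, masked value) for each red-flag item found in one record."""
    findings = [(record_id, "payment card number", mask(pan)) for pan in find_card_numbers(text)]
    for m in ROUTING_RE.finditer(text):
        if aba_routing_valid(m.group()):
            findings.append((record_id, "bank routing number", mask(m.group())))
    return findings


def scan_all(records: dict) -> list:
    """Scan a {record_id: text} mapping and collect every finding, in record order."""
    findings = []
    for record_id, text in records.items():
        findings.extend(scan_record(record_id, text))
    return findings


SAMPLE_RECORDS = {  # constructed donor-database notes; numbers are synthetic test values
    "donor-001": "Pledge paid by card 4111 1111 1111 1111, thanks for the call",
    "donor-002": "Call back at 212-555-0100 about the gala",
    "donor-003": "ACH details: routing 123456780, account ending 4421",
    "donor-004": "Order ref 4111111111111112 (looks like a card number, fails Luhn)",
}

if __name__ == "__main__":
    for record_id, category, masked in scan_all(SAMPLE_RECORDS):
        print(f"{record_id}: {category} {masked}")
```

Run against the constructed records, only donor-001 (a card number) and donor-003 (a routing number) are flagged; the phone number and the Luhn-invalid reference are ignored. A hit means the record belongs in the "extremely tight security" category before it goes to any vendor, cloud or otherwise.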
Privilege and Waiver. Is storing data in the cloud disclosure that destroys the privileged nature of data? No, but you have to spend time thinking through the problem.
What’s Your Exposure? Consider the impact of exposure of your confidential information, both in monetary terms and reputation.
What’s The Impact of an Outage? How much staff time could you lose from a short-term or prolonged outage?
Testing Your On-Site Security. Have you recently performed a: • Check on whether your systems have been recently patched? • Systems penetration test? • Employee training on security procedures? • Backup/recovery test? If not, you’d likely increase your security by moving to the cloud.
A Multi-Level Security Model
Multi-Level Security is the Ideal
Physical Security • Guarded facilities • Protection of your hardware and devices • Power redundancy • Co-location (redundant facilities)
Transmission Security. Is data encrypted in transit? Is the network secure?
Access Controls • Ensuring the right people have access to the right data • Physical access to the server • Training on appropriate passwords and security measures
Data Protection • Data encryption • Solid backup and restore policies • Ability to purge deleted data • Ability to prevent government entities from getting your data with a subpoena
What to Look For in a Vendor
Description of Security Mechanisms. Documentation of all the facets of security, and the staff can talk about it intelligently. Proves information security is on the “front burner”.
Uptime. Do they provide any guarantee of uptime? Any historic uptime figures? Uptime figures are typically in 9s: 99%, 99.9% or 99.99%. Your connection to the internet may well be the weakest link.
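To make the "9s" on this slide concrete, the following added example (not from the Idealware presentation) converts an uptime percentage into the hours of downtime per year it permits, and then multiplies the uptimes of everything between your staff and the vendor to show why your own Internet connection can dominate the result. The vendor, ISP and router figures in the chain are constructed for illustration, and a 365-day year is assumed.

```python
# Added example, not from the Idealware slides: turning "nines" into a downtime budget,
# and showing why your own Internet connection can be the weakest link.
# All uptime figures in the sample chain below are constructed for illustration.

HOURS_PER_YEAR = 365 * 24  # assumption: non-leap year


def downtime_hours_per_year(uptime_pct: float) -> float:
    """Hours per year a service may be down and still meet the stated uptime percentage."""
    if not 0.0 <= uptime_pct <= 100.0:
        raise ValueError("uptime must be a percentage between 0 and 100")
    return HOURS_PER_YEAR * (1.0 - uptime_pct / 100.0)


def composite_uptime_pct(*uptime_pcts: float) -> float:
    """Availability of a chain of components that must all be up at the same time
    (vendor data center AND your ISP AND your office router ...).
    With independent failures the availabilities multiply, so the chain is
    never better than its weakest link and usually a little worse."""
    total = 1.0
    for pct in uptime_pcts:
        total *= pct / 100.0
    return total * 100.0


def weakest_link(named_uptimes: dict) -> str:
    """Name of the component with the lowest uptime in a {name: uptime_pct} chain."""
    return min(named_uptimes, key=named_uptimes.get)


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99):
        print(f"{pct}% uptime allows {downtime_hours_per_year(pct):.2f} hours/year of downtime")
    # Constructed chain: a strong vendor SLA behind a typical office connection.
    chain = {"vendor SLA": 99.99, "office ISP": 99.5, "office router": 99.9}
    print(f"end-to-end: {composite_uptime_pct(*chain.values()):.3f}%"
          f"  weakest link: {weakest_link(chain)}")
```

With these figures the vendor's 99.99% (under an hour a year) is irrelevant to what staff experience: the chain comes out below 99.4%, and the office ISP, not the vendor, sets the ceiling. When comparing vendor uptime guarantees, compare them against the uptime of your own connection first.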
Terms of Service What’s in the terms of service in terms of privacy and use of your data? Do they need to tell you if they change their terms of service?
Regulatory Compliance: HIPAA. Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
Regulatory Compliance: SAS70 and SSAE16 Audit for security standards, hardware, and processes. Statement on Accounting Standards 70 (SAS70) Statement of Standards for Attestation Engagements 16 (SSAE16)
Regulatory Compliance: PCI DSS Compliance. If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Payment Data Security Standard)
Your Data Is No Safer Than You Make It Any computer attached to the internet is vulnerable unless you protect it. The cloud isn’t, in and of itself, more or less secure
Understand the Value of Your Data What is it worth to you? To others? What measures are appropriate to protect it?
But Many Vendors Make Your Data Really Safe. Choose vendors who show they’re serious about data protection (not all vendors are created equal). Consider a vendor’s regulatory compliance.