The Cloud Beckons, But is it Safe? (#12NTCCSec)
Laura Quinn, Michael Enos
Introductions
Laura Quinn, Executive Director, Idealware
Michael Enos, Chief Technology Officer, Second Harvest Food Bank of Santa Clara and San Mateo Counties
What are you hoping to get out of this session?
Under Siege
To be on the Internet is to be vulnerable to attack. If you’re on the Internet, you’re in The Cloud.

But We Do Lots of Things on the Internet
We shop online. We bank online. We post crazy things on Facebook.
Why is the cloud different? It’s not.
How Secure is Your On-Site Data?
Do any of these sound familiar?
• No one patches computers or is responsible for network security
• You haven’t really thought about passwords or permissions
• No disaster recovery plans
• Staff hasn’t had any security training
Myth
“We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”

Fact
Many data security breaches are crimes of opportunity. Organizations don’t always consider the sensitivity of their data until it’s exposed.

Rules for Absolute Safety
Turn off your Internet connection. Allow no one access to your data and systems.
But let’s be realistic…
Know What You’re Protecting
What kinds of data are you storing, and how sensitive are they? Think about their value on the open market.

Red Flags
You need extremely tight security to store:
• Donors’ credit card numbers.
• Scanned images of checks.
• Donors’ bank account information.
What’s Your Exposure?
Consider the impact of exposure of your confidential information, both in monetary terms and reputation.

What’s The Impact of an Outage?
How much staff time could you lose from a short-term or prolonged outage?
Testing Your On-Site Security
Have you recently performed a:
• Check on whether your systems have been recently patched?
• Systems penetration test?
• Employee training on security procedures?
• Backup/recovery test?
If not, you’d likely increase your security by moving to the cloud.
Description of Security Mechanisms
Documentation of all the facets of security, and the staff can talk about it intelligently. Proves information security is on the “front burner”.

Uptime
Do they provide any guarantee of uptime? Any historic uptime figures? Uptime figures are typically in 9s: 99%, 99.9% or 99.99%.
Your connection to the internet may well be the weakest link.
Regulatory Compliance: HIPAA
Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?

Regulatory Compliance: SAS70 and SSAE16
Audit for security standards, hardware, and processes.
Statement on Accounting Standards 70 (SAS70)
Statement of Standards for Attestation Engagements 16 (SSAE16)

Regulatory Compliance: PCI DSS Compliance
If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Data Security Standard).