Securing Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud, presented by Spyders & Netskope: a discussion of shadow IT and of the Cloud Access Security Brokers (CASBs), like Netskope, Spyders' latest technology partner, that have emerged to help solve the problem of shadow IT. Cloud Access Security Brokers were listed as the #1 technology in the Gartner 2014 Top 10 Technologies for Information Security. If you're wondering what cloud access security brokers are, Gartner defines CASBs as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. Essentially, CASBs consolidate multiple types of security policy enforcement.”

As organizations embrace cloud applications, new risks and complexities have arisen. Staying on top of the ever-changing policy, legal and tech landscapes is daunting and gives rise to complex legal and business challenges.

Privacy and security expert Lisa Abe-Oldenburg and Pranav Shah, a CIO advocate and security specialist, go over the latest considerations facing Canadian organizations transitioning to cloud-based apps.

Lisa provides insight and guidance from a legal perspective, and Pranav addresses the business challenges related to architecture, technology, and human capital. Participants also gain insight into how organizations are successfully leveraging one of Gartner's newest categories, Cloud Access Security Brokers (CASB), as an integral component of their secure SaaS business and security strategies.

Visit http://www.spyders.ca to learn more about Netskope and Cloud Access Security Brokers.

Notes
  • By understanding cloud computing, the risks, and following the proposed recommendations, your organization can implement cloud computing that delivers better outcomes for your business at a lower cost.
  • The complexity of legal compliance is sometimes overwhelming, and many organizations have mistakenly assumed, or simply taken the position, that they cannot use a cloud service. However, that is not necessarily the case. For example, the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA) and OSFI do not prohibit cloud computing, even when the cloud service provider (or a part of the cloud service provided) is in another country. In certain industries and provinces, such as the public sector and healthcare in BC and Nova Scotia, cross-border outsourcing or cloud services are prohibited unless certain exceptions apply.
    Regardless of what the cloud or SaaS contract says, your organization cannot escape compliance with the laws and regulations that apply to it -- and your organization is ultimately responsible for any liability that arises through the use of a third party service provider. In other words, you cannot contract out of your legal liability under the various statutes, regulations and guidelines that apply to your business. For example, financial institutions in Canada are subject to numerous rules and regulations governing outsourcing (which includes material cloud services) and data or records retention. As an organization using cloud services you must be careful to ensure the Cloud provider has the standards, controls and notification processes in place that meet regulatory compliance and guidance requirements applicable to your organization.
    ---
    The cloud model has been highly criticized for risk of data privacy and security breaches. Data protection and preservation in the cloud is a critical issue, in particular with respect to your regulatory and litigation compliance. As such, your organization must be able to halt the destruction of data done in the normal course of a cloud service provider's business. Your organization would also need the ability to retrieve the data in a usable form.
    The process by which electronic records retention and litigation holds are implemented in a cloud environment should be clearly established in the contract before procuring cloud services. Typical cloud service provider electronic data recycling processes and procedures involve the destruction of vast amounts of data across the entire cloud environment affecting more customers than just your organization. Thus, a cloud service provider may not be able to suspend these retention procedures without affecting other unrelated customers. Your organization should contractually ensure any requirements for data preservation are clearly understood and able to be implemented by its cloud service providers.
    Additionally, metadata associated with an organization's data should be preserved. Depending on the system configuration and cloud service, the original metadata for electronic information stored in the cloud may no longer technically exist. It's important to note that in some cases, courts have sanctioned parties that did not produce metadata associated with their documents. Metadata can often assist in establishing the authenticity of the data and may be needed for a variety of e-discovery processing, review, or admissibility functions. Your procurement team should raise this issue with cloud service providers in the due diligence process and when negotiating the agreement.
  • Cloud service providers often have a business model that includes profiting from BIG DATA analysis and sale. For example, mobile banking and payments involves the collection of more than just transaction data. Individuals' geolocations and movement patterns can be mapped, their product searches or preferences tagged, and their metadata analyzed and sold for marketing or other purposes. As an organization providing a service to your customers, you need to be aware of what the possible implications of BIG DATA usage could be, and ensure that your customers are protected and that their privacy rights are not being unknowingly violated. You also have to be prepared for new legal developments in this area (which requires the ability to amend your contracts for future legal compliance), as the Privacy Commissioner of Canada has issued a report with recommendations to make changes to PIPEDA in order to address BIG DATA concerns.
  • Having a software license does not necessarily mean you are permitted to store and run the app in a cloud environment. You have to ensure, from a proper legal analysis, that the rights and restrictions in the license agreement permit you to do so.
  • We do these things in real-time, across any cloud app, and from any device, including mobile.
  • New Data – consumer behavior, likes, journey, purchase history, emotions,
  • But blocking runs counter to business process. We found that 90% of cloud app usage was in apps that have been blocked in some way, shape or form at the perimeter, e.g., by a next-gen firewall. Read this short blog entry for a description of how this happens: http://www.netskope.com/blog/netskope-cloud-report-exception-sprawl/
    Source: The Netskope Cloud Report, April 2014
  • However, for all of this cloud app goodness also comes tremendous cloud app sprawl. We at Netskope perform cloud assessments for our prospects and find that while IT usually estimates that they have about 40-50 apps running in their organizations (only a handful of which they manage), we discover between 400 and 500. Beyond the sheer volume of apps, the number of apps in business-critical or risky categories is surprising. In HR we find an average of 41 apps, and in finance/accounting, we find an average of 27. We also measure these apps’ enterprise-readiness, and find that more than three-quarters of them score a “medium” or below in our Cloud Confidence Index, which means they don’t meet enterprise standards for security, auditability, and business continuity. With the majority of cloud app procurement happening outside of IT, there is risk – risk of security events, data loss, and non-compliance. For IT, this creates a catch-22: Enable the cloud, but protect the business. Source: The Netskope Cloud Report, April 2014
    72% of apps aren’t sanctioned by IT
  • Consider adding ‘admin’ audit related actions
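The notes above make two concrete demands of a cloud provider: routine destruction of data must be haltable for a litigation hold, and records must come back in usable form with their original metadata. The following is an added example, not code from the presentation or from Spyders or Netskope, that models both requirements in a small retention sweep; the records, custodians, hold, dates and retention period are all constructed for illustration.

```python
"""Retention sweep that honours litigation holds and preserves metadata.

Added example, not part of the presentation: a minimal model of the
requirement that routine destruction of records can be halted for a legal
hold and that records can be retrieved in usable form with their original
metadata. Records, holds and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class Record:
    record_id: str
    custodian: str       # the person whose records a hold would cover
    created: date
    content: bytes
    metadata: dict       # original author, timestamps, source system, ...
    retention_days: int  # routine retention period for this record class


@dataclass
class LegalHold:
    hold_id: str
    custodians: frozenset
    active: bool = True


def is_on_hold(record, holds):
    """A record is held if any active hold names its custodian."""
    return any(h.active and record.custodian in h.custodians for h in holds)


def retention_expired(record, today):
    """Routine retention has run out once the retention period has elapsed."""
    return today >= record.created + timedelta(days=record.retention_days)


def sweep(records, holds, today):
    """Split records into (destroy, preserve).

    The hold is checked before retention, so an expired record under a hold
    is never queued for destruction; that is the suspension capability the
    notes say must be established contractually with a cloud provider.
    """
    destroy, preserve = [], []
    for r in records:
        if not is_on_hold(r, holds) and retention_expired(r, today):
            destroy.append(r.record_id)
        else:
            preserve.append(r.record_id)
    return destroy, preserve


def export_for_discovery(record, exported_on):
    """Usable-form export: content, original metadata and an integrity hash."""
    return {
        "record_id": record.record_id,
        "content": record.content.decode("utf-8"),
        "metadata": dict(record.metadata),  # original metadata kept verbatim
        "sha256": hashlib.sha256(record.content).hexdigest(),
        "exported_on": exported_on.isoformat(),
    }


def verify_export(export):
    """Confirm the exported content still matches the hash taken at export."""
    digest = hashlib.sha256(export["content"].encode("utf-8")).hexdigest()
    return digest == export["sha256"]


# Constructed sample data: two records past retention, one still current,
# and a hold covering only bob.
TODAY = date(2014, 7, 23)
SAMPLE_RECORDS = [
    Record("R1", "alice", date(2010, 1, 4), b"Q1 sales forecast",
           {"author": "alice", "source": "crm"}, 365),
    Record("R2", "bob", date(2010, 1, 4), b"Vendor negotiation notes",
           {"author": "bob", "source": "mail"}, 365),
    Record("R3", "alice", date(2014, 6, 2), b"Board minutes draft",
           {"author": "alice", "source": "docs"}, 365),
]
SAMPLE_HOLDS = [LegalHold("H-2014-01", frozenset({"bob"}))]

if __name__ == "__main__":
    destroy, preserve = sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, TODAY)
    print("destroy:", destroy, "preserve:", preserve)
    print(export_for_discovery(SAMPLE_RECORDS[1], TODAY))
```

Run as written, the sweep queues only R1 for destruction: R2 is just as old but its custodian is under the hold, and R3 is still within retention. Releasing the hold exposes R2 to the next sweep, which is the behaviour to ask a provider to demonstrate rather than assume.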
  • Transcript

    • 1. Securing Your Enterprise; Protecting Your Brand
      Securing Apps & Data in the Cloud
      Executive Breakfast | Toronto Board of Trade
    • 2. Securing Apps and Data in the Cloud
      Presented By: Lisa Abe-Oldenburg
      Toronto Board of Trade, July 23, 2014
    • 3. Introduction
      • Overview of Cloud Computing
      • Issues and Risks
      • Risk Mitigation Strategies
      • Responding to Data Breaches
      • Organizational Data and App Practices
      • Summary of Best Practices and Tips
    • 4. Overview of Cloud Computing
      • "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." - National Institute of Standards and Technology (NIST) v. 15
      • Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal. Jan. 27, 2009) – “Cloud Computing” defined as a software as a service platform for the online delivery of products and services
      • “Surge computing” analogous to electricity providers, where players intra-cloud (or in cloud stacks) or inter-cloud are essentially trading processing and storage capacity. Data, software and servers are able to be moved instantaneously to available computation resources
    • 5. Cloud Computing Essential Characteristics
      • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as applications, server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
      • Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
      • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
    • 6. Cloud Computing Essential Characteristics
      • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
    • 7. Cloud Computing Essential Characteristics
      • Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
    • 8. Cloud Computing Benefits
      • Opportunity to purchase a broad range of IT services in a utility-based model
      • Refocus efforts on IT operational expenditures and only pay for IT services consumed instead of buying IT with a focus on capacity
      • Storage, provisioning and management of apps, data and other personal information in a cloud computing model or SaaS model can help companies increase operational efficiencies, resource utilization, and innovation, delivering a higher return on our investments to stakeholders
      • Simpler issuance of cloud based apps
      • Consumer device capabilities: Ubiquitous – Only requires data connection
    • 9. Deployment Models
      • Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
      • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
      • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
      • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
    • 10. Cloud Delivery/Service Models
      • Software as a Service (SaaS)
        – cloud provider supplies the software
        – user can set limited configuration of the software
      • Platform as a Service (PaaS)
        – cloud provider supplies the programming language and tools
        – user selects and controls applications and hosting environments
      • Infrastructure as a Service (IaaS)
        – cloud provider manages and controls underlying cloud infrastructure
        – user selects and configures operating systems, storage, applications, networking components (e.g. firewalls, load balancers)
      • Cloud service integrators bundle multiple services into a single offering, to appear as a seamless consolidated application
        – E.g. customer relationship and reservations system, e-signature/e-commerce app, payment processing, billing platform, etc.
    • 11. Cloud Delivery/Service Models
      (Diagram: the cloud stack, from top to bottom: Data / Content; Software Application; Platform; Computing Infrastructure (processing, storage, networks); Cloud Infrastructure. Users access the stack at the data, application and platform layers.)
    • 12. Issues and Risks in Cloud Computing
      • Regulatory and Document/Data Retention Risk
        – How will the cloud provider meet your organization's regulatory compliance requirements?
        – Access and retrieval of software and data for the purposes of audit, compliance, litigation/eDiscovery, correction, deletion, end of service/termination, breach/failure, disaster or insolvency of cloud provider
        – Risk of insufficient backups, disaster recovery and business continuity plans – often obligations and costs are pushed onto customer (i.e. your company)
        – Watch out for freezing of accounts and no access to data upon termination or breach – data could be deleted (hijacked until fees paid or dispute resolved)
    • 13. Issues and Risks (cont.)
      • Operational, compliance and legal risk
        – IT dept loses control
        – Where is the Cloud and which laws apply?
        – Where are the data and apps? Cloud is flexible and data (and software) can move easily across borders if the network is big enough - moved around to where storage or processing is more cost effective, efficient or available
        – Your organization could be unwillingly subjecting itself to the laws of a foreign jurisdiction
        – Contracts or services in foreign jurisdictions could have conflicts with local laws, storage, handling of disputes, export controls, etc.
    • 14. Issues and Risks (cont.)
      • Operational, compliance and legal risk (cont.)
        – CASL applies to not just electronic communications, but also transmission data and software
        – CASL currently prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, without express consent, so that the message is delivered to a destination other than, or in addition to, that specified by the sender
    • 15. Issues and Risks (cont.)
      • Operational, compliance and legal risk (cont.)
        – CASL will also prohibit the installation of a computer program on any other person’s computer system, in the course of commercial activity without express consent. To aid, induce, procure or cause to be procured any of the foregoing activities is also prohibited.
        – These software prohibitions will apply effective January 15, 2015 to any computer system or person (whether contravening or directing) located in Canada at the relevant time.
    • 16. Issues and Risks (cont.)
      • Business Operations, Liability and Reputational Risks
        – Risk of asset/data loss, security and privacy breaches, inability to retrieve or use data, failure to properly retain records
        – No common cloud standards; PCI DSS, EMV and ISO standards may provide some security, reliability and interoperability
        – Aggregation of vast amounts of personal information is possible, especially when using mobile technologies
        – Clouds are a target for criminals – lots of information
    • 17. Issues and Risks (cont.)
      • IP ownership and infringement risk
        – Loss of ownership and control over software and data - how is it being used and by whom?
        – Ownership complications if cloud used for any development – need to examine applicable jurisdiction's copyright law and cloud service agreement
        – Software or systems being migrated to the cloud could also give rise to copyright infringement or breach of 3rd party licenses - creation of virtual servers or applications could be making a “copy” and require additional license rights and payment of fees to licensors/owners
    • 18. Issues and Risks (cont.)
      • Legal Contract and Liability risk
        – Limits on provider's liability may be too low - disclaimers, exclusions, short limitation periods; risk of liability shifts to your organization
        – What is your recourse if provider is in breach? If there is a service interruption/outage, errors, damages, loss, data disclosure?
        – Cloud providers often will not give indemnities and will ask for broad indemnities from the customer – must renegotiate!
        – Watch out for terms that could be unilaterally amended by the service provider, deemed accepted by use, or cross-referenced in other documents or hyperlinks – you need to know in advance what your organization is agreeing to
    • 19. Risk Mitigation Strategies
      • Compliance vs. Security
      • Assess compliance requirements under applicable laws and regulations
      • Preparation is key to prevention of data loss or breach
      • Establish baselines for security, confidentiality, data integrity, access and retention
      • Keep core business and data in-house or encrypted – establish policies
      • Incorporate e-discovery tools and information management processes
      • Consult with all stakeholders and legal counsel
      • Analysis of data collection, storage, use, disclosure, transfer
      • Transparency of equipment, premises, personnel, processes
      • Internal governance, employee policies for BYOC and training
      • Plan for transitioning (e.g. end of term, sale of business, subcontracting, affiliates) & knowledge transfer by employees
    • 20. Risk Mitigation Strategies (cont.)
      • Legal review of Contracts – existing and new
      • Negotiate limitations on liability and disclaimers, warranties and indemnities, parental/prime contractor guarantees, hold-backs, alternative dispute resolution, performance bonds, insurance and other contract terms
      • Must deal with changes to laws and regulations, technology and risk over time
      • Need reporting, breach notification and assistance, monitoring, management oversight, audit rights, control, record keeping and data return, change process, confidentiality and privacy terms, security and encryption schemes, testing, data segregation, export controls, maintenance, disaster and continuity/recovery planning, data backup, early termination, etc.
      • Have clear service & security level requirements that align with your organizational requirements – scope and remedies?
      • Thresholds of risk tolerance will affect negotiations
      • What is the harm that could occur as a result of breach and which party is best able to mitigate risk? Cost? Should indirect damages be allowed? Are caps on liability enough?
      • Don’t sign a standard form contract!
    • 21. Responding to Data Breaches • What are your legal obligations if there is a data breach? • Note, this presentation only covers data breaches in the private sector and not breaches with respect to public sector, health or employee information. • Under federal private sector privacy law, PIPEDA, breach notification is currently voluntary - to notify individuals of breaches involving their personal information, or to notify the OPC
    • 22. Responding to Data Breaches (cont.) • The Canadian Data Breach Guidelines drafted in 2007 in consultation with commissioners' offices, advocacy groups and representatives from industry, encourage organizations to: • Contain the breach and conduct a preliminary assessment of what occurred; • Evaluate the risks associated with the breach; • Notify the parties affected by the breach; • Take adequate steps to ensure that such an incident does not recur in the future.
    • 23. Responding to Data Breaches (cont.) • The OPC encourages organizations to notify the office or appropriate provincial privacy commissioners of “material” breaches of security safeguards that involve personal information—determining whether a breach is “material” involves, among other considerations, assessing the sensitivity of personal information and the number of individuals affected. • PIPEDA does include requirements around adequately safeguarding personal information through the use of physical, technological and organizational measures. • Absence of “appropriate” controls resulting in breaches currently does not trigger any regulatory consequences, such as fines or penalties.
    • 24. Responding to Data Breaches (cont.) • Proposed amendments to Canada's federal privacy legislation (PIPEDA) under Bill S-4 (introduced in the Senate April 8, 2014) will require businesses and organizations to track data breaches and report them to individuals and the OPC if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm, e.g. identity theft • The Bill sets out factors to assess risk, requirements for the content and timing of the notification and record keeping requirements of all breaches • May also be obligation to report to other organizations or government if risk could be reduced • Non-compliance would be punishable by fines of up to $100,000
    • 25. Responding to Data Breaches (cont.) • The Bill also gives new powers to the privacy commissioner to: • negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations; • right to ask the Federal Court of Canada to order compliance or award damages to someone harmed by a privacy violation up to a year after an investigation; and • release information about non-compliant organizations if it is in the public interest.
    • 26. Responding to Data Breaches (cont.) • Alberta is only province which has enacted amendments to its private sector Personal Information Protection Act (PIPA) to address incidents involving the “loss of or unauthorized access to or disclosure of the personal information.” • Note that recent SCC decision (Alberta (Information and Privacy Commissioner ) v. United Food and Commercial Workers, Local 401, 2013 SCC 62) struck down Alberta's PIPA in its entirety as unconstitutional. This declaration of invalidity has been stayed for 12 months in order to provide enough time to legislators to decide how to make this act constitutional – amendments planned for this fall • Other provinces, e.g. Ontario, New Brunswick and Newfoundland and Labrador, only require breach notification with respect to personal health information.
    • 27. Responding to Data Breaches (cont.) • Alberta PIPA requires notice to the province’s Privacy Commissioner of loss of, or unauthorized access to, personal information under the organizations' control - only if a reasonable person would consider that there exists a real risk of significant harm to an individual. Commissioner decides whether individuals should be notified.
    • 28. Responding to Data Breaches (cont.) • “real risk of harm” must be more than merely speculative and not simply hypothetical or theoretical. A breach relating to highly sensitive personal information, such as financial information, is more likely to meet this standard and require reporting. • The commissioner has interpreted “significant harm” to mean “a material harm...[having] non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”
    • 29. Responding to Data Breaches (cont.) • Manitoba's Personal Information Protection and Identity Theft Prevention Act (PIPITPA) – private sector law not yet in force • PIPITPA will generally require breach notification to an individual directly if personal information is lost, accessed or disclosed without authorization – no harm threshold • In Québec, the Commission d'accès à l'information du Québec ("CAI") in its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices" recommends to include, in both its public sector and private sector data protection laws, mandatory security breach reporting.
    • 30. Responding to Data Breaches (cont.) • PIPITPA will also create a private right of action for an individual to sue an organization for damages arising from its failure to: • protect personal information that is in its custody or control; or • provide reasonable notice if the organization was not satisfied that the lost, stolen or accessed information would be used lawfully. • Jurisdictions outside Canada may have extraterritorial implications, e.g. California has its own breach notification law
    • 31. Organizational Data and App Practices • Designate privacy and technology officers to ensure compliance under Canadian and foreign laws • Consult with the regulators when in doubt about systems and privacy policies • Have a data breach protocol plan in place - how to notify, who, and when? E.g. the regulators, individuals, ASAP • Limit access to electronic records to a need-to-know basis and password protect; control dissemination of apps • Draft and keep records of proper consents prior to collecting, using or disclosing any personal information or providing apps
    • 32. Organizational Data and App Practices (cont.) • Identify purposes for the collection, use and disclosure, and limit collection, use and disclosure to those purposes, which must be reasonable • Develop, implement and review privacy and security policies, CASL policy (see new CRTC Bulletin 2014-326), technology policy, including procurement, software, BYOD and services policies • Train employees and get acknowledgments • Protect personal information and data from theft, modification, and unauthorized access
    • 33. Organizational Data and App Practices (cont.) • Keep personal information only for as long as reasonable to carry out the business or legal purpose or as required by law and destroy or anonymize records once no longer needed • Develop a procedure for information requests/access, correction and deletion • Review and revise all contracts with third parties to ensure obligations flow through • “Stress test” data and app operations - privacy and data policies can be a marketing opportunity • After a data breach occurs, comply with data breach guidelines and notification requirements • Offer credit monitoring to clients
    • 34. Summary of Best Practices and Tips • The legal implications of cloud computing, privacy, security, confidentiality and data breaches involve many complex issues • Insist on provider transparency: participants/subcontractors, jurisdictions, data flow and processing, type of cloud and who has access • Engage all organizational teams that may have input to the cloud relationship, e.g. operational, procurement, contracts negotiation, privacy, employment (HR), compliance, audit, insurance, IT, security, risk, Board of Directors • Directors' liability for breach of their duties in risk management and oversight • Have proper testing, plans and policies in place • Get early involvement of experienced legal counsel
    • 35. Lisa K. Abe-Oldenburg, B.Comm., J.D. Abe-oldenburgL@bennettjones.com Tel.: 416-777-7475 www.bennettjones.com • This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.
    • 36. Newsflash: Shift to Cloud Beats the Street IT spending forecast revised lower, amid shift to cloud and commodity products. Global IT spending will grow 2.1% to $3.7 trillion this year, a weaker performance than originally expected, although one that is still far stronger than the marginal gain of 2013, according to research firm Gartner Inc. The downward revision of more than one percentage point was attributed to product commoditization, heightened competition, and the shift to the cloud. “Things are starting to become commoditized faster than we expected,” Gartner analyst John Lovelock tells CIO Journal. And as individual lines of business command their own ever-growing technology budgets, spending on cloud-based applications is drawing funds away from traditional IT departments, whose spending power is “in trouble,”
    • 37. Cloud App Explosion • Driven by individual and line-of-business adoption of cloud and mobile. It's how we do business. • SaaS revenue (Forrester): $21.2B in 2011 to $92.8B in 2016, 4.4x growth
    • 38. There are 5,000 enterprise apps today (and growing).
    • 39. "To SaaS or not to SaaS… that is the question!" • Concerns: security & risk, compliance, control • Business benefits: agility, cost savings
    • 40. Perspectives • Legal – Bennett Jones, LLP • Corporate IT (CIO/CSO) – Sony • IT Sector: Cloud Access Security Broker – Netskope
    • 41. Highlights • Business users are adopting consumer behaviors • Everything about data is changing • Consumerization is shifting IT architectures • Security risks arise with new architectures • A prescription for better security!
    • 42. Business users are adopting consumer behaviors • Today's business users – Do not ask if they can use new applications; they just install them – Choose where they store data – Bring consumer attitudes to work… and expect IT to adapt! – Want to comply with security and compliance rules… but want the freedom to make their own decisions on apps, data and devices • Implication for IT: IT has no choice but to adapt, manage and control
    • 43. Everything about DATA is changing • Big Data • Cloud • Mobile
    • 44. Why would you invest in data security?
    • 45. Major SHIFT in enterprise architecture • Change your security strategy! • Discover – Monitor – Control
    • 46. (chart) Source: Netskope Data
    • 47. Security risks associated with a new architecture • Network perimeter has blurred… or doesn't exist • Multiple copies of data… only contract-based control over the third party • Access control… no tools • If they get hacked, your data security is compromised – How do you disconnect from your responsibility? • IT will not have a view into mobile app transactions • Low standards for evaluating the security of mobile apps • Security skills shortage
    • 48. A prescription for better security • Create a security policy for cloud – Include apps, data, access control • Do a skill set inventory – What you have and what you will need • Build a future security architecture… it will not be perfect – How are you going to measure and manage it? • Redefine your risk management process – Identify your assets… you do not know them • Assess data security – Prepare to manage the security of data that is not in your control
    • 50. Cloud apps in use: actual 461 vs. IT estimate 40-50 • 76% of cloud apps aren't enterprise-ready • Cloud procurement happens outside of IT • App redundancy: 41 HR, 27 storage, 27 finance • Challenge: get visibility and empower safe cloud usage • Source: Netskope Data
    • 51. #1 Technology for Information Security in 2014 • Analysts Examine Industry Trends at Gartner Security & Risk Management Summit, June 23-26, National Harbor, MD • Cloud Access Security Brokers: cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud service consumers and cloud service providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers let enterprises gain visibility and control as their users access cloud resources.
    • 52. "Cool Vendors offer innovative, forward-thinking solution sets designed to address emerging and newly identified security challenges."
    • 53. Mitigate Business Risk
      Take Control of Cloud Apps:
        1. Understand cloud app usage, category, business function and risk assessment
        2. Baseline sanctioned, departmental and individual cloud apps
        3. Understand the high-level data movement to/from the clouds
        4. Coach and establish Acceptable Use Policies (AUP) for cloud apps across business, departments and users
      Take Control of User Activities:
        5. Understand risky activity usage such as share, upload, download and administration across cloud apps
        6. Understand the activities related to data movement across geo-locations between users and cloud apps
        7. Monitor for cloud app usage anomalies and irregularities
        8. Coach and establish Acceptable Use Policies (AUP) for cloud app activities, users, devices, geo-locations and time
      Take Control of Data:
        9. Audit and alert on sensitive data existing in and moving across cloud apps (PII, PCI, PHI, intellectual property)
        10. Coach, alert and block sensitive data uploads and shares
        11. Encrypt data in the cloud for data-at-rest and in-use protection
        12. Establish Acceptable Use Policy & Protection (AUP) for your corporate data based on app, content classification, department, user and geo-location
      Take Control of Compliance:
        13. Employ data audit and forensics
        14. Records retention and retrieval
        15. E-discovery compliance
        16. PCI, PHIPA industry-specific compliance
        17. Business compliance: CASL, SOX, GLBA, …
        18. FINRA advanced regulation with ethical walls
      (The slide also shows a progression scale across the four columns: 15%, 40%, 75%, 90+%)
    • 54. Netskope: Comprehensive Cloud Security Platform • Any app, any device, anywhere • Provision-by-purpose • Best user experience, security & performance • Easy to deploy and quick to value • Discovery – Analytics – Enforcement: – AppID: cloud app, category, CCI – ActivityID: share, upload, download, admin – DataID: PII, PCI, PHI, IP, … – ActorID: user, device, geo, time, … • Deep context, rich enablement services • Covers sanctioned business apps, unsanctioned apps and consumer apps • DLP, encryption
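    As an added example of the "Discover – Monitor – Control" loop from slides 45, 50 and 53 (this is example code written for this page, not code from the deck or from Netskope): it runs a small cloud-app discovery over constructed proxy log lines, produces the slide-50 style view (apps actually in use, redundancy per category, share that is not enterprise-ready), applies a coach/alert/block decision to each upload or share (slide 53, items 4, 8 and 10), and flags users whose upload volume is anomalous (item 7). The log format, the app catalog with its hosts and scores, the "enterprise-ready" threshold and the upload ceiling are all assumptions made for the example; the readiness score only stands in for a vendor index such as the CCI the deck names.

```python
"""
Shadow-cloud discovery, activity policy and an upload-volume anomaly check
over proxy logs. Added example for slides 45, 50 and 53; not Netskope code.
The log format, app catalog, readiness score and thresholds are constructed
assumptions for the example.
"""
import re
from collections import defaultdict

# Constructed catalog: host -> (app, category, readiness 0-100, sanctioned by IT).
# The readiness score stands in for a vendor index such as the CCI named on the
# slide; the scale and the values here are assumptions.
APP_CATALOG = {
    "files.corp-box.example":  ("CorpBox",     "storage", 92, True),
    "www.dropzone.example":    ("DropZone",    "storage", 48, False),
    "app.sharefast.example":   ("ShareFast",   "storage", 35, False),
    "hr.peoplecloud.example":  ("PeopleCloud", "HR",      80, True),
    "api.quickhire.example":   ("QuickHire",   "HR",      55, False),
    "ledger.fincloud.example": ("FinCloud",    "finance", 88, True),
}
ENTERPRISE_READY = 70           # assumed score threshold
UPLOAD_ANOMALY_BYTES = 8 << 20  # assumed per-user upload ceiling (8 MiB)

# Constructed proxy log: "<ts> <user> <method> <host> <path> <bytes_out>".
SAMPLE_LOG = """\
2014-07-01T09:01:02 alice POST www.dropzone.example /upload 5242880
2014-07-01T09:03:10 bob GET files.corp-box.example /d/q3.xlsx 0
2014-07-01T09:05:44 carol POST app.sharefast.example /share 1048576
2014-07-01T09:07:21 alice GET hr.peoplecloud.example /payroll 0
2014-07-01T09:09:00 dave POST api.quickhire.example /resume 204800
2014-07-01T09:10:15 bob GET ledger.fincloud.example /report 0
2014-07-01T09:12:30 eve POST www.dropzone.example /upload 10485760
2014-07-01T09:13:00 eve GET www.unknown-site.example / 0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Turn proxy lines into cloud-app activity events (AppID + ActivityID)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, method, host, path, out = m.groups()
        if host not in APP_CATALOG:
            continue  # not a catalogued cloud app; a broker would bucket it as unknown
        app, category, score, sanctioned = APP_CATALOG[host]
        if "/share" in path:
            activity = "share"
        elif method in ("POST", "PUT"):
            activity = "upload"
        else:
            activity = "download"
        events.append({"ts": ts, "user": user, "app": app, "category": category,
                       "score": score, "sanctioned": sanctioned,
                       "activity": activity, "bytes_out": int(out)})
    return events


def discover(events):
    """Discovery view: apps actually in use, redundancy per category and the
    share of apps that falls below the enterprise-ready threshold."""
    apps = {e["app"]: e for e in events}
    by_category = defaultdict(set)
    for name, e in apps.items():
        by_category[e["category"]].add(name)
    not_ready = sum(1 for e in apps.values() if e["score"] < ENTERPRISE_READY)
    return {
        "apps_in_use": len(apps),
        "unsanctioned": sorted(n for n, e in apps.items() if not e["sanctioned"]),
        "redundancy": {c: len(s) for c, s in by_category.items()},
        "pct_not_ready": round(100 * not_ready / len(apps)) if apps else 0,
    }


def decide(event, classification=None):
    """Enforcement for one activity: 'coach', 'alert', 'block' or 'allow'.
    classification is the DLP verdict on the content ('PII', 'PCI', 'PHI',
    'IP') or None when nothing sensitive was found."""
    if event["activity"] in ("upload", "share"):
        if classification and not event["sanctioned"]:
            return "block"   # sensitive data leaving to an unsanctioned app
        if classification:
            return "alert"   # sanctioned app, but audit the sensitive transfer
        if not event["sanctioned"]:
            return "coach"   # steer the user to the sanctioned alternative
    return "allow"


def upload_anomalies(events):
    """Users whose total upload/share volume exceeds the assumed ceiling."""
    totals = defaultdict(int)
    for e in events:
        if e["activity"] in ("upload", "share"):
            totals[e["user"]] += e["bytes_out"]
    return sorted(u for u, b in totals.items() if b > UPLOAD_ANOMALY_BYTES)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(discover(evs))
    for e in evs:
        verdict = decide(e, "PII" if e["category"] == "HR" else None)
        print(e["user"], e["app"], e["activity"], verdict)
    print("upload anomalies:", upload_anomalies(evs))
```

    On the constructed log this reports six apps in use (three of them unsanctioned, so 50% below the assumed threshold), three storage apps and two HR apps in parallel, a coach verdict for the plain uploads to unsanctioned storage, a block for the résumé upload carrying PII to the unsanctioned HR app, and one user over the upload ceiling. The point the slides make is that the catalog and the classification verdicts are the hard part; the policy logic itself is a few lines once an enforcement point sits in the traffic path.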