Doug Meier, Director of Security and Compliance at Pandora, shares how Pandora defines and handles “shadow IT”, assesses and onboards vendors, all while keeping pace with the company’s must-do business in the cloud. He covers hot topics such as single sign-on, identity management, and active directory integration.

1. Webinar
Pandora’s Story: Securing The
Reality of Multiple Cloud Apps

2. Continuing Professional Education (CPE) Credits
Claim your CPE credit for attending this webinar
https://www.isc2.org/
For more information or questions please contact us
info@cloudlock.com
2

3. Agenda
01
02
03
04
Why Cloud Security Matters in Pandora
Fundamentals: Data and Cloud Vendors
Making Security Happen - Best Practices
CloudLock Overview
3
05 Q&A

4. Disclaimer
These slides are based on my experience working for Internet firms in Silicon
Valley.
I do not presume to speak for IT pros using different methods that may be
equally effective.
Doug Meier
Director, Security & Compliance
Pandora Media Inc.
Twitter: @TurkEllis
blog: riskof.ghost.io

5. Why Security Matters at Pandora
● We are public
● We are fast paced and unusually
collaborative
● We grow in the context of cloud apps
● We must adhere to compliance
regulations

6. Same Security Concerns - Different Approach
Similarity: Still dealing with someone else’s
product.
Dis-similarity: Defense in depth and layered
approaches can be irrelevant... external,
open, and deperimiterized.
Approach to business cloud environment
security:
● Vendor-dependent as much as ntwk team
dependent
● Requires security processes that network
security templates can’t provide

7. Yes It Is About the Data… That Matters
“Data-Centric” Security
● Most have DLP cart in front of the horse
● Fundamentals of data management
○ Classification
○ Mapping
○ Retention
○ Handling
○ Disposal
● DLP isn’t a single, one-time solution
● Identify, classify, protect data that matters
most

8. Fundamentals: The Vendor Security & Resilience Audit
1) Establish overall vendor risk
2) Verify vendor resilience:
● Appropriate Logical access
● Appropriate change mgmt of
production code
● Clear problem resolution
● Data backup & recovery methods
● Means of data integration
● Evidence of regulatory compliance /
certs
● Adequate support, resources
Pandora’s Onboarding Certification: 60+ Questions

9. PR Challenge: Instilling Security Awareness
● Fact: in de-perimeterized, ultra-
socialized business cloud >>>
business is conducted in & out of
band.
● All confidential discussions,
collabs, chats can’t be filtered or
blocked at the firewall
● Depend on ongoing security
awareness training/comms
● Leverage internal training group,
Legal team, exec staff

10. Compliance Is Not The Enemy
Truism: Good standard secure IT ops leads to
compliance.
Truism: Compliance standards ensure transparency &
accountability.
● SOX controls
● PCI-DSS 3.0 standard
● SSAE 16 reporting standard: SOC1 & SOC2
● ISO 27001
● COBIT 5 (ISACA)
● CSA Cloud Controls Matrix (CCM)
● STAR

11. Enlist The Business Owner and PM
“Soooo… about my urgent vendor onboard request
…”
• Slow it down:
– Do we support an app that does this?
– Are other groups asking for a similar hosted
app/service?
– Have we looked at alternatives?
• Simple question: how did you hear about this
vendor?
• Position a strong point person(s)
• Enlist PMs
• Communicate the positives of cloud security
process/program

12. Fencing The De-Perimeter
• Acknowledge the risk
• Vendor assessment and onboarding
process as business resilience
• Obtain exec staff support
• Prioritize security awareness and training
• Beware the freemium service, and the
endless POC
• Ask for SOC1s and SOC2s
• Use a central auth mechanism
• Enlist network & PM teams, biz owners
• Enlist IT to support
• AND monitor
• AND re-assess

13. The Enterprise Business Cloud
Business Backbone People Apps & API’s
Legacy Security
Solutions
ON - PREMISE
CLOUD
Messaging & Collaboration
Sales & marketing
HR & Skills
Finance
Sharepoint
Apps
App Server
Database

14. SaaS Security is a Shared Responsibility
USERS &
APPS
DATA
INFRASTRUCTURE
● Behavioral Anomaly
● 3rd Party Apps granted access to data
● Cloud Data Protection
● Regulatory Compliance
● Audit Logs
● Security APIs
SaaS Security
Solution

15. Controlling Data in SaaS Applications
Sanctioned
IT
Unsanctioned
Shadow IT
Sanctioned
Apps
Personal
Apps
Work Related
Apps

16. Pandora & CloudLock: Unified Cloud Security Solution
Unsanctioned
“Shadow”IT
Sanctioned
IT
API

17. Final Advice
Do Right By Your Company
• It’s a conversation
• Reduce noise & complexity
• Establish a reliable process
• Embrace compliance
• Don’t go it alone
• Don’t trust, but verify (the new normal)
• Keep your sense of humor, confidence
• Do what’s right for your company
• Use the growing body of knowledge

18. Trusted by the Largest Brands
5,000
Trade Secrets
Technology
20,000
Data Privacy
Federal
250,000
PCI-DSS
Retail
250,000
PCI-DSS
Retail
140,000
Reg Compliance
Financial Services
10,000
PHI/IP
Life Sciences
540,000
PII / FERPA
Education
12,000
Data Privacy
High Tech
80,000
PII / PCI
Transportation
27,000
Data Privacy
Manufacturing
72,000
Trust
Cloud Vendor

19. Use Cases: Cybersecurity for SaaS
Cloud Data
Protection
Apps Discovery &
Control
User Behavioral
Monitoring
Regulatory
Compliance
Threat
Protection
Auditing /
Forensics
Discover, Classify &
Control Sensitive Data
Control: Notify,
Quarantine, Encrypt
Content-based:
PCI/PHI/PII/IP
Community trust rating
for classification
Discover, Classify &
Control Shadow Apps
Control: Notify, Rate,
Revoke
Reduce Inside threat
Alert on compromised
account
Control: Notify, Rate,
Revoke
Security
Awareness

20. Cloud Security Fabric: How it Works
Content
Analysis
Context
Analysis
User Behavior
Monitoring
Central
Auditing
Incident
Management
Encryption
Management
Policy
Automation
Security
Analytics
Enterprise
Incident API
Ticketing
SIEM
Public Cloud Apps
ITSecurity
End - User

21. Next Step: Get a 1:1 Demo
bit.ly/cloudlock-demo Also Find Us At:

22. 05 Q&A

23. Thank You
Questions & Answers
www.cloudlock.com info@cloudlock.com 781.996.4332
23