Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security and privacy of cloud data: what you need to know (Interop)

1,127 views

Published on

Is your company thinking about the cloud or already in there but learning fast about the many challenges of the security and privacy of cloud data?

Learn more about the landscape of data in the cloud, and the obstacles that every company should consider when it comes to protecting their down.

Published in: Technology
  • Be the first to comment

Security and privacy of cloud data: what you need to know (Interop)

  1. 1. Security & Privacy of Cloud Data What You Need to Know Dave Packer, Vice President Product Marketing April, 2015
  2. 2. 2Data Protection and Governance at the Edge “Druva has been a phenomenal answer to Dell for protecting our data” About Druva Company •  Fastest growing data protection and governance company •  Over 3,000 customers •  Protecting 3.0m+ endpoints globally Ranked #1 by Gartner two years running Data Protection 2014 Brad Hammack IT Emerging Technologies
  3. 3. 3Data Protection and Governance at the Edge inSync Efficient Endpoint Backup to the Cloud
  4. 4. 4Data Protection and Governance at the Edge Dramatic Shift in Cloud Adoption 2013 75%   25%   2014 20%   80%  
  5. 5. 5Data Protection and Governance at the Edge The Global Hurdles of Cloud Adoption •  PRISM •  Sectoral Regulations o  HIPAA, FINRA, GLBA, COPPA, … •  Evolving Global Privacy Regulations o  EU, Germany, France, Russia, … •  Microsoft vs. United States •  Dropbox Transparency Report h"p://dlapiperdataprotec/on.com/  
  6. 6. 6 2015: The Top Security Challenges Source: 451 Group – Wave 8 Report 2015 (preliminary note)
  7. 7. 7Data Protection and Governance at the Edge But there’s the flip-side of the coin •  Almost all major breaches in 2014 were against on-premise systems •  Breaching the firewall can mean all systems become vulnerable (Sony) •  Breach attributions o  Malicious outsider: 50% o  Accidental loss / misplace: 25% o  Malicious Insider: 15%
  8. 8. 8Data Protection and Governance at the Edge What  type  of  data  is  the  most  sensi/ve  to  your  business?     Other People’s Data the Top Concern 1%   18%   19%   22%   33%   37%   41%   46%   52%   0%   10%   20%   30%   40%   50%   60%   We  do  not  have  sensi/ve  business  data   Planning  and  strategy  documents   Payroll   Unregulated  customer  data  (emails,  order  history,  etc.)   Accoun/ng  and  financial   Intellectual  property   Personal  employee  informa/on  (SSNs,  phone  numbers,  etc.)   Password  or  authen/ca/on  creden/als   Regulated  customer  data  (credit  cards,  health  records,  etc.)  
  9. 9. 9Data Protection and Governance at the Edge In  your  opinion,  which  environment  has  be"er     data  security  /  privacy  controls?   Cloud Security + Privacy Opinion is Changing On   premises   65%   Cloud   35%  
  10. 10. 10Data Protection and Governance at the Edge h"p://techcrunch.com/2015/04/04/the-­‐cloud-­‐could-­‐be-­‐your-­‐best-­‐security-­‐bet/?ncid=txtlnkusaolp00000629#.z48jaw:4RNJ   •  The difference between 1 security team and 1000’s of security teams •  Data durability / resiliency and replication •  Expanding regional coverage •  However, you do need to scrutinize your cloud provider stack
  11. 11. 11Data Protection and Governance at the Edge Common Cloud Security/Privacy Concerns •  Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified? •  Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data? •  Data Residency: What are the regional, cross-geography data controls? •  Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access? •  SaaS Security: What certifications and security controls does the SaaS provider have in place? IaaS Infrastructure: Compute + Storage PaaS Distributed Database Services SaaS Application Services
  12. 12. 12Data Protection and Governance at the Edge As a Cloud Provider, Security = Survival •  SOC 1, SOC 2 & SOC 3 ISO 27001 •  PCI Level 1 •  FedRAMP •  AWS GovCloud (US) •  MPAA best practices alignment Customer are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, … Facilities Physical security Physical infrastructure Network infrastructure Virtualization infrastructure IaaS   PaaS  
  13. 13. 13Data Protection and Governance at the Edge Distributed  Denial  Of   Service  (DDoS)  A>ack   Man  In  the  Middle   (MITM)  A>ack   Port  Scanning               Packet  sniffing  by   other  tenant         IP  Spoofing   Firewall  security   groups   Vulnerability  tesLng   Continuous Network Monitoring and Response •  Protects customer data from network attacks: o  Intercepting in-transit data o  System breaches o  Blocking/disrupting services
  14. 14. 14Data Protection and Governance at the Edge AWS Global Footprint •  >1 million active customers across 190 countries •  900+ government agencies •  3,400+ educational institutions •  11 regions, including ITAR-compliant GovCloud and the new region in Germany •  28 availability zones •  53 edge locations
  15. 15. 15Data Protection and Governance at the Edge SaaS Provider Needs Build the Proper Controls •  ✔ Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified? •  Data Security: How is the data encrypted in transit and stored at-rest •  Data Residency: What are the regional, cross-geography data controls? •  Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access? •  SaaS Security: What certifications and security controls does the SaaS provider have in place? IaaS Infrastructure: Compute + Storage PaaS Distributed Database Services SaaS Application Services
  16. 16. 16Data Protection and Governance at the Edge Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level IaaS Infrastructure: Compute + Storage PaaS Distributed Database Services SaaS Application Services •  Druva Certifications & Audits o  ISAE-3000 o  TRUSTe certified privacy o  EU Safe Harbor o  HIPAA Audited •  Regular VAPT Testing (White Hat) •  SkyHigh CloudTrust program partner •  Audits renewed annually ISAE 3000 TRUSTe EU Safe Harbor HIPAA BAA Skyhigh Enterprise-Ready
  17. 17. 17Data Protection and Governance at the Edge Addressing Enterprise Data Protection RequirementsUnderstand How Your Data is Stored S3 Buckets, Data Scrambling via Envelope Encryption Blocks-Only into Object Storage IaaS / Storage Layer (EC2, S3, Glacier) SSL   Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced) PaaS Layer (DynamoDB) 256  AES   Data   Metadata  
  18. 18. 18Data Protection and Governance at the Edge Encryption Key Models Vary Extensively Management  Method   Strength   Weakness   Keys  Stored  with  Data     •  Simple   •  Provider  access   •  System  wide  breach  poten/al   •  Consumer  designed   Keys  Stored  in  Escrow   •  No  provider  direct  access   •  S/ll  accessible  w/  subpoena,  warrant,  court   order     •  Key  rota/on,  management  may  be  needed   Key  Server   Keys  Stored  On-­‐premise   •  Secure,  no  provider  access   •  On-­‐premise  hardware,  must  be  managed   •  Introduces  system-­‐wide  failure  point   Envelope   Key  encrypted  in  cloud     •  Secure,  inaccessible  by  vendor   •  No  key  management   •  Session  based  key   •  No  access  =  provider  can’t  reset  client  key  
  19. 19. 19Data Protection and Governance at the Edge Envelope Key Management & Encryption •  Works like a bank safety-deposit box o  Unique encryption key generated per customer o  Key itself is encrypted with customer credentials and stored as a token •  They key itself is inaccessible by anyone o  Only exists during the client session o  Never leaves the system o  Removes the need for key management •  Druva cannot access/decrypt customer data with stored token
  20. 20. 20Data Protection and Governance at the Edge Authentication Controls (AD, SSO) Configurable Group Policies (Data Access, Sharing, Visibility) Full Admin and End-User Audit Trails SaaS Layer Application Addressing Enterprise Data Protection RequirementsSaaS Provider Security Approach Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced) PaaS Layer (DynamoDB) S3 Buckets, Data Scrambling via Envelope Encryption Block-Only Object Storage IaaS / Storage Layer (EC2, S3, Glacier)
  21. 21. 21 Lastly, Be Sure Data Privacy is Being Addressed Regional   Employee   Corporate   Scenario  
  22. 22. 22Data Protection and Governance at the Edge Addressing Regional Data Regulations •  11 admin-selectable data storage regions, data stays within the region •  Administrator segregation and delegation with pre-defined granular access rights •  No ability for vendor to access key or stored data Corporate Privacy Regional Management •  Data residency •  Local administration •  Data Storage Privacy
  23. 23. 23Data Protection and Governance at the Edge Walls for Corporate Data Privacy •  Policy group settings for classes via AD (Officers, Legal, …) restrict data visibility •  Full data auditing for compliance response for PHI & PII •  Proactive monitoring based on data classifications Corporate Privacy Material Data •  Officer data shielding •  Compliance auditing •  Tracking + monitoring
  24. 24. 24Data Protection and Governance at the Edge Protecting Employee Privacy •  End-user privacy controls either by policy or opt-out feature (no admin data visibility) •  Containerization on mobile devices, extendable via MDM (MobileIron) •  Exclusionary settings for backup and collection process •  Admin visibility to audit trails restricted via policy Employee Privacy •  Privacy controls •  Data segregation •  Corporate visibility
  25. 25. 25Data Protection and Governance at the Edge Scenario-based Privacy •  Delegated roles for compliance and legal counsel •  Full data and audit trail access for compliance, investigation and litigation requirements Scenario / Exceptions •  Compliance audits •  Investigations •  eDiscovery collection
  26. 26. 26Data Protection and Governance at the Edge Key Takeaways •  Be sure to check the certifications and how they apply to the overall stack, just because the IaaS/PaaS is certified it doesn’t mean the SaaS layer is. •  For data residency ensure your cloud data isn’t moving around to non-compliant locations, have the vendor sign an agreement and show documented ability to comply •  Encryption models continue to evolve, make sure your provider can’t divulge your data without you knowing •  Data privacy laws are still emerging and tend to be ambiguous, best place to get the answers to stay compliant is working with your legal team, don’t guess
  27. 27. 27 Questions? www.druva.com dave.packer@druva.com Thank You! The  Leader  in  Data  ProtecOon  and   Governance  at  the  Edge  

×