The state of data privacy with dimensional research

Here are the slides from the Data Privacy webinar we hosted with Dimensional Research. For full access to the full data privacy report that's referenced in the slides, go here: http://bit.ly/1EoYo3r

  1. The State of Data Privacy: Why It’s Becoming More Urgent for IT. May 7th, 2015
  2. Today’s Presenters (deck footer: Data Protection and Governance at the Edge)
     • Dave Packer, Vice President, Product Marketing, Druva, Inc.
     • Diane Hagglund, Principal Analyst, Dimensional Research
  3. Agenda
     • What’s Driving Global Data Privacy Awareness
     • Survey Results, Assessment & Conclusions
     • Considerations for Assessing Privacy-Ready SaaS Vendors
     • Summary and Q&A
  4. Trends Pushing Privacy to the Forefront
     • PRISM and the Patriot Act
       o Microsoft vs United States
     • Evolving Global Privacy Regulations
       o EU, Germany, France, Russia, …
     • Sectoral Regulations
       o HIPAA, SOX, FINRA, GLBA, COPPA, …
     • BYOD, blurring lines between personal and business data
     • Confidence in controls for safeguarding PII & PHI
  5. Breaches Are Elevating Awareness Exponentially
     • Almost all major breaches in 2014 were against on-premise systems
     • Significant fines & reputation exposure
     • Breaching the firewall can mean extensive systems access (Sony)
     • Internal challenges are becoming pervasive
       o Malicious outsider: 50%
       o Accidental loss / misplace: 25%
       o Malicious insider: 15%
  6. 2015: The Top Security Challenges. Source: 451 Group – Wave 8 Report 2015 (preliminary note)
  7. Sponsored by: The State of Data Privacy in 2015. A Survey of IT Professionals
  8. Goals and Methodology
     • Research Goal: Understand recent experiences and trends with data privacy in modern IT organizations.
     • Methodology: An online survey was fielded to IT professionals responsible for corporate data. A total of 214 individuals participated in the survey. Participants represented a wide range of company sizes, industries, regions and responsibility for data.
     • Definitions
       o Data security - Ensuring data is protected from unauthorized access or interception
       o Data privacy - Ensuring that sensitive data isn’t misused, misappropriated or publicly exposed by those who have authorized access to it
  9. Key Findings
     • Cloud data is growing, but privacy concerns persist
       o 88% expect their cloud data volume to increase in 2015
       o 87% are concerned about privacy of data in the cloud
     • Data privacy is important – but don’t depend on employees
       o 84% report data privacy importance is increasing in 2015
       o 82% have employees who don’t follow data privacy policies
     • Data privacy is challenging for IT
       o 93% report challenges with data privacy
       o 91% have data privacy controls, but they are incomplete
       o 77% struggle to keep up with regional requirements for data privacy
  10. Participants Represented
     • Location: EMEA 17%, APAC 23%, AMER 60%
     • Job Function: IT executive 23%, IT team manager 39%, Individual contributor in IT 19%, Business stakeholder 10%, Service provider 9%
     • Company Size: Fewer than 100: 24%; 100 – 1,000: 38%; 1,000 – 5,000: 17%; More than 5,000: 21%
  11. DETAILED FINDINGS
  12. Businesses depend on sensitive data
     Question: What type of data is the most sensitive to your business? Choose up to 3 of the following.
     • Regulated customer data (credit cards, health records, etc.): 52%
     • Password or authentication credentials: 46%
     • Personal employee information (SSNs, phone numbers, etc.): 41%
     • Intellectual property: 37%
     • Accounting and financial: 33%
     • Unregulated customer data (emails, order history, etc.): 22%
     • Payroll: 19%
     • Planning and strategy documents: 18%
     • We do not have sensitive business data: 1%
  13. Businesses must protect data privacy to meet regulations
     Question: Does your business have data privacy requirements to meet compliance and governance regulations?
     • Yes: 81%
     • No: 19%
  14. Focus on data privacy escalates in 2015
     Question: How are your company’s efforts on protecting the privacy of sensitive data changing for 2015?
     • Increasing: 84%
     • Decreasing: 1%
     • No change: 15%
  15. Giving employees data privacy policies isn’t enough
     • All employees follow data privacy policies: 18%
     • Have employees who do not follow data privacy policies: 82%
  16. All types of employees ignore data privacy policies
     Question: Which employees are MOST likely to ignore data privacy policies? Choose up to 3 of the following.
     • Sales: 48%
     • Marketing: 35%
     • Owner/Partner: 31%
     • Operations: 29%
     • IT: 24%
     • Finance and accounting: 20%
     • Manufacturing: 17%
     • Engineering: 16%
     • Legal: 6%
  17. All types of employees ignore data privacy policies (cont’d)
     Question: What level of employee is most likely to ignore data privacy policies?
     • Executives: 33%
     • Team managers: 14%
     • Individual contributors or front-line staff: 39%
     • Contractors: 14%
  18. Significant momentum in cloud data growth
     Question: How do you expect the volume of data in the cloud to change in 2015? (n = have data in the cloud)
     • Increase: 88%
     • Decrease: 5%
     • Stay the same: 7%
  19. IT is concerned about data privacy in the cloud
     Question: How concerned are you about the privacy of sensitive business data in the cloud? (n = have data in the cloud)
     • Very concerned: 32%
     • Concerned: 55%
     • Not concerned: 13%
  20. 93% face challenges with ensuring data privacy
     Question: Which of these challenges ensuring privacy of sensitive data does your IT team face?
     • Insufficient employee awareness and understanding of data privacy policies: 56%
     • Lack budget to purchase and implement technology solutions: 45%
     • No processes in place to train or audit employee behavior: 36%
     • Lack of executive visibility or priority into the problem: 34%
     • IT team doesn’t have knowledge of laws and requirements: 27%
     • Lack of data privacy policies: 24%
     • Other: 5%
     • We have no challenges: 7%
  21. Companies with operations in multiple countries find data privacy regulations challenging
     Question: Do you face any challenges meeting regional requirements for data privacy? (n = have operations in multiple countries)
     • This is challenging: 67%
     • This is not challenging: 23%
     • We don't try to keep up with differences: 10%
  22. Wide range of data privacy challenges for companies that operate globally (n = have operations in multiple countries)
     • Emerging rules and regulations difficult to track and interpret: 41%
     • Requirements are ambiguous making it difficult to determine the correct course: 29%
     • Technology vendors not offering solutions or guidance in addressing regulations: 29%
     • Legal or compliance team does not communicate requirements to IT: 25%
     • IT team lacks compliance knowledge to understand requirements: 17%
  23. Companies are trying, but data privacy controls are incomplete
     • Have data privacy controls: 91%
     • No data privacy controls: 9%
     • We enforce data privacy controls with technology: 63%
     • We ask employees to sign a data privacy agreement: 61%
     • We regularly train employees on data privacy: 54%
     • We conduct ad hoc employee education programs: 38%
  24. Even those with technology controls could do more
     Question: What technological controls does your organization have in place to limit or audit access to sensitive data by authorized or unauthorized parties?
     • Access control: 58%
     • Log all data access: 41%
     • Multi-factor authentication: 37%
     • Encrypt data on laptops: 36%
     • Encrypt data on tablets and smartphones: 21%
     • No technological controls for data privacy: 37%
  25. Key Findings
     • Cloud data is growing, but privacy concerns persist
       o 88% expect their cloud data volume to increase in 2015
       o 87% are concerned about privacy of data in the cloud
     • Data privacy is important – but don’t depend on employees
       o 84% report data privacy importance is increasing in 2015
       o 82% have employees who don’t follow data privacy policies
     • Data privacy is challenging for IT
       o 93% report challenges with data privacy
       o 91% have data privacy controls, but they are incomplete
       o 77% struggle to keep up with regional requirements for data privacy
  26. What You Need to Know About SaaS and Data Privacy
  27. About Druva
     • “Druva has been a phenomenal answer to Dell for protecting our data” (Brad Hammack, IT Emerging Technologies)
     • Company
       o Fastest growing data protection and governance company
       o Over 3,000 customers
       o Protecting 3.0m+ endpoints globally
     • Ranked #1 by Gartner two years running
     • Data Protection 2014
  28. inSync: Efficient Cloud-based Endpoint Data Protection
  29. Dramatic Shift in Cloud Adoption
     • 2013: 75%, 25%
     • 2014: 20%, 80%
  30. Common Privacy Inquiries / Use Cases: Regional, Employee, Corporate, Scenario
  31. Delivering Privacy on a Foundation of Security
     • Infrastructure Security & Operations: Where is the infrastructure? How is it controlled and to what extent certified?
     • SaaS Operations: What certifications and security controls does the SaaS provider have in place?
     • Data Residency: What are the regional, cross-geography data controls?
     • Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?
     • Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
     • Stack: IaaS (Infrastructure: Compute + Storage), PaaS (Distributed Database Services), SaaS (Application Services)
  32. As a Cloud Provider, Security = Survival
     • SOC 1, SOC 2 & SOC 3
     • ISO 27001
     • PCI Level 1
     • FedRAMP
     • AWS GovCloud (US)
     • MPAA best practices alignment
     • Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
     • IaaS / PaaS layers: Facilities, Physical security, Physical infrastructure, Network infrastructure, Virtualization infrastructure
  33. Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level
     • Stack: IaaS (Infrastructure: Compute + Storage), PaaS (Distributed Database Services), SaaS (Application Services)
     • Druva Certifications & Audits
       o ISAE-3000
       o TRUSTe certified privacy
       o EU Safe Harbor
       o HIPAA Audited
     • Regular VAPT Testing (White Hat)
     • SkyHigh CloudTrust program partner
     • Audits renewed annually
     • Logos: ISAE 3000, TRUSTe, EU Safe Harbor, HIPAA BAA, Skyhigh Enterprise-Ready
  34. AWS Global Footprint
     • >1 million active customers across 190 countries
     • 900+ government agencies
     • 3,400+ educational institutions
     • 11 regions, including ITAR-compliant GovCloud and the new region in Germany
     • 28 availability zones
     • 53 edge locations
  35. Addressing Enterprise Data Protection Requirements: SaaS Provider Security Approach
     • SaaS Layer Application: Authentication Controls (AD, SSO); Configurable Group Policies (Data Access, Sharing, Visibility); Full Admin and End-User Audit Trails
     • PaaS Layer (DynamoDB): Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
     • IaaS / Storage Layer (EC2, S3, Glacier): S3 Buckets, Data Scrambling via Envelope Encryption; Block-Only Object Storage
  36. Envelope Key Management & Encryption
     • Works like a bank safety-deposit box
       o Unique encryption key generated per customer
       o Key itself is encrypted with customer credentials and stored as a token
     • The key itself is inaccessible by anyone
       o Only exists during the client session
       o Never leaves the system
       o Removes the need for key management
     • Druva cannot access/decrypt customer data with stored token
  37. Internal Privacy Controls
     • End-user privacy controls either by policy or opt-out feature (no admin data visibility)
     • Containerization on mobile devices, extendable via MDM (MobileIron)
     • Exclusionary settings for backup and collection process
     • Full data auditing for compliance response for PHI & PII
     • Admin visibility to audit trails restricted via policy
     • Employee Privacy: Privacy controls; Data segregation; Corporate visibility
     • Corporate Privacy (Material Data): Officer data shielding; Compliance auditing; Tracking + monitoring
  38. Scenario-based Privacy
     • Delegated roles for compliance and legal counsel
     • Full data and audit trail access for compliance, investigation and litigation requirements
     • Scenario / Exceptions: Compliance audits; Investigations; eDiscovery collection
  39. Addressing Key Privacy Use Cases
     • Regional: Data residency; Local administration; Data Storage Privacy
     • Employee: Privacy controls; Data segregation; Restricted visibility
     • Corporate: Officer data shielding; Compliance auditing; Tracking + monitoring
     • Scenario: Compliance audits; Investigations; eDiscovery collection
  40. Key Takeaways
     • Be sure to check the certifications and how they apply to the overall stack: just because the IaaS/PaaS is certified doesn’t mean the SaaS layer is.
     • For data residency, ensure your cloud data isn’t moving around to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.
     • Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.
     • Data privacy laws are still emerging and tend to be ambiguous. The best place to get the answers to stay compliant is working with your legal team; don’t guess.
  41. Next Steps: Experience the Druva Advantage. Try Druva for yourself at druva.com/trial. druva.com, dave.packer@druva.com
  42. Delivering Privacy on a Foundation of Security
     • ✔ Infrastructure Security & Operations: Where is the infrastructure? How is it controlled and to what extent certified?
     • ✔ SaaS Operations: What certifications and security controls does the SaaS provider have in place?
     • ✔ Data Residency: What are the regional, cross-geography data controls?
     • ✔ Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?
     • ✔ Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
     • Stack: IaaS (Infrastructure: Compute + Storage), PaaS (Distributed Database Services), SaaS (Application Services)
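
The envelope key scheme outlined on the "Envelope Key Management & Encryption" slide (a per-customer key, wrapped with the customer's credentials and stored only as a token) can be sketched as follows. This is an added example, not Druva's implementation: the function names, the PBKDF2 derivation, and the token layout are assumptions, and the HMAC-based cipher is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Stdlib-only authenticated cipher (HMAC-SHA256 counter-mode keystream plus an
# HMAC tag). It stands in for AES-GCM or AES key wrap so the example runs with
# no dependencies; use a vetted AEAD from a crypto library in real systems.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong credentials or tampered blob")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def _kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the customer's credentials; never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(password: str):
    """Create the per-customer data key; return (stored token, session key)."""
    data_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    token = {"salt": salt, "wrapped_key": seal(_kek(password, salt), data_key)}
    return token, data_key

def open_session(token: dict, password: str) -> bytes:
    """Unwrap the data key for one session; ValueError on bad credentials."""
    return unseal(_kek(password, token["salt"]), token["wrapped_key"])

def change_password(token: dict, old: str, new: str) -> dict:
    """Re-wrap the same data key; stored customer data is not re-encrypted."""
    data_key = open_session(token, old)
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": seal(_kek(new, salt), data_key)}

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    token, key = enroll("constructed-passphrase")
    backup = seal(key, b"constructed sample file contents")
    del key  # the provider keeps only `token` and `backup`
    print(unseal(open_session(token, "constructed-passphrase"), backup))
```

The provider-side record is `token` plus the sealed data; without the customer's credentials neither yields the data key, which is the property to ask a vendor to demonstrate.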
