At ConnectED in January, Marshall Lamb and Lisa Lucadamo Jarrett from IBM spoke on one of the top concerns for moving collaboration to the cloud: managing enterprise data. In their presentation, they looked at business and technical concerns with moving to the cloud and covered 7 facets of secure data management:
• Ownership
• Creation
• Residency
• Transit
• Access
• Management
• Resiliency
The tip below covers details around the first three facets (Ownership, Creation and Residency). The full slide deck is available for free download in our IBM ConnectED community; make sure to be signed in to your free account to get download access.
Tip from ConnectED 2015: Managing your Enterprise Data in the Cloud – Security, Privacy and Governance
1. INV117: Managing your Enterprise Data in the Cloud – Security, Privacy and Governance
Marshall Lamb, IBM Connections Cloud Platform Chief Architect
Lisa Lucadamo Jarrett, Program Director, Offerings, IBM Connections Cloud
2. Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
5. I need to classify some data as sensitive and want it treated differently.
§ Customer owns data
§ IBM only processes data in operation of the cloud solution – no ownership
§ IBM treats all data as sensitive
– No knowledge of some data being more important than others
– No special treatment of some customers over others
– Our responsibility is to protect your data, whatever it is
§ Can tag data to identify or classify it
§ Can selectively encrypt files as appropriate
6. How can I find out when someone uploads something inappropriate?
§ A user’s collaboration data is only accessible by that user
– Organization admins don’t have access
§ Organization admins can be given access to mailboxes
§ Customers can monitor their users’ activity
– Journals
§ No way to know the nature of the data uploaded or sent
§ Customers need to establish rules of use
7. What are the access and visibility options for data?
§ Data created by a user is owned by that user
§ Users may select to share data with other users
– As editors or readers
§ Users may select to share data with the entire organization
§ Can share data with other people in your network
– Inside or outside the organization
– Ability to share outside the organization is controlled at the organization level
§ Communities are a way to define groups of users for controlling access to data
– Scope access to the Community only
9. I need to keep the cloud synchronized with my directory.
§ Bulk provisioning based on CSV upload or API
§ Leverage Directory Integrator pipelines to keep the cloud synchronized
§ Real-time directory sync for email contacts and type-ahead
10. I need to leverage the cloud where I work.
§ Desktop connectors
§ Desktop applications
§ Mobility
– Native applications
§ Portlets (use in Intranets/Extranets)
§ APIs and OAuth
– Allow applications to act on your behalf
11. How do I get existing data into the cloud?
§ Mailbox transfer
– During on-boarding
§ Collaboration APIs for creating or uploading content
13. I care where my data is physically located.
§ Not just the continent, but the country too
§ Industry compliance
– E.g. BAFN, HIPAA, FISMA
§ Government access
– US PATRIOT Act
– Canadian Anti-Terrorism Act
– EU Schengen Information System (SIS) II
§ Primary and disaster recovery sites as well as any replicas or backups of data remain in the same region
14. How do I know the data on my mobile device is secure?
§ IBM Connections Cloud provides mobile device management through IBM Traveler
– Device/user association
– Remote wipe
§ SSO can be supported through SAML and a basic auth end point
– Or alternatively through application passwords
§ Connections mobile administration
§ Synchronized data encryption
15. I don’t want any of my data co-mingled with other customer data.
§ Storage and network multi-tenancy makes that virtually impossible in the cloud
§ Collaboration data is logically segregated by organization
§ Mailboxes are physically separated by user
§ Do you want it, or do you need it?
– Compliance versus trust
– Relinquishing control
16. Even though it is the cloud, I still care about data center security.
§ Personnel Authorization
– Access requires current business requirement and is revoked when business need ends
– List of individuals with access re-validated quarterly
§ Access Monitoring
– Biometric controls at all physical access points
– Slab-to-slab barriers
– Man traps, motion sensors, alarms, and video cameras
§ Access Logging
– Logs are periodically reviewed
§ Security personnel
– Manned 365 days a year, 24 hours a day
§ High Availability
– Redundant power and network connectivity
– Backup generators
17. Who has operational access to the system and data?
§ Security processes cover all aspects of the Connections Cloud life cycle
§ Formal change management process
§ Separation of duty matrix covers all Connections Cloud and IBM personnel
– Segregation of activities and personnel with change access to the Connections Cloud code base and change access to the operational configuration and data
– Processes and tools to ensure that support and debugging information shared across that boundary does not carry private and sensitive information
– IBM personnel do not have access to mail data unless they are members of the mail file's access control list, administered by the customer
§ Privileged operational use requests reviewed against the separation of duties matrix
– Require two levels of management approval
– Access monitored and logs reviewed regularly
18. How is data encrypted at rest?
§ All mail files are protected with 128-bit symmetric encryption
§ Connections Files are optionally encrypted using 128-bit AES encryption
§ For encrypted data, no one individual has the ability to gain access
§ Unencrypted data access limited to those with operational responsibility for that data