2. Proprietary and confidential
A Strategic Guide to Avoiding System and Network Breaches

“Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.”

BRUCE SCHNEIER, Dec. 19, 2014
—Chief Technology Officer of Resilient Systems, a fellow at Harvard's Berkman Center, and a board member of EFF
Overview
● Who’s Really Vulnerable? Spoiler: it’s all of us.
● What Am I Afraid Of? Share your story.
● Can I Trust This Guy? Focused topics on (not) sharing data.
What Am I Afraid Of? (Part 2)
● What makes you interested in Security today?
● What do you hope to get from today’s discussion?
What’s on Our Mind?
● Does my provider know what they’re doing?
● Will PCI compliance protect me?
● How secure is my system?
● How have other people failed?
● How much is security worth?
● ...Others?
Does my provider know what they’re doing?
● Is a SaaS provider more knowledgeable and experienced than my staff?
● Is the provider more scalable than my staff and systems?
● Who owns the data?
● Can they answer the hard questions?
The Hard Questions
● Security: The system is protected, both logically and physically, against unauthorized access.
● Availability: The system is available for operation and use as committed or agreed to.
● Processing Integrity: System processing is complete, accurate, timely, and authorized.
● Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
● Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
SOC2
● Operation conforms to strict and detailed standards
● Adherence verified continually
● Formal audit by a third party
How Secure Is My Own System?
Can you tell if your system was penetrated today?

Are you using…
● Malware scanning
● IDS/IPS
● Vulnerability scanning

Do your users know how to...
● Use strong passwords
● React to phishing
● Recognize fake sites
How Much Is Security Worth?
“Sony made its situation worse by having substandard security.”
BRUCE SCHNEIER

Sony Pictures’ executive director of information security Jason Spaltro told CIO Magazine in 2007 that it may be “a valid business decision to accept the risk” of a security breach.
http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
The Guide to Secure Partner Relationships
● Admit you’re vulnerable
● Assess the risk
● Choose your partners
● Prioritize your improvements
● Monitor your environment
● Evolve