Here are the slides from the Data Privacy webinar we hosted with Dimensional Research. For full access to the data privacy report referenced in the slides, go here: http://bit.ly/1EoYo3r
1. The State of Data Privacy:
Why It’s Becoming More Urgent for IT
May 7th, 2015
2. Data Protection and Governance at the Edge
Today’s Presenters
Dave Packer
Vice President, Product Marketing
Druva, Inc.
Diane Hagglund
Principal Analyst
Dimensional Research
3. Agenda
• What’s Driving Global Data Privacy Awareness
• Survey Results, Assessment & Conclusions
• Considerations for Assessing Privacy-Ready SaaS Vendors
• Summary and Q&A
4. Trends Pushing Privacy to the Forefront
• PRISM and the Patriot Act
o Microsoft vs United States
• Evolving Global Privacy Regulations
o EU, Germany, France, Russia, …
• Sectoral Regulations
o HIPAA, SOX, FINRA, GLBA, COPPA, …
• BYOD, blurring lines between personal and business data
• Confidence in controls for safeguarding PII & PHI
5. Breaches Are Elevating Awareness Exponentially
• Almost all major breaches in 2014 were against on-premises systems
• Significant fines & reputation exposure
• Breaching the firewall can mean extensive systems access (Sony)
• Internal challenges are becoming pervasive
o Malicious outsider: 50%
o Accidental loss / misplacement: 25%
o Malicious insider: 15%
6. 2015: The Top Security Challenges
Source: 451 Group – Wave 8 Report 2015 (preliminary note)
7. Sponsored by:
The State of Data Privacy in 2015: A Survey of IT Professionals
8. Goals and Methodology
Research Goal: Understand recent experiences and trends with data privacy in modern IT organizations.
Methodology: An online survey was fielded to IT professionals responsible for corporate data. A total of 214 individuals participated in the survey. Participants represented a wide range of company sizes, industries, regions and responsibility for data.
Definitions
• Data security - Ensuring data is protected from unauthorized access or interception
• Data privacy - Ensuring that sensitive data isn't misused, misappropriated or publicly exposed by those who have authorized access to it
9. Key Findings
Cloud data is growing, but privacy concerns persist
• 88% expect their cloud data volume to increase in 2015
• 87% are concerned about privacy of data in the cloud
Data privacy is important – but don't depend on employees
• 84% report data privacy importance is increasing in 2015
• 82% have employees who don't follow data privacy policies
Data privacy is challenging for IT
• 93% report challenges with data privacy
• 91% have data privacy controls, but they are incomplete
• 77% struggle to keep up with regional requirements for data privacy
10. Participants Represented
Location: EMEA 17%, APAC 23%, AMER 60%
Job Function: IT executive 23%, IT team manager 39%, Individual contributor in IT 19%, Business stakeholder 10%, Service provider 9%
Company Size: Fewer than 100 24%, 100 – 1,000 38%, 1,000 – 5,000 17%, More than 5,000 21%
12. Businesses depend on sensitive data
Question: What type of data is the most sensitive to your business? Choose up to 3 of the following.
• Regulated customer data (credit cards, health records, etc.): 52%
• Password or authentication credentials: 46%
• Personal employee information (SSNs, phone numbers, etc.): 41%
• Intellectual property: 37%
• Accounting and financial: 33%
• Unregulated customer data (emails, order history, etc.): 22%
• Payroll: 19%
• Planning and strategy documents: 18%
• We do not have sensitive business data: 1%
13. Businesses must protect data privacy to meet regulations
Question: Does your business have data privacy requirements to meet compliance and governance regulations?
• Yes: 81%
• No: 19%
14. Focus on data privacy escalates in 2015
Question: How are your company's efforts on protecting the privacy of sensitive data changing for 2015?
• Increasing: 84%
• No change: 15%
• Decreasing: 1%
15. Giving employees data privacy policies isn't enough
• All employees follow data privacy policies: 18%
• Have employees who do not follow data privacy policies: 82%
16. All types of employees ignore data privacy policies
Question: Which employees are MOST likely to ignore data privacy policies? Choose up to 3 of the following.
• Sales: 48%
• Marketing: 35%
• Owner/Partner: 31%
• Operations: 29%
• IT: 24%
• Finance and accounting: 20%
• Manufacturing: 17%
• Engineering: 16%
• Legal: 6%
17. All types of employees ignore data privacy policies (con't)
Question: What level of employee is most likely to ignore data privacy policies?
• Individual contributors or front-line staff: 39%
• Executives: 33%
• Team managers: 14%
• Contractors: 14%
18. Significant momentum in cloud data growth
Question: How do you expect the volume of data in the cloud to change in 2015? (n = have data in the cloud)
• Increase: 88%
• Stay the same: 7%
• Decrease: 5%
19. IT is concerned about data privacy in the cloud
Question: How concerned are you about the privacy of sensitive business data in the cloud? (n = have data in the cloud)
• Very concerned: 32%
• Concerned: 55%
• Not concerned: 13%
20. 93% face challenges ensuring data privacy
Question: Which of these challenges to ensuring privacy of sensitive data does your IT team face?
• Insufficient employee awareness and understanding of data privacy policies: 56%
• Lack of budget to purchase and implement technology solutions: 45%
• No processes in place to train or audit employee behavior: 36%
• Lack of executive visibility into, or priority on, the problem: 34%
• IT team doesn't have knowledge of laws and requirements: 27%
• Lack of data privacy policies: 24%
• We have no challenges: 7%
• Other: 5%
21. Companies with operations in multiple countries find data privacy regulations challenging
Question: Do you face any challenges meeting regional requirements for data privacy? (n = have operations in multiple countries)
• This is challenging: 67%
• This is not challenging: 23%
• We don't try to keep up with differences: 10%
22. Wide range of data privacy challenges for companies that operate globally
(n = have operations in multiple countries)
• Emerging rules and regulations difficult to track and interpret: 41%
• Requirements are ambiguous, making it difficult to determine the correct course: 29%
• Technology vendors not offering solutions or guidance in addressing regulations: 29%
• Legal or compliance team does not communicate requirements to IT: 25%
• IT team lacks compliance knowledge to understand requirements: 17%
23. Companies are trying, but data privacy controls are incomplete
• Have data privacy controls: 91%
• No data privacy controls: 9%
Controls in use:
• We enforce data privacy controls with technology: 63%
• We ask employees to sign a data privacy agreement: 61%
• We regularly train employees on data privacy: 54%
• We conduct ad hoc employee education programs: 38%
24. Even those with technology controls could do more
Question: What technological controls does your organization have in place to limit or audit access to sensitive data by authorized or unauthorized parties?
• Access control: 58%
• Log all data access: 41%
• Multi-factor authentication: 37%
• Encrypt data on laptops: 36%
• Encrypt data on tablets and smartphones: 21%
• No technological controls for data privacy: 37%
25. Key Findings
27. About Druva
Company
• Fastest growing data protection and governance company
• Over 3,000 customers
• Protecting 3.0m+ endpoints globally
Ranked #1 by Gartner two years running
“Druva has been a phenomenal answer to Dell for protecting our data” (Brad Hammack, IT Emerging Technologies)
Data Protection 2014
28. inSync: Efficient Cloud-based Endpoint Data Protection
29. Dramatic Shift in Cloud Adoption
2013: 75% / 25%
2014: 20% / 80%
31. Delivering Privacy on a Foundation of Security
• Infrastructure Security & Operations: Where is the infrastructure? How is it controlled and to what extent certified?
• SaaS Operations: What certifications and security controls does the SaaS provider have in place?
• Data Residency: What are the regional, cross-geography data controls?
• Data Security: How is the data encrypted in transit and stored at rest? What is the durability of the data?
• Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
Stack: IaaS (Infrastructure: Compute + Storage) / PaaS (Distributed Database Services) / SaaS (Application Services)
32. As a Cloud Provider, Security = Survival
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
Stack: Facilities / Physical security / Physical infrastructure / Network infrastructure / Virtualization infrastructure / IaaS / PaaS
33. Most IaaS/PaaS Certifications Don't Pass to the SaaS Level
Stack: IaaS (Infrastructure: Compute + Storage) / PaaS (Distributed Database Services) / SaaS (Application Services)
• Druva Certifications & Audits
o ISAE 3000
o TRUSTe certified privacy
o EU Safe Harbor
o HIPAA audited (HIPAA BAA)
• Regular VAPT testing (White Hat)
• Skyhigh CloudTrust program partner (Skyhigh Enterprise-Ready)
• Audits renewed annually
34. AWS Global Footprint
• >1 million active customers across 190 countries
• 900+ government agencies
• 3,400+ educational institutions
• 11 regions, including ITAR-compliant GovCloud and the new region in Germany
• 28 availability zones
• 53 edge locations
35. SaaS Provider Security Approach: Addressing Enterprise Data Protection Requirements
SaaS Layer (Application):
• Authentication Controls (AD, SSO)
• Configurable Group Policies (Data Access, Sharing, Visibility)
• Full Admin and End-User Audit Trails
PaaS Layer (DynamoDB):
• Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
IaaS / Storage Layer (EC2, S3, Glacier):
• S3 Buckets, Data Scrambling via Envelope Encryption
• Block-Only Object Storage
36. Envelope Key Management & Encryption
• Works like a bank safety-deposit box
o Unique encryption key generated per customer
o Key itself is encrypted with customer credentials and stored as a token
• The key itself is inaccessible to anyone outside the client session
o Only exists during the client session
o Never leaves the system
o Removes the need for key management
• Druva cannot access/decrypt customer data with the stored token
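The key hierarchy this slide describes, written out as an added example. This is not Druva or inSync code and does not describe how inSync is implemented; it is a generic envelope-encryption sketch in which a per-customer data key (DEK) is wrapped under a key derived from the customer's credential (KEK), and the provider persists only the wrapped token. All function names, the PBKDF2 parameters, the `TOKEN_AAD` label and the sample credential and record are this example's own assumptions. The authenticated-encryption routine is a standard-library stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) so the file runs without third-party packages; a real system would use AES-GCM or AES-KW from a vetted library.

```python
"""Envelope key management sketch (added illustration, not Druva/inSync code).

A per-customer DEK is wrapped under a credential-derived KEK; only the wrapped
token is stored. The AEAD below is a stdlib-only stand-in (HMAC-SHA256 keystream
XOR, encrypt-then-MAC); use AES-GCM / AES-KW from a real library in production."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000          # assumption; tune for your hardware
TOKEN_AAD = b"customer-dek-token-v1"   # binds the wrapped token to its purpose


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Independent encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verifies the tag before decrypting; raises on wrong key, wrong aad or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_kek(credential: str, salt: bytes) -> bytes:
    """KEK from the customer credential; the provider never stores this value."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def enroll_customer(credential: str) -> dict:
    """Provider-side enrollment: generate the DEK, wrap it, discard the raw DEK.
    The returned record (salt + token) is all that is persisted."""
    salt, dek = os.urandom(16), os.urandom(32)
    token = aead_encrypt(derive_kek(credential, salt), dek, aad=TOKEN_AAD)
    return {"salt": salt, "token": token}


def open_session(record: dict, credential: str) -> bytes:
    """Client session start: unwrap the DEK into memory only. Raises ValueError on a
    wrong credential, so an operator holding just the stored record gets nothing."""
    return aead_decrypt(derive_kek(credential, record["salt"]), record["token"], aad=TOKEN_AAD)


def unwrap_fails(record: dict, credential: str) -> bool:
    """True when the record cannot be opened with this credential."""
    try:
        open_session(record, credential)
        return False
    except ValueError:
        return True


def rotate_credential(record: dict, old: str, new: str) -> dict:
    """Credential change re-wraps only the 32-byte DEK; data already encrypted
    under the DEK is untouched, which is the point of the envelope."""
    dek = open_session(record, old)
    salt = os.urandom(16)
    return {"salt": salt, "token": aead_encrypt(derive_kek(new, salt), dek, aad=TOKEN_AAD)}


def demo() -> bytes:
    record = enroll_customer("correct horse battery staple")      # constructed credential
    dek = open_session(record, "correct horse battery staple")
    stored = aead_encrypt(dek, b"PHI: patient 12345, dx E11.9")   # constructed sample object
    del dek                                                        # key lives only for the session
    record = rotate_credential(record, "correct horse battery staple", "new-passphrase")
    return aead_decrypt(open_session(record, "new-passphrase"), stored)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check against the slide's wording. "Removes the need for key management" really means the customer credential becomes the root of trust: in this model the provider cannot reset it, and a lost credential makes the data unrecoverable, so the recovery story (escrow, a second wrapped copy of the DEK under a recovery key) has to be asked about explicitly. And the provider's inability to decrypt holds only while the unwrapped DEK never touches provider-controlled storage or logs during the session; that is a question for the vendor's audit reports, not something the token format guarantees.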
37. Internal Privacy Controls
• End-user privacy controls either by policy or opt-out feature (no admin data visibility)
• Containerization on mobile devices, extendable via MDM (MobileIron)
• Exclusionary settings for backup and collection process
• Full data auditing for compliance response for PHI & PII
• Admin visibility to audit trails restricted via policy
Employee Privacy: privacy controls; data segregation; corporate visibility
Corporate Privacy (Material Data): officer data shielding; compliance auditing; tracking + monitoring
38. Scenario-based Privacy
• Delegated roles for compliance and legal counsel
• Full data and audit trail access for compliance, investigation and litigation requirements
Scenario / Exceptions: compliance audits; investigations; eDiscovery collection
39. Addressing Key Privacy Use Cases
Scenario: compliance audits; investigations; eDiscovery collection
Employee: privacy controls; data segregation; restricted visibility
Corporate: officer data shielding; compliance auditing; tracking + monitoring
Regional: data residency; local administration; data storage privacy
40. Key Takeaways
• Check the certifications and how they apply to the overall stack: just because the IaaS/PaaS is certified doesn't mean the SaaS layer is.
• For data residency, ensure your cloud data isn't moving to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.
• Encryption models continue to evolve; make sure your provider can't divulge your data without you knowing.
• Data privacy laws are still emerging and tend to be ambiguous; the best place to get answers to stay compliant is your legal team. Don't guess.
41. Next Steps: Experience the Druva Advantage
Try Druva for yourself at druva.com/trial
druva.com
dave.packer@druva.com
42. Delivering Privacy on a Foundation of Security
• ✔ Infrastructure Security & Operations: Where is the infrastructure? How is it controlled and to what extent certified?
• ✔ SaaS Operations: What certifications and security controls does the SaaS provider have in place?
• ✔ Data Residency: What are the regional, cross-geography data controls?
• ✔ Data Security: How is the data encrypted in transit and stored at rest? What is the durability of the data?
• ✔ Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
Stack: IaaS (Infrastructure: Compute + Storage) / PaaS (Distributed Database Services) / SaaS (Application Services)