Slide 2
cloud adoption is rising fast (source: Bitglass Cloud Adoption Report):
8% of healthcare orgs had cloud apps deployed in 2014
37% of healthcare orgs had cloud apps deployed in 2015
Slide 4
native security features can't be relied upon: the data blind spot

components                 | layer          | owner
usage/consumption, data    | data           | enterprise
application, services      | application    |
servers & storage, network | infrastructure |
Slide 5
security must evolve to protect data outside the firewall
cloud: attack on SaaS vendor, risks to sensitive data
access: uncontrolled access from any device
network: data breach, exfiltration & Shadow IT
mobile: lost device with sensitive data
Slide 6
HIPAA technical safeguards for cloud
■ access control
○ granular context-based controls over access
to both managed and unmanaged devices
○ secure identity/authentication
■ transmission security
○ end-to-end encryption
■ audit and visibility
Slide 7
access controls
the new data reality requires a new security architecture
■ cross-device, cross-platform agentless
data protection
■ granular DLP for data at rest and in
motion
■ contextual access control
Slide 8
controlling access from unmanaged mobile devices
■ secure mobile devices without invasive
profiles or certificates; support multiple
affiliations
■ protect data in “unwrappable” native apps
like mail, contacts, calendar
■ selectively wipe corporate data
■ enforce device security policies
■ full data control and visibility for IT
Slide 9
identity
centralized identity management is key to securing data
■ cloud app identity management should
maintain the best practices of on-prem
identity
■ SSO enables cross-app visibility into
suspicious access activity
■ contextual multi-factor authentication
mitigates risk
Slide 10
transmission security
end-to-end protection
■ cloud data doesn’t exist only “in the cloud”
■ a complete solution must provide visibility and
control over data in the cloud
■ solution must also protect data on end-user
devices
■ leverage contextual access controls
Slide 11
audit and visibility
■ detailed logging for compliance and
audit.
■ identify PHI data at rest and external
sharing
■ easily modify sharing permissions and
quarantine files for review
■ detect and be alerted instantly of
suspicious behavior
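The two slides above (SSO giving cross-app visibility into suspicious access, and instant detection of suspicious behaviour from audit logs) describe a capability without showing what the detection logic looks like. The following is an added example, not code from the deck or from Bitglass. The log format (JSON lines with ts/user/app/ip/result), the IP-to-coordinate table standing in for a GeoIP database, the 900 km/h travel threshold and the "three apps in ten minutes" failure rule are all assumptions chosen for illustration. The point it demonstrates: because every app authenticates through one SSO, a single log stream exposes patterns that no individual app's native logging can see.

```python
"""Cross-app suspicious-access detection over SSO audit logs (added example)."""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup: ip -> (lat, lon).
GEO = {
    "203.0.113.10": (37.77, -122.42),  # San Francisco
    "198.51.100.7": (40.71, -74.01),   # New York
    "192.0.2.55": (51.51, -0.13),      # London
}

# Constructed SSO log sample, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2016-03-01T09:00:00", "user": "alice", "app": "email", "ip": "203.0.113.10", "result": "success"}
{"ts": "2016-03-01T09:05:00", "user": "bob", "app": "email", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2016-03-01T09:06:00", "user": "bob", "app": "crm", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2016-03-01T09:08:00", "user": "bob", "app": "hr", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2016-03-01T09:09:00", "user": "carol", "app": "email", "ip": "192.0.2.55", "result": "failure"}
{"ts": "2016-03-01T10:00:00", "user": "alice", "app": "files", "ip": "192.0.2.55", "result": "success"}
{"ts": "2016-03-01T10:30:00", "user": "carol", "app": "email", "ip": "192.0.2.55", "result": "success"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins by one user, across any app, whose
    implied travel speed exceeds max_kmh (roughly an airliner)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if hours == 0 or km / hours > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "apps": (prev["app"], cur["app"]), "km": round(km)})
    return alerts


def cross_app_failures(events, window=timedelta(minutes=10), min_apps=3):
    """Flag a user whose failed logins hit min_apps distinct apps inside one
    window: a credential-stuffing / spraying pattern that each app, looking
    only at its own failures, would never notice."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            apps = {e["app"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(apps) >= min_apps:
                alerts.append({"rule": "cross_app_failures", "user": user,
                               "apps": sorted(apps)})
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in impossible_travel(evs) + cross_app_failures(evs):
        print(alert)
```

On the constructed sample, alice's London login one hour after a San Francisco login trips the travel rule, and bob's failures against email, CRM and HR within four minutes trip the cross-app rule; carol's single failure followed by a success from the same IP is treated as normal.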
Slide 12
data integrity
■ secure the data in the cloud - where you
have versioning and control over
permissions
■ apply granular DLP to sensitive data with
spectrum of actions from watermarking to
encryption.
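Slides 7, 9 and 12 together describe one decision: contextual access control that considers the device and the authentication state, with a graduated DLP response running from watermarking through encryption to an outright block, and contextual MFA as a step-up. The following is an added example of that decision, not code from the deck or from Bitglass. The context fields, the PHI detectors (a US SSN pattern and a made-up "MRN-NNNNNNN" medical record number format), the rule ordering and the sample documents are all assumptions chosen for illustration.

```python
"""Contextual access control with a graduated DLP response (added example)."""
import re
from dataclasses import dataclass

# Constructed PHI detectors. A real deployment would use a tuned classifier and
# many more identifiers; the MRN format here is hypothetical.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}


@dataclass
class Context:
    user: str
    managed_device: bool     # device enrolled with / managed by IT
    mfa_passed: bool         # step-up MFA already satisfied this session
    on_corp_network: bool    # request comes from a known network
    app_sanctioned: bool     # IT-approved app, as opposed to Shadow IT
    action: str              # "view", "download" or "share_external"


def find_phi(text: str) -> dict:
    """Count PHI matches per detector; an empty dict means no PHI found."""
    return {name: len(pat.findall(text))
            for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def decide(ctx: Context, content: str) -> tuple:
    """Return (action, reason). Rules run from most to least restrictive, so the
    first rule that fires wins and later rules may assume earlier ones passed."""
    if not ctx.app_sanctioned:
        return "block", "unsanctioned app (Shadow IT)"
    if not find_phi(content):
        return "allow", "no PHI detected"
    # Everything below applies only to content containing PHI.
    if ctx.action == "share_external":
        return "block", "external sharing of PHI"
    if not ctx.mfa_passed and not (ctx.managed_device and ctx.on_corp_network):
        return "require_mfa", "PHI access from an unfamiliar context; step up"
    if ctx.action == "download":
        if ctx.managed_device:
            return "encrypt", "PHI download to managed device; encrypt at rest"
        return "block", "PHI download to unmanaged device"
    if not ctx.managed_device:
        return "watermark", "PHI viewed on unmanaged device; watermark, no local copy"
    return "allow", "PHI on managed device from trusted context"


# Constructed sample documents.
PHI_DOC = "Patient MRN-0012345 (SSN 123-45-6789): follow-up on Tuesday."
PUBLIC_DOC = "Cafeteria menu for Monday: soup and salad."

if __name__ == "__main__":
    ctx = Context("alice", managed_device=False, mfa_passed=True,
                  on_corp_network=False, app_sanctioned=True, action="view")
    print(find_phi(PHI_DOC))
    print(decide(ctx, PHI_DOC))
    ctx.action = "download"
    print(decide(ctx, PHI_DOC))
```

The ordering is the design choice worth noticing: the Shadow IT check and the PHI check come first so that non-sensitive data is never slowed down, external sharing of PHI is refused before any step-up is offered, and the "unmanaged device" outcome differs by action (watermarked view is allowed, download is not), which is what "protect data on end-user devices" means in practice.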
BYOD has long been a part of IT in higher education.
Most universities have migrated to a cloud app such as Google Apps or O365 in the last year:
23% of institutions had cloud apps deployed in 2014.
83% of institutions had cloud apps deployed by 2015.
Only 20% of institutions use single sign-on.
Needs of universities:
■ secure unsanctioned apps like Dropbox and Box, which are widely used but unsecured
■ secure other cloud apps
■ provide DLP, which is not native to solutions like Dropbox
■ control access from BYOD
The old approach to the problem is to secure the infrastructure. Historically this is where the spend for large organizations has been: secure your network, put agents on every trusted device to manage the device, and so on.
The fact is that the "trusted device" approach makes you more vulnerable to breaches, since users take their devices home for the weekend and come back infected on Monday. Malware Mondays!
Issues with this approach: it is cumbersome and expensive to administer, since you have to manage every device and network. Usability is poor too, especially when it comes to MDM.
One of the big problems with this architecture is unmanaged devices accessing the cloud directly, with no visibility or control for IT teams. In short: complex to deploy, poor user experience, data-sync proliferation, BYOD blind spot.
When talking to potential customers, this sometimes comes up: aren't cloud vendors already protecting their apps with native security features?
A very simple framework for thinking about this: the WSJ test.