Is your company thinking about the cloud or already in there but learning fast about the many challenges of the security and privacy of cloud data?
Learn more about the landscape of data in the cloud, and the obstacles that every company should consider when it comes to protecting their data.
Cloud Data Security and Privacy
1. Security & Privacy of Cloud Data
What You Need to Know
Dave Packer, Vice President Product Marketing
April, 2015
2. Data Protection and Governance at the Edge
About Druva
Company
• Fastest growing data protection and governance company
• Over 3,000 customers
• Protecting 3.0m+ endpoints globally
Ranked #1 by Gartner two years running
Data Protection 2014
“Druva has been a phenomenal answer to Dell for protecting our data”
Brad Hammack, IT Emerging Technologies
3.
inSync
Efficient Endpoint Backup to the Cloud
4.
Dramatic Shift in Cloud Adoption
2013: 75% / 25%
2014: 20% / 80%
5.
The Global Hurdles of Cloud Adoption
• PRISM
• Sectoral Regulations
o HIPAA, FINRA, GLBA, COPPA, …
• Evolving Global Privacy Regulations
o EU, Germany, France, Russia, …
• Microsoft vs. United States
• Dropbox Transparency Report
http://dlapiperdataprotection.com/
6.
2015: The Top Security Challenges
Source: 451 Group – Wave 8 Report 2015 (preliminary note)
7.
But there’s the flip-side of the coin
• Almost all major breaches in 2014 were
against on-premise systems
• Breaching the firewall can mean all
systems become vulnerable (Sony)
• Breach attributions
o Malicious outsider: 50%
o Accidental loss / misplace: 25%
o Malicious Insider: 15%
8.
Other People’s Data the Top Concern
What type of data is the most sensitive to your business?
• We do not have sensitive business data: 1%
• Planning and strategy documents: 18%
• Payroll: 19%
• Unregulated customer data (emails, order history, etc.): 22%
• Accounting and financial: 33%
• Intellectual property: 37%
• Personal employee information (SSNs, phone numbers, etc.): 41%
• Password or authentication credentials: 46%
• Regulated customer data (credit cards, health records, etc.): 52%
9.
Cloud Security + Privacy Opinion is Changing
In your opinion, which environment has better data security / privacy controls?
• On premises: 65%
• Cloud: 35%
10.
http://techcrunch.com/2015/04/04/the-cloud-could-be-your-best-security-bet/?ncid=txtlnkusaolp00000629#.z48jaw:4RNJ
• The difference between 1 security
team and 1000’s of security teams
• Data durability / resiliency and
replication
• Expanding regional coverage
• However, you do need to scrutinize
your cloud provider stack
11.
Common Cloud Security/Privacy Concerns
• Infrastructure Security: Where is the infrastructure? How is
it controlled and to what extent certified?
• Data Security: How is the data encrypted in transit and
stored at-rest? What is the durability of the data?
• Data Residency: What are the regional, cross-geography
data controls?
• Data Privacy: What controls are in place to provide ethical
walls? What data can my SaaS provider access?
• SaaS Security: What certifications and security controls
does the SaaS provider have in place?
IaaS
Infrastructure: Compute + Storage
PaaS
Distributed Database Services
SaaS
Application Services
12.
As a Cloud Provider, Security = Survival
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA,
DIACAP MAC III sensitive ATO, ITAR, …
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
IaaS
PaaS
13.
Distributed Denial of Service (DDoS) Attack
Man in the Middle (MITM) Attack
Port Scanning
Packet sniffing by other tenant
IP Spoofing
Firewall security groups
Vulnerability testing
Continuous Network Monitoring and Response
• Protects customer data from
network attacks:
o Intercepting in-transit data
o System breaches
o Blocking/disrupting services
14.
AWS Global Footprint
• >1 million active customers across
190 countries
• 900+ government agencies
• 3,400+ educational institutions
• 11 regions, including ITAR-compliant
GovCloud and the new region in
Germany
• 28 availability zones
• 53 edge locations
15.
SaaS Provider Needs to Build the Proper Controls
• ✔ Infrastructure Security: Where is the infrastructure?
How is it controlled and to what extent certified?
• Data Security: How is the data encrypted in transit and
stored at-rest?
• Data Residency: What are the regional, cross-geography
data controls?
• Data Privacy: What controls are in place to provide ethical
walls? What data can my SaaS provider access?
• SaaS Security: What certifications and security controls
does the SaaS provider have in place?
IaaS
Infrastructure: Compute + Storage
PaaS
Distributed Database Services
SaaS
Application Services
16.
Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level
IaaS
Infrastructure: Compute + Storage
PaaS
Distributed Database Services
SaaS
Application Services
• Druva Certifications & Audits
o ISAE-3000
o TRUSTe certified privacy
o EU Safe Harbor
o HIPAA Audited
• Regular VAPT Testing (White Hat)
• SkyHigh CloudTrust program partner
• Audits renewed annually
ISAE 3000
TRUSTe EU Safe Harbor
HIPAA BAA
Skyhigh
Enterprise-Ready
17.
Addressing Enterprise Data Protection Requirements
Understand How Your Data is Stored
S3 Buckets, Data Scrambling via Envelope Encryption
Blocks-Only into Object Storage
IaaS / Storage Layer
(EC2, S3, Glacier)
SSL
Global Deduplication (unique blocks) &
Metadata Separation (data is dereferenced)
PaaS Layer
(DynamoDB)
256 AES
Data
Metadata
18.
Encryption Key Models Vary Extensively
Management Method: Keys Stored with Data
Strength:
• Simple
Weakness:
• Provider access
• System wide breach potential
• Consumer designed
Management Method: Keys Stored in Escrow
Strength:
• No provider direct access
Weakness:
• Still accessible w/ subpoena, warrant, court order
• Key rotation, management may be needed
Management Method: Key Server, Keys Stored On-premise
Strength:
• Secure, no provider access
Weakness:
• On-premise hardware, must be managed
• Introduces system-wide failure point
Management Method: Envelope Key encrypted in cloud
Strength:
• Secure, inaccessible by vendor
• No key management
• Session based key
Weakness:
• No access = provider can’t reset client key
19.
Envelope Key Management & Encryption
• Works like a bank safety-deposit box
o Unique encryption key generated per customer
o Key itself is encrypted with customer credentials and
stored as a token
• The key itself is inaccessible by anyone
o Only exists during the client session
o Never leaves the system
o Removes the need for key management
• Druva cannot access/decrypt customer data
with stored token
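An added sketch of the envelope model described on this slide, not Druva's implementation: a per-customer data key is wrapped under a key derived from the customer's credential, and only the resulting token is stored. The function names, the PBKDF2 work factor and the sample credentials are assumptions, and the PBKDF2-derived mask with an HMAC tag is a standard-library stand-in for a real key-wrap cipher such as AES key wrap.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _derive(credential: str, salt: bytes) -> bytes:
    # 64 bytes from the credential: 32 to mask the data key, 32 to authenticate the token.
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, ITERATIONS, dklen=64)


def wrap_key(data_key: bytes, credential: str) -> dict:
    """Return the token the provider stores: salt + wrapped key + tag, never the key."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes (AES-256 sized)")
    salt = os.urandom(16)  # fresh per token, so the mask is never reused
    k = _derive(credential, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, k[:32]))
    tag = hmac.new(k[32:], salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(token: dict, credential: str) -> bytes:
    """Recover the data key for one session; fail closed on a wrong credential."""
    k = _derive(credential, token["salt"])
    expected = hmac.new(k[32:], token["salt"] + token["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, token["tag"]):
        raise ValueError("credential does not open this token")
    return bytes(a ^ b for a, b in zip(token["wrapped"], k[:32]))


def change_credential(token: dict, old: str, new: str) -> dict:
    """Re-wrap the same data key; the stored data never has to be re-encrypted."""
    return wrap_key(unwrap_key(token, old), new)


if __name__ == "__main__":
    customer_key = os.urandom(32)                          # constructed per-customer data key
    token = wrap_key(customer_key, "s3ssion-passphrase")   # constructed credential
    assert unwrap_key(token, "s3ssion-passphrase") == customer_key
    rotated = change_credential(token, "s3ssion-passphrase", "new-passphrase")
    assert unwrap_key(rotated, "new-passphrase") == customer_key
    print("token opens only with the customer credential")
```

Because the token alone never yields the data key, a lost credential cannot be reset by the provider, which is the weakness the key-model comparison lists for this approach.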
20.
Authentication Controls (AD, SSO)
Configurable Group Policies (Data Access, Sharing, Visibility)
Full Admin and End-User Audit Trails
SaaS Layer
Application
Addressing Enterprise Data Protection Requirements
SaaS Provider Security Approach
Global Deduplication (unique blocks) &
Metadata Separation (data is dereferenced)
PaaS Layer
(DynamoDB)
S3 Buckets, Data Scrambling via Envelope Encryption
Block-Only Object Storage
IaaS / Storage Layer
(EC2, S3, Glacier)
21.
Lastly, Be Sure Data Privacy is Being Addressed
Regional
Employee
Corporate
Scenario
22.
Addressing Regional Data Regulations
• 11 admin-selectable data storage regions, data
stays within the region
• Administrator segregation and delegation with
pre-defined granular access rights
• No ability for vendor to access key or stored data
Corporate Privacy
Regional Management
• Data residency
• Local administration
• Data Storage Privacy
23.
Walls for Corporate Data Privacy
• Policy group settings for classes via AD
(Officers, Legal, …) restrict data visibility
• Full data auditing for compliance response for
PHI & PII
• Proactive monitoring based on data
classifications
Corporate Privacy
Material Data
• Officer data shielding
• Compliance auditing
• Tracking + monitoring
24.
Protecting Employee Privacy
• End-user privacy controls either by policy or
opt-out feature (no admin data visibility)
• Containerization on mobile devices, extendable
via MDM (MobileIron)
• Exclusionary settings for backup and collection
process
• Admin visibility to audit trails restricted via policy
Employee Privacy
• Privacy controls
• Data segregation
• Corporate visibility
25.
Scenario-based Privacy
• Delegated roles for compliance and legal
counsel
• Full data and audit trail access for compliance,
investigation and litigation requirements
Scenario / Exceptions
• Compliance audits
• Investigations
• eDiscovery collection
26.
Key Takeaways
• Be sure to check the certifications and how they apply to the overall stack: just because the IaaS/PaaS is certified doesn’t mean the SaaS layer is.
• For data residency, ensure your cloud data isn’t moving around to non-compliant locations; have the vendor sign an agreement and show a documented ability to comply.
• Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.
• Data privacy laws are still emerging and tend to be ambiguous. The best place to get the answers to stay compliant is your legal team; don’t guess.