Vendors are lured by visions of long-term residual subscription income, while customers dream of IT services and software without significant upfront costs. Sounds like techno Shangri-La, but what of security? Pessimists warn us away from the Cloud on the grounds that we should maintain control over the security of our property. Those bullish on the Cloud argue, often delusionally, that your data is safer in the Cloud than on your own hard drives. Make no mistake: the Internet is the lion's den, and the Cloud sits squarely in it. This session will discuss the security realities of traditional IT software and infrastructure, and contrast them with those of Cloud-based resources.
2. The Cloud Beckons, But is it Safe?
#12NTCCSec
Laura Quinn
Michael Enos
3. Evaluate This Session!
Each entry is a chance to win an NTEN engraved iPad!
or Online at www.nten.org/ntc/eval
4. Introductions
Laura Quinn
Executive Director
Idealware
Michael Enos
Chief Technology Officer, Second Harvest Food Bank of Santa Clara and San Mateo Counties
What are you hoping to get out of this session?
11. Under Siege
To be on the Internet is to be vulnerable to attack.
If you’re on the Internet, you’re in The Cloud.
12. But We Do Lots of Things on the Internet
We shop online
We bank online
We post crazy things on Facebook
Why is the cloud different? It’s not.
13. How Secure is Your On-Site Data?
Do any of these sound familiar?
• No one patches computers or is responsible for network security
• You haven’t really thought about passwords or permissions
• No disaster recovery plans
• Staff hasn’t had any security training
14. Myth
“We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”
15. Fact
Many data security breaches are crimes of opportunity.
Organizations don’t always consider the sensitivity of their data until it’s exposed.
26. Cloud Security
The use of the term “Cloud” is cloudy!
Three general types of clouds:
– Software-as-a-Service
– Hosted Private Cloud
– Co-located Private Cloud
All three have different security models.
27. Software as a Service
The vendor owns and manages all aspects of the environment: hardware, network, operating system and the application itself. You get a login; everything below it is the vendor’s responsibility.
28. Hosted Private Cloud
The vendor owns and manages the equipment only, but all software (operating system, patches, applications) is managed by the client. The equipment is on the vendor’s network.
29. Co-located Private Cloud
The vendor provides the physical environment only (space, power, cooling and connectivity in a data center); the client owns and maintains both the hardware and the software.
31. Rules for Absolute Safety
Turn off your Internet connection.
Allow no one access to your data and systems.
But let’s be realistic…
32. Know What You’re Protecting
What kinds of data are you storing, and how sensitive are they?
Think about its value on the open market.
33. Red Flags
You need extremely tight security to store:
• Donors’ credit card numbers.
• Scanned images of checks.
• Donors’ bank account information.
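The “discovery” exercise behind slides 32 and 33 (find out what sensitive data you actually hold) can be partly automated. The script below is an added example written for this page, not code from the presenters: it walks a directory tree, looks for card numbers and Social Security numbers, and applies the Luhn checksum so that order IDs and phone numbers that merely look like card numbers are not reported. The sample files it creates are constructed; the card numbers are well-known test numbers and the names and paths are made up.

```python
import re
import tempfile
from pathlib import Path

# Loose candidate patterns; the Luhn check below weeds out most false positives
# such as phone numbers and order IDs that merely look like card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters so the report itself is not sensitive."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_sensitive(text: str) -> dict:
    """Return masked card numbers and SSNs found in a block of text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            cards.append(mask(digits))
    ssns = [mask(m.group()) for m in SSN_RE.finditer(text)]
    return {"cards": cards, "ssns": ssns}


def scan_tree(root: Path) -> dict:
    """Walk a directory and report, per file, any sensitive values found."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="ignore")   # undecodable bytes are dropped
        except OSError:
            continue                                 # unreadable file: skip, keep going
        hits = find_sensitive(text)
        if hits["cards"] or hits["ssns"]:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree() -> Path:
    """Create a throwaway directory of constructed sample files (no real data)."""
    root = Path(tempfile.mkdtemp(prefix="discovery-"))
    (root / "donors.csv").write_text(
        "name,card,notes\n"
        "A. Donor,4111 1111 1111 1111,recurring gift\n"   # public Visa test number
        "B. Donor,4242-4242-4242-4242,\n"                 # public Visa test number
    )
    (root / "hr").mkdir()
    (root / "hr" / "staff.txt").write_text("Jane Doe SSN 123-45-6789 hired 2011\n")
    # Looks like digits but is not a card: fails Luhn / too short.
    (root / "orders.log").write_text("Order 1234567890123 shipped\nCall 555-123-4567\n")
    return root


if __name__ == "__main__":
    for name, hits in scan_tree(build_sample_tree()).items():
        print(name, hits)
```

Run it against a real file share by replacing `build_sample_tree()` with the share’s path. The masked output tells you where card data and SSNs live without copying the values into yet another file.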
34. What’s Your Exposure?
Consider the impact of exposure of your confidential information, both in monetary terms and reputation.
35. What’s The Impact of an Outage?
How much staff time could you lose from a short term or prolonged outage?
36. Testing Your On-Site Security
Have you recently performed a:
• Check on whether your systems have been patched?
• Systems penetration test?
• Employee training on security procedures?
• Backup/recovery test?
If not, you’d likely increase your security by moving to a reputable cloud vendor that does these things routinely.
42. Access Controls
• Ensuring the right people have access to the right data
• Physical access to the server
• Training on appropriate passwords and security measures
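Slide 42’s first point, and the integrity example in the speaker notes (someone changes their own salary because everyone shares one login and nothing is recorded), come down to three things: individual logins, a role check before the change, and an audit record of every attempt. The Python below is an added example written for this page, not the presenters’ code; the payroll data, logins and roles are constructed.

```python
from datetime import datetime, timezone


class Payroll:
    """Salary records with per-user logins, a role check and an append-only audit trail."""

    def __init__(self, salaries, roles):
        self.salaries = dict(salaries)   # employee -> annual salary
        self.roles = dict(roles)         # login -> role ("hr" or "staff")
        self.audit = []                  # one entry per attempt, allowed or not

    def _log(self, action, actor, employee, **details):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "employee": employee, **details,
        })

    def change_salary(self, actor, employee, new_salary):
        """Change a salary only if `actor` is an HR login editing someone else's record."""
        role = self.roles.get(actor)
        if role is None:
            self._log("denied", actor, employee, reason="unknown login")
            raise PermissionError(f"{actor!r} is not a known login")
        if role != "hr":
            self._log("denied", actor, employee, reason=f"role {role} may not edit salaries")
            raise PermissionError(f"{actor!r} ({role}) may not edit salaries")
        if actor == employee:
            # Separation of duties: even HR cannot edit its own record.
            self._log("denied", actor, employee, reason="self-edit")
            raise PermissionError(f"{actor!r} may not edit their own salary")
        if employee not in self.salaries:
            raise KeyError(employee)
        old = self.salaries[employee]
        self.salaries[employee] = new_salary
        self._log("changed", actor, employee, old=old, new=new_salary)
        return old


def shared_login_change(salaries, employee, new_salary):
    """The 'everyone logs in as office' model: no check, and no record of who acted."""
    salaries[employee] = new_salary


def demo() -> Payroll:
    """Constructed sample data; names and figures are made up."""
    p = Payroll(salaries={"ann": 70000, "bob": 60000},
                roles={"ann": "hr", "bob": "staff"})
    for actor, employee, amount in [("bob", "bob", 99000),    # staff editing own salary
                                    ("ann", "bob", 62000),    # HR raising a colleague
                                    ("ann", "ann", 99000)]:   # HR editing own salary
        try:
            p.change_salary(actor, employee, amount)
        except PermissionError:
            pass                                              # denial is already logged
    return p


if __name__ == "__main__":
    p = demo()
    for entry in p.audit:
        print(entry)
    print(p.salaries)
```

The point of logging the denied attempts as well as the successful ones is accountability: with a shared login, `shared_login_change` leaves you with a new number and no way to say who typed it.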
43. Data Protection
• Data encryption
• Solid backup and restore policies
• Ability to purge deleted data
• How they handle government subpoenas for your data (no vendor can refuse a valid one, but ask whether they will notify you and what they will hand over)
45. Description of Security Mechanisms
Documentation of all the facets of security, and staff who can talk about it intelligently.
This proves information security is on the “front burner”.
46. Uptime
Do they provide any guarantee of uptime? Any historic uptime figures?
Uptime figures are typically quoted in 9s: 99%, 99.9% or 99.99%. Over a year those allow roughly 3.65 days, 8.8 hours and 53 minutes of downtime respectively, so one extra 9 matters.
Your connection to the Internet may well be the weakest link.
47. Regulatory Compliance: HIPAA
Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
48. Regulatory Compliance: SAS 70 and SSAE 16
Audits of security standards, hardware, and processes.
Statement on Auditing Standards No. 70 (SAS 70)
Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
49. Regulatory Compliance: PCI DSS
If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Data Security Standard).
51. Understand the Value of Your Data
What is it worth to you? To others?
What measures are appropriate to protect it?
52. Your Data Is No Safer Than You Make It
Any computer attached to the Internet is vulnerable unless you protect it.
The cloud isn’t, in and of itself, more or less secure.
53. But Many Vendors Make Your Data Really Safe
Choose vendors who show they’re serious about data protection (not all vendors are created equal).
Consider a vendor’s regulatory compliance.
Those were examples that illustrate that the Internet itself is a dangerous place. Yet who would give up their Internet connection?
If you shop and bank online, and share personal info via social media, you already use the cloud. You probably trust your bank and online merchants like Amazon because you believe they have the capability and the incentive to protect your information. You probably also realize that “free” social media vendors make money by selling information about you.
Here are some vulnerabilities that apply to all systems connected to the Internet, including systems in the cloud. Reputable cloud vendors have significant resources and teams of computer and security specialists devoted to maintaining the security of the data they handle. They can be far better positioned to protect your data than you are.
People target systems for attack when they know those systems hold valuable information, like account numbers, Social Security numbers and the like: things that nonprofits don’t typically have. Hackers after fame are more likely to attack big ACME Bancorp, International, than a community food bank’s systems. This means your risk of a targeted attack is lower than that of some big company, but it doesn’t mean you’re safe.
Cyber crime is often the computer equivalent of trying front doors until you find an unlocked house. IMPORTANT: Payment information SHOULD NOT be stored on your systems. If you hold donors’ credit card data for recurring payments, move to a reputable payment processing vendor, then delete this information. Thieves can’t steal data that you don’t have.
If you have no full time IT and your server lives in a broom closet, your data is not likely secure.
Information security boils down to three areas (confidentiality, integrity and availability), plus privacy.
Integrity: you know whether data has been tampered with. Example: someone goes in and changes their own salary, because everyone has access, there is no accountability and no individual login.
Availability: attacks that make systems unreachable, such as DNS attacks, are among the most common; the systems you depend on have to be reliable.
If you avoid automobiles, you’ll never be in a car accident. But you won’t get very far, either. Avoiding the Internet will cut your information security risk, but your productivity will be set back a few decades. There are ways to maximize information security, but you can’t entirely eliminate risk.
This kind of “discovery” exercise is important. You may find that the data you think you have differs from what you actually have. Maybe you have sensitive data that you’re not aware of. Secret Service level security might not be warranted, but it’s good to know what protection is appropriate. How old is your server? Is it near the end of its life? What would you do if it crashed tomorrow? Can someone just walk up to your server? Do they need to log in? Is the admin password “letmein”?
Don’t keep financial information related to donors on your system. Thieves can’t steal data you don’t have, and there’s no reason for you to take on the risk of handling such sensitive information. Better to outsource to a payment vendor that is PCI DSS compliant and whose business is securing this information.
Might the exposure of donor data hurt your ability to raise money in the future? What if that “anonymous” major donor was outed? What would be the financial impact if you couldn’t access key systems (wasted staff hours, missed fundraising opportunities, etc.)?
If data and systems are in house, what are you doing to protect them? Could a cloud vendor do a better job than you can? A systems penetration test tries what an attacker would: cracking or guessing passwords, social engineering, and known vulnerabilities in unpatched software. Also review your information handling and protection procedures: policies for changing passwords, and what you do with the accounts of users who have left.
The greater the depth of security measures, the longer a potential attacker will be delayed and the more chances you have to notice. This is important.
Computer intrusion detection and prevention systems alert you to possible system breaches (detection) and try to thwart them (prevention). They look for abnormal patterns and alert someone. For small organizations they can do more harm than good, because of the volume of false positives; a data center will have a dedicated intrusion specialist to sift through them. Firewalls attempt to block entry to your systems by malicious people and traffic: they let traffic in and out according to rules, and while HTTP is generally open there are rules that help with attacks. Anti-virus software helps prevent malware from installing on your systems, and attempts to clean existing infections.
Websites use security certificates to encrypt data while in transit *and* to verify to you that the URL belongs to the organization you think it belongs to. Other encrypted channels: secure FTP rather than plain FTP, PGP for files and mail, and a VPN, which is an encrypted tunnel between two trusted partners. https rather than http indicates that the site you’re using has a certificate and is encrypting the data you send. Newer browsers let you click an icon near the URL (a picture of a lock in the case of Chrome) to show information on the encryption used and the site’s owner.
Stolen data is of little use if it’s encrypted. Understand what is recoverable from backups, and how: disaster recovery backups do not necessarily mean that you’ll be able to restore data you accidentally overwrote. Business continuity and disaster recovery are separate questions to ask the vendor.
Designed to protect private health related data, but HIPAA compliance can speak well of how other sensitive data is handled.
These audits are performed by CPA firms and verify that a vendor has procedures in place that allow it to meet standards for handling sensitive data and for meeting regulatory requirements like HIPAA. SSAE 16 is the newer audit standard and is slowly replacing SAS 70; SSAE 16 is more internationalized than SAS 70.
Provides guidance on how debit and credit card information should be handled. Especially relevant for payment processing vendors that handle online donations.