Cloud Storage and Security: Solving Compliance Challenges
-
Upload
eric-vanderburg -
Category
Technology
-
view
123 -
download
0
Transcript of Cloud Storage and Security: Solving Compliance Challenges
CLOUD STORAGE & SECURITY:SOLVING COMPLIANCE CHALLENGES
MEET THE PANEL
Director, Information Systems and
Security, Jurinnov LLC
Eric Vanderburg Partner, DLA
Piper
Giulio Coraggio
Presenters
Director of Cloud & Data
Center Erasure
Solutions, Blancco
Technology Group
Fredrik Forslund
Moderator
WHAT WE’LL EXPLOREThe Realities & Pain Points of Storing Data in the Cloud
How, Where & When Cloud Security Could Be Compromised
Navigating Through Legal & Regulatory Compliance
What to Consider in Deploying the RightCloud Storage Strategy
Recommendations to Store, Manage & Protect Data in the Cloud
THE REALITIES & PAIN POINTS OF STORING DATA IN THE CLOUD
Source: SkyHigh Q4 2015 Cloud Report
15.8% OF FILES IN THE CLOUD CONTAIN SENSITIVE DATA
6
Source: SkyHigh Q4 2015 Cloud Report
SENSITIVE DATA
7.6%
2.3%
1.6% Protected Health Information
Payment Data Documents in File Sharing Services
Personally Identifiable Information
4.3%
MANAGING DATA IN THE CLOUD IS
COMPLICATED & TOUGH
7
Organizations that experienced breaches in the cloud cited malware as the top private cloud attack vector
Cloud Breaches
33%
Cite unauthorized access to data from other tenants as the most pressing concern with public cloud deployments
Unauthorized Access
40%
Store or process sensitive data in the cloud
Sensitive Data
40%
Do not currently have visibility into their public cloud providers’ operations
Lack of Visibility
33%
*Source: SANS Institute, ‘Orchestrating Security in the Cloud’ Paper, 2015
Webinar Audience Poll
Question: What type of cloud strategy does your business implement?
Responses: • Private• Public• Hybrid• I don’t know
Hybrid Cloud
More scalable than private
Requires some higher upfront costs
More control over data flows
Private Cloud
High degree of controlHigher upfront costsMore difficult to scale
Public Cloud
Highly scalablePay for what you useEasy to deploy and
manage
MANY CLOUD STRATEGIES TO CHOOSE
HOW, WHERE & WHEN CLOUD SECURITY COULD BE COMPROMISED
Webinar Audience Poll
Question: Has your company suffered a cloud data breach in the last 12 months?
Responses: • Yes• No• I don’t know
INTERNAL & EXTERNAL THREATS CAN’T BE IGNORED
Source: SkyHigh Q4 2015 Cloud Report
WHEN/WHERE IS DATA MOST AT RISK?
During Data Migration
During Data Use or Storage
Data End-of-Life Equipment End-of-Life
NAVIGATING THROUGH LEGAL & REGULATORY COMPLIANCE
15
ENTERPRISE BUSINESSES MUST GET ON BOARD
National Data Protection Law
EU Data Protection
Regulation 2015
Right to be Forgotten
ISO Standard 27001, 27040
etc.
Sarbanes-Oxley
HIPAA (Health Insurance Portabiltiy
and Accountability
)
Credit Card Industry PCI-
DSS
0102
03
04
ISO/IEC 27001: SETTING THE BAR HIGH FOR SECURITY STANDARDS
16
TOP MANAGEMEN
TMust implement
information security policy
themselves
RISK MANAGEMEN
TRelevant
security risks should be
addressed and mitigated
INTERNAL AUDITS
Must verify all security risks
have been addressed and
operational processes are
set
DATA REMOVAL
Sensitive data and licensed
software must be securely
removed prior to disposal or
reuse
ISO 27018: PROTECTION OF PRIVACY &
PERSONAL DATA IN THE CLOUD
17
Home PCPush SyncBack Up All
Files
Work Laptop
Push SyncWork Files
Notebook
Smart Sync
Select Files
TabletSync LocalStream the
Rest
Smartphone
Sync a FewStream the
Rest
!My
Documents
My Photos
My Music
My Work Files
Special Project
Webinar Audience Poll
Question: How Prepared Is Your Organization for GDPR?
Responses: • Fully Prepared • Somewhat Prepared • Early Preparation Stages • Unprepared• Don’t Know
Source: ‘EU GDPR: A Corporate Dilemma’, Blancco Technology Group, 2016
Somewhat Prepared; Still
Need to Find Right Data Removal
Software
Fully Prepared (Established
Processes, Policies & Technology)
Unprepared; Don’t Know
How or Where to Start
Don’t Know
On Right Track (Currently Researching
& Developing Processes/Policies
WHAT CHANGES WITH THE GENERAL DATA
PROTECTION REGULATION?
20
New Sanctions for Violations & Breaches New Liabilities for Cloud Providers
New Obligations/ Protections
Environmental Protection
Physical Protection
Network Protection
Hardware Protection
Breach Notification
Secure Communications
Computing Security
DATA PROTECTION REGULATION CONSIDERATIONS
Right to be Forgotten
WHAT TO CONSIDER IN DEPLOYING THE RIGHT CLOUD STORAGE STRATEGY
CAPACITY PLANNING• Pre-allocate = Low ROI with
unused space• Grow as you need =
Inconsistent IT spending and potentials for compromise
BACKUP AND RECOVERY• Archiving costs (equipment and
time)• Offsite storage or offsite location• Testing and validation
PRIVATE CLOUD STORAGE HURDLES
DIRECT CAPITAL
EXPENDITURE
MAINTAINENCE AND SUPPORT
ADEQUATE DUE DILIGENCE ON CLOUD PROVIDER AND CONTRACT NEGOTIATION
25
DATA MANAGEMENT CONSIDERATIONS
Specialized Skills
Sets Required
Data Analytics
Data Inventory
Future Scalability
into Hybrid Cloud
Cloud Software
Customization
RECOMMENDATIONS TO STORE, MANAGE & PROTECT DATA IN THE CLOUD
27
Know Your Vendors
Evaluate Cost Benefits
Implement Industry Standards
Prepare for Future (Scalability, Technology, Security)
Establish a Way to Measure ROI
THINGS TO REMEMBER WHEN STORING, MANAGING &
PROTECTING DATA IN THE CLOUD
DATA LIFECYCLE IN THE CLOUD
3. Data Use/Storage
5. Data End-Of-Life
1. Data Creation& Classification
6. Decommissioning of Device/Server
4. Data at Rest
2. Data Migration
Q&A
CONTENT YOU MAY FIND USEFUL:“Cloud & Data Center Erasure: Why Delete Doesn’t Suffice”:
http://www2.blancco.com/en/white-paper/cloud-and-data-center-erasure-why-delete-doesnt-suffice
“The Information End Game: What You Need to Know to Protect Corporate Data Throughout its Lifecycle”: http://www2.blancco.com/en/white-paper/the-information-end-game-what-you-need-to-know-to-protect-corporate-data
“Data Storage Dilemmas & Solutions”:
http://www.slideshare.net/BlanccoTechnologyGroup/data-storage-dilemmas-solutions
“EU GDPR: A Corporate Dilemma”: http://www2.blancco.com/EU-GDPR-Corporate-Dilemma-Research-Study
Blancco Technology Group is a leading, global provider of mobile device diagnostics and secure data erasure solutions. We help our clients’ customers test, diagnose, repair and repurpose IT devices with the most proven and certified software. Our clientele consists of equipment manufacturers, mobile network operators, retailers, financial institutions, healthcare providers and government organizations worldwide. The company is headquartered in Alpharetta, GA, United States, with a distributed workforce and customer base across the globe.
DLA Piper is a global law firm with lawyers in the Americas, Asia Pacific, Europe, Africa and the Middle East, positioning us to help companies with their legal needs around the world. We strive to be the leading global business law firm by delivering quality and value to our clients. We achieve this through practical and innovative legal solutions that help our clients succeed. We deliver consistent services across our platform of practices and sectors in all matters we undertake.Our clients range from multinational, Global 1000, and Fortune 500 enterprises to emerging companies developing industry-leading technologies. They include more than half of the Fortune 250 and nearly half of the FTSE 350 or their subsidiaries. We also advise governments and public sector bodies.
JURINNOV works with IT and legal departments in a wide variety of industries and sectors. We become a link, an extension of both departments. We help them adopt the most current standards and tools. We help companies better manage and track electronic information, uncover evidence, plan for data recovery, and relax a little bit like in the good old days when everything was filed neatly in its place.
ABOUT US