Security and privacy of cloud data: what you need to know (Interop)
Transcript of Security and privacy of cloud data: what you need to know (Interop)
Security & Privacy of Cloud Data What You Need to Know
Dave Packer, Vice President Product Marketing April, 2015
2 Data Protection and Governance at the Edge
“Druva has been a phenomenal answer to Dell for protecting our data”
About Druva
Company
• Fastest growing data protection and governance company
• Over 3,000 customers
• Protecting 3.0m+ endpoints globally
Ranked #1 by Gartner two years running
Data Protection 2014
Brad Hammack IT Emerging Technologies
Dramatic Shift in Cloud Adoption
2013
75% 25%
2014
20% 80%
The Global Hurdles of Cloud Adoption
• PRISM
• Sectoral Regulations
  o HIPAA, FINRA, GLBA, COPPA, …
• Evolving Global Privacy Regulations
  o EU, Germany, France, Russia, …
• Microsoft vs. United States
• Dropbox Transparency Report
http://dlapiperdataprotection.com/
But there’s the flip-side of the coin
• Almost all major breaches in 2014 were against on-premise systems
• Breaching the firewall can mean all systems become vulnerable (Sony)
• Breach attributions
  o Malicious outsider: 50%
  o Accidental loss / misplace: 25%
  o Malicious Insider: 15%
Other People’s Data the Top Concern
What type of data is the most sensitive to your business?
• We do not have sensitive business data: 1%
• Planning and strategy documents: 18%
• Payroll: 19%
• Unregulated customer data (emails, order history, etc.): 22%
• Accounting and financial: 33%
• Intellectual property: 37%
• Personal employee information (SSNs, phone numbers, etc.): 41%
• Password or authentication credentials: 46%
• Regulated customer data (credit cards, health records, etc.): 52%
In your opinion, which environment has better data security / privacy controls?
Cloud Security + Privacy Opinion is Changing
On premises 65%
Cloud 35%
http://techcrunch.com/2015/04/04/the-cloud-could-be-your-best-security-bet/?ncid=txtlnkusaolp00000629#.z48jaw:4RNJ
• The difference between 1 security team and 1000’s of security teams
• Data durability / resiliency and replication
• Expanding regional coverage
• However, you do need to scrutinize your cloud provider stack
Common Cloud Security/Privacy Concerns
• Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified?
• Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?
• Data Residency: What are the regional, cross-geography data controls?
• Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
• SaaS Security: What certifications and security controls does the SaaS provider have in place?
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
As a Cloud Provider, Security = Survival
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
Facilities Physical security
Physical infrastructure Network infrastructure
Virtualization infrastructure
IaaS PaaS
Distributed Denial Of Service (DDoS) Attack
Man In the Middle (MITM) Attack
Port Scanning
Packet sniffing by other tenant
IP Spoofing
Firewall security groups
Vulnerability testing
Continuous Network Monitoring and Response
• Protects customer data from network attacks:
  o Intercepting in-transit data
  o System breaches
  o Blocking/disrupting services
AWS Global Footprint
• >1 million active customers across 190 countries
• 900+ government agencies
• 3,400+ educational institutions
• 11 regions, including ITAR-compliant GovCloud and the new region in Germany
• 28 availability zones
• 53 edge locations
SaaS Provider Needs to Build the Proper Controls
• ✔ Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified?
• Data Security: How is the data encrypted in transit and stored at-rest
• Data Residency: What are the regional, cross-geography data controls?
• Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?
• SaaS Security: What certifications and security controls does the SaaS provider have in place?
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level
IaaS Infrastructure: Compute + Storage
PaaS Distributed Database Services
SaaS Application Services
• Druva Certifications & Audits
  o ISAE-3000
  o TRUSTe certified privacy
  o EU Safe Harbor
  o HIPAA Audited
• Regular VAPT Testing (White Hat)
• SkyHigh CloudTrust program partner
• Audits renewed annually
ISAE 3000 TRUSTe EU Safe Harbor
HIPAA BAA Skyhigh
Enterprise-Ready
Addressing Enterprise Data Protection Requirements
Understand How Your Data is Stored
S3 Buckets, Data Scrambling via Envelope Encryption Blocks-Only into Object Storage
IaaS / Storage Layer (EC2, S3, Glacier)
SSL
Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
PaaS Layer (DynamoDB)
256 AES
Data
Metadata
Encryption Key Models Vary Extensively
Management Method / Strength / Weakness
Keys Stored with Data
  Strength: Simple
  Weakness: Provider access; System wide breach potential; Consumer designed
Keys Stored in Escrow
  Strength: No provider direct access
  Weakness: Still accessible w/ subpoena, warrant, court order; Key rotation, management may be needed
Key Server Keys Stored On-premise
  Strength: Secure, no provider access
  Weakness: On-premise hardware, must be managed; Introduces system-wide failure point
Envelope Key encrypted in cloud
  Strength: Secure, inaccessible by vendor; No key management; Session based key
  Weakness: No access = provider can’t reset client key
Envelope Key Management & Encryption
• Works like a bank safety-deposit box
  o Unique encryption key generated per customer
  o Key itself is encrypted with customer credentials and stored as a token
• The key itself is inaccessible by anyone
  o Only exists during the client session
  o Never leaves the system
  o Removes the need for key management
• Druva cannot access/decrypt customer data with stored token
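The envelope model described above (a per-customer key, wrapped under a key derived from the customer credential and kept only as a token), as an added Go example that is not Druva's code. PBKDF2-HMAC-SHA256, AES-256-GCM, the iteration count, the token layout and the names kekCipher, NewToken and OpenToken are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kekCipher: PBKDF2-HMAC-SHA256(credential) -> KEK -> AES-256-GCM (assumed choices).
func kekCipher(credential string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(credential))
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1))
	u := mac.Sum(nil)
	kek := append([]byte{}, u...)
	for i := 1; i < 100000; i++ { // iteration count is an assumed value
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range kek {
			kek[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(kek) // cannot fail: kek is always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// NewToken returns a data key and the stored token: salt | nonce | GCM(KEK, data key).
func NewToken(credential string) (dataKey, token []byte) {
	r := make([]byte, 60) // salt(16) | nonce(12) | data key(32), all random
	rand.Read(r)
	return r[28:], kekCipher(credential, r[:16]).Seal(r[:28:28], r[16:28], r[28:], nil)
}

// OpenToken recovers the data key; a wrong credential or altered token fails GCM auth.
func OpenToken(credential string, token []byte) ([]byte, error) {
	if len(token) < 28 {
		return nil, errors.New("token too short")
	}
	return kekCipher(credential, token[:16]).Open(nil, token[16:28], token[28:], nil)
}

func main() {
	key, token := NewToken("constructed-credential")
	got, err := OpenToken("constructed-credential", token)
	println(string(got) == string(key), err == nil)
}
```

Only the token is stored, so whoever holds it without the credential cannot recover the data key. The same property means a lost credential leaves the token unopenable, which is the "provider can't reset client key" weakness in the key-model comparison.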
Addressing Enterprise Data Protection Requirements
SaaS Provider Security Approach
Authentication Controls (AD, SSO)
Configurable Group Policies (Data Access, Sharing, Visibility)
Full Admin and End-User Audit Trails
SaaS Layer Application
Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)
PaaS Layer (DynamoDB)
S3 Buckets, Data Scrambling via Envelope Encryption Block-Only Object Storage
IaaS / Storage Layer (EC2, S3, Glacier)
Addressing Regional Data Regulations
• 11 admin-selectable data storage regions, data stays within the region
• Administrator segregation and delegation with pre-defined granular access rights
• No ability for vendor to access key or stored data
Corporate Privacy Regional Management
• Data residency
• Local administration
• Data Storage Privacy
Walls for Corporate Data Privacy
• Policy group settings for classes via AD (Officers, Legal, …) restrict data visibility
• Full data auditing for compliance response for PHI & PII
• Proactive monitoring based on data classifications
Corporate Privacy Material Data
• Officer data shielding
• Compliance auditing
• Tracking + monitoring
Protecting Employee Privacy
• End-user privacy controls either by policy or opt-out feature (no admin data visibility)
• Containerization on mobile devices, extendable via MDM (MobileIron)
• Exclusionary settings for backup and collection process
• Admin visibility to audit trails restricted via policy
Employee Privacy
• Privacy controls
• Data segregation
• Corporate visibility
Scenario-based Privacy
• Delegated roles for compliance and legal counsel
• Full data and audit trail access for compliance, investigation and litigation requirements
Scenario / Exceptions
• Compliance audits
• Investigations
• eDiscovery collection
Key Takeaways
• Be sure to check the certifications and how they apply to the overall stack; just because the IaaS/PaaS is certified doesn’t mean the SaaS layer is.
• For data residency, ensure your cloud data isn’t moving around to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.
• Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.
• Data privacy laws are still emerging and tend to be ambiguous; the best place to get the answers to stay compliant is working with your legal team. Don’t guess.
Questions?
www.druva.com
Thank You!
The Leader in Data Protection and Governance at the Edge