Security and privacy of cloud data: what you need to know (Interop)

Security & Privacy of Cloud Data What You Need to Know Dave Packer, Vice President Product Marketing April, 2015


2 Data Protection and Governance at the Edge

“Druva has been a phenomenal answer to Dell for protecting our data”

About Druva

Company

•  Fastest growing data protection and governance company
•  Over 3,000 customers
•  Protecting 3.0m+ endpoints globally

Ranked #1 by Gartner two years running

Data Protection 2014

Brad Hammack IT Emerging Technologies


inSync Efficient Endpoint Backup to the Cloud


Dramatic Shift in Cloud Adoption

2013

75%  25%  

2014

20%  80%  


The Global Hurdles of Cloud Adoption

•  PRISM

•  Sectoral Regulations
o  HIPAA, FINRA, GLBA, COPPA, …

•  Evolving Global Privacy Regulations
o  EU, Germany, France, Russia, …

•  Microsoft vs. United States

•  Dropbox Transparency Report http://dlapiperdataprotection.com/


2015: The Top Security Challenges

Source: 451 Group – Wave 8 Report 2015 (preliminary note)


But there’s the flip-side of the coin

•  Almost all major breaches in 2014 were against on-premise systems

•  Breaching the firewall can mean all systems become vulnerable (Sony)

•  Breach attributions
o  Malicious outsider: 50%
o  Accidental loss / misplace: 25%
o  Malicious Insider: 15%


Other People’s Data the Top Concern

What type of data is the most sensitive to your business?

•  We do not have sensitive business data: 1%
•  Planning and strategy documents: 18%
•  Payroll: 19%
•  Unregulated customer data (emails, order history, etc.): 22%
•  Accounting and financial: 33%
•  Intellectual property: 37%
•  Personal employee information (SSNs, phone numbers, etc.): 41%
•  Password or authentication credentials: 46%
•  Regulated customer data (credit cards, health records, etc.): 52%


Cloud Security + Privacy Opinion is Changing

In your opinion, which environment has better data security / privacy controls?

•  On premises: 65%
•  Cloud: 35%


http://techcrunch.com/2015/04/04/the-cloud-could-be-your-best-security-bet/?ncid=txtlnkusaolp00000629#.z48jaw:4RNJ

•  The difference between 1 security team and 1000’s of security teams

•  Data durability / resiliency and replication

•  Expanding regional coverage

•  However, you do need to scrutinize your cloud provider stack


Common Cloud Security/Privacy Concerns

•  Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified?

•  Data Security: How is the data encrypted in transit and stored at-rest? What is the durability of the data?

•  Data Residency: What are the regional, cross-geography data controls?

•  Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?

•  SaaS Security: What certifications and security controls does the SaaS provider have in place?

IaaS Infrastructure: Compute + Storage

PaaS Distributed Database Services

SaaS Application Services


As a Cloud Provider, Security = Survival

•  SOC 1, SOC 2 & SOC 3
•  ISO 27001
•  PCI Level 1
•  FedRAMP
•  AWS GovCloud (US)
•  MPAA best practices alignment

Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …

Facilities Physical security

Physical infrastructure Network infrastructure

Virtualization infrastructure

IaaS  PaaS  


Distributed Denial Of Service (DDoS) Attack

Man In the Middle (MITM) Attack

Port Scanning

Packet sniffing by other tenant

IP Spoofing

Firewall security groups

Vulnerability testing

Continuous Network Monitoring and Response

•  Protects customer data from network attacks:
o  Intercepting in-transit data
o  System breaches
o  Blocking/disrupting services


AWS Global Footprint

•  >1 million active customers across 190 countries

•  900+ government agencies

•  3,400+ educational institutions

•  11 regions, including ITAR-compliant GovCloud and the new region in Germany

•  28 availability zones

•  53 edge locations


SaaS Provider Needs to Build the Proper Controls

•  ✔ Infrastructure Security: Where is the infrastructure? How is it controlled and to what extent certified?

•  Data Security: How is the data encrypted in transit and stored at-rest?

•  Data Residency: What are the regional, cross-geography data controls?

•  Data Privacy: What controls are in place to provide ethical walls? What data can my SaaS provider access?

•  SaaS Security: What certifications and security controls does the SaaS provider have in place?

IaaS Infrastructure: Compute + Storage

PaaS Distributed Database Services

SaaS Application Services


Most IaaS/PaaS Certifications Don’t Pass to the SaaS Level

IaaS Infrastructure: Compute + Storage

PaaS Distributed Database Services

SaaS Application Services

•  Druva Certifications & Audits
o  ISAE-3000
o  TRUSTe certified privacy
o  EU Safe Harbor
o  HIPAA Audited

•  Regular VAPT Testing (White Hat)

•  SkyHigh CloudTrust program partner

•  Audits renewed annually

ISAE 3000 TRUSTe EU Safe Harbor

HIPAA BAA Skyhigh

Enterprise-Ready


Addressing Enterprise Data Protection Requirements Understand How Your Data is Stored

S3 Buckets, Data Scrambling via Envelope Encryption Blocks-Only into Object Storage

IaaS / Storage Layer (EC2, S3, Glacier)

SSL  

Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)

PaaS Layer (DynamoDB)

256 AES

Data  

Metadata  


Encryption Key Models Vary Extensively

Management Method, with Strength and Weakness of each:

•  Keys Stored with Data
o  Strength: Simple
o  Weakness: Provider access; System wide breach potential; Consumer designed

•  Keys Stored in Escrow
o  Strength: No provider direct access
o  Weakness: Still accessible w/ subpoena, warrant, court order; Key rotation, management may be needed

•  Key Server Keys Stored On-premise
o  Strength: Secure, no provider access
o  Weakness: On-premise hardware, must be managed; Introduces system-wide failure point

•  Envelope Key encrypted in cloud
o  Strength: Secure, inaccessible by vendor; No key management; Session based key
o  Weakness: No access = provider can’t reset client key


Envelope Key Management & Encryption

•  Works like a bank safety-deposit box
o  Unique encryption key generated per customer
o  Key itself is encrypted with customer credentials and stored as a token

•  The key itself is inaccessible by anyone
o  Only exists during the client session
o  Never leaves the system
o  Removes the need for key management

•  Druva cannot access/decrypt customer data with stored token
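The envelope scheme on this slide, and the last row of the key-model comparison, sketched as an added example; it is not Druva's code and not part of the original deck. The scrypt KDF, AES-256-GCM wrapping, token layout and all function names are assumptions chosen for illustration.

```javascript
// Added illustration (not Druva's code). Assumed: scrypt as credential KDF, AES-256-GCM.
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('crypto');

// AES-256-GCM helpers; blob layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Wrap a data key under a key derived from the customer credential; returns the stored token.
function wrapKey(dataKey, password) {
  const salt = randomBytes(16);
  const kek = scryptSync(password, salt, 32);
  const token = { salt: salt.toString('hex'), wrapped: seal(kek, dataKey).toString('hex') };
  kek.fill(0);
  return token;
}

// Provisioning: a unique per-customer data key; only the token is ever persisted.
function createToken(password) {
  const dataKey = randomBytes(32);
  const token = wrapKey(dataKey, password);
  dataKey.fill(0);
  return token;
}

// Session start: the data key exists in memory only after the client authenticates.
function unwrapForSession(token, password) {
  const kek = scryptSync(password, Buffer.from(token.salt, 'hex'), 32);
  try {
    return unseal(kek, Buffer.from(token.wrapped, 'hex'));
  } catch {
    return null; // the stored token alone, without the credential, yields nothing
  } finally {
    kek.fill(0);
  }
}

// Credential change re-wraps the same data key, so stored blocks are not re-encrypted.
// Without the old credential there is nothing to re-wrap: the provider cannot reset the key.
function rewrap(token, oldPassword, newPassword) {
  const dataKey = unwrapForSession(token, oldPassword);
  return dataKey ? wrapKey(dataKey, newPassword) : null;
}
```

A data block would be encrypted with `seal(sessionKey, block)` during the session and the session key discarded when it ends.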


Authentication Controls (AD, SSO) Configurable Group Policies (Data Access, Sharing, Visibility)

Full Admin and End-User Audit Trails

SaaS Layer Application

Addressing Enterprise Data Protection Requirements SaaS Provider Security Approach

Global Deduplication (unique blocks) & Metadata Separation (data is dereferenced)

PaaS Layer (DynamoDB)

S3 Buckets, Data Scrambling via Envelope Encryption Block-Only Object Storage

IaaS / Storage Layer (EC2, S3, Glacier)


Lastly, Be Sure Data Privacy is Being Addressed

Regional   Employee  

Corporate   Scenario  


Addressing Regional Data Regulations

•  11 admin-selectable data storage regions, data stays within the region

•  Administrator segregation and delegation with pre-defined granular access rights

•  No ability for vendor to access key or stored data

Corporate Privacy Regional Management •  Data residency •  Local administration •  Data Storage Privacy


Walls for Corporate Data Privacy

•  Policy group settings for classes via AD (Officers, Legal, …) restrict data visibility

•  Full data auditing for compliance response for PHI & PII

•  Proactive monitoring based on data classifications

Corporate Privacy Material Data

•  Officer data shielding •  Compliance auditing •  Tracking + monitoring


Protecting Employee Privacy

•  End-user privacy controls either by policy or opt-out feature (no admin data visibility)

•  Containerization on mobile devices, extendable via MDM (MobileIron)

•  Exclusionary settings for backup and collection process

•  Admin visibility to audit trails restricted via policy

Employee Privacy

•  Privacy controls •  Data segregation •  Corporate visibility


Scenario-based Privacy

•  Delegated roles for compliance and legal counsel

•  Full data and audit trail access for compliance, investigation and litigation requirements

Scenario / Exceptions

•  Compliance audits •  Investigations •  eDiscovery collection


Key Takeaways

•  Be sure to check the certifications and how they apply to the overall stack: just because the IaaS/PaaS is certified doesn’t mean the SaaS layer is.

•  For data residency, ensure your cloud data isn’t moving around to non-compliant locations; have the vendor sign an agreement and show documented ability to comply.

•  Encryption models continue to evolve; make sure your provider can’t divulge your data without you knowing.

•  Data privacy laws are still emerging and tend to be ambiguous. The best place to get the answers to stay compliant is working with your legal team; don’t guess.


Questions?

www.druva.com

Thank You!

The Leader in Data Protection and Governance at the Edge