Cloud Storage and Security: Solving Compliance Challenges
Download as PPTX, PDF1 like476 views
This document discusses challenges and best practices for cloud storage and security. It begins by introducing the panelists and outlining the topics to be discussed, which include realities and pain points of cloud storage, how and where cloud security could be compromised, navigating legal and regulatory compliance, and recommendations for deploying the right cloud storage strategy. Key points made include that sensitive data is often stored in the cloud without visibility, cloud breaches and unauthorized access are concerns, and regulations like GDPR and ISO 27001 provide security standards to consider. The document emphasizes knowing cloud vendors, evaluating costs and benefits, and establishing secure data management practices throughout the data lifecycle.
Cloud Storage and Security: Solving Compliance Challenges
- 1. CLOUD STORAGE & SECURITY: SOLVING COMPLIANCE CHALLENGES
- 2. MEET THE PANEL Director, Information Systems and Security, Jurinnov LLC Eric Vanderburg Partner, DLA Piper Giulio Coraggio Presenters Director of Cloud & Data Center Erasure Solutions, Blancco Technology Group Fredrik Forslund Moderator
- 3. WHAT WE’LL EXPLORE The Realities & Pain Points of Storing Data in the Cloud How, Where & When Cloud Security Could Be Compromised Navigating Through Legal & Regulatory Compliance What to Consider in Deploying the Right Cloud Storage Strategy Recommendations to Store, Manage & Protect Data in the Cloud
- 4. THE REALITIES & PAIN POINTS OF STORING DATA IN THE CLOUD
- 5. Source: SkyHigh Q4 2015 Cloud Report
- 6. 15.8% OF FILES IN THE CLOUD CONTAIN SENSITIVE DATA 6 Source: SkyHigh Q4 2015 Cloud Report SENSITIVE DATA 7.6% 2.3% 1.6% Protected Health Information Payment Data Documents in File Sharing Services Personally Identifiable Information 4.3%
- 7. MANAGING DATA IN THE CLOUD IS COMPLICATED & TOUGH 7 Organizations that experienced breaches in the cloud cited malware as the top private cloud attack vector Cloud Breaches 33% Cite unauthorized access to data from other tenants as the most pressing concern with public cloud deployments Unauthorized Access 40% Store or process sensitive data in the cloud Sensitive Data 40% Do not currently have visibility into their public cloud providers’ operations Lack of Visibility 33% *Source: SANS Institute, ‘Orchestrating Security in the Cloud’ Paper, 2015
- 8. Webinar Audience Poll Question: What type of cloud strategy does your business implement? Responses: • Private • Public • Hybrid • I don’t know
- 9. Hybrid Cloud More scalable than private Requires some higher upfront costs More control over data flows Private Cloud High degree of control Higher upfront costs More difficult to scale Public Cloud Highly scalable Pay for what you use Easy to deploy and manage MANY CLOUD STRATEGIES TO CHOOSE
- 10. HOW, WHERE & WHEN CLOUD SECURITY COULD BE COMPROMISED
- 11. Webinar Audience Poll Question: Has your company suffered a cloud data breach in the last 12 months? Responses: • Yes • No • I don’t know
- 12. INTERNAL & EXTERNAL THREATS CAN’T BE IGNORED Source: SkyHigh Q4 2015 Cloud Report
- 13. WHEN/WHERE IS DATA MOST AT RISK? During Data Migration During Data Use or Storage Data End-of-Life Equipment End-of-Life
- 14. NAVIGATING THROUGH LEGAL & REGULATORY COMPLIANCE
- 15. 15 ENTERPRISE BUSINESSES MUST GET ON BOARD National Data Protection Law EU Data Protection Regulation 2015 Right to be Forgotten ISO Standard 27001, 27040 etc. Sarbanes-Oxley HIPAA (Health Insurance Portabiltiy and Accountability) Credit Card Industry PCI-DSS
- 16. 01 02 03 04 ISO/IEC 27001: SETTING THE BAR HIGH FOR SECURITY STANDARDS 16 TOP MANAGEMENT Must implement information security policy themselves RISK MANAGEMENT Relevant security risks should be addressed and mitigated INTERNAL AUDITS Must verify all security risks have been addressed and operational processes are set DATA REMOVAL Sensitive data and licensed software must be securely removed prior to disposal or reuse
- 17. ISO 27018: PROTECTION OF PRIVACY & PERSONAL DATA IN THE CLOUD 17 Home PC Push Sync Back Up All Files Work Laptop Push Sync Work Files Notebook Smart Sync Select Files Tablet Sync Local Stream the Rest Smartphon e Sync a Few Stream the Rest ! My Documents My Photos My Music My Work Files Special Project
- 18. Webinar Audience Poll Question: How Prepared Is Your Organization for GDPR? Responses: • Fully Prepared • Somewhat Prepared • Early Preparation Stages • Unprepared • Don’t Know
- 19. Source: ‘EU GDPR: A Corporate Dilemma’, Blancco Technology Group, 2016 Somewhat Prepared; Still Need to Find Right Data Removal Software Fully Prepared (Established Processes, Policies & Technology) Unprepared; Don’t Know How or Where to Start Don’t Know On Right Track (Currently Researching & Developing Processes/Policies
- 20. WHAT CHANGES WITH THE GENERAL DATA PROTECTION REGULATION? 20 New Sanctions for Violations & Breaches New Liabilities for Cloud Providers New Obligations/ Protections
- 21. Environmental Protection Physical Protection Network Protection Hardware Protection Breach Notification Secure Communications Computing Security DATA PROTECTION REGULATION CONSIDERATIONS Right to be Forgotten
- 22. WHAT TO CONSIDER IN DEPLOYING THE RIGHT CLOUD STORAGE STRATEGY
- 23. CAPACITY PLANNING • Pre-allocate = Low ROI with unused space • Grow as you need = Inconsistent IT spending and potentials for compromise BACKUP AND RECOVERY • Archiving costs (equipment and time) • Offsite storage or offsite location • Testing and validation PRIVATE CLOUD STORAGE HURDLES DIRECT CAPITAL EXPENDITURE MAINTAINENCE AND SUPPORT
- 24. ADEQUATE DUE DILIGENCE ON CLOUD PROVIDER AND CONTRACT NEGOTIATION
- 25. 25 DATA MANAGEMENT CONSIDERATIONS Specialized Skills Sets Required Data Analytics Data Inventory Future Scalability into Hybrid Cloud Cloud Software Customization
- 26. RECOMMENDATIONS TO STORE, MANAGE & PROTECT DATA IN THE CLOUD
- 27. 27 Know Your Vendors Evaluate Cost Benefits Implement Industry Standards Prepare for Future (Scalability, Technology, Security) Establish a Way to Measure ROI THINGS TO REMEMBER WHEN STORING, MANAGING & PROTECTING DATA IN THE CLOUD
- 28. DATA LIFECYCLE IN THE CLOUD 3. Data Use/Storage 5. Data End-Of-Life 1. Data Creation & Classification 6. Decommissioning of Device/Server 4. Data at Rest 2. Data Migration
- 29. &
- 30. CONTENT YOU MAY FIND USEFUL: “Cloud & Data Center Erasure: Why Delete Doesn’t Suffice”: http://www2.blancco.com/en/white-paper/cloud-and-data-center- erasure-why-delete-doesnt-suffice “The Information End Game: What You Need to Know to Protect Corporate Data Throughout its Lifecycle”: http://www2.blancco.com/en/white-paper/the-information-end-game-what-you-need-to-know-to-protect-corporate-data “Data Storage Dilemmas & Solutions”: http://www.slideshare.net/BlanccoTechnologyGroup/data-storage-dilemmas-solutions “EU GDPR: A Corporate Dilemma”: http://www2.blancco.com/EU-GDPR-Corporate-Dilemma-Research-Study
- 31. Blancco Technology Group is a leading, global provider of mobile device diagnostics and secure data erasure solutions. We help our clients’ customers test, diagnose, repair and repurpose IT devices with the most proven and certified software. Our clientele consists of equipment manufacturers, mobile network operators, retailers, financial institutions, healthcare providers and government organizations worldwide. The company is headquartered in Alpharetta, GA, United States, with a distributed workforce and customer base across the globe. DLA Piper is a global law firm with lawyers in the Americas, Asia Pacific, Europe, Africa and the Middle East, positioning us to help companies with their legal needs around the world. We strive to be the leading global business law firm by delivering quality and value to our clients. We achieve this through practical and innovative legal solutions that help our clients succeed. We deliver consistent services across our platform of practices and sectors in all matters we undertake. Our clients range from multinational, Global 1000, and Fortune 500 enterprises to emerging companies developing industry- leading technologies. They include more than half of the Fortune 250 and nearly half of the FTSE 350 or their subsidiaries. We also advise governments and public sector bodies. JURINNOV works with IT and legal departments in a wide variety of industries and sectors. We become a link, an extension of both departments. We help them adopt the most current standards and tools. We help companies better manage and track electronic information, uncover evidence, plan for data recovery, and relax a little bit like in the good old days when everything was filed neatly in its place. ABOUT US
Editor's Notes
- #2: Brief housekeeping items (how to submit Q&A questions and that we will have a number of audience poll Q’s
- #3: See ‘Intro’ in webinar flow notes
- #6: FREDRIK SLIDE.
- #7: FREDRIK SLIDE
- #8: ERIC V. TO USE THIS AS HE ANSWERS QUESTION
- #9: OPEN WITH A POLL QUESTION TO LEAD INTO NEXT SLIDES/TALKING POINTS.
- #10: FREDRIK ASKS ERIC QUESTION -- When a company looks to store data in the cloud, what should they know about the different types of cloud strategies – the pros and cons of each?
- #12: OPEN WITH A POLL QUESTION TO LEAD INTO NEXT SLIDES/TALKING POINTS.
- #13: FREDRIK TO ASK GIULIO IF THIS MATCHES WHAT HE HEARS FROM DLA PIPER CUSTOMERS AND WHY IT’S SOMETHING NOT ENOUGH BUSINESSES THINK ABOUT.
- #16: ISO 27018 is already released and ensures protection of privacy and personal data. ISO 27017 is coming. It ensures security controls for cloud providers.
- #17: GIULIO TO SPEAK HERE.
- #18: ISO 27018 is already released and ensures protection of privacy and personal data. ISO 27017 is coming. It ensures security controls for cloud providers.
- #20: GIULIO TO SPEAK HERE.
- #24: ERIC V. TO DISCUSS HERE.
- #29: END WITH FREDRIK – TALK ABOUT WHY CLOUD STORAGE/SECURITY CHALLENGES CAN’T BE ADDRESSED WITHOUT FIRST UNDERSTANDING DATA’S LIFECYCLE IN THE CLOUD.