Cloud Security: Is It Safe To Go In Yet? Executive Breakfast Roundtable, June 22, 2011, Boston Chapter. WAY TO GO BRUINS!
Welcome, Introductions. AGENDA: Legal Perspective (Bingham McCutchen); Break; Featured Speakers: Ping Identity, Courion, Oracle; Break; Closed Door Session, Members Only, Rob Cryan, Mapfre USA; Q&A, Wrap Up
INTRODUCTIONS: Name, Company, Role. What is the primary security challenge of going to the cloud?
LEGAL PERSPECTIVE Host: Bingham McCutchen, Sarah Gagan
BREAK
Bill's Key Thoughts. The Cloud is ... (insert adjective here). Major hurdles seem to be: where data resides (regulatory restrictions, e-discovery concerns); IAM (trust); lack of visibility into controls (loss of governance). We MUST help get there.
Featured Speaker
The Cloud Identity Security Leader
Ping Identity Mission: Enable & Protect Identity; Secure the Cloud; Defend Privacy. 2011 Ping Identity Corporation
Megatrends in IT
What's holding your business back?
- Customer Satisfaction: Do customers or partners log in more than once? 75% of online shoppers may leave or not use a site that requires registration (USA Today, March 23, 2011).
- Productivity: Do employees have five, ten, or twenty separate logins? Do your employees, partners, or customers have tablets or smartphones with applets and multiple passwords?
- Security Risks: How long does it take to remove access to critical private and public cloud applications when an employee or partner leaves?
Why is it so hard to secure the Cloud? (diagram: eBusiness, Enterprise Firewall, Existing AAA, Portal, Directory)
Secure the Cloud - Best Practices
1. Separate identity from applications: centralize IT control of identities and access; do not proliferate passwords; integrate identity at the application layer, not the presentation layer, to lower maintenance and avoid user involvement.
2. Eliminate passwords: don't sync, replicate or hide them.
3. Adhere to standards: leverage secure and proven identity standards to maximize interoperability and scale; build on customer and cloud vendor adoption of trusted approaches to cloud and mobile SSO.
4. Leverage existing identity infrastructure: look for supported integrations and standards to avoid costly, fragile or high-maintenance identity architectures.
5. Avoid purpose-built identity silos: design a single identity architecture that supports all required use cases, for flexibility and scale.
Different ways to secure the Cloud (comparison matrix; the check marks did not survive extraction): Password Vaulting, Identity as a Service, Traditional IAM and Cloud Identity Management, each scored against Separate Identity from Applications, Eliminate Passwords, Adhere to Standards, Leverage Existing Identity Infrastructure and Avoid Purpose-built Identity Silos.
The Cloud Identity Security Leader. Enterprise Solutions: Cloud SSO, Customer & Employee IAM, Mobile App Support, API Security, Centralized Access Control. More than 160 Partners: SaaS Vendors, Cloud Integrators & Resellers. More than 600 Customers; 98% of Customers Recommend Ping to others (TechValidate Survey 2011). Thought Leadership. Denver, Boston, Vancouver, London. Tens of millions of employees, customers, consumers, and partners use Ping Identity solutions every day!
Cloud Identity Management
How it Works (diagram: token exchange between the enterprise and the cloud application)
Cloud Identity Management:
- Deploys in hours; elegant, lightweight, scalable
- Standards-based: SAML, OpenID & WS-Federation, OAuth, WS-Trust; strong authentication
- 30 turn-key integrations; anywhere, anytime, any device
- 600+ enterprise and SaaS customers; 98% of customers willing to recommend Ping; 40 of the Fortune 100; 130+ cloud SaaS applications
- Highly scalable and performance tested; support for all use cases
- Passwords and identities never leave your control; users only need one secure password
- Eliminate the effects of password and policy change; centralize policy and support for all cloud apps
- Enable cloud application deprovisioning
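The token flow sketched in the "How it Works" slide, together with the checks behind "passwords and identities never leave your control" and "enable cloud application deprovisioning", as an added example that is not Ping Identity's code and not part of the original deck. It models one SAML-style SSO exchange in Python: the enterprise identity provider (IdP) authenticates the user against its own directory and mints a signed, short-lived, audience-bound assertion; the SaaS application (service provider, SP) verifies signature, issuer, audience, validity window and one-time use before it creates a local session. The directory, the entity IDs and the signing key are constructed for the example, and an HMAC-SHA256 signature stands in for the XML-DSig signature that real SAML assertions carry.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo directory: it stays on-premise with the IdP. The SaaS
# application only ever receives signed assertions and never sees a password.
ENTERPRISE_DIRECTORY = {
    "alice@example.com": {"active": True, "groups": ["finance"]},
    "bob@example.com": {"active": False, "groups": ["sales"]},  # has left the company
}

# Assumed shared signing secret. Real SAML uses XML-DSig with the IdP's private key
# (the SP holds the certificate); HMAC stands in so this runs on the stdlib alone.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example.com"          # hypothetical IdP entity ID
SP_AUDIENCE = "https://crm.saas-example.net"    # hypothetical SP entity ID
CLOCK_SKEW = 60      # seconds of tolerance on NotBefore / NotOnOrAfter
ASSERTION_TTL = 300  # seconds an assertion stays valid


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_body(body: bytes, key: bytes) -> str:
    return b64url_encode(hmac.new(key, body, hashlib.sha256).digest())


def issue_assertion(subject, audience, now=None, key=IDP_SIGNING_KEY):
    """IdP side. Returns a signed, short-lived assertion for one audience, or None
    when the subject is not (or no longer) active: deprovisioning happens here."""
    user = ENTERPRISE_DIRECTORY.get(subject)
    if not user or not user["active"]:
        return None
    now = int(time.time() if now is None else now)
    claims = {
        "id": str(uuid.uuid4()),  # assertion ID, used by the SP for replay detection
        "iss": IDP_ISSUER,
        "sub": subject,
        "aud": audience,
        "nbf": now,
        "exp": now + ASSERTION_TTL,
        "groups": user["groups"],
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return b64url_encode(body) + "." + sign_body(body, key)


def validate_assertion(token, seen_ids, now=None, key=IDP_SIGNING_KEY,
                       issuer=IDP_ISSUER, audience=SP_AUDIENCE):
    """SP side. Returns (claims, None) if acceptable, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".")
        body = b64url_decode(body_b64)
    except (ValueError, AttributeError):
        return None, "malformed"
    # 1. Signature first: nothing inside the body is trusted until this passes.
    if not hmac.compare_digest(sign_body(body, key), sig):
        return None, "bad signature"
    claims = json.loads(body)
    # 2. Issuer and audience: an assertion minted for another SP is not ours.
    if claims.get("iss") != issuer:
        return None, "unknown issuer"
    if claims.get("aud") != audience:
        return None, "audience mismatch"
    # 3. Validity window with bounded clock skew.
    if now < claims["nbf"] - CLOCK_SKEW:
        return None, "not yet valid"
    if now >= claims["exp"] + CLOCK_SKEW:
        return None, "expired"
    # 4. One-time use: cache seen assertion IDs until they would have expired.
    if claims["id"] in seen_ids:
        return None, "replayed"
    seen_ids.add(claims["id"])
    return claims, None


def sso_login(subject, now=None, seen_ids=None):
    """End to end: IdP issues, SP validates, SP creates a local session."""
    seen_ids = set() if seen_ids is None else seen_ids
    token = issue_assertion(subject, SP_AUDIENCE, now=now)
    if token is None:
        return None, "idp refused: user not active"
    claims, err = validate_assertion(token, seen_ids, now=now)
    if err:
        return None, err
    return {"user": claims["sub"], "groups": claims["groups"]}, None
```

The deprovisioning case is the one to notice: Bob is disabled in the on-premise directory, the IdP refuses to issue, and the SaaS account never held a password that would have to be revoked. A real SP additionally checks the assertion's InResponseTo against the request it sent and takes the IdP certificate from signed metadata; neither is shown here.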
Secure the Cloud. Free your Business: A Case Study
Our Customers: 600+ enterprises, government agencies and service providers worldwide trust Ping Identity, including 40+ of the Fortune 100. Finance, Healthcare, Consumer, International, Telecom.
Featured Speaker
June, 2011
What do you need to protect? (impact) How do you control ACCESS? (likelihood) CONFIDENTIAL
- More data accessible by more people via more devices
- Whose hand is the device in? Can you trust that they are who they say they are?
- Identity is more than who: it includes what you are doing, and to what
- Introduces exposure on accessibility to critical data
- New supplier relationships, who may have access to sensitive information
(diagram: Enterprise Applications; Consumer-Facing Applications; Consumers and Partners; Enterprise's Outsourced Applications; Employees; Partner Applications; Software as a Service (SaaS))
"We are often asked whether the Cloud factors into many of the breaches we investigate. The easy answer is No, not really. It's more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud." Verizon Data Breach Report, 2011
Ensure the Right People (internal and external users) have the Right Access to the Right Resources, and are doing the Right Things with it!
Access governance lifecycle:
- Policy: translate business policy into access policy; manage the policy lifecycle; assess the effectiveness of policy.
- Discovery: identify access risk; evaluate risk; prioritize action; analyze trending.
- Inputs: entitlements, identity, activity, data, policy.
- Certification and reporting: access certification; access reports for entitlements, data access, and activity.
- Remediation: disable access; remediate access; create access; manage credentials.
Same information: privacy data, health information, key financial data, credit card information, company confidential data, other high-risk data.
Same IAM requirements: all access must connect to enterprise identities; access certification; separation of duties for operators and users; privileged access management; access management; who has access? who has accessed?
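One way to run the certification and remediation loop described on the slides above (who has access, who has accessed, separation of duties, disable and remediate) over a SaaS entitlement export, as an added example that is not part of the Oracle or Courion material. The HR feed, the account list, the role names, the conflict pairs and the login dates are all constructed for the example; a real review would pull them from the HR system, the SaaS admin API and its audit log.

```python
from datetime import date, timedelta

# Constructed HR feed: the enterprise identities every SaaS account must map to.
HR_IDENTITIES = {
    "E1001": {"name": "Alice", "status": "active"},
    "E1002": {"name": "Bob", "status": "terminated"},
    "E1003": {"name": "Carol", "status": "active"},
    "E1004": {"name": "Dan", "status": "active"},
}

# Constructed SaaS entitlement export ("who has access?").
SAAS_ACCOUNTS = [
    {"account": "alice", "employee_id": "E1001", "roles": ["ap_clerk"]},
    {"account": "bob", "employee_id": "E1002", "roles": ["ap_clerk"]},
    {"account": "carol", "employee_id": "E1003", "roles": ["ap_clerk", "ap_approver"]},
    {"account": "dan", "employee_id": "E1004", "roles": ["report_viewer"]},
    {"account": "svc_legacy", "employee_id": None, "roles": ["admin"]},  # no owner
]

# Hypothetical role pairs one person must not hold together (separation of duties).
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}

# Constructed last-login data from the SaaS audit log ("who has accessed?").
LAST_LOGIN = {
    "alice": date(2011, 6, 20),
    "carol": date(2011, 6, 21),
    "dan": date(2011, 1, 5),
    "svc_legacy": date(2011, 5, 30),
}

REVIEW_DATE = date(2011, 6, 22)   # the day this certification run is made
DORMANT_AFTER = timedelta(days=90)


def review_access(accounts, identities, last_login, today, sod=SOD_CONFLICTS):
    """Certify each SaaS account against the enterprise identity store and the
    activity log. Returns (account, finding, recommended action) triples."""
    findings = []
    for acct in accounts:
        name = acct["account"]
        emp = identities.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            # No enterprise identity behind the account: nobody can certify it.
            findings.append((name, "orphan", "disable pending owner assignment"))
            continue
        if emp["status"] != "active":
            # A leaver still holding access: the deprovisioning gap.
            findings.append((name, "terminated user", "disable access now"))
            continue
        held = set(acct["roles"])
        for pair in sod:
            if pair <= held:
                findings.append((name, "sod conflict " + "+".join(sorted(pair)),
                                 "remove one role or record an approved exception"))
        seen = last_login.get(name)
        if seen is None or today - seen > DORMANT_AFTER:
            # Entitlement without activity: least privilege says question it.
            findings.append((name, "dormant access", "confirm need or revoke"))
    return findings


if __name__ == "__main__":
    for row in review_access(SAAS_ACCOUNTS, HR_IDENTITIES, LAST_LOGIN, REVIEW_DATE):
        print("%-12s %-38s -> %s" % row)
```

Alice produces no finding: active, one role, recent login. The other four accounts each trip a different control, which is the point of feeding entitlements, identity and activity into the same review rather than certifying the entitlement list on its own.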
A change can have a ripple effect:
Identity model          Scope of a change   Ripple effect
Silos (1 per system)    Isolated            No impact to other systems
Shared (AD)             Semi-isolated       May impact systems that share the security model
Global                  Global              Impacts all systems
Federated               Cross-domain        Impacts internal and external systems
Enterprises will continue to use more SaaS and cloud applications. Requests are policy and catalog driven. On-premise IAM must extend to this environment: Define, Assess, Enforce, Verify.
Featured Speaker: Michael Mettenheimer, VP of Security Privacy Solutions, 703 408 1289, Michael.mettenheimer@oracle.com
BREAK
MEMBER ONLY SESSION Sponsors Depart Featuring Member Rob Cryan, Mapfre USA
Cloud Services One Approach to the Question Rob Cryan, CISSP Sr. Manager, Information Security
Agenda: Definition; Directive; Approach (Risk, Candidacy & Volume); Summary; Lessons Learned
Cloud Services Defined, for this presentation: off-premise Software as a Service, or Hardware as a Service, or a combination of the two.
Directive: lower service operating costs.
Approach: Business Case; Assess Data Volume; Evaluate Cloud Candidate; Understand, Mitigate and/or Accept Risks.
Risk             Sources of exposure                                       Mitigation
Availability     Internal; Upstream Provider; Cloud Vendor                 Increased cost
                 (adds another n tiers to availability)
Confidentiality  Internal; Cloud Vendor                                    Increased cost
                 (their internal is your external threat)
Integrity        Internal; Cloud Vendor                                    Reduced cloud appeal
                 (application stability/changes)
Ownership, new questions: Who owns the data? What can the vendor do with your data? What if there is a breach of contract?
Data breach: Cloud vendor or customer responsibility? Coordinated damage control (PR) plan? Who handles forensics, including during litigation?
Off-premise protection: Where is your data/service? Encryption, access controls, etc.
Number 1 answer: contractually bind the cloud vendor to sufficiently answer these questions.
Composition and Criticality
Assessing Volume: How much data at rest? (time to migrate) How much data in flight? (bandwidth usage)
                      In-flight volume   At-rest volume   Bandwidth usage
Email                 High               High             Probable need for increased bandwidth
IT Service Requests   Low                Medium           None
Business Case: evaluation of high in-flight data volume revealed limited cost savings; low-to-medium in-flight volumes were more cost effective.
Summary. Email: exceeded business risk appetite; not necessarily cost effective. IT Service Requests: more cost effective than email; given the initial charter, within business risk appetite.
Cloud Lessons Learned: Cloud is not a business case per se. High data volume is not a cloud benefit. Risk transferred is not risk reduced. Commodity services are cloud candidates.
Contact Information Rob Cryan Sr. Manager, Information Security MAPFRE USA Office: 508.949.4777 Email: rcryan@mapfreusa.com
CHAPTER BUSINESS. Next Chapter Meetings: July 27, Mobile Device Security (need a member to lead discussion; seeking sponsor vendors); September 14, Application Security & Assurance; October 19, Data Protection in the Enterprise
Q&A & Wrap Up
THANKS Return Badges See you July 27