Taking a Data-Centric Approach to Security in the Cloud
Bob West, Chief Trust Officer, CipherCloud
© 2014 CipherCloud. All rights reserved.

Taking a Data-Centric Approach to Cloud Data Protection
Bob West, Chief Trust Officer
Evolving Networking & Security Models

Era             | 1970s: Mainframe | 1990s: Client/Server  | 2000s: Internet                          | 2010s: Cloud Era
Computing model | Centralized      | Distributed, internal | Enterprise-centric                       | Public, private cloud
Connectivity    | Limited          | Internal only         | Global messaging                         | Application level
Data storage    | Centralized      | Within enterprise     | Enterprise silos                         | Hybrid
Security model  | Perimeter        | Perimeter, endpoint   | Perimeter, endpoint, tunneling, identity | Data-centric for any location
Today's Reality: Data is Flowing Everywhere
Diagram: enterprise applications (ERP, Databases, Email, File Sharing, HR, CRM, Collaboration) are reached by internal users inside the enterprise boundary and by external users outside it.
Changing Nature of IT with De-Perimeterization
- Protecting infrastructure is not enough
  - Business-critical systems are now outside the network
  - Key applications are outside your control
  - Reliance on cloud providers to secure systems
- Cloud customers ask the wrong questions
  - Focus on transferring old legacy security models
  - Need to change to a data-centric model
- Cloud providers don't accept liability for your data
  - You own the data; you need to secure it
  - Security needs to travel with your data
  - You need to control access regardless of location
Where Cloud Data Resides and What Laws Might Apply
- USA (Federal): CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act
- US States: breach notification in 47 states
- Canada: PIPEDA, FOIPPA, PIPA
- Mexico: Personal Data Protection Law
- Colombia: Data Privacy Law 1266, Article 5 of Constitution
- Brazil
- Chile: Law for the Protection of Private Life
- Argentina: Personal Data Protection Law, Information Confidentiality Law
- United Kingdom: ICO Privacy and Electronic Communications Regulations
- Europe: privacy laws in 28 countries
- European Union: EU Data Protection Directive, State Data Protection Laws
- Morocco: Data Protection Act
- South Africa: Electronic Communications and Transactions Act
- India: pending laws under discussion
- Thailand: Official Information Act B.E. 2540
- Singapore: Personal & Financial Data Protection Acts
- Philippines: proposed Data Privacy Law
- Hong Kong: Personal Data Privacy Ordinance
- Taiwan: Computer-Processed Personal Data Protection
- South Korea: Network Utilization and Data Protection Act
- Japan: Personal Information Protection Act
- Australia: National Privacy Principles, State Privacy Bills, Email Spam and Privacy Bills
- New Zealand: Privacy Act
Common Regulatory Themes
- Mandates to protect personally identifiable information (PII)
  - Penalties include steep fines and personal liability for executives
- Breach notification is a big stick
  - Risks of public breach disclosure can be hugely damaging (example: Target)
- Data owners are responsible, regardless of where data goes
  - Cloud providers may share some limited responsibility, but that does not get data owners off the hook
- Regulations don't typically tell you what technology to use
  - Legislation rarely can keep up with technological changes
- Best practices evolve, changing the definition of "reasonable"
  - As solutions become widely adopted, not adopting them becomes risky
Seeking a Safe Harbor
Table columns on the slide: Regulation, Region, Breach Notification, Safe Harbor Exemptions, Recommendations on Encryption.
- PCI DSS: recommendations on encryption: encryption is a critical component
- GLBA: safe harbor if encryption has been applied adequately
- HIPAA, HITECH: safe harbor if encryption has been applied adequately
- EU Directives: breach notification: proposed; safe harbor exemption: proposed (the new regulation proposes a safe harbor exemption if data was adequately encrypted)
- ICO: breach notification and safe harbor: Privacy Amendment (notification not required if there are measures in place which render the data unintelligible); recommendations on encryption: not specified
- US State Privacy Laws: breach notification: generally yes; safe harbor: not specified, but you should take adequate measures to prevent unlawful disclosure
Typical breach definitions:
- Personal information: data that is not encrypted
- Breach: access to unencrypted data
World's Leading Enterprises Trust CipherCloud
- Top 3 US bank's consumer self-service loan origination portal
- Largest hospital chain meets HIPAA & HITECH in the cloud
- German cosmetics giant meets international security regulations
- Top Canadian bank safeguards proprietary information in the cloud
- Non-technology leader trusts sensitive data in cloud email
- Major European telco consolidates call centers for 25 countries
- Global leader in customer loyalty moves email to the cloud
- UK education organization deploys global cloud-based portal
- Large pharmaceutical company uses encrypted email
- Major Wall Street firm adopts cloud applications with confidence
- Genomics testing leader protects patient data while using the cloud
- New Zealand bank collaborates in the cloud and meets compliance
- Medical audit leader launches cloud-based customer portal
- Credit reporting giant deploys cloud collaboration with DLP controls
- Government-owned mortgage backer protects PII data in the cloud
CipherCloud Complete Platform
- Data Loss Prevention: protecting sensitive data from leaks; extending corporate DLP to the cloud
- Data Protection: preventing unauthorized access to data; maintaining application functionality
- Activity Monitoring: monitoring user and data activity; detecting anomalies in user behavior
Protect Your Sensitive Data in the Cloud
Groundbreaking security controls: protect sensitive information in real time, before it is sent to the cloud, while preserving application usability.
- Key Management
- Searchable Strong Encryption
- Tokenization
- Malware Detection
- Data Loss Prevention
Where Should You Protect Your Data?
Data states: Data in Transit, Data at Rest, Data in Use
Vulnerabilities:
- Account hijacking*
- Forced disclosure
- Data breaches*
- Malicious insiders*
- Insecure APIs*
- Shared technology*
* Top Threats
Key Questions for Cloud Data Protection
- What data do you need to protect?
- Who should or shouldn't access it?
- What functionality needs to be preserved?
- Are there additional technical requirements?
- Where should sensitive data reside?
One Size Does Not Fit All
A range of protection options preserve data structure, format and searching:
- Searchable encryption
- Tokenization
- Format preserving
- Partial encryption
High-performance encryption and tokenization at the enterprise gateway: transparent to users; preserves database functionality.
Tokenization
Diagram: within the internal network, under enterprise control, an internal user's credit card number is swapped for a token drawn from the token database; the cloud application receives only the token.
Comparison axes: functionality, security, overhead.
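A vault-based tokenizer of the kind the slide sketches, written here as an added example (not CipherCloud's product code). The TokenVault class, the in-memory dictionaries and the rule of keeping the last four digits are assumptions; the point is that the cloud side only ever sees a random, format-compatible surrogate, and the real card number is recoverable only through the vault inside the enterprise.

```python
import secrets
from typing import Dict


def luhn_sum(number: str) -> int:
    """Luhn weighted digit sum; a card number passes the checksum when this is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_sum(number) % 10 == 0


class TokenVault:
    """Hypothetical in-memory stand-in for the slide's 'token database'.
    Tokens are random, so they carry no key material; the PAN can only be
    recovered by asking the vault, which stays under enterprise control."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a 16-digit PAN with a 16-digit, Luhn-valid token keeping the last 4 digits."""
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("expected a 16-digit Luhn-valid PAN")
        if pan in self._pan_to_token:       # deterministic: the same PAN maps to the same token
            return self._pan_to_token[pan]
        suffix = pan[-4:]                   # assumption: last four kept so staff can recognise the card
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(11))
            # Digit 12 sits at an undoubled Luhn position, so it can absorb the residue
            # and make the whole token pass the same checksum a downstream app expects.
            fix = (-luhn_sum(prefix + "0" + suffix)) % 10
            token = prefix + str(fix) + suffix
            # never hand out a token that equals a real PAN or an existing token
            if token != pan and token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Authorized path back to the PAN; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111111111111111")   # constructed test PAN, not a real card
    print(t, luhn_valid(t), vault.detokenize(t))
```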
Conventional Encryption
Diagram: within the internal network, under enterprise control, a field marked "Confidential" is encrypted before it reaches the cloud application, where it appears as unreadable ciphertext; the encryption keys stay with the enterprise.
Comparison axes: functionality, security, overhead.
Format Preserving Encryption
- Standard AES encryption turns a credit card number into ciphertext that does not keep the original format (shown on the slide as an unreadable string)
- Format preserving encryption of the same credit card number yields 4811 8522 1744 2231, maintaining the 16-digit numeric format
Comparison axes: functionality, security, overhead.
Partial Encryption Techniques
Diagram: an authorized user's search query for "John Smith" passes through enterprise control on the internal network; the matching Customers records in the cloud application are stored as unreadable ciphertext, and the encryption keys remain with the enterprise.
Comparison axes: functionality: varies; security: varies; overhead.
Screenshot: an authorized user and an unauthorized user viewing the same "United Oil & Gas" record.
- Data is encrypted on a field-by-field basis, based on your security policies
- Fields can be partially encrypted
- Credit card numbers are fully encrypted with AES 256
Searchable Strong Encryption (SSE)
Diagram: an authorized user's search query for "John Smith" passes through enterprise control on the internal network; the Customers records in the cloud application remain stored as unreadable ciphertext, and the encryption keys remain with the enterprise.
Comparison axes: functionality: varies; security: varies; overhead.
About CipherCloud
Company: 3.8+ million active users; 13 industries; 25 countries; 7 languages; 13 patents; 450+ employees
Solutions: Cloud Discovery, Cloud DLP, Strong Encryption, Tokenization, Activity Monitoring, Anomaly Detection
Customers: 5 out of 10 top US banks; 3 out of 5 top health providers; top 2 global telecom companies; 3 out of 5 top pharmaceuticals; 40% of global mail delivery; largest US media company
Thank You
For additional information:
- Website: www.ciphercloud.com
- Twitter: @ciphercloud
- Email: info@ciphercloud.com
- LinkedIn: www.linkedin.com/company/ciphercloud
- Phone: +1 855-5CIPHER
Bob West, Chief Trust Officer, bwest@ciphercloud.com