Maintaining Compliance in the New Era of Cloud Apps


Transcript of Maintaining Compliance in the New Era of Cloud Apps

Page 1: Maintaining Compliance in the New Era of Cloud Apps

@Zulfikar_Ramzan, CTO, Elastica

Renee Murphy, Sr. Analyst, Forrester

Page 2: Maintaining Compliance in the New Era of Cloud Apps


Agenda

› Cloud Compliance Landscape

› Industry Segments at Risk

› Corporate Liability with Cloud Technology

› Cloud Providers’ Role in Compliance

› Technical Challenges with Traditional Solutions

› 2015 Predictions

› Best Practices

Page 3: Maintaining Compliance in the New Era of Cloud Apps


Cloud Compliance Landscape

Q: Why is compliance in the cloud worth discussing?

Page 4: Maintaining Compliance in the New Era of Cloud Apps

© 2014 Forrester Research, Inc. Reproduction Prohibited

Forecast: Global Public Cloud Market Size, 2011 To 2020

Source: April 2011, “Sizing The Cloud”

Page 5: Maintaining Compliance in the New Era of Cloud Apps


Data Governance

Page 6: Maintaining Compliance in the New Era of Cloud Apps


S&R Pros Must Adapt Strategies And Controls For Virtualization, Cloud Adoption (Cont.)

Source: May 2014, “Brief: S&R Pros Remain Unprepared To Address Virtualization And Cloud Security Risks”

Page 7: Maintaining Compliance in the New Era of Cloud Apps


What About Enterprise-Grade Apps?

Q: Is this concern focused only on “rogue” apps or Shadow IT? What about “enterprise-grade” SaaS?

Page 8: Maintaining Compliance in the New Era of Cloud Apps


Shadow Data: Not Just About Rogue Apps Anymore

Mainstream adoption of “legitimate” apps

But… no understanding of where the data is

• Roughly 9% of files are broadly shared

• Of these, 68% are shared company-wide, 19% are shared externally, and 13% are shared publicly

• Speaks to ease of sharing!

Page 9: Maintaining Compliance in the New Era of Cloud Apps


Who Should Care?

Q: Which types of organizations should care? Is it just heavily regulated companies, or is it everyone?

Page 10: Maintaining Compliance in the New Era of Cloud Apps


Who should care?

› Regulated Industries

• Government

• Banking

• Healthcare

• Insurance

› Non-Regulated Industries

• Retail

• Non-profits

• NGO

• Technology

Page 11: Maintaining Compliance in the New Era of Cloud Apps


Healthcare Security Must Mature

Page 12: Maintaining Compliance in the New Era of Cloud Apps


Research Hospitals will See More Breaches

Page 13: Maintaining Compliance in the New Era of Cloud Apps


FTC Will Find Its Opening with Wearables

Page 14: Maintaining Compliance in the New Era of Cloud Apps


Liability

Q: What liability do corporations have as their data moves to the cloud?

Page 15: Maintaining Compliance in the New Era of Cloud Apps


Cloud Liabilities

› What liability do corporations have as their data moves to the cloud?

› Typical Civil Liabilities

• Contractual

• Data Protection

• Intellectual Property

Page 16: Maintaining Compliance in the New Era of Cloud Apps


Liability and Cyber Insurance

› Statistics about breaches from five years ago are worthless today.

› Target

• $100 million in insurance with a $10 million deductible.

• Cost to date $88 million and insurance will cover $58 million of that.

› $1.3 billion in premiums were paid last year

› No idea how to assess cloud providers

› No idea how aggregation into cloud infrastructure impacts risk. (A breach at Amazon is a breach at many companies at once.)

› Make sure you have at least $100 million in cyber insurance

Page 17: Maintaining Compliance in the New Era of Cloud Apps


Current State of Cloud Monitoring

Q: Given the liability, what are companies doing today?

Page 18: Maintaining Compliance in the New Era of Cloud Apps


Cloud Monitoring

Page 19: Maintaining Compliance in the New Era of Cloud Apps


Role of Cloud Providers

Q: Can cloud providers offer the necessary protections for compliance?

Page 20: Maintaining Compliance in the New Era of Cloud Apps


Technical Risk: Front vs. Back Door

› Cloud providers focus on the back door

› The front door poses the most real risk

› Need to protect both!

• MALWARE

• INSIDER THREATS

• PHISHING

Page 21: Maintaining Compliance in the New Era of Cloud Apps


Cloud vs. Non-Cloud Processes

Q: What were companies doing before to handle these issues? What process changes are needed?

Page 22: Maintaining Compliance in the New Era of Cloud Apps


Cloud vs. Non-Cloud

› It’s all the same, no matter where the data resides.

• Data classification

• Risk Management

• Third Party Risk Management

• Endpoint Management

• IAM

Page 23: Maintaining Compliance in the New Era of Cloud Apps


Migration Requirement

› Old strategies are not the same in the cloud.

• Don’t look to the BC/DR plan to tell you what goes into the cloud.

› Development, QA, Marketing

• Data Classification is a must, especially from a liability perspective

• Monitor, Monitor, Monitor.

Page 24: Maintaining Compliance in the New Era of Cloud Apps


Cloud vs. Non-Cloud Technical Differences

Q: Why do traditional solutions no longer work for cloud services?

Page 25: Maintaining Compliance in the New Era of Cloud Apps


Traditional Solutions Don’t Fit

› On Premise SOC 1.0: Risk Assessment, IDS/IPS, Firewall, eDiscovery, DLP, SIEM

› Unmonitored Activities: outside SOC 1.0’s reach

Page 26: Maintaining Compliance in the New Era of Cloud Apps


Need a “Cloud Version” of each Function

› On-premises functions: Risk Assessment, IDS/IPS, Firewall, eDiscovery, DLP, SIEM

› Cloud counterparts required: Risk Assessment, IDS/IPS, Firewall, eDiscovery, DLP, SIEM

Page 27: Maintaining Compliance in the New Era of Cloud Apps


Tectonic Shift in the Market: Rethinking DLP for Cloud File Sharing Services

› New visibility requirements

• Link Interpretation

• New Perimeter Semantics

• Full File Semantics
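The link-interpretation and perimeter-semantics points on this slide, together with the shadow-data sharing figures on Page 8, as an added Python example that is not part of the original deck and not Elastica's product code: given share-permission records in a constructed, assumed layout, it classifies each file's widest exposure (private, company, external, public) and flags sensitive files reachable from outside the company.

```python
# Added illustration (not Elastica's or Forrester's code): classify the exposure
# of cloud-shared files from their share-permission metadata. The record layout
# is an assumption modelled on file-sharing API listings; samples are constructed.
from collections import Counter

CORP_DOMAIN = "example.com"   # assumed home domain of the tenant
SENSITIVE = {"confidential", "restricted"}
LEVELS = {"private": 0, "company": 1, "external": 2, "public": 3}

# Constructed sample listing, as a CASB might pull it over a provider API.
SAMPLE_FILES = [
    {"name": "roadmap.docx", "label": "confidential",
     "perms": [{"type": "user", "id": "a@example.com"}]},
    {"name": "all-hands.pptx", "label": "internal",
     "perms": [{"type": "domain", "id": "example.com"}]},
    {"name": "contract.pdf", "label": "confidential",
     "perms": [{"type": "user", "id": "b@partner.org"}]},
    {"name": "payroll.xlsx", "label": "restricted",
     "perms": [{"type": "domain", "id": "example.com"},
               {"type": "anyone", "id": None}]},
]


def exposure(file, corp_domain=CORP_DOMAIN):
    """Widest audience any share entry on the file reaches. One 'anyone' link
    makes the file public whatever the other entries say: the perimeter is the
    share setting, not where the file is served from (link interpretation)."""
    widest = "private"
    for p in file["perms"]:
        if p["type"] == "anyone":
            level = "public"
        elif p["type"] == "domain":
            level = "company" if p["id"] == corp_domain else "external"
        else:  # named user or group: external if outside the tenant
            level = "private" if p["id"].endswith("@" + corp_domain) else "external"
        if LEVELS[level] > LEVELS[widest]:
            widest = level
    return widest


def audit(files, corp_domain=CORP_DOMAIN):
    """Count files per exposure level and flag sensitive files reachable from
    outside the company (external or public): the shadow-data case."""
    by_level = Counter(exposure(f, corp_domain) for f in files)
    broadly_shared = sum(n for lvl, n in by_level.items() if lvl != "private")
    flagged = sorted(f["name"] for f in files if f["label"] in SENSITIVE
                     and LEVELS[exposure(f, corp_domain)] >= LEVELS["external"])
    return {"by_level": dict(by_level), "broadly_shared": broadly_shared,
            "flagged": flagged}
```

On the constructed sample, `audit(SAMPLE_FILES)` reports three of four files broadly shared and flags `contract.pdf` and `payroll.xlsx`.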

Page 28: Maintaining Compliance in the New Era of Cloud Apps


Predictions

Q: What does the future of cloud usage look like?

Page 29: Maintaining Compliance in the New Era of Cloud Apps


Cloud Adoption Predictions

Chart: % of Total Cloud Workloads, 2013 vs 2018

SaaS Becoming Dominant Form of Cloud

Page 30: Maintaining Compliance in the New Era of Cloud Apps


Cloud Adoption Predictions

Chart: Consumer Internet Population using Personal Cloud Storage (millions), 2013 vs 2018

Chart: Consumer Cloud Storage Traffic per user (megabytes/month), 2013 vs 2018

Page 31: Maintaining Compliance in the New Era of Cloud Apps


Best Practices

Q: What are best practices for managing compliance risk with regards to the cloud?

Page 32: Maintaining Compliance in the New Era of Cloud Apps


Best Practices

› Have a cloud policy and enforce it.

› Implement data classification and risk management.

› Automate as much of the compliance and policy work as you can.

› Ensure privacy and security clauses in the contract with the provider.

› Really think about the appropriateness of the data going to the cloud. (Dev/QA)

› Awareness Training

Page 33: Maintaining Compliance in the New Era of Cloud Apps


Regulations

Page 34: Maintaining Compliance in the New Era of Cloud Apps


Security Frameworks

Page 35: Maintaining Compliance in the New Era of Cloud Apps


Solutions

Q: What solutions are possible? How does Elastica view the problem?

Page 36: Maintaining Compliance in the New Era of Cloud Apps


Tectonic Shift in the Market: The Need for Visibility

› On-Premises SOC 1.0: many pieces to buy, assemble and operate

› Unmonitored activities: outside the reach of SOC 1.0

Page 37: Maintaining Compliance in the New Era of Cloud Apps


Elastica’s CloudSOC™ Taps Multiple Sources: Regaining Visibility and Control

› Sources feeding Elastica CloudSOC: Firewall, Gateway, MDM, API

› Users covered: Remote worker, BYOD, On-premises worker

Page 38: Maintaining Compliance in the New Era of Cloud Apps


Next Steps

Shadow Data Exposed: http://www.elastica.net/wp-file-sharing/

The 7 Deadly Sins of Traditional DLP in the New World of Shadow IT: http://www.elastica.net/ebook-7sins-dlp

http://www.linkedin.com/company/elastica

https://www.facebook.com/ElasticaInc

@ElasticaInc, @zulfikar_ramzan