Cloud Adop)on, Risks & Security & GDPR An Ac)on Guide

Transcription

1 April 2016 Cloud Adop)on, Risks & Security & GDPR An Ac)on Guide Nigel Hawthorn, Skyhigh Networks

2 Cloud Adop)on and Risk Agenda Skyhigh Networks An Introduc)on European Cloud Adop)on and Risk Report Q Nordic Cloud Adop)on CSA Global Survey Results Swedish Data Protec)on Act and EU GDPR GDPR An Ac)on Guide Links: How to Find The Data Q & A

3 Skyhigh Solving The Cloud Dilemma Business Shadow IT Personal Sanc)oned IT VISBILITY: Understand services in demand. Quickly respond to requests from users. COMPLIANCE: Comply with regulatory requirements. Enforce governance policies. RISK MANAGEMENT: Understand risk to business. Comply with corporate policies. THREAT DETECTION: Iden)fy exfiltra)on events indica)ng security breaches. Denied Permi4ed Approved ENTERPRISE SECURITY: Detect and prevent compromised accounts and insider threats. DATA SECURITY: Protect data from breaches and blind subpoenas.

4 Cloud Adop)on & Risk Report

5 Cloud Adop)on and Risk Report Europe Q Real-Life Data from Skyhigh Customers Anonymised data across 3 million European users Data taken from December 2015, published January 2016

6 Average Number of Cloud Services Per company, unique services

7 Average Number of Cloud Services Per company, unique services

8 Security Controls Vary by Provider

9 Authen)ca)on and Logging

10 A Safe Place for EU Personal Data

11 Nordic Customer Results CSPs in Use High Risk CSPs in Use Services Allowing Anonymous Use 7.2MB 21GB Uploaded Services Owning Your Intellectual Property 691MB 3GB Uploaded PDF Converters Inconsistent Policies 100% 100%

12 Specific Example Findings - Nordic 413 cloud services with inconsistent blocking policies 56 Different cloud storage services in use 18 of them high risk 499 Users of Prezi, though its not a supported service 185 services with unknown legal jurisdic)on 8.4 TB of data uploaded to by one user 41,000 requests to Fitbit in one day from one machine infected?

13 Real Nordic Assessment

14 Shared Files Possible Data Loss

15 CSA Survey: Most Important Cloud Security Controls

16 Swedish Personal Data Act & EU GDPR

17 Swedish Data Inspec)on Board Statement hkp://

18 Overview of the Regula)on

19

20 Top Ten Provisions Increased fines 4% of global turnover or 20,000,000 Opt-in consent Breach no)fica)on Territorial Scope Joint Liability Right to removal Removes ambiguity Data transfer Common enforcement Collec)ve redress

21 How Skyhigh Can Help (1/3) Track Cloud Services In Use Tracking cloud services in use, data transfer sta)s)cs, approved and unapproved service, set policies and warning pages for users Impact Assessment The Skyhigh cloud registry records risk profiles based on 65+ akributes about each service, including country of data storage, T&Cs, data ownership, previous history of security issues, encryp)on, leak sources, anonymous use and shares with 3 rd par)es. Data upload / download informa)on File names, user ac)vity (though users only viewed by customer GUI), unusual ac)vity Data Leak Preven)on Skyhigh has its own DLP technology or can integrate with exis)ng DLP systems to review data inside files on cloud services. Data can be scanned as uploaded on or demand and mul)ple remedial ac)ons taken

22 How Skyhigh Can Help (2/3) Privileged User Monitoring Cloud services are oqen set with many privileged users, Skyhigh can monitor and report on privileged user ac)ons Transfer of data outside the EU Skyhigh tracks mul)ple country parameters; HQ country, data held and jurisdic)on to facilitate controls Compliance of cloud providers The registry includes a wealth of detail about technical and privacy standards, including ISO27018 (protec)on of Personally Iden)fiable Informa)on in public cloud providers) Adding Encryp)on Mul)ple encryp)on techniques can be deployed before data is uploaded to the cloud and keys can be held by customer (in the EU)

23 How Skyhigh Can Help (3/3) Third Party Service Monitoring Monitor and set policies for external collabora)on, such as shared directories in cloud services. Eg. Whitelists/blacklists and API integra)on for data upload/downloads from 3 rd par)es. Infected Device No)fica)on Infected devices show unusual traffic pakerns that Skyhigh can monitor Anomalous Ac)vity Unusual ac)vity of users (based on historical pakerns) can show disgruntled employees or highlight data loss incidents from lost creden)als Audit Trail If breaches occur, Skyhigh s audi)ng capabili)es provides valuable forensic informa)on, such as broader audit logs of cloud ac)vi)es than oqen provided by the service provider. Ongoing Change Threats are never sta)c, Skyhigh updates the registry constantly and watches for new threats, new concerns and new risks

24 GDPR Implemen)ng An Ac)on Plan Cross-Func.onal Team Get legal advice New privacy policy, likely impact, scope of changes to policies Cloud Adop)onTeam IT, Legal, Compliance/Risk, Finance, HR, Employees, Lines of Business, Marke)ng User Communica)on Training, ongoing updates, splash pages reminding users as they access new services Regular Review New cloud services are being accessed each day, keep everything under review

25 Cloud Adop)on Team Responsibili)es Review current data sets and services Don t forget employee data Set minimum standards for cloud services Implement contracts with approved services Define approved cloud services Migrate users to approved services Implement policies to block/allow/warn users of risks Implement monitoring, DLP, anomaly checking Integrate with LDAP, AD, SSO services Publish approved cloud services list Review requests for new cloud services

26 Enhancing Approved Cloud Services User redirection Splash Pages to approved services Single-sign-on ease of use & change control Encrypt or tokenize data keeping keys on-premises Add data loss prevention On-demand scanning, in-line scanning, API-scanning Activity monitoring users and admins Anomaly detection Insider threat detection Compromised accounts / devices Granular access control geo-location, OS, managed, unmanaged Keep logs for forensics Consider Digital Rights Management

27 Gartner: Market Guide for Cloud Access Security Brokers hkp://info.skyhighnetworks.com/wp-gartner-market-guide-for-casb_download_gray.html

28 GDPR A Final Thought Its Not Your Car Its Not YOUR Data

29 Cloud Audit and Risk Assessment O365, Box, SFDC Audit Shadow IT Audit 1. Sensi)ve data in the cloud (PII, PHI, payment data) 2. Sensi)ve docs shared externally 3. High-risk ac)vi)es indica)ng insider threats 4. High-risk ac)vi)es indica)ng compromised accounts 5. High-risk ac)vi)es indica)ng privileged user abuse 1. All IaaS, PaaS, and SaaS cloud in use 2. Objec)ve risk ra)ngs for each cloud service 3. High-risk ac)vi)es indica)ng data exfiltra)on 4. Audit of firewall/proxy policy enforcement effec)veness 5. Consolida)on opportuni)es for unused licenses

30 Links to Data Allianz Risk Barometer 2016: hkp:// Skyhigh European Cloud Adop)on & Risk Report: hkp://info.skyhighnetworks.com/wpcarrq12016eu_download_white.html Cloud Security Alliance 2016 Survey: hkp://info.skyhighnetworks.com/wpcsasurvey2016_download_green.html Gartner Cloud Access Security Broker Market Guide: hkp://info.skyhighnetworks.com/wp-gartner-market-guide-for-casb_download_gray.html

31 Thank You