6 steps to addressing your cloud security risks

Netskope © 2015, Optiv Security Inc. © 2015

STEPS TO ADDRESSING YOUR CLOUD SECURITY RISKS

Scott Hogrefe, VP of Market Data


‣ Strong technology and services partnerships

‣ Discover cloud apps and assess risk‣ Govern all apps and data‣ Safely enable sanctioned cloud apps

‣ $131.4M from top Silicon Valley VCs‣Accel, Lightspeed, Iconiq,

Social+Capital‣Customers include

‣ 250+ employees globally, including North America, throughout Europe, and Asia-Pacific

‣ Early architects/executives from Palo Alto Networks, NetScreen, Cisco, McAfee, VMware

‣ 40+ patent claims across four categories


Confessions of “Dr. No”


I really likeVISIBILITY AND CONTROL


40 to 50


Actual:

1,017

IT estimate:

40-50 Cloud procurement in many healthcare organizations

happens outside of IT

More than just Dropbox and Evernote. EHR, billing,

healthcare consultation…not to mention HR,

finance, CRM, etc.No visibility or control

Source: Netskope Cloud Report


What are the risks of cloud?

There known knowns… known unknowns… unknown unknowns



Why do people rob banks?




People aren’t evil, people are reckless





People aren’t evil, people are reckless



What are the risks of not using cloud?


IT estimates 30% business data is in cloud…

With ⅓“unknown”

Source: Ponemon


IT estimates 30% business data is in cloud…

With ⅓“unknown”

Source: Ponemon

Is this your quantifiable risk?


28 “Ecosystem” apps on average connected to Box alone


28 “Ecosystem” apps on average connected to Box alone

Should we factor these in to your equation?


Nearly Halfof all cloud app activities originate from a mobile device

One Thirdof all DLP policy violations occur on a mobile device


Nearly Halfof all cloud app activities originate from a mobile device

One Thirdof all DLP policy violations occur on a mobile device

Is this part of your cloud risk?


+ +Cloud App Risk

=

We could say…


+ +Cloud App Risk

=

We could say…

Right?


Just Block!In 2005 we said…


Just Block!Sanction one app and

then…

In the last few years we’ve said…


But I need to use that app, can I get

an exception?



an exception?Me too!

Me too!

Don’t forget about me!




Me too!


90% of cloud usage is in apps blocked by the firewall




Me too!


90% of cloud usage is in apps blocked by the firewall

Not me… I found

another app!


BESIDES…THESE APPS ARE

GOODFOR BUSINESS


Even Customer Supportis in the cloud…“ ”


LEADING BIOTECH‣ Leverages the cloud to

process petabytes of clinical trial data at a fraction of the time

‣ Results: Faster time to approval

LARGE HMO‣ Securely stores health

records‣ Collaborates on patient

data via workflows‣ Coordinates care via

cloud

TEACHING HOSPITAL‣ Ensure that medical

students and staff safely collaborate in the cloud

‣ Find and secure PHI en route to or at rest in cloud apps


How Are YouAddressing

Risk?


FIND UNDERSTAND SECURE


FIND

Bob Jones in IT

Ashok Kumar in Marketing

Amy Bishop in Finance

Pierre Bonaparte in Research

Side-by-sidecomparisons


UNDERSTAND

✔ Who? What group/OU? Where?

✔ What app/category? From what device?

✔ To whom? What content?Dr. Porter sent a patient’s MRI to a

counterpart via Box


SECURE✔ Block and coach

✔ Encrypt

✔ Prevent sharing outside of co.

✔ Require justification

✔ Perform “quiet” legal hold

Activity- and data-level

policies

✔ Quarantine and alert users


76.2% Of Cloud DLP Violations occur in healthcare and life sciences

68.5% Of DLP violations are protected health information (PHI)


Is Your Leadership Paying Attention?

Do They Care?


Sample NACD QuestionsQuestions Directors Can Ask to Assess the Board’s “Cyber Literacy”

#2 Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels?” What would it take to feel comfortable that those assets were protected?

From the National Association of Corporate Director’s Cyber-Risk Oversight Director’s Handbook Series 2014 Edition, page 17: http://www.aig.com/Chartis/internet/US/en/Financial%20Lines_Cybersecurity_Handbook_Global_tcm3171-639223.pdf.


So, What’s YourStrategy for Talkingto Your Leadership?


1. CURRENT STATE OF AFFAIRS

Apps, users, devices, data, risk


2. CLOUD’S ROLE IN YOUR

SUCCESS

Time to value for on-premises

Time to value for cloud

Best tools, lack of in-house talent, speed and ease of deployment and use, user preferences


3. YOUR CLOUDVISION

How, when, and under what circumstances, you’re in SaaS, PaaS, and IaaS…

Finance

HR

Software Development

Storage CRM

ResearchRisk Management

Trading

Analysis


4. SAFE CLOUD

ENABLEMENT PLAN

Requirements, plan, policies (e.g., vendor assurance)


5. STRATEGIC ROADMAP,

RESOURCES, AND

OWNERS

Roadmap, stakeholders, sequence, resources…


6. PLAN FOR TRANSPAREN

CYAND

GOVERNANCE

Ongoing reporting to leadership and lines of business


In Summary…

Current State of Affairs

Cloud’s Role in Your Success

Your Cloud Vision

Safe Cloud Enablement Plan

Strategic Roadmap

Ongoing Governance, Transparency


So, “Dr. No” became a “Yes Man”

(and Vicken and Clark lived happily ever after)


THANK YOU!

6 steps to addressing your cloud security risks

Technology