Cloud Data Protection Guidance - v1 draft
CSA NY Metro Meeting, 4/2015
DATA PROTECTION AND THE CLOUD
V.Jay LaRosa
VP Global Security Architecture
Basic Data Protection Principles
Data Classification:
What is it?
Who/What generated it?
Where is it stored?
What controls access to it?
Who should have access to it?
What should they be able to do with it?
When should access be reviewed?
Should it be encrypted/masked?
Logging: 5W’s (Who, What, When, Where, Why)
How long should it be retained?
The realities of the complexity
Unilateral Challenges
Cloud services cannot be blocked or controlled
Lack of heterogeneous transparent controls
Lack of enabling technologies
Lack of Data Classification
Data fluidity and sprawl
Ability to access the network from anything
Corporate VS. personal data?
Lack of critical data asset and repository inventory
Inability to monitor data access across the spectrum
Inability to apply ubiquitous controls and policies
Inability to attest to access rights
Problem – Breaches are increasing in sophistication and in how often they succeed
[Chart spanning 2010 to 2014]
2014 Most Significant Breaches
Sony – ~100TB of data stolen, down for days, critical systems destroyed via malware
JPMC – 80 Million US Households, 7 Million SMBs
eBay – 145 million records, $250M hit to 2014 revenue
Target – 70M Credit Cards, profits down 46%
Home Depot – 56M Credit Cards, 53M Email addresses
My Role – Dual Concerns for Security
SaaS Cloud Provider
Cloud Consumer
Cloud Provider – Security Concerns
Infrastructure Operations, Availability, Scalability
Data Protections
Cloud Consumer – Security Concerns
Monitoring/Identification
Access Management
Encryption/Key Management
Data Protections
Cloud Provider – Data Protections
Primary Risk is Privileged User (External and Internal)
Security Controls by layer:
Application Layer: Risk Based Authentication, Authorization, Privileged Identity Monitoring, Data Masking, Encryption, ASM/IDS/SIEM, Pen Testing
OS Layer: End Point Security, Authentication, Locally Managed Authentication, IDS/SIEM, Policy Compliance Tools, Privileged Identity Monitoring, Identity and Account Management
Filesystem Layer: Authorization (OS ACL’s), SIEM, File Integrity Monitoring, Host Based Integrity Verification
Database Layer: Identity and Account Management, Authorization (DB ACL’s), Policy Compliance Tools, Privileged Identity Monitoring, SIEM, DB Log Monitoring, Host Based Integrity Verification
Threats:
Privileged user abuse (Account takeover, Add additional users, Grant additional rights, Unmask and steal data); Application Attacks (SQLi, XSS, XSRF)
Privileged user abuse (Account takeover, Add additional user, Grant additional rights, Steal data); System Level Attacks (Buffer Overflow)
Privileged user abuse (Account takeover, Add additional user, Grant additional rights, Steal data); Service Level Attacks (Buffer Overflow)
Cloud Consumer – Data Protections
Requirement / Deliverable
Monitoring and Cloud Usage Analytics: Passive technology to analyze existing logs to monitor cloud service usage and identify/evaluate risk
Access Management: Integration to cloud providers with standard ADP IT Federation process
Data Protection: Transparent encryption of data going to cloud providers with encryption keys stored at ADP
Cloud Provider – Data Protection Challenges
Two Types of Cloud SaaS Providers:
1) Stores – Provider does not need client data visibility (Encrypt - Easier)
2) Processes – Provider MUST have visibility to client data (Encrypt - Harder)
Cloud Consumer – Data Protection Challenges
Data
• What users are accessing the cloud?
• Who else can access the same cloud?
• What data should be allowed to go to the cloud?
• Once data is in the cloud where else can/does it go?
Cloud
• Can I trust the cloud provider?
• What controls does the provider expose to me?
• How many different control sets do I want?
Cloud Provider – Data Protection Options
© Copyright 2014 ADP, Inc. Proprietary and Confidential Information.
Solution / Benefits / Challenges
Solution: Integrated Application Encryption
Benefits:
o Highest level of protection from privileged user attack
o Policy/Encryption Keys held “in house”
o Flexibility in applied encryption strategies (FPE, Tokenization, Etc)
o Scalability and level of protection determined by key implementation strategy
o Proper data dis-association strategy reduces amount of data elements requiring encryption
o Properly protected data easily available for downstream test/development with no obfuscation required
o Data destruction accomplished through key destruction for “forget my data” laws/regulations
Challenges:
o Doesn’t scale to allow the customer to own the controls
o Massive inter-application data integration
o Downstream support processes impacted
o Additional development and support costs
o Performance impact must be accounted for in application infrastructure stack
o Proper Key management practices must be implemented and validated routinely
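As an added example (not from the talk or from ADP), the “data destruction through key destruction” benefit above, shown as crypto-shredding: per-customer keys stay in the consumer’s key store while only key ids and ciphertext sit at the provider, so deleting the key makes the stored records unrecoverable without the provider doing anything. The KeyVault, the record layout and the sample SSN value are constructed for this example, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM because the Python standard library ships no AES.

```python
import hashlib, hmac, os, struct

class KeyVault:
    """Consumer-side key store: keys stay 'in house'; only key ids travel to the cloud."""
    def __init__(self):
        self._keys = {}
    def create(self, customer_id):
        kid = f"{customer_id}:{os.urandom(4).hex()}"
        self._keys[kid] = os.urandom(32)
        return kid
    def get(self, kid):
        return self._keys[kid]            # KeyError once the key has been shredded
    def shred(self, kid):
        self._keys.pop(kid, None)         # "forget my data": destroy the key, not the ciphertext

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES; domain byte 0x00).
    blocks = (hmac.new(key, b"\x00" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(key, kid, nonce, ct):
    # Encrypt-then-MAC tag, bound to the key id so a record cannot be replayed under another key.
    return hmac.new(key, b"\x01" + kid.encode() + nonce + ct, hashlib.sha256).digest()

def encrypt_record(vault, kid, plaintext):
    key, nonce = vault.get(kid), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"kid": kid, "nonce": nonce, "ct": ct, "tag": _tag(key, kid, nonce, ct)}

def decrypt_record(vault, rec):
    key = vault.get(rec["kid"])           # raises KeyError if the customer's key was shredded
    if not hmac.compare_digest(_tag(key, rec["kid"], rec["nonce"], rec["ct"]), rec["tag"]):
        raise ValueError("record tampered or wrong key")
    return bytes(c ^ k for c, k in zip(rec["ct"], _keystream(key, rec["nonce"], len(rec["ct"]))))

def demo():
    vault, cloud = KeyVault(), {}         # 'cloud' stands in for the provider's storage
    kid = vault.create("cust-42")
    secret = b"SSN=123-45-6789"           # constructed sample value
    cloud["row-1"] = encrypt_record(vault, kid, secret)
    roundtrip = decrypt_record(vault, cloud["row-1"])
    vault.shred(kid)                      # customer invokes "forget my data"
    try:
        decrypt_record(vault, cloud["row-1"])
        recoverable = True
    except KeyError:
        recoverable = False
    return {"roundtrip": roundtrip, "provider_sees_plaintext": cloud["row-1"]["ct"] == secret,
            "recoverable_after_shred": recoverable, "ciphertext_still_stored": "row-1" in cloud}
```

The ciphertext is still at the provider after `shred`, which is the point: the “forget my data” obligation is met by the key holder without relying on the provider’s deletion process.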
Cloud Consumer – Data Protection Options
Cloud Consumer – Data Protection Options: Type 1 SaaS Cloud Provider
Solution / Good For / Solves For / Benefits / Challenges
Solution: Proxy Based Cloud Access Brokers (CASB)
Good For: Cloud Consumers
Solves For: Type 1 Cloud Provider: Stores
Benefits:
o Easy to deploy
o Policy/Encryption Keys held “in house”
Challenges:
o Creates reliance on corporate network for cloud accessibility
o May require customization for cloud providers
o Doesn’t support all cloud providers out of the box
o Single point of failure
o Cloud usage monitoring technology deployed separately
Solution: Endpoint Cloud Access Broker
Good For: Cloud Consumers
Solves For: Type 1 Cloud Provider: Stores
Benefits:
o No single POF
o No reliance on corporate network
o Policy globally available via cloud replication
o Encryption Keys held “in house”
o Complete visibility into cloud usage activity
Challenges:
o May require customization for cloud providers
o Doesn’t support all cloud providers out of the box
o Requires packaging/mgt/deployment of endpoint agent
o Supporting infrastructure required for policy/Encryption Key replication and management
Cloud Consumer – Data Protection Options: Type 2 SaaS Cloud Provider
Solution / Good For / Solves For / Benefits / Challenges: NONE TODAY!!!!!
A brighter future someday?
[Diagram: Cloud, ADP Approved Devices, Enterprise Products]
50,000 Foot view of the situation
Data Classification:
What is it?
Who generated it?
Where is it stored?
What controls access to it?
Who should have access to it?
What should they be able to do with it?
When should access be reviewed?
Should it be encrypted/masked?
Logging: 5W’s
Nirvana
Protection Principle / Control Point / Control Requirements
Data Classification: What is it? – Metadata
Who/What generated it? – Metadata
Where is it stored? – Metadata
What controls access to it? – Metadata
Who should have access to it? – Metadata
What should they be able to do with it? – Metadata
When should access be reviewed? – Metadata
Should it be encrypted/masked? – Metadata
Logging: 5W’s, Who, What, When, Where, Why – Metadata
How long should it be retained? – Metadata
Control Requirements (for all principles):
1) Industry “adoptable” API controls framework
2) Endpoint agnostic agent (Servers, Workstations, Databases, Cloud Providers)
3) Enterprise class controls orchestration console
Thank You!
V.Jay LaRosa
VP Global Security Architecture
ADP
508-962-1482