Cloud Data Protection Guidance - V1 Draft

DATA PROTECTION AND THE CLOUD
V.Jay LaRosa, VP Global Security Architecture

Posted on 06-Feb-2016

DESCRIPTION

CSA NY Metro Meeting 4/2015

TRANSCRIPT

Page 1: Cloud Data Protection Guidance - V1 Draft

DATA PROTECTION AND THE CLOUD

V.Jay LaRosa

VP Global Security Architecture

Page 2: Cloud Data Protection Guidance - V1 Draft

Basic Data Protection Principles

Data Classification:
• What is it?
• Who/What generated it?
• Where is it stored?
• What controls access to it?
• Who should have access to it?
• What should they be able to do with it?
• When should access be reviewed?
• Should it be encrypted/masked?

Logging: the 5 W's (Who, What, When, Where, Why)

Retention: How long should it be retained?

Page 3: Cloud Data Protection Guidance - V1 Draft

The realities of the complexity

Unilateral Challenges
• Cloud services cannot be blocked or controlled
• Lack of heterogeneous, transparent controls
• Lack of enabling technologies
• Lack of data classification
• Data fluidity and sprawl
• Ability to access the network from anything
• Corporate vs. personal data?
• Lack of critical data asset and repository inventory
• Inability to monitor data access across the spectrum
• Inability to apply ubiquitous controls and policies
• Inability to attest to access rights

Page 4: Cloud Data Protection Guidance - V1 Draft

Problem – Breaches are increasing in sophistication and success rate (timeline shown: 2010 to 2014)

2014 Most Significant Breaches
• Sony – ~100TB of data stolen, down for days, critical systems destroyed via malware
• JPMC – 76 million US households, 7 million SMBs
• eBay – 145 million records, $250M hit to 2014 revenue
• Target – 40M payment cards plus 70M customer records, profits down 46% in the following quarter
• Home Depot – 56M payment cards, 53M email addresses

Page 5: Cloud Data Protection Guidance - V1 Draft

My Role – Dual Concerns for Security

SaaS Cloud Provider

Cloud Consumer

Page 6: Cloud Data Protection Guidance - V1 Draft

Cloud Provider – Security Concerns

• Infrastructure
• Operations
• Availability
• Scalability
• Data Protections

Page 7: Cloud Data Protection Guidance - V1 Draft

Cloud Consumer – Security Concerns

• Monitoring/Identification
• Access Management
• Encryption/Key Management
• Data Protections

Page 8: Cloud Data Protection Guidance - V1 Draft

Cloud Provider – Data Protections

Security controls and threats by layer (the slide's headline: primary risk is the privileged user; threats arrive from both External and Internal actors)

Application Layer
  Security controls: Risk Based Authentication, Authorization, Privileged Identity Monitoring, Data Masking, Encryption, ASM/IDS/SIEM, Pen Testing
  Threats: Privileged user abuse (account takeover, add additional users, grant additional rights, unmask and steal data); Application attacks (SQLi, XSS, XSRF)

OS Layer
  Security controls: End Point Security, Authentication, Locally Managed Authentication, IDS/SIEM, Policy Compliance Tools, Privileged Identity Monitoring, Identity and Account Management
  Threats: Privileged user abuse (account takeover, add additional user, grant additional rights, steal data); System level attacks (buffer overflow)

Filesystem Layer
  Security controls: Authorization (OS ACLs), SIEM, File Integrity Monitoring, Host Based Integrity Verification

Database Layer
  Security controls: Identity and Account Management, Authorization (DB ACLs), Policy Compliance Tools, Privileged Identity Monitoring, SIEM, DB Log Monitoring, Host Based Integrity Verification

Threats for the Filesystem and Database layers (one shared box on the slide): Privileged user abuse (account takeover, add additional user, grant additional rights, steal data); Service level attacks (buffer overflow)

Primary Risk is Privileged User (External and Internal)

Page 9: Cloud Data Protection Guidance - V1 Draft

Cloud Consumer – Data Protections

Requirement                            Deliverable
Monitoring and Cloud Usage Analytics   Passive technology to analyze existing logs to monitor cloud service usage and identify/evaluate risk
Access Management                      Integration to cloud providers with the standard ADP IT federation process
Data Protection                        Transparent encryption of data going to cloud providers, with encryption keys stored at ADP
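The monitoring deliverable above (passive analysis of existing logs to find and risk-rate cloud service usage) can be prototyped against ordinary web-proxy logs before any CASB is bought. The following is an added example, not code from the talk or from ADP: the service catalog, its sanctioned flags and risk ratings, the log line format and the log lines themselves are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog of cloud services. Names, sanctioned flags and risk
# ratings are assumptions for this example, not any real corporate catalog.
SERVICE_CATALOG = {
    "box.com":          {"name": "Box",          "sanctioned": True,  "risk": "low"},
    "dropbox.com":      {"name": "Dropbox",      "sanctioned": False, "risk": "medium"},
    "drive.google.com": {"name": "Google Drive", "sanctioned": False, "risk": "medium"},
    "pastebin.com":     {"name": "Pastebin",     "sanctioned": False, "risk": "high"},
}

# Constructed web-proxy log excerpt (not real traffic):
# timestamp  user  method  url  status  bytes sent by the client
SAMPLE_LOG = """\
2015-04-14T09:02:11Z jdoe   POST https://www.box.com/api/2.0/files/content 201 5242880
2015-04-14T09:03:40Z jdoe   GET  https://www.box.com/folder/1234 200 512
2015-04-14T09:10:05Z asmith POST https://www.dropbox.com/upload 200 31457280
2015-04-14T09:12:19Z asmith POST https://www.dropbox.com/upload 200 10485760
2015-04-14T09:15:00Z bwong  POST https://pastebin.com/post.php 200 20480
2015-04-14T09:16:33Z bwong  GET  https://intranet.example.com/wiki 200 1024
2015-04-14T09:20:01Z cjones PUT  https://drive.google.com/upload 200 204800
this line is malformed and must be skipped, not crash the analyzer
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def match_service(host):
    """Return the catalog key that is a domain suffix of host, or None.
    Most specific suffix first, so drive.google.com wins over google.com."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_CATALOG:
            return candidate
    return None


def parse_line(line):
    """Parse one proxy log line into a dict; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def analyze(log_text):
    """Aggregate per service: distinct users, upload requests, bytes uploaded."""
    usage = defaultdict(lambda: {"users": set(), "uploads": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = match_service(rec["host"])
        if key is None:
            continue  # not a catalogued cloud service (e.g. the intranet)
        entry = usage[key]
        entry["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            entry["uploads"] += 1
            entry["bytes_out"] += rec["bytes"]
    return dict(usage)


def findings(usage, bulk_upload_bytes=1_000_000):
    """Risk-rank unsanctioned services; bulk uploads escalate to high
    regardless of the catalog rating, largest data movement first."""
    out = []
    for key, entry in usage.items():
        meta = SERVICE_CATALOG[key]
        if meta["sanctioned"]:
            continue
        severity = "high" if entry["bytes_out"] >= bulk_upload_bytes else meta["risk"]
        out.append({
            "service": meta["name"],
            "severity": severity,
            "users": sorted(entry["users"]),
            "uploads": entry["uploads"],
            "bytes_out": entry["bytes_out"],
        })
    return sorted(out, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['service']:13} users={f['users']} "
              f"uploads={f['uploads']} bytes_out={f['bytes_out']}")
```

Only upload methods count toward data movement, which is what matters for the "what data is leaving" question; reads of a sanctioned service are still recorded so the user population per service is visible for the access review. The suffix match is deliberately conservative: a host that is not in the catalog is ignored rather than guessed, so the catalog is the thing to curate.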

Page 10: Cloud Data Protection Guidance - V1 Draft

Cloud Provider – Data Protection Challenges

Two Types of Cloud SaaS Providers

1) Stores – Provider does not need client data visibility. Encrypt: easier
2) Processes – Provider MUST have visibility to client data. Encrypt: harder

Page 11: Cloud Data Protection Guidance - V1 Draft

Cloud Consumer – Data Protection Challenges

Data
• What users are accessing the cloud?
• Who else can access the same cloud?
• What data should be allowed to go to the cloud?
• Once data is in the cloud, where else can/does it go?

Cloud
• Can I trust the cloud provider?
• What controls does the provider expose to me?
• How many different control sets do I want?

Page 12: Cloud Data Protection Guidance - V1 Draft

Cloud Provider – Data Protection Options

© Copyright 2014 ADP, Inc. Proprietary and Confidential Information.

Page 13: Cloud Data Protection Guidance - V1 Draft

Cloud Provider – Data Protection Challenges


Solution: Integrated Application Encryption

Benefits
o Highest level of protection from privileged user attack
o Policy/Encryption keys held "in house"
o Flexibility in applied encryption strategies (FPE, tokenization, etc.)
o Scalability and level of protection determined by the key implementation strategy
o A proper data dis-association strategy reduces the number of data elements requiring encryption
o Properly protected data is easily available for downstream test/development with no obfuscation required
o Data destruction accomplished through key destruction ("crypto-shredding") for "forget my data" laws/regulations; this only erases data that was encrypted under the destroyed key, so plaintext copies, backups and logs outside that scope must be handled separately

Challenges
o Doesn't scale to allow the customer to own the controls
o Massive inter-application data integration
o Downstream support processes impacted
o Additional development and support costs
o Performance impact must be accounted for in the application infrastructure stack
o Proper key management practices must be implemented and validated routinely
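The integrated application encryption pattern above, reduced to its moving parts: keys held in house, one data encryption key per data subject so that "forget my data" is a key destruction, a token that dis-associates the stored record from the subject, and ciphertext that downstream test/development can hold without ever seeing plaintext. The same in-house key pattern is what the Page 9 deliverable ("encryption keys stored at ADP") relies on when data goes to a Type 1 (stores) provider. This is an added example, not ADP's implementation and not code from the talk: the record layout, the field classification, the KeyStore API and the HMAC-SHA256 counter-mode cipher are assumptions, and the cipher is a standard-library stand-in so the example runs without extra packages; a production system would use a real AEAD such as AES-GCM behind the same interface.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed classification outcome for the example: these record fields were
# answered "encrypt" on the data classification questions; the rest stay clear.
SENSITIVE_FIELDS = ("ssn", "salary")


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode; returns n keystream bytes."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, aad, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. Standard-library
    stand-in for AES-GCM (assumption for this example, not a recommendation)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, aad, blob):
    """Verify the tag in constant time before decrypting; raises on tampering or wrong aad."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """In-house key service: one data encryption key (DEK) per data subject, kept
    only wrapped under a key encryption key (KEK), plus the token vault that
    dis-associates stored records from the subject identifier."""

    def __init__(self, kek):
        self._kek = kek
        self._wrapped = {}     # subject_id -> wrapped DEK
        self._token_of = {}    # subject_id -> token
        self._subject_of = {}  # token -> subject_id

    def enroll(self, subject_id):
        """Issue a DEK and token on first sight; idempotent afterwards."""
        if subject_id not in self._wrapped:
            self._wrapped[subject_id] = seal(self._kek, subject_id.encode(), secrets.token_bytes(32))
            token = secrets.token_hex(8)
            self._token_of[subject_id], self._subject_of[token] = token, subject_id
        return self._token_of[subject_id]

    def dek(self, subject_id):
        if subject_id not in self._wrapped:
            raise KeyError(f"no key for subject {subject_id!r}: destroyed or never issued")
        return unseal(self._kek, subject_id.encode(), self._wrapped[subject_id])

    def subject_for(self, token):
        return self._subject_of[token]  # KeyError once the link is destroyed

    def forget(self, subject_id):
        """'Forget my data' by crypto-shredding: destroy the wrapped DEK and the token
        link. Ciphertext may remain in every store, backup and test copy; it is unrecoverable."""
        self._wrapped.pop(subject_id, None)
        self._subject_of.pop(self._token_of.pop(subject_id, None), None)


def protect(store, subject_id, record):
    """Application-layer encryption: tokenize the subject id and encrypt classified
    string fields under the subject's DEK, binding each ciphertext to subject and field."""
    token = store.enroll(subject_id)
    key = store.dek(subject_id)
    out = {"subject": token}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            value = base64.b64encode(seal(key, f"{subject_id}:{field}".encode(), value.encode())).decode()
        out[field] = value
    return out


def reveal(store, protected):
    """Authorized read path: resolve token to subject, fetch the DEK, decrypt classified fields."""
    subject_id = store.subject_for(protected["subject"])
    key = store.dek(subject_id)
    out = {"subject": subject_id}
    for field, value in protected.items():
        if field == "subject":
            continue
        if field in SENSITIVE_FIELDS:
            value = unseal(key, f"{subject_id}:{field}".encode(), base64.b64decode(value)).decode()
        out[field] = value
    return out
```

Two design choices carry the slide's claims. Binding the subject id and field name into the authenticated data means a privileged user who can rewrite the database cannot move a ciphertext from one column or one subject to another and have it decrypt; it fails verification instead. Keying per subject is what makes key destruction a per-person erasure rather than an all-or-nothing one, and it keeps the blast radius of a leaked DEK to one subject. The KeyStore is the thing that must stay in house and be backed up with care: lose the KEK or the wrapped-key table and every protected record is shredded at once.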

Page 14: Cloud Data Protection Guidance - V1 Draft

Cloud Consumer – Data Protection Options

Page 15: Cloud Data Protection Guidance - V1 Draft

Cloud Consumer – Data Protection Options: Type 1 SaaS Cloud Provider

Solution | Good For | Solves For | Benefits | Challenges

Proxy Based Cloud Access Brokers (CASB)
  Good for: Cloud Consumers
  Solves for: Type 1 Cloud Provider (Stores)
  Benefits:
  o Easy to deploy
  o Policy/Encryption keys held "in house"
  Challenges:
  o Creates reliance on the corporate network for cloud accessibility
  o May require customization for cloud providers
  o Doesn't support all cloud providers out of the box
  o Single point of failure
  o Cloud usage monitoring technology deployed separately

Endpoint Cloud Access Broker
  Good for: Cloud Consumers
  Solves for: Type 1 Cloud Provider (Stores)
  Benefits:
  o No single point of failure
  o No reliance on the corporate network
  o Policy globally available via cloud replication
  o Encryption keys held "in house"
  o Complete visibility into cloud usage activity
  Challenges:
  o May require customization for cloud providers
  o Doesn't support all cloud providers out of the box
  o Requires packaging/management/deployment of an endpoint agent
  o Supporting infrastructure required for policy/encryption key replication and management

Page 16: Cloud Data Protection Guidance - V1 Draft

Cloud Consumer – Data Protection Options: Type 2 SaaS Cloud Provider

Solution | Good For | Solves For | Benefits | Challenges

NONE TODAY!!!!!

Page 17: Cloud Data Protection Guidance - V1 Draft

A brighter future someday?

(Diagram labels: Cloud, ADP Approved Devices, Enterprise Products)

Page 18: Cloud Data Protection Guidance - V1 Draft

50,000 Foot view of the situation

Data Classification:
• What is it?
• Who generated it?
• Where is it stored?
• What controls access to it?
• Who should have access to it?
• What should they be able to do with it?
• When should access be reviewed?
• Should it be encrypted/masked?

Logging: the 5 W's

Page 19: Cloud Data Protection Guidance - V1 Draft

Nirvana

Protection Principle                              Control Point
Data Classification: What is it?                  Metadata
Who/What generated it?                            Metadata
Where is it stored?                               Metadata
What controls access to it?                       Metadata
Who should have access to it?                     Metadata
What should they be able to do with it?           Metadata
When should access be reviewed?                   Metadata
Should it be encrypted/masked?                    Metadata
Logging: 5 W's (Who, What, When, Where, Why)      Metadata
How long should it be retained?                   Metadata

Control Requirements (common to every principle above):
1) Industry "adoptable" API controls framework
2) Endpoint agnostic agent (Servers, Workstations, Databases, Cloud Providers)
3) Enterprise class controls orchestration console

Page 20: Cloud Data Protection Guidance - V1 Draft

Nirvana

(Diagram: the data classification and logging questions from Page 18, repeated.)

Page 21: Cloud Data Protection Guidance - V1 Draft

Thank You!

V.Jay LaRosa

VP Global Security Architecture

ADP

[email protected]

508-962-1482