Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant

© 2016 Blancco Oy Ltd. All Rights Reserved. Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant

Upload: blancco

Post on 14-Apr-2017


Category: Technology




Page 1: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant

Page 2: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant

MEET OUR SPEAKERS


• Russ Ernst, VP, Product Management, Blancco Technology Group
• Roger Grimes, Security Columnist, InfoWorld
• Alice MacGregor, Deputy Editor at the Stack

Page 3: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


What We’ll Cover:

Key Factors Driving Cloud Storage Adoption

Top Data Security Priorities in the Cloud

The Realities & Dangers of Shadow IT

Uncertainty of Data Loss/Theft and Need for Data Removal Can Exacerbate Security Risks

Why Regular Audits & Monitoring Can Help Thwart Security Threats

Data Erasure Is Key When Migrating Data & Decommissioning Data Centers

Page 4: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Enterprise Adoption of Cloud Storage Grows

Key Factors Driving Reliance on Cloud Storage:
• Migrating away from internal data centers
• Lower costs
• Greater flexibility
• Centralized IT control & management

Page 5: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Choosing the Right Cloud Storage Provider Isn’t Always Easy

• Know when to diversify & consolidate

• Think about the physical location of data

• Don’t overlook data security regulations

• Learn about all scenarios where data removal is essential

Page 6: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Fighting Off APTs, Compromised Credentials and Hacked Interfaces Are Top Cloud Security Priorities

Reasons Why Incomplete/Improper Data Removal Is Often Low Priority:
• Lack of understanding about the difference between insecure deletion and secure erasure
• Insufficient budgets to implement necessary policies, processes and tools
• Unaware of dangers that persist if/when data isn’t properly erased in various scenarios
• Incomplete view and management of data across its lifecycle

Page 7: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Live Poll

How confident are you that your IT team knows about all cloud storage providers being used?

• Very Confident
• Confident
• Somewhat Confident
• Not Confident

Page 8: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Shadow IT Is a Serious Problem for Organizations

Ways to Reduce Shadow IT:
• Identify where all data resides (in-house, data centers and in the cloud)
• Monitor if, where and when shadow IT occurs
• Monitor if employees install WiFi hotspots on company network
• Monitor network for known and unknown devices
• Establish guidelines for how cloud data is managed by cloud providers
• Conduct frequent, unscheduled audits of cloud providers
• Assess security of data in the cloud

Page 9: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Uncertainty of Data Loss/Theft & Need for Data Removal Looms

Important Scenarios When Data Removal Is Critical:
• When migrating to a new cloud provider
• When migrating from one physical server to another
• When servers or storage devices are being replaced
• When regulatory requirements dictate
• When customers based in EU cite “right to be forgotten”
• When terminating virtual machines in Infrastructure as a Service environments
• When spinning down unneeded development servers
• When cleansing data as part of regular document management and archiving practices
• After disaster recovery exercises are performed

Page 10: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Live Poll

How frequently do you conduct audits of your cloud storage providers?

• Once every month
• Once every 3 months
• Once every 6 months
• Once every 9 months
• Once a year
• Every 2-3 years
• Rarely
• Never
• I don’t know

Page 11: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Why Regular Audits & Monitoring Are Important

Page 12: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


UK Data Protection Act

Data Protection principles

Schedule 1 to the Data Protection Act lists the data protection principles in the following terms:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
   (a) at least one of the conditions in Schedule 2 is met, and
   (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Page 13: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


EU GDPR’s Right to Erasure

When does the right to erasure apply?

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When the individual withdraws consent.
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
• The personal data has to be erased in order to comply with a legal obligation.
• The personal data is processed in relation to the offer of information society services to a child.

Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

Page 14: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Cloud Industry recommendations for all providers

Data Life Cycle

According to the Cloud Security Alliance, it falls to “…the provider to keep that data secure, and when it is deleted, the provider should ensure (or be able to prove) that it is permanently destroyed.”

Page 15: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


ISO Security Standards impacting Data Centers and Cloud providers

Protection of privacy and personal data in the cloud - IMPLEMENTED in H2 2014

Includes:

• Cloud provider should enable the right to erase personal data.

• Cloud provider should securely erase any temporary files in systems.

• Cloud provider should ensure that whenever data storage space is re-assigned, previously residing data is not recoverable.

Page 16: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Data Erasure Is Key When Migrating Data & Decommissioning Data Centers

Page 17: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Blancco Data Erasure Management

LUNs and Virtual Machines


Page 18: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Why Blancco Data Erasure Solutions?

Blancco LUN | Blancco Virtual

Benefits:
• Automated erasure
• Simultaneous shredding of multiple units
• More cost effective than replacing or destroying hard drives
• Improved operational efficiencies
• Detailed reporting for audit trail and regulatory compliance

Benefits:
• Enhance existing cloud security offering (‘right to be forgotten’)
• Ensure compliance with customers’ internal requirements
• Drive compliance with regulatory requirements (e.g. PCI DSS, HIPAA, ISO 27001, EU GDPR, etc.)
• Detailed reporting for audit trail and regulatory compliance

Page 19: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant

Q&A

Page 20: Cloud Storage: How to Fight Off Data Security Threats & Stay Compliant


Content You May Find Useful:

“Lost in the Cloud: Data Security Challenges & Risks”: http://info.blancco.com/en-rs-lost-in-the-cloud-data-security-challenges-and-risks.html

“The CIO’s Guide to Optimizing Data Security in the Cloud”: https://www.blancco.com/resources/white-papers/optimizing-data-security-cloud/

“The Information End Game: What You Need to Know to Protect Corporate Data Throughout its Lifecycle”: http://www2.blancco.com/en/white-paper/the-information-end-game-what-you-need-to-know-to-protect-corporate-data