Your Data Center Boundaries Don’t Exist Anymore!


Upload: emc-academic-alliance

Post on 29-Nov-2014


DESCRIPTION

In the pre-cloud era, data centers were simpler to define and restrict. As organizations move to public, private, and hybrid clouds, they have to account for internal, industrial, and government compliance initiatives and oversight that impacts data center architecture and information flow. This session describes data center challenges in the Cloud Era and articulates real-life best practices to address those challenges.

TRANSCRIPT

Page 1: Your Data Center Boundaries Don’t Exist Anymore!

1 © Copyright 2012 EMC Corporation. All rights reserved.

Your Data Center Boundaries Don’t Exist Anymore!

Joram Borenstein (CISSP, CISA) Director, Compliance & Risk Management RSA, The Security Division of EMC

Page 2

Agenda

Boundaries don’t exist … let me prove it to you!

A Cautionary Tale: What This Presentation is NOT About

Proof-Points (aka “Critical Issues in Oversight & Compliance”)

OK, So What’s Going On Here?

Real-Life Best Practices to Mitigate These Challenges

Conclusion: Open Questions

Page 3

Boundaries

Page 4

Boundaries: In Our Personal Lives

Page 5

Boundaries: In Our Devices

Page 6

Boundaries: Employees’ Access to Cloud

Amazon

VMWare

Google

salesforce.com

Mozy

DropBox

Facebook

EverNote

… and others

Page 7

What This Presentation Is NOT About

Page 8

What This Presentation is NOT About

Using Virtualization for new-fangled Data Center tricks

New Product Announcements

How to re-architect your Data Center

It is about:
– Compliance
– Auditing
– Adjustments in organizational culture

Page 9

Data Center Compliance Challenges

Visibility – Lack of visibility into servers, storage or network infrastructure

Automation – Difficult to validate technical control measurement

Audit – No centralized record keeping as audit trail

Virtualization – New abstraction layers complicate compliance validation

Page 10

Proof-Points

Page 11

Proof: Press & Analyst Community #s

“Morgan Stanley estimates the percentage of IT departments using the public cloud to rise from 28% in 2011 to 51% by 2014.”

– (April 2012 source: http://www.marketwatch.com/story/mozy-expanding-cloud-footprint-within-enterprise-2012-04-10 )

“More Than One-Third of IT Budgets Now Spent on Cloud” – (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/ based on IDG Enterprise Cloud Computing Study (Jan 2012))

“55% ... are using cloud in some capacity today” – (Feb 2012 source: http://www.thedatachain.com/news/2012/2/mid_size_businesses_lead_the_way_in_cloud_adoption )

Page 12

Proof: Start-Up Funding

No boundaries lead to … lots of concern (risk scenarios)

Thesis: basic security building blocks for clouds

Sample Companies
– CloudSwitch (now VRZN/TRMK)
– enStratus
– Vaultive
– PerspecSys
– Co3Sys
– salesforce.com (acquiring Navajo Systems)
– Gazzang
– High Cloud Security
– Many others …

Some of these are simple email encryption gateway vendors

Some assist with migration from legacy OP to cloud

Page 13

Proof: An Increasing # of Certifications…

AICPA (American Institute of Certified Public Accountants)

AT 101 = Attest Engagements

3 new reporting designations (“Service Organization Control (SOC) reports”)
– SOC 1
– SOC 2
– SOC 3

FYI … SAS-70 = SOC 1 = ISAE-3402

Page 14

Certifications: General Questions

What does my business do?

Who are my customers?

What are they buying from me?

What sort of customer information do/will I have?

What guarantees/confidence do my customers need from my company?

What certifications do my competitors have?

What IT certifications do my financial auditors recommend I get?

Do I have an IT auditor? Should I? I thought this was only for PII and PHI data such as PCI and HIPAA?

OK, so I chose a SOC 1 … now do I need a Type 1 or a Type 2?

SOC 1 Type 2?

SOC 2 Type 1?

SOC 3?

Page 15

Certifications: Data Center–Specific Questions

Am I prepared as an organization to go through an IT audit?
– Do I have a consistent set of controls in place?

Can I get my DC provider to answer IT audit questions?
– What does my contract allow?

Does my DC provider have its own certifications?
– Which one(s)?
– Do they suffice?

What is my DC architecture?
– Is it still applicable?
– Is the IT Auditor going to understand it? Agree with it? Allow it?

Page 16

OK, So What’s Going On Here?

Page 17

Do Your Own People Understand These Issues?

“In-The-Trenches” personnel
– Can they articulate the changes?

Your Sales Force
– Are they aware of how to talk with customers?
– Of how contracts might need to change?

Your Legal Department
– Are they aware of new privacy legislation?
– Are they aware of new compliance needs?

Senior Management
– Do they understand the risks?
– Can they articulate a vision to customers, partners, and employees?

Your HR Team
– “7/10 think their IT departments need to expand their skills to keep up with cloud trends.” – (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/ based on IDG Enterprise Cloud Computing Study (Jan 2012))

Page 18

What Are the Compliance Implications?

Industrial
– Consortia
– Standards groups

Governmental
– Within your own country
– In other countries you do business in

Internal
– Audit
– Compliance

Page 19

What Are the Regulatory Issues?

Forbidding certain countries

Scoping audits

Virtualization – … makes this more complicated for most people

“Elastic” environments

Shared equipment

Page 20

What Are the Governance Issues?

Are we prepared?

Do we understand the implications?

Do our existing models still work?

Should we include our service providers within our governance model?

Page 21

Real-Life Best Practices to Mitigate These Challenges

Page 22

Real-Life Best Practices to Mitigate These Challenges

1. Educate EVERYONE

2. Re-assess contractual agreements with Service Providers

3. Keep Track of Certifications

4. Keep Track of New Legislation

5. Pick a set of controls which are adaptive

Page 23

#1: Educate Everyone

Yes … this takes time

Yes … people won’t understand you at first

Especially the executives!!
– Helps $
– Helps when escalations occur
– Just plain helps to provide transparency

The Legal Team is your friend

Why Is This Important?
– You will need these people!
– Decisions across functions will be impacted by these realities
– These teams will eventually have to adjust

Page 24

#2: Re-Assess Contracts

With Whom?
– Data Center providers
– Service providers
– Customers

Why?
– You have new risks to consider!
– Contractual language may no longer be applicable
– SLAs take on new meaning in new contexts
– You (might) need new protections

Page 25

#3: Keep Track of New Certifications

What do your customers want?

What does your Internal Audit Team demand?

What do your IT Auditors recommend?

What do your financial auditors recommend?

What are you committed to contractually?

Page 26

#4: Keep Track of New Legislation

Cloud-related legislation is appearing in many places

Here’s one recent example

European Commission (Jan 2012)

Revising the EU’s 1995 Data Protection Directive

“ ... the transfer of data to third countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.” (source: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm)

Page 27

#5: Pick a Control Set(s)

Which adapts as your needs change

Which has industry support

Which makes sense for your organization

Which your customers will respect & support

Keep track of new sets coming out – e.g. HITRUST in the US is not only for healthcare

Re-visit alternative control set(s) regularly

Consider layering them on top of one another

Page 28

Conclusion: Open Questions

Page 29

Conclusion:

There are emerging best practices that will help in managing the “data center without boundaries”

– An effective strategy based on governance, controls and visibility is essential.

There are still lots of open questions
– What impact will regulatory changes have?
– How do you articulate your vision of the data center without boundaries?

Get involved
– Participate in working groups from consortia and others
– Attend events such as these to hear about new revelations and innovations
– Comment on privacy legislation

Page 30

Provide Feedback & Win!

125 attendees will receive $100 iTunes gift cards. To enter the raffle, simply complete:

– 5 session surveys
– The conference survey

Download the EMC World Conference App to learn more: emcworld.com/app
