Data Security: Best Practices in the Hybrid Cloud | fpwebinar

Upload: fpweb

Post on 12-Jan-2015

Category:

Technology


DESCRIPTION

Presentation from our latest webinar entitled "Data Security: Best Practices in the Hybrid Cloud" with CipherPoint. In this webinar we focused on security in an Office 365/Dedicated hybrid cloud model. Organizations need to consider the confidentiality and availability implications of SharePoint when offered by a private hosting provider as opposed to a public Cloud offering. These differences include data residency, your ability to perform due diligence, and confidentiality/availability guarantees. Restricted information, however, needs to be secured no matter where it’s stored and processed. Watch our discussion of private and public hosted SharePoint offerings and the strategies you can use to architect a hybrid approach to meet both your business and security objectives.

TRANSCRIPT

Page 1: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Please direct any questions to us via Twitter using hashtag #fpwebinar

Data Security: Best Practices in the Hybrid Cloud

Page 2: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar
Page 3: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Data Security: Best Practices in the Hybrid Cloud

Page 4: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Please direct any questions to us via Twitter using hashtag #fpwebinar

We want to hear from you!

Page 5: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

What’s in this Fpwebinar?

A Strategy for Data Security

Cloud Adoption

Cloud Security Challenges

Closing the Gaps

Page 6: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Jesse Roche, Vice President, Sales, Fpweb.net

Mike Fleck, CEO, CipherPoint

Page 7: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

POLL: Which deployment option is your organization currently using or planning to use in the next 12 months?

On-Prem, Private Cloud Only, Public Cloud Only, Hybrid

Page 8: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Data Security transcends the Cloud.

Restricted information needs security wherever it resides.

Page 9: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

POLL: Do you have a strategy for securing data?

Yes, No, or Not Sure

Page 10: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Information Security Program

OVERALL PRINCIPLES & CONTROLS

NETWORK

HOSTING

APPLICATION

DATA

DEVICE

PHYSICAL

HUMAN

COMPLIANCE

INCIDENT RESPONSE

Page 11: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Information Security Program

OVERALL PRINCIPLES & CONTROLS

DATA

DEVICE

• LEAST PRIVILEGE DESIGN

• SEPARATION OF DUTIES PRINCIPLE

• UNIQUE USER IDENTITIES, NO SHARED ACCOUNTS

• COMPLEX PASSWORDS, NEVER SENT AS CLEAR TEXT

Page 12: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Information Security Program

OVERALL PRINCIPLES & CONTROLS

NETWORK

HOSTING

APPLICATION

DATA

DEVICE

• NETWORK FIREWALLS AND SEGMENTATION

• NETWORK MONITORING

• PENETRATION TESTING & VULNERABILITY SCANNING

• INTRUSION DETECTION

• PATCH MANAGEMENT

• ANTI-VIRUS, ANTI-MALWARE

Page 13: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Information Security Program

OVERALL PRINCIPLES & CONTROLS

NETWORK

HOSTING

PHYSICAL

HUMAN

COMPLIANCE

INCIDENT RESPONSE

• BUILDING ACCESS CONTROL, VISITOR LOGS

• PHYSICAL DATA CENTER SECURITY

• EMPLOYEE SCREENING

• EMPLOYEE AWARENESS TRAINING, JOB DESCRIPTIONS

Page 14: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Information Security Program

OVERALL PRINCIPLES & CONTROLS

NETWORK

HOSTING

PHYSICAL

HUMAN

COMPLIANCE

INCIDENT RESPONSE

• INCIDENT RESPONSE POLICY, ANNUAL TESTING

• CORPORATE INFORMATION SECURITY POLICY

• THIRD PARTY AUDITING AND ACCREDITATION

• DESIGNATED COMPLIANCE OFFICER/TEAM

Page 15: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Ownership of Controls

Controls On-Premises Private Cloud Public Cloud

Network

Hosting

Application Shared

Data Shared

Device

Physical

Human

Compliance Shared Shared

Incident Response Shared Shared

Page 16: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Cloud as Anti-Security

• Data Loss Prevention

• Network Access Control

• Network Perimeter

Page 17: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Trust but verify.

Always perform your due diligence on the Cloud Service Provider

Page 18: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Topics for Due Diligence

Maturity of controls and principles

Uptime statistics and Service Level Agreements

Third party access: Subcontractors & Foreign and domestic governments

Data destruction and remanence

Privileged user controls and monitoring

Page 19: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Facts of Public Cloud Providers

• Superior economies of scale achieved through cookie cutter offering

• Highly limited ability to perform due diligence

• Highly limited ability to customize

• Lower service levels

• High volume of compelled disclosures

Page 20: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Beware of CSP Spin

Page 21: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Microsoft does it too

Page 22: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Point by Point

Microsoft provided information for 79% of requests for data from foreign and domestic law enforcement agencies
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/03/06/microsoft-releases-2013-law-enforcement-requests-report.aspx

Microsoft database administrators, by definition, have access to all the resources on a database, including customer data
http://www.microsoft.com/online/legal/v2/?docid=24

Microsoft honored legal orders for data belonging to 15 businesses
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/

US ordered MS to hand over customer data stored in Ireland
http://www.bbc.co.uk/news/technology-27191500

Page 23: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

So, what do we do?

Page 24: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Triage the Data

COST EFFICIENCIES

TRUST

On-Premises Hosted / Private Cloud Public Cloud

Page 25: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

The Gaps

Controls On-Premises Private Cloud Public Cloud

Network

Hosting

Application

Data Shared

Device

Physical

Human

Compliance Shared Shared

Incident Response Shared Shared

Page 26: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Please direct any questions to us via Twitter using hashtag #fpwebinar

Q&A

Data Security: Best Practices in the Hybrid Cloud

Page 27: Data Security: Best Practices in the Hybrid Cloud | Fpwebinar

Thank you!

Twitter @fpweb • [email protected] • www.fpweb.net

Please fill out the survey as you exit the webinar and help us choose the next topic!

Also, CipherPoint is giving away $5 gift cards to the first 50 people to complete their survey and everyone is entered to win a $50 gift card.

Link to survey will be in the webinar recording email you will receive and in the chat pane.