@Zulfikar_Ramzan
CTO, Elastica
Renee Murphy
Sr. Analyst, Forrester
Agenda
› Cloud Compliance Landscape
› Industry Segments at Risk
› Corporate Liability with Cloud Technology
› Cloud Providers’ Role in Compliance
› Technical Challenges with Traditional Solutions
› 2015 Predictions
› Best Practices
Cloud Compliance Landscape
Q: Why is compliance in the cloud worth discussing?
© 2014 Forrester Research, Inc. Reproduction Prohibited
Forecast: Global Public Cloud Market Size, 2011 To 2020
April 2011 “Sizing The Cloud”
Data Governance
S&R Pros Must Adapt Strategies And Controls For Virtualization, Cloud Adoption (Cont.)
May 2014 “Brief: S&R Pros Remain Unprepared To Address Virtualization And Cloud Security Risks”
What About Enterprise-Grade Apps?
Q: Is this concern focused only on “rogue” apps or Shadow IT? What about “enterprise-grade” SaaS?
Shadow Data: Not Just About Rogue Apps Anymore
Mainstream adoption of “legitimate” apps
But… no understanding of where the data is
• Roughly 9% of files are broadly shared
• Of these, 68% are shared company wide, 19% shared externally, 13% shared publicly
• Speaks to ease of sharing!
Who Should Care?
Q: Which types of organizations should care? Is it just heavily regulated companies, or is it everyone?
Who should care?
› Regulated Industries
• Government
• Banking
• Healthcare
• Insurance
› Non-Regulated Industries
• Retail
• Non-profits
• NGO
• Technology
Healthcare Security Must Mature
Research Hospitals Will See More Breaches
FTC Will Find Its Opening with Wearables
Liability
Q: What liability do corporations have as their data moves to the cloud?
Cloud Liabilities
› What liability do corporations have as their data moves to the cloud?
› Typical Civil Liabilities
• Contractual
• Data Protection
• Intellectual Property
Liability and Cyber Insurance
› Statistics about breaches from five years ago are worthless today.
› Target
• $100 million in insurance with a $10 million deductible.
• Cost to date $88 million and insurance will cover $58 million of that.
› $1.3 billion in premiums were paid last year
› No idea how to assess cloud providers
› No idea how aggregation into cloud infrastructure impacts risk. (Amazon’s breach is many companies’ breaches.)
› Make sure you have at least $100 million in cyber insurance
Current State of Cloud Monitoring
Q: Given the liability, what are companies doing today?
Cloud Monitoring
Role of Cloud Providers
Q: Can cloud providers offer the necessary protections for compliance?
Technical Risk: Front vs. Back Door
› Cloud providers focus on the back door.
› The front door poses the most real risk.
› Need to protect both!
Threats pictured: malware, insider threats, phishing.
Cloud vs. Non-Cloud Processes
Q: What were companies doing before to handle these issues? What process changes are needed?
Cloud vs. Non-Cloud
› It’s all the same, no matter where the data resides.
• Data classification
• Risk Management
• Third Party Risk Management
• Endpoint Management
• IAM
Migration Requirement
› Old strategies are not the same in the cloud.
• Don’t look to the BC/DR plan to tell you what goes into the cloud.
› Development, QA, Marketing
• Data Classification is a must, especially from a liability perspective
• Monitor, Monitor, Monitor.
Cloud vs. Non-Cloud Technical Differences
Q: Why do traditional solutions no longer work for cloud services?
Traditional Solutions Don’t Fit
› On-premise SOC 1.0 functions: Risk Assessment, IDS/IPS, Firewall, eDiscovery, DLP, SIEM
› Unmonitored activities outside SOC 1.0’s reach
Need a “Cloud Version” of each Function
› Risk Assessment, IDS/IPS, Firewall, eDiscovery, DLP, SIEM
Tectonic Shift in the Market: Rethinking DLP for Cloud File Sharing Services
› New visibility requirements
• Link Interpretation
• New Perimeter Semantics
• Full File Semantics
Predictions
Q: What does the future of cloud usage look like?
Cloud Adoption Predictions
[Chart: % of Total Cloud Workloads, 2013 vs 2018]
SaaS Becoming Dominant Form of Cloud
Cloud Adoption Predictions
[Chart: Consumer Internet Population using Personal Cloud Storage (millions), 2013 vs 2018]
[Chart: Consumer Cloud Storage Traffic per user (megabytes/month), 2013 vs 2018]
Best Practices
Q: What are best practices for managing compliance risk with regards to the cloud?
Best Practices
› Have a cloud policy and enforce it.
› Implement data classification and risk management.
› Automate as much of the compliance and policy work as you can.
› Ensure privacy and security clauses in the contract with the provider.
› Really think about the appropriateness of the data going to the cloud. (Dev/QA)
› Awareness Training
Regulations
Security Frameworks
Solutions
Q: What solutions are possible? How does Elastica view the problem?
Tectonic Shift in the Market: The Need for Visibility
› On-premises SOC 1.0: many pieces to buy, assemble & operate
› Unmonitored activities outside the reach of SOC 1.0
Elastica’s CloudSOC™ Taps Multiple Sources
[Diagram: Elastica CloudSOC fed by Firewall, Gateway, MDM and API sources, covering on-premises workers, remote workers and BYOD]
Regaining Visibility and Control
Next Steps
Shadow Data Exposed: http://www.elastica.net/wp-file-sharing/
The 7 Deadly Sins of Traditional DLP in the New World of Shadow IT: http://www.elastica.net/ebook-7sins-dlp
http://www.linkedin.com/company/elastica
https://www.facebook.com/ElasticaInc
@ElasticaInc, @zulfikar_ramzan