© 2014 CipherCloud | All rights reserved 1
Taking a Data-Centric Approach to Security in the Cloud
Bob West, Chief Trust Officer, CipherCloud
Evolving Networking & Security Models
Era | Computing model | Connectivity | Data storage | Security model
1970s | Mainframe (centralized) | Limited | Centralized | Perimeter
1990s | Client/server (distributed, internal) | Internal only | Within enterprise | Perimeter, endpoint
2000s | Internet (enterprise-centric) | Global messaging | Enterprise silos | Perimeter, endpoint, tunneling, identity
2010s | Cloud era (public, private cloud) | Application level | Hybrid | Data-centric for any location
Today's Reality – Data is Flowing Everywhere (diagram: databases, ERP, HR, CRM, collaboration and file-sharing applications, with internal users and external users exchanging data across the enterprise boundary)
Changing Nature of IT with De-Perimeterization
• Protecting infrastructure is not enough: business-critical systems now sit outside the network
• Key applications are outside your control: you rely on cloud providers to secure their systems
• Cloud customers ask the wrong questions: they focus on transferring legacy security models to the cloud
• The model needs to become data-centric: cloud providers do not accept liability for your data; you own the data, so you need to secure it
• Security needs to travel with your data: you need to control access regardless of where the data is located
Where Cloud Data Resides and What Laws Might Apply (as listed in 2014)
Chile: Law for the Protection of Private Life
Argentina: Personal Data Protection Law, Information Confidentiality Law
Brazil: Article 5 of the Constitution
Colombia: Data Privacy Law 1266
Mexico: Personal Data Protection Law
Canada: PIPEDA, FOIPPA, PIPA
US states: breach notification laws in 47 states
US federal: CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, USA PATRIOT Act
European Union: EU Data Protection Directive plus member-state data protection laws (privacy laws in 28 countries)
United Kingdom: ICO Privacy and Electronic Communications Regulations
Morocco: Data Protection Act
South Africa: Electronic Communications and Transactions Act
India: pending laws under discussion
Thailand: Official Information Act B.E. 2540
Singapore: Personal and Financial Data Protection Acts
Philippines: proposed Data Privacy Law
Hong Kong: Personal Data (Privacy) Ordinance
Taiwan: Computer-Processed Personal Data Protection Act
South Korea: Network Utilization and Data Protection Act
Japan: Personal Information Protection Act
Australia: National Privacy Principles, state privacy bills, email spam and privacy bills
New Zealand: Privacy Act
Common Regulatory Themes
• Mandates to protect personally identifiable information (PII): penalties include steep fines and personal liability for executives
• Breach notification is a "big stick": public breach disclosure can be hugely damaging (example: Target)
• Data owners are responsible regardless of where the data goes: cloud providers may share some limited responsibility, but that does not get data owners off the hook
• Regulations don't typically tell you what technology to use: legislation rarely keeps up with technological change
• Best practices evolve, changing the definition of "reasonable": once a solution is widely adopted, not adopting it becomes risky
Seeking a "Safe Harbor"
Regulation | Breach notification safe harbor exemption | Recommendations on encryption
PCI DSS | Not stated | Encryption is a "critical component"
GLBA (US) | Safe harbor "if encryption has been applied adequately" | Not stated
HIPAA, HITECH (US) | Safe harbor "if encryption has been applied adequately" | Not stated
EU Directives | Proposed | The proposed new regulation includes a safe harbor exemption if the data was adequately encrypted
ICO Privacy Amendment (UK) | Notification not required if there are "measures in place which render the data unintelligible" | Not stated
Privacy Amendment | Not specified | Not specified, but you should "take adequate measures to prevent the unlawful disclosure"
US state privacy laws | Generally yes | Typical breach definitions: personal information is "data that is not encrypted"; a breach is "access to unencrypted data"
Caveat for practitioners: these exemptions are written around encryption that was actually effective at the time of the breach. If the keys were exposed along with the data (for example, an application server that held both), the data was not rendered unintelligible and notification is typically still required. This is the practical argument for keeping keys under enterprise control rather than with the cloud provider.
World's Leading Enterprises Trust CipherCloud
• Top 3 US Bank's Consumer Self-Service Loan Origination Portal
• UK Education Organization Deploys Global Cloud-Based Portal
• Non-Technology Leader Trusts Sensitive Data to Cloud Email
• German Cosmetics Giant Meets International Security Regulations
• Major European Telco Consolidates Call Centers for 25 Countries
• Largest Hospital Chain Meets HIPAA & HITECH in the Cloud
• Top Canadian Bank Safeguards Proprietary Information in the Cloud
• Major Wall Street Firm Adopts Cloud Applications with Confidence
• Global Leader in Customer Loyalty Moves Email to the Cloud
• Genomics Testing Leader Protects Patient Data while Using the Cloud
• New Zealand Bank Collaborates in the Cloud and Meets Compliance
• Medical Audit Leader Launches Cloud-Based Customer Portal
• Large Pharmaceutical Company Uses Encrypted Email
• Credit Reporting Giant Deploys Cloud Collaboration with DLP Controls
• Government-Owned Mortgage Backer Protects PII Data in the Cloud
CipherCloud Complete Platform
• Data Loss Prevention: protecting sensitive data from leaks; extending corporate DLP to the cloud
• Data Protection: preventing unauthorized access to data; maintaining application functionality
• Activity Monitoring: monitoring user and data activity; detecting anomalies in user behavior
Protect Your Sensitive Data in the Cloud
Groundbreaking security controls protect sensitive information in real time, before it is sent to the cloud, while preserving application usability: Searchable Strong Encryption, Tokenization, Key Management, Data Loss Prevention, Malware Detection.
Where Should You Protect Your Data?
The three states to consider: data in transit, data at rest, data in use.
Vulnerabilities: account hijacking*, forced disclosure, data breaches*, malicious insiders*, insecure APIs*, shared technology* (* = top threats)
Key Questions for Cloud Data Protection
What data do you need to protect?
Who should or shouldn’t access it?
What functionality needs to be preserved?
Are there additional technical requirements?
Where should sensitive data reside?
One Size Does Not Fit All
High-performance encryption and tokenization at the enterprise gateway: searchable encryption, tokenization, format-preserving encryption, partial encryption. Transparent to users and preserves database functionality; the range of protection options preserves data structure, format and searching.
Tokenization (diagram, rated on functionality, security and overhead): an internal user's credit card number is replaced at the gateway, inside the enterprise-controlled internal network, by a token; the token database stays on the internal network and only the token reaches the cloud application.
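The token vault in the diagram above, as an added Go example (not CipherCloud's product code): the vault keeps the card-number-to-token mapping inside the enterprise, gives the cloud application a random token that preserves the last four digits, and gates detokenization on a caller role. The test PAN 4111 1111 1111 1111, the role name and the rule that tokens must fail the Luhn check are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn check used by
// payment card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// Vault is the token database. It stays on the internal network and is only
// reachable by the gateway; the cloud application sees tokens and nothing else.
type Vault struct {
	byToken map[string]string // token -> PAN
	byPAN   map[string]string // PAN -> token, so one card always gets one token
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// randomPrefix draws twelve digits from the OS CSPRNG.
func randomPrefix() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000)) // 10^12
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%012d", n.Int64()), nil
}

// Tokenize replaces a 16-digit PAN with a random token that keeps the last four
// digits (receipts and support screens still work) but deliberately FAILS the
// Luhn check, so a token can never be mistaken for, or replayed as, a card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) != 16 || !luhnValid(pan) {
		return "", errors.New("input is not a valid 16-digit PAN")
	}
	if t, ok := v.byPAN[pan]; ok {
		return t, nil
	}
	for {
		prefix, err := randomPrefix()
		if err != nil {
			return "", err
		}
		token := prefix + pan[12:]
		if _, taken := v.byToken[token]; luhnValid(token) || taken {
			continue // looks like a real PAN, or collides with an existing token
		}
		v.byToken[token] = pan
		v.byPAN[pan] = token
		return token, nil
	}
}

// Detokenize is the only way back to the PAN and is gated on the caller's role:
// the enterprise, not the cloud provider, decides who sees card numbers.
func (v *Vault) Detokenize(token, role string) (string, error) {
	if role != "payments-operator" { // assumed role name for the example
		return "", errors.New("role not authorised to detokenize")
	}
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := NewVault()
	tok, _ := v.Tokenize("4111 1111 1111 1111") // constructed test PAN, not a real card
	fmt.Println("stored in the cloud CRM:", tok)
	fmt.Println(v.Detokenize(tok, "payments-operator"))
	fmt.Println(v.Detokenize(tok, "sales-rep"))
}
```

Two practitioner checks are built in: a PAN is validated with Luhn before it enters the vault (bad input should fail at the gateway, not land in the cloud as a "token"), and the same PAN always returns the same token so the cloud application can still join and de-duplicate records. That consistency is also the scheme's leak: anyone who can read the cloud database learns which records share a card, and the vault and its access logs need the same protection as the card data itself.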
Conventional Encryption (diagram, rated on functionality, security and overhead): encryption keys stay on the internal network under enterprise control; an internal user's data, for example the word "Confidential", reaches the cloud application only as unreadable ciphertext.
Format Preserving Encryption (rated on functionality, security and overhead)
Standard AES encryption: the output is arbitrary binary (shown on the slide as an unreadable string) that no longer fits the original field.
Format preserving encryption: the output, for example 4811 8522 1744 2231 for a credit card number, maintains the 16-digit numeric format.
Partial Encryption Techniques (diagram): encryption keys stay on the internal network under enterprise control; an authorized user's search query for "John Smith" is run against the encrypted Customers data held by the cloud application, which stores only ciphertext. Overhead, functionality and security: vary with the technique chosen.
Data is encrypted on a field-by-field basis according to your security policies: credit card numbers are fully encrypted with AES-256, while other fields can be partially encrypted. The slide contrasts an authorized user's view of a customer record (United Oil & Gas) with what an unauthorized user sees.
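The format-preserving and partial-encryption slides above, as one added Go example (not CipherCloud's implementation): a ten-round balanced Feistel network with AES as the round function maps an even-length string of decimal digits to another of the same length and back, and the partial policy applies it to the leading twelve digits of a card number while leaving the last four readable. The key, the test PAN and the Feistel construction are assumptions; this is the textbook construction for illustration and is not NIST SP 800-38G FF1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const rounds = 10

// demoKey is a constructed 256-bit key for the example only; a real gateway
// would fetch the key from its HSM or key manager.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// roundFunc is the Feistel round function: one AES block over (round, half),
// reduced into the digit domain [0, mod).
func roundFunc(block cipher.Block, round int, half, mod uint64) uint64 {
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[:8], uint64(round))
	binary.BigEndian.PutUint64(in[8:], half)
	block.Encrypt(out[:], in[:])
	return binary.BigEndian.Uint64(out[:8]) % mod
}

// splitHalves checks for an even number (2..16) of digits and parses them into two halves.
func splitHalves(s string) (l, r, mod uint64, err error) {
	n := len(s)
	if n == 0 || n%2 != 0 || n > 16 {
		return 0, 0, 0, errors.New("need an even number of digits, at most 16")
	}
	mod = 1 // modulus of one half: 10^(n/2)
	for i := 0; i < n/2; i++ {
		mod *= 10
	}
	for i, c := range s {
		if c < '0' || c > '9' {
			return 0, 0, 0, errors.New("non-digit in input")
		}
		if i < n/2 {
			l = l*10 + uint64(c-'0')
		} else {
			r = r*10 + uint64(c-'0')
		}
	}
	return l, r, mod, nil
}

// fpe runs the balanced Feistel network forwards (encrypt) or backwards
// (decrypt) over the two halves; the output has the same length as the input.
func fpe(key []byte, digits string, decrypt bool) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	l, r, mod, err := splitHalves(digits)
	if err != nil {
		return "", err
	}
	for i := 0; i < rounds; i++ {
		if decrypt {
			l, r = (r+mod-roundFunc(block, rounds-1-i, l, mod))%mod, l
		} else {
			l, r = r, (l+roundFunc(block, i, r, mod))%mod
		}
	}
	width := len(digits) / 2
	return fmt.Sprintf("%0*d%0*d", width, l, width, r), nil
}

// FPEEncrypt maps an even-length digit string to another of the same length. It is
// deterministic under a key, which keeps lookups working and also leaks equality.
func FPEEncrypt(key []byte, digits string) (string, error) { return fpe(key, digits, false) }

// FPEDecrypt inverts FPEEncrypt under the same key.
func FPEDecrypt(key []byte, digits string) (string, error) { return fpe(key, digits, true) }

// partial applies the slides' partial-encryption policy to a 16-digit card
// number: the leading twelve digits go through fpe, the last four stay clear.
func partial(key []byte, s string, decrypt bool) (string, error) {
	s = strings.ReplaceAll(s, " ", "")
	if len(s) != 16 {
		return "", errors.New("expected 16 digits")
	}
	head, err := fpe(key, s[:12], decrypt)
	if err != nil {
		return "", err
	}
	return head + s[12:], nil
}

// ProtectPAN keeps the last four digits readable for receipts and support staff.
func ProtectPAN(key []byte, pan string) (string, error) { return partial(key, pan, false) }

// RevealPAN inverts ProtectPAN for an authorised user.
func RevealPAN(key []byte, protected string) (string, error) { return partial(key, protected, true) }
```

Production gateways should use a vetted FF1 implementation with a per-field tweak rather than this sketch. Two caveats the slide leaves implicit: the output is deterministic under a key, so equal card numbers give equal ciphertexts and the cloud can still count duplicates; and the result generally fails the Luhn check, so any card-number validation inside the cloud application has to be switched off for the protected field.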
Searchable Strong Encryption (SSE) (diagram, same layout as the partial encryption slide): encryption keys stay on the internal network under enterprise control; an authorized user's search query for "John Smith" is answered from the encrypted Customers data held by the cloud application without the cloud ever seeing the clear value. Overhead, functionality and security: vary with the scheme chosen.
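The search over encrypted Customers data in the last two slides, as an added Go example (not CipherCloud's code): the gateway encrypts each protected field with AES-256-GCM under enterprise-held keys and, for fields marked searchable, stores an HMAC blind index per word, so a query for "John Smith" is rewritten into index terms before it leaves the enterprise and matched in the cloud without decrypting anything. The field names, the two policy modes, the keys and the "__idx" column convention are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Mode is the per-field policy enforced at the gateway (assumed for this
// example); fields without a policy are stored in the clear.
type Mode int

const (
	Encrypt    Mode = iota + 1 // AES-256-GCM, random nonce: not searchable in the cloud
	Searchable                 // AES-256-GCM plus an HMAC blind index per word (equality search)
)

// Gateway holds the enterprise keys; the cloud stores only what Protect returns.
type Gateway struct {
	aead     cipher.AEAD
	indexKey []byte
	policy   map[string]Mode
}

func NewGateway(encKey, indexKey []byte, policy map[string]Mode) *Gateway {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Gateway{aead: aead, indexKey: indexKey, policy: policy}
}

// seal uses a fresh random nonce, so equal plaintexts give different
// ciphertexts; the field name is bound as associated data.
func (g *Gateway) seal(field, plaintext string) string {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return hex.EncodeToString(g.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field)))
}

// blindIndex is a keyed hash of a normalised word: the cloud can compare index
// values for equality but cannot invert them without indexKey.
func (g *Gateway) blindIndex(field, word string) string {
	m := hmac.New(sha256.New, g.indexKey)
	m.Write([]byte(field + ":" + strings.ToLower(word)))
	return hex.EncodeToString(m.Sum(nil))
}

// Protect returns the row as the cloud stores it: clear values, hex ciphertexts, and a "<field>__idx" column for Searchable fields.
func (g *Gateway) Protect(row map[string]string) map[string]string {
	out := map[string]string{}
	for field, value := range row {
		if g.policy[field] == 0 {
			out[field] = value
			continue
		}
		out[field] = g.seal(field, value)
		if g.policy[field] == Searchable {
			var terms []string
			for _, w := range strings.Fields(value) {
				terms = append(terms, g.blindIndex(field, w))
			}
			out[field+"__idx"] = strings.Join(terms, " ")
		}
	}
	return out
}

// Search rewrites each query word to its blind index before the query leaves the enterprise; a row matches only if it holds every term.
func (g *Gateway) Search(rows []map[string]string, field, query string) []int {
	var hits []int
	for i, row := range rows {
		terms := " " + row[field+"__idx"] + " "
		match := true
		for _, w := range strings.Fields(query) {
			match = match && strings.Contains(terms, " "+g.blindIndex(field, w)+" ")
		}
		if match {
			hits = append(hits, i)
		}
	}
	return hits
}

// Reveal decrypts a protected field for an authorised user inside the enterprise.
func (g *Gateway) Reveal(field, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if n := g.aead.NonceSize(); err == nil && len(raw) >= n {
		pt, err := g.aead.Open(nil, raw[:n], raw[n:], []byte(field))
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}
```

This makes the "Varies" security rating concrete. Ciphertexts are randomized (two identical names encrypt differently, and binding the field name as associated data stops a value being moved between columns), but the index is deterministic: whoever reads the cloud database learns which records share a name and how often each value occurs, and can test guesses against the index if the index key ever leaks. Only fields that must be searched should get an index, and the index answers whole-word equality only, not substring, prefix or range queries.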
About CipherCloud
Solutions: Cloud Discovery, Cloud DLP, Strong Encryption, Tokenization, Activity Monitoring, Anomaly Detection
Company: 450+ employees, 3.8+ million active users, 13 industries, 25 countries, 7 languages, 13 patents
Customers: 5 of the top 10 US banks; 3 of the top 5 health providers; a top-2 global telecom company; 40% of global mail delivery; the largest US media company; 3 of the top 5 pharmaceutical companies
Thank You
Bob West, Chief Trust Officer
For additional information:
• Website: www.ciphercloud.com
• Twitter: @ciphercloud
• Email: [email protected]
• LinkedIn: www.linkedin.com/company/ciphercloud
• Phone: +1 855-5CIPHER