Moving to the Cloud: A Security and Hosting Introduction
By Ron Rainville
Service Delivery Operations
BBCON 2014
Ron Rainville – VP/Service Delivery Operations
Overview
• Today’s Landscape
• What is Blackbaud doing?
• Protection thru technology
• Protection thru people
• Protection thru certifications
• Protection thru process
Today’s Landscape
Breaches in the News
• Banks
  • Massive bank hack: What you need to know – CNN
• Retailers
  • Home Depot hack could lead to $3 billion in fake charges – CBS News
  • Target store chain security breach
• Healthcare
  • There is an epidemic of medical identity theft – USA Today
• Universities
  • Ex-contractor says he hacked into U-Md. databases to alert others to security flaws – Washington Post
• Governments
  • U.S. Probes Hacking of Government Computers at Personnel Agency – The Wall Street Journal
Theft Has Been Automated and Targeted
A variety of adversaries
• Script Kiddies
• Organized Crime
• Nation States
The value of targeted data is rising
• Cardholder data
• Personally Identifiable Information (“PII”)
• Protected Health Information (“PHI”)
• Social network handles (Twitter, Facebook)
Attack Vectors
Zero-Day Vulnerabilities
• Vulnerabilities discovered by criminals within software, sold in black markets to the highest bidder
Social Engineering
• Targeted campaigns against key resources within an organization for the purpose of gaining access to confidential information
Insider Threat
• Disgruntled employees looking to get even
• User mistakes (e.g. bringing data home)
Best source for statistics: Verizon Data Breach Investigations Report
How Do Large Credit Card Breaches Happen?
The Advanced Persistent Threat (“APT”)
Recon → Infiltration → Delivery & Exploitation → Exfiltration → Monetization
• Reconnaissance: Adversaries probe targets for holes and vulnerabilities and/or steal credentials
• Infiltration: Exploit these weaknesses to get inside
• Delivery & Exploitation: Hook malware into processing streams
• Exfiltration: Get data out as quietly as possible
• Monetization: Data sold on the black market
This can occur over months at a time.
Impact
Reputational
• Brand damage
• Customers will seek alternative choices
Financial and Liability
• Stock price tumbles
• Cost of data breach
• Legal issues
• Post-mortem audits – regulatory (e.g. HIPAA) or contractual (PCI)
So What is Blackbaud Doing?
Protection thru Technology
Strong Perimeter
• Firewalls
• IDS Control
• DDoS
• 2FA
Access Control
• Granted on an as-needed basis
• Role separation
Password/Account Management
Environment Awareness
• Log and activity monitoring
Data Centers
• All Tier III+ certified
No special cases
Protection thru People
Blackbaud Security Team
• Dedicated to Security – complete focus
• All personnel heavily trained
• High level of visibility
Training
• All employees receive security training – social engineering & best practices – annually and at NEO
• ITIL training
Certifications
• CISSP, GISM, GSEC, CCNA, CNSS, DoD 85
Partnerships
• PCI/SOC: Brightline CPAs
• Pen-testing: Praetorian (annual rotation)
• PCI validation scans: Qualys
• Ethical hacking and forensics: eMagined Security Consultants
Vendor Management
• All service providers we use are required to meet or exceed our security standards
Protection thru Certifications
PCI – Credit Card
• PCI Level 1 – annual event, Brightline
SSAE16 – PII, Best Practices – risk mitigation
• SOC2, Level 2: based on Security, Availability, Confidentiality principles – Brightline
• SOC1, Level 2: based on Financial Reporting for ledger-based products – Brightline
ITIL Based
• Annual Security Audit – 3rd party, eMagined Security
• Policy validation and perimeter testing
• Internal LAN – ethical hacking; credentialed and non-credentialed
Protection thru Process
Security Patching – all platforms
• Monthly and on-demand
• Heartbleed, Shellshock
Change Management
• Rigorous process
• Completely documented
• Multi-level management approval
Event and Incident Management
• Complete log and event monitoring and response
• 7x24 NOCC
• eMagined on retainer and used often – false positives
Security Testing
• Vulnerability management (monthly)
• Penetration testing / ethical hacking (annually and after major changes)
After all that…
Are we completely protected?