Privacy. Security. Risk. 2016


Dana Simberkoff, JD, CIPP, Chief Compliance & Risk Officer, AvePoint

Sanjay Jacob, Global Head, Intelligent Cloud Strategic Industries, Microsoft Corporation

Privacy. Security. Risk. 2016 IAPP Privacy Academy and CSA Congress


Presenter

Dana Louise Simberkoff, JD, CIPP Chief Compliance and Risk Officer, AvePoint


Blog: www.DocAve.com

https://www.linkedin.com/in/danalouisesimberkoff

@danalouise


©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.


A new era of digital transformation is upon us


Cloud momentum continues to accelerate

“If you’re resisting the cloud because of security concerns, you’re running out of excuses.”

“The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”

“By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.”


OPPORTUNITIES

SECURITY & PRIVACY POLICY & CONTROLS

SECURITY RISKS

Balance Opportunities and Risks

DATA GOVERNANCE


Data is a new currency


Hyperscale infrastructure is the enabler

28 Regions Worldwide, 22 ONLINE…huge capacity around the world…growing every year

100+ datacenters

• West US: California
• East US: Virginia
• US Gov: Virginia
• North Central US: Illinois
• South Central US: Texas
• Brazil South: Sao Paulo State
• West Europe: Netherlands
• China North *: Beijing
• China South *: Shanghai
• Japan East: Tokyo, Saitama
• Japan West: Osaka
• India South: Chennai
• East Asia: Hong Kong
• SE Asia: Singapore
• Australia South East: Victoria
• Australia East: New South Wales
• India Central: Pune
• Canada East: Quebec City
• Canada Central: Toronto
• India West: Mumbai
• Germany North East **: Magdeburg
• Germany Central **: Frankfurt
• North Europe: Ireland
• East US 2: Virginia
• United Kingdom Regions
• United Kingdom Regions
• Pacific NW: Washington
• Central US: Iowa
• US Gov: Iowa


Cloud Trust pillars


Microsoft IT cloud vision

“We’re comfortable with 93% of our portfolio moving to the cloud, and we’re well on our way to that. By the time we're complete with that part of our portfolio, the remainder will be ready to move to the cloud.”

Jim DuBois, CIO of Microsoft


Five steps to data governance adoption

Executive sponsorship is crucial


How should you determine what data lives in the cloud?

Understand the risk of unintended disclosure of data and safeguards

DATA HANDLING TECHNIQUES


Rapidly changing information landscape creates more business opportunities, but also increases risk throughout the data lifecycle.

• Over-retention
• Inadvertent disposal
• Excessive collection
• Inadequate records
• Inappropriate access
• Accidental misuse
• Breach or response failure
• Cross-border restrictions
• Excessive sharing

Data lifecycle: Create & Collect, Use, Share, Dispose


What is this?

• Client records

• Employee records

• Previous project files

The Challenge

What you use…

What you need to keep…

• Current project files

• Current reference docs

Dark Data


Someone else’s Computer


Cloud ‘flavors’

Legend: Cloud Service Provider manages / You manage

Responsibility layers:

• Data Governance and Rights Management
• Client End-points
• Account and Access Management
• Identity and Directory Infrastructure
• Application
• Network Controls
• Operating System
• Physical Hosts
• Physical Network
• Physical Datacenter

Service models: SaaS, PaaS, IaaS, On-Prem

Security, Privacy and Control, Compliance, Transparency


Build “controls” into containers

Make sure no one messes with your controls

Ensure the system is used as intended


Cloud is a chance for “Housekeeping”

• Restructure your IA, consolidate
• Check for poor security settings
• Migrate


Mixed Junk IN

• Filter for Compliance
• Prioritize for Business Need
• Structure for Governance

Organized Gold OUT


Data and File Analysis Process

• Data Discovery: 40TB
• Data Identification: 30TB
• Data Migration: 4TB

Business Information

Business Critical Data / Important Data

• Scan the content
• Identify ROT & duplicates
• Remove duplicate Data


Plan for the future

Remove what’s unnecessary

Keep what’s required

Protect what’s important

Establish a way to identify it

Find out what it really is

Reduce Cost. Increase Productivity.

Users: Relevant Information

IT Admins: Easier Maintenance

Compliance Officers: Lowered Risks


Where is it?

File Share

SharePoint

Office 365

Databases

Who can access it?

Who owns it?

Who can read it?

Who can edit it?

What is it?

File Level Analysis

Content Level Analysis

• Redundant, outdated and trivial (ROT) data

• File types (Music, log files, etc.)

• Sensitive data

• Date Created

• Owner


Tags

• Ownership
• Purpose
• Audience
• Sensitivity level

Classify

• Is it a record?
• Is it high business impact?
• Who should have access?
• Where should it live?


Delete

Archive

Does it need to be reorganized?

• Is it a record?
• Does it belong somewhere else?

Can I get rid of it?

• Is it a record?
• Is it a duplicate?
• Is there a later version?
• Is it relevant?


• Which is the “golden copy”?

• Do you need multiple copies?

• Does it need to be indelible?

• Does it need to be stored off site?

• Who can access it?

• What’s the retention period?

Is it a record?

Is it high business impact?

• Does it need to be encrypted or redacted?

• How often is it accessed?

• How many people have access?

• Are multiple versions necessary?


Compliant Migration to…

• End-of-Life
• Another location on the file system for archiving
• Another system (SharePoint, Office 365, storage, etc.)
• Another location for “legal hold”
• Another location on the file system


Process diagram with steps numbered 1 to 8. Labels: Incident Tracking, Prove It, Assess, Prioritize, Say It, Do It, Ongoing Monitoring, Incident Management


Privacy Impact Assessment

Yes, risky data will be stored

Implement Controls

Restrict and control access

Tag and Classify, Move, Quarantine, Delete, Redact, Encrypt, Block, and Audit

Enforce internal policies

Reporting / Certification

No, no risky data stored

Verify and Report

Reporting / Monitor


• Developed by AvePoint

• Distributed exclusively by IAPP

• Global Support provided by AvePoint

• Educational Resource ***Cost Free***! (AvePoint Global Research and Development Team)

• Extended by the Privacy Community!

• https://www.privacyassociation.org/resource_center/avepoint_privacy_impact_assessment_system


AvePoint Data Governance Workshop http://www.avepoint.com/assets/pdf/Advisory_Data_Governance_Workshop_Product_Brochure.pdf

AvePoint Privacy Impact Assessment https://iapp.org/resources/apia/

AvePoint Compliance Guardian Market Place https://azure.microsoft.com/en-us/marketplace/partners/avepoint/avepoint-compliance-guardian/


Q & A


Resources

Whitepaper – The Operational Impact of the European Union General Data Protection Regulation (GDPR) on IT
www.avepoint.com/GDPR

GDPR Survey Benchmark Survey
www.avepoint.com/GDPR-Survey

AvePoint Privacy Impact Assessment System
http://www.avepoint.com/privacy-impact-assessment/
https://iapp.org/resources/apia/