The Cloud Beckons, But is it Safe?

You should hear voices. If you can’t hear anything, check that your computer volume is turned up and un-muted, and the “Use

Mic” radio button is selected.

Or you can use a phone to listen to the same audio by calling (914) 339-0030, Access Code: 742-024-148

Logistics: Audio Via Phone

Speakers not working? Prefer the phone? Dial in:

Choose “Use Telephone”

(If you can’t

see this panel, click the “Show Control Panel”

button)

(914) 339-0030742-024-148

Logistics: Ask Questions

Not hearing anything? Call 773-945-1010, access 257-723-187

Raise your hand and I’ll unmute

you

Ask questions! Otherwise I’m speaking to a black hole!

Click to open the

chat window

Having Trouble?

You should hear voices. If you can’t hear anything, check that your computer volume is turned up and un-muted, and the “Use Mic” radio button is selected.

Or you can use a phone to listen to the same audio by calling (914) 339-0030, Access Code: 742-024-148

The Cloud Beckons, But is it Safe?

July 2012

Introductions

Laura QuinnExecutive Director

Idealware

What are you hoping to get out of this session?

Jeff Hogue

Legal Assistance of Western New York

What is The Cloud?

LSC Grantees are Using It

• 46% said that “some or all of their servers are hosted externally”

• 18% said they were using Google Apps for email

• 13% said they were using Google Docs

The Lure of the Cloud

Low cost of entry

Easy remote access

No complex infrastructure

But What About Security?

Cloud Security in the News

Technology and Legal Ethics

The ABA is prepared to vote in new model rules requiring lawyers to "make reasonable efforts" to prevent "inadvertent or unauthorized disclosure of, or unauthorized access to" confidential client information.

This doesn’t preclude the cloud, but it requires you to think through it’s use.

Under Siege

To be on the Internet is to be vulnerable to attack.

If you’re on the Internet, you’re in The Cloud

But We Do Lots of Things on the Internet

We shop online

We bank online

We post crazy things on Facebook

Why is the cloud different? It’s not.

How Secure is Your On-Site Data?

Do any of these sound familiar?

• No one patches computers or is responsible for network security

• You haven’t really thought about passwords or permissions

• No disaster recovery plans

• Staff hasn’t had any security training

Myth“We’re a small nonprofit. We’re safe because no one would target us for cyber attack.”

Fact

Many data security breaches are crimes of opportunity.

Organizations don’t always consider the sensitivity of their data until it’s exposed.

Myth

“Our data is safer not in the cloud”

A Cloud Data Center

Is This Your Server Closet?

What Does Security Mean?

The Three Pillars of Information Security

Confidentiality

Information is available only to authorized parties.

Integrity

Information isn’t modified inappropriately, and that you can track who made what change.

Availability

Assurance that data is accessible when needed by authorized parties.

Also: Physical Possession

Whoever has the data could, in theory, turn it over to the government

What Does Security Mean For You?

Rules for Absolute Safety

Turn off your Internet connection.

Allow no one access to your data and systems.

But let’s be realistic…

Know What You’re Protecting

What kinds of data are you storing, and how sensitive are they?

Think about its value on the open market.

Red Flags

You need extremely tight security to store:

• Donor’s credit card numbers.

• Scanned images of checks.

• Donor’s bank account information.

Privilege and Waiver

Is storing data in the cloud disclosure that destroys the privileged nature of data? 

No, but you have to spend time thinking through the problem.

What’s Your Exposure?

Consider the impact of exposure of your confidential information, both in monetary terms and reputation.

What’s The Impact of an Outage?

How much staff time could you lose from a short term or prolonged outage?

Testing Your On-Site Security

Have you recently performed a:

• Check on whether your systems have been recently patched?

• Systems penetration test ?• Employee training on security

procedures?• Backup/recovery test?

If not, you’d likely increase your security by moving to the cloud.

A Multi-Level Security Model

Multi-Level Security is the Ideal

Physical Security

• Guarded facilities

• Protection of your hardware and devices

• Power redundancy

• Co-location (redundant facilities)

Network Security

• Intrusion prevention• Intrusion detection• Firewalled systems• Network proactive anti-virus protection

Transmission Security

Is data encrypted in transit?

Is the network secure?

Access Controls

• Ensuring the right people have access to the right data

• Physical access to the server• Training on appropriate

passwords and security measures

Data Protection

• Data encryption• Solid backup and

restore policies• Ability to purge

deleted data• Ability to prevent

government entities from getting your data with a subpoena

What to Look For in a Vendor

Description of Security Mechanisms

Documentation of all the facets of security, and the staff can talk about it intelligently.

Proves information security is on the “front burner”

Uptime

Your connection to the internet may well be the weakest link.

Do they provide any guarantee of uptime? Any historic uptime figures?

Uptime figures are typically in 9s-- 99%, 99.9% or 99.99%

Terms of Service

What’s in the terms of service in terms of privacy and use of your data? Do they need to tell you if they change their terms of service?

Regulatory Compliance: HIPAA

Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?

Regulatory Compliance: SAS70 and SSAE16

Audit for security standards, hardware, and processes.

Statement on Accounting Standards 70 (SAS70)

Statement of Standards for Attestation Engagements 16 (SSAE16)

Regulatory Compliance: PCI DSS Compliance

If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Payment Data Security Standard)

In Summary

Your Data Is No Safer Than You Make It

Any computer attached to the internet is vulnerable unless you protect it.

The cloud isn’t, in of itself, more or less secure

Understand the Value of Your Data

What is it worth to you? To others?

What measures are appropriate to protect it?

But Many Vendors Make Your Data Really Safe

Choose vendors who show they’re serious about data protection (not all vendors are created equal).

Consider a vendor’s regulatory compliance.

Questions?