Date post: 24-Jun-2020
Data, Data Everywhere: Maintaining Compliance and Privacy in a Post-perimeter World May 24, 2013 Tim Choi | Sr. Director of Products
Page 1: Data, Data Everywhere: Maintaining Compliance and Privacy in a … · 2013-05-15 · The Work Devices We Use Are Changing 2012 KPCB Internet Trends Year-End Update, Mary Meeker

Data, Data Everywhere: Maintaining Compliance and Privacy in a Post-perimeter World

May 24, 2013

Tim Choi | Sr. Director of Products


What We Will Discuss Today

• How are the ways we work changing and why?

• What are the compliance impacts to our world?

• What technologies are available and what are the trade-offs?


THE DEVICE


The Work Devices We Use Are Changing

2012 KPCB Internet Trends Year-End Update, Mary Meeker


Who Are Some Users Driving the Adoption of Post-PC Devices?

41%: Percentage of CEOs who use an iPad for work

BYOD is now the growing trend

2012 CEO & Senior Business Executive Survey, Gartner Research


Welcome to the Age of BYOD


Okay – Not that BYOD… Let’s try again…

• BYOD (Bring Your Own Device)

– Trend is driven by popularity of iOS and Android devices

– “Freedom of choice” for employees to work on their preferred device

– Cost reduction by shifting purchase of devices to employees

– Employee satisfaction through freedom of choice


The Trend is Towards BYOD

[Pie chart: Percent of Enterprises that Support BYOD. Values in extracted order: 76%, 13%, 6%, 5%. Legend in extracted order: Currently supported; Planning to support, next 12 mos; Considering, but no specific timeframe; Not planning to support]

Good Technology’s 2012 BYOD Report


What Are the Potential Risk Factors of BYOD?

• 65% of organizations feel that accessing documents via mobile devices and tablets creates a significant security risk¹

• The “Absent-Minded” Employee

– Losing personal work devices

– Loss of sensitive data (Personally Identifiable Information or Intellectual Property)

– Compliance considerations (HIPAA, GLBA, PCI, etc.)

• The “Disgruntled” Employee

– Malicious distribution of work content to competitors

– Walking out of the company with Intellectual Property

– Business loss considerations

Source: ¹ Ponemon Institute 2012 Confidential Documents at Risk Study


Market Solutions Available for Device Management

• Mobile Device Management

– Centralized control of the mobile device tier

– Features:

• OTA (Over the Air) provisioning of device

– Turn On/Off device functionality

– Remote wipe

• Telecom expense management

– Points of consideration

• Applicable only to employee devices: the architecture requires that the whole device is registered and managed by the company

• How does one manage devices of business partners? This is especially important if they are BYOD devices that have access to your information.


THE APPS


There’s an App for Everything; Consumerization of IT


The Convenience of Apps

• There are lots of Apps available to choose from

– 775,000 iOS Apps available¹

– 625,000 Android Apps available²

• Apps are more affordable³

– Average price per iOS app: $1.58/app

– Average price per Android app: $3.74/app

• Apps are easier to download

– 1 (okay, 2 if you need to input your password)

Sources: ¹ Apple, Jan 2013; ² AppBrain, Feb 2013; ³ Canalys, Feb 23, 2012


Where is Your Enterprise Data Going?


Market Solutions Available for App Management

• Mobile Application Management

– Centralized control of the application tier

– Features:

• Provision apps to employee devices

• Remote wipe of apps

• Control of interactions between apps (e.g. “Open In”)

– Points of consideration

• Applicable only to employees

• How does one manage the distribution of apps to business partners?


THE DATA


Let’s Recap – Some Incidents from 2012

Incidents involving inadvertent data disclosure or a data governance/process/policy failure

[Timeline chart, Jan to Dec 2012, showing the incidents listed below]

Source: CyberFactors, LLC, a wholly owned subsidiary of CyberRisk Partners, LLC and sister company of CloudInsure.com, LLC

• Wells Fargo: 130 records (SSNs, PII)

• Valencia College: 9,000 records (PII)

• Certified General Accountants (CGA) Association of British Columbia: 4,600 records (PII)

• Texas A&M: 4,000 records (SSNs, PII)

• Elections New Brunswick: 553,000 records (PII)

• Cunard Cruise Line: 1,225 records (PII)

• Wisconsin Dept. of Revenue: 110,795 records (PII)

• Essex County Council: 400 records (PII, Financial data)

• Aegon: 35 records (PII)

• Groene Hart Ziekenhuis (Green Heart Hospital): 493,000 records (PHI)

• Plymouth City Council: 1 record (PII)

• Jackson North Medical Center: 566 records (PHI)


Not all breaches come from hacks

Source: CyberFactors, LLC, a wholly owned subsidiary of CyberRisk Partners, LLC and sister company of CloudInsure.com, LLC

2012 Security Incidents By Source

• External: 50%

• Internal: 40%

• Third-party contractor/vendor: 6%

• Unknown: 4%


It’s All About the Data…

Source: Ponemon Institute 2012 Confidential Documents at Risk Study


What Data is Most at Risk?

“What types of data were potentially compromised or breached in the past 12 months?” (select all that apply)

[Bar chart. Values in extracted order: 1%, 3%, 4%, 7%, 10%, 10%, 13%, 14%, 15%, 19%, 20%. Categories in extracted order:]

• Other

• Payment/credit card data

• Account numbers

• Website defacement

• Don't know

• Corporate financial data

• Authentication credentials (user IDs and passwords,…

• Other sensitive corporate data (e.g., marketing/strategy…

• Other personal data (e.g., customer service data)

• Personally identifiable Information (name, address,…

• Intellectual property

Source: Forrester Research Forrsights Security Survey, Q2, 2012


The Need for Security in Documents

If you believe that the security of browser-based file sharing tools will become “more important,” why do you feel this way? (More than one choice permitted)

[Bar chart. Values in extracted order: 3%, 39%, 43%, 48%, 56%, 61%, 63%, 68%. Reasons in extracted order:]

• Other

• Cost of non-compliance will increase

• More privacy and data security regulations to comply with

• Increase in cyber criminal attacks

• Increase in the need to share documents for purposes of collaboration

• Managing user access at the document level will become more complex

• Increase in the volume of documents

• Increase in the access requirements for users because of mobility

Source: Ponemon Institute 2012 Confidential Documents at Risk Study


What Defines Document-Centric Security?

Following are features of a document-centric security solution (Very important and important response presented)

[Bar chart with two series, Very important and Important. Values in extracted order: 31%, 32%, 35%, 39%, 43%, 36%, 38%, 41%. Features in extracted order:]

• Easily and effectively access, share and control all important documents across the extended and mobile enterprise on any device

• Enables users to easily and safely send files and collaborate with business partners or other outside parties. Shared files remain protected even as business partners use their own corporate or personal mobile devices

• Allows employees to access their corporate documents on PC and mobile devices with an intuitive interface that displays documents on any screen

• Enterprises have full control over every protected document. The platform provides granular capabilities such as controlling printing, copying and forwarding, as well as the ability to watermark or wipe the document

Source: Ponemon Institute 2012 Confidential Documents at Risk Study


WHAT’S MOST IMPORTANT AND WHAT’S THE SOLUTION?


Emergence of Shadow IT Creates Compliance Exposure on Enterprise Data

• Storing Data in the App

– Is the content encrypted and protected?

– Can one easily forward the content to competitors?

• Storing Data in the Public Cloud

– Is the content encrypted and protected?

– Who has ownership of the content?

• Sharing To Outside Parties

– Who outside my company has access to this data?

– What kind of devices are being used?

Sources: ¹ Palo Alto Networks; ² Ponemon Institute 2012 Confidential Documents at Risk Study


Three Steps to Address Application Shadow IT

Step 1: Visibility Into What’s Going On In Your Company

(Example: Is there use of Dropbox in my company?)

• Track sessions to Dropbox

• Track data

• Track users/hosts

Palo Alto Networks PA-500, Check Point Gateway, WebSense Triton, Blue Coat ProxySG, Cisco ASA, Juniper Networks SRX
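
Step 1's Dropbox question as a runnable sketch (an added example, not part of the original slides): it reports sessions, data volume and users/hosts from web-proxy log lines. The log layout, the sample lines and the watched-domain list are constructed assumptions and do not reproduce the log format of any product named above.

```python
from collections import defaultdict

# Constructed sample log, one request per line (assumed layout):
# timestamp user client_ip method dest_host bytes_out bytes_in
SAMPLE_LOG = """\
2013-05-20T09:01:12Z alice 10.0.4.21 POST client.dropbox.com 5242880 412
2013-05-20T09:03:40Z alice 10.0.4.21 GET www.dropbox.com 310 20480
2013-05-20T09:05:02Z bob 10.0.7.9 POST notdropbox.com 900000 200
2013-05-20T09:07:55Z carol 10.0.9.3 PUT dl.dropboxusercontent.com 1048576 128
2013-05-20T09:08:10Z bob 10.0.7.9 GET intranet.example.com 220 9000
malformed line without enough fields
2013-05-20T09:10:31Z carol 10.0.9.3 GET dropbox.com.files.example 150 700
"""

# Assumption: domains treated as "Dropbox" for this report.
WATCHED_DOMAINS = ("dropbox.com", "dropboxusercontent.com")


def is_watched(host, domains=WATCHED_DOMAINS):
    """Match the domain itself or a true subdomain, never a look-alike."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def summarize(log_text):
    """Return {(user, client_ip): {sessions, bytes_out, bytes_in}}."""
    usage = defaultdict(lambda: {"sessions": 0, "bytes_out": 0, "bytes_in": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines instead of aborting the report
        _ts, user, client_ip, _method, host, out_s, in_s = fields
        if not (out_s.isdigit() and in_s.isdigit()) or not is_watched(host):
            continue
        row = usage[(user, client_ip)]
        row["sessions"] += 1
        row["bytes_out"] += int(out_s)  # data leaving the company
        row["bytes_in"] += int(in_s)
    return dict(usage)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    # Largest uploaders first: upload volume is the exposure signal.
    for (user, ip), row in sorted(report.items(),
                                  key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{user:8} {ip:12} sessions={row['sessions']} "
              f"up={row['bytes_out']} down={row['bytes_in']}")
```

Matching on the exact domain or a dot-prefixed suffix keeps look-alike hosts such as `notdropbox.com` out of the report, so the user and host counts reflect real sessions to the service.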


Three Steps to Address Application Shadow IT

Step 2: Find the Balance In the Enterprise App

WHAT USERS WANT

• Sync: Mobile / Tablet / Desktop / Web / BYOD

• Collaborate: Share / Annotate / Manage

• Just Works: Picture Perfect Documents, Fast, Elegant, Interface

WHAT ENTERPRISE IT NEEDS

• Data Security and Control

• Tracking and Compliance

• Cloud or On Premise Deployment

• Integration to Enterprise Portals, Systems and Workflow


Three Steps to Address Application Shadow IT

Step 3: Track Adoption – “Germs Don’t Grow Under Sunlight”

[Adoption charts for Global Private Equity Firm and Global Sporting Goods Manufacturer: Internal Users and External Users plotted by Week]


TYING IT ALL TOGETHER


How Each Technology Approach is Different

[Diagram. Technology approaches: MDM, MAM, Consumer Apps, Document-centric Security. Labels: Lost Device, Accidental Sharing, Insider, External Attack, Etc.]

Source: Forrester Research 9/2012


Three Things to Remember…

• It’s all about the data; secure the data to remove the burden of other issues

• Have visibility into what’s going on… Shadow IT exists because it’s in the dark

• Consumerization of IT doesn’t mean that one should compromise on Enterprise needs: find the balance in the correct Enterprise App!


Do Not Fear the Shadow IT… It’s Just a Bunny…


Thank You!

Tim Choi

[email protected]

