Managing Challenges of Cloud and Compliance Under GDPR
Laz Macias, CISSP – Sr. Sales Engineer
2017 © Netskope. All rights reserved. Netskope confidential.
[Diagram: YESTERDAY vs. TODAY. Both sides show Data Center, HQ, Branch, Remote Users and VPN; YESTERDAY is enclosed by a Network Perimeter, TODAY adds Mobile Users.]
1,000+ cloud services per enterprise – how do they get in?
App ecosystems connect IT-led and user-led apps
[Chart residue: 5%, 75%, 20%]
25 “ecosystem” apps on average per “anchor tenant” app or suite
Cloud + mobile presents sensitive data loss challenge
1/3 of business data is in the cloud
50% of cloud activity is mobile, and 1/3 of DLP policy violations occur on a mobile device
Cloud presents new challenges for compliance
Regulations and data types in scope: GDPR, GLBA, PII, SOX, PHI, HIPAA, HITECH, FINRA, PCI-DSS
Access paths:
‣ ACCESS (browser, mobile app, sync client)
‣ REMOTE (airplanes, coffee shops, etc.)
‣ ON-PREMISES (HQ, branch office)
Lack of visibility and control = non-compliance
• Where is my sensitive data?
• Who has access to it?
• Is it protected?
EU GENERAL DATA PROTECTION REGULATION:
‣ Single regulation that supersedes all others
‣ Applies to European and non-European entities
‣ Penalties up to $20M or 4% of annual turnover
‣ Adopted in 2016; enforcement on May 25, 2018
PERSONAL DATA = “…any information relating to an individual, whether it relates to his or her private, professional or public life.” “…can be anything from a NAME, a PHOTO, an EMAIL ADDRESS, BANK DETAILS, POSTS on social networking websites, MEDICAL INFORMATION, or a computer’s IP ADDRESS.”
Entities tied to compliance
SUPERVISORY AUTHORITY (Data Protection Authority)
‣ Public authority that supervises and enforces GDPR for a member state
‣ Levies fines, conducts investigations, and receives breach notifications from controllers
CONTROLLER (Your Organization)
‣ Determines the purposes and means of processing data
‣ Must have a reason for processing, use the data only for that reason, ensure its accuracy, protect it, inform the supervisory authority of a breach, and prevent transfer to insecure processors
PROCESSOR (Cloud Service)
‣ Processes data on behalf of controllers
‣ Must protect the data, use it only for the specified reason, have a signed agreement, and erase the data once services are terminated
DATA SUBJECT (Your Employee or Customer)
‣ Individual who is or can be identified, directly or indirectly
‣ Rights include consent/opt out, obtaining their data, knowing where the data is, and having the data deleted
Controller’s Obligation:
‣ KNOW what personal data is processed by workers using cloud services
‣ IDENTIFY which cloud services workers are using
‣ PREVENT personal data from being processed in unmanaged cloud services
‣ PROTECT personal data stored or processed in cloud services
Why current security approach is not good enough
Cloud value, risk, and security and compliance gaps
Cloud risks: sensitive data loss, non-compliance, threats (malware and ransomware)
Cloud delivers business value:
• “Office 365 enables collaboration for any user, anywhere, on any device”
• “HR, Finance, Marketing, and R&D are rapidly deploying cloud services and helping our business innovate” (Shadow IT)
• “AWS gives us access to unlimited compute resources for our demanding workloads”
Cloud risk and security gaps:
Office 365: • Blind to users outside the perimeter • Blind to activities on mobile • Limited protection for personal devices • Blind to data exfiltration to unsanctioned cloud
Shadow IT: • Blind to risky activities • No granular control • Forces difficult block or allow decision
AWS: • Limited visibility into sensitive data in AWS • No sensitive data protection • Auditing is limited
The Four Pillars of CASB (Cloud Access Security Broker)
‣ VISIBILITY
‣ DATA SECURITY
‣ COMPLIANCE
‣ THREAT PROTECTION
“CASB is a required security platform for organizations using cloud services.”
How a CASB is deployed
‣ API (out-of-band)
‣ Proxy (inline, TLS decryption at scale)
CASB services
[Diagram: the CASB sits between cloud services and the three access paths: ACCESS (browser, mobile app, sync client), REMOTE (airplanes, coffee shops, etc.), ON-PREMISES (HQ, branch office).]
The cloud security journey in phases
Safely permit unsanctioned, yet necessary, cloud services
‣ Identify ecosystems and non-corporate instances, and create category-level and context-based policies
‣ Block risky activities
Skipping this step may lead to user revolt and a decrease in productivity
Safely enable cloud services you have sanctioned
‣ Apply adaptive access control
‣ Implement granular policies and workflows
‣ Prevent data loss
‣ Protect against threats
‣ Encrypt when necessary
Continuously discover cloud services and assess risk
Unsanctioned and optionally blocked: optionally block the most risky services and coach users to use alternatives (block risky services, coach users)
Unsanctioned and permitted
Sanctioned
Example: Discovered = 1000, Blocked = 300, Safely Permitted = 650, Sanctioned = 50
Use of granular control: Protect against threats 450, Prevent data loss 300, Block risky activities 200, Govern access 150
1. Know location
2. Take security measures
3. Data processing agreement
4. Only “necessary” data; no “special” data unless exemption is in place
5. No personal data for other purposes
6. Data deleted post-service
Across any device, including mobile and BYOD
2. TAKE SECURITY MEASURES
Data security features such as encryption, auditing, physical security? If not, compensating controls.
Features? If no, controls!
4. ONLY “NECESSARY” DATA; NO “SPECIAL” DATA UNLESS EXEMPTION IS IN PLACE
Specify in agreement. Verify in practice.
‣ Assess service functionality
‣ Block non-necessary data
‣ Block “special” data unless exemption is in place
5. NO PERSONAL DATA FOR OTHER PURPOSES
Understand privacy terms of discovered services. Consolidate services that don’t meet requirements. Specify in agreement for the rest.
6. DATA DELETED POST-SERVICE
Understand data deletion terms after service is terminated. Consolidate services that don’t meet requirements. Specify in agreement for the rest.
In Summary
‣ Know Location
‣ Take Security Measures
‣ Data Processing Agreement
‣ Only “Necessary” Data; No “Special” Data unless with exemption
‣ No Personal Data for Other Purposes
‣ Data Deleted Post-Service
Regardless of where you are or what device you’re on