Proprietary and confidential
Will My SaaS Provider Leak My Corporate Data?
A Strategic Guide to Avoiding System and Network Breaches
“Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable.
But good security makes many kinds of attack harder, costlier and riskier.
Against attackers who aren’t sufficiently skilled, good security may protect you completely.”
BRUCE SCHNEIER, Dec. 19, 2014
—Chief Technology Officer of Resilient Systems, a fellow at Harvard's Berkman Center, and a board member of EFF
Overview
Who’s Really Vulnerable?
Spoiler: it’s all of us.
What am I afraid of?
Share your story
Can I Trust This Guy?
Focused topics on (not) sharing data
Who’s Really Vulnerable?
What Am I Afraid Of?
Part 1:
What top 2 or 3 things scare you the most about your current situation?
What Am I Afraid Of?
Part 2:
● What makes you interested in Security today?
● What do you hope to get from today’s discussion?
What’s on Our Mind?
● Does my provider know what they’re doing?
● PCI compliance will protect me
● How secure is my system
● How other people failed
● How much is security worth
● ...Others?
Does my provider know what they’re doing?
● Is the SaaS provider more knowledgeable and experienced than my staff?
● Is the provider more scalable than my staff/systems?
● Who owns the data?
● Can they answer the hard questions?
The Hard Questions
● Security: The system is protected, both logically and physically, against unauthorized access.
● Availability: The system is available for operation and use as committed or agreed to.
● Processing Integrity: System processing is complete, accurate, timely, and authorized.
● Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
● Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
SOC2
● Operation conforms to strict and detailed standards
● Adherence verified continually
● Formal audit by third party
PCI Compliance Will Protect Me
● Gaps
● Strengths
● Evolution
How Secure Is My Own System?
Can you tell if your system was penetrated today?
Are you using…
● Malware scanning
● IDS/IPS
● Vulnerability scanning
Do your users know how to...
● Use strong passwords
● React to phishing
● Recognize fake sites
How Other People Failed
● Attacks in the news
● Common attacks
How Much Is Security Worth?
“Sony made its situation worse by having substandard security.”
BRUCE SCHNEIER
Sony Pictures’ executive director of information security Jason Spaltro told CIO Magazine in 2007 that it may be “a valid business decision to accept the risk” of a security breach.
http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
The Guide to Secure Partner Relationships
● Admit you’re vulnerable
● Assess the risk
● Choose your partners
● Prioritize your improvements
● Monitor your environment
● Evolve