Do You Know Where Your Data Is? - Accellion InfoSec World 2013 Conference Presentation
DESCRIPTION
Cloud-based file sharing and collaboration solutions are ripe for the picking, but what’s right for one organization might not be right for another. Accellion presented the pros and cons of various cloud computing choices at the InfoSec World 2013 Conference & Expo last month. To learn more about the top cloud considerations for file sharing and collaboration and to find out where you stand on the privacy and public cloud debate, check out this presentation entitled “Do You Know Where Your Data Is?”
TRANSCRIPT
Do You Know Where Your Data Is?
InfoSec World 2013 Conference & Expo
John Pincus, Senior VP Products.
2
Key points
• Public cloud file sharing has risks as well as advantages
• Private cloud and hybrid solutions can be good alternatives
• Whether public or private, some key considerations for evaluation
3
The Problem: Sharing Enterprise Content Securely in the iPad Era
4
What Does BYOD Look Like?
5
What Does BYOD Feel Like?
6
The BYOD Challenge
How to make enterprise content accessible on mobile devices while maintaining control and security?
7
Definitions
• Cloud computing
• Public cloud
• Private cloud
• Hybrid
8
What IT needs …
LDAP/AD Integration
SSO (SAML, Kerberos, …)
Access control
Encryption in transit, at rest
Logging & Reporting
AV and DLP Integration
Access to Enterprise Content
Archival Integration
9
File sharing in context
Enterprise Content
DLP
Anti-virus
Archiving
MDM
File Sharing
10
… and what users want
Mobile Access
Collaboration
File Commenting
File Version Tracking
Synced Files/Folders
File Transfer
Notification
11
Why users love the public cloud
“It just works”
“Can get at it from anywhere”
“Can use whatever device I want”
“Can share with anybody”
“Don’t have to work with IT!”
12
Dropbox has become “problem child” of cloud security
iCloud Hacking Could Tarnish Apple’s Image
Patriot Act can “obtain” data in Europe, Researchers Say
Gmail, Google Drive, Chrome experience outages
Feds Tell Megaupload Users to Forget About Their Data
Safe Harbor not Safe Enough for EU Cloud Data
13
Why do you believe that public cloud computing services will have little or no impact on your organization’s IT strategy over the next five years?
Source: Evaluating Cloud File Sharing and Collaboration Solutions, ESG, 2012
14
Security concerns
• Public cloud sites are big targets
• You’re at the mercy of their operation security
• Who has access to the data?
• Some sites don’t encrypt data or restrict additional sharing
• But …
• Public cloud security is generally improving
• Some sites do pay a lot of attention to security
• Have to weigh risks …
15
Legal and privacy concerns
• Third-party doctrine
• Data location
  – Country-of-origin rules
  – Article 29 Working Party
  – PATRIOT Act concerns
• Will you get notified (and have a chance to fight) about any court orders?
• What rights does the service provider claim with respect to your data?
16
Terms of Service: Google Drive
http://www.google.com/intl/en/policies/terms/
“When you upload or otherwise submit content to our Services, you give Google Drive (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services…”
18
All about control
• Our must-have feature checklist:
  • Proven functionality that “works”
  • Tight security controls:
    • File tracking and reporting
    • Access permissions
    • Encryption at rest and transit
    • LDAP/Active Directory integration
  • Around-the-clock reliability
  • BYOD support
    • Multiple OSs and devices
    • File synchronization
    • Remote wiping
  • Support for all file sizes and formats
• We wanted control within our own datacenter
19
Private cloud as an alternative
• Hosted in your own data center
• Under your control
20
Why users love the private cloud
“It just works”
“Can get at it from anywhere” (subject to corporate policies)
“Can use whatever device I want” (subject to corporate policies)
“Can share with anybody” (subject to corporate policies)
“Don’t have to work with IT!” (once the system’s up and running)
21
Private Cloud or Public Cloud?
• Minimize investment? Achieve excellence? Investment in IT and operational security?
• CFO preference? CapEx vs OpEx?
• Patriot Act, Safe Harbor Privacy. Data Physical Location?
• No solution is 100% secure. Corporate DNA and tolerance for risk?
22
Enterprise Considerations for File Sharing and Collaboration
• Security controls
• Compliance and reporting
• Scalability and availability
• Leverage existing content stores
• Enterprise integrations
Whether public or private cloud …
23
Accellion Confidential
Compliance and Reporting
Reporting
Granularity of auditing and reporting
Export to 3rd party reporting
Log formatting for export
SNMP (Monitoring)
24
Security Controls
Enterprise Security
• Anti-Virus
• Data Loss Prevention
• Restricted Admin Access to Content
• Hardened Server Appliance
• Data Residency
Authentication / Authorization
• SSO with SAML / OAuth / Kerberos
• Multi-LDAP and AD integration
• Two-Factor Authentication
• Password Policies
• RBAC
• Granular Authorization
Encryption
• Encryption – Data at Rest and in Motion
• Encryption Strength
• Ownership of Encryption Keys
• FIPS 140-2 Certification
Mobile Security
• Secure Mobile Container
• Whitelisted Helper Applications
• Server Side Viewing
• Remote Wipe
• Offline PIN
25
And don’t forget about the users!
“It just works”
“Can get at it from anywhere” (subject to corporate policies)
“Can use whatever device I want” (subject to corporate policies)
“Can share with anybody” (subject to corporate policies)
26
Conclusion
• No one right answer
• Public cloud has risks along with benefits
• Private cloud is a viable alternative
• Hybrid approaches (mix of public and private cloud) may be the best answer
• Security evaluation criteria apply no matter whether it’s public or private
Accellion provides enterprise-class mobile file sharing solutions that enable secure anytime, anywhere access to information while ensuring enterprise security and compliance.
The world’s leading corporations and government agencies select Accellion to protect intellectual property, ensure compliance, improve business productivity and reduce IT cost.
Learn more about Accellion here: www.accellion.com