We are now three plus years into widespread adoption across industries of public SaaS apps like Office 365. Despite this momentum, security and compliance remain top challenges. This webinar, featuring Matt Hollcraft, CISO for Maxim Integrated, Dave Ruedger, Chief Security Architect for Maxim Integrated, and Rich Campagna, SVP of Products for Bitglass, will help you build a 2017 action plan to embrace public cloud without sacrificing security and compliance.
While offering practical, actionable advice for major apps like Office 365, Matt, Dave and Rich will address your top concerns, such as unmanaged device access, external sharing, and mitigating controls. They also will provide real world examples of how other organizations have securely navigated the public cloud.
Key points to present:
IAM is key for cloud security because:
- Naturally accessible via public internet
- Multi-tenant environments are only as strong as the weakest link
- Just like any network, a lack of access control standards causes issues in areas such as separation of duties, change management and confidentiality.
Risk reduction strategies should include:
- Multi-factor authentication
- Review and approval of cloud provider admins and personnel
- Consider prohibiting competitors from being provisioned on adjacent servers
Key points to present:
Focus on the data. It’s all about the data, because:
- Data, unlike almost any other asset, can be replicated in many places
- Data stored on someone else’s servers should be encrypted where warranted, just as it would be anywhere else.
- Your data is like your kids: you don’t hand responsibility for it to just anyone, and you always agree up front on the return process (i.e. how you exit the cloud provider)
Risk reduction strategies for data include:
- Understand your data map and flows, including where the data is physically stored (privacy)
- Encryption, encryption, encryption – in transit and at rest!
- Robust Ts & Cs language and negotiation for return or deletion of data when exiting a provider (including the cloud provider’s backups)
Key points to present:
Don’t forget the due diligence:
- The data owner is still responsible for G&C
- Cloud providers feel they are not responsible
- Your controls are only as strong as their validation
Risk reduction strategies should include:
- Require completion of SSAE 16 SOC 2 annually
- Ensure your access to ALL audit and monitoring tools provided – ideally at no charge with the service
- For any adverse findings in the audit reports, demand an action plan for remediation (your leverage depends on your spend with the provider) and consider including remediation language in the Ts & Cs
What best describes your organization’s current public cloud strategy?
Cloud only
Cloud first
Cloud sometimes
Cloud if we have to
Cloud never
Explosion of SaaS in the enterprise, leveraging Bitglass Cloud Adoption Report data
O365 and productivity suites as proxy for broader cloud adoption in the enterprise across all verticals and all software functions.
Critical control areas
- Cloud: data-at-rest protection, such as encryption, sharing controls and backend sync controls
- Access: who has access to what, and in which context? Access controls, DLP, etc.
- Identity: SSO, 2FA, and carrying identity best practices over from on-prem
- Mobile: protecting cloud data synced or downloaded to devices, both managed and BYOD