Presentation on theme: "The Effects of Cloud Services on Compliance and Data Protection"— Presentation transcript:
1The Effects of Cloud Services on Compliance and Data Protection Bring your own serviceThe Effects of Cloud Services on Compliance and Data ProtectionVaronis Systems. Proprietary and confidential.
2About varonis Founded in 2004, started operations in 2005 Over 1800 CustomersOver 4500 installationsOffices on 6 continentsBased on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their unstructured data, ensuring that only the right users have access to the right data at all times from all devices, all use is monitored, and abuse is flagged.Varonis Systems. Proprietary and confidential.
3BRING YOUR OWN DEVICEYou’ve all been bombarded with BYOD, right? Everyone has their own smartphone, tablet, or laptop (or all three), and they want to use them for work.
4More devices has meant a spike in services that easily keep data sync’d between them. These services are often:Cloud-basedFree or cheapCompletely outside of organizational control or oversightBRING YOUR OWN SERVICE
5Example: Cloud File Sharing Explosion Public cloud file sharing has explodedAs of November 2012, Dropbox claimed to have 100,000,000 customersOne of the services that many of you are likely grappling with already is Dropbox.It’s no secret that the way we share files has changed. File sync services like Dropbox have seen enormous growth. Dropbox reports having over 100 million customers now.Varonis Systems. Proprietary and confidential.
6Why do people love Dropbox? It’s easy!You have a folderYou put stuff in itIt syncsWith all your devicesWith the people you want to share withServices like this make BYOD work…but does BYOS work for business?There are a lot of factors contributing to this growth: the proliferation of smart phones and tables being a major driver. But perhaps more importantly: it’s easy.You have a folderYou put stuff it inIt syncs –With all your devicesWith the people you want to share withWithout services like Dropbox, BYOD wouldn’t work. You’d have to manually sync all of your data all of the time. It’d be so painful, you wouldn’t want to manage more than one device. Remember what is was like to have to manually sync songs to your iPod?Varonis Systems. Proprietary and confidential.
8Hey boss, can I use Dropbox? Varonis Systems. Proprietary and confidential.
9No. =(No.Bummer.Varonis Systems. Proprietary and confidential.
10Varonis BYOS Survey Results of companies currently do not allow cloud-based file synchronizationof companies are satisfied with the controls that cloud-based file sync services have in placeIn all seriousness, to gauge the adoption of BYOS, Varonis conducted research with the analyst firm IDG last year and found that:80% of organizations don’t allow their employees to use cloud file sync services like DropboxOn the other end of the spectrum, 14% were comfortable with BYOSAnd 6% weren’t satisfied by the control and security around BYOS, but are going ahead anywaySo, what are the main reasons 80% of organizations don’t allow BYOS?of companies are not satisfied but are going ahead anywayVaronis Systems. Proprietary and confidential.
11Access rights and Authorization Why not?worried about maintaining correct access rights and authorizationOver half of companies are worried that they won’t be able to ensure that only the right users have access to data that’s stored in a cloud service.If you think about it, many of these BYOS services were built with consumers in mind, and governance has been an afterthought – especially governance that is designed to stand up to corporate requirements.Varonis Systems. Proprietary and confidential.
12Authentication Why not? worried about authentication 39% of companies are concerned about authentication.For many companies, if authentication doesn’t go through their directory services, it becomes an added burden to control, if they can control it at all.Most BYOS use password authentication that’s linked to your personal account, so in many cases the company doesn’t even know an account has been created.Varonis Systems. Proprietary and confidential.
13Auditing & Data Loss Why not? worried about data loss or auditing access activity26% were opposed to BYOS for fear of data loss and lack of visibility into who is touching data.Organizations know that questions come up all the time about who has accessed data, or who has deleted data. And without an audit trail, these questions can’t be answered.Varonis Systems. Proprietary and confidential.
14FEARED Consequences Downtime Loss of productivity When considering BYOS, companies seem to be most afraid of falling victim to a number of things.Surprisingly, most people were afraid of downtime, which is not the first thing you might think of for BYOS. But there have been a number of high-profile instances with Amazon Web Services and other providers whose infrastructure powers a number of big businesses.Loss of productivity.Compliance violations.Data theft and loss.DowntimeLoss of productivityCompliance violationsData theftVaronis Systems. Proprietary and confidential.
15So, will you ever allow Dropbox? IT plans to allow cloud-based file syncLastly, we asked people if they’d ever adopt cloud services such as Dropbox.A resounding 69% said: no.NoYesVaronis Systems. Proprietary and confidential.
16Too bad! We’re using them anyway 1 in 5 employees already use Dropbox for work!Despite your plans to not use Dropbox, chances are users are doing it anyway.A survey by Nasuni reports that 1 in 5 employees (20%) are already using Dropbox for business data.Source: NasuniVaronis Systems. Proprietary and confidential.
17Doing nothing means we’ll lose control It’s clear that if we don’t take any action, users will take matters into their own hands.Varonis Systems. Proprietary and confidential.
18What if……you could manage them in the same way you can manage internal resources?YesNoVaronis Systems. Proprietary and confidential.
19Let’s Have our cake and eat it, too Give users what they want:SimplicityAccessibilityMobile supportGive organizations what they need:ControlComplianceSecuritySo what should we do about it?We have to give users what they want while maintaining control.We know that users want simplicity, accessibility, and mobile support.We know that organizations need control, compliance, and security.Varonis Systems. Proprietary and confidential.
20How do we do this?Varonis Systems. Proprietary and confidential.
21What are the options?CloudInternalIn order to achieve our goal, we either going to have to find a cloud service that provides the control we need.Or we’re going to have to bring the cloud functionality and simplicity inside where the controls already exist.Varonis Systems. Proprietary and confidential.
22To the cloud!CloudThe first option we’re going to look is moving data to the cloud.Assuming you’ve found a cloud service that meets your needs, how do you plan to get there?Varonis Systems. Proprietary and confidential.
23Do you have an existing infrastructure? Easy!Moving everything?No so hard.Oh boy.NoYesIf you don’t have an existing infrastructure, you don’t have to worry about this.But if you do, you have to ask questions like:Will we be moving everything and shutting down your existing infrastructure?If not, it’s important to ask some important questions:Can you determine which data you want to move?Are you going to have multiple user directories?Are you going to have multiple processes for granting and revoking access to data?If you need to figure out who’s been touching data, do you have one audit trail or many?If you’ve got copies of the same data inside and outside, how do you determine what the definitive copy is?How do people on the inside collaborate with people using cloud services?NoYesVaronis Systems. Proprietary and confidential.
24Controls in the CloudData stored in the cloud is still subject to the same risks as internal dataAccording to the Information Commissioner’s Office (ICO), you’re still responsible for your data even if it’s stored in the cloudEven if you aren’t going to end up with two environments to manage – inside and outside – there are still challenges.Data stored in the cloud is still subject to the same risks. According to the ICO, you’re still responsible for your data, even if it’s stored in the cloud. So if Dropbox has a breach and loses your customers’ data, you’re still on the hook.Even though you’re outsourcing the storage, you’re not outsourcing the risk.Varonis Systems. Proprietary and confidential.
25Don’t forget to pack… Backup & recovery processes (BCP/DR) Authorization processes (entitlement reviews, authorization workflows)Retention & DispositionContent inspectionAccess auditingChange managementLastly, when it comes down to physically moving your data to the cloud, some additional things to consider are:How you plan to backup that data?How would you fall-over in the event of a disaster?How are you going to manage who gets access to what?It’s not in cloud vendors’ interest to delete data – so how are you going to manage archiving?How are you going to find sensitive content, like PII? Or ensure it stays out of the cloud altogether.How are you going to answer questions about who’s been accessing or deleting data across multiple repositories?How do you do change management in the cloud?Varonis Systems. Proprietary and confidential.
26Extend your existing infrastructure InternalVaronis Systems. Proprietary and confidential.
27Do you have an existing infrastructure? This is a whole different presentationAdd cloud-like functionalityNoYesTODO: flow chartNo? Well, we’ll probably need a whole different presentation for that.Yes Add cloud-like functionality.What is that cloud-like functionality?File synchronization. Mobile device support. Third-party sharing. Easily integrates with existing controls. Leverages your data, permissions, and directory services.Varonis Systems. Proprietary and confidential.
28What do we need?We need to provide client for mobile devices and laptopsWe need to provide file syncWe need to authenticate with Active DirectoryWe need to enforce existing permissionsWe need to coexist with all the internal controls we mentioned before (backup, classification, etc.)Would be ideal to be able to have everything contained in our own infrastructureHere are some of the things we’d want if we were going to bring cloud-like functionality to our existing infrastructure.Does anything like this exist? At least one: Varonis DatAnywhere.Varonis Systems. Proprietary and confidential.
29Varonis DatAnywhereProvide cloud usability using only existing infrastructure:There’s a folderYou put stuff in itIt syncs…With your existing storage (NAS, file servers)Using Active Directory credentialsUsing your existing file system permissionsVaronis Systems. Proprietary and confidential.
30Step 1: LoginAD Domain credentialsLogin with your domain credentials (Active Directory) and/or multi-factor authenticationVaronis Systems. Proprietary and confidential.
31Step 2: Collaborate Your sync’d folders appear in explorer Changes sync to your CIFS serversVaronis Systems. Proprietary and confidential.
32See Sync Speeds and Notifications Varonis Systems. Proprietary and confidential.
33Mobile AppsVaronis Systems. Proprietary and confidential.
34Right click for instant Extra-net Varonis Systems. Proprietary and confidential.
35Secure Collaboration with 3rd Parties Set permissions and expiration dates.Share with partners, customers, vendors, and clients.Varonis Systems. Proprietary and confidential.
37One more thing…Some of you might be thinking “my internal infrastructure could benefit from better controls, too.”Varonis Systems. Proprietary and confidential.
38Integrates with Data Governance Suite Use DatAdvantage to manage permissionsUse DataPrivilege to automate authorizationDatAnywhere activity is recorded by DatAdvantageVaronis has been helping organizations with data governance for years.Varonis Systems. Proprietary and confidential.
39Summary Cloud-style sharing and BYOD may be inevitable Organizations must choose a direction before the employees choose one for themOrganizations have a choice between moving data to the cloud, or extending their existing infrastructure to provide cloud-style capabilities in-houseWhichever direction your organization chooses, governance will be instrumental for secure collaborationVaronis Systems. Proprietary and confidential.
40Varonis Solutions GOVERNANCE ACCESS RETENTION Ensure that only the right people has access to the right data at all times, access is monitored and abuse is flagged.ACCESSUse your existing file shares, on your own servers, to provide file synchronization, mobile access, and secure 3rd party sharing.RETENTIONIntelligently automate data disposition, archiving and migration process using the intelligence of the Varonis Metadata Framework
41Thank youVaronis Systems. Proprietary and confidential.