1 / 23

ASU – CABIT – Privacy Day Privacy in the Cloud

ASU – CABIT – Privacy Day Privacy in the Cloud. Ben Nelson. CISO, RightNow Technologies. Business Model Change. Transferring IT Responsibilities. Leveraging Economies of Scale. Providing (Receiving) Key Services. SaaS: Definition and Key Principles.

morton
Download Presentation

ASU – CABIT – Privacy Day Privacy in the Cloud

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ASU – CABIT – Privacy DayPrivacy in the Cloud Ben Nelson CISO, RightNow Technologies

  2. Business Model Change Transferring ITResponsibilities Leveraging Economies of Scale Providing (Receiving) Key Services SaaS: Definition and Key Principles Software as a Service (SaaS) is a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third-party) the application for use by its customers over the Internet - Wikepedia. SaaS = On Demand

  3. How many of you are consumers of SaaS or Cloud Services today? • How many of you, who aren’t consumers, are considering SaaS or Cloud Services? • How many of you are responsible for implementing SaaS or Cloud Services? • What are your biggest concerns?

  4. Background

  5. Who is RightNow? • Leader in SaaS/Cloud Customer Experience • Started in 1998 • Consistent growth throughout lifetime • Currently serving 1900+ companies • Publicly traded (NASDAQ: RNOW) • 100+ million transactions per year

  6. 1,900 Clients are Delivering Superior Customer Experiences

  7. Who is Ben Nelson? • Started with RightNow in Feb 2000 • Helped architect the SaaS infrastructure elements that are still in place today • Started doing full-time information security at RightNow in 2005 • Built compliance practice in 2007 • Achieved PCI-DSS SPL1 in 2009 • Received ATO for FISMA Moderate C&A in 2009 • Completed SAS 70 Type II audit of global operations in 2009

  8. Unique Challenges

  9. Multi-Tenancy • Any (and every) customer hosted on same infrastructure • Whole infrastructure is a target for any tenant • Infrastructure’s security/privacy requirements are the super-set of the requirements of *all* tenants

  10. Market Diversity • RightNow sells to clients in almost every major market vertical you can name • Each one with unique, specific requirements/regulation • RightNow sells to clients in almost every major geography • Again, each with their own unique, specific requirements/regulations

  11. Ultra-Flexible Product/Service • We don’t limit the type of data • Simple knowledge articles (how to fix my widget) • Personalized portal data • Consumer RMAs • Health data • Compensation/Benefits • Simple contact data • We don’t limit the quantity of data

  12. Defense In Depth

  13. Basic Principles • Protect the data at every layer possible: • Physical • Rigorous physical security requirements from top-tier vendors • Personnel • Background checks and employment verifications • Infrastructure • Firewalls, Intrusion Detection, etc. • Application • OWASP application development principles • 3rd party vulnerability assessment as part of QA

  14. Incident Handling • What to do when ‘it’ happens • Must be prepared in advance • Must know how to escalate • Must be aware of breach notification laws • Generally too many to manage • Outside counsel is your best ally in this situation • Must have your legal and corporate communications teams aware of the procedure • Must maintain a relationship w/ local law enforcement • Know how to contact federal law enforcement

  15. Security Awareness • People will always be the ‘weakest link’ • Technology is the easy part • Needs to come from the ‘top down’ • Executive-level support • Needs to be regular • Periodic training • Simple reminders • Can be a motivator too • Sense of pride in knowing that you’re part of protecting critical data/infrastructure

  16. Compliance:The Proof in the Pudding

  17. Know Your Customers • They probably have very specific requirements • They probably have some oversight • Don’t try to avoid or circumvent • Understand their motivation • Understand how they’re using your service

  18. Control Mapping • Multi-tenancy with diverse clientele makes it almost impossible to meet each one’s needs individually • Overlapping controls are your friend • Mapping ‘like’ controls together isn’t as hard as it seems • Many tools available to help you do this

  19. Certification • Your word only goes so far • Engage a 3rd party to certify you against • A custom control set (SAS 70) • A well known industry standard • PCI-DSS (varying levels of certification) • ISO 2700x series • NIST guidelines (federal government C&A)

  20. What SaaS Consumers Should Expect

  21. Transparency • Especially in data security/privacy practices • Also in operational metrics • SaaS vendors should be able to clearly articulate: • Their data security/privacy practices • Their legal obligations to individuals • Their contractual obligations to *you*

  22. Recognized Certifications • Preferably validated by an outside party • Applicable to your industry’s needs • If you’re not sure what control frameworks are applicable to you • Start with BITS/Santa Fe Group • Standardized Information Gathering (SIG) Questionnaire • http://www.sharedassessments.org

  23. THANK YOU Questions?

More Related