ASU – CABIT – Privacy Day
Privacy in the Cloud
Ben Nelson, CISO, RightNow Technologies

Business Model Change
• Transferring IT Responsibilities
• Leveraging Economies of Scale
• Providing (Receiving) Key Services

SaaS: Definition and Key Principles
• Software as a Service (SaaS) is a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third party) the application for use by its customers over the Internet (Wikipedia)
• SaaS = On Demand
• How many of you are consumers of SaaS or Cloud Services today?
• How many of you, who aren’t consumers, are considering SaaS or Cloud Services?
• How many of you are responsible for implementing SaaS or Cloud Services?
• What are your biggest concerns?

Who is RightNow?
• Leader in SaaS/Cloud Customer Experience
• Started in 1998
• Consistent growth throughout lifetime
• Currently serving 1900+ companies
• Publicly traded (NASDAQ: RNOW)
• 100+ million transactions per year

Who is Ben Nelson?
• Started with RightNow in Feb 2000
• Helped architect the SaaS infrastructure elements that are still in place today
• Started doing full-time information security at RightNow in 2005
• Built compliance practice in 2007
• Achieved PCI-DSS SPL1 in 2009
• Received ATO for FISMA Moderate C&A in 2009
• Completed SAS 70 Type II audit of global operations in 2009

Multi-Tenancy
• Any (and every) customer hosted on same infrastructure
• Whole infrastructure is a target for any tenant
• Infrastructure’s security/privacy requirements are the super-set of the requirements of *all* tenants

Market Diversity
• RightNow sells to clients in almost every major market vertical you can name
  • Each one with unique, specific requirements/regulation
• RightNow sells to clients in almost every major geography
  • Again, each with their own unique, specific requirements/regulations

Ultra-Flexible Product/Service
• We don’t limit the type of data
  • Simple knowledge articles (how to fix my widget)
  • Personalized portal data
  • Consumer RMAs
  • Health data
  • Compensation/Benefits
  • Simple contact data
• We don’t limit the quantity of data

Basic Principles
• Protect the data at every layer possible:
  • Physical
    • Rigorous physical security requirements from top-tier vendors
  • Personnel
    • Background checks and employment verifications
  • Infrastructure
    • Firewalls, Intrusion Detection, etc.
  • Application
    • OWASP application development principles
    • 3rd party vulnerability assessment as part of QA

Incident Handling
• What to do when ‘it’ happens
• Must be prepared in advance
• Must know how to escalate
• Must be aware of breach notification laws
  • Generally too many to manage
  • Outside counsel is your best ally in this situation
• Must have your legal and corporate communications teams aware of the procedure
• Must maintain a relationship w/ local law enforcement
• Know how to contact federal law enforcement

Security Awareness
• People will always be the ‘weakest link’
  • Technology is the easy part
• Needs to come from the ‘top down’
  • Executive-level support
• Needs to be regular
  • Periodic training
  • Simple reminders
• Can be a motivator too
  • Sense of pride in knowing that you’re part of protecting critical data/infrastructure

Know Your Customers
• They probably have very specific requirements
• They probably have some oversight
  • Don’t try to avoid or circumvent
• Understand their motivation
• Understand how they’re using your service
Control Mapping
• Multi-tenancy with diverse clientele makes it almost impossible to meet each one’s needs individually
• Overlapping controls are your friend
• Mapping ‘like’ controls together isn’t as hard as it seems
• Many tools available to help you do this
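The Multi-Tenancy point (the platform's requirements are the super-set of every tenant's) and the control-overlap point above, worked as an added example that is not from the talk: the required set is the union of the tenants' requirements, and one internal control is mapped to the 'like' requirement in each framework so gaps and shared controls fall out of the data. The PCI DSS, ISO 27001 Annex A and NIST SP 800-53 references are real identifiers used illustratively; the crosswalk, control names and tenants are constructed, not an official mapping.

```python
from collections import defaultdict

# One internal control -> the framework requirements it is judged to satisfy.
# Constructed, simplified crosswalk; the identifiers are real framework references.
CROSSWALK = {
    "CTL-NET-FIREWALL":   {"PCI:1", "ISO:A.13.1", "NIST:SC-7"},
    "CTL-UNIQUE-USER-ID": {"PCI:8", "ISO:A.9.2", "NIST:IA-2"},
    "CTL-AUDIT-LOGGING":  {"PCI:10", "ISO:A.12.4", "NIST:AU-2"},
    "CTL-IR-PLAN":        {"PCI:12.9", "NIST:IR-8"},
    "CTL-BACKGROUND-CHK": {"ISO:A.7.1", "NIST:PS-3"},
    "CTL-3RDPARTY-VA":    {"ISO:A.14.2", "NIST:SA-11"},
}

# Constructed tenants, each bringing the requirement set its own regulator imposes.
TENANTS = {
    "retailer":       {"PCI:1", "PCI:8", "PCI:10", "PCI:12.9"},
    "federal-agency": {"NIST:SC-7", "NIST:IA-2", "NIST:AU-2", "NIST:IR-8",
                       "NIST:PS-3", "NIST:SA-11", "NIST:CP-9"},
    "eu-bank":        {"ISO:A.9.2", "ISO:A.12.4", "ISO:A.13.1", "ISO:A.7.1",
                       "ISO:A.14.2"},
}

def required_superset(tenants):
    """Shared infrastructure must satisfy the union of every tenant's requirements."""
    return set().union(*tenants.values())

def coverage(crosswalk, required):
    """Return (requirement -> controls satisfying it, sorted list of unmet requirements)."""
    satisfied_by = defaultdict(set)
    for ctl, reqs in crosswalk.items():
        for req in reqs & required:
            satisfied_by[req].add(ctl)
    gaps = sorted(required - set(satisfied_by))
    return dict(satisfied_by), gaps

def tenants_served(crosswalk, tenants):
    """Control -> tenants whose requirements it helps meet; where overlap pays off first."""
    return {ctl: sorted(t for t, need in tenants.items() if reqs & need)
            for ctl, reqs in crosswalk.items()}

if __name__ == "__main__":
    need = required_superset(TENANTS)
    covered, gaps = coverage(CROSSWALK, need)
    print(f"{len(need)} requirements, {len(covered)} covered, unmet: {gaps}")
    for ctl, who in tenants_served(CROSSWALK, TENANTS).items():
        print(f"{ctl:<20} serves {', '.join(who)}")
```

With the constructed data the one unmet requirement (NIST:CP-9, backup) is the kind of gap a new tenant's framework exposes, and the firewall control shows one implementation serving all three tenants.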
Certification
• Your word only goes so far
• Engage a 3rd party to certify you against:
  • A custom control set (SAS 70)
  • A well-known industry standard
    • PCI-DSS (varying levels of certification)
    • ISO 2700x series
    • NIST guidelines (federal government C&A)

Transparency
• Especially in data security/privacy practices
• Also in operational metrics
• SaaS vendors should be able to clearly articulate:
  • Their data security/privacy practices
  • Their legal obligations to individuals
  • Their contractual obligations to *you*

Recognized Certifications
• Preferably validated by an outside party
• Applicable to your industry’s needs
• If you’re not sure what control frameworks are applicable to you:
  • Start with BITS/Santa Fe Group
    • Standardized Information Gathering (SIG) Questionnaire
    • http://www.sharedassessments.org
THANK YOU
Questions?