
DATA PROTECTION AND THE CLOUD
V.Jay LaRosa
VP Global Security Architecture

Basic Data Protection Principles

Data Classification: What is it?
- Who/What generated it?
- Where is it stored?
- What controls access to it?
- Who should have access to it?
- What should they be able to do with it?
- When should access be reviewed?
- Should it be encrypted/masked?
- Logging: 5Ws (Who, What, When, Where, Why)
- How long should it be retained?

The realities of the complexity

Unilateral Challenges
- Cloud services cannot be blocked or controlled
- Lack of heterogeneous, transparent controls
- Lack of enabling technologies
- Lack of Data Classification
- Data fluidity and sprawl
- Ability to access the network from anything
- Corporate vs. personal data?
- Lack of critical data asset and repository inventory
- Inability to monitor data access across the spectrum
- Inability to apply ubiquitous controls and policies
- Inability to attest to access rights

Problem: Breaches are increasing in sophistication and success rate

2014 Most Significant Breaches
- Sony: ~100TB of data stolen, down for days, critical systems destroyed via malware
- JPMC: 80 Million US Households, 7 Million SMBs
- eBay: 145 million records, $250M hit to 2014 revenue
- Target: 70M Credit Cards, profits down 46%
- Home Depot: 56M Credit Cards, 53M Email addresses

My Role: Dual Concerns for Security (SaaS Cloud Provider and Cloud Consumer)

Cloud Provider Security Concerns
- Infrastructure
- Operations
- Availability
- Data Protections
- Scalability

Cloud Consumer Security Concerns
- Monitoring/Identification
- Access Management
- Data Protections
- Encryption/Key Management

Cloud Provider Data Protections

End Point Security: threats and security controls by layer (threat sources: External and Internal). Primary risk is the privileged user.

Application Layer
Threats:
- Privileged user abuse: account takeover, add additional users, grant additional rights, unmask and steal data
- Application Attacks: SQLi, XSS, XSRF
Security Controls:
- Risk Based Authentication
- Authorization
- Privileged Identity Monitoring
- Data Masking
- Encryption
- ASM/IDS/SIEM
- Pen Testing

OS Layer
Threats:
- Privileged user abuse: account takeover, add additional user, grant additional rights, steal data
- System Level Attacks: Buffer Overflow
Security Controls:
- Authentication
- Locally Managed Authentication
- IDS/SIEM
- Policy Compliance Tools
- Privileged Identity Monitoring
- Identity and Account Management

Filesystem Layer
Security Controls:
- Authorization (OS ACLs)
- SIEM
- File Integrity Monitoring
- Host Based Integrity Verification

Database Layer
Threats:
- Privileged user abuse: account takeover, add additional user, grant additional rights, steal data
- Service Level Attacks: Buffer Overflow
Security Controls:
- Identity and Account Management
- Authorization (DB ACLs)
- Policy Compliance Tools
- Privileged Identity Monitoring
- SIEM
- DB Log Monitoring
- Host Based Integrity Verification

Cloud Consumer Data Protections

Requirement -> Deliverable
- Monitoring and Cloud Usage Analytics -> Passive technology to analyze existing logs to monitor cloud service usage and identify/evaluate risk
- Access Management -> Integration to cloud providers with standard ADP IT Federation process
- Data Protection -> Transparent encryption of data going to cloud providers with encryption keys stored at ADP

Cloud Provider Data Protection Challenges

Two Types of Cloud SaaS Providers
1) Stores: provider does not need client data visibility. Encrypt - Easier
2) Processes: provider MUST have visibility to client data. Encrypt - Harder

Cloud Consumer Data Protection Challenges

Data
- What users are accessing the cloud?
- Who else can access the same cloud?
- What data should be allowed to go to the cloud?
- Once data is in the cloud, where else can/does it go?

Cloud
- Can I trust the cloud provider?
- What controls does the provider expose to me?
- How many different control sets do I want?

Cloud Provider Data Protection Options

Copyright 2014 ADP, Inc. Proprietary and Confidential Information.

Cloud Provider Data Protection Challenges

Solution: Integrated Application Encryption

Benefits
- Highest level of protection from privileged user attack
- Policy/Encryption Keys held in house
- Flexibility in applied encryption strategies (FPE, Tokenization, etc.)
- Scalability and level of protection determined by key implementation strategy
- Proper data dis-association strategy reduces the amount of data elements requiring encryption
- Properly protected data easily available for downstream test/development with no obfuscation required
- Data destruction accomplished through key destruction for "forget my data" laws/regulations


Challenges
- Doesn't scale to allow the customer to own the controls
- Massive inter-application data integration
- Downstream support processes impacted
- Additional development and support costs
- Performance impact must be accounted for in application infrastructure stack
- Proper Key management practices must be implemented and validated routinely
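The two ideas the deck keeps returning to, transparent encryption of cloud-bound data with the keys held in house (the consumer deliverable above) and key destruction as data destruction under "forget my data" rules, can be shown together in one small model. This is an added example, not ADP's code or anything from the deck; the classification table, the InHouseKeyVault class and the record layout are constructed, and the cipher is a stdlib-only stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) where a real deployment would use AES-GCM from a vetted library.

```python
# Added demo (not from the deck); stand-in cipher, see lead-in. Only fields the
# classification metadata marks "restricted" are encrypted before a record leaves
# for the SaaS provider; the provider can still use the "internal" fields
# (data dis-association). Destroying a subject's key shreds its ciphertext.
import hashlib, hmac, secrets

# Constructed classification metadata for a payroll-style record.
CLASSIFICATION = {"ssn": "restricted", "salary": "restricted",
                  "employee_id": "internal", "dept": "internal"}

class InHouseKeyVault:
    """Hypothetical per-subject key store that never leaves the cloud consumer."""
    def __init__(self):
        self._keys = {}
    def provision(self, subject_id):
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))
    def key_for(self, subject_id):
        return self._keys[subject_id]  # KeyError once the key has been destroyed
    def destroy(self, subject_id):
        self._keys.pop(subject_id, None)  # ciphertext at the provider is now unrecoverable

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_field(key, text):
    nonce = secrets.token_bytes(16)
    pt = text.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
    return (nonce + ct + tag).hex()

def decrypt_field(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def to_cloud(vault, subject_id, record):
    """Transparently encrypt restricted fields (as strings) before the record leaves."""
    key = vault.provision(subject_id)
    return {f: encrypt_field(key, str(v)) if CLASSIFICATION.get(f) == "restricted" else v
            for f, v in record.items()}

def from_cloud(vault, subject_id, record):
    """Decrypt on the way back; fails closed once the subject's key is destroyed."""
    key = vault.key_for(subject_id)
    return {f: decrypt_field(key, v) if CLASSIFICATION.get(f) == "restricted" else v
            for f, v in record.items()}
```

Because the provider only ever holds ciphertext for restricted fields, a privileged user on the provider side sees nothing useful, and after destroy() the stored copy is dead data even if it is never physically deleted.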

Cloud Consumer Data Protection Options

Cloud Consumer Data Protection Options: Type 1 SaaS Cloud Provider

Solution: Proxy Based Cloud Access Brokers (CASB)
- Good For: Cloud Consumers
- Solves For: Type 1 Cloud Provider: Stores
- Benefits:
  - Easy to deploy
  - Policy/Encryption Keys held in house
- Challenges:
  - Creates reliance on corporate network for cloud accessibility
  - May require customization for cloud providers
  - Doesn't support all cloud providers out of the box
  - Single point of failure
  - Cloud usage monitoring technology deployed separately

Solution: Endpoint Cloud Access Broker
- Good For: Cloud Consumers
- Solves For: Type 1 Cloud Provider: Stores
- Benefits:
  - No single POF
  - No reliance on corporate network
  - Policy globally available via cloud replication
  - Encryption Keys held in house
  - Complete visibility into cloud usage activity
- Challenges:
  - May require customization for cloud providers
  - Doesn't support all cloud providers out of the box
  - Requires packaging/mgt/deployment of endpoint agent
  - Supporting infrastructure required for policy/Encryption Key replication and management
Cloud Consumer Data Protection Options: Type 2 SaaS Cloud Provider

Solution / Good For / Solves For / Benefits / Challenges: NONE TODAY!!!!!

A brighter future someday?


Cloud

ADP Approved
Devices

Products

Enterprise

50,000 Foot view of the situation


Nirvana

Data Classification: What is it? Protection Principle -> Control Point
- Who/What generated it? -> Metadata
- Where is it stored? -> Metadata
- What controls access to it? -> Metadata
- Who should have access to it? -> Metadata
- What should they be able to do with it? -> Metadata
- When should access be reviewed? -> Metadata
- Should it be encrypted/masked? -> Metadata
- Logging: 5Ws (Who, What, When, Where, Why) -> Metadata
- How long should it be retained? -> Metadata

Control Requirements
1) Industry adoptable API controls framework
2) Endpoint agnostic agent (Servers, Workstations, Databases, Cloud Providers)
3) Enterprise class controls orchestration console


Thank You!
V.Jay LaRosa
VP Global Security Architecture
ADP
vjay.larosa@adp.com
508-962-1482
