Cloud Data Protection Guidance - V1 Draft
PROTECTION AND THE CLOUD
V.Jay LaRosa, VP Global Security Architecture
Unilateral Challenges
- Cloud services cannot be blocked or controlled
- Lack of heterogeneous, transparent controls
- Lack of enabling technologies
- Lack of data classification
- Data fluidity and sprawl
- Ability to access the network from anything
- Corporate vs. personal data?
- Lack of critical data asset and repository inventory
- Inability to monitor data access across the spectrum
- Inability to apply ubiquitous controls and policies
- Inability to attest to access rights
[Figure: Cloud Consumer, 2010 and 2014. Labels: Infrastructure, Operations, Availability, Data Protections, Scalability, Monitoring/Identification, Access Management, Data Protections, Encryption/Key Management, Security Controls]
[Figure: Layers: Application Layer, OS Layer, Filesystem Layer, Database Layer. Primary risk is the privileged user (external and internal)]
Deliverable
- Access Management
- Data Protection

Cloud provider types:
1) Stores: provider does not need client data visibility (Encrypt - Easier)
2) Processes: provider MUST have visibility to client data (Encrypt - Harder)
Data
- What users are accessing the cloud?
- Who else can access the same cloud?
- What data should be allowed to go to the cloud?
- Once data is in the cloud, where else can/does it go?

Cloud
- Can I trust the cloud provider?
- What controls does the provider expose to me?
- How many different control sets do I want?
Integrated Application Encryption
[Table columns: Good For, Solves For, Benefits, Challenges; bullet contents not recovered]
Proxy Based Cloud Access Brokers (CASB)
- Good For: Cloud Consumers; Type 1 Cloud Provider: Stores

Endpoint Cloud Access Broker
- Good For: Cloud Consumers; Type 1 Cloud Provider: Stores

Benefits (cloud access brokers)
- Easy to deploy
- Policy/Encryption keys held in house
- No single POF
- No reliance on corporate network
- Policy globally available via cloud replication
- Encryption keys held in house
- Complete visibility into cloud usage activity

[Challenges: bullet contents not recovered]
Solution
[Table columns: Solution, Good For, Solves For, Benefits, Challenges. Entries: NONE TODAY!!!!!; ADP Approved Devices; Products; Enterprise Nirvana]
Protection Principle
[Figure: a control point surrounded by metadata, answering "Where is it stored?" and "Should it be encrypted/masked?"]
Control Requirements (Nirvana)
1) Industry adoptable API controls framework
2) Endpoint agnostic agent (Servers, Workstations, Databases, Cloud Providers)
3) Enterprise class controls orchestration console
Thank You!
V.Jay LaRosa
VP Global Security Architecture
ADP
vjay.larosa@adp.com
508-962-1482