Will My SaaS Provider Leak My Corporate Data? - Collaborate '15 Presentation

Proprietary and confidential

Will My SaaS Provider Leak My Corporate Data?

A Strategic Guide to Avoiding System and Network Breaches

“Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.”

BRUCE SCHNEIER, Dec. 19, 2014

Chief Technology Officer of Resilient Systems, a fellow at Harvard's Berkman Center, and a board member of EFF

Overview

Who’s Really Vulnerable?

Spoiler: it’s all of us.

What am I afraid of?

Share your story

Can I Trust This Guy?

Focused topics on (not) sharing data

Who’s Really Vulnerable?

What Am I Afraid Of?

Part 1:

What top 2 or 3 things scare you the most about your current situation?

What Am I Afraid Of?

Part 2:

● What makes you interested in Security today?

● What do you hope to get from today’s discussion?

What’s on Our Mind?

● Does my provider know what they’re doing?

● PCI compliance will protect me

● How secure is my system

● How other people failed

● How much is security worth

● ...Others?

Does my provider know what they’re doing?

● Is SaaS provider more knowledgeable and experienced than my staff?

● Is provider more scalable than my staff/systems?

● Who owns the data?

● Can they answer the hard questions?

The Hard Questions

● Security: The system is protected, both logically and physically, against unauthorized access.

● Availability: The system is available for operation and use as committed or agreed to.

● Processing Integrity: System processing is complete, accurate, timely, and authorized.

● Confidentiality: Information that is designated “confidential” is protected as committed or agreed.

● Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

SOC2

● Operation conforms to strict and detailed standards

● Adherence verified continually

● Formal audit by third party

PCI Compliance Will Protect Me

● Gaps

● Strengths

● Evolution

How Secure Is My Own System

Can you tell if your system was penetrated today?

Are you using…

● Malware scanning

● IDS/IPS

● Vulnerability scanning

Do your users know how to...

● Use strong passwords

● React to Phishing

● Recognize fake sites

How Other People Failed

● Attacks in the news

● Common attacks

How Much Is Security Worth

“Sony made its situation worse by having substandard security.”

BRUCE SCHNEIER

Sony Pictures’ executive director of information security Jason Spaltro told CIO Magazine in 2007 that it may be “a valid business decision to accept the risk” of a security breach.

http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

The Guide to Secure Partner Relationships

● Admit you’re vulnerable

● Assess the risk

● Choose your partners

● Prioritize your improvements

● Monitor your environment

● Evolve