Dana Simberkoff, JD, CIPP Chief Compliance & Risk Officer AvePoint
Sanjay Jacob, Global Head, Intelligent Cloud Strategic Industries, Microsoft Corporation
Privacy. Security. Risk. 2016 IAPP Privacy Academy and CSA Congress
Presenter
Dana Louise Simberkoff, JD, CIPP Chief Compliance and Risk Officer, AvePoint
Blog: www.DocAve.com
https://www.linkedin.com/in/danalouisesimberkoff
@danalouise
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
A new era of digital transformation is upon us
Cloud momentum continues to accelerate
“If you’re resisting the cloud because of security concerns, you’re running out of excuses.”
“The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”
“By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.”
OPPORTUNITIES
SECURITY & PRIVACY POLICY & CONTROLS
SECURITY RISKS
Balance Opportunities and Risks
DATA GOVERNANCE
Data is a new currency
Hyperscale infrastructure is the enabler
28 Regions Worldwide, 22 ONLINE…huge capacity around the world…growing every year
100+ datacenters
• West US (California)
• East US (Virginia)
• US Gov (Virginia)
• North Central US (Illinois)
• South Central US (Texas)
• Brazil South (Sao Paulo State)
• West Europe (Netherlands)
• China North * (Beijing)
• China South * (Shanghai)
• Japan East (Tokyo, Saitama)
• Japan West (Osaka)
• India South (Chennai)
• East Asia (Hong Kong)
• SE Asia (Singapore)
• Australia South East (Victoria)
• Australia East (New South Wales)
• India Central (Pune)
• Canada East (Quebec City)
• Canada Central (Toronto)
• India West (Mumbai)
• Germany North East ** (Magdeburg)
• Germany Central ** (Frankfurt)
• North Europe (Ireland)
• East US 2 (Virginia)
• United Kingdom Regions
• United Kingdom Regions
• Pacific NW (Washington)
• Central US (Iowa)
• US Gov (Iowa)
Cloud Trust pillars
Microsoft IT cloud vision
“We’re comfortable with 93% of our portfolio moving to the cloud, and we’re well on our way to that. By the time we're complete with that part of our portfolio, the remainder will be ready to move to the cloud.”
Jim DuBois, CIO of Microsoft
Five steps to data governance adoption
Executive sponsorship is crucial
How should you determine what data lives in the cloud?
Understand the risk of unintended disclosure of data and safeguards
DATA HANDLING TECHNIQUES
Rapidly changing information landscape creates more business opportunities, but also increases risk throughout the data lifecycle.
• Over-retention
• Inadvertent disposal
• Excessive collection
• Inadequate records
• Inappropriate access
• Accidental misuse
• Breach or response failure
• Cross-border restrictions
• Excessive sharing
Create & Collect
Use
Share
Dispose
DATA
LIFECYCLE
What is this?
• Client records
• Employee records
• Previous project files
The Challenge
What you use…
What you need to keep…
• Current project files
• Current reference docs
Dark Data
Someone else’s Computer
Cloud ‘flavors’
Cloud Service Provider manages
You manage
Data Governance and Rights Management
Client End-points
Account and Access Management
Identity and Directory Infrastructure
Application
Network Controls
Operating System
Physical Hosts
Physical Network
Physical Datacenter
Security
Privacy and Control
Compliance
Transparency
SaaS
PaaS
IaaS
On-Prem
Build “controls” into containers
Make sure no one messes with your controls
Ensure the system is used as intended
Cloud is a chance for “Housekeeping”
Restructure your IA, consolidate
Check for poor security settings
Migrate
Mixed Junk IN
Filter for Compliance
Prioritize for Business Need
Structure for Governance
Organized Gold OUT
Data Discovery: 40TB
Data Identification: 30TB
Data Migration: 4TB
Business Information
Business Critical Data / Important Data
Scan the content
Identify ROT & duplicates
Remove duplicate data
Data and File Analysis Process
Plan for the future
Remove what’s unnecessary
Keep what’s required
Protect what’s important
Establish a way to identify it
Find out what it really is
Reduce Cost. Increase Productivity.
$
Users:
Relevant Information
IT Admins:
Easier Maintenance
Compliance Officers:
Lowered Risks
Where is it?
File Share
SharePoint
Office 365
Databases
Who can access it?
Who owns it?
Who can read it?
Who can edit it?
What is it?
File Level Analysis
Content Level Analysis
• Redundant, outdated and trivial (ROT) data
• File types (music, log files, etc.)
• Sensitive data
• Date Created
• Owner
Tags
• Ownership
• Purpose
• Audience
• Sensitivity level
Classify
• Is it a record?
• Is it high business impact?
• Who should have access?
• Where should it live?
Delete
Archive
Does it need to be reorganized?
• Is it a record?
• Does it belong somewhere else?
Can I get rid of it?
• Is it a record?
• Is it a duplicate?
• Is there a later version?
• Is it relevant?
• Which is the “golden copy”?
• Do you need multiple copies?
• Does it need to be indelible?
• Does it need to be stored off site?
• Who can access it?
• What’s the retention period?
Is it a record?
Is it high business impact?
• Does it need to be encrypted or redacted?
• How often is it accessed?
• How many people have access?
• Are multiple versions necessary?
Compliant Migration to…
End-of-Life
• Another location on the file system for archiving
• Another system (SharePoint, Office 365, storage, etc.)
• Another location for “legal hold”
• Another location on the file system
[Figure: process diagram with steps numbered 1 to 8. Labels: Assess, Prioritize, Say It, Do It, Prove It, Incident Tracking, Incident Management, Ongoing Monitoring]
Privacy Impact Assessment
Yes, risky data will be stored
Implement Controls
Restrict and control access
Tag and Classify, Move, Quarantine, Delete, Redact, Encrypt, Block, and Audit
Enforce internal policies
Reporting / Certification
No, no risky data stored
Verify and Report Reporting/ Monitor
• Developed by AvePoint
• Distributed exclusively by IAPP
• Global Support provided by AvePoint
• Educational Resource ***Cost Free***! (AvePoint Global Research and Development Team)
• Extended by the Privacy Community!
• https://www.privacyassociation.org/resource_center/avepoint_privacy_impact_assessment_system
Microsoft Azure Trust Center https://azure.microsoft.com/en-us/support/trust-center/
Office 365 Trust Center https://www.microsoft.com/en-us/TrustCenter/CloudServices/Office-365
AvePoint Data Governance Solutions http://www.avepoint.com/solutions/data-governance/
AvePoint Data Governance Workshop http://www.avepoint.com/assets/pdf/Advisory_Data_Governance_Workshop_Product_Brochure.pdf
AvePoint Privacy Impact Assessment https://iapp.org/resources/apia/
AvePoint Compliance Guardian Market Place https://azure.microsoft.com/en-us/marketplace/partners/avepoint/avepoint-compliance-guardian/
Q & A
Whitepaper – The Operational Impact of the European Union General Data Protection Regulation (GDPR) on IT
www.avepoint.com/GDPR
GDPR Survey Benchmark Survey
www.avepoint.com/GDPR-Survey
AvePoint Privacy Impact Assessment System
http://www.avepoint.com/privacy-impact-assessment/
https://iapp.org/resources/apia/
Resources