Page 1

Exploring the Good and Evil in the Internet Cloud!

John L. Baines, AD IT Policy & Compliance, OIT

CSAM 2012 - “U R Cyber Security”

Monday, October 29, 2012 12:00 PM

Scott Hall 216

go.ncsu.edu/csam2012

Page 2

Agenda

• Good and bad on the Internet
• Big data and Cloud maturity
• Sensitive data factors at NC State
• The Data Sensitivity Framework
• Some practical advice

10/29/2012 Exploring the Good and Evil in the Internet Cloud Slide 2

Page 3


licensed under a Creative Commons License.

Page 4

The Good

• Collaborative research
• Public information availability
• Access to experts
• Free speech / information exchange
• Connected communications
• Banking and shopping convenience
• Entertainment
• Save energy
• Cure diseases
• Predict trends
• Promotes involved discussion rather than violence or apathy

Page 6

The Bad

• Pornography explosion
• Inappropriate access
• Fraud
• Piracy
• Personal data on mobile devices
  – Stolen – identity theft
  – Used real-time GPS – you can’t hide
• Stalking
• Government
• No privacy – All you do is on Google
• Plagiarism
• Free speech excesses
• Data lacks verification
• Mis-information
• Hypochondria
• Security infections
• Cybernetic warfare

Page 7

Big Data Scenarios – by 2020?

• The good (53%)
  – improve social, political, and economic intelligence
    • ‘nowcasting’
    • ‘inferential software’
    • ‘algorithms for advanced correlations’
    • move from ‘measure twice, cut once’ to ‘place small bets fast’
  – greater research, and world knowledge
• The bad (39%)
  – data aggregation – loss of all privacy
  – false confidence in predictions – hurtful mistakes
  – manipulate findings – make selfish cases
  – abused by powerful people, government and/or organizations

Source: The Pew Research Center’s Internet & American Life Project with Elon University surveyed 1,021 Internet experts and users recruited by email.

Page 8

The Internet Cloud

[Cloud computing figure: From Wikipedia, the free encyclopedia]

Software-as-a-Service (SaaS)

Page 9

CSA/ISACA 2012 Cloud Computing Market Maturity Study

• 252 participants representing cloud users, providers, consultants and integrators
• 85% self-identified cloud users
• Positions from C-level executives to staff
• 15 different industry segments
• 48 countries, most America or Europe

Page 10

Overall findings on maturity

• Cloud needs to transition from technology solution to business resource
• Infrastructure and Platform offerings
  – Infancy
  – About 3 years to reach ‘established growth’
• Software as a Service (SaaS) offerings
  – Early growth
  – 2+ years to reach ‘established growth’

Page 11

Cloud infancy


Page 12

SaaS Black Box

• Simple interface
• Complexities
  o Hidden
  o Layers
  o Orders of magnitude more
• You have to be able to trust the implementation!

Page 13

Positive Influence Factors

Business Growth Influence (Time):
1. Agility
2. Time to market
3. Business unit demand
4. New technology

Process Enablement (Money):
1. Cost management
2. Efficiency
3. Productivity
4. Resilience

Source: CSA/ISACA 2012 Cloud Computing Market Maturity Study Survey

Page 14

Negative Influences on Cloud Adoption and Innovation

1. Information security
2. Data ownership/custodian responsibilities
3. Regulatory compliance
4. Legal and contractual issues
5. Information assurance
6. Contract lock-in
7. Longevity of suppliers
8. Disaster recovery/business continuity
9. Performance standards
10. Performance monitoring
11. Technology stability

[Chart grouping label: Security]

Source: CSA/ISACA 2012 Cloud Computing Market Maturity Study Survey

Page 15

Sensitive data factors at NC State

• Legislation
• Data Stewards assessment
• University revenues and expenses
• University image and reputation
• Confidentiality agreements / contracts
• Research (IP and Export Controls, etc.)
• Copyright and Intellectual Property
• Personal privacy

Page 16

Legislation

– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Gramm-Leach-Bliley Act (GLBA)
– Payment Card Industry (PCI) Data Security Standard
– Red Flag Rule
– North Carolina Identity Theft Protection Act of 2005
– North Carolina Public Records Act
– North Carolina State Personnel Act

Page 17

Lots of sensitive data - examples

• Personally Identifiable Information (PII)
• Credit card information
• Research data
• Public safety information
• Financial donor information
• Security controls such as:
  – System access passwords
  – Information file encryption keys
  – Information security records

Page 18

A few really ‘Red-hot’ items

• Social Security Numbers
• Credit Card Numbers
• Banking account info
• PINs and passwords

Page 19

FERPA data is pervasive

• Any record, with certain exceptions, maintained by an institution that is directly related to a student or students. This record can contain a student’s name(s) or information from which an individual student can be personally (individually) identified.

• These records include: files, documents, and materials in whatever medium (handwriting, print, tapes, disks, film, microfilm, microfiche) which contain information directly related to students and from which students can be personally (individually) identified.

Page 20

FERPA conclusions

• FERPA data is held by most, if not all, academic and administrative offices of our institution
  – Do we need to protect the security of “Education Records” and “Student Privacy”?
    • Absolutely
  – Can we afford to protect them at the same level as social security numbers and credit card data?
    • Certainly not
      – Too expensive
      – Too intrusive for access
• FERPA at NC State from OGC

Page 21

A framework for the availability and security of your data.

• Data classification statement
• Data sensitivity framework
• List of controls

Page 22

Data Classification Statement Matrix

Level         | Risk     | Regulation | Financial   | Reputation | Business | Other
--------------|----------|------------|-------------|------------|----------|---------------
Red-Hot       | Two of   | Multiple   | Significant | Serious    | Serious  | Litigation
High          | Two of   | Violation  | Significant | Serious    | Serious  |
Moderate      | One of   | Violation  | Some        | Some       | Adverse  |
Normal        | No major |            |             |            |          | Access control
Not sensitive | None     |            |             |            |          |

Page 23

Data sensitivity framework

Data Management Procedures Regulation REG 08.00.03

New draft includes:
– Data Classification Statement
– Links to:
  • Data sensitivity framework
  • List of controls

Page 24

Controls for Securing Sensitive Information in University Applications

• Best Practices for:
  – Application owner (and developers)
  – Data steward
• Three types of IS controls:
  – Administrative and procedural design
  – Computer server technical controls and techniques
  – End-user devices technical controls and techniques

Page 25

Who’s protecting your data & how?

• On your mobile device – you are
• Removable storage – you are
• On your desktop – you and your sys admin
• On University servers – OIT or college/dept IT staff (or you!)
• In the cloud – the vendor

Page 26

Google and sensitive information

• http://google.ncsu.edu/usinggoogleapps/best-practices-data-security-google-apps-nc-state
• Google docs OK for FERPA data
• E-mail more of an issue

Page 27

Precautions with cloud vendors

• From CSA/ISACA study, vendors are either
  – Less than 100 staff, or
  – Many thousands
• Be careful if you have sensitive data
• Look at Cloud Security Alliance STAR
• Ask OIT S&C for security assessment of product and data being considered

Page 28

Where is it OK to store your data?

Location          | Red-hot               | Red         | Yellow      | Green | Un-classified
------------------|-----------------------|-------------|-------------|-------|--------------
Removable storage | Never                 | Encrypted…  | Yes…        | Yes…  | Yes
Mobile device     | Never                 | No          | Yes         | Yes   | Yes
Local PC          | Never                 | Encrypted…  | Yes…        | Yes   | Yes
University server | Encrypted, Restricted | Yes…        | Yes         | Yes…  | Yes
Email             | Never                 | Encrypted   | Some…       | Yes   | Yes
Print             | Restricted            | Restricted  | Restricted  | Yes   | Yes
Cloud             | Encrypted, Restricted | Restricted… | Restricted… | Yes…  | Yes
Google            | Never                 | No          | Yes…        | Yes   | Yes

Page 29

Questions

The golink: http://GO.NCSU.EDU/CSAM2012E and the security code word Cloud for prizes that will be given away on Oct.