Exploring the Good and Evil in the Internet Cloud!
John L. Baines, AD IT Policy & Compliance, OIT
CSAM 2012 - “U R Cyber Security”
Monday, October 29, 2012 12:00 PM
Scott Hall 216
go.ncsu.edu/csam2012.
Agenda
• Good and bad on the Internet
• Big data and Cloud maturity
• Sensitive data factors at NC State
• The Data Sensitivity Framework
• Some practical advice
10/29/2012 Exploring the Good and Evil in the Internet Cloud Slide 2
[Slide 3: image, licensed under a Creative Commons License.]
The Good
• Collaborative research
• Public information availability
• Access to experts
• Free speech information exchange
• Connected communications
• Banking and shopping convenience
• Entertainment
• Save energy
• Cure diseases
• Predict trends
• Promotes involved discussion rather than violence or apathy
[Slide 5: image by Hamad Subani / Techtangerine.com, licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.]
The Bad
• Pornography explosion
• Inappropriate access
• Fraud
• Piracy
• Personal data on mobile devices
– Stolen – identity theft
– Used real-time GPS – you can’t hide
• Stalking
• Government
• No privacy – All you do is on Google
• Plagiarism
• Free speech excesses
• Data lacks verification
• Mis-information
• Hypochondria
• Security infections
• Cybernetic warfare
Big Data Scenarios – by 2020?
The Pew Research Center’s Internet & American Life Project with Elon University surveyed 1,021 Internet experts and users recruited by email.
• The good (53%)
– improve social, political, and economic intelligence
• ‘nowcasting’
• ‘inferential software’
• ‘algorithms for advanced correlations’
• move from ‘measure twice, cut once’ to ‘place small bets fast’
– greater research, and world knowledge
• The bad (39%)
– data aggregation – loss of all privacy
– false confidence in predictions – hurtful mistakes
– manipulate findings – make selfish cases
– abused by powerful people, government and/or organizations
The Internet Cloud
[Slide 8: cloud computing diagram, from Wikipedia, the free encyclopedia.]
Software-as-a-Service (SaaS)
CSA/ISACA 2012 Cloud Computing Market Maturity Study
• 252 participants representing cloud users, providers, consultants and integrators
• 85% self-identified as cloud users
• Positions from C-level executives to staff
• 15 different industry segments
• 48 countries, mostly in the Americas or Europe
Overall findings on maturity
• Cloud needs to transition from technology solution to business resource
• Infrastructure and Platform offerings
– Infancy
– About 3 years to reach ‘established growth’
• Software as a Service (SaaS) offerings
– Early growth
– 2+ years to reach ‘established growth’
Cloud infancy
SaaS Black Box
• Simple interface
• Complexities
o Hidden
o Layers
o Orders of magnitude more
• You have to be able to trust the implementation!
Positive Influence Factors
CSA/ISACA 2012 Cloud Computing Market Maturity Study Survey
Time
1. Agility
2. Time to market
3. Business unit demand
4. New technology
Money
1. Cost management
2. Efficiency
3. Productivity
4. Resilience
(Chart axes: Business Growth Influence / Process Enablement)
Negative Influences on Cloud Adoption and Innovation
CSA/ISACA 2012 Cloud Computing Market Maturity Study Survey
1. Information security
2. Data ownership / custodian responsibilities
3. Regulatory compliance
4. Legal and contractual issues
5. Information assurance
6. Contract lock-in
7. Longevity of suppliers
8. Disaster recovery / business continuity
9. Performance standards
10. Performance monitoring
11. Technology stability
(Chart label: Security)
Sensitive data factors at NC State
• Legislation
• Data Stewards assessment
• University revenues and expenses
• University image and reputation
• Confidentiality agreements / contracts
• Research (IP and Export Controls, etc.)
• Copyright and Intellectual Property
• Personal privacy
Legislation
– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Gramm Leach Bliley Act (GLBA)
– Payment Card Industry (PCI) Data Security Standard
– Red Flag Rule
– North Carolina Identity Theft Protection Act of 2005
– North Carolina Public Records Act
– North Carolina State Personnel Act
Lots of sensitive data - examples
• Personally Identifiable Information (PII)
• Credit card information
• Research data
• Public safety information
• Financial donor information
• Security controls such as:
– System access passwords
– Information file encryption keys
– Information security records
A few really ‘Red-hot’ items
• Social Security Numbers
• Credit Card Numbers
• Banking account info
• PINs and passwords
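The first two ‘Red-hot’ items, Social Security Numbers and credit card numbers, are exactly what a check run before a file goes out by e-mail or up to a cloud service should catch. The block below is an added example written for this page, not code from the original slides or from any NC State tool. It scans a constructed sample text, flags SSN-shaped numbers (excluding ranges the Social Security Administration never issues) and flags card-shaped numbers only when they pass the Luhn checksum, so that order references and phone numbers that merely look like card numbers are not reported. The sample text, the regular expressions and the function names are the editor’s own assumptions.

```python
import re

# Constructed sample text for this example (not from the original slides).
# Contains one SSN-shaped value, one Luhn-valid test card number, one
# look-alike 16-digit reference that fails Luhn, and a phone number.
SAMPLE_TEXT = """
Advising notes (constructed example)
SSN on file: 219-09-9999
Card used for deposit: 4111 1111 1111 1111
Order reference: 1234-5678-9012-3456
Phone: 919-515-3100
"""

# Assumed patterns: SSN as AAA-GG-SSSS; card as 13-19 digits with optional
# single spaces or hyphens between digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True when the digit string is a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000, 666, 900-999,
    group 00 and serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_red_hot(text: str) -> list:
    """Return (kind, matched_text) pairs for each Red-hot item found."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("SSN", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):      # drops look-alikes such as order numbers
            findings.append(("Credit card number", m.group(0)))
    return findings


def safe_to_send(text: str) -> bool:
    """Per the slides' storage matrix, Red-hot data never goes by e-mail:
    True only when no Red-hot item was detected."""
    return not find_red_hot(text)


if __name__ == "__main__":
    for kind, value in find_red_hot(SAMPLE_TEXT):
        print(f"{kind}: {value}")
    print("safe to send:", safe_to_send(SAMPLE_TEXT))
```

Pattern matching alone over-reports; the Luhn check and the SSA range check are what keep the false-positive rate low enough for such a scanner to be left turned on. Note that the scanner only sees what is in the text: numbers stored in images or in attachments are out of its reach.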
FERPA data is pervasive
• Any record, with certain exceptions, maintained by an institution that is directly related to a student or students. This record can contain a student’s name(s) or information from which an individual student can be personally (individually) identified.
• These records include: files, documents, and materials in whatever medium (handwriting, print, tapes, disks, film, microfilm, microfiche) which contain information directly related to students and from which students can be personally (individually) identified.
FERPA conclusions
• FERPA data is held by most, if not all, academic and administrative offices of our institution
– Do we need to protect the security of “Education Records” and “Student Privacy”?
• Absolutely
– Can we afford to protect them at the same level as social security numbers and credit card data?
• Certainly not
– Too expensive
– Too intrusive for access
• FERPA at NC State from OGC
A framework for the availability and security of your data.
• Data classification statement
• Data sensitivity framework
• List of controls
Data Classification Statement Matrix

Level         | Risk     | Regulation | Financial   | Reputation | Business | Other
Red-Hot       | Two of   | Multiple   | Significant | Serious    | Serious  | Litigation
High          | Two of   | Violation  | Significant | Serious    | Serious  |
Moderate      | One of   | Violation  | Some        | Some       | Adverse  |
Normal        | No major |            |             |            |          | Access control
Not sensitive | None     |            |             |            |          |
Data sensitivity framework
Data Management Procedures Regulation REG 08.00.03
New draft includes:
– Data Classification Statement
– Links to:
• Data sensitivity framework
• List of controls
Controls for Securing Sensitive Information in University Applications
• Best Practices for:
– Application owner (and developers)
– Data steward
• Three types of IS controls:
– Administrative and procedural design
– Computer server technical controls and techniques
– End-user devices technical controls and techniques
Who’s protecting your data & how?
• On your mobile device – you are
• Removable storage – you are
• On your desktop – you and your sys admin
• On University servers – OIT or college/dept IT staff (or you!)
• In the cloud – the vendor
Google and sensitive information
• http://google.ncsu.edu/usinggoogleapps/best-practices-data-security-google-apps-nc-state
• Google docs OK for FERPA data
• E-mail more of an issue
Precautions with cloud vendors
• Vendors in the CSA/ISACA study were either small or very large:
– Less than 100 staff, or
– Many thousands
• Be careful if you have sensitive data
• Look at Cloud Security Alliance STAR
• Ask OIT S&C for a security assessment of the product and the data being considered
Where is it OK to store your data?

Location          | Red-hot               | Red         | Yellow      | Green | Un-classified
Removable storage | Never                 | Encrypted…  | Yes…        | Yes…  | Yes
Mobile device     | Never                 | No          | Yes         | Yes   | Yes
Local PC          | Never                 | Encrypted…  | Yes…        | Yes   | Yes
University server | Encrypted, Restricted | Yes…        | Yes         | Yes…  | Yes
Email             | Never                 | Encrypted   | Some…       | Yes   | Yes
Print             | Restricted            | Restricted  | Restricted  | Yes   | Yes
Cloud             | Encrypted, Restricted | Restricted… | Restricted… | Yes…  | Yes
Google            | Never                 | No          | Yes…        | Yes   | Yes
Questions
The golink: http://GO.NCSU.EDU/CSAM2012E
and the security code word Cloud for prizes that will be given away on Oct.