Page 1: ASU – CABIT – Privacy Day: Privacy in the Cloud

© 2010 RightNow Technologies, Inc.

Ben Nelson, CISO, RightNow Technologies

Page 2: SaaS: Definition and Key Principles

Software as a Service (SaaS) is a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third party) the application for use by its customers over the Internet. – Wikipedia

Key principles:
– Business model change
– Transferring IT responsibilities
– Leveraging economies of scale
– Providing (receiving) key services

SaaS = On Demand

Page 3:

How many of you are consumers of SaaS or Cloud Services today?
How many of you, who aren’t consumers, are considering SaaS or Cloud Services?
How many of you are responsible for implementing SaaS or Cloud Services?
What are your biggest concerns?

Page 4: Background

Page 5: Who is RightNow?

Leader in SaaS/Cloud customer experience
Started in 1998
Consistent growth throughout lifetime
– Currently serving 1900+ companies
– Publicly traded (NASDAQ: RNOW)
100+ million transactions per year

Page 6: 1,900 Clients are Delivering Superior Customer Experiences

Page 7: Who is Ben Nelson?

Started with RightNow in Feb 2000
Helped architect the SaaS infrastructure elements that are still in place today
Started doing full-time information security at RightNow in 2005
Built the compliance practice in 2007
Achieved PCI-DSS SP L1 (Service Provider Level 1) compliance in 2009
Received an ATO (Authority to Operate) for FISMA Moderate C&A (Certification and Accreditation) in 2009
Completed a SAS 70 Type II audit of global operations in 2009

Page 8: Unique Challenges

Page 9: Multi-Tenancy

Any (and every) customer is hosted on the same infrastructure
The whole infrastructure is a target for any tenant
– A weakness reachable from one tenant’s account (or exploited by a tenant) exposes the shared platform, and with it every other tenant’s data
The infrastructure’s security/privacy requirements are the super-set of the requirements of *all* tenants
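The multi-tenancy point made concrete at the application layer, as an added example that is not part of the original deck and not RightNow’s code: two constructed tenants share one SQLite table, a lookup keyed only on a sequential id lets one tenant read the other tenant’s record, and a repository that takes the tenant from the authenticated session and binds it into every query refuses the same request. The tenant names, table, rows and function names are all assumptions made for illustration.

```python
"""Tenant isolation on shared infrastructure: a constructed example.

Two tenants share one database. A query that omits the tenant predicate
lets tenant "acme" read tenant "globex"'s record; the hardened repository
binds every query to the caller's tenant so the same request fails closed.
"""
import sqlite3

# Constructed sample data, not taken from any real deployment.
SAMPLE_ROWS = [
    (1, "acme", "RMA-1001", "Widget returned, refund pending"),
    (2, "acme", "RMA-1002", "Widget replaced"),
    (3, "globex", "RMA-2001", "Health-plan enrolment question"),
]


def build_db() -> sqlite3.Connection:
    """Create the shared in-memory database holding every tenant's rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE incidents ("
        " id INTEGER PRIMARY KEY, tenant TEXT NOT NULL,"
        " ref TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO incidents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_incident_unscoped(conn: sqlite3.Connection, incident_id: int):
    """VULNERABLE: looks a record up by id alone. Ids are sequential, so any
    tenant that guesses a neighbour's id reads that tenant's data."""
    return conn.execute(
        "SELECT tenant, ref, body FROM incidents WHERE id = ?", (incident_id,)
    ).fetchone()


class TenantScopedRepo:
    """HARDENED: the tenant is fixed when the repo is built (from the
    authenticated session, never from request parameters) and every query
    carries it as a predicate."""

    def __init__(self, conn: sqlite3.Connection, tenant: str):
        self._conn = conn
        self._tenant = tenant

    def get_incident(self, incident_id: int):
        row = self._conn.execute(
            "SELECT tenant, ref, body FROM incidents"
            " WHERE id = ? AND tenant = ?",
            (incident_id, self._tenant),
        ).fetchone()
        if row is None:
            # Same answer for "does not exist" and "belongs to another
            # tenant", so other tenants' id space cannot be enumerated.
            raise LookupError("incident not found")
        return row

    def list_incidents(self):
        return self._conn.execute(
            "SELECT tenant, ref, body FROM incidents"
            " WHERE tenant = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()


def demo():
    """Tenant "acme" requests id 3, which belongs to "globex"."""
    conn = build_db()
    leaked = get_incident_unscoped(conn, 3)  # unscoped path hands over globex's row
    acme = TenantScopedRepo(conn, "acme")
    try:
        acme.get_incident(3)
        blocked = False
    except LookupError:
        blocked = True
    return leaked[0], blocked, len(acme.list_incidents())


if __name__ == "__main__":
    print(demo())  # ('globex', True, 2)
```

The predicate has to be present on every read and write path, not only the two shown; one forgotten `WHERE tenant = ?` anywhere in the code base reopens the whole shared table, which is exactly why the deck treats the platform as a target for any tenant.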

Page 10: Market Diversity

RightNow sells to clients in almost every major market vertical you can name
– Each one with unique, specific requirements/regulations
RightNow sells to clients in almost every major geography
– Again, each with their own unique, specific requirements/regulations

Page 11: Ultra-Flexible Product/Service

We don’t limit the type of data
– Simple knowledge articles (how to fix my widget)
– Personalized portal data
  • Consumer RMAs
  • Health data
  • Compensation/benefits
  • Simple contact data
We don’t limit the quantity of data

Page 12: Defense In Depth

Page 13: Basic Principles

Protect the data at every layer possible:
– Physical
  • Rigorous physical security requirements from top-tier vendors
– Personnel
  • Background checks and employment verifications
– Infrastructure
  • Firewalls, intrusion detection, etc.
– Application
  • OWASP application development principles
  • 3rd-party vulnerability assessment as part of QA

Page 14: Incident Handling

What to do when ‘it’ happens
Must be prepared in advance
Must know how to escalate
Must be aware of breach notification laws
– Generally too many, and too varied by jurisdiction, to manage on your own
– Outside counsel is your best ally in this situation
Must have your legal and corporate communications teams aware of the procedure
Must maintain a relationship with local law enforcement
– Know how to contact federal law enforcement

Page 15: Security Awareness

People will always be the ‘weakest link’
– Technology is the easy part
Needs to come from the ‘top down’
– Executive-level support
Needs to be regular
– Periodic training
– Simple reminders
Can be a motivator too
– Sense of pride in knowing that you’re part of protecting critical data/infrastructure

Page 16: Compliance: The Proof in the Pudding

Page 17: Know Your Customers

They probably have very specific requirements
They probably have some oversight
– Don’t try to avoid or circumvent it
Understand their motivation
Understand how they’re using your service

Page 18: Control Mapping

Multi-tenancy with a diverse clientele makes it almost impossible to meet each one’s needs individually
Overlapping controls are your friend
– One implemented control can satisfy a requirement in several frameworks at once
Mapping ‘like’ controls together isn’t as hard as it seems
– Many tools are available to help you do this

Page 19: Certification

Your word only goes so far
Engage a 3rd party to certify you against:
– A custom control set (SAS 70)
– A well-known industry standard
  • PCI-DSS (varying levels of certification)
  • ISO 2700x series
  • NIST guidelines (federal government C&A)

Page 20: What SaaS Consumers Should Expect

Page 21: Transparency

Especially in data security/privacy practices
Also in operational metrics

SaaS vendors should be able to clearly articulate:
– Their data security/privacy practices
– Their legal obligations to individuals
– Their contractual obligations to *you*

Page 22: Recognized Certifications

Preferably validated by an outside party
Applicable to your industry’s needs

If you’re not sure what control frameworks are applicable to you:
– Start with BITS/Santa Fe Group
  • Standardized Information Gathering (SIG) Questionnaire
  • http://www.sharedassessments.org

Page 23: Thank You

Questions?