Transcript

Making Cloud Security Part of Your DNA

Featuring:

Craig Guinasso, Chief Security Officer, Genomic Health

Sanjay Beri, CEO and Co-Founder, Netskope

Missy Krasner, Managing Director of Healthcare & Life Sciences, Box

David Baker, Chief Security Officer, Okta


About the MD Anderson Cancer Center

Genomic Health

Key Facts

• Established in 2000; the world’s leading provider of genetic cancer diagnostic tests

• Corporate HQ – Redwood City, CA

• Company’s lead product, the Oncotype Dx breast cancer test, has been shown to predict the likelihood of chemotherapy benefits as well as recurrence of invasive breast cancers

• 500,000 patient tests to date conducted by more than 1,400 physicians in 70 countries

• 800+ employees globally, $275M revenue in 2014

Business vs. Mission Critical

Information Technology is not Genomic Health’s core business; however, information delivery is fundamental to our unique science and patient value.

History: Genomic Health had “purpose built” systems maintained by “in-house” resources. This model wasn’t going to scale or support growing business needs.

IT Charter:

• Agility

• Integrated & Innovative

• Scalable & Secure

• Cloud storage

• Data & analytics

• Collaboration

• Payor and pricing management

• Line of business apps

• Order management

• Sample management

Genomic Health’s Data & Analytics Requirements vs. Twitter’s

LIFE AT GENOMIC HEALTH

• 10 parallel work streams

• 60 major system integration points

• 100s of cross team and system dependencies

Genomic Health: Inadequate File Sharing Breeds Opportunities for Data Loss, Breach and Shadow IT

Staff transferring files and collaborating in various ways:

• Big concerns around traditional data storage using file servers; outside sharing was hard

• E-mail attachments – hard to stop from being forwarded

• Need to share externally and internally

• Need to transfer large files and marketing collateral

Genomic Health - Box Deployment Phase 1: IT, Marketing and Latin America

• 900 seats purchased; 500 deployed.

• Used as an approved file sharing tool that can be accessed through normal employee credentials (single sign on via Okta)

• Early adopters – IT Staff, Marketing, Legal, and groups that collaborate internationally

• Used at conferences to send Box shared links instead of printing paper brochures

• Used in combination with Windows Surface tablets

• Used for large file transfers between collaboration partners (internal to internal and internal to external)

• Used to access documents across platforms (desktops and mobile) regardless of location

• Replaces e-mail attachments with hyperlinks to Box documents

Benefits

• Encryption in transit & at rest

• HIPAA compliant

• Back-end log files (audit trails and alerts)

• Enterprise oversight & management

• Easy to deploy; low cost to maintain

• Consumer-centric UI; very simple to use

(figure labels: Collaborators; Studies, Validations)

Cloud Security Considerations

COLLABORATION

• Enable global collaboration

• Make it secure

COMPLIANCE

• HIPAA

• EUDD

• PCI

• Safe Harbor

AUDIT STANDARDS

• ISO 27002

• EHNAC

• COBIT

• NIST

DATA PROTECTION

• MFA

• Encryption

• Pen-testing

• Role-based access

SHADOW IT

• Reduce apps

• Understand usage/forensics

• Inform decisions

VENDOR ASSESSMENT

• Understand app shortcomings

• Mitigate risk

• Facilitate negotiations

Best Practices

#1: Standardize on your enterprise-approved apps

(figure: allow/block spectrum, labelled Block, Allow and Context-Driven)

#2: Provide secure access to the right people (and the right resources)

(figure label: CLONED ACCESS)

Do:

• Encourage users to use Okta for personal applications

• Use Just-In-Time provisioning and deprovisioning APIs

• Deploy Multi-Factor Authentication to protect valuable assets

Don’t:

• Ignore mobile phones and tablets as means of ingress

• Depend on end users to employ best security practices

• Let security trump efficiency and collaboration – balance is the key

Easy, automated management of your cloud applications

• Standardize on service providers that support authentication based on SAML or WS-Fed

• Just-In-Time provisioning and deprovisioning keeps access tied to role

• Choose an Identity Provider that will validate users through a second factor

(figure: Partners, Employees, Contractors and Customers mapped to a Single Identity)

You don’t own all of your users anymore, and they’re accessing your resources from multiple devices.

Identity is the New Perimeter
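As an added example (not from the deck, and not Okta’s code), this Python script shows what “keeps access tied to role” means in practice: the identity provider’s roster and role assignments are the source of truth, and a reconciliation pass provisions, updates or deprovisions app accounts to match. The role-to-app mapping, the roster and the account list are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed role -> app entitlement mapping (example values, not Genomic Health's).
ROLE_APPS: Dict[str, Dict[str, str]] = {
    "oncology-lab": {"box": "editor", "lims": "analyst"},
    "marketing": {"box": "editor"},
    "contractor": {"box": "viewer"},
}

# Constructed IdP roster: user -> (active flag, role). The IdP is the source of truth.
IDP_USERS: Dict[str, Tuple[bool, str]] = {
    "ann": (True, "oncology-lab"),
    "bob": (False, "marketing"),   # offboarded: deactivated in the IdP
    "cara": (True, "contractor"),  # role changed from employee to contractor
}

# Constructed view of what the SaaS apps currently have: (user, app) -> access level.
APP_ACCOUNTS: Dict[Tuple[str, str], str] = {
    ("ann", "box"): "editor",
    ("bob", "box"): "editor",
    ("cara", "box"): "editor",
}

def desired_access(idp_users: Dict[str, Tuple[bool, str]]) -> Dict[Tuple[str, str], str]:
    """Derive the access each user should have purely from IdP status and role.
    Inactive users and users with an unknown role get no entitlements at all."""
    want: Dict[Tuple[str, str], str] = {}
    for user, (active, role) in idp_users.items():
        if not active:
            continue
        for app, level in ROLE_APPS.get(role, {}).items():
            want[(user, app)] = level
    return want

def reconcile(idp_users, app_accounts) -> List[Tuple[str, str, str, str]]:
    """Compare desired vs. actual access; return (action, user, app, level) tuples.
    provision = account missing, update = wrong level, deprovision = no longer entitled."""
    want = desired_access(idp_users)
    actions = []
    for (user, app), level in want.items():
        if (user, app) not in app_accounts:
            actions.append(("provision", user, app, level))
        elif app_accounts[(user, app)] != level:
            actions.append(("update", user, app, level))
    for (user, app), level in app_accounts.items():
        if (user, app) not in want:
            actions.append(("deprovision", user, app, level))
    return sorted(actions)

if __name__ == "__main__":
    for action in reconcile(IDP_USERS, APP_ACCOUNTS):
        print(*action)
```

The deactivated user loses the account the app still holds, and the role change is tightened to viewer, without anyone ticketing either change by hand.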

New Security Model: Extend Security Controls Beyond the Legacy Perimeters

• Vulnerability Management

• Identity & Authentication

• Network Controls

• Security Information & Events Mgmt (SIEM)/Analytics

• Core Cloud Service

• Mobile Security

• Governance, Risk & Compliance

• Data Loss Prevention

• eDiscovery

• Endpoint Protection

• Secret Management

Basic Controls

Core Controls

Specialized Use Case Controls

#3: Enforce granular policies

Block

• Too risky

• Unacceptable terms

Speed Bump

• Unsanctioned app

• Alert/guidance/justification

• “Data may be made public”

Block/Coach

• Sanctioned app/activity

• DLP

• Data = PHI

Context-Driven

• If-then context

• Person/group

• Activity

• Data residency
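The four tiers above, expressed as an added Python policy example (not Netskope’s code and not from the deck): each cloud-app event is checked in order against the app inventory (too risky), the unsanctioned-app rule (speed bump), the DLP rule for PHI and data residency (block/coach), and an if-then context rule before it is allowed. The app inventory, the event fields and the sample events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Event:
    user: str
    group: str
    app: str
    activity: str    # "upload", "share", "download", ...
    data_class: str  # "PHI", "internal", "public"
    region: str      # where the data would be stored (data-residency check)
    external: bool   # counterpart is outside the company

# Constructed app inventory (example values): sanctioned flag, risk finding, allowed regions.
APPS: Dict[str, dict] = {
    "box":           {"sanctioned": True,  "too_risky": False, "regions": {"US"}},
    "randomshare":   {"sanctioned": False, "too_risky": True,  "regions": {"US", "EU"}},
    "personalcloud": {"sanctioned": False, "too_risky": False, "regions": {"US"}},
}

def decide(ev: Event) -> Tuple[str, str]:
    """Map one event to (action, reason), applying the slide's tiers in order:
    BLOCK, SPEED_BUMP, BLOCK_COACH, then a context-driven ALLOW."""
    app = APPS.get(ev.app)
    if app is None or app["too_risky"]:
        return "BLOCK", "too risky or unacceptable terms"
    if not app["sanctioned"]:
        return "SPEED_BUMP", "unsanctioned app: alert, guidance, justification; data may be made public"
    if ev.data_class == "PHI" and ev.activity in {"upload", "share"} and ev.external:
        return "BLOCK_COACH", "DLP: PHI leaving to an external party"
    if ev.region not in app["regions"]:
        return "BLOCK_COACH", "data residency: region not permitted for this app"
    if ev.group == "contractor" and ev.activity == "download":
        return "SPEED_BUMP", "if-then context: contractors must justify downloads"
    return "ALLOW", "sanctioned app, policy satisfied"

# Constructed sample events: one per tier, plus an internal PHI share that is allowed.
SAMPLE = [
    Event("ann", "oncology", "box", "share", "PHI", "US", True),
    Event("ann", "oncology", "box", "share", "PHI", "US", False),
    Event("bob", "marketing", "personalcloud", "upload", "internal", "US", False),
    Event("cara", "contractor", "box", "download", "internal", "US", False),
    Event("dan", "it", "randomshare", "upload", "internal", "EU", False),
    Event("eve", "oncology", "box", "upload", "internal", "EU", False),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.user, ev.group, ev.app, ev.activity, *decide(ev))
```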

#4: Remediate shadow IT

See what users did… …to which content… …and see the who, what, when, where, and with whom

(hint: you need to understand usage)

#5: Make security champions… …out of your business counterparts

Cliff Notes

1. Standardize on enterprise-approved apps

2. Secure access – right people, right resources

3. Enforce granular policies

4. Remediate shadow IT

5. Foster security champions

Thank You!

@Genomic_Health, @Netskope, @sanjberi, @Box_HQ, @missykras, @Okta, @bazaker