Making Cloud Security Part of Your DNA
Jul 19, 2015
Featuring:
Craig Guinasso, Chief Security Officer, Genomic Health
Sanjay Beri, CEO and Co-Founder, Netskope
Missy Krasner, Managing Director of Healthcare & Life Sciences, Box
David Baker, Chief Security Officer, Okta
About Genomic Health
Key Facts
• Established in 2000; the world’s leading provider of genetic cancer diagnostic tests
• Corporate HQ – Redwood City, CA
• The company’s lead product, the Oncotype Dx breast cancer test, has been shown to predict the likelihood of chemotherapy benefit as well as recurrence of invasive breast cancer
• 500,000 patient tests to date, conducted by more than 1,400 physicians in 70 countries
• 800+ employees globally; $275M revenue in 2014
Business vs. Mission Critical
Information Technology is not Genomic Health’s core business; however, information delivery is fundamental to our unique science and patient value.
History
Genomic Health had “purpose built” systems maintained by “in-house” resources. This model wasn’t going to scale or support growing business needs.
IT Charter
• Agility
• Integrated & Innovative
• Scalable & Secure
• Cloud storage
• Data & analytics
• Collaboration
• Payor and pricing management
• Line of business apps
• Order management
• Sample management
Genomic Health’s Data & Analytics Requirements vs. Twitter’s
LIFE AT GENOMIC HEALTH
• 10 parallel work streams
• 60 major system integration points
• 100s of cross-team and system dependencies
Genomic Health: Inadequate File Sharing Breeds Opportunities for Data Loss, Breach and Shadow IT
Staff transferring files and collaborating in various ways:
• Big concerns around traditional data storage; using file servers and outside sharing was hard
• E-mail attachments – hard to stop from being forwarded
• Need to share externally and internally
• Need to transfer large files and marketing collateral
Genomic Health – Box Deployment Phase 1: IT, Marketing and Latin America
• 900 seats purchased; 500 deployed
• Used as an approved file sharing tool that can be accessed through normal employee credentials (single sign-on via Okta)
• Early adopters – IT staff, Marketing, Legal, and groups that collaborate internationally
• Used at conferences to send Box shared links instead of printing paper brochures
• Used in combination with Windows Surface tablets
• Used for large file transfers between collaboration partners (internal to internal and internal to external)
• Used to access documents across platforms (desktops and mobile) regardless of location
• Replaces e-mail attachments with hyperlinks to Box documents
Benefits
• Encryption in transit & at rest
• HIPAA compliant
• Back-end log files (audit trails and alerts)
• Enterprise oversight & management
• Easy to deploy; low cost to maintain
• Consumer-centric UI; very simple to use
(Slide diagram labels: Collaborators; Studies, Validations)
Cloud Security Considerations
COLLABORATION
• Enable global collaboration
• Make it secure
COMPLIANCE
• HIPAA
• EUDD
• PCI
• Safe Harbor
AUDIT STANDARDS
• ISO 27002
• EHNAC
• COBIT
• NIST
DATA PROTECTION
• MFA
• Encryption
• Pen-testing
• Role-based access
SHADOW IT
• Reduce apps
• Understand usage/forensics
• Inform decisions
VENDOR ASSESSMENT
• Understand app shortcomings
• Mitigate risk
• Facilitate negotiations
#1: Standardize on your enterprise-approved apps
#2: Provide secure access to the right people (and the right resources)
(Slide graphic labelled “Cloned access”)
Do
• Encourage users to use Okta for personal applications
• Use Just-In-Time provisioning and deprovisioning APIs
• Deploy Multi-Factor Authentication to protect valuable assets
Don’t
• Ignore mobile phones and tablets as means of ingress
• Depend on end users to employ best security practices
• Let security trump efficiency and collaboration – balance is the key
Easy, automated management of your cloud applications
• Standardize on service providers that support authentication based on SAML or WS-Fed
• Just-In-Time provisioning and deprovisioning keeps access tied to role
• Choose an Identity Provider that will validate users through a second factor
(Slide diagram: Partners, Employees, Contractors and Customers all mapped to a Single Identity)
You don’t own all of your users anymore, and they’re accessing your resources from multiple devices.
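The “keep access tied to role” point above is easiest to see as a reconciliation step run at every federated login. The following is an added example written for this page, not code from the deck, from Okta or from any identity provider: it takes the group attribute an IdP releases in a SAML or WS-Fed assertion, maps it to per-app roles, and computes the provision, role-change and deprovision actions needed so that the user’s app accounts never outlive their group membership. The group names, app names, role ranks and the assertion shape are all constructed assumptions.

```python
"""Added example (not from the deck): role-tied just-in-time (JIT)
provisioning and deprovisioning driven by the group attribute carried in a
federated login assertion.  Group names, app names, role ranks and the
assertion shape are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed entitlement model: IdP group -> {app: role}.  In a real
# deployment this table lives in the IdP or the app's SCIM/provisioning config.
GROUP_ENTITLEMENTS: Dict[str, Dict[str, str]] = {
    "marketing": {"box": "editor"},
    "legal":     {"box": "viewer", "contracts": "editor"},
    "it":        {"box": "admin",  "contracts": "admin"},
}
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}   # higher rank wins on conflict


@dataclass
class Assertion:
    """Subset of the attributes an IdP sends in a SAML/WS-Fed assertion."""
    subject: str          # user identifier (NameID)
    groups: List[str]     # group-membership attribute released by the IdP


def desired_roles(groups: List[str]) -> Dict[str, str]:
    """Collapse group memberships into one role per app (highest rank wins)."""
    roles: Dict[str, str] = {}
    for group in groups:
        for app, role in GROUP_ENTITLEMENTS.get(group, {}).items():
            if ROLE_RANK[role] > ROLE_RANK.get(roles.get(app, ""), 0):
                roles[app] = role
    return roles


def reconcile(current: Dict[str, str],
              assertion: Assertion) -> List[Tuple[str, str, str]]:
    """Return the actions that make the user's app accounts match what the
    assertion entitles.  Each action is (verb, app, role); deprovision carries
    an empty role.  Accounts for apps no longer entitled are removed, which is
    what keeps access tied to role rather than to the fact that an account
    was once created."""
    target = desired_roles(assertion.groups)
    actions: List[Tuple[str, str, str]] = []
    for app, role in sorted(target.items()):
        if app not in current:
            actions.append(("provision", app, role))
        elif current[app] != role:
            actions.append(("change_role", app, role))
    for app in sorted(current):
        if app not in target:
            actions.append(("deprovision", app, ""))
    return actions


def apply_actions(current: Dict[str, str],
                  actions: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Apply reconcile() output to the account map and return the new map."""
    state = dict(current)
    for verb, app, role in actions:
        if verb == "deprovision":
            state.pop(app, None)
        else:
            state[app] = role
    return state


if __name__ == "__main__":
    # Constructed lifecycle: join marketing, move to legal, then lose all groups.
    state: Dict[str, str] = {}
    for groups in (["marketing"], ["legal"], []):
        actions = reconcile(state, Assertion("alice@example.com", groups))
        print(groups, "->", actions)
        state = apply_actions(state, actions)
    print("final accounts:", state)   # {} once the user is in no entitled group
```

The deprovision branch is the security-relevant half: without it, JIT provisioning silently accumulates accounts as people move between teams, and the “right people, right resources” goal on the next slide erodes with every reorg.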
Identity is the New Perimeter
New Security Model: Extend Security Controls Beyond the Legacy Perimeters
Control areas shown on the slide:
• Vulnerability Management
• Identity & Authentication
• Network Controls
• Security Information & Events Mgmt (SIEM)/Analytics
• Core Cloud Service
• Mobile Security
• Governance, Risk & Compliance
• Data Loss Prevention
• eDiscovery
• Endpoint Protection
• Secret Management
Control tiers: Basic Controls, Core Controls, Specialized Use Case Controls
#3: Enforce granular policies
Block
• Too risky
• Unacceptable terms
Speed Bump
• Unsanctioned app
• Alert/guidance/justification
• “Data may be made public”
Block/Coach
• Sanctioned app/activity
• DLP
• Data = PHI
Context-Driven
• If-then context
• Person/group
• Activity
• Data residency
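The four enforcement tiers on this slide compose into an ordered decision: hard blocks first, then a speed bump for anything unsanctioned, then DLP on sanctioned apps, and finally the if-then context checks. The following is an added example for this page, not code from the deck or from Netskope’s product: a small evaluator that returns one action and the reason for it. The app names, groups, regions, data classes and the rule thresholds are constructed assumptions; a real CASB policy set would be far larger, but the ordering is the point.

```python
"""Added example (not from the deck): an ordered policy evaluator mirroring
the Block / Speed Bump / Block-Coach / Context-Driven tiers.  Apps, groups,
regions and data classes are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    SPEED_BUMP = "speed_bump"   # alert + guidance; user must justify to proceed
    COACH = "coach"             # allowed, but the user is warned and it is logged


@dataclass(frozen=True)
class Request:
    user: str
    group: str          # e.g. "clinical", "marketing"
    app: str            # cloud service being used
    activity: str       # "view", "upload", "share_external"
    data_class: str     # "public", "internal", "PHI"
    app_region: str     # where the app stores the data, e.g. "US", "EU"


# Constructed policy data
DENYLISTED_APPS = {"freefileshare.example"}            # too risky / unacceptable terms
SANCTIONED_APPS = {"box", "okta", "crm.example"}
PHI_HANDLING_GROUPS = {"clinical", "lab"}
RESIDENCY = {"clinical": {"US"}, "lab": {"US"}, "marketing": {"US", "EU"}}


def evaluate(req: Request) -> Tuple[Action, str]:
    """Walk the tiers in order and return the first decision that applies."""
    # Tier 1 - Block: apps that failed vendor assessment are never allowed.
    if req.app in DENYLISTED_APPS:
        return Action.BLOCK, "app is on the deny list (too risky / unacceptable terms)"

    # Tier 2 - Speed bump: unsanctioned apps get an alert and a justification prompt.
    if req.app not in SANCTIONED_APPS:
        return Action.SPEED_BUMP, "unsanctioned app: data may be made public; justification required"

    # Tier 3 - Block/Coach: DLP on sanctioned apps when the data is PHI.
    if req.data_class == "PHI":
        if req.group not in PHI_HANDLING_GROUPS:
            return Action.BLOCK, "DLP: group is not cleared to handle PHI"
        if req.activity == "share_external":
            return Action.BLOCK, "DLP: PHI may not be shared externally"

    # Tier 4 - Context-driven: person/group, activity and data residency.
    # Unknown groups map to an empty region set, so they are denied by default.
    allowed_regions = RESIDENCY.get(req.group, set())
    if req.app_region not in allowed_regions:
        return Action.BLOCK, f"data residency: {req.group} may not store data in {req.app_region}"
    if req.data_class == "PHI" and req.activity == "upload":
        return Action.COACH, "PHI upload to sanctioned app: handling reminder shown and logged"

    return Action.ALLOW, "sanctioned app, all policy checks satisfied"


def evaluate_batch(reqs: List[Request]) -> List[Tuple[str, Action]]:
    """Evaluate a list of requests; handy for replaying captured usage."""
    return [(r.user, evaluate(r)[0]) for r in reqs]


if __name__ == "__main__":
    # Constructed sample activity, one request per tier plus an allowed one.
    sample = [
        Request("alice", "marketing", "freefileshare.example", "upload", "internal", "US"),
        Request("bob", "marketing", "personal-drive.example", "upload", "internal", "US"),
        Request("carol", "clinical", "box", "share_external", "PHI", "US"),
        Request("carol", "clinical", "box", "upload", "PHI", "US"),
        Request("dave", "marketing", "box", "upload", "PHI", "US"),
        Request("erin", "clinical", "box", "view", "internal", "EU"),
        Request("frank", "marketing", "box", "view", "internal", "EU"),
    ]
    for r in sample:
        action, reason = evaluate(r)
        print(f"{r.user:6} {r.app:24} {r.activity:15} -> {action.value:10} {reason}")
```

Two design choices matter for a defender: the denylist is checked before the sanctioned list, so a sanctioned app that later fails vendor assessment cannot be re-enabled by a stale entry; and the residency lookup defaults to an empty set, so a request from a group nobody has written a policy for is blocked rather than allowed.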
#4: Remediate shadow IT (hint: you need to understand usage)
See what users did… …to which content… …and see the who, what, when, where, and with whom
#5: Make security champions… …out of your business counterparts
Cliff Notes
1. Standardize on enterprise-approved apps
2. Secure access – right people, right resources
3. Enforce granular policies
4. Remediate shadow IT
5. Foster security champions