Securing Data in the Age of Cloud Computing – UCLA Anderson – Big Data Conference



... an organization is complacent in their obligations to protect their information. They have complacency in terms of how they are preparing for the possibility of a security breach and security incident.

Mm-hm.

From a consumer perspective, I see a lot of complacency in the lack of appreciation of the data they're providing to these organizations, not appreciating the consents that they are providing or the agreements that they are agreeing to. So from a high level, I think that would be the number one place.

And see, there's certain sectors that you worry about more than others. I mean, we talk about banking, we talk about media, we talk about healthcare, etcetera. Are there certain sectors, because of the type of data they have or intrinsically their focus on this, that you worry about more or not? Give us an example or two, and if you can give us a name, that's great, but if you want to disguise the guilty here, you can do that.

Absolutely. So I would say that the organizations that face the greatest amount of threats are those that have the valuable information. We're talking financial data; they're the biggest targets for a lot of security incidents. But the problem is that they also recognize and appreciate the risk that they're facing. Where we see some organizations, like I mentioned, in the complacency arena are those that have sensitive information, but it's not the traditional credit card information, where they don't appreciate the risks that those organizations face. So the example that I would use would be an organization that, for example, provides web-based email, where they have a security breach of the usernames and passwords that they maintain. Now, normally if you have a free service where you're just giving out access, a "here's a free webmail" type of scenario, they're not necessarily appreciating the concerns and the risks of that data. And where we see that is the attackers recognize that that information is valuable. It's recognized that maybe the security precautions put in place on that data are not as high as, let's say, a banking website, but they know that if I can get the usernames and passwords for this information, and I know how people operate, they use the same username and password across multiple sites. Now the attackers are leveraging those attacks against those companies that maybe don't have security in mind and using that data against different organizations that have more robust security.

Mm-hmm.

I see that healthcare is one of the biggest targets, but that's because there's so much personal data in there, and you gather that information and you can then attack the individuals as well as hospitals, attempting to shut down, you know, the equipment in the hospital, which we've seen in recent years. But also the utilities. They don't believe that they're open to the public, and they have been attacked recently. We've seen it in several municipalities in Alaska recently where they were shut down; the entire municipality was shut down because they had security holes that they did not believe were there. And you shut down an entire municipality and you have no emergency services, you have no health services, and you come to a standstill.

Right, that's enough. Seeing that, in the spirit of technology, do you see promising young new ventures that, on a predictive basis, on an offensive basis, can identify where these risks occur? Or, candidly, is this "you've got to be less complacent, you've got to react to stuff more quickly," etcetera, more hygiene oriented?

I think that what we're seeing is the younger people coming in who are just fresh out of school; they look at things a little bit differently and bring a fresh perspective, but you need to marry that with the people who have the experience to close up all those holes. I use the word "holes" all the time because there's little gaps in security, and those little gaps have a big problem. And you see a lot of people now, and, you know, social networking, it's the way everybody communicates with everybody else, but that's a big data leak, is social networking. You're putting all your information out there; the threat actors go and use that, and with that information they can come in and target specific people in a company as opposed to just targeting the company. But you also see constant bombardment out there. It's brute force attacks constantly bombarding everything that's connected to the Internet. It's random, it's just out there; they're trying to find a place to get in, and once they get in, they expand on that.

Stay, so let me just stay with this point about social networks. There was a scathing article written yesterday in the New York Times about Facebook and about their response to a lot of the privacy issues and fake news issues, etc., and it said that the company was more focused on protecting its image than it was on really solving root cause. What is your view on all that?

Well, I didn't read the article, so it's a good read; I will have to do that. But I think one of the biggest problems is companies don't want to own up to the problem once they've been breached. They're trying to protect themselves and their PR. I think it would be better for companies like that, such as Facebook: the moment you know that something has happened, go public, don't try and hide it. And I think that's the biggest problem, is everyone wants to hide it, and because of that it looks like you're trying to cover things up and you're not being transparent, and the world around you sees that and looks at you in a different light.

Scott?

That's an interesting point there. When we're doing these investigations, there is constantly internal pressure. There is a desire in most of my clients that they want to notify as soon as they can; they want to go out public. The problem is, and what I think sometimes is not fully recognized, is that, first of all, there are incidents that happen all the time. Here at Baker Hostetler we do statistics in terms of what we're seeing in our annual data report, and we see that, from a statistic perspective, we only notify in almost 30 percent of breach investigations, because the vast majority of those incidents don't involve the theft or unauthorized access to that information. So the danger of notifying right away, right off the bat, is that (a) you may be in a situation where no information was really exposed; maybe they attempted to get in but didn't access the data where the information was actually housed, or there's no evidence of data exfiltration, and that does take some time. You know, I know we're going to talk about the GDPR, which has a 72-hour kind of notification component to it, and that is just not a reasonable or practical amount of time to do an investigation. Once you've learned of an incident, at 72 hours you're still figuring out what happened. And so there are, like I said, these competing pressures to notify. Most of my clients, when we have discussions, they know that they're gonna have to notify and they want to do that, but they want to not only protect the organization but be accurate in what they're saying. So you don't want to just say to somebody, "hey, we had a security breach, we don't know what happened, we don't know if your information's impacted, but we just want to let you know about it." I mean, (a) that would happen all the time, and (b), you know, that would cause some apprehension. I mean, you know, when my information is impacted, do I need to freeze my credit, do I need to, you know, what steps should I take? And if you notify kind of that "oh, we just wanted to be transparent about the process," you end up creating more concern for the affected individual.

Yeah, so how do you take that decision about when to disclose and when you don't?

You know, it is a case-by-case basis, but from a legal perspective we have a phrase that says, you know, "let the forensics drive the decision-making." So when do you have something that is not going to change, that is solid in terms of your conclusions? And the case example that I like to use is the situation with Target. If you remember Target, back in 2014, originally they came out and they said, you know, 40 million people were affected, and it was this credit card information, "but don't worry, your PIN numbers weren't impacted." That statement, the forty, first of all, was not derived based on solid forensic findings, because we know, as they eventually did their investigation, they learned more information was impacted; I think it was up to like 100 million and included, you know, personal information. And then, not only that, but the initial conclusion that PIN numbers weren't impacted: (a) they didn't need to go out with that information. I think that they had a desire to provide a positive spin, but that wasn't the basis of solid forensic evidence. But by going out and having that statement, they actually had to issue another notice because that information was inaccurate. So they had to say a second one; they said, "oh yes, PIN numbers were impacted, but they were encrypted," and yet they wouldn't have had to do that if they hadn't made that initial incorrect statement at the beginning.

And they ultimately lost their CEO over this.

Absolutely, yeah. Well, not just the CEO but a number of other of their employees.

We know what rolls downhill, right?

Absolutely, yeah.

Let's say I'm going to privacy a little bit more, because you've mentioned GDPR. Tell us a bit more about GDPR versus the California proposed kind of privacy regulation. How do they differ, and what's your view on both?

Well, that's a topic that could be a couple-hour presentation all by itself. The differences between the two, from a high level: the GDPR component of it is kind of the European privacy law. It applies to information collected on those European citizens, and it gives them certain rights regarding the access of their information, the right to be forgotten, and certain consent requirements that are more rigorous than here in the US currently. Now, the California Consumer Privacy Act, which was just passed, amended, and is going to go into effect in January of 2020, has very similar provisions. It not only includes, you know, certain rights that consumers have to access the data and delete their data, but it also gives those consumers, you know, certain private rights of action against companies who have data breaches. So they're both very, very similar, although they have some very fundamental differences, but both of them are focused on kind of the rights of the consumer, notifying them and requiring companies to disclose what they're doing with their data.

Yeah, Stacey?

I can only say that I agree with what Scott said. He's got a little bit more information on this than I do, but privacy and security are two different things that work together. In order to protect your privacy, you need to have the security, and privacy, to me and to a lot of people, has to do with all of their personal information. And when you're talking about personal information, it's not just, you know, name and address, but Social Security numbers, passport numbers, driver's license, your medical information; it all falls into personal information that needs to be protected. And I think we're doing a much better job at protecting that privacy.

Let me drill down on this issue on GDPR on one side, and I guess I'm gonna ask your view on which side you fall. Has it improved privacy, has it improved security? Or, on the other side, in the media panel that was before this, late morning, there was a very interesting comment saying that small companies are being disadvantaged by GDPR. They don't have the resources to comply with all the things that are necessary, and many of those companies that Scott Brady shared earlier, those small companies, are innovators; they're trying to create new services that benefit consumers, etc. Where do you come out on it? Is GDPR adding more value, or are you saying, no, no, it's actually just created an additional level of burden?

So I may be biased in this area, but I feel that the GDPR is, at a certain level, overly burdensome to a lot of organizations. It's very expensive to comply with those regs, and there are significant ramifications if you don't; we're talking major, you know, fines and penalties that could potentially be levied against you. But from a privacy perspective, it's a good thing, because it does give the idea of consent to the individuals, the idea to be able to know where your data is; I think that is a very positive aspect of it. I think that, at least on GDPR, it can be a little bit burdensome on the security aspect of it. The security, kind of the hammer, is the fines and penalties, so organizations are in some cases reluctant to collect that information and reluctant to go into new lines of business because of these massive threats of fines and assessments, at least on the GDPR side. The CCPA side also has a certain level of burdensome requirements, I think not as much as the GDPR, but, for example, there are certain ways in which you cannot distinguish or discriminate against the collection of data. And the example I'll use, under the CCPA, is you have to give people the ability to opt out of the sale of their personal information. Now, there are some businesses on the internet, quite a few, that are free to the consumer by virtue of the fact that they sell that information externally, or they use, you know, targeted ad-based advertisements or interest-based advertisements, and that provides a benefit to those consumers. It's an innovative product, and in many cases it's a new business front, and I feel like with both the GDPR and the CCPA, some of those business models are going to be jeopardized, and entrepreneurs are gonna take a look at those laws and say, "you know what, this new idea of a business is just too risky because of the fines and penalties associated with it."

Yep, yep. Any stats, by the way, on the percent of people that opt out of sharing their information? With all these disclosures now we're getting, you have to say "I agree," etc. What percent are saying, "I'm worried and I'm not gonna share my information"?

You know what, at least so far the CCPA hasn't gone into effect yet, so we're talking just on the GDPR side, and from my clients who have kind of experienced that, most people just ignore it. They just accept, and they kind of gloss over it, which is why, when I was talking about the complacency on the individual side, you know, they're not appreciative of what they're disclosing, what they're authorizing these companies to do, despite the fact that all these laws and regulations say, you know, "tell us exactly what you're doing with my data." I mean, most people don't read the terms and conditions. Most people will get those emails and, "oh, I just want to log into Facebook, I'm just gonna press accept." I mean, how many of you have gone to a website and have a little banner at the bottom that says "we have cookies" and you accept the use of the cookies? I mean, it just becomes automatic.

It's that one, absolutely. Stacey?

Yeah, it is definitely automatic. Nobody reads through those long disclosures. Everybody just scrolls to the bottom and clicks "okay" or "I agree," and you're giving up your right to privacy. You're giving it away; they can collect whatever they want because you've just agreed to it without knowing what you're agreeing to. I'm as guilty as anybody; I do the same thing. I don't want to read through all of that, and I just scroll to the bottom and click "yes." We all need to be a little more careful with that.

Yeah. Let me now ask you, I mean, obviously one of the big areas of focus of the conference are the leadership imperatives. You know, everybody here is a leader or aspiring leader, etc. What is your advice? Stacey, I want to start with you. What are the number one or two things you would advise people as leaders here in this whole area?

Well, one thing I would advise is, for your network, for your entire environment, have an outside consulting company come in and do a review of your environment and give you a report that shows you: this is the security you have in place, this is what you should add into it, here's your high-level, you know, risks, and your medium and low level. And have an outside team work with your internal team. You know, you have an IT group in there; they set up everything and they believe they've covered all your security. They believe that there are no gaps, and if you have somebody come in and show them where they have gaps, you know, most of the time it's something small, occasionally it's something large. But another issue is with your security: you're opening up by allowing people to bring in their personal devices. You're opening up that network right there. If they bring in their personal device and plug that in, what if there's malware on that? What kind of security do you have on that personal device? And, you know, the big corporations or the small companies, they don't filter that security down to that little, you know, that personal device, and that's a big gap that needs to be filled.

Yeah, it's good. I'm going to go to you. Any of you have questions, please come up to the microphone; we'll take audience questions.

So I would say for the entrepreneurs, for the future leaders, what you have to do is you have to understand this arena. You have to understand cybersecurity. It is imperative as a leader, as a high-functioning member of any organization. You know, a CEO needs to understand operations, marketing, you know, finance, HR; they have to have all of these different skill sets, and while they don't need to be a high-level expert on cybersecurity like myself or like Stacey, they do need, I think, to know the acronyms. They need to know the common threats against the organization, because it's essential; it's part of the job function now. And we see this not only in, you know, CEOs, but we see it in various companies who are exposed to liability. They need to establish that they are taking security seriously, and if you have executives who basically don't know anything about security and they say, "oh, I do all paper and pencil," I mean, you know, that's great and all, but you are causing a severe disservice to the organization. So my advice is learn about cybersecurity, learn about the risks facing the organization, because this is something that affects every company. I mean, there is no company out there that does not have a risk of cybersecurity, and if you say, "hey, you know, I operate a farm and I'm not at risk," well, you know, I guarantee you there's something that you have. If you have employees, you have their personal information; you are at risk. So there's really no organization that shouldn't be concerned with this.

Job security. And it's not just threat of disservice, it's threat of loss of job, right? We've already seen that happen, and boards have got legal liability, etcetera. Let's take the question back there.

Yeah, with respect to utilities, I know with our country's deteriorating infrastructure, how do you mitigate the risk?

So with respect to utilities, to mitigate the risks: it's again, it's all about the security that you put in, and separating different aspects of the utilities. You don't want everything being controlled by the same servers, and you want to have a split between them so that this area controls over here, this area controls over here; don't let those two talk to each other. Anything that's open to the Internet is at risk, so things that don't have to be open to the Internet, controlling the water, the power, it doesn't have to be open to the internet, so block it off completely, not just from the internet but from your internal systems.

Good. Yes?

So when it comes to accepting terms and conditions on websites and apps, as you said, we just skip all of that and we just accept it, but what is the alternative? If you don't accept it, they do not give you access to their services or their websites. Is there any solution to this?

So on the terms of service side, I know that what's contemplated under the CCPA, which again hasn't gone into effect yet, is that you can't discriminate against somebody who decides not to opt out of the selling of their personal information. So that idea of opting out and yet still having access to those services, or being able to access it based off of a reasonable value of what your personal data might be worth. So just by virtue of example, let's say your personal information is worth $10 to the company; if you pay $10 a month you can opt out and yet still have access to the service. So some of those are contemplated under the CCPA. I'd be interested to see how that actually plays out once it goes into effect, but as of right now, I mean, that's kind of the only alternative on kind of the business side. On the personal side, I think, like I mentioned, the consumers, I think over time, have become more... some of them are of course jaded and don't pay attention, but I feel like there is a movement where people are recognizing that in many cases they're the product, that their personal information is the valuable thing, and the fact that they're using a website for free is, you know, the trade-off there. So consent and disclosure are all very good, but until they recognize what they're doing and what the disclosures are making, that's really gonna be the fundamental change there.

Good, thank you. Yeah, in the back there.

How do companies choose between on-prem infrastructure versus a cloud?

From my perspective, I think there are real values in having it be cloud-based. There's, you know, cost efficiencies there sometimes, in which case you can leverage the resources of a hosting platform of some sort. So in reality, for my clients, I ask them what will fit best for their needs, and I'm not one of the ones that says, "well, don't do cloud because it's, you know, all this information at risk." You're still going to be at risk if it's on-prem; it's just a matter of now you're also responsible for securing and maintaining it. So in reality a lot of the threats, because of the interconnected nature of these networks, are going to be the same across environments. So if you can appreciate those risks and make sure that it fits for your organization, then I don't see an issue with the cloud versus the on-prem type of environment. Now, there are some regulatory issues associated with that. For example, there are some companies where they say, "well, you must house all of our data in the US," and in that situation, if your cloud provider can't, you know, agree to those terms, then yeah, then you need to do something on-prem. Alternatively, there are also situations where, for example, with the big cloud providers like Amazon and Microsoft, you may have contract provisions or indemnification language you want in your contracts that Microsoft just won't agree to, or Amazon is just not going to agree to, because you don't have the negotiating leverage to get them to change those. So in those situations, if you really want to control it, then you may have to move it on-prem, but in terms of the threats, I feel like they're the same.

I would agree the threats are the same. We see breaches in both on-prem and the cloud. In either case you need to make sure that your security is in place. In the cloud, you're going to have to deal with your vendor and make sure that they put the right security in place. If it's on-prem, you're still going to have to deal with a vendor, whoever is, you know, providing you with that software. The risk really doesn't change between on-prem and the cloud.

Because... let's take a final question up here.

Obviously the security issues from the internet just grow exponentially as the Internet expands, so I wanted to ask each one of you, on a scale of one to ten, one being very secure and 10 not: you spoke about the gaps and the complacencies and so forth. I wanted you to know, just at this point in time, the U.S. overall, whether it's government services, utility, private sector, and even just individual home computers, where are we on a vulnerability of being secure? And I'm very confident this is going to become a maturing industry and we'll have more lawyers and more senior directors in this space, but at this point in time, how vulnerable is the U.S. relative to where we were and where we're going? Thank you.

Well, I don't think we're nearly as vulnerable as we were. I think security has come a long way. I don't know, I can't pinpoint a number for you, sorry, but I think as the internet changes and grows we have to grow with it, and I think we do, and it's just a matter of keeping on top of it.

Oh, I don't think I can quantify it either, and it's not necessarily because I, you know, don't have my own opinions on, you know, what number might fit, but in reality security is not a state. It's not "you're secure, you're not secure." Security is a process, and it's a matter of identifying the risks to the organization, mitigating those risks, and then reevaluating. So it's ongoing, and those threats that face those systems change. I will use a case in point: you know, we've had electronic voting systems for a while, and yet the amount of attacks against those have, you know, escalated in recent years, and so now we've recognized those threats, we've appreciated those, and now they're moving more towards focusing on some of those. So, you know, same thing with utility systems. In many cases there are a lot of our utilities which were vulnerable to hacking, and it took one, I think there's a couple in Europe, where some hackers took over a power plant and shut it down, to kind of, you know, be that trigger point where we now go, "oh my gosh, this is actually a major threat; this can have some major issues," and so all of a sudden now they're refocusing on that. So security, it's again, it's an ongoing process, and it evolves based on the threats. I think that as more and more of our society utilizes that data, I think that there's going to be even more threats. It's gonna, you know, jeopardize how, you know, that state is going to be. So it didn't quite answer your question, but it's a difficult one.

Let me just, in closing, add a time to that last question; I think it's a very interesting one. My general read of what you've said is: the challenge is going to continue; there's more and more data out there; it is going to become a big issue. Number two, we all have responsibilities as leaders here; we've already seen evidence of that in the past. There's regulation that is coming that we need to... it's already here and more coming potentially. This is a real issue, and for all the great innovation, if this doesn't get addressed, it's a big concern. I just want to thank Scott, you, and Stacey for really raising the level of awareness on a critical issue, and thanks to all of you for good questions.

[Applause]
