Video: Cloud Security Q4

What cloud-specific governance and privacy policies should we adopt to accommodate probable regulatory changes in the near future, given Brexit and Gaia-X?

VIDEO TRANSCRIPT

So we're now going to go to question four, and Greg, this is going to be coming your way. We've got a predetermined question, which is: what cloud-specific governance and privacy policies should we adopt to accommodate probable regulatory changes in the near future, given Brexit, Gaia-X, for instance? And I'd like to combine this with a question from Malcolm, which is: all nations have information protection laws; some of these require data to remain within their borders, and, as if to prove the naivety of this, some are extraterrestrial... extraterritorial. What advice would the panel give to organizations trying to ensure they can use cloud services without breaking the law? There you go, Greg.

I'm laughing because I'm thinking, you know, it's enough today, let alone dealing with extraterrestrial data control laws. But this is an area we look at a lot. For those that don't know Palo Alto Networks, we are very much focused around how do we deliver cyber security capabilities from the cloud, for the cloud. If you haven't come across it, Gaia-X, for example, is a new group that's formed in the EU trying to define what the standards are around using the cloud. I'm sure probably many of you will have read about either Schrems II or the Safe Harbor agreement collapse, which was the agreement for data moved between Europe and the US. All of this means, when you take all of these things together, where we put our data is becoming more and more important.

Let me give you a few tips, I guess, from my side. We started a project about three years ago I called Cloud Mythbusters, because I think the first thing is there is so much misunderstanding around a lot of this. We challenged ourselves and the companies we work with to go: what really are the facts? So I challenge all of you to figure out, firstly, where have you got office premises, so which laws apply to you; where are you putting data, so which laws apply to you. Part of that, unfortunately, is you're going to have to befriend, if you don't already, your own legal team, and get your own guidance to really understand that.

Once you understand what things are going to apply to you, the next bit of that is to actually go: what does that mean in terms of requirements? And you need to think about that in terms of your entire data life cycle. So when I create data, when I gather data, where am I putting it? If I'm putting it in a cloud, where is that cloud? If something happens to that cloud, where it's hosted, let's say in Ireland, what happens if that goes down? Where's the redundancy? Is that in Europe, or is that now in the US? If I've got a support issue, who does the support? Is that support center in Europe or is that in the US? Where's my contractual agreement when I sign to use that? Is that in the UK now, or in Europe? So you have to understand all of these bits of detail, I'm afraid, to start to go: actually, how does that apply to my business being successful? Have I got the data in the right place? More importantly, you start to get into: who else is going to have access to it? If I'm sharing this with somebody else, where are they replicating that data to? And of course all of that applies at the next level to your cyber security controls, because you need to firstly think about where those cyber security capabilities are based. This is almost like: now am I shadowing that data somewhere else? How are they actually helping me enforce the controls of who gets access to it?

So unfortunately this is going to become an ever more complicated area. I talk to more and more CSOs saying, I feel like I'm a regulatory expert rather than the security expert. But I think the key tip here is, number one, understand your own organization, understand your organization's requirements: where they're based, where they use data. Befriend your own legal team. There are more and more regulations to understand: what GDPR means; the California Consumer Protection Act if you work in the US; if you deal in southern Africa, they've got POPI. There are more and more bits of regulation there. Understand them, and then start to think about how do you enforce that, and also think about what requirements that puts on your cyber security capabilities.

Very good. Okay, Richard, your thoughts?

Yes, so pragmatically you have to choose a controls framework of some kind that's agnostic. The CSA and the CCM, which is the Cloud Security Alliance's, is a good starting point, and many people will know about it. That gives you an agnostic dialling point to dial in which regulators you're concerned with, which is GDPR, which is your privacy by design, and so on. And when you're looking at a maturity step, there are other frameworks out there that are even more encompassing, like the Security Controls Framework, which is under an open standard, and you can think of this as taking 128 regulators and distilling them down into an agnostic set of controls. You can then dial in the regulator that you're concerned with, or the one that you want, but it means that you don't have to monitor all these regulators; it's being done for you. So I say support the CSA, try and contribute to the SCF, because it's trying to do that work, and then from them you'll find that there are digital security programs that fall out of that which can help you deal with this governance perspective. Because you may internally say, I want to be ISO related, like ISO 27001, but then that doesn't relate to, you know, the MAS. So if you're a global company, the MAS may come to you with its concerns, and so what you need is, whoever you're talking to geographically, to dial into what their concerns are but keep some agnostic key. This is what these frameworks do for you. So I say start looking at them; if you're doing the cloud, start with the CSA and the CCM.

And again, these regulator bodies then give you the ability to create what I call a digital security program, because then they start focusing on the privacy concerns. And when you talk about privacy, if you take something like, say, Box for example, which is trying to give you enterprise storage, you now can ask the correct questions of them. So if, say, you're a global company, you've got an AD or some kind of enterprise directory, and one person's in, say, Tokyo and another person's in New York, you can put a policy in place that says, well, put the data that they're concerned with in that geographic location. These are the things that can then bring out, on your technology designs, for the vendors that you want to take on: can these vendors support me, especially in SaaS, with my geographic location? And what are the regulatory concerns if I move from one jurisdiction to another, and does GDPR, for example, have equivalents to the Japan body? So having these control frameworks, you can quickly look at the gap, if there is any, and what it is you do, and also have these controls related to your risks and what your objectives are. So for me you really need to have a controls framework in place, or at least one that's agnostic that can work for you, and think of it as a dial: you can dial in to whichever regulator you want.

Excellent. Lee?

Yeah, this is probably one of the most complex questions, because you go down a real rabbit warren with this one. Not just the regulations at country and EU level; within each industry you've got your own regulations, and obviously finance is one of the big ones there. So, as Richard was saying, you need to understand what applies to you as an organisation and what you're interested in, what is relevant to you, and really drill down on that and focus on how that applies to you. Some organisations have entire departments, so in the finance sector, that are just focused purely on ensuring that IT regulations are applied correctly. It comes down to things like data residency, as Richard was saying, and there's actually a point that was just raised in the chat about one organisation creating separate Office 365 tenants due to this, one in Europe and one in the US. So it's working with those providers to make sure that data is in the right locations. I do know now with Microsoft it can be set up so that, depending on where the user is located, that data will be located in that region. Actually, there are some caveats and requirements around Microsoft and the way that works, but you can now deliver that as a service directly within Microsoft. So it's working with those providers to make sure that you are aligned with whatever regulations and governance apply to you as an organisation.