VIDEO TRANSCRIPT
We're now moving on to uh question five so we'll start with you richard this time so what security and retention policies should we apply to data held in the cloud over and beyond what we would apply to data held on prem to minimize data leakage
Your retention policy is whatever your retention policy is that's not really the critical thing it is what it is and i personally think you can't separate your on-prem to what's in the cloud anymore your networks are trustless you know you've got to realize that you know any anything can be breached so really you've got to talk about what your security measures are now cloud does come with some specific specific exposures for us and for me they really come down to a number of things one is um most organizations don't have a good data classification system so and you need one to understand it when people want to go into the cloud what they're putting them and if that's okay um the second thing is uh as far as technology is concerned is uh you need to start developing crypto as a service within your organization you know a place where you can offer all the cryptographic services that are needed across all the user cases that are out there this uh and a lot of the timing cloud you hear a lot of us talk about bring your own key which is you know you're allowed to bring your own cryptographic key to the cloud but it's kind of like an illusion because the in the um infrastructure as a service or platform as a service or sas the administrators on that side of the fence could actually turn your encryption off and you wouldn't know about unless you're monitoring it so now you're getting into the realms of what they'd start talking about hold your own key and it might be the last thing that's left in your organization is yet you control your keys and who's got access to them so you can decrypt your data and what that means is that on premise you have a cryptographic service where you're holding your own keys that integrate into these cloud providers and that's really brings out my last point which is about key management and key rotation most people don't really get what that's about then it's really two things you want to be able to rotate your keys because of scope if any one key is compromised you can limit the amount of damage of exposure of what that's actually done so you it's damage limitation a key is compromised it encrypted one month of data so at least it's not got everything rather than one single key is compromised and then everything is exposed that's too massive a riskier and the other thing why key rotation is very important it's like it has then this relates to retention is but it's often lost is that gives you the ability to cryptographic to delete something and a portion of what it is to delete you if you've got one master key and you delete it you've got you've lost all your data but if you're rotating your keys and seven years ago or a month or there's some point in time where you're uncertain what happened there you can delete that key and that gives you back control because once your data is in the cloud you've got no control over it you've only got um what we call assurances through certifications that the the provider will take the disks and destroy them in a safe manner you don't know where it's been and corporate there's no way for you to ascertain that you know you know you you rely on auditors to say that they are they're running their operations to some uh level of assurance and you take their certification as assurance but you can't actually and they do the investigation for you so the only way is to have control is to be able to delete keys and that's going to become more important because friends you may end a relationship with a sas provider who've had your data for two or three years then what would be the last thing you did once you've moved it over to another provider is to delete the keys and that gives you some level of assurance that you've protected your data and and that's your due diligence that's expected of us by the regulators and again i think the third last point i'd make is again you need to uh the security measures you need to look at is what i call multi-factor authentication which leads onto zorro trust and multi-factor authentication is not about having two-factor like something you have and something your own multi-factor is about understanding context and risk so you bring into when you authenticate to something context such as geolocation that links back to a person's remote working maybe give them a different risk profile and because you know their geo location you can ring fence that and if they're not there maybe you don't let them into your network so these again relate to security measures and so when i say multi-factor i'm talking about all the risk elements that you can bring into it yeah and that is where we start bringing in those controls to minimize the data leakage and that people are accessing data in the right context not just that they have access to the data but they're doing it appropriately in the right context i don't want someone sitting in a cybernet cafe working from home or driven down to cornwall and decided to operate from there
All right lee
Thank you um this is one of the comments in this i've just put richard i keep nodding with everything you say and i'll catch you i agree i agree with them there um yeah it's you look at what you do but with your on-premise environments in your your cloud environments fundamentally you should be doing the same obviously there's more scope to do more within the cloud and you need to ensure that you are securing everything because it's much more visible but we take retention if you're governed by a certain um policy that says you need to delete or retain data for a certain period of time that policy needs to be applied regardless of where that data is held so as richard was saying you need to understand what your data is you know what what is stored in that data are you storing credit card information personal information health care information et cetera which will govern which part which governance is being applied to that and how long you need to store that data then you need to make sure that the systems are in place to either make sure that data doesn't get deleted for that period of time or is removed um cleanly from wherever that data is stored there you're on-premise storage or in your azure blob or you know office 365 salesforce or wherever it may be you need to ensure that data has been removed and that goes on to how you back up this stage and you look after your data as well you need to be ensuring that wherever it's stored you are getting access to it to then remove that data and so fundamentally your policies need to apply both for the on-premise environments and the cloud environments how you do it is obviously going to be different but the policies and security controls it should be should be the same
All right craig
Yeah i'm i'm obviously not going to repeat anything that the guys have already said um you know i think number one for me is it actually has to start with visibility and i think it's easy for us to say you know we want to have the same consistent controls but it's actually much tougher to do that when you are dealing in so many different environments and as richard as rightly pointed out a few times this is not just about data moving from you know our data center to a cloud uh you know it's that it moves from a cloud data center to a sas application to a sas application how do you have that consistent visibility across all of those different parts i think that's one point you know i would just uh amplify time and time again i think the second part we've slightly glossed over and i think it's critical is um as we move data into the cloud uh inherently there's almost this kind of business pressure of more data is good because then we can start doing cool things with it machine learning and ai so there's almost this uh encouragement to keep more data and store it longer just because we don't know quite what's gonna be the next cool thing uh and i think you know within that we have to challenge ourselves and go do we need all of the data can we turn into metadata uh and and that's kind of a really hard trade-off between those two but i think that's both the challenge back to business to go you know which bits are we keeping and why and actually how do we plan to correlate it uh because you know we don't get rid of all of it too quickly but likewise uh you know we don't want to just store everything and it kind of brings me to probably the the final point because actually the same applies for our cyber security data uh you know we used to keep it on prem and if i look at the simplest thing your file logs how long would you keep those four you know if you've got all the logging turned on they get huge very quickly and a lot of organizations may only store those for a week or a month if you're regulated you might have to store it longer but again you stop probably start filtering which bits you kept for longer periods of time but if i come back to soloins we saw around christmas actually you know we know organizations were breached as far back as early last year and you start to go how many companies had actually got the log data to go back and validate where that happened to them so i think that you know we have to look at it not just in terms of the data that we're putting in the cloud for data but also do we keep the security intelligence around that data and there'll be a regulatory drive around that but then there's also their own security driver around that and so we have to think about you know how long do we keep that and again how would we use that data uh if we needed to so sorry probably as many questions as answers in that one