1. The Cloud Beckons, But is it Safe?
You should hear voices. If you can’t hear anything, check that
your computer volume is turned up and un-muted, and the “Use
Mic” radio button is selected.
Or you can use a phone to listen to the same audio by calling
(914) 339-0030, Access Code: 742-024-148

2. Logistics: Audio Via Phone
Speakers not working? Prefer the phone? Dial in:
(914) 339-0030
742-024-148 (If you can’t
see this
panel, click the
“Show Control
Choose “Use Telephone”
Panel” button)

3. Logistics: Ask Questions
Ask questions! Otherwise I’m speaking to a black
hole!
Click to
open the
chat
window
Raise your
hand and
I’ll unmute
you
Not hearing anything? Call 773-945-1010, access 257-723-187

4. Having Trouble?
You should hear voices. If you can’t hear
anything, check that your computer volume is
turned up and un-muted, and the “Use Mic” radio
button is selected.
Or you can use a phone to listen to the same audio
by calling (914) 339-0030, Access Code: 742-024-148

5. The Cloud Beckons, But is it Safe?
July 2012

6. Introductions
Laura Quinn
Executive Director
Idealware
Jeff Hogue
Legal Assistance of Western New York
What are you hoping to get out of this session?

8. What is The Cloud?

9. LSC Grantees are Using It
• 46% said that “some or all of their
servers are hosted externally”
• 18% said they were using
Google Apps for email
• 13% said they were using
Google Docs

10. The Lure of the Cloud
Low cost of entry
Easy remote access
No complex infrastructure

11. But What About Security?

12. Cloud Security in the News

13. Technology and Legal Ethics
The ABA is prepared to vote in new
model rules requiring lawyers to
"make reasonable efforts" to prevent
"inadvertent or unauthorized
disclosure of, or unauthorized access
to" confidential client information.
This doesn’t preclude the cloud, but it
requires you to think through it’s use.

14. Under Siege
To be on the
Internet is to be
vulnerable to attack.
If you’re on the Internet, you’re in The Cloud

15. But We Do Lots of Things on the Internet
We shop online
We bank online
We post crazy
things on Facebook
Why is the cloud different? It’s not.

16. How Secure is Your On-Site Data?
Do any of these sound familiar?
• No one patches computers or is
responsible for network security
• You haven’t really thought
about passwords or
permissions
• No disaster recovery plans
• Staff hasn’t had any security
training

17. Myth
“We’re a small
nonprofit. We’re safe
because no one would
target us for cyber
attack.”

18. Fact
Many data security breaches
are crimes of opportunity.
Organizations don’t always
consider the sensitivity of their
data until it’s exposed.

19. Myth
“Our data is safer
not in the cloud”

20. A Cloud Data Center

21. Is This Your Server Closet?

22. What Does Security Mean?

23. The Three Pillars of Information Security

24. Confidentiality
Information is available only to authorized parties.

25. Integrity
Information isn’t modified inappropriately, and that
you can track who made what change.

26. Availability
Assurance that data is
accessible when needed
by authorized parties.

27. Also: Physical Possession
Whoever has the
data could, in
theory, turn it
over to the
government

28. What Does Security Mean For You?

29. Rules for Absolute Safety
Turn off your Internet
connection.
Allow no one access to
your data and systems.
But let’s be realistic…

30. Know What You’re Protecting
What kinds of data are you
storing, and how sensitive are they?
Think about its value on the open
market.

31. Red Flags
You need extremely tight
security to store:
• Donor’s credit card
numbers.
• Scanned images of checks.
• Donor’s bank account
information.

32. Privilege and Waiver
Is storing data in the cloud
disclosure that destroys the
privileged nature of data?
No, but you have to spend time
thinking through the problem.

33. What’s Your Exposure?
Consider the impact of
exposure of your
confidential
information, both in
monetary terms and
reputation.

34. What’s The Impact of an Outage?
How much staff
time could you
lose from a short
term or prolonged
outage?

35. Testing Your On-Site Security
Have you recently performed a:
• Check on whether your systems
have been recently patched?
• Systems penetration test ?
• Employee training on security
procedures?
• Backup/recovery test?
If not, you’d likely increase your security by moving
to the cloud.

36. A Multi-Level Security Model

37. Multi-Level Security is the Ideal

38. Physical Security
• Guarded facilities
• Protection of your hardware and devices
• Power redundancy
• Co-location (redundant facilities)

39. Network Security
• Intrusion prevention
• Intrusion detection
• Firewalled systems
• Network proactive anti-virus protection

40. Transmission Security
Is data encrypted in
transit?
Is the network
secure?

41. Access Controls
• Ensuring the right people
have access to the right data
• Physical access to the server
• Training on appropriate
passwords and security
measures

42. Data Protection
• Data encryption
• Solid backup and
restore policies
• Ability to purge
deleted data
• Ability to prevent
government entities
from getting your data
with a subpoena

43. What to Look For in a Vendor

44. Description of Security Mechanisms
Documentation of all the facets of
security, and the staff can talk
about it intelligently.
Proves information security is on
the “front burner”

45. Uptime
Do they provide any guarantee of
uptime? Any historic uptime
figures?
Uptime figures are typically in 9s--
99%, 99.9% or 99.99%
Your connection to the internet may well be the weakest link.

46. Terms of Service
What’s in the terms of
service in terms of
privacy and use of your
data? Do they need to
tell you if they change
their terms of service?

47. Regulatory Compliance: HIPAA
Does the vendor support
organizations that need to be
compliant with HIPAA (the
Health Insurance Portability
and Accountability Act)?

48. Regulatory Compliance: SAS70 and SSAE16
Audit for security
standards, hardware, and
processes.
Statement on Accounting
Standards 70 (SAS70)
Statement of Standards for
Attestation Engagements 16
(SSAE16)

49. Regulatory Compliance: PCI DSS Compliance
If you’re storing credit card
numbers, your vendor
needs to be compliant with
PCI DSS (Payment Card
Industry Payment Data
Security Standard)

50. In Summary

51. Your Data Is No Safer Than You Make It
Any computer
attached to the
internet is
vulnerable unless
you protect it.
The cloud isn’t, in
of itself, more or
less secure

52. Understand the Value of Your Data
What is it worth to you?
To others?
What measures are
appropriate to protect it?

53. But Many Vendors Make Your Data Really Safe
Choose vendors who
show they’re serious
about data protection
(not all vendors are
created equal).
Consider a vendor’s
regulatory compliance.

54. Questions?