Cloud Crunch

Episode · 2 years ago

S1E11: Unraveling Cloud Security, Compliance and Regulations


 Cloud compliance, cloud security...NOT the same thing. Victoria Geronimo, Security & Compliance Product Manager at 2nd Watch who also happens to have an internet law and internet policy background, joins us today as we look at how security, compliance, and state regulations affect architecting your cloud environment and the farther-reaching effects they have on business.

Involve solve evolved. Welcome to Cloud Crunch, the podcast for any large enterprise planning on moving to, or in the midst of moving to, the cloud, hosted by the cloud computing experts from 2nd Watch: Ian Willoughby, Chief Architect, Cloud Solutions, and Skip Berry, Executive Director of Cloud Enablement. And now here are your hosts of Cloud Crunch.

Hey, everybody, this is Ian Willoughby, Chief Architect of 2nd Watch, here, and I'm joined with my cohost, Skip Berry. On today's episode we have a special guest. It's a colleague of ours, Victoria Geronimo, and she is our Security and Compliance Product Manager. We've had the great opportunity to be working with her for a while and we're going to hear some very insightful insights from the security world. Victoria, welcome to the show.

Thank you for having me.

And welcome, Victoria. Now, Victoria, what I want to do is get started on a question for you, and it's a little bit about your background. I had the opportunity to interview you when you came on board and I was fascinated with both your education and your work background, and I think it lends so well to why you are an expert in this field. So if you could elaborate on some of that, that would be fantastic.

Yeah, sure. So one not-so-little-known fact about me is that I originally went to school for law. I loved being a lawyer. I love all that nitty-gritty law dork stuff, and one of the things that I really enjoyed in law school was policy, especially Internet law and Internet policy. So after I graduated law school I had a pretty clear idea that I didn't want to be a lawyer. I had had a couple of summer internships where you did a lot of paperwork, and there's a lot of late nights and internal politics over very dry stuff, and just the policy and the dynamism of that really interested me. So I went to do an Internet law and policy fellowship after I graduated law school, and that was really great.
We did a lot of cool stuff, especially with ed tech, because that was a burgeoning field, sort of what rights does Google have to, like, record your children in the classroom, etc. And the one thing that you started to learn very quickly was a lot of the people creating the laws don't know anything about the underlying technology for which they're creating the laws. So you would have a lot of just laws being made that didn't take into account some really basic, fundamental foundations of the technology. So the law really just didn't make sense to the people it was supposed to apply to, so like your Facebooks, etc. So with that I was like, okay, if I want to go back into policy eventually I really ought to learn more about the underlying technology, and I was always really involved with privacy law, which kind of segued into security. So I had a job in security working under this guy Schwartz, who was, you know, a Navy cryptographer, pen tester, kind of really hardcore straight security person, and he taught me a lot about what I know today about security. From there I headed up InfoSec at a tech startup, and then I came to 2nd Watch.

That's fantastic. Yeah, I would say that's a very unique background, how you ended up there, and I think it's pretty impressive. So your title is Security and Compliance Product Manager, and often people use these terms interchangeably, but obviously they're not the same thing. Could you elaborate on what the differences are?

Yeah, so the way I like to frame it is security should always be the baseline, and that should always inform your compliance regime. So security is really the processes and the technological controls that are governing the CIA triad, which essentially is confidentiality, integrity and availability of data. Security is all about protecting data at the end of the day. So that can be physical controls, like if you go to an AWS data center, if you can ever find one, because they don't like to give out the address, you know it will have armed guards and HVAC and temperature controls. That's one aspect of security, but then you also have your technological controls, like encryption, etc. Compliance is the set of standards that some sort of governing body, whether that be a federal government or something like a council like the PCI Council, which is what gives you the credit card standards, will give: a set of guidelines that you should adhere to if you want to be considered in compliance, which basically means somebody can give you a repercussion for having not complied with those standards. So they're basing that off of what good security controls are, basically. At the end of the day, security is what you should always be doing, and then compliance is what you should be doing according to some council that has authority over you.

That's a great answer. Actually, I subscribe to that. Victoria, tell me a little bit about, you know, regulations that keep cropping up: GDPR, CCPA. Those seem to be the two probably most prominent at the moment around security and compliance. Can you help distill those a little bit?

Yeah, so at their core they're really both privacy statutes, and they use security in some ways and compliance in some ways to achieve privacy rights for individuals. GDPR is Europe's, the EU's, version of its privacy control, and the EU is technically very, very privacy driven, much more than, say, the United States. And then CCPA is California state law, and it's by no means the first or only state law to try to do some privacy provision, but it is the most comprehensive.
GDPR is giving a lot of privacy rights to the individual by giving them control over their data. So what that does is it essentially gives a number of rights, like right of erasure, right of modification, right of knowledge, essentially, to an individual person in the EU over their data. So say you want to know what data Google has on you: you should be allowed to call up Google, put in a request to them, and Google has to tell you what data they have on you, and then, if it's inaccurate, you can submit, hey, this data is not correct, you have to amend it to say X, Y, Z. And it gives people a lot of rights over that, as well as what happens to their data when they submit it to somebody else. CCPA is similar. It doesn't go quite as far as GDPR in terms of giving people absolute rights over what happens to their data and what their data says, but it does give people, one, the right to opt out of the collection of their personal data, as well as gives them the right to delete it in some cases and to know where their data is being sold to. So the right to know, hey, we are selling your data to a marketing company down the line.

That's great. Thank you. Where do you think they stand as far as being enforced, and in the arc of time? Do they have any teeth, really?

Yeah, so GDPR, they have already had a few high-profile cases, like against Google and British Airways, and hundreds of millions of dollars. Realistically, I think they just had another fine against Google go through, which is about forty million. That's a drop in the bucket for Google. So a lot of it... also, the EU is a little bit more anti-Google than the US is. And for CCPA, it actually has not started to be enforced yet. It was originally supposed to be enforced on January 1 of this year, but they pushed it out to either July 1 or October 1. They're still deciding.
Cool. If you needed to comply with both of those, if you just followed GDPR compliance, for example, is there one that supersedes the other and you would be covered on both? Or are they unique?

So they are unique. They have a lot of similarities but a couple of different aspects to them. For example, CCPA: if you're above the age of eighteen, you are allowed to opt out, so you have to have an opt-out on your website saying I opt out of the collection of my data. However, if you are a minor, so thirteen or under, you have to have an opt-in instead of an opt-out. There's no distinction really there in the GDPR language. In terms of the basics and what the similarities are, it is, one, the right to deletion and having a portal for people to be able to submit requests, as well as having an audit trail to prove that you've been complying with these requests. In terms of straight security, one interesting thing is the CCPA actually expands liability for security breaches to citizens of California. So, while a lot of people are like, okay, well, does CCPA really have teeth, there's this component of it that says if your company undergoes a data breach and it was because your ducks were not in a row as far as security is concerned, it wasn't up to standards, and it doesn't really define what those standards are, but up to standards, then, instead of just the AG having a right of action against you, each person whose data was breached also has a right of action against you. So now they're opening themselves up to class action lawsuits, etc. Which is, in my opinion, pretty interesting.

So it's great, the litigious society. Yeah. Continuing, what about what happens in the archive world, backup world, like the long term, you know, say like Glacier and all that? How does that count in this world?

So this is actually something that we don't really know.
Another big aspect to these laws is that they do have a number of exceptions for them. So, for instance, if somebody says you have to delete my data, if it's for a good business purpose, you don't have to delete their data. So say, if they're like, please delete my name and address, but you still need to send them billing requests all the time because they're still in contract and still taking services from you, then you can say no, we need your data in order to be able to conduct our business. For things like Glacier, or other long-term backups: on one hand, these laws are saying you need to have adequate security, you need to comply. In GDPR's case, they use ISO 27001, which is a very long list of security controls, and a big part of that is having data backups, being able to bring them back for disaster recovery, making sure your information is available. That's very important for business and security and data protection. However, at the same time it's also saying you need to delete data if you have a data request. So that's an area where it's going to be unclear whether having those backups is going to outweigh the privacy right. I think that at least in the US we will say backups do outweigh the privacy right. I know the Danish authorities in the EU have said where technically possible you should delete somebody's information from backups. However, that's a really vague thing that will definitely get litigated at some point.

You start to get into that world, kind of breaking down the CIA triangle again, because now you take away integrity of other data, you take away the confidentiality of other data.

Yes, that's very interesting, very perplexing probably, but yeah, exactly. So this is exactly like the policy nerd stuff that I was always interested in when I first got into security. It's like, well, how do you weigh those individual aspects of it, and how do you architect a system to, you know, I do believe in privacy rights to some extent and certainly security, but at what point are you just kind of shooting yourself in the foot, right, so to use a technical term.

This sounds hard, but with that stated, when you're designing an architecture or an application, how do you go about doing that to make sure that you're compliant with all these emerging laws? There's existing ones, GDPR, CCPA, and then in other states as well, and then your security frameworks on top of that. Well, yeah, and obviously it's an easy question to ask, but I'm sure it's a complicated answer. But what are some of the overarching approaches that people should be looking for?

Yeah, so this is actually something that Rob Whalen and I, who, you know, he heads up our data practice, have been talking about recently, because, you know, he's building data lakes and data practices. And where does all the PII live, if not in data lakes or random S3 buckets here and there? So we've been working together to try to answer that exact question, and we've identified areas that, no matter if it's GDPR or CCPA or another privacy framework, you always want. The first step is know where your data lives. It's really important to have data flows. How does your data come into you?
How does it get into your system, and what data is that, and what different resources is it hitting, and then where does it finally end up? So data discovery as well as data mapping and knowing at every point where your data lives is square one for anything, no matter what law you're trying to comply with. That also kind of necessitates a tagging strategy. You want to make sure, even though everyone has always said you need to have a good tagging strategy and always tag your assets, I'm sure Ian, as a solutions architect, you know how difficult that is, like when you come back a year later, whether they're still tagging as per your specifications. You also want to make sure you have some sort of notification mechanism and way to field data requests. So, one, hey, you have to have a portal for allowing people to submit requests, and I know Amazon has, like, Connect, which is basically a good call center that you can use, and it will field requests for you and automate that. But you also want to have a way to comply with those requests, so a purge mechanism. So you basically need a way of querying that data and saying, hey, Joe Smith needs to access the data. What data do we have on Joe Smith? Hey, is that actually the Joe Smith that is contacting us right now, or is this another Joe Smith? And what does he want us to do? Does he want to delete it? Does it meet an exception? So you need ways to automate all of those different compliance policies, like all those different questions. That would maybe, hopefully, one day be machine learning. And then you need a way of auditing it too, so, you know, an audit trail to prove, heaven forbid a lawsuit comes against you, that you've been actually complying with these requests within what a reasonable person would think you've been doing. Another aspect that's actually, and I'm nerding out a little bit, that's actually very interesting is people have tried to comply with these policies and, in trying to comply with them, they've actually messed it up a fair amount by giving away somebody's personal information. So say, if you, Ian, you hit up a company like, say, I want to know what Seamless has on me, what information Seamless has on me. Or, sorry, it wouldn't be you. Say somebody, your mortal enemy, wants to know this about you. They want to know what you order for dinner every night.

Yeah, just get my mortal enemy.

Yeah, yeah, so Skip wants to know. He writes them and he goes, hey, I'm Ian Willoughby. Can you please let me know what information you have on me? In an effort, in an overzealousness, to comply with GDPR requests, there have been cases where they've just given it to Skip, given Ian's information to Skip, because they haven't really validated that Ian, or Skip, is Ian. So that's another aspect that you need: how do we validate that this person is who they say they are? And what is going to be considered the gold standard? Some people are like, maybe I'll email them my driver's license, but then that gets into now you're just emailing your personal information, all of your... oftentimes over unencrypted Internet. So it's a loop.

Exactly. So I guess we've touched on many facets of the business, and where we are right now, again, just in the nascent years, if you will, of this. What's a great place for businesses to start in approaching and looking at this kind of problem, from your experience and know-how here?

Call a lawyer. And no, lawyers don't know anything about this yet either. So really, it's data mapping, data mapping, data mapping. Know what data you have, where it lives, and make sure, please make sure you're encrypting your data. It's all about data discovery from the get-go, I would say, square one.
That's great too, because there's, you know, there's a lot of tools on the cloud providers as well that can help with these governance tasks, to make sure that they're there, and I think that's very helpful as well, such as AWS Config and, yeah, Macie as well.

Yeah, Macie, and Azure's got the whole Security Center as well associated with that. So, like that, those are some great ways to really engage with those tools. Now, shifting gears a little bit. There's been a lot of questions about when to use AWS Outposts, and there's some specific industry-related reasons, whether it be low latency for technical reasons, but what are some of the other advantages where Outposts should be used for security-wise issues?

So this I think is a fun question, because there's this other concept called FIPS, which has different levels, one, two, three or four, and they refer to the level of security on, say, like a given server, something like that. So you could technically, there's something called FIPS level four, which is you essentially have armed guards guarding your server day and night. Theoretically we could come out with a 2nd Watch Outpost where we have FIPS level four; we'd just hire armed guards to hang out outside of it all day. But that is an interesting question of, if you have AWS Outposts, what additional security controls can you place around that to make it even more super secure? I really think that Outposts is an interesting concept for security, because traditionally we've always thought of things like AWS being more secure than a data center because, one, there's just higher availability, higher latency, but also because nobody knows where their data centers are. So if people start to use AWS Outposts, then you are reintroducing some of the old security concerns, essentially.

Will companies use it as well, maybe for avoiding or being evasive to the GDPR and CCPA requirements?

I know they know, because really there, you can't evade those requirements, because it's all about where the data is going, and they will know, essentially, if you are collecting data about somebody. Now that I'm thinking about it, I guess you could, you know, completely isolate it, have it off the books, and they could, like, put it in the Channel Islands or something like that.

Yeah, there you go.

The thing is, data is supposed to follow the person itself, no matter where it lives. So in the case of GDPR, there's a misconception that it can't leave EU borders, that if you have data, I'm an EU citizen, that it can't leave EU borders. That is technically true, but really the truth behind that is the EU is allowed to okay countries. So they can say, hey, the US is an okay country, we like their laws, we like the security controls that they have in their laws, so you can transfer data to the United States. The point being, though, that the right is with the citizen itself, in the citizen's data. So it doesn't matter where that data goes, it's always going to be subject to GDPR.

So jurisdiction is more with the person than it is with where the data resides.

Correct.

Yeah, that's good, that's a great distinction. Yeah. Now, Victoria, I know you have a crystal ball on your desk there, and that's good. That's good. Everybody should have one. So you're going to predict the future of security and compliance in the cloud, and the trends, where they could get help. Where do you see that direction going with Azure, Google and AWS? Yeah, how are they going to help their customers reach security and compliance?

You know, a couple of years ago I would have said people just want an out-of-the-box solution.
They want to be able to click on something that says HIPAA compliance and it will just implement all the controls that you could ever want. I do think that is sort of the case, but I'm surprised that a lot of customers have not gone to that, because usually people hear compliance and their eyes glaze over and they just want to hand it off to somebody else. I was that person for a long time, where they handed it off to me, and I would say that that's actually not so much the case anymore. Really, where I think they're going is, one, towards data lakes and data discovery, and then, somewhat curiously, they're each kind of moving in different directions when it comes to how much they're focusing on security. So I would say Azure has focused a lot on let's have a SIEM/SOAR, which is essentially like monitoring network traffic and responding to potential breaches and threats. AWS is a lot about centralization with their Config tools, like how do we all make sure that we can see something in one portal and then effect changes throughout the environment, and so that's really the direction I see them going. I also see a big play just with multi-cloud security, like how are we going to play to each cloud's strengths and then, on top of that, optimize for, you know, pricing and performance.

Great. Last question. So enterprises, or let's say up-and-coming companies, they're obviously growing. They're starting to realize that their cloud footprint... bigger, their customer mass is growing every day, and they start to freak out. What's the first step that they should be looking at towards moving towards a more compliant and secure environment?

Encryption. Make sure you encrypt everything, make sure that your IAM policies are up to date.
So actually this is really good, because we have our security assessment at 2nd Watch, which is essentially this four-phased approach where we're first running essentially an automatic scan of their environment and looking to see the most common vulnerabilities. And ten out of ten cases it's always the same vulnerabilities that are happening. It's problems with their IAM. There's, you know, keys everywhere. They haven't rotated their keys. Admin credentials to people who shouldn't have admin credentials. There's no incident response policy. So, especially with something like COVID, that's very pertinent right now, where if something were to happen, they don't have a process. For one, what do we do? How do we get servers back up and running as soon as possible? How do we get our business back up and running as soon as possible? And then how do we preserve evidence? If, you know, if it's a hacker, a malicious attack, how do we make sure that we're preserving evidence so we can do a post-mortem of it? They have no SIEM, so they have nobody monitoring their network traffic. So those are really the things that we always, always find, and we always try to get them to remediate. Over and above that, based on what we're talking about with compliance, it would definitely be knowing what data you have and where it goes.

Fantastic. Well, Victoria, it's an honor to work with you. Thank you so much for joining our show this week.

Thank you, and great discussion. Skip, great seeing you too.

Yeah, of course. Likewise. Thanks again, Victoria, for joining us this week.

Thanks for having me. Really appreciated it. Pleasure.

Thank you. Absolutely. Join us next week for another episode of Cloud Crunch. You've been listening to Cloud Crunch with Ian Willoughby and Skip Berry. For more information, check out the blog at 2ndwatch.com, company blog, or reach out to 2nd Watch on Twitter.
