© 2010 RightNow Technologies, Inc. ASU – CABIT – Privacy Day Privacy in the Cloud Ben Nelson CISO, RightNow Technologies

© 2010 RightNow Technologies, Inc. SaaS: Definition and Key Principles Software as a Service (SaaS) is a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third-party) the application for use by its customers over the Internet - Wikepedia. Business Model Change Transferring IT Responsibilities Leveraging Economies of Scale Providing (Receiving) Key Services SaaS = On Demand

© 2010 RightNow Technologies, Inc. How many of you are consumers of SaaS or Cloud Services today? How many of you, who aren’t consumers, are considering SaaS or Cloud Services? How many of you are responsible for implementing SaaS or Cloud Services? What are your biggest concerns?

© 2010 RightNow Technologies, Inc. Background

© 2010 RightNow Technologies, Inc. Who is RightNow? Leader in SaaS/Cloud Customer Experience Started in 1998 Consistent growth throughout lifetime –Currently serving companies –Publicly traded (NASDAQ: RNOW) 100+ million transactions per year

© 2010 RightNow Technologies, Inc. 1,900 Clients are Delivering Superior Customer Experiences

© 2010 RightNow Technologies, Inc. Who is Ben Nelson? Started with RightNow in Feb 2000 Helped architect the SaaS infrastructure elements that are still in place today Started doing full-time information security at RightNow in 2005 Built compliance practice in 2007 Achieved PCI-DSS SPL1 in 2009 Received ATO for FISMA Moderate C&A in 2009 Completed SAS 70 Type II audit of global operations in 2009

© 2010 RightNow Technologies, Inc. Unique Challenges

© 2010 RightNow Technologies, Inc. Multi-Tenancy Any (and every) customer hosted on same infrastructure Whole infrastructure is a target for any tenant Infrastructure’s security/privacy requirements are the super-set of the requirements of *all* tenants

© 2010 RightNow Technologies, Inc. Market Diversity RightNow sells to clients in almost every major market vertical you can name –Each one with unique, specific requirements/regulation RightNow sells to clients in almost every major geography –Again, each with their own unique, specific requirements/regulations

© 2010 RightNow Technologies, Inc. Ultra-Flexible Product/Service We don’t limit the type of data –Simple knowledge articles (how to fix my widget) –Personalized portal data Consumer RMAs Health data Compensation/Benefits Simple contact data We don’t limit the quantity of data

© 2010 RightNow Technologies, Inc. Defense In Depth

© 2010 RightNow Technologies, Inc. Basic Principles Protect the data at every layer possible: –Physical Rigorous physical security requirements from top-tier vendors –Personnel Background checks and employment verifications –Infrastructure Firewalls, Intrusion Detection, etc. –Application OWASP application development principles 3 rd party vulnerability assessment as part of QA

© 2010 RightNow Technologies, Inc. Incident Handling What to do when ‘it’ happens Must be prepared in advance Must know how to escalate Must be aware of breach notification laws –Generally too many to manage –Outside counsel is your best ally in this situation Must have your legal and corporate communications teams aware of the procedure Must maintain a relationship w/ local law enforcement –Know how to contact federal law enforcement

© 2010 RightNow Technologies, Inc. Security Awareness People will always be the ‘weakest link’ –Technology is the easy part Needs to come from the ‘top down’ –Executive-level support Needs to be regular –Periodic training –Simple reminders Can be a motivator too –Sense of pride in knowing that you’re part of protecting critical data/infrastructure

© 2010 RightNow Technologies, Inc. Compliance: The Proof in the Pudding

© 2010 RightNow Technologies, Inc. Know Your Customers They probably have very specific requirements They probably have some oversight –Don’t try to avoid or circumvent Understand their motivation Understand how they’re using your service

© 2010 RightNow Technologies, Inc. Control Mapping Multi-tenancy with diverse clientele makes it almost impossible to meet each one’s needs individually Overlapping controls are your friend Mapping ‘like’ controls together isn’t as hard as it seems –Many tools available to help you do this

© 2010 RightNow Technologies, Inc. Certification Your word only goes so far Engage a 3 rd party to certify you against –A custom control set (SAS 70) –A well known industry standard PCI-DSS (varying levels of certification) ISO 2700x series NIST guidelines (federal government C&A)

© 2010 RightNow Technologies, Inc. What SaaS Consumers Should Expect

© 2010 RightNow Technologies, Inc. Transparency Especially in data security/privacy practices Also in operational metrics SaaS vendors should be able to clearly articulate: –Their data security/privacy practices –Their legal obligations to individuals –Their contractual obligations to *you*

© 2010 RightNow Technologies, Inc. Recognized Certifications Preferably validated by an outside party Applicable to your industry’s needs If you’re not sure what control frameworks are applicable to you –Start with BITS/Santa Fe Group Standardized Information Gathering (SIG) Questionnaire

© 2010 RightNow Technologies, Inc. THANK YOU Questions?