Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sherry Michael Weller 4-17-2013 Bring Your Own Cloud: Data Management Challenges in a Click-Through World Sherry Michael Weller 4-17-2013.

Published byBarnard Blankenship Modified over 6 years ago

Similar presentations

Presentation on theme: "Sherry Michael Weller 4-17-2013 Bring Your Own Cloud: Data Management Challenges in a Click-Through World Sherry Michael Weller 4-17-2013."— Presentation transcript:

1 Sherry Michael Weller 4-17-2013
Bring Your Own Cloud: Data Management Challenges in a Click-Through World Sherry Michael Weller

2 University of Pennsylvania
Ivy League university located in Philadelphia Founded by Benjamin Franklin in 1740 Ranked in the top five research universities in the United States. 10,000 Undergraduate students There are twelve schools at the University. WHERE AGE RESEARCH SIZE The School of Arts and Sciences is the home of the humanities, social sciences natural sciences with 27 departments and 500 faculty.

3 School of Arts and Sciences Computing
Supports the effective use of information technology by the faculty, students and staff of the School. Five Main Divisions: Desktop Computing and Network Services Institutional Research and Application Development Instructional Technology Social Sciences Computing Information Security and Unix Systems So large, schools have their own IT ENIAC created by the Moore School come visit

4 The value of security assessments Share stories
Overview Explore a complex case study to examine a university group that turned to free cloud services to share sensitive data The value of security assessments Share stories Why they did it, what are the risks, and what we are doing to resolve

5 Case Study: Introduction
The University Civic Center (pseudonym) Provides charitable services as well as conducts research Dozens of outreach programs Located off and on campus Outreach programs: plant trees and study the effects and survey the benefits of tree planting

6 Case Study: Challenges
Many office locations off and on campus Decentralized management and supervision Non-university participants and volunteers Employs student workers Does not fit in a standard computing support model

7 Case Study: The Cloud Temptation
Free! Do-Gooders don't have a lot of cash Easy to use. Familiarity with consumer cloud storage services Portable. Important when offices are off-campus Low overhead, especially when IT support path is not clear

8 Case Study: Irresistible Pull
Click-through services seem to be a clear choice for a group with legitimate needs, little money, murky support channels, distributed locations and varied staff members. Cloud is agile, familiar and available on demand!

9 Case Study: The Data The Civic Center, unfortunately collects, stores and shares sensitive data: FERPA protected student data (grades, performance evaluations, attendance) Contact information for human research subjects Job applicant information and background checks Social Security Numbers So far, wouldn’t be so bad…but

10 Click-Through Cloud Dangers
So…what’s the problem? Ask them to yell them out

11 Particular Click-through Concerns
No terms protecting regulated data Intellectual property No storage management- where is the data? Who opened what free account? Lack of centralized access control with frequently changing staff

12 Penn Cloud Guidelines Consider availability of mission critical resources Must maintain access to Penn data for regulatory and legal purposes Weigh security risks storing confidential, contracted and regulated data Limited support

13 Move beyond click-through
Penn Cloud Services Move beyond click-through Negotiate Penn specific contracts: AWS, Google, Nasuni Leverage collaborations like Internet2: Box Explore new tools Develop in-house solutions when necessary Foster awareness ISC Cloud group In house: Secure share- secure web-based replacement for FTP and file attachments

14 Case Study: Analysis So what did we do to help the Civic Center better manage their confidential information? Allocated IT staff time Performed a full assessment Developed a plan to address critical concerns

15 Case Study: Finding Help
SAS Computing supports one of the many Civic Center offices Discovery began when the Center requested help developing an application It was determined that a general assessment of data management was in order Because the Center falls between several departments, someone needed to decide who was going to be responsible

16 Security and Privacy Impact Assessment- SPIA
To determine how sensitive information is handled and stored Process for vendors, applications and departments Identify risk factors To protect the university community, patients and research subjects From the Office Of Privacy and Compliance

17 We can’t fix what we don’t know! The SPIA tool:
SPIA: Discovery We can’t fix what we don’t know! The SPIA tool: Conduct detailed interviews Create an inventory Determine risk Follow up with an executive summary Not software Interviews preferably done by technologists aware of tech solutions " Data! Data! Data! I can't make bricks without clay." -Sherlock Holmes The Adventure of the Copper Beeches

18 SPIA: Developing Solutions
Not a paperwork exercise Redact, eliminate or move the most sensitive data at the greatest risk Explore more secure options Identify workflow problems

19 Case Study: Our Solutions
Where possible, move to contracted cloud services Limit click-throughs in the future Securely delete unnecessary sensitive information Review access controls and accounts Security awareness training

20 Case Study: Our Challenges
File ownerships and turnovers Migrating and mitigating from all the click-through providers User education IT staff resources and responsibilities Reviewing contracts for cloud services is time consuming

21 What Have We Learned? There is understandable temptation to use click-throughs When assistance is not provided, clients go for ease, not security Have a cloud policy and promote it Offer contracted solutions as alternatives Security assessments are a tool for problem solving

22 Security as Relationship Building
Assessments can build relationships Security creates solutions and not just barriers Chance to advocate for our clients Prevents future problems

23 Summary We support dynamic environments that often adopt free and easy to use cloud services for collaboration. Clients need to be aware of security risks when choosing to use such services. Guidelines and contracted alternatives should be provided. Schools should consider using audit tools like SPIA as a way to identify and mitigate sensitive information exposure and foster partnerships.

24 Further Information www.upenn.edu/computing/isc/cloud
Penn Cloud: Security and Privacy Impact Assessment: Contact:

Download ppt "Sherry Michael Weller 4-17-2013 Bring Your Own Cloud: Data Management Challenges in a Click-Through World Sherry Michael Weller 4-17-2013."

Similar presentations

Training to care for people with dementia Dementia Training Partner logo here Training support Skills development Competency Assessment Scholarships Education.

Training to care for people with dementia Dementia Training Partner logo here Training support Skills development Competency Assessment Scholarships Education.
From QA to QI: The Kentucky Journey. In the beginning, we were alone and compliance reigned.

From QA to QI: The Kentucky Journey. In the beginning, we were alone and compliance reigned.
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?

Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Cornell 18,000 students 2,000 faculty Twelve colleges on Ithaca campus Four are state colleges, eight are private (including grad school and school of.

Cornell 18,000 students 2,000 faculty Twelve colleges on Ithaca campus Four are state colleges, eight are private (including grad school and school of.
HOME-BASED AGENTS Welcome to Unit 7. Review of unit reading material from textbook: Travel Career Development 8 th ed. Authors: Gagnon,P. & Houser, S.

HOME-BASED AGENTS Welcome to Unit 7. Review of unit reading material from textbook: Travel Career Development 8 th ed. Authors: Gagnon,P. & Houser, S.
1 Solving the email records management problem A cloud-computing approach to email archiving Amanda Kleha Product Marketing, Google May 20, 2008.

1 Solving the records management problem A cloud-computing approach to archiving Amanda Kleha Product Marketing, Google May 20, 2008.
+ Email-SIG Information Systems & Computing University of Pennsylvania June 27, 2013 1/13.

+ -SIG Information Systems & Computing University of Pennsylvania June 27, /13.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
PCI-DSS: Guidelines & Procedures When Working With Sensitive Data.

PCI-DSS: Guidelines & Procedures When Working With Sensitive Data.
Chapter 3 Pre-Incident Preparation Spring 2016 - Incident Response & Computer Forensics.

Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Information Management and the Departing Employee.

Information Management and the Departing Employee.
Q2 2016 K-12 Blueprint Overview. 2 The K-12 Blueprint offers resources for education leaders involved in planning and implementing personalized learning.

Q K-12 Blueprint Overview. 2 The K-12 Blueprint offers resources for education leaders involved in planning and implementing personalized learning.
1 Visiting the IVT PhD candidates Oct-Nov 2012 From faculty adm: Vice Dean Research, Section head Research, Senior officer PhD. From the departments: totaly.

1 Visiting the IVT PhD candidates Oct-Nov 2012 From faculty adm: Vice Dean Research, Section head Research, Senior officer PhD. From the departments: totaly.
Best Things Done in Managing Hybrid Clouds. Businesses are moving to cloud set-up. However the concerns are security issues, regulatory obstacles, abnormal.

Best Things Done in Managing Hybrid Clouds. Businesses are moving to cloud set-up. However the concerns are security issues, regulatory obstacles, abnormal.

Similar presentations

Ads by Google