
1 © 2010 RightNow Technologies, Inc. ASU – CABIT – Privacy Day Privacy in the Cloud Ben Nelson CISO, RightNow Technologies

2 SaaS: Definition and Key Principles
Software as a Service (SaaS) is a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third party) the application for use by its customers over the Internet. – Wikipedia
Business Model Change
Transferring IT Responsibilities
Leveraging Economies of Scale
Providing (Receiving) Key Services
SaaS = On Demand

3 How many of you are consumers of SaaS or Cloud Services today?
How many of you, who aren’t consumers, are considering SaaS or Cloud Services?
How many of you are responsible for implementing SaaS or Cloud Services?
What are your biggest concerns?

4 Background

5 Who is RightNow?
Leader in SaaS/Cloud Customer Experience
Started in 1998
Consistent growth throughout lifetime
  – Currently serving 1900+ companies
  – Publicly traded (NASDAQ: RNOW)
100+ million transactions per year

6 1,900 Clients are Delivering Superior Customer Experiences

7 Who is Ben Nelson?
Started with RightNow in Feb 2000
Helped architect the SaaS infrastructure elements that are still in place today
Started doing full-time information security at RightNow in 2005
Built compliance practice in 2007
Achieved PCI-DSS SPL1 in 2009
Received ATO for FISMA Moderate C&A in 2009
Completed SAS 70 Type II audit of global operations in 2009

8 Unique Challenges

9 Multi-Tenancy
Any (and every) customer hosted on same infrastructure
Whole infrastructure is a target for any tenant
Infrastructure’s security/privacy requirements are the super-set of the requirements of *all* tenants

10 Market Diversity
RightNow sells to clients in almost every major market vertical you can name
  – Each one with unique, specific requirements/regulation
RightNow sells to clients in almost every major geography
  – Again, each with their own unique, specific requirements/regulations

11 Ultra-Flexible Product/Service
We don’t limit the type of data
  – Simple knowledge articles (how to fix my widget)
  – Personalized portal data
      Consumer RMAs
      Health data
      Compensation/Benefits
      Simple contact data
We don’t limit the quantity of data

12 Defense In Depth

13 Basic Principles
Protect the data at every layer possible:
  – Physical
      Rigorous physical security requirements from top-tier vendors
  – Personnel
      Background checks and employment verifications
  – Infrastructure
      Firewalls, Intrusion Detection, etc.
  – Application
      OWASP application development principles
      3rd party vulnerability assessment as part of QA

14 Incident Handling
What to do when ‘it’ happens
Must be prepared in advance
Must know how to escalate
Must be aware of breach notification laws
  – Generally too many to manage
  – Outside counsel is your best ally in this situation
Must have your legal and corporate communications teams aware of the procedure
Must maintain a relationship w/ local law enforcement
  – Know how to contact federal law enforcement

15 Security Awareness
People will always be the ‘weakest link’
  – Technology is the easy part
Needs to come from the ‘top down’
  – Executive-level support
Needs to be regular
  – Periodic training
  – Simple reminders
Can be a motivator too
  – Sense of pride in knowing that you’re part of protecting critical data/infrastructure

16 Compliance: The Proof in the Pudding

17 Know Your Customers
They probably have very specific requirements
They probably have some oversight
  – Don’t try to avoid or circumvent
Understand their motivation
Understand how they’re using your service

18 Control Mapping
Multi-tenancy with diverse clientele makes it almost impossible to meet each one’s needs individually
Overlapping controls are your friend
Mapping ‘like’ controls together isn’t as hard as it seems
  – Many tools available to help you do this

19 Certification
Your word only goes so far
Engage a 3rd party to certify you against
  – A custom control set (SAS 70)
  – A well known industry standard
      PCI-DSS (varying levels of certification)
      ISO 2700x series
      NIST guidelines (federal government C&A)

20 What SaaS Consumers Should Expect

21 Transparency
Especially in data security/privacy practices
Also in operational metrics
SaaS vendors should be able to clearly articulate:
  – Their data security/privacy practices
  – Their legal obligations to individuals
  – Their contractual obligations to *you*

22 Recognized Certifications
Preferably validated by an outside party
Applicable to your industry’s needs
If you’re not sure what control frameworks are applicable to you
  – Start with BITS/Santa Fe Group Standardized Information Gathering (SIG) Questionnaire
      http://www.sharedassessments.org

23 THANK YOU
Questions?

