Most secure organizations that have achieved a reasonable level of maturity in a security program have likely done so by using best practices such as data classification, data encryption, auditing, log management and the like. As disruptive technologies like mobile and SaaS come along, the same disciplines should be adapted and applied in an agile and dynamic manner; in other words, the data classification approach must be more than a document or a policy sitting in a shared drive on the company intranet. The data classification and tagging process discipline should be a bridge between the applications portfolio and certification and compliance.
2. Joe Faghani, Lead Enterprise Application Architect, VMware
As Lead EA for Corporate IT at VMware, Joe is responsible for the continuous refinement of current state solution architectures, the development of future state solution architectures and the delivery of the company’s application portfolio roadmap. He also directs VMware’s Architecture Review Board and oversees a team of system domain architects in charge of reviewing solution and technical architectures. Prior to VMware, Joe worked at Rambus (Software Architect Emerging Technologies), Juniper Networks (EA), the US Army (Soldier of Future Project SBIR), Cadence and Learning Tree (Software Architect Distance Learning). Joe earned a bachelor's degree in Computer Science from the University of London.

Steve Tout, Technical Director of IAM at VMware
Steve leads an IAM program at VMware and has designed, implemented and managed systems to support VMware’s explosive growth into a $5B company. He has day-to-day responsibility for the IAM domain at the EA board level, defining and executing against a 3-year roadmap, and plays a key role in IAM strategy and governance. Steve studied Information Technology at the University of Phoenix and has held senior roles in engineering, security, operations and consulting at AT&T Wireless, US Bank and Oracle Corporation. He lives with his wife, daughter and two basset hounds in Morgan Hill, California.
3. Compliance (IAM)
4. IDG Enterprise, Cloud Research Report, 2013
A 2013 IDG Enterprise cloud computing research study found that 66% of IT decision makers cite security concerns as a barrier to implementing a cloud computing strategy, and 56% say they won't fully embrace the cloud until they are more confident in cloud service providers' ability to meet their compliance requirements.
5. Can you tell me…
• Are you using SaaS in your organization for major business processes?
• What are the public cloud risks I should be concerned about?
  – What is our As-Is state of SaaS?
• Which SaaS applications that your organization uses store PCI, HIPAA or other sensitive data?
• How are you managing, monitoring, auditing and controlling the SaaS applications your business uses?
• Which of your SaaS applications is most at risk of being compromised?
  – Where do you start to invest in security and remediate risks?
6. IAM Governance using Troux
• Know what your standards are, where you use SSO and how you audit and monitor your users in a SaaS world
• Using Troux, inventory, identify, correlate, tag and understand - create Troux Insights for the business
• Develop the practices and tools so you can demonstrate appropriate levels of control are in place over regulated data and contribute towards security and compliance
7. The bottom line
• Lower the cost of compliance
• Achieve more efficient compliance in SaaS
• Use a simple data classification model to manage and understand where your risks are
  – E.g. Low, Medium, High
  – This is possible to do in Troux without any customizations