You must unlearn what you have learned the

  • Slides: 44

“You must unlearn what you have learned. ”

“…the process of encoding a message or information in such a way that only authorized parties can access it.” Access: read, view, process, compute, use a key.

> Well? Shoes fit well. RIP Fred.

“You must unlearn what you have learned. ”

SaaS: Software as a Service (software application).

Software as a Service: processes user data.
Platform as a Service: may or may not process user data.
Infrastructure as a Service: does not process user data.

BYOK: Bring Your Own Key. HYOK: Hold Your Own Key. CYOK: Control Your Own Key.
Best response: “What I have learned is that when folks use those terms there is an underlying business problem that they assume it might solve. Let’s define the business problem and then we can see how encryption might be used.”

Business Problems

Define the business problem.

“If I own the encryption keys for my SaaS service, I’m safe from legal demands.” What’s implied? That SaaS can work without seeing customer data. This violates the fundamentals of SaaS.

“I have a regulatory and compliance obligation to have sole control of encryption keys.” Regulatory mandates are very, very rare. Regulators want to lower risk, and sole ownership increases risk.

How did this get so misunderstood? Let’s look at some examples.

http://www.slate.com/blogs/future_tense/2014/04/03/box_is_working_on_a_feature_that_would_let_companies_keep_their_own_encryption.html

BOX “BYOK”: https://blog.box.com/blog/box-keysafe/ and https://www.box.com/legal/termsofservice

How does trust work in commerce?

enforceable at law as a binding legal agreement

Trust: current events, historical record, public statements, motivation, capabilities / audit, contract.

Technology follows contract.

We’ve learned…

Software as a Service processes user data.
Contracts determine SaaS privacy.
Seek encryption truth, not hype.
Define your business problem.

Resources:
Microsoft Online Service Terms
Getting started with Office 365 Customer Key FAQ
Encryption in the Microsoft Cloud Whitepaper
International Cryptography Regulation and the Global Information Economy
Revised Banking Supervision Guidelines on Cloud Computing
Design for and implement security controls for cloud services
US DoD Cloud Computing Security Requirements Guide

Session info: SaaS Encryption: lies, damned lies, and hard truths (Session Code BRK 2392)

Related sessions:
BRK 3104: Manage and control your data to help meet compliance needs with Customer Key
Hands on Labs Room: Implementing Bring Your Own Key with Azure Information Protection and Azure Key Vault
BRK 2000: Encryption key management strategies for compliance
BRK 2203: Protect and control your sensitive emails with new Office 365 Message Encryption capabilities
BRK 2141: Taming the Beast - How We Secure the World's Largest Enterprise Cloud Service
BRK 3385: Understanding best practices in classifying sensitive data
HOL 3105: Configure and use Microsoft Office 365 security and compliance features (Session Type: Hands-on Lab; Level: Advanced (300))
THR 2143: Azure security in four steps
BRK 4000: Learn about enterprise security and compliance with Microsoft Teams

https://myignite.microsoft.com/evaluations
https://aka.ms/ignite.mobileapp

“Encryption is a technical tool. Let’s establish a clear business problem first. Then we can see if encryption is an appropriate solution.”

“I think when you want to talk about encryption you are really talking about data protection and privacy – let’s get to the root of your data protection and privacy concerns.”

“In my experience, encryption and the law are always intertwined. We need to focus on contractual representations because those are legally binding. Let’s ensure we are clear how our service provider will handle legal demands for data.”

“To avoid disaster, follow industry best practices and ensure that operational procedures are documented and regularly tested.”

“Let’s keep in mind that encryption can be a weapon for data destruction and choose a SaaS provider that helps safeguard both keys and data!”