You must unlearn what you have learned the

  • Slides: 44
Download presentation

“You must unlearn what you have learned. ”

“You must unlearn what you have learned. ”

“…the process of encoding a message or information in such a way that only

“…the process of encoding a message or information in such a way that only authorized parties can access it. ” Access read view process compute use a key

> Well? Shoes fit well. RIP Fred. Well? >Shoes fit well. RIP Fred.

> Well? Shoes fit well. RIP Fred. Well? >Shoes fit well. RIP Fred.

> Well? Shoes fit well. RIP Fred. Well? >Shoes fit well. RIP Fred.

> Well? Shoes fit well. RIP Fred. Well? >Shoes fit well. RIP Fred.

“You must unlearn what you have learned. ”

“You must unlearn what you have learned. ”

Saa. S Software as a Service Software Application

Saa. S Software as a Service Software Application

Software as a Service Processes user data. Platform as a Service May or may

Software as a Service Processes user data. Platform as a Service May or may not process user data. Infrastructure as a Service Does not process user data.

BYOK Bring Your Own Key HYOK Hold Your Own Key CYOK Control Your Own

BYOK Bring Your Own Key HYOK Hold Your Own Key CYOK Control Your Own Key best response What I have learned is that when folks use those terms there is an underlying business problem that they assume it might solve. Let’s define the business problem and then we can see how encryption might be used

Business Problems

Business Problems

Define the business problem.

Define the business problem.

“If I own the encryption keys for my Saa. S service, I’m safe from

“If I own the encryption keys for my Saa. S service, I’m safe from legal demands. ” What’s implied? That Saa. S can work without seeing customer data. Violates the fundamentals of Saa. S

“I have a regulatory and compliance obligation to have sole control of encryption keys.

“I have a regulatory and compliance obligation to have sole control of encryption keys. ” Regulatory mandates are very, very rare Regulators want to lower risk, and sole ownership increases risk

How did this get so misunderstood? Let’s look at some examples.

How did this get so misunderstood? Let’s look at some examples.

http: //www. slate. com/blogs/future_tense/2014/04/03/box _is_working_on_a_feature_that_would_let_companies_keep _their_own_encryption. html

http: //www. slate. com/blogs/future_tense/2014/04/03/box _is_working_on_a_feature_that_would_let_companies_keep _their_own_encryption. html

BOX “BYOK” https: //blog. box. com/blog/box-keysafe/ https: //www. box. com/legal/termsofservice

BOX “BYOK” https: //blog. box. com/blog/box-keysafe/ https: //www. box. com/legal/termsofservice

How does trust work in commerce?

How does trust work in commerce?

enforceable at law as a binding legal agreement

enforceable at law as a binding legal agreement

Trust Current events Historical record Public statements Motivation Capabilities / Audit Contract

Trust Current events Historical record Public statements Motivation Capabilities / Audit Contract

Technology follows contract.

Technology follows contract.

We’ve learned…

We’ve learned…

Software as a Service processes user data Contracts determine Saa. S privacy Seek

Software as a Service processes user data Contracts determine Saa. S privacy Seek encryption truth, not hype Define your business problem

Microsoft Online Service Terms Getting started with Office 365 Customer Key FAQ Encryption

Microsoft Online Service Terms Getting started with Office 365 Customer Key FAQ Encryption in the Microsoft Cloud Whitepaper International Cryptography Regulation and the Global Information Economy Revised Banking Supervision Guidelines on Cloud Computing Design for and implement security controls for cloud services US Do. D Cloud Computing Security Requirements Guide

Title Session info Saa. S Encryption: lies, damned lies, and hard truths Session Code

Title Session info Saa. S Encryption: lies, damned lies, and hard truths Session Code BRK 2392 Manage and control your data to help meet compliance needs with Customer Key Session Code BRK 3104 Implementing Bring Your Own Key with Azure Information Protection and Azure Key Vault Hands on Labs Room Encryption key management strategies for compliance Session Code BRK 2000 Protect and control your sensitive emails with new Office 365 Message Encryption capabilities Session Code BRK 2203 Taming the Beast - How We Secure the World's Largest Enterprise Cloud Service Session Code BRK 2141 Understanding best practices in classifying sensitive data Session Code BRK 3385 Configure and use Microsoft Office 365 security and compliance features Session Code HOL 3105 Session Type Hands-on Lab Level Advanced (300) Azure security in four steps Session Code THR 2143 Learn about enterprise security and compliance with Microsoft Teams Session Code BRK 4000

https: //myignite. microsoft. com/evaluations https: //aka. ms/ignite. mobileapp

https: //myignite. microsoft. com/evaluations https: //aka. ms/ignite. mobileapp

“Encryption is a technical tool. Let’s establish a clear business problem first. Then we

“Encryption is a technical tool. Let’s establish a clear business problem first. Then we can see if encryption is an appropriate solution. ” “I think when you want to talk about encryption you are really talking about data protection and privacy – let’s get to the root of your data protection and privacy concerns. ” “In my experience, encryption and the law are always intertwined. We need to focus on contractual representations because those are legally binding. Let’s ensure we are clear how our service provider will handle legal demands for data. ” “To avoid disaster, follow industry best practices and ensure that operational procedures are documented and regularly tested. ” “Let’s keep in mind that encryption can be a weapon for data destruction and choose a Saa. S provider that helps safeguard both keys and data!”

Unlearn What You Have Learned Yoda The CriticalUnlearn What You Have Learned Yoda The Critical
MUST OR HAVE TO MUST MUST express aMUST OR HAVE TO MUST MUST express a
HAVE TO MUST Have to must a BirHAVE TO MUST Have to must a Bir
Must and Have To Must and Have toMust and Have To Must and Have to
Learning to Unlearn moving educators from a charityLearning to Unlearn moving educators from a charity
It is hard to unlearn the misconception thatIt is hard to unlearn the misconception that
UNLEARN STEREOTYPES INFERENCING REVIEW DEFINITION AN IDEA ORUNLEARN STEREOTYPES INFERENCING REVIEW DEFINITION AN IDEA OR
Continuous Learning Unlearn ReLearn ELearn IN TODAYS FASTPACEDContinuous Learning Unlearn ReLearn ELearn IN TODAYS FASTPACED
NGLZCE MUST MUSTNT 1 NGLZCE MUST MUSTNT MUSTNGLZCE MUST MUSTNT 1 NGLZCE MUST MUSTNT MUST
Modal verb must Must 1 I must cleanModal verb must Must 1 I must clean
Lets remember Must I must study Must ILets remember Must I must study Must I
MUST HAVE SHOULD HAVE Module 020 COULD HAVEMUST HAVE SHOULD HAVE Module 020 COULD HAVE
MUST HAVE SHOULD HAVE COULD HAVE Module 110MUST HAVE SHOULD HAVE COULD HAVE Module 110
MUST HAVE SHOULD HAVE Module 150 COULD HAVEMUST HAVE SHOULD HAVE Module 150 COULD HAVE
MUST HAVE SHOULD HAVE Module 130 COULD HAVEMUST HAVE SHOULD HAVE Module 130 COULD HAVE
MUST HAVE SHOULD HAVE COULD HAVE Module 050MUST HAVE SHOULD HAVE COULD HAVE Module 050
What have you learned What have you forgottenWhat have you learned What have you forgotten
Must Have 2 IDdesign March 2015 PURPOSE MUSTMust Have 2 IDdesign March 2015 PURPOSE MUST
You must always wear protective eyewear You mustYou must always wear protective eyewear You must
LESSONS LEARNED WHAT HAVE WE LEARNED FROM PASTLESSONS LEARNED WHAT HAVE WE LEARNED FROM PAST
DBA LESSONS LEARNED Ten Lessons I Have LearnedDBA LESSONS LEARNED Ten Lessons I Have Learned
SKILLS LEARNED What have I learned over theSKILLS LEARNED What have I learned over the
To have a healthy mind you must haveTo have a healthy mind you must have
Have a Seat You MUST have a senteoHave a Seat You MUST have a senteo