Hello, my name is Rob Cameron from Netskope, and I'm here on
Movie Line Monday to talk about my
favorite movie, WarGames.
And so let's use a quote from that movie.
"How about playing a nice game of chess?"-- something that the
WOPR says back to Matthew Broderick's character.
I always loved that movie growing up because of the idea
of hacking, and it was just so exciting.
And I think it's funny, having grown up in Detroit, seeing
that they're dialing these 408 numbers,
which are all around me now in Silicon Valley.
So let's talk about what matters.
Let's talk about what's really important for customers, which
I feel is compliance.
Now, compliance is this idea that, in some
ways, is very annoying.
You have to meet these requirements.
You have to validate it.
You have to audit it.
But I think about it this way.
I want to build a product that customers love.
I want to build a product that customers trust.
And I can go out and say, well, here's all my security
principles now.
I'm doing it.
And that's great.
But can you really trust it?
Well, you can trust it if it's audited by a third party.
So that way, when you receive this information, you know
what we say is what we do.
It's audited, validated.
And you can ensure that you're building a cloud with
confidence on Netskope.
So let's talk about two different components of
compliance that are very important--
SOC-1 and SOC-2.
These are relatively new, replacing some of the older
specifications, such as SAS 70, which SOC-1 replaces.
SOC-1 covers things like management financials and then
user entities.
And this is very typical for data center environments.
So all of our data centers are SOC-1 compliant.
What that allows us to do is know that all the
security is in place.
Things are audited.
Physical access is audited--
all of the components to ensure just somebody's not
walking up to your server and taking all your data out.
Now, this is great.
And a lot of organizations just
rely on that for security.
But what happens inside the cage?
What happens inside the servers?
And that's where the SOC-2 compliance comes into play, with
these five categories--
security, availability, processing integrity,
confidentiality, and privacy.
At Netskope, we chose four--
everything except processing integrity.
We're not a data processor--
something like a credit union or a bank--
so that does not necessarily apply to us.
But things like security, availability, confidentiality,
and privacy do.
So for SOC-1, all of this for us is coming from the data center.
And then for SOC-2--
we work with an auditor to be able to come up with these
categories and the components of those categories that build
the best possible cloud for the customer.
So with security, this tells you how we do our process of
accessing hosts, what the hosts are doing, what software
they're running, and how we manage
access into these devices.
Funny enough, people just throw hosts on the internet,
have very weak authentication, and they just allow people to
get into them.
It's surprising to me, as well.
But it's not too uncommon.
Recently, over 100,000 servers were hacked through an IPMI
vulnerability, which would give you console-like access
if you were physically at the server.
I could never imagine putting that out there.
But instead of just doing it, I'll tell you how I do it and
how I secure it.
Availability--
once you're running on our service, especially a service
like Netskope where we're in the cloud between you and your
applications, providing that security, you don't only want
it to be secure, but you need it to be up.
So we talk about how we provide availability.
And then again, that whole procedure is audited so we can
validate what we're doing is actually what we're doing.
And then in the end, you know because you have a secure and
available cloud.
Lastly, we have confidentiality and privacy.
And those two kind of sound the same.
Confidentiality relates to the information of the business.
So if your organization works with Netskope, this is how we
handle your data-- who has access to it, what are the
procedures, how is it backed up, where does the data go.
Privacy relates to the individual user.
So if you're using our service and coming through our cloud,
it's how we handle the data that you individually have.
For this, we're not keeping any of this information, but
we felt it's very important, with all this information out
there about the NSA and all this information leakage, to
explain exactly how Netskope covers your data.
So instead of just being compliant and saying that
we're here and we fill out a spreadsheet, we're going to
sit down, have the compliance and have the auditing done.
The last piece about this is there's a type one and a type
two of each SOC--
again, just another number thrown out there.
What a type one does is this is where I fill out a form and
I say, this is what I do.
A type two is when an auditing firm will audit the type one
and validate what's done.
So we've completed our type one.
And we're in our type two phase where we're doing all
the procedures, and then we're going to have our auditor come
back and validate and give us the thumbs up that we're
compliant with it--
And with that, we have all this information available to
our customers and we're able to share it.
There's lastly one other type of SOC called SOC-3.
This is very rarely used.
And what it is-- it allows the customer to know that the
SOC-2 is in place without disclosing
how the SOC-2 works.
So if I had some complex security algorithm, I wouldn't
want to post that on my website.
The SOC-3 would basically be a link for that.
It's very rarely used, because typically, people go with the
SOC-2 and leave it at that.
And even our auditor suggested that.
So thanks for joining us here at the Movie Line Monday.
If you have a question, you can email us at
movielinemonday@netskope.com.
And we'd be happy to answer your questions and really just
engage with you.
Thank you so much.
I'm Rob from Netskope.
See you soon.