IDM Europe 2017 Conference - GDPR & Data Breaches

1. GDPR & Data Breaches
Kannan Rasappan
PSD2 Solution Architect, Lloyds Banking Group
Past - Worldpay HSBC RBS

2. Disclaimers
The opinions expressed in this presentation is my own & doesn’t reflect
my current or past organizations I work or worked with.
I am from Technical Team & NOT Legal/Compliance J

3. What’s for today
GDPR is Business transformation and not an IT project
From IT perspective
- Who has access?
- Where is it stored?
- How is it shared?
- How is it protected?
- How is it leaked?
So you hold
Cust Data

4. Why?
• Businesses building on basis Data is new Oil
• API, APP & IoT World Emerging - Data Mashup
• Corporate too Powerful
• GDPR is regulating industry keeping Customer at its heart
• Customers have been Guinea Pigs - Marketing Labs
• Need Digital Identity Sovereignty
Customer
Decides

5. GDPR Intro
• Trust & Protect
• Ask business to change – Protect Customer
• Customer owns his Data
• Take it serious
• Fine – 2-4% group turnover / €10m-20m – the higher one
Not just
another
Regulation!

6. Why breach?
• Steal Identity
• Financial gains
• Advert & Marketing
• Spying, Stalking, Bullying
Breach Impact
• Brand & Reputation damage
• Loss of business
• Fine
Defensible Position
• Admit there will be breach
• No hacker proof system
• Justify you did best to protect

7. Breach Stats
Source

8. www.informationisbeautiful.net

9. Humans in Breaches
Customers DSAR
{Accidental Leak}
Sponsored Hacking
by Competitors
Breach/Ransomware
by hackers
Disgruntled malicious
employee
business

10. Data Stream
Website &
Customer
Transit Storage Processing
Protect your Web Site
Protect your customer machine
Protect Customer Identity
Protect the Comms
- TLS 1.2
- VPN
Protect the Data
- Physical Security
- Encrypted
Governance
- Access Controls
- Privileged Access Management
CRM
Report generation
Sharing with Third-party
IT Developers, Operations
Protect Employee machines

11. Hackers
• Motivation – Money
• GDPR may lead to more Ransomware
• Pay the ransom
• Or face Breach Impacts
• Still need to report
• Currently
• Any profile data that helps Identity theft & Ads Industry
• Financially attractive companies – rich in data volume
Breach is a
Breach!

12. Web App Vulnerabilities
Source

13. Hacking Journey
includes
human
element as
well

14. Protect Your Customer
• Anti-Virus
• Anti-Malware
• Cookies Encrypted
• TLS 11.2
• Know their Behavior
• List of Trusted Devices
• Trusted Location/Network
• Protect yourself from Customer 2nd Factor
Authentication

15. Baseline Safeguards
• No external drive
• Laptop Encrypted
• Websites Access Controlled
• Shared Admin Password
• No plaintext passwords in DB
• Antivirus & OS updates
• TLS Security for Websites
• VPN from home or outside
• Legal Contracts with Third-party Data Processors
• Consent Management Software

16. Intermediate Safeguards
• Protect your network – DMZ, Internal, Secure, Firewalls
• Open only selected ports
• DB & Backups encrypted
• 2nd Factor Authentication
• Vulnerability Scanner Software
• Anti-malware – eg Trusteer
• Unix desktops if possible – MacOSX J
• Pseudonymisation whenever possible

17. Advanced Safeguards
• Defense in Depth – Multi Ring fence
• Industry Standard IAM Products
• Threat Detection & Prevention
• Cyber Security Software
• Web Application Firewalls
• Privileged Access Management {PAM}
• Secure Restricted Zone
• Penetration Testing
• Hardware Security Module Encryption {HSM}
• Total Pseudonymisation

18. Are you tracking online Customers?
• Cookies
• Online Customer Tracking on your websites?
• Google Analytics Websites?
• Search Engines Indexing?
• Blog/Comments on your websites
• Date feeding Ads industry
• Real time bidding {RTB}
• Google, Facebook, Amazon are changing ways they operate

19. PSD2 Dimension
• Breach - Fintech are responsible & they are DC
• Debate – Banks are still Data Controllers wrt Fintech
Customers
Fintech CompaniesBanksThird Party
DP DC DC

20. Questions?
Thank You All!