This presentation covers security principles for On-Premise organizations, security principles in the Cloud including Azure Deployment and Azure Build Services, and Environment Monitoring.
3. #FUELGOOD18
• Discover – What data is under your control?
• Manage – Control how data is captured and used.
• Protect – Keep data out of harms way.
• Report – Collect records for auditing.
AGENDA
6. #FUELGOOD18
What Data is Important?
Personal Information
• PIPEDA – legislation defining responsibilities and penalties regarding personal information.
Health Information
• PHIPA – legislation defining responsibilities and penalties regarding health/medical information.
GDPR (General Data Protection Regulation)
• Protecting personal data by design and default.
7. #FUELGOOD18
Factors to Determine If Your Data is Part of These Acts
• The sensitivity of the information involved in the breach.
• The probability that the information has been, is being, could be or will be misused.
• Essentially, any data that could be used to identify an individual could be considered of
"significant harm".
8. #FUELGOOD18
Where is your Data?
• Need to understand where data is kept to protect it.
• Is it only in once place? Or is it being duplicated and kept elsewhere?
• If on the Cloud, where is that info kept? If it crosses borders how does
that change liability?
• Where are the scheduled backups kept?
9. #FUELGOOD18
On-Premise
SQL Server
• Primary place for data storage: database servers (no surprise here…)
• Need to understand how systems function & which database they use for specific data.
Users Machines
• It’s much more difficult to centrally manage what data could be kept on a user’s machine.
• System Center allows for scanning for specific data on user’s machines.
10. #FUELGOOD18
Cloud
• Data is not necessarily all kept in a single location.
• Integrated tools allow for easier management with the complexities of how Cloud vs. On-premise
works.
• Microsoft Azure helps you search and identify personal data with Azure Search, Azure Data
Catalog, and Azure Active Directory, along with specialized tools such as Power Query and
Query Explorer
13. #FUELGOOD18
ADD TITLE HERE FOR THIS SLIDE
Under GDPR individuals to whom data relates can request:
• Information on the processing of the data
• Transfer of their data to other services
• Correction of mistakes in their data
• Restriction of processing certain data in certain cases
Requests must be processed within fixed period of times
14. #FUELGOOD18
Data Governance
• You need to understand what types of personal data your organization
processes, how, and for what purpose.
• A data governance plan can help define policies, roles, and responsibilities for
the access, management, and use of personal data.
15. #FUELGOOD18
Data in Use
• We limit the amount of people and access time
• Application level access
• Encryption Management
17. #FUELGOOD18
Data At Rest
• Securely store data
• Servers
• Client devices
• Cloud
• Data Separation
• Storage Location (physical)
• Encryption Key Management
18. #FUELGOOD18
Cloud Tools
• Azure Data Factory and Azure HDInsight help you trace and locate personal data.
• The Azure infrastructure can host customized privacy notices to help meet GDPR notification requirements.
• Azure Active Directory enables requesting and obtaining consent to use of data, and Azure SQL Database
can be used to document data subjects who have granted affirmative consent.
• Inaccurate or incomplete personal data can be identified and rectified using Azure Search, Azure Active
Directory, Azure SQL Explorer, and Query Explorer.
20. #FUELGOOD18
Protecting Your Data
• Potential risks could range from physical intrusions to hackers
to rogue employees to accidental loss.
• Risk Management Plans and risk mitigating steps such as
password protection, audit logs, and encryption can prevent
losses & ensure compliance.
• Don’t forget about physical security!
22. #FUELGOOD18
On-Premise Tools
• Encryption from Data at Rest to Data in Use to Data in Transit
• SQL Dynamic Data Masking to hide sensitive information by default.
• Device protection
• Bit Locker
• Password policies and strength requirements.
• Anti-virus, spam filter
• Network device
• Firewall: DDOS, Anti-virus detection, Certificate Inspection, Rules…etc
• VPN: Site to Site VPN, Client to Site VPN..etc
• Switches: VLAN, Port access control, RADIUS…etc
23. #FUELGOOD18
On-Premise Monitoring
• Monitoring and control over your network infrastructure, virtual machines, as well as
end-users’ computers and other devices.
• All data access permissions should be regularly checked and implemented using a
minimal access by default methodology.
• Create disaster recovery plan and regularly practice
24. #FUELGOOD18
Cloud Tools and Monitoring
Microsoft Azure Services: developed with Microsoft Secure Development Lifecycle, including
privacy-by-design & privacy-by-default methodologies.
Azure & related tools: comply with GDPR data protection requirements by providing ways to secure
personal data in rest and transit, detect and respond to data breaches, and facilitate security
measures.
Azure Security Center: prevents & detects threats with Security Health Monitoring & Security
Incident Response Management tools that monitor traffic, collect logs, and analyze data sources.
25. #FUELGOOD18
Cloud Tools and Monitoring
• Single Sign On and Two Forms Authentication
• Devices Removal practise
• All data access permissions should be regularly checked and implemented using
a minimal access by default methodology.
27. #FUELGOOD18
Record Keeping
Organizations keeping personal data will need to keep detailed records in order to be compliant &
keep records on:
• Reason for processing data
• Type of personal data processed
• Third parties with whom data is shared
• Personal data of countries involved & changes in their laws
• Organizational & technical security measures
• Data retention times applicable to various datasets
28. #FUELGOOD18
On-Premise
SQL Server Auditing
• Audit tables that contain personal information as well as database level logins, configuration changes and schema
changes.
• Targeted auditing can be a lot more effective and practical that auditing the entire database.
Access Auditing
• Audit system access
• Audit on users access
Documentations
• Inventory, data, users device, network devices, permissions
• Disaster Recovery Plan, procedure, update, and practice result.
29. #FUELGOOD18
Cloud
• Azure Active Directory logs detail sign-in activity and
application usage.
• Log Analytics can aggregate and analyze Windows
Event logs, IIS logs, and Syslogs.
• Azure Monitor helps track API calls in customers’
Azure resources.
• Azure Security Center helps collect and review
security logs across Azure applications and services.
• Azure Diagnostics provides access to Event logs for
Azure VMs.
• Azure Storage Analytics can trace data requests made
against Azure Storage.
31. #FUELGOOD18
THANK YOU!
James Reid - Wilkin Shum
jreid@sparkrock.com - wshum@sparkrock.com
All presentations will be made available after the conference