
GDPR- The Buck Stops Here

PASS Summit 2018 Slides
Presentation on GDPR in the Microsoft sphere.

Published in: Technology

  1. GDPR- The Buck Stops Here. Kellyn Pot’Vin-Gorman, DevOps Engineer and now Data Platform Architect in Power BI and AI at Microsoft
  2. Please silence cell phones
  3. Get involved: explore everything PASS has to offer. Free online webinar events, free 1-day local training events, local user groups around the world, online special interest user groups, business analytics training, free online resources and newsletters. PASS.org
  4. Session evaluations: your feedback is important and valuable. 3 ways to access: download the GuideBook App and search "PASS Summit 2018"; follow the QR code link displayed on session signage throughout the conference venue and in the program guide; or go to passSummit.com. Submit by 5pm Friday, November 16th to win prizes.
  5. Kellyn Pot’Vin-Gorman, Data Platform Architect at Microsoft, EDU Team. Former Technical Intelligence Manager, Delphix. /kellyngorman • @DBAKevlar • kellyngorman
     • Multi-platform DBA (Oracle, MSSQL, MySQL, Sybase, PostgreSQL, Informix…)
     • Oracle ACE Director (Alumni)
     • Oak Table Network Member
     • Idera ACE Alumni 2018
     • STEM education with Raspberry Pi and Python, including DevOxx4Kids, Oracle Education Foundation and TechGirls
     • Former President, Rocky Mtn Oracle User Group
     • Current President, Denver SQL Server User Group
     • Linux and DevOps author, instructor and presenter
     • Blogger (http://dbakevlar.com), Twitter: @DBAKevlar
  6. GDPR FAQs
     • GDPR (the General Data Protection Regulation) became enforceable on May 25, 2018, for every organisation, inside or outside the EU, that processes the personal data of people in the EU.
     • It doesn’t just cover websites.
     • It was adopted in April 2016 and entered into force on May 24, 2016; the two years until May 2018 were the transition period in which organisations were expected to become compliant.
     • Trivia: When did most of the EU start to panic about GDPR? When did most in the US start to panic about GDPR? What is the maximum fine for a violation of GDPR?
     Background reading (the Article 29 Working Party opinion on anonymisation techniques): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf
  7. The EU
     • With Brexit, the UK will be leaving the EU.
     • Who thought Norway WAS part of the EU? (It is not, but as an EEA member it applies GDPR anyway.)
     • Who isn’t surprised that Switzerland isn’t part of the EU?
     • What if citizens are traveling, staying abroad or online? GDPR’s scope is territorial rather than citizenship-based: Article 3 covers processing by organisations established in the EU, and processing by anyone else that offers goods or services to, or monitors the behaviour of, people who are in the EU, whatever their nationality.
  8. What is GDPR Data? Standard personal data: name, address, phone number. Identification numbers: national ID or social security numbers, IP addresses. Medical and financial information. Cookies, geo-tracking information.
  9. What is GDPR Critical Data?
     • Any personal data of a data subject in the EU, for example:
     • Name, address and/or phone number
     • Email address or URL
     • Banking details
     • Social security or national ID number
     • Medical information
     • IP address
     • Posts on social media
  10. Fines with GDPR Non-Compliance. Article 83 sets two tiers, and in each case it is the higher of the two figures: up to €10 million or 2% of worldwide annual turnover for the lower tier (obligations such as security measures, breach notification and processor duties), and up to €20 million or 4% of worldwide annual turnover for the upper tier (the basic principles, lawful basis, data subject rights and international transfers).
  11. What is the DBA’s Role in GDPR?
     • Legally, your organisation is the controller (or processor); operationally, you are the custodian and protector of the data.
     • You will be responsible for:
     • Identifying critical data.
     • Auditing, and a process to keep identifying critical data as it is copied and moved.
     • A formal process to update or remove critical data (rectification and erasure requests).
     • The ability to report on GDPR compliance.
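An added example, not from the slides, of the first two duties on that list, identification and a repeatable audit, as T-SQL a DBA could run against a SQL Server database. Everything in it is an assumption about the environment: the column-name patterns, the 1000-row sample size, and the dbo.Customers.SSN column used in the classification step are placeholders to replace with what the scan actually finds.

```sql
-- Added example (not from the slides). Inventory columns that probably hold
-- personal data in the current SQL Server database, then record the finding
-- as a classification label so it can be reported on later.
-- All names and patterns below are assumptions; adjust them to your schema.
SET NOCOUNT ON;

-- 1. Candidate columns by name. Cheap, but it only finds the obvious cases.
DECLARE @Patterns TABLE (Pattern sysname, Category varchar(40));
INSERT INTO @Patterns (Pattern, Category) VALUES
    ('%ssn%',       'National ID'),
    ('%social%',    'National ID'),
    ('%passport%',  'National ID'),
    ('%email%',     'Contact'),
    ('%phone%',     'Contact'),
    ('%address%',   'Contact'),
    ('%birth%',     'Personal'),
    ('%dob%',       'Personal'),
    ('%iban%',      'Financial'),
    ('%card%',      'Financial'),
    ('%ip_addr%',   'Online identifier'),
    ('%ipaddress%', 'Online identifier');

SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE, p.Category
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES  AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME AND t.TABLE_TYPE = 'BASE TABLE'
JOIN @Patterns AS p ON c.COLUMN_NAME LIKE p.Pattern
ORDER BY c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME;

-- 2. Content sampling: look inside every string column, including the ones
--    with harmless names ("Notes", "Comment", "Data"), for SSN-shaped and
--    e-mail-shaped values. TOP (1000) keeps it cheap enough for production.
DECLARE @Results TABLE (SchemaName sysname, TableName sysname, ColumnName sysname,
                        Kind varchar(20), Hits int);
DECLARE @schema sysname, @table sysname, @column sysname,
        @sample nvarchar(max), @sql nvarchar(max), @hits int;

DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES  AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME AND t.TABLE_TYPE = 'BASE TABLE'
    WHERE c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar');

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sample = N'(SELECT TOP (1000) ' + QUOTENAME(@column) + N' AS v FROM '
                + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N') AS s';

    -- ###-##-#### anywhere in the value
    SET @sql = N'SELECT @hits = COUNT(*) FROM ' + @sample
             + N' WHERE v LIKE ''%[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]%''';
    EXEC sp_executesql @sql, N'@hits int OUTPUT', @hits = @hits OUTPUT;
    IF @hits > 0 INSERT INTO @Results VALUES (@schema, @table, @column, 'SSN-shaped', @hits);

    -- something@something.tld
    SET @sql = N'SELECT @hits = COUNT(*) FROM ' + @sample
             + N' WHERE v LIKE ''%_@_%.__%''';
    EXEC sp_executesql @sql, N'@hits int OUTPUT', @hits = @hits OUTPUT;
    IF @hits > 0 INSERT INTO @Results VALUES (@schema, @table, @column, 'Email-shaped', @hits);

    FETCH NEXT FROM col_cur INTO @schema, @table, @column;
END
CLOSE col_cur;
DEALLOCATE col_cur;

SELECT SchemaName, TableName, ColumnName, Kind, Hits
FROM @Results ORDER BY Hits DESC;

-- 3. Record the finding where SSMS's Data Discovery & Classification (17.5+)
--    and your own reporting queries can see it: an extended property on the
--    column. dbo.Customers.SSN is a placeholder for a column step 1 or 2 flagged.
EXEC sp_addextendedproperty
    @name = N'sys_sensitivity_label_name', @value = N'Confidential - GDPR',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'Customers',
    @level2type = N'COLUMN', @level2name = N'SSN';

-- Compliance report: every column carrying a sensitivity label
SELECT OBJECT_SCHEMA_NAME(ep.major_id) AS SchemaName, OBJECT_NAME(ep.major_id) AS TableName,
       c.name AS ColumnName, ep.value AS Label
FROM sys.extended_properties AS ep
JOIN sys.columns AS c ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
WHERE ep.name = N'sys_sensitivity_label_name';
```

Schedule steps 1 and 2 and diff the output between runs; a new hit is exactly the "copy made from a secure system" that the closing slides warn about. Step 3 uses the extended-property names SSMS writes on SQL Server 2017 and earlier; SQL Server 2019 adds the ADD SENSITIVITY CLASSIFICATION statement and the sys.sensitivity_classifications view for the same purpose.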
  12. How Are We Doing?
  13. GDPR Responsibility. Although the regulation is quite detailed, the core test is simple: processing is lawful only if at least one of the following bases (Article 6(1)) applies:
     • The data subject has given consent to the processing of his or her personal data;
     • The processing is necessary for a contract with the individual, or for steps taken at the request of a data subject who is about to enter into a contract;
     • It is necessary to comply with a legal obligation of the data controller;
     • It is necessary to protect the vital interests of the data subject or another individual;
     • It is necessary for a task carried out in the public interest or in the exercise of official authority;
     • It is necessary for the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests, rights or freedoms of the data subject under the Charter of Fundamental Rights (especially in the case of children).
  14. “There is a general lack of agreement about what exactly GDPR compliance is…” Graham Dufault, Senior Director for Public Policy, ACT | The App Association.
  15. Responsibility. Companies must provide REASONABLE levels of data protection (the regulation’s own wording, in Article 32, is measures “appropriate” to the risk). What does this mean?
  16. Claudette Meets GDPR Project
     • Used an AI tool (Claudette) in June 2018 to assess automatically whether the privacy policies of 14 companies were compliant with GDPR.
     • The companies (including Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking, Skyscanner, Netflix, Steam and Epic Games) were chosen as the most used services in a selection of sectors, and as the ones that should be good examples.
     • Claudette expected a compliant policy to contain all the information GDPR requires and to be comprehensible to anyone reading it.
     • A gold standard was devised, a model that Claudette used for the assessment.
     • All fourteen companies failed the assessment.
     https://www.beuc.eu/publications/beuc-x-2018-065_faq_-_artificial_intelligence_meets_gdpr.pdf
  17. Claudette Lessons Learned
     • None of the companies provided all the information required by GDPR.
     • The way data is actually processed is continually at odds with how GDPR assumes it is processed.
     • A banner agreement on a website does not by itself constitute GDPR consent to the site’s privacy policy (which we’ll cover more later on).
     • Due to the complex wording of, and missing information in, the policies, it is almost impossible for any user to know what they have agreed to regarding their data privacy where GDPR is concerned.
     https://www.beuc.eu/publications/beuc-x-2018-065_faq_-_artificial_intelligence_meets_gdpr.pdf
  18. Introduction to Claudette: http://www.claudette.eu/gdpr/
  19. The Conundrum
     • Companies are already strapped with standard regulatory requirements and security issues, due to demands from SOX, HIPAA and PII-protection rules.
     • GDPR has raised the profile of data privacy and cybersecurity to a buzzword at the C-level.
     • The rise of the Chief Security Officer (CSO) has begun.
     • By the May 2018 deadline, GDPR readiness was estimated at an $8 billion investment.
  20. This is a Technical Overview of Handling GDPR. So what can you do with GDPR to cover your ass(ets)?
  21. Microsoft Takes it Seriously: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted
  22. Security
  23. Adopt a Cybersecurity and Privacy Framework
     • Use a common, recognised framework whose controls are mapped to GDPR’s requirements for your policies and procedures.
     • Have buy-in from the entire IT department and the business owner.
     • Well-documented policies, with clear and concise terminology for what is covered.
     • As enhancements or new features are added, ensure that the documentation is kept up to date.
  24. Cyber Security Tools: www.microsoft.com/sir (the Microsoft Security Intelligence Report)
  25. Third Party Vendors
     • Third party vendors must take appropriate steps to be GDPR compliant for:
     • Data residing in their systems.
     • Data in transit.
     • Data shared with their own third parties or partners.
     • The controller that collected the data remains accountable for it even while a vendor (processor) holds it; the processor has its own obligations under Article 28, but that does not transfer the controller’s liability. Securing vendor access is therefore as important as securing your own systems.
     • Have a full contract (a data processing agreement, which Article 28 requires) stating what is covered by the GDPR obligations.
  26. Multi-factor authentication. Build it into EVERYTHING. Consider incorporating secondary authentication on smartphones using smart unlock and fingerprint or face scans.
  27. Applications and Websites
  28. Having a Sign-off Agreement Isn’t Enough
     • Many sites have GDPR agreements on their web portal or site.
     • This is simply an agreement that says the customer knows the site collects personally identifying data. This is not GDPR compliance.
     At the web tier, you must:
     • Know what data is cached or stored at the web tier.
     • Have a process to audit it and remove it if the user requests erasure.
     • Have a way to track all of these procedures.
  29. Data Mapping. Diagrams must map where data is located and where it flows inside every data system in the company.
  30. Client Applications
     • Identify where data is stored: flat files, including workstation copies in MS Access, Excel and even Notepad.
     • Consider adding encryption at the application and host level.
     • Purge the system of unnecessary copies that could result in a breach.
     • Build audit procedures into transactional applications that will track GDPR data.
  31. Analytics
     • To enhance performance and ease visuals, analytics tools keep localized datasets.
     • A tabular data model on an Analysis Services server is still data stored outside the source database.
     • Know that the datasets found in analytics tools (like Power BI) may come from relational databases, Access, Excel and CSV files.
     • Ease of access results in complex auditing of analytics systems.
  32. How Will You Accomplish This?
  33. Form a GDPR Team
     • Business User
     • Application Support
     • System Administrator
     • Database Administrator
     • Project Manager
  34. How to Take on a GDPR Project
     • Identify the areas under GDPR.
     • Create an outline of what data must be protected.
     • Design processes and procedures to identify critical data.
     • Use third party tools and features for auditing and mature tracking of GDPR data.
     • All team members MUST understand the importance of GDPR.
  35. Data Vulnerabilities
     • Data cached at the application level and available to users.
     • Flat files that feed or back the data, and encryption keys kept in files that can themselves be exposed.
     • Analytics data and tabular models that may store critical data.
     • Backups, and data retained for records.
  36. Categorizing Environments. All environments are not created equal.
     • Hold applications and analytics stores to the same requirements as the database when the data is stored within them.
     • Don’t implement the same solutions for development, test and QA/unit testing as for staging and production.
  37. Confidential Data Exposure (diagram contrasting production with non-production)
  38. Encryption of Data- Production
     • Obfuscates data with the use of encryption keys.
     • Without the appropriate key and/or password, the data is useless.
     • Limits risk if data is taken out of the database, even by someone with access at the host level, because the files are still encrypted.
     • Beneficial when data is accessible from public networks or websites.
     • Does not replace security procedures at the host and application level: anyone who can log in with a permitted account still reads plaintext.
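The at-rest encryption that slide describes, as an added T-SQL example (not from the slides) using SQL Server’s Transparent Data Encryption. The database name GdprDemo, the certificate name TdeCert, the file paths and the passphrases are placeholders; TDE needs Enterprise edition on SQL Server 2017 and earlier (Standard edition from SQL Server 2019).

```sql
-- Added example (not from the slides): Transparent Data Encryption for one
-- database. Data files, log files, backups and tempdb become unreadable
-- without the certificate. GdprDemo, TdeCert, paths and passphrases are
-- placeholders.
USE master;
GO
-- Database master key in master, protected by a password (store the password
-- in your secrets vault, not in a script checked into source control).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'use-a-long-random-passphrase-here';
GO
-- Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for GdprDemo';
GO
-- Back the certificate and its private key up to storage OUTSIDE this server
-- (slide 47: keys do not live with the database). Without this backup, the
-- database and every backup taken after encryption cannot be restored anywhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\secure-offbox\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\secure-offbox\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'another-long-random-passphrase');
GO
USE GdprDemo;
GO
-- Per-database key, itself encrypted by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE GdprDemo SET ENCRYPTION ON;
GO
-- Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(dek.database_id) AS db, dek.encryption_state, dek.percent_complete,
       dek.key_algorithm, dek.key_length, d.is_encrypted
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id
WHERE dek.database_id = DB_ID('GdprDemo');
```

TDE delivers exactly the points on the slide and no more: a stolen .mdf, .bak or disk image is useless without TdeCert, but any principal that can log in and SELECT sees plaintext, so it does nothing against a compromised application account or a DBA reading the table. Column-level protection where the keys stay with the client (Always Encrypted, with the column master key held in Azure Key Vault) is the complement, and is what slide 47’s "use Azure Key Vault" points at for key storage.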
  39. Dynamic Data Masking- True Masking?
     • Excellent for protecting against casual exposure “above the covers”: result sets returned to users who should not see the whole value.
     • Much less acceptable against breaches or a commandeered data environment, because the stored value is untouched and the mask is applied only when results are returned.
     Don’t rely on this solution for enterprise data protection of critical, GDPR-regulated data.
  40. Dynamic Architecture: https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-2017 (diagram: a stored value 432-22-9874 is returned as 432-XX-XXXX; roles Teachers and Admissions; masking functions and masking policies)
  41. Irreversible Masking of Data and Masking of Non-Prod
     • Is different (PII, HIPAA, PCI, etc.), as it renders the information useless from an attacker’s standpoint, even if a full copy of the database is breached.
     • Resolves both the technical and the personal responsibility issue.
     • The data can be masked before it moves to non-production, removing the risk.
     • As discussed, 80% of data on average is non-production.
     • Requires a robust discovery and identification process.
     • Masks all data, and if the tool also handles strings in data stores and flat files, that is a bonus!
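The difference between the two kinds of masking on the slides above, as an added T-SQL example for SQL Server (not from the slides; the dbo.Students table, the Admissions user and the two rows are constructed for the example). It shows the dynamic mask, the ad-hoc query that defeats it, and the irreversible rewrite a non-production refresh should apply instead.

```sql
-- Added example (not from the slides). Constructed table and rows.
CREATE TABLE dbo.Students (
    StudentId int IDENTITY(1,1) PRIMARY KEY,
    FullName  nvarchar(100) NOT NULL,
    SSN       char(11)      NOT NULL,
    Email     nvarchar(200) NOT NULL,
    Salary    money         NULL
);
INSERT INTO dbo.Students (FullName, SSN, Email, Salary) VALUES
    (N'Ada Example', '432-22-9874', N'ada@example.org', 52000),
    (N'Bob Sample',  '123-45-6789', N'bob@example.org', 61000);

-- 1. Dynamic data masking. The stored bytes do not change; the mask is applied
--    to the result set for principals that lack the UNMASK permission.
ALTER TABLE dbo.Students ALTER COLUMN SSN    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
ALTER TABLE dbo.Students ALTER COLUMN Email  ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Students ALTER COLUMN Salary ADD MASKED WITH (FUNCTION = 'default()');

CREATE USER Admissions WITHOUT LOGIN;        -- the unprivileged role from slide 40
GRANT SELECT ON dbo.Students TO Admissions;

EXECUTE AS USER = 'Admissions';
SELECT FullName, SSN, Email, Salary FROM dbo.Students;
-- SSN reads XXX-XX-9874, Email aXXX@XXXX.com, Salary 0.00

-- 2. Why this is not "true masking": predicates are evaluated against the real
--    values, so anyone who can issue ad-hoc queries recovers a value by searching.
SELECT FullName FROM dbo.Students WHERE SSN LIKE '432-22-98%';            -- Ada Example
SELECT FullName FROM dbo.Students WHERE Salary BETWEEN 60000 AND 62000;   -- Bob Sample
REVERT;

-- 3. Irreversible masking for a non-production copy: rewrite the values.
--    Hashing with a salt generated for this refresh and then discarded keeps one
--    real SSN mapping to one fake SSN (joins and test cases still line up) while
--    the real value cannot be derived from the copy. Run this on the COPY, as a
--    privileged user, never on production.
DECLARE @Salt varbinary(32) = CRYPT_GEN_RANDOM(32);

UPDATE s
SET SSN      = '900-' + RIGHT('00'   + CAST(h.n / 10000 AS varchar(2)), 2)
                      + '-' + RIGHT('0000' + CAST(h.n % 10000 AS varchar(4)), 4),
    FullName = N'Student ' + CAST(s.StudentId AS nvarchar(10)),
    Email    = N'student'  + CAST(s.StudentId AS nvarchar(10)) + N'@example.invalid',
    Salary   = ROUND(s.Salary / 5000, 0) * 5000      -- keep the distribution, drop the precision
FROM dbo.Students AS s
CROSS APPLY (
    -- first 7 bytes of SHA-256(salt || ssn) as a non-negative number in 0..999999
    SELECT CAST(SUBSTRING(HASHBYTES('SHA2_256', @Salt + CAST(s.SSN AS varbinary(11))), 1, 7) AS bigint)
           % 1000000 AS n
) AS h;

-- Check: no original values survive. The 900- prefix marks the SSN as synthetic
-- (the SSA does not issue numbers beginning with 9).
SELECT FullName, SSN, Email, Salary FROM dbo.Students;
```

Step 2 is the documented limitation of dynamic data masking, which Microsoft’s own page describes as a way to limit exposure, not to stop a user with query access from inferring the data. Note also what does and does not get masked on the way out: a SELECT INTO run by the Admissions user writes the masked values, but a backup/restore or a bcp run by an administrator carries the real values into non-production, which is why step 3 has to be part of the refresh rather than something the mask is trusted to do.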
  42. Irreversible Masking Products: https://www.trustradius.com/data-masking-software
  43. Demo
  44. Data Virtualization, On-Prem with Masking (diagram: an 8 TB source database feeds a masking engine, which serves the application server and file server)
  45. Confidential Data with Masking (diagram: exposure in production vs. non-production, with encryption and a masking solution applied)
  46. The Kitchen Sink
  47. Don’t Store These in the Database
     • Encryption keys
     • License keys
     • Environment passwords and directories
     • AND database passwords
     Passwords should never be in clear text… ever, and that includes connection strings in config files and scripts. Use Azure Key Vault.
  48. Blockchain is Cool! Not so much for GDPR. Blockchain is:
     • An immutable digital ledger
     • Stored in blocks
     • Added to the chain once verified
     • Decentralized
     Immutability and decentralization make GDPR procedures, above all rectification and erasure requests (Articles 16 and 17), very difficult.
  49. Blockchain Requires Unique Procedures (diagram: a chain of blocks)
  50. The Future with Data Protection
     • Eleven other US states will have similar data protection and breach notification laws in front of voters this election.
     • There is an added complexity in that it is state-driven rather than federal (unlike the EU’s single regulation).
     • In July 2018, Senator Mark Warner released a position paper that is gaining a lot of attention and encompasses the major areas of GDPR.
     • New companies will make it their business to audit companies, collect fines and profit from a share of the money under agreements with the EU.
     • Google’s “Framework for Responsible Data Protection Regulation” was released in September, a month before the Google+ breach that exposed around 500K accounts. More companies are expected to follow suit.
  51. Half GDPR Compliance Doesn’t Make You Compliant
     • A GDPR security team is a must for any company.
     • Identification of all GDPR data is essential.
     • Business users must understand the importance of GDPR.
     • Most GDPR violations will turn out to be unintentional: users making copies from secure systems.
     • Analytics environments and blockchain create complex challenges for GDPR.
     • Work to combine other security projects and frameworks (CCPA, SOX, HIPAA, etc.) into one with GDPR to create efficiency.
  52. Data is Central to GDPR
     • Identify
     • Secure
     • Audit
     • Track
     • Remove
     Databases are not the only place data resides: big data, analytics tools and the application tier hold it too.
  53. Summary
     • Invest in policies that make sense and can grow with the organization.
     • Dedicate resources to GDPR, but combine them with other security groups when possible.
     • Incorporate cybersecurity as the first line of defense.
     • Not all data obfuscation is the same.
     • Don’t treat all environments the same.
     • Data doesn’t just reside in the database.
  54. Thank You. Learn more from Kellyn Pot’Vin-Gorman, @DBAKevlar, kegorman@Microsoft.com
