
Follow the data


Today’s WordPress environment generally means that several organisations manage either our data or the hardware and software that it relies upon.

Although we subcontract parts of our WordPress infrastructure, we remain accountable for the data processed by our websites.

This talk takes a look at a typical WordPress setup and follows the journey that a user’s data might take, along with some potential threats at each point on that journey.

It looks at what we can do to minimise the risk we take on by outsourcing the management of our infrastructure, the considerations we should make, and the questions we should be asking of our hosts.

Published in: Technology


  1. Follow the Data. Dave Potter, Mainplus Technology.
  2. 27th May 2018. Why me?
     ● Started in IT in 1977.
     ● Managed computer operations and technical support for a large proportion of that time.
  3. Caring for our users’ data
     ● It’s the right thing to do!
     ● We sub-contract responsibility but not accountability.
     ● Ensure suppliers will protect our data.
     ● GDPR and the UK equivalent:
     ● https://wordpress.tv/2017/11/12/heather-burns-designing-for-data-protection/
     ● https://wordpress.tv/2016/11/01/heather-burns-get-to-grips-with-gdpr/
     ● https://wordpress.tv/2017/11/11/claude-saulnier-4-steps-to-tackle-the-forthcoming-changes-in-data-privacy-law/
     ● Protection from viruses, WordPress security, security plugins:
     ● http://wordpress.tv/2016/08/09/tim-nash-security-is-everyones-responsibility/
  4. The user: “Hello Computer”
  5. The Datacentre
  6. Jurisdiction
     ● What legislative jurisdiction(s) apply?
     ● Where is/are the data centre(s) located?
     ● Who owns the infrastructure in the data centre?
     ● Who has control of who can access data?
     ● What is the policy and process if a government agency asks for access to data?
  7. Adequacy: recognised by the EU as providing adequate protection.
     ● Andorra
     ● Argentina
     ● Canada (commercial organisations)
     ● Faroe Islands
     ● Guernsey
     ● Israel
     ● Isle of Man
     ● Jersey
     ● New Zealand
     ● Switzerland
     ● Uruguay
     ● US (limited to the Privacy Shield framework)
  8. Privacy Shield
     ● Replaced Safe Harbour in July 2016.
     ● Allows companies to self-certify.
     ● As of today, over 2,739 companies certified by the U.S. Department of Commerce: https://www.privacyshield.gov/list
     ● On the commercial side, the WP29 called for details on the handling of HR data, automated decision-making and clarity on available recourse for data subjects.
     ● On the national security side, the WP29 “regrets” Presidential Policy Directive 28: surveillance activities need to safeguard personal information regardless of where the person resides, but this is still subject to Presidential privilege.
     ● European officials are unhappy about US stalling on promising not to force companies to hand over their data secretly to the intelligence services.
  9. Further reading:
     https://www.theguardian.com/technology/2015/sep/09/microsoft-court-case-hotmail-ireland-search-warrant
     http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-act-snoopers-charter-browsing-history-what-does-it-mean-a7436251.html
     https://www.independent.co.uk/news/world/americas/us-politics/us-department-of-justice-anti-donald-trump-activists-facebook-account-details-warrants-demands-a7973181.html
     https://www.computerworlduk.com/security/draft-investigatory-powers-bill-what-you-need-know-3629116/
  10. The Host
  11. Hosting
     ● Are free SSL certificates provided (“Let’s Encrypt”)?
     ● SFTP and SSH access?
     ● What backup facilities are provided?
     ● Where are they stored?
     ● “... shall not be responsible nor be liable for any loss, damage, costs or expenses or other claims howsoever arising for compensation for any data, file or other material being damaged, corrupted, lost or otherwise affected.”
     ● WP-CLI?
     ● WordCamps are a great place to find out information!
  12. Who Pulled the Plug? https://mediatemple.net/community/products/dv/204404134/faq:-i-received-a-notice-that-my-dv-server-has-been-temporarily-disabled.
     “FAQ: I received a notice that my DV server has been temporarily disabled. Greetings. If you are reading this, most likely you have received a notice regarding a spike in network activity on your (mt) Media Temple service. When network overuse is detected, our system will shut down your VPS (virtual private server) to curtail the overuse of resources. Please note: We want your service to be back online and functioning in a healthy manner ASAP. In this brief article, we will cover important information to help you understand and resolve any outstanding issues.”
  13. Ourselves
  14. Cloud Storage
     ● Where does encryption take place? At the server or at the origin?
     ● Who has access to encrypted data?
     ● What backup facilities are provided?
     ● Version recovery?
     ● Do they provide a DPA?
  15. Backups: “It’s a backup, Jim, but not as we know it!”
  16. Make a plan
  17. Market your plan
     ● Share your plan with your customers and visitors.
     ● Agree service levels.
     ● Use your plan and your ability to set SLAs as a selling tool.
  18. Let’s recap: Jurisdiction, Access to your data?, Free SSL certificates, SFTP and SSH access, WP-CLI, Encryption, Version recovery, Plans, Backups.
  19. If you know where your backups are when all about you
     Are losing theirs and blaming it on the host;
     If you can trust your recovery plan, when all doubt what to do,
     But make allowance for unexpected issues too;
     If you can be calm and communicate while recovering,
     Or being shouted at, have all the answers,
     Or being hassled, don’t give way to panicking,
     And yet don’t look too good, nor blame it on others;
     If you can talk with support and keep your pride,
     Or walk with techies - nor lose the common touch;
     If neither data loss nor recovery format can hurt you,
     If all customers count with you, but none too much;
     If you can fill the unforgiving minute
     With sixty seconds’ worth of data recovered,
     Yours is the Website and everything that’s in it,
     And - which is more - you’ll still be in business, my son!
     With apologies to Rudyard Kipling.
  20. Image attributions: Leo Lintang, ramcreative. Dave Potter, http://mainplus.co.uk, dave@mainplus.co.uk, @MainplusUK
