A joint webinar between Contino and Delphix explaining how DevOps, Cloud and Data Virtualization can be used to accelerate application delivery, yet still allow organisations to remain GDPR compliant.
DevOps vs GDPR: How to Comply and Stay Agile
1. WELCOME TO TODAY'S PRESENTATION
DevOps vs GDPR: How to Comply and Stay Agile
A Joint Webinar between Contino & Delphix
2. Today's Speakers
Adam Bowen, Delphix Strategic Advisor, Office of the CTO
Ben Saunders, Contino Client Principal
Ilker Taskaya, Delphix Senior Solution Engineer
Ian Morgan, Contino Technology Strategist
3. Your organisation can’t ignore regulation…
Many organisations have been in denial about digital disruption. However, the onset of regulatory compliance is a disruption they can’t afford to ignore. If you think your organisation has its head in the sand, or has put on the noise-cancelling headphones, then now is the time to act, with GDPR deadlines fast approaching.
“Has the legislation been passed yet?”
“This isn’t really happening, is it?... breathe in... breathe out”
“We don’t need to worry about these Challenger Banks… errrrr, what was that? The EU are banging on our door?”
What is GDPR and how could it affect your organisation?
4. General Data Protection Regulation (GDPR)... In Layman's Terms
With GDPR, EU legislation is changing the ways in which organisations handle, distribute and utilize sensitive customer data.
The intention is to align each European Union (EU) member state to a single set of rules and regulations.
When this legislation comes to fruition, all organisations that process personally identifiable information (PII) of EU residents must adhere to a number of provisions and standards.
In the event that organisations fail to adhere to these standards, there is a likelihood that they will face significant fines or penalties.
There is no opting out: every organisation must comply!
So what are the implications of GDPR?
2%: The amount of Global Turnover organisations will be fined if they fail to comply with GDPR at the first time of audit.
4%: The amount of Global Turnover organisations will be fined if they fail to comply with GDPR at the second time of audit.
Organisations will be given time to remediate their data deficiencies once identified by the regulators. However, organisations should be more proactive about how they are going to handle this change and explore ways in which they can combine data agility, compliance and automation as a catalyst for business growth.
5. GDPR Principles - The Data Controller
The Data Controller is responsible for demonstrating the principles outlined below. It is also the responsibility of the Data Controller to secure the same assurances from external data processors with whom they contract.
Enterprises must be clear on what each of the principles means for them. Given the broad interpretation of terms (like “processing”), a large amount of ambiguity still exists.
1. Personal data must be processed lawfully, fairly and transparently.
2. Personal data can only be collected for specified, explicit and legitimate purposes.
3. Personal data must be adequate, relevant and limited to what is necessary for processing.
4. Personal data must be accurate and kept up to date.
5. Personal data must be kept in a form such that the data subject can be identified for as long as necessary for processing.
6. Personal data must be processed in a manner that ensures its security.
6. GDPR – Data Challenges
There are a number of specific data challenges under the GDPR Regulation that Enterprises need to internalize into their practice. A number of high-impact considerations are detailed below:
Data Breaches: GDPR mandates that both the supervisory authority and the data subject themselves be notified of any breach.
Data Protection by Design & by default: The notion of building privacy or data protection measures into applications or processes is not new. The regulation, however, makes this mandatory in Article 26.
Data Portability: Under Article 20 of the Regulation, data subjects can request a copy of personal data held on them, and can also request that this information is transmitted to another data controller. The Regulation doesn’t stipulate precisely how this information has to be presented or the format it has to be in.
Data Encryption: Given the extent to which encryption could mitigate the impacts of a data breach, enterprises should extend encryption to cover all of the data, processing and storage processes.
7. GDPR – Data Challenges
We will be focussing on portions of this regulation today.
8. GDPR - A Ticking Time Bomb for Global Organisations
WHO IS AFFECTED?
Organisations who do business in the EU.
Organisations who have customers in the EU.
Organisations that trade with other entities in the EU.
RIGHT TO OPT OUT
The right to opt out, or the “right to be forgotten”, enables individuals to request that their data is removed from an organization's system/s of record, where there is no longer a legitimate reason for their data to be held.
DATA BREACH & REGULATION
If a data breach occurs, then organisations must notify their data protection authority within 72 hours.
Audits of organisations' control processes around the end-to-end data supply chain must be executed, to ensure they are fit for purpose.
WHAT ARE THE PENALTIES?
First Audit Failings - 2% GTO
Second Audit Failings - 4% GTO
From there on it will only get worse!
PRIVACY BY DESIGN
GDPR stipulates that systems and processes must be designed in a way that data compliance standards are followed and adhered to.
9. Privacy by Design - DevOps vs GDPR
The Constraint: RIGHT TO OPT OUT
The right to opt out, or the “right to be forgotten”, enables individuals to request that their data is removed from an organization's system/s of record, where there is no longer a legitimate reason for their data to be held.
The Constraint: PRIVACY BY DESIGN
GDPR stipulates that systems and processes must be designed in a way that data compliance standards are followed and adhered to.
The Solution: DEVOPS & DATA AGILITY TO TACKLE COMPLIANCE
Contino - Continuum
Delphix - Data Masking
AWS - Cloud Environments
Customers have the right to withdraw their consent from allowing organisations to utilise their personal data for the execution of application testing. As a result, organisations must explore ways in which they can adhere to GDPR compliance but still provision high quality test data at velocity. The premise of Accountable Empowerment must be adhered to by organisations to ensure they can track who did what and when they did it across their delivery pipeline; this can be achieved through integrated DevOps tooling and processes.
End to End Accountable Empowerment - Obfuscation, Control & Visibility: Who, What, When, Where?
10. Just to add more pressure…. You can’t get away from BAU
“We need new functionality delivered in our customer facing web-app…. oh and we need it tomorrow!”
“Damn it. How are we going to release an environment so we can test this feature?!”
“What do you mean it is going to take us 10 days to load data into the environment?!”
“Hang on, what do you mean the data is loaded... but someone has deployed the wrong config?!”
“What? I have already raised an RFQ with your team... What do you mean it has expired!?”
11. We are teaming up to help customers address these pains...
Based on the challenges that regulation brings to our joint customers, in addition to the more traditional BAU delivery bottlenecks, Contino and Delphix are applying our DevOps expertise, compliance know-how and technical wizardry to help customers accelerate their application delivery whilst controlling cost and remaining compliant.
How are we doing this, I hear you say?
12. Accountable Empowerment - DevOps vs GDPR
Continuum is a Continuous Delivery pipeline tool chain which integrates both open source and enterprise grade tools to enable the creation of a secure application delivery pipeline in AWS. In order to assist with the provisioning of production-like test data, Continuum integrates with Delphix to leverage its data virtualization and data masking capabilities so that we can provision production grade environments consistently, whilst complying with GDPR legislation. With DevOps & Data Agility, we enable Accountable Empowerment.
Continuum is a platform we deploy within weeks:
• Full infrastructure as code
• Multi region, multi availability zone deployments
• Microservice / containerised deployments targeting Kubernetes
• Continuous integration & continuous delivery toolchain
Data Masking: The most advanced data security solution available.
Cloud Migration: Achieve value from cloud projects faster.
DevOps: Complete the DevOps stack with self-service data.
13. DevOps & Data Agility - Future Proof for GDPR
Leading digital companies are operating under a DevOps operating model – ‘You Build It, You Run It.’ Fortunately, these practices are now also viable for large established enterprises in regulated industries, as the tools, practices and approaches are proven.
DevOps teams operate in a more cross-functional way and have more control of their stack federated to them; their use of automation tooling will lead to more tightly controlled and audited environments and increased levels of quality, resilience and compliance within a GDPR context. MASK ONCE AND DEPLOY ANYWHERE, CONSISTENTLY AND SECURELY.
Pipeline stages: Build, Unit Test, Integration Test, Dev Deploy, Test Deploy, Prod Deploy.
Continuous Integration or release automation tooling implements role based access control, whilst data can be made available across development environments.
Infrastructure, middleware and application deployments are repeatable using infrastructure as code playbooks, with the capacity to populate environments with obfuscated data volumes at a fraction of the production scale with Delphix.
Automated approval and deployment gates are incorporated into the pipeline here.
Incorporate Compliant Data Agility Mechanisms with Delphix at multiple stages of the SDLC.
“Real” data copies are extracted from production systems, obfuscated and stored in a staging area for environment loads, either through self-service test data or predefined automation recipes/playbooks.
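“Mask once and deploy anywhere, consistently” only works if masking is deterministic and keeps the relationships between tables intact: the same real value must always produce the same masked value, and a foreign key in one table must still find its row in another after both have been masked. The Python below is an added example for this page, not Delphix's masking engine or any code from the webinar. It goes beyond the slide by showing the mechanism: a keyed pseudorandom function (HMAC-SHA256) drives every substitution, so the staged, obfuscated dataset can be loaded into DEV, TEST and STAGE and still join. The key, name pools, customers and orders are all constructed sample values.

```python
"""Deterministic, keyed masking of PII so that a dataset masked once can be
deployed to every non-production environment and still join correctly.
Added example for this page; it is not Delphix's masking implementation.
Every customer and order record below is constructed sample data."""
import hashlib
import hmac

# Constructed secret. In a real pipeline this key lives in a secrets manager
# on the masking host and never reaches dev/test, so masked values cannot be
# reversed or re-identified from the non-production side.
MASKING_KEY = b"example-masking-key-do-not-use"

# Substitute name pools (constructed) so masked records still look realistic.
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Taylor", "Morgan", "Casey", "Riley", "Jamie"]
LAST_NAMES = ["Smith", "Jones", "Brown", "Wilson", "Evans", "Thomas", "Roberts", "Walker"]


def _prf(field: str, value: str) -> bytes:
    """Keyed pseudorandom function (HMAC-SHA256) over the column name and value.
    Binding the column name means the same string in two different columns
    masks differently, while repeats within a column always mask the same way."""
    return hmac.new(MASKING_KEY, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def mask_name(field: str, value: str, pool: list) -> str:
    """Swap a real name for a substitute chosen deterministically from the pool."""
    return pool[int.from_bytes(_prf(field, value)[:4], "big") % len(pool)]


def mask_email(value: str) -> str:
    """Keep the local@domain shape but replace both parts: the local part
    becomes an opaque token and the domain a reserved, non-routable one."""
    token = _prf("email", value.strip().lower()).hex()[:12]
    return f"{token}@example.invalid"


def mask_customer_id(value: int) -> int:
    """Pseudonymise the primary key; the same input always yields the same
    output, so foreign keys in other tables keep joining after masking."""
    return int.from_bytes(_prf("customer_id", str(value))[:4], "big")


def mask_dataset(customers: list, orders: list) -> tuple:
    """Mask the customer table and rewrite the foreign keys in the order table."""
    masked_customers = [
        {
            "customer_id": mask_customer_id(c["customer_id"]),
            "first_name": mask_name("first_name", c["first_name"], FIRST_NAMES),
            "last_name": mask_name("last_name", c["last_name"], LAST_NAMES),
            "email": mask_email(c["email"]),
        }
        for c in customers
    ]
    masked_orders = [dict(o, customer_id=mask_customer_id(o["customer_id"])) for o in orders]
    return masked_customers, masked_orders


def referential_integrity_ok(customers: list, orders: list) -> bool:
    """Every order must still point at a customer that exists."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


def source_values_survive(masked_customers: list, customers: list) -> bool:
    """Simple leak check: does any original e-mail or full name appear unchanged?"""
    originals = {c["email"].lower() for c in customers}
    originals |= {f'{c["first_name"]} {c["last_name"]}' for c in customers}
    return any(
        m["email"].lower() in originals or f'{m["first_name"]} {m["last_name"]}' in originals
        for m in masked_customers
    )


# Constructed production extract: three customers and their orders.
CUSTOMERS = [
    {"customer_id": 1001, "first_name": "Ada", "last_name": "Lovelace", "email": "ada.lovelace@example.com"},
    {"customer_id": 1002, "first_name": "Grace", "last_name": "Hopper", "email": "grace.hopper@example.com"},
    {"customer_id": 1003, "first_name": "Alan", "last_name": "Turing", "email": "alan.turing@example.com"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "total": 19.99},
    {"order_id": 2, "customer_id": 1001, "total": 5.00},
    {"order_id": 3, "customer_id": 1003, "total": 42.00},
]

if __name__ == "__main__":
    masked_customers, masked_orders = mask_dataset(CUSTOMERS, ORDERS)
    for row in masked_customers:
        print(row)
    print("joins intact:", referential_integrity_ok(masked_customers, masked_orders))
    print("source PII survives:", source_values_survive(masked_customers, CUSTOMERS))
```

Two design points matter for the compliance story on this slide. The HMAC is keyed, so the masked dataset on its own does not let a tester walk back to a real person; the key is the one secret the masking host must protect. And because every run with the same key produces the same output, a later incremental refresh of the staging area masks new production rows consistently with the rows already loaded, which is what lets one masked copy serve every environment.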
14. Privacy by Design - DevOps vs GDPR
CONTINUOUS DELIVERY PIPELINE
DevOps Delivery Pipeline - Application, Data & Environment Alignment
Phases: Planning, Requirements & Analysis; Design & Development; Repositories & Management; Integration & Test; Implementation & Deployment.
1. Developer accepts a defect, incident or requirement.
2. Developer pulls source code from repository.
3. Developer pulls dependencies from the binary repository.
4. Source code changes are made in the local IDE. Run local code analytics.
5. Developer requests peer review approval or automated acceptance.
6. Source code commits are pushed to central SCM/VCS.
7. Developer accepts the status of the defect, incident or requirement.
8. The build server detects changes in the VCS, pulls code and initiates a build. A successful compilation triggers automated tests.
9. The build server uses the build automation tools to push the generated artifacts and deployables to the binary repository.
10. Once the changes pass automated tests, they are assessed for quality through SonarQube checks.
Tooling: Defects, Incidents & Requirements; IDE; Version Control; Dependency Management; Binary Repository; CI Server; Build Automation; Code Quality.
Product Team / Squad work across the delivery pipeline, developing, orchestrating & testing, where required through automation and the mantra of ACCOUNTABLE EMPOWERMENT.
Dependencies are pulled from the binary repository.
The deployment tools pull the artifacts and propagate them through the deployment environments across ST, SIT and Pre-Prod.
Continuous Delivery tools are used to orchestrate and manage the various parts of the delivery pipeline.
Environment management tools are used to provision environments and test data, under version control.
Quality Assurance tools are used to smoke test and secure the environment.
Environment Build - ST-SIT
We can create a coherent Privacy by Design, GDPR compliant DevOps pipeline that ensures people have access to the right tooling to do their jobs, whilst ensuring the correct governance/compliance controls exist to enable secure access to customer data.
15. Data Management Today
[Figure: PRODUCTION (storage, RDBMS, app: 1 TB of storage) versus NON-PRODUCTION DEV, TEST and STAGE, each with its own storage, RDBMS and app (3 TB of storage in total, weeks to provision/refresh). Data is copied and moved from production into each non-production environment.]
16. How It Works
STEP 1: Capture application data: one-time copy of prod.
[Figure: source (storage 1 TB, RDBMS, app) captured by the DELPHIX VIRTUAL MACHINE, which installs on any supported hypervisor and uses any storage; Delphix storage < 1 TB (0.3 TB).]
17. How It Works
STEP 2: Continuously record unique, incremental changes.
[Figure: source (storage 1 TB, RDBMS, app) with changes recorded at March 21 06:11am, March 22 12:43pm and March 22 08:41pm; Delphix storage < 1 TB (0.3 TB).]
18. How It Works
STEP 3: Share data blocks instead of duplicating data.
[Figure: DEV, TEST, STAGE, … environments (each with RDBMS and app) provisioned from the shared blocks; source storage 1 TB, Delphix storage < 1 TB (0.3 TB).]
19. How It Works
[Figure: as on the previous slide, DEV, TEST, STAGE, … environments sharing data blocks; source storage 1 TB, Delphix storage < 1 TB (0.3 TB).]
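The three steps above (one-time capture, incremental recording, block sharing) are what let many environments run from storage close to the size of the changed data rather than a full copy each. The Python below is an added example for this page, not Delphix's implementation and not code from the webinar: a toy content-addressed block store with copy-on-write virtual copies. It walks a constructed 32-byte “database” through the three steps and compares the storage consumed with the copy-and-move approach of the Data Management Today slide. The block size, record contents and snapshot labels (borrowed from the slide's timestamps) are all constructed.

```python
"""Toy model of the three "How It Works" steps: a one-time capture of the
source, incremental snapshots that store only changed blocks, and virtual
copies for DEV/TEST/STAGE that share blocks and copy on write. Added example
for this page to show why storage tracks the changed data rather than the
number of copies; it is not Delphix's implementation. Block contents are
constructed."""
import hashlib

BLOCK_SIZE = 4  # bytes per block, deliberately tiny so the walk-through is readable


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class VirtualizationEngine:
    """Content-addressed block store plus block maps for snapshots and copies."""

    def __init__(self):
        self.blocks = {}          # sha256 hex -> block bytes, each stored once
        self.snapshots = {}       # label -> list of block keys (Steps 1 and 2)
        self.virtual_copies = {}  # env name -> list of block keys (Step 3)

    def _put(self, block: bytes) -> str:
        key = hashlib.sha256(block).hexdigest()
        self.blocks.setdefault(key, block)
        return key

    def capture(self, label: str, source: bytes) -> int:
        """Step 1 (first call) / Step 2 (later calls): record the source state.
        Returns how many blocks were new, i.e. the incremental cost."""
        before = len(self.blocks)
        self.snapshots[label] = [self._put(b) for b in split_blocks(source)]
        return len(self.blocks) - before

    def provision(self, env: str, label: str) -> None:
        """Step 3: a virtual copy is only a new block map over existing blocks."""
        self.virtual_copies[env] = list(self.snapshots[label])

    def write(self, env: str, offset: int, data: bytes) -> None:
        """Copy-on-write: only the blocks this copy overwrites become new storage;
        the snapshot and the other copies keep seeing the original blocks."""
        keys = self.virtual_copies[env]
        while data:
            idx, start = divmod(offset, BLOCK_SIZE)
            take = min(BLOCK_SIZE - start, len(data))
            block = bytearray(self.blocks[keys[idx]])
            block[start:start + take] = data[:take]
            keys[idx] = self._put(bytes(block))
            offset, data = offset + take, data[take:]

    def read(self, env: str) -> bytes:
        return b"".join(self.blocks[k] for k in self.virtual_copies[env])

    def storage_used(self) -> int:
        """Bytes held by blocks still referenced by any snapshot or copy."""
        maps = list(self.snapshots.values()) + list(self.virtual_copies.values())
        live = {k for keys in maps for k in keys}
        return sum(len(self.blocks[k]) for k in live)


def physical_copy_storage(source_size: int, copies: int) -> int:
    """What the 'copy, move data' approach on the Data Management Today slide costs."""
    return source_size * copies


def walkthrough() -> dict:
    """Run the three steps on a constructed 32-byte 'database' of eight records."""
    engine = VirtualizationEngine()
    prod_v1 = b"rec1rec2rec3rec4rec5rec6rec7rec8"
    new1 = engine.capture("March 21 06:11am", prod_v1)       # Step 1: one-time copy
    prod_v2 = prod_v1[:28] + b"rec9"                         # one record changed in prod
    new2 = engine.capture("March 22 12:43pm", prod_v2)       # Step 2: only the delta
    for env in ("DEV", "TEST", "STAGE"):                     # Step 3: share blocks
        engine.provision(env, "March 22 12:43pm")
    engine.write("DEV", 0, b"dev!")                          # a developer edits a record
    return {
        "blocks_new_on_first_capture": new1,
        "blocks_new_on_second_capture": new2,
        "virtualized_bytes": engine.storage_used(),
        "physical_copy_bytes": physical_copy_storage(len(prod_v2), 2 + 3),
        "dev_isolated": engine.read("DEV") != engine.read("TEST"),
        "test_matches_prod": engine.read("TEST") == prod_v2,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

On this toy data the second capture stores one new block, the three virtual copies add nothing, and DEV's edit costs one more block, so five usable datasets (two points in time plus three environments) occupy 40 bytes where physical copies would take 160. The same arithmetic is what turns the slide's 3 TB of non-production storage into the “< 1 TB” figure, and it is also why the ability to rewind or refresh an environment is cheap: each is just another block map.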
20. Change the Physics, Change the Game
▪ Have as many copies as you want without adding storage
▪ Access data in minutes instead of hours, days, or weeks
▪ Refresh from production at any time
▪ Rewind to any point in history
▪ Bookmark during a test and return to it in minutes
▪ Branch data at-will for troubleshooting, parallel projects
▪ Integrate with DevOps solutions to deliver environments on-demand
Software appliance: Any Server, Storage, Cloud
[Figure: Virtual Databases for Dev, Test, UAT and Reporting, provisioned from points in time: 3 months ago, Last Monday, Today (10:27 A.M., 1:30 P.M., 5:07 P.M.).]
22. But what is the value to your organisation?
Masking: We reduce the surface area for data leakage risk by up to 80% and enable GDPR compliance.
Faster Environments: By utilizing AWS hosted environments, customers can build environments in ten minutes, as opposed to waiting days or weeks.
Faster Test Data: The framework can capture production data, obfuscate it and deploy it into an environment in under four minutes, as opposed to 8 hour dump and load times. Not to mention the 10 day lead time for requesting data!
Self Service: Our framework has self-service controls to break down data lead times and ensure compliance, with end to end traceability.
Environment Visibility: Our delivery pipeline is fully configuration managed, so we can see who did what and when to satisfy regulatory controls and compliance needs.
Business Value Indicators: 90% Faster, 90% Faster, Self Service, Full Traceability, 80% Less Risk.
2% or £10M: The amount of Global Turnover organisations will be fined if they fail to comply with GDPR at the first time of audit.
4% or £20M: The amount of Global Turnover organisations will be fined if they fail to comply with GDPR at the second time of audit.
Get your house in order and your organisation will also avoid huge penalties!
By combining the powers of Continuum, Cloud and Delphix we help customers get compliant, whilst cutting cost and accelerating application delivery time to market.
23. What have we spoken about today?
Regulation, regulation, regulation: We have covered the necessity for your organisation to comply with regulatory controls, whilst providing insight into how DevOps can help with this.
GDPR Impact: We have covered the key elements of GDPR and its implications on organisations trading within the EU.
The DevOps Fightback: We have given substance around how DevOps can help you fight back against GDPR and become more agile in the process.
Privacy by Design: We have provided an overview of what an end to end “Privacy by Design” DevOps pipeline looks like.
Mask your data: Adam Bowen has demonstrated the power of Delphix’s data virtualization & masking capability so that your organisation can remain GDPR compliant.
24. What next for your organisation?
Please feel free to request a demonstration of Continuum or Delphix to understand how both solutions can help you address GDPR legislation, whilst adopting DevOps and the Cloud!
We are also working together to execute complimentary GDPR readiness workshops. Feel free to contact Ben or Adam to learn more.
If you want to learn more about GDPR, visit the Delphix website.
Stay tuned for more joint webinars over the coming months. We are jointly developing a tightly integrated delivery framework. If you want to road test Delphix, you can now gain access to an engine on the AWS marketplace.
Please feel free to connect with either Ben or Adam on LinkedIn should you have some follow up questions. You can also email us: ben.saunders@contino.io, adam.bowen@delphix.com
26. Accountable Empowerment - DevOps, Cloud & Data Agility
It is possible to kill three birds with one stone… by addressing regulatory & compliance controls, your organisation can accelerate delivery by unshackling yourself from monolithic infrastructure and antiquated processes: implement an integrated DevOps pipeline such as Continuum, leverage cloud hosted environments and apply data masking capabilities with Delphix to address GDPR.
Three Birds, One Stone… That One Stone is the combination of Continuum, Delphix and AWS.
Continuum: A fully integrated cloud ready Continuous Delivery pipeline that is highly secure in AWS.
Delphix: A Virtual Data & Masking solution that enables data agility, without adding risk to your organisation.
Transformation, Regulation & Compliance; Continuous Delivery for Consistent Environments; Data Masking for GDPR Coverage.
DevOps, Data Agility, Cloud.