This document discusses how HyTrust Workload Security can help organizations address challenges related to the EU's General Data Protection Regulation (GDPR) and Network Information Security (NIS) Directive. It outlines key areas like privileged user misuse, data breaches, audit compliance that are affected by these regulations. HyTrust provides capabilities like encryption, logging, and policy enforcement across multiple clouds to help ensure data protection, demonstrate compliance, and respond rapidly to incidents in a way that reduces organizations' GDPR and NIS-related risks and pain points.

1. © 2016 HyTrust, Inc. 1
GDPR & NIS
Taking the pain out of government mandated security response

2. © 2016 HyTrust, Inc. 2
HyTrust Workload Security Use Cases
Previously discussed specific use cases – how are they related to GDPR/NIS?
Critical areas affected by
GDPR and NIS – increased risk
with public or hybrid cloud
environments:
Eliminate privileged
user misuse
Halt data breaches on
all clouds
End audit and
compliance suffering
Remove costly
infrastructure air gaps
Avoid data sovereignty
landmines
Stop stupid and the
accidental downtime
1. Privileged account misuse
2. Data breach protection
3. Data sovereignty compliance

3. © 2016 HyTrust, Inc. 3
GDPR Executive Summary
 New standard for data
protection and privacy for the
EU member state – replacing
the previous Safe Harbor
agreement (between the US
and EU). Covers any
company doing business in
the EU or with an EU citizen.
What When Impact
 Goes into “full” force on May
25, 2018. Different member
states may add some
variations or additional
requirements.
 Enforcement is backed by substantial fines, some based on 2%-4% of
corporate revenue in EU.
 Allows EU citizens to challenge companies and shift burden onto the
service providing company for proof/response to privacy and security.
 Affects a range of technology systems including data storage and
collection, data encryption, and frameworks for privacy processes
(through policy and privacy specialists).
 Still unclear with Britain leaving the EU – but most likely following GDPR
will still be more stringent than any local guidelines.

4. © 2016 HyTrust, Inc. 4NDA Material, Confidential and Proprietary
Challenges
Migration to Public Cloud Increases Risk
Transparency
GDPR Requirement Summary Description
Consent/Data Quality
Security enforcement of Privacy
Data breach readiness and response
Right to be Forgotten (Art 17)
Privacy policy and DPO
Opt-in by consumer; ability to get rid of data if
consent is withdrawn
Protecting data via encryption, secure data
destruction, etc..
72 hours for breach notification; incident response
plan
Right to be Forgotten - Erasure (Art 17)
Policy guarantees harder with 3rd party (ie cloud
provider)
Tracking data across many workloads and
geographies with instant ability to “kill” data
Proof of actions (of encryption and destruction)
are required if challenged
Multi-cloud deployment for large enterprises
creates challenges to collect incident data and
take action very quickly
All data must deleted – retroactively and for all
records
Note there are numerous other areas of challenges – but these are most technically challenging for cloud enabled organizations.

5. © 2016 HyTrust, Inc. 5NDA Material, Confidential and Proprietary
Technology Best Practices Response to GDPR
(and applicable HyTrust Use Cases)
Shift from alert and
SIEM analysis to
proactive, automatic
security for both
breach protection and
privacy protection
[Data Sov.]
Automatic
1 2 3 4 5
Insiders Self-Regulating Platform Agnostic Instant Proof
Ensure admins on access
data on any cloud can be
monitored and proof of
compliance can be shown
instantly (or instantly flag
violations for prompt
remediation)
[PIM, Data Sov.]
Workload needs
portable policy to
protect and enforce
compliance itself
[Data Sov.]
Implement a platform
agnostic solution –
which will work across
any provider or
workload type (virtual
machine, SDDC,
containers, etc..)
[All use cases]
Ensure proof of
compliance is fast,
easy, and multi-cloud
ready
[All use cases]

6. © 2016 HyTrust, Inc. 6NDA Material, Confidential and Proprietary
My Cloud Provider Says I Am Protected…
Microsoft, Amazon, and others have issued statements that their customers are protected
and compliant already via their use of “model” contracts and other legal mechanisms.
Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and not
rely on the provider or specific technology to protect your data.
However….
1 2 3 4
And if provider fails – YOU are still
responsible for data breach
disclosure and remediation impact
for your customers.
ONLY workloads and data
that resides on that provider
can be considered as
“provider” scope (private
data centers, backup/DR
sites, QA copies, etc.. are
still your issue).
YOU are still responsible for
the administrative actions of
systems on that network.
YOU are still responsible for
the data, even if the provider
is compliant.

7. © 2016 HyTrust, Inc. 7NDA Material, Confidential and Proprietary
Use Case and Advisory Notes
HyTrust Makes the GDPR pain go away…
GDPR Scope HyTrust Capability
Codify the privacy policy through data and admin policy engine and enforce
through workload policy. Monitor and execute immediate policy change
propagation across all workloads/clouds.
Secure decommission of workloads required to ensure fast and efficient data
destruction on demand. Creates chain of evidence of data destruction.
Encryption that be used to secure the privacy (via access and propagation of the
protected data).
Instant audit trail and correlation of activity, policy, and intentional/accidental
attempts of breach. Ability to provide RBAC’s for instant access across auditors or
other regulators.
Encryption key revocation means ALL data is immediately rendered useless.
Data Protection. Policy actions and workload response can all be monitored and
provide instant response to an audit.
Data Protection. Through hyper efficient key management technology, data can
be instantly destroyed.
Data Protection, Data Sov. Proof of actions (of encryption and destruction) are
required if challenged. Encryption, policy controls, etc.. Can be detailed for audit,
compliance proof, or forensics.
PIM, Data Sov. Multi-cloud deployment for large enterprises creates challenges to
collect incident data and take action very quickly
Data Protection, Data Sov. Do not need to track where data exists, only use key
management.
Transparency
Consent/Data Quality
Security enforcement of
Privacy
Data breach readiness and
response
Right to Erasure (to be
Forgotten)

8. © 2016 HyTrust, Inc. 8NDA Material, Confidential and Proprietary
HyTrust / Customer Options
Detailed GDPR Mapping to HyTrust
GDPR Source Text Requirement Summary
Appropriate level of security based on state of art.
Including: encryption, regular tests of security
effectiveness, ensure confidentiality, integrity of data.
Requires data controller to implement appropriate
technical … measures to ensure and …demonstrate
compliance.
Data controllers must also implement data protection
by default…implement appropriate technical
…measures to [protect/address] the amount of data
collected, extent of processing, and retention and
accessibility of data.
Implement policy based encryption for data protection
(and evidence). Show compliance of human assets.
Forensic level logs that track workloads, administrative
activities, and policy changes at the object level.
Through HyTrust BoundaryControl policies, the system
is (by default) set to adhere to data boundaries and
usage. Furthermore encryption can be used to enforce
this across any cloud provider.
Article 32 – Security of processing
Article 24 – Responsibility of the
controller
Article 25 – data protection by design
and default

9. © 2016 HyTrust, Inc. 9
NIS Executive Summary
 EU network and information
security (NIS) directive sets
common cyber-security
standards and aims to step up
cooperation among EU
countries and service
providers.
What When Impact
 EU member states have 21
months comply and then 6
months to identify critical
infrastructure operators (May
2018)
 Lays out specific technical guidance on “critical” infrastructure entities
including energy, banking, healthcare, transport sector organizations
that are vital to the EU member state government
 Increased transparency and information sharing – requiring faster
analysis and reporting by affected organizations
 “Critical infrastructure” identified operators will have a higher cyber
security standard and be specifically responsible for prevention of risks
and incident response

10. © 2016 HyTrust, Inc. 10NDA Material, Confidential and Proprietary
HyTrust Use Cases
HyTrust Reduces Risk with NIS - Examples
NIS Directive Reference Directive Summary
Measures to identify any risks of incidents, to prevent,
detect and handle incidents and to mitigate their
impact. The security of network and information
systems comprises the security of stored, transmitted
and processed data.
Security of systems and compliance with international
standards (among other requirements)
Many points in the directive refer to sharing of data
among various government agencies.
Data Protection. Proactive controls via HyTrust services
and forensic level logging for compliance verification.
Security of data can be enforced via HyTrust
DataControl.
PIM, Data Protection. Security from insider threats and
compliance templates/analysis can be done HyTrust
CloudControl
PIM, Data Sov. HyTrust CloudControl provides RBAC’s
to allow third parties customer defined access to object
level functions to share only the information being
required.
(46) Risk-management measures
(16) Security requirements and
notification
(11), (14), (16)

11. © 2016 HyTrust, Inc. 11
Thank You