By nature Event-driven systems transform data and propagate it across multiple services. This characteristic makes the GDPR compliance challenging. Immutable Kafka logs make it impossible to explicitly delete a published message that may contain Personally Identifiable Information (PII). A general solution has been to choose a short-enough retention duration for such topics so that the data is eventually removed within the allowed time limit. As for consumers of the data, one typically has to audit and trace where the data is propagated, and request each of the consuming services to purge their copy. Even then PII may still continue to exist, for example in backups, intermediate stating environments like S3 buckets, and ad-hoc copies of the data used for business analytics, data science, etc. This talk presents a way to build GDPR compliance into the message propagation protocol itself, and utilise crypto-shredding to in effect render all copies of PII decipherable on demand. The talk explains how a message schema such as ProtocolBuffer can be extended to allow publishers of data to mark data as PII. It shows how GDPR compliance can be integrated into existing APIs that were not designed with GDPR in mind, with minimum disruption. It illustrates how the marked data is encrypted before it is stored in Kafka and guarantee that the data remains encrypted throughout its entire propagation journey. The talk shows how the key management system works transparently across thousands of services to control access to data with different granularity and protect against cross referencing to avoid unauthorized access to data.

1. 1@solarwinds
GDPR Compliance: Transparent Handing of
PII in Event-Driven Systems
Masih H. Derkani
© 2020 SolarWinds Worldwide, LLC. All rights reserved.

2. 2@solarwinds
GDPR* Compliance
© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Right to be forgotten
* https://bit.ly/39w1LhR
≈ within 28 Days

3. 3@solarwinds
Personally Identifiable
Information
© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Email, IP Address, Name, Location, Cookies, etc.
Information relating to natural persons
who can be directly or indirectly
identified.*
* https://bit.ly/3303uuv

4. 4@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Enter…
Immutable, Append-only, Replicated
Logs.
Great for fault-tolerance;
not so much for GDPR Compliance.

5. 5@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.

6. 6@solarwinds 6@solarwinds
retention.ms<2419200000
© 2020 SolarWinds Worldwide, LLC. All rights reserved.

7. 7@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Simple to “forget” data.
Effective.
Minimal Effort.
Retention duration cannot be longer than 28 days.
Data is not removed on demand.
Cannot have per “natural person” access control.
High risk of leftover data.
But…
Retention duration
less than 28 days

8. 8@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.

9. 9@solarwinds 9@solarwinds
Crypto-shredding
© 2020 SolarWinds Worldwide, LLC. All rights reserved.
“…the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys.” *
* https://bit.ly/39waDEb

10. 10@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Simple to “forget” data.
On demand data removal.
Fine-grained access control over data.
Lower risk of leftover data.
Medium to high engineering effort.
Extra COGS.
Requires careful key management.
Will impact throughput.
But…
Crypto-shredding

11. 11@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Encryption key per:
Cluster
Topic
User
Crypto-shredding

12. 12@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Per User
Encryption Key
6. Decrypted
Key Management System
2. Encrypted
1. Encrypt
3. SendProducer
5. Decrypt
Consumer4. Poll
Encrypted PII Payload Plain PII Payload TLS/SSL Communication Flow

13. 13@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Key Management
System
Producer Encrypt

14. 14@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Key Management
System
Consumer Decrypt

15. 15@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Per User
Encryption Key

16. 16@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Per User
Encryption Key

17. 17@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Messages typically have a
schema.
Not all fields are PII.
Not all consumers care about
PII.
Per User
Encryption Key

18. 18@solarwinds 18@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Identify PII fields.
Build it into Message Schema.
Partially encrypt Message.

19. 19@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Per User
Encryption Key
ProtocolBuffer Message Schema.
syntax = "proto3";
message MyMessage {
string email = 1;
string first_name = 2;
string last_name = 3;
double purchase_value = 4;
}

20. 20@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Identify PII fields
…using Custom Options*
built into Message Schema
* https://bit.ly/2WZ3GGC

21. 21@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Identify PII fields
…using Custom Options*
built into Message Schema
* https://bit.ly/2WZ3GGC
syntax = "proto3";
import "google/protobuf/descriptor.proto";
extend google.protobuf.FieldOptions { GDPRCompliance gdpr = 51234; }
message GDPRCompliance { bool key = 1; bool pii = 2; }
message MyMessage {
string email = 1 [(gdpr) = {pii: true, key: true}];
string first_name = 2 [(gdpr) = {pii: true}];
string last_name = 3 [(gdpr) = {pii: true}];
double purchase_value = 4;
}

22. 22@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Identify PII fields
…using Custom Options*
built into Message Schema
* https://bit.ly/2WZ3GGC
private Message processPIIFields(Message message) {
message.getAllFields().forEach((fieldDescriptor, value) -> {
final FieldOptions fieldOptions = fieldDescriptor.getOptions();
final MyProtoFile.GDPRCompliance gdpr = fieldOptions.getExtension(MyProtoFile.gdpr);
if (gdpr.getKey()) {
final String fieldName = fieldDescriptor.getName();
final Type fieldType = fieldDescriptor.getType();
...
}
});
...
}

23. 23@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Partially encrypt Message
…using interceptor.classes*
built into Kafka Client Library
* https://bit.ly/30Uwnpc
* https://bit.ly/2X0pRw7

24. 24@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Partially encrypt Message
…using interceptor.classes*
built into Kafka Client Library
* https://bit.ly/30Uwnpc
* https://bit.ly/2X0pRw7
class MyProducerInterceptor implements ProducerInterceptor<String, Message> {
@Override
public ProducerRecord<String, Message> onSend(final ProducerRecord<String, Message> record) {
final Message value = record.value();
final Message complyingValue = processPIIFields(value);
return new ProducerRecord<>(
record.topic(),
record.partition(),
record.timestamp(),
record.key(),
complyingValue,
record.headers());
}
...
}

25. 25@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Partially encrypt Message
…using interceptor.classes*
built into Kafka Client Library
* https://bit.ly/30Uwnpc
* https://bit.ly/2X0pRw7
final Properties config = new Properties();
config.put(ProducerConfig.INTERCEPTOR_CLASSES_CONFIG, MyProducerInterceptor.class.getName());
...
final KafkaProducer<String, MyProtoFile.MyMessage> producer = new KafkaProducer<>(config);
...

26. 26@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
+
Contract-first PII specification.
Message Schema backward compatibility.
Transparent Kafka record interception.
Access to non-PII fields while remaining compliant;
only decrypt when needed.

27. 27@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
-
Non-string field type not supported.
Only ProtocolBuffer Message Schema.

28. 28@solarwinds© 2020 SolarWinds Worldwide, LLC. All rights reserved.
Future Work
Schema-agnostic partial encryption.
Utilising Kafka record Headers.
Nested messages with multiple PII Key.
POC non-Java clients.
Load test and throughput optimisation.

29. 29@solarwinds
THANK
YOU
© 2020 SolarWinds Worldwide, LLC. All rights reserved.
🍻

30. 30@solarwinds
Q&A
© 2020 SolarWinds Worldwide, LLC. All rights reserved.
?

31. 31@solarwinds
This presentation contains forward-looking statements regarding future
product plans and development efforts. SolarWinds considers various
features and functionality prior to any final generally available release.
Information in this presentation regarding future features and
functionality is not and should not be interpreted as a commitment from
SolarWinds that it will deliver any specific feature or functionality in the
future or, if it delivers such feature or functionality, any time frame when
that feature or functionality will be delivered. All information is based
upon current product interests, and product plans and priorities can
change at any time. SolarWinds undertakes no obligation to update any
forward-looking statements regarding future product plans and
development efforts if product plans or priorities change.
© 2020 SolarWinds Worldwide, LLC. All rights reserved.

32. 32@solarwinds
The SolarWinds, SolarWinds & Design, Orion, and THWACK
trademarks are the exclusive property of SolarWinds Worldwide,
LLC or its affiliates, are registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration
in other countries. All other SolarWinds trademarks, service
marks, and logos may be common law marks or are registered or
pending registration. All other trademarks mentioned herein are
used for identification purposes only and are trademarks of (and
may be registered trademarks) of their respective companies.
© 2020 SolarWinds Worldwide, LLC. All rights reserved.