The GDPR and Its Implications On Cloud Services
September 2017, Norm Barber, Managing Director ([email protected])

UnifyCloud LLC – General Background

A rapidly growing and successful Redmond, WA-based solutions developer with significant technical resources located in the US and India. Our global focus is on Cloud, Cybersecurity, Compliance (regulatory) and Cost.

Effectively migrating from a traditional, on-premises IT environment to a Hybrid IT environment that may include elements of SaaS, IaaS, and PaaS requires a logical set of steps. As Gartner has noted, “An organization cannot simply ‘jump’ to the Cloud. There need to be activities that are part of a phased evaluation and plan to move to the Cloud.”

Discover > Assess > Target > Migrate > Monitor
The General Data Protection Regulation (GDPR) impacts the entire Cloud (SaaS, IaaS, PaaS) journey
Disclaimer

This presentation is a commentary on the GDPR, as UnifyCloud LLC interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this presentation is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. UNIFYCLOUD LLC MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS WHITE PAPER. This presentation is provided “as-is.” Information and views expressed in this presentation, including URL and other Internet website references, may change without notice.
Today’s GDPR briefing topics

• What is the GDPR
• How to interpret the GDPR
• Addressing GDPR compliance in the Cloud
• GDPR Baseline approach
• Case Study: Managing GDPR in Azure
Audience poll: GDPR key roles that will impact you

Controller (from GDPR): “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

Processor (from GDPR): “…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

Solution Purveyor:
• CSV
• ISV
• Consultant
GDPR key drivers for May 25, 2018 enforcement (in effect as of 5/4/16)

• Updates and modernizes the principles of the 1995 Data Protection Directive
• Sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data.
• Establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules.
• Applies to all organizations doing business in the EU regardless of location.
GDPR data definitions regardless of nationality or EU residence

Personal Data (from GDPR): “…means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Examples:
• Name
• Identification number (e.g., SSN)
• Location data (e.g., home address)
• Online identifier (e.g., e-mail address, screen names, IP address, device IDs)
• Genetic data (e.g., biological samples from an individual)
• Biometric data (e.g., fingerprints, facial recognition)

“The GDPR also requires compliance from non-EU organizations that offer goods or services to EU residents or monitor the behavior of EU residents.”
Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016
GDPR compliance is a challenge for both controllers and processors

“By the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements.” Gartner: Focus on Five High-Priority Changes to Tackle the EU GDPR; September 30, 2016

• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
Controller’s (or your customer’s) GDPR compliance model (GDPR Regulation: 261 pages)

43 GDPR Requirements*

1. Provide notification to data subjects, in clear and plain language.
2. Request and obtain the data subject’s affirmative and granular consent.
3. Discontinue processing activities if the data subject denies consent.
4. Provide a mechanism for data subjects to withdraw consent.
5. Obtain affirmative consent from a child’s (under age of 16) parent or guardian.

“…organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a privacy breach or customer complaint, regulators may require firms to exhibit evidence of their compliance and risk management strategies, including a privacy impact assessment (PIA) when appropriate.”
Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016

* UnifyCloud LLC GDPR interpretation. You are encouraged to complete your own GDPR interpretation.
1. Provide notice of processing activities at the time personal data is obtained.
2. Provide notice of processing activities if personal data has not been obtained directly.
3. Provide the data privacy notice at all points where personal data is collected.
1. Provide mechanism for validating identity of the requesting data subject.
2. Provide mechanism for data subjects to request access to their personal data.
3. Provide a mechanism to respond to requests on personal data access.
4. Maintain the technological ability to trace and search personal data.
5. Provide mechanism to request rectification and rectify personal data.
6. Provide a mechanism to request the erasure of personal data.
7. Maintain the technological ability to locate and erase personal data.
8. Track to which additional controllers personal data has been transferred.
9. When personal data is made public, contact those entities for data erasure.
10. Provide mechanism to request the restriction of data processing.
11. Maintain the technological ability to restrict processing of personal data.
12. Provide mechanism to request copies and transmit personal data.
13. Provide mechanism to respond to data portability requests.
14. Locate personal data and export in structured, machine-readable formats.
15. If processing for direct marketing, provide mechanism to object.
16. Maintain the technological ability to discontinue the data processing.
1. Maintain audit trails to demonstrate accountability and compliance.
2. Maintain inventory of data detailing categories of data subjects.
3. Maintain auditable trails of processing activities.
4. Carry out data protection impact assessments of processing operations.
5. Provide the de-identification of personal data for archiving purposes.
1. Embed privacy controls (in service and development lifecycle).
2. Embed privacy designed to minimize the amount of personal data collected.
1. Provide mechanism to pseudonymize, encrypt, or otherwise secure personal data.
2. Implement security measures in the service.
3. Confirm ongoing confidentiality, integrity, and availability of personal data.
4. Provide mechanism to restore the availability and access to personal data.
5. Facilitate regular testing of security measures.
1. Controllers notify DPA within 72 hours in the event of a data breach incident.
2. Controllers notify affected data subjects of a high-risk data breach incident.
3. Processors notify controllers without undue delay of a data breach incident.
1. Track and record personal data that is forwarded to third-parties.
2. Provide mechanism for tracking and recording data transfers in and out of the EU.
3. Maintain inventory of data transfer contracts with third-parties.
4. Provide appropriate safeguards (e.g., Privacy Shield) for effective legal remedies.
On-Premises Compliance:
• Business Processes & User Controls
• Applications & Workload Features
• IT Infrastructure Controls
• Internal Audit
Cloud Compliance Model:
• Business Processes & User Controls
• SaaS Applications & Workload Features
• Cloud IT Infrastructure Controls
• Internal Audit
Cloud Compliance Model:
• Business Processes & User Controls
• SaaS Applications & Workload Features
• Internal Audit

“So a dashboard through which your team can easily track that (capabilities) will come in handy.”
Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016
Understanding a Cloud shared responsibility model for GDPR

Sources: Microsoft; Amazon Web Services

• Implementing interconnectivity between Cloud and on-premises resources.
• Security Development Lifecycle for applications.
• Application QA prior to moving to Cloud production.
• Monitoring the security of applications.
• Reviewing and applying public security and patch updates (IaaS).
• Reporting the incidents and alerts specific to systems and subscriptions.
• Support timely responses with Cloud platform.
• Implementing redundant systems for hot-failover.
• Controls over account/subscription IDs and passwords and access to applications.
• Compliance with applicable laws/regulations.
• Determining and implementing encryption for data.
• Securing certificates used to access applications.
• Selection of access mechanism for data.
• Determining the Services configurations.
• Backup of data to local/Cloud storage.
• Protection of the secrets associated with accounts.
What “managed by customer” means (from a typical SOC* report)…

Controls and reporting as well as configuration oversight excluded from a CSV platform SOC report.

* AICPA Service Organization Control (SOC) Reports (Type I and Type II), formerly Statement on Auditing Standards No. 70: Service Organizations (SAS 70)
Using a GDPR baseline approach

A Cloud Service GDPR Baseline should include:
• Cloud Services Compliance Validation (ISO, SOC)
• Services Setting Values
• DevOps Rules for Cloud Services

“However, in terms of security, while few respondents reported a decrease in production security, this is an area where DevOps has not yet contributed significant improvement. (See Figure 9) This may not be the fault of DevOps practices themselves – increasing security requires a deliberate effort – but it could point to an opportunity for tools vendors.”
Case Study: GDPR Baseline Dashboard for Azure

• 130 deployable Azure Services (last count)
• Some Services are candidates for GDPR-defined “personal & sensitive data”:
  o Blob Storage
  o Data Factory
  o Data Lake Store
  o SQL Database
  o SQL Data Warehouse
  o StorSimple
• Some Services are capabilities to help meet GDPR requirements:
  o Azure AD
  o Azure Information Protection
  o Key Vault
  o Multi-factor Authentication
Azure Services and GDPR compliance roles

Columns: S.No. | Cloud Service | High Level Description (from Capstone GDPR Whitepaper) | Journey Stage (Discover, Manage, Protect, Report) | Compliance (Enabler, Target)

1. Active Directory: An identity and access management solution in the cloud. It manages identities and controls access to Azure, on-premises, and other cloud resources, data, and applications. With Azure Active Directory Privileged Identity Management, you can assign temporary, Just-In-Time (JIT) administrative rights to eligible users to manage Azure resources. Role marks: Yes, Yes, Yes.
2. Key Vaults: It offers an easy, cost-effective way to safeguard keys and other secrets in the cloud by using hardware security modules (HSMs). Protect cryptographic keys and small secrets like passwords with keys stored in HSMs. Role marks: Yes, Yes.
3. Storage Account (Classic): An Azure storage account gives you access to the Azure Blob, Queue, Table, and File services in Azure Storage. Your storage account provides the unique namespace for your Azure Storage data objects. By default, the data in your account is available only to you, the account owner. Role marks: Yes, Yes.
4. Data Factories: It is a managed service which lets you produce trusted information from raw data in cloud or on-premises sources. Easily create, orchestrate and schedule highly-available, fault-tolerant workflows of data movement and transformation activities. Role marks: Yes, Yes.
5. Multifactor Authentication: It helps prevent unauthorized access to on-premises and cloud applications by providing an additional layer of authentication. Follow organizational security and compliance standards while also addressing user demand for convenient access. Role marks: Yes, Yes.
6. Site Recovery: It helps you protect important applications by coordinating the replication and recovery of private clouds for simple, cost-effective disaster recovery. Role marks: Yes, Yes.
7. SQL Service: It is a relational database-as-a-service using the Microsoft SQL Server Engine. SQL Database is a high-performance, reliable, and secure database you can use to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure. Role marks: Yes, Yes, Yes.
GDPR baseline setting guidance for Azure Services

Columns: S.No. | Cloud Service | Cloud Origin Functionality | Value | Subject | GDPR Citation | Issue

1. Active Directory
   - ActiveDirectory->Integration with local AD->Domains verified for Directory Sync | 1 | Data Subject Rights | Art. 15-17 | Provide mechanism for validating identity of the requesting data subject.
   - ActiveDirectory->Integration with local AD->Domains planned for Single Sign-On | 0 | Data Subject Rights | Art. 15-17 | Provide mechanism for validating identity of the requesting data subject.
   - ActiveDirectory->Integrated Applications->Users may give applications permission to access their data | NO | Right to Restriction | Art. 18, Sec. 1, Sub. (a)–(d) | Maintain the technological ability to restrict processing of data subjects’ personal data (or for Microsoft customers to do so in accordance with requests of data subjects).
   - ActiveDirectory->Integration with local AD->Directory Sync | Activated | Data Security | Art. 32, Sec. 1, Sub. (a) | Provide mechanism to pseudonymize, encrypt, or otherwise secure personal data.
   - ACTIVEDIRECTORY_INTEGRATEDAPPLICATIONS_USERSMAYADDINTEGRATEDAPPLICATIONS | No | Data Subject Rights | Art. 15-17 | Provide mechanism for validating identity of the requesting data subject.
   - ACTIVEDIRECTORY_USERACCESS_ALLOWINVITATIONS | Yes | Right to access | Art. 15, Secs. 1–2 | Provide mechanism for data subjects to request access to their personal data and receive information on the processing activities of their personal data.
   - ACTIVEDIRECTORY_USERACCESS_ALLOWGUESTSTOINVITE | No | Right to access | Art. 15, Secs. 1–2 | Provide mechanism for data subjects to request access to their personal data and receive information on the processing activities of their personal data.
   - ACTIVEDIRECTORY_USERACCESS_LIMITGUESTACCESS | Yes | Right to access | Art. 15, Secs. 1–2 | Provide mechanism for data subjects to request access to their personal data and receive information on the processing activities of their personal data.
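As an added example (not code from the UnifyCloud deck or from Azure), the Python below evaluates a constructed tenant snapshot against the Active Directory rows of the baseline table above and groups each deviation under its GDPR citation, the way a baseline monitoring dashboard would. It assumes an integer baseline value is a minimum count and that a setting whose value cannot be read is reported as a deviation rather than presumed compliant.

```python
"""Added example, not UnifyCloud's code: evaluate a tenant's setting values against the
Active Directory rows of the GDPR baseline table above and map deviations to GDPR citations."""
# (setting, baseline value, GDPR citation, controller requirement) transcribed from the page's table.
# Assumption: an integer baseline value is a minimum count; string values must match exactly.
BASELINE = [
    ("ActiveDirectory->Integration with local AD->Domains verified for Directory Sync", 1,
     "Art. 15-17", "Provide mechanism for validating identity of the requesting data subject."),
    ("ActiveDirectory->Integration with local AD->Domains planned for Single Sign-On", 0,
     "Art. 15-17", "Provide mechanism for validating identity of the requesting data subject."),
    ("ActiveDirectory->Integrated Applications->Users may give applications permission to access their data",
     "No", "Art. 18, Sec. 1, Sub. (a)-(d)", "Maintain the technological ability to restrict processing."),
    ("ActiveDirectory->Integration with local AD->Directory Sync", "Activated",
     "Art. 32, Sec. 1, Sub. (a)", "Provide mechanism to pseudonymize, encrypt, or otherwise secure personal data."),
    ("ACTIVEDIRECTORY_INTEGRATEDAPPLICATIONS_USERSMAYADDINTEGRATEDAPPLICATIONS", "No",
     "Art. 15-17", "Provide mechanism for validating identity of the requesting data subject."),
    ("ACTIVEDIRECTORY_USERACCESS_ALLOWINVITATIONS", "Yes",
     "Art. 15, Secs. 1-2", "Provide mechanism for data subjects to request access to their personal data."),
    ("ACTIVEDIRECTORY_USERACCESS_ALLOWGUESTSTOINVITE", "No",
     "Art. 15, Secs. 1-2", "Provide mechanism for data subjects to request access to their personal data."),
    ("ACTIVEDIRECTORY_USERACCESS_LIMITGUESTACCESS", "Yes",
     "Art. 15, Secs. 1-2", "Provide mechanism for data subjects to request access to their personal data."),
]
# Constructed snapshot of a hypothetical tenant (not real data); LIMITGUESTACCESS is
# deliberately absent so the unknown-value path is exercised.
TENANT_SNAPSHOT = {
    "ActiveDirectory->Integration with local AD->Domains verified for Directory Sync": 2,
    "ActiveDirectory->Integration with local AD->Domains planned for Single Sign-On": 0,
    "ActiveDirectory->Integrated Applications->Users may give applications permission to access their data": "Yes",
    "ActiveDirectory->Integration with local AD->Directory Sync": "Activated",
    "ACTIVEDIRECTORY_INTEGRATEDAPPLICATIONS_USERSMAYADDINTEGRATEDAPPLICATIONS": "No",
    "ACTIVEDIRECTORY_USERACCESS_ALLOWINVITATIONS": "Yes",
    "ACTIVEDIRECTORY_USERACCESS_ALLOWGUESTSTOINVITE": "Yes",
}

def conforms(expected, observed):
    """Unknown (None) values never conform: the monitor must not assume compliance by default."""
    if isinstance(expected, int):
        return isinstance(observed, int) and observed >= expected
    return observed is not None and str(observed).strip().lower() == expected.lower()

def evaluate(snapshot, baseline=BASELINE):
    """One finding per baseline row the snapshot fails; each carries the citation for the dashboard."""
    return [{"setting": s, "expected": e, "observed": snapshot.get(s), "citation": c, "issue": i}
            for s, e, c, i in baseline if not conforms(e, snapshot.get(s))]

def findings_by_citation(snapshot, baseline=BASELINE):
    grouped = {}  # GDPR citation -> list of failing settings, in baseline order
    for f in evaluate(snapshot, baseline):
        grouped.setdefault(f["citation"], []).append(f["setting"])
    return grouped
```

For the constructed snapshot this yields three findings: the application-permission setting under Art. 18, and the guest-invite and guest-access settings under Art. 15.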
Creating a GDPR baseline

Monitoring a GDPR baseline
Summary

• GDPR is in effect now and will be enforced starting on May 25, 2018
• Cloud solutions (IaaS/PaaS and SaaS) will be part of a controller’s compliance model
• Understand/interpret the GDPR requirements and map to processor features/controls
• Consider using a GDPR baseline approach for areas where certifications do not apply
• For vendors… do NOT imply using your solution will directly guarantee GDPR compliance
• Thank you! Any final questions?
A copy of this presentation will be made available to you after the session ends. Visit www.cloudatlasinc.com for additional information about our solutions.