GDPR - What does this mean for you? Accelerate GDPR compliance with the Microsoft Services. Konstantin Sviridov Andrey Ivanov.

Transcription

1 You Trust IT Путь к безопасности бизнеса GDPR - What does this mean for you? Accelerate GDPR compliance with the Microsoft Services Konstantin Sviridov Andrey Ivanov 06 September 2017 This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

2 What is the EU General Data Protection Regulation (GDPR) Applies to all organizations that process personal data of EU residents New comprehensive European privacy law replacing the 1995 Data Protection Directive Regulation already in place EU starts enforcement 25 May 2018

3 How does GDPR affect organizations? The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located. Enhanced personal privacy rights. Increased duty for protecting data. Mandatory breach reporting. Significant penalties for non-compliance. Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights

4 Year once upon a time 17 years ago

5 GDPR - 26 million EU organizations impacted

6 26 million EU organizations effected Likely a panic zone GDPR requirements don t go away

7 What are the key changes to address the GDPR? Personal privacy Controls and notifications Transparent policies IT and training Individuals have the right to: Access their personal data Correct errors in their personal data Erase their personal data Object to processing of their personal data Export personal data Organizations will need to: Protect personal data using appropriate security Notify authorities of personal data breaches Obtain appropriate consents for processing data Keep records detailing data processing Organizations are required to: Provide clear notice of data collection Outline processing purposes and use cases Define data retention and deletion policies Organizations will need: Train privacy personnel & employee Audit and update data policies Employ a Data Protection Officer (if required) Create & manage compliant vendor contracts

8 European Convention on Human Rights 1953 European Convention 108 Directive 95/46/EC REGULATION (EU) 2016/ Nov Sep Jan Oct Dec Oct Apr May 2018 Article 8 of the European Convention on Human Rights provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in accordance with law" and "necessary in a democratic society". The treaty regarding the protection of individuals with regard to automatic processing of personal data was signed as Council of Europe Convention 108. All 47 members of the Council of Europe have ratified the treaty, except Turkey. Data Protection Directive 95/46/EC created to regulate the processing of personal data. The directive agrees to a new, advanced standard in the protection of individuals with regards to the processing of their personal data and its free movement. The directive is brought into force after a three-year grace period. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.

9 Secure digital environment helps building trust, enables digital transformation and increases prosperity in the EU and globally: Approved Applied from onwards Approved National implementation by 9 May 2018 COM proposal January 2017 COM guidelines January 2017 Approved National implementation by 23 September 2018 All organizations Critical sectors All organizations All organizations Public sector organizations

10 ISO/IEC Code of Practice for Protecting Personal Data in the Cloud European Union Model Clauses SSAE 16/ISAE 3402 ISO/IEC In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. At least once a year, Microsoft Azure and Azure Germany are audited for compliance with ISO/IEC and ISO/IEC by an accredited third party certification body, providing independent validation that applicable security controls are in place and operating effectively. By following the standards of ISO/IEC and the code of practice embodied in ISO/IEC 27018, Microsoft the first major cloud provider to incorporate this code of practice European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC. Microsoft provided its Standard Contractual Clauses to the EU's Article 29 Working Party for review and approval. The Article 29 Working Party includes representatives from the European Data Protection Supervisor, the European Commission, and each of the 28 EU data protection authorities (DPAs). SSAE 16 (Statement on Standards for Attestation Engagements No. 16), the successor to SAS 70, and ISAE 3402 (International Standards for Attestation Engagement No. 3402), are audit standards established by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board of the International Federation of Accountants, respectively, and are geared towards service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, hosted data centers, application service providers (ASPs), and managed security providers. SSAE 16 and ISAE 3402 audits are independent verifications of compliance with security controls and effectiveness of security controls. ISO/IEC is an information security management system (ISMS) standard, part of the ISO/IEC family of standards that address privacy, confidentiality and technical security issues and have "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The standards outline hundreds of potential controls and control mechanisms. ISO/IEC in particular is one of the most widely recognized certifications for a cloud service, and thus one of the most valued by our customers. ISO defines how to implement, monitor, maintain, and continually improve the ISMS. The Microsoft Online Services Information Security Policy aligns with ISO 27002, augmented with requirements specific to online services.

11

12 INTELLIGENT SECURITY GRAPH Unique insights, informed by trillions of signals. This signal is leveraged across all of Microsoft s security services 1.2B devices scanned each month Malware data from Windows Defender Shared threat data from partners, researchers and law Enforcement worldwide 400B s analyzed 200+ global cloud consumer and Commercial services Botnet data from Microsoft Digital Crimes Unit Enterprise security for 90% of Fortune M+ Azure user accounts 18+B Bing web pages scanned 450B monthly authentications

13 Industry Partners Antivirus Network INTELLIGENT SECURITY GRAPH CERTs Cyber Defense Operations Center Malware Protection Center Cyber Hunting Teams Security Response Center Digital Crimes Unit PaaS IaaS SaaS Identity Apps and Data Infrastructure Device

14 SECURITY MANAGEMENT IMPERATIVES IDENTITY DEVICES APPS / DATA INFRASTRUCTURE VISIBILITY Understand the security state and risks across resources CONTROL Define consistent security policies and enable controls GUIDANCE Elevate security through built-in intelligence and recommendations

15 DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR USERS IDENTITY

16 Information Protection lifecycle example File is created (via multiple sources) User opens the file for editing Collaborate through SharePoint Online User opens the file on mobile Upload to other cloud service for external sharing Azure Information Protection client Windows Information Protection Office 365 Data Governance Intune Microsoft Cloud App Security (MCAS) Persistent labels enable a unified information protection language

17 How do I get started 1 Discover Identify what personal data you have and where it resides 2 Manage Govern how personal data is used and accessed 3 Protect Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches 4 Report Keep required documentation, manage data requests and breach notifications

18 Discover Right to Erasure Right to Data Portability GDPR Workshops ETA Q1 FY18 Microsoft (and optional with Partner) workshops on GDPR awareness and scoping establishment. Secure Productive Enterprise PoC ETA Q1 FY18 Customer seeking guidance and support from Advisory Firm(s) + Microsoft to assess their current environment towards the GDPR controls. Deliverables: Gap analysis and reports. Advice/Roadmap how to address and become compliant. Fast Start Enterprise Mobility + Security Guided small implementation of EM+S to enable the capabilities in the environment Manage Documentation Privacy by Design Protect Data Security Data Transfer Foundation Capabilities Consulting Services Mapping Report Documentation Breach Response and Notification Data Insights GDPR Data Discovery pilot Known data sources/files are uploaded to Azure after which inventory is done on PII (NOT PUBLISHED YET) Microsoft Data Classification Toolkit Downloadable toolkit intended to help organizations simplify the ability to search, identify, and apply rules to data you specify. Secure Modern Enterprise (Security Foundation) OMS Log Analytics unlock the power of your own data and understand the valuable operational insights through the Hybrid Cloud Monitoring engagement RAP as A Service Microsoft Security This service is available for any organization that is seeking to evaluate and improve their Security Program Management. Azure Information Protection Implementation Services Initial configuration of Azure Information Protection tenant and optionally integrated with on-premises services. Formulate and execute on a classification and DLP strategy. Advanced Threat Analytics Implementation Service Implements ATA in a production environment, including Incident Management Process Advanced Analytics Essentials Predictive Solutions, such as Predictive Maintenance, Demand Forecasting, Attrition, and Personalization for qualified customer opportunities. Measure and demonstrate the business value using a performance dashboard Dynamic Identity Framework Assessment + Online Assessment Active Directory Service (OAADS) Assessments that cover the current posture and risks on your identity management processes and services, together with a thorough assessment of your Active Directory Services Windows 10 Security Implementation Service Includes Windows 10 Security Foundation (BitLocker, Credential Guard, Defender, SmartScreen, Security Baseline) and Windows Information Protection Privileged Access Workstation Security hardened administrative workstation for cloud tenant management, Tier 0 (Active Directory), Tier 1 (Servers), Tier 2 (Workstations) zone management to prevent breach of administrative accounts. POP-Security Incident Management Create or revise your Security Incident Management processes to enable the 72 hour breach notification requirement Persistent Adversary Detection Service (PADS) Productivity Governance and Compliance delivers a governance plan that will help organizations control, administer, and manage their SharePoint Online investments to secure applications and data when users are located remotely, and ensure compliance requirements are met. SQL Server Data Protection Plan Maintain a healthy business by preventing Data loss and having a reliable and AlwaysOn SQL Server infrastructure More foundational, medium and longer term offerings see overview in appendix

19 Partner with Microsoft Services Security Data Platform Cloud Modern Workplace Privacy Controls Notifications Policies Training GDPR Workshop Risk & Data Management Foundation GDPR Program Partner Education, Awareness, Discovery: Microsoft Roadmap Modernize your IT Environment (Partner) Discover, Manage, Protect, Report (projects based on gap analysis outcomes, and roadmap alignment) Microsoft does not provide legal advice.

20 Data Discovery Offering This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

21 Global enterprises are mandated to comply with new EU regulations and non compliance will result in fines equaling 2-4% of global revenues. Most enterprises are using this requirement to establish systematic IT Asset Management Service and reporting capabilities. Objectives of the engagement: Drive a centralized data store to host the asset data from various sources. Drive data consistency and data quality. Drive centralized reporting capability to provide insights for Legal, Business and Technical Decision Makers. Benefits & outcomes Solution built on Azure IaaS or PaaS with Power BI for data visualization needs. Drive focused workshop and quick proof of value. Assist the customer to meet their regulatory compliance needs. Components

22 Data Subject Rights depend on the relationship with the customer Consumers Employees Vendors (Suppliers, Commercial Customers) Shareholders Application EU Authorities Data Transfer Audit and Compliance 3 rd Parties

23 GDPR webpage on the Microsoft Trust Center Customer whitepaper: Beginning your GDPR journey Video of Brendon Lynch Sharing his Perspective on the GDPR Microsoft FAQ on the GDPR Blog Post: Earning your trust with contractual commitments to the General Data Protection Regulation Blog Post: Get GDPR compliant with the Microsoft cloud

24 Thank You! You Trust IT Путь к безопасности бизнеса