EU GDPR and Security Compliance for the DBA. Santa Clara, California April 23th 25th, 2018

Transcription

1 EU GDPR and Security Compliance for the DBA Santa Clara, California April 23th 25th, 2018

2 Meet Your Presenters Tyler Duzan Product Manager for MySQL Software at Percona Prior to joining Percona was an Operations Engineer for more than twelve years Background in security and compliance, specifically PCI, HIPAA/HITECH, HITRUST, SOC, and FEDRAMP & FISMA. Jeff Sandstrom Product Manager for MongoDB Software at Percona Jeff has been a Product Manager for over ten years, first in the contact center space, then enterprise voice, and now open source databases. He's a business nerd who loves tech. 2

3 Disclaimer We are not Attorneys, we are Product Managers Nothing within this presentation should be construed as legal advice You should consult with an attorney to understand and mitigate any compliance risk for your organization This presentation is not all-inclusive, we are discussing specific selected Articles of the GDPR we think are especially relevant 3

4 Outline 1. General Overview of Compliance 2. GDPR Key Terminology 3. EU GDPR Articles a DBA Should Know Article Overview Articles of Particular Interest to DBAs Deep Dive into Article 17, Article 25, Article 32-35, and Article How Does Percona Software Help to Solve This? 5. Open Questions for DBAs to Consider 6. Q&A 4

5 General Overview of Compliance

6 Compliance Objectives Build a secure infrastructure and know where sensitive data resides Implement consistent security and data-handling standards across the enterprise Design and implement effective controls for access to sensitive data Provide a pathway to audit the organization Reduce risk to the organization from data breaches Protect your customers and partners who have entrusted you Protect shareholder value 6

7 Why Compliance Matters to the DBA Datastores across the enterprise may likely contain sensitive data Databases are a primary target for malicious actors attempting a data breach Most compliance regulations specifically prescribe methods and techniques that must be used for datastores The DBA is often the primary responsible party for implementing compliance controls and technical measures for protecting data 7

8 How Has Compliance Changed? Compliance regulations began by targeting specific industry verticals such as healthcare, finance, and government. The focus of early compliance was really on mitigating broad organizational risk, typically when handling data that had large financial risk implications or national security implications Later compliance regulations began focusing on the safety of consumer data as technology became integral to our daily existence Many of these regulations limited coverage to situations where the consumer might be directly financially impacted by a breach and where a clear and direct customer relationship existed 8

9 How Has Compliance Changed? Lately compliance regulations have shifted because of a shifting environment both in technology and economics. Current compliance regulations must take into account the existence of cloud providers, the ubiquity of Software-as-a-Service (SaaS) applications for both businesses and consumers, and the rise of sophisticated attacks. We now exist in a world where great harm can be caused at scale using data that was previously thought to be innocuous. Many of these are first of their kind attacks. EU GDPR seeks to address many of these concerns by emphasizing that fundamental ownership of data resides with the person whom that data is about. 9

10 GDPR Key Terminology

11 Terminology Data Controller The entity that is determining the purposes and means of processing the data. - Example: A social media application collecting user information, a manufacturing company collecting personal data about employees, etc. Data Processor The entity that processes data on behalf of the Data Controller. - Example: A payroll company that is issuing paychecks for a manufacturing company s employees, a cloud service provider storing personal data Data Processing Any automated or partially automated operation performed on personal data 11

12 Terminology Data Subject A natural person whose personal data is processed by a Controller or Processor Personal Data Any information that can directly or indirectly identify the Data Subject - Examples: Biometric data Health data Online identifiers Geolocation data PII (name, address, government ID number, etc) Profiling Any data processing intended to evaluate, analyze, or predict the behavior of a Data Subject 12

13 GDPR Articles DBAs Should Know

14 GDPR Articles Overview Chapter 1: General Provisions Article 1-4 Chapter 2: Principles Article 5-11 Chapter 3: Rights of the Data Subject Article Chapter 4: Controller and Processor Article Chapter 5: Transfer of personal data to third countries of international organizations Article Chapter 6: Independent Supervisory Authorities Article Chapter 7: Cooperation and Consistency Article

15 GDPR Articles Overview Chapter 8: Remedies, Liabilities, and Sanctions Article Chapter 9: Provisions relating to specific data processing situations Article Chapter 10: Delegates Acts and Implementing Acts Article 92 & 93 Chapter 11: Final Provisions Article

16 Articles of Particular Interest to DBAs Article 17 the ( ) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. Article 25 Data protection by design and by default Article 32 Security of data processing Article 33 & 34 Notification of a personal data breach to the supervisory authority Communication of a personal data breach to the data subject Article 35 Data protection impact assessment Article 44 General principles for transfers 16

17 General Areas of Concern in GDPR Change Management Data Discovery and Classification Environmental Evaluation Establishing Appropriate Internal Processes Auditability Internally defining ethical walls Tracking location of data by user / Data Mapping 17

18 Article 17 Establishes a legislative structure which resides ownership of data with the Data Subject Establishes the Right to be Forgotten as EU Law the ( ) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. Expands deletion requirements to now include the obligation for the Data Controller to inform anyone else who has the Personal Data when a deletion request is received, extending to Data Processors or copies of that data 18

19 Article 25 Enshrines the concept of data protection by design and default Requires that controls must be in place to ensure that Personal Data cannot be attributed to an identified or identifiable Data Subject Only the Personal Data necessary for a specific purpose can be processed Only the Personal Data necessary for a specific purpose is collected Data that is no longer needed should be deleted Implies strongly specific technical requirements, which in some cases are defined elsewhere Data minimization, data masking, data pseudonymization Implementing strict ethical walls and access controls within your organization for seeing Personal Data Utilizing best practice methods for protecting Personal Data when stored 19

20 Article 32 Requires both Data Controllers and Data Processors to implement certain technical and organizational measures These measures help to prescribe how to handle the philosophical basis of EU GDPR Technical examples Encryption for data that is both at rest and in motion Monitoring and auditing access to Personal Data Data masking for applications which access Personal Data Organizational examples Maintaining data accessibility and planning for a response to a breach Testing and evaluating the effectiveness of your controls Auditability of your environment 20

21 Article 33 and 34 Establishes the requirements for informing regulators (Supervisory Authority) and users (Data Subjects) when a breach occurs Data Controllers must inform the appropriate Supervisory Authority within 72 hours of a data breach occurring or provide a substantial reason for any delay Data Processors must notify Data Controllers immediately as soon as they become aware of a breach If a data breach presents risk to users Data Controllers and Data Processors must individually notify affected Data Subjects, without undue delay. If it s not possible to provide all required information initially, it can be provided in phases through multiple notifications 21

22 Article 35 Establishes and defines the Data Protection Impact Assessment (DPIA) Data Controllers must perform a DPIA whenever a new processing operation or technology is proposed The Data Protection Impact Assessment must at minimum include the following documented items: A description of the new processing operation or technology and it s purpose, as well as a justification of its necessity relative to that defined purpose. An assessment of the potential risks to the rights and freedoms of Data Subjects A description of the proposed measures to mitigate the risks to the Data Subjects A description of proposed data safeguards and security measures 22

23 Article 44 Prohibits the transfer of Personal Data outside the EU, unless the recipient can prove it provides adequate data protection. Requires the Data Controller or Data Processor to be responsible for verifying that the data protection requirements are met by any partners or vendors outside the EU. Articles define the methods for acceptable proof of adequate data protection The European Commission can declare a territory or country to provide adequate protections thus whitelisting it. The Privacy Shield Framework in the US allows companies to self-certify to the US Department of Commerce to be in compliance and has force of law. 23

24 How Percona Software Helps to Solve This

25 Encryption Capabilities Percona Server for MySQL and PXC both provide for encryption functionality Vault keyring plugin for centralized encryption key management Binlog encryption InnoDB general tablespace encryption InnoDB file-per-table encryption (community TE) Upcoming additional features (undo log, redo log, ) Percona Server for MongoDB has WiredTiger encryption on the roadmap OS-level Full Disk Encryption (FDE) is datastore agnostic 25

26 Authentication Capabilities Percona Server for MySQL and PXC both provide support for PAM authentication, which allows arbitrary PAM plugins to provide authentication facilities Allows LDAP or Kerberos integration Allows integration of 2FA Percona Server for MongoDB provides native support for LDAP authentication as well as X509 based authentication 26

27 Auditing Capabilities Percona Server for MySQL and PXC both provide numerous enhanced informational capabilities to make auditing easier Audit Log plugin Extended SHOW GRANTS Changed Page Tracking User Statistics Percona Server for MongoDB has built in audit log capabilities, along with log redaction functionality. Tracks system events, can be configured with filters. Tracks schema changes, authn/authz events, cluster membership events, and can track CRUD operations 27

28 Monitoring Capabilities Percona Server for MySQL and PXC include significant improvements in additional instrumentation to assist in monitoring the database and establishing baselines for heuristic analysis Additional INFORMATION_SCHEMA tables Enhancements to PERFORMANCE_SCHEMA Large numbers of additional performance counters User Statistics Percona Server for MongoDB adds enhanced instrumentation and improved query profiling capabilities Percona Monitoring and Management provides a complete monitoring solution for MySQL and MongoDB, including query analytics 28

29 Data Control Capabilities Percona Server for MongoDB adds in the ability to perform log redactions Percona Server for MySQL and PXC provide encryption capabilities ProxySQL as a component of the overall PXC solution allows for implementation for data masking 29

30 Open Questions for DBAs to Consider

31 Article 17 How do you ensure all Personal Data is deleted when a delete is issued? Foreign Key Constraints / Cascade Delete Binlog, Redo log, Undo log, etc. contents Content of backups How do you relate Personal Data across disparate datastores as it relates to a single Data Subject? Data discovery systems? Externally indexing data? How do you identify other entities that may have received a copy of the Personal Data? Tracing transfers to Data Processors by Data Subject Tracking scraping of Personal Data from public pages 31

32 Article 25 How do you use technology to help enforce ethical walls in your organization? Separating data by purpose using access controls to prevent crossing boundaries What methods are appropriate to limit DBA access or monitor DBA access to ensure compliance? Audit log of database activity Monitoring logins to the system and alerting on them when done by a non-automated user How can you most effectively implement data masking in your application stack? Utilizing data masking as the query routing layer, implementing row level access controls, restricting access to the database to only application users 32

33 Article 32 Does your organization have the capabilities today to allow for proper PKI? Utilizing TLS for client to database connections via enterprise CA How do you track the purpose for data and enforce limits for access and collection at a technical level? Data classification systems Break databases up by data purpose and enforce access controls Long-term data storage becomes a compliance liability, how do you effectively enforce technical limits on data lifetime? Tracking backups and their contents Setting a TTL on data at ingest 33

34 Article 33 & 34 As a Data Processor how do you ensure immediate notification to Data Controllers of a breach? Alerting and monitoring must encompass audit logs. It is no longer sufficient to only monitor and alert on items which affect uptime As a Data Controller how do you ensure rapid notification of a breach to the Supervisory Authority? Similarly, alerting and monitoring must encompass audit logs. Additionally, you need to consider what required information needs to be in the notification and ensure that this is being collected as a matter of rote How do you know that a breach has occurred? Tighter integration between DBAs and their internal security and networking teams to implement intrusion detection systems and heuristic monitoring that accounts for database behavior 34

35 Article 35 Does the necessity of a Data Protection Impact Assessment (DPIA) cause DBAs to become gatekeepers in their organization? Do DBAs become responsible for assisting their security organization with understanding the risks of various database capabilities? 35

36 Article 44 Where does the DBA fit into your organizations practices and policies for controlling where data goes? Consider what types of controls need to be implemented at the database layer to prevent data transfer Consider how this rule impacts your ability to implement geographical scaling, disaster recovery zones, and offsite backup strategies How does this impact your organizations strategy for deploying databases in the Cloud? 36

37 Q & A

38 Thank You Sponsors!! 38

39 Thank You!

40 Rate My Session 40