Accesso trusted al dato e configurazione dei sistemi informativi per il GDPR

Transcription

1 Accesso trusted al dato e configurazione dei sistemi informativi per il GDPR Guglielmo Troiano - Senior Consultant at Digital360 - Senior Advisor at Osservatori Politecnico di Milano Igor Marcolongo - Head of Process & Compliance Giancarlo Colla Oracle ACS Principal Pre Sales Architect 15/03/2018

2 Data processing is a matter of trust Data Subject shall trust data Controller(s) Trustworthy privacy information documentation Cybersecurity Personal data minimization Data Erasure if/when requested Data portability 2

3 Data processing is a matter of trust Data Controller shall trust the Data Processor Respect of the purposes of the processing Cybersecurity Respect of pacts 3

4 Data processing is a matter of trust Privacy Authorities are in charge of maintaining the trust in the system Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and public authorities hesitate to carry out transactions electronically and to adopt new services. eidas Regulation, whereas #1 4

5 Another Regulation? On July 1 st 2016, the new eidas Regulations came into force This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union. eidas Regulation, whereas #2 eidas stands for: electronic IDentification And Signatures 5

6 The role of a Qualified Trust Service Provider The highest level Trust Services are provided by Qualified Trust Service Providers eidas sets up a common qualification and audit schema, that permit to outsource the liability of the digital processes Liability for the entire process Identity of the parties QTSP Strong authenti cation Non repudiabl e e- Delivery Verify Validate & Preserv e Willingne ss to transact 6 6

7 eidas trusted pillars Electronic Signatures Electronic TimeStamp Digital Identity edelivery Digital Preservation 7

8 InfoCert is the biggest QTSP in Europe 240 Employees 52 Mln 2016 LONDON 4 Offices 14 Patents MILAN PADUA ROME EBITDA CAGR +23% International working groups: ETSI European Telecommunication Standard Institute DTCE - Digital Trust and Compliance Europe ISO Certifications:

9 Principle of accountability GDPR eidas the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary GDPR, article

10 Trusted Accountability Compliance and Technological Assessment Process Reengineering Contracts and Policies Penetration Test and Vulnerability Assessment Data Inventory Data Protection Impact Assessment Records of processing activities Training & DPO REMEDIATION & ACCOUNTABILITY Insurance Policy Organizational change Technical improvements TRUST SERVICES 10

11 Case 1 - Trusted Accountability in Healtcare For an important Italian Hospital, Trusted Accountability is being able to demonstrate: the privacy information has been given properly the patient expressed the consent to the processing the informed consent TRUST SERVICES Advanced Electronic Signature Qualified TimeStamp Digital Evidence Preservation 11

12 Case 2 >>> - Trusted Trusted right right to access to access tinder-personal-data-dating-app-messages-hacked-sold

13 Case 2 - Trusted right to access High risk of data breach of (sensitive) privacy information TRUST SERVICES Digital Identity Qualified Electronic Signature Qualified Electronic Delivery 13

14 GDPR IS NOTHING WITHOUT TRUST 14

15 Oracle ACS Managed Cloud Security Services Da più di 20 anni Oracle Advanced Customer Services fornisce servizi personalizzati e proattivi per ambienti «mission critical» presso più di 4000 clienti corrispondenti alle maggiori aziende e multinazionali di tutto il mondo. Transition Support Mission-Critical Support Managed Apps and Help Desk Expert Support Managed Platform Private Cloud Cloud at Customer Systems Optimization Security Support On Premises Public Cloud 15

16 Oracle ACS Managed Cloud Security Services Managed Security Services Data security through comprehensive security management in Oracle Cloud and on premises Vulnerability and Threat Prevention Services: File Integrity Monitoring Web Application Vulnerability Penetration Testing Vulnerability Assessment Web Application Firewall Database Security Services: Database Security Risk Assessment Database Encryption Database Vault Database Audit Data Masking Managed Identity Services Prevention of intruders, without delaying business operations in Oracle Cloud and on premises Identity Provisioning Single Sign-On Strong Authentication Identity Analytics Identity Federation Managed Compliance Services Enabling compliance with industry standards and legislative regulations in Oracle Cloud PCI DSS Security HIPAA Security Services GxP Compliance Services for Fusion SaaS 16

17 Oracle ACS Managed Cloud Security Services Managed Security Services Data security through comprehensive security management in Oracle Cloud and on premises Vulnerability and Threat Prevention Services: File Integrity Monitoring Web Application Vulnerability Penetration Testing Vulnerability Assessment Web Application Firewall Database Security Services: Database Security Risk Assessment Database Encryption Database Vault Database Audit Data Masking Managed Identity Services Prevention of intruders, without delaying business operations in Oracle Cloud and on premises Focus sulla Sicurezza del Identity Provisioning Database Single Sign-On Oracle Strong Authentication Identity Analytics Identity Federation Managed Compliance Services Enabling compliance with industry standards and legislative regulations in Oracle Cloud PCI DSS Security HIPAA Security Services GxP Compliance Services for Fusion SaaS 17

18 Soluzioni Oracle che aiutano a indirizzare GDPR - Database DBA Database Firewall Consente di archiviare e gestire le chiavi di crittografia Audit Vault Key Vault Data Masking and Subsetting Psedonimizzazione: vengono sostituiti i dati personali con uno pseudonimo allo scopo di evitare l'identificazione diretta della persona di riferimento DEVEL APP Database Vault Transparent Data Encryption and Reduction Gestione della «duty Segregation». Utenti accedono solo ai dati di propria responsabilità Gli accessi vengono tracciati e archiviati in per poter essere analizzati Database I dati sensibili vengono «criptati» sia sui dischi che nei sistemi di archiviazione e backup Testing Sono collezionati centralmente Audit Data, Log audit, db firewall security envents Security Monitoring and Analytics Cloud Service Configuration and Compliance Cloud Service Audit Log Server 18

19 ANALISI «NORMATIVA» Approccio metodologico ACS per la gestione della sicurezza 19

20 ACS Security Assessment Services Security Assessment Normativo Oracle Database Security Review and Support Analisi delle criticità e proposta di mitigazione del rischio Database Security Risk Assessment Service Vulnerability Assessment Service Application and Network Penetration Test Network Threat Analysis and Network Diagrams Assess Processes, Profiles, Data Sensitivity, Risks Discussione con il cliente relativamente al piano di mitigazione del rischio REPORT OF FINDINGS FOR DATABASE <NAME> PRIORITIZED ACTION CHART (Impact/Value view) ACTIVITY PLANNING (next steps) 20

21 Database Security Risk Assessment (DBSRA) Security Assessment Normativo Executive Summary Oracle software installation and Patch Oracle Database Security Review and Support Securing Storage Oracle Authentication and Password Security Oracle Authentication Options Database User Accounts Oracle Accounts Management Managing Passwords Analisi delle criticità e proposta di mitigazione del rischio REPORT OF FINDINGS FOR DATABASE <NAME> Oracle Net Services & Secure Communication Oracle Parameter Settings Protecting the Data Dictionary Protecting Oracle Directories and Oracle Files Oracle Profile Setup Settings In-depth security assessment of the Oracle database and workloads with 120+ database checks and interviews of applications and security owners Discussione con il cliente relativamente al piano di mitigazione del rischio General Policy and Procedures Database Activity Monitoring Risk-based report of findings, remediation recommendations 21

22 Database Security Risk Assessment - Recommendations Security Assessment Normativo Oracle Database Security Review and Support Analisi delle criticità e proposta di mitigazione del rischio Discussione con il cliente relativamente al piano di mitigazione del rischio Analisi del Rischio e definizione di un piano di mitigazione mediante l utilizzo delle Database Security Options 22

23 Database Security Risk Assessment - Planning JOURNEY BEST PRACTICES READINESS CONTINUOUS SECURITY DOCUMENTATION RISK MITIGATION 23

24 ACS Security Prevention Services SECURITY PRODUCTS TO PROTECT DATABASE DATA MANAGED SECURITY SERVICES Advanced Security Key Vault Data Masking and Subsetting Database Vault Label Security Audit Vault (and Database Firewall) Encrypt Oracle Databases transparently and redact sensitive application data Securely manage encryption key lifecycle as well as passwords, certificates and more Anonymize production data for testing and development environments Control privileged user access using least privilege and separation of duties enforcement Allow individual data records to be labeled with metadata that describes the characteristics of the data, and then enforces access to those records based on the metadata Centralized auditing, monitoring, reporting and alerting of anomalous database activity management ACS Managed Database Encryption Services (or Activation) ACS Security Service and Support for «Key Vault activation ACS Managed Database Masking Service (or Activation) ACS Managed Database Vault Service (or Activation) ACS Security Service and Support for «Label Security activation ACS Managed Database Audit Service (or Activation) 24

25 Vulnerability scan Assessment Recommandetions ACS Security Detection Services ACS Managed Security File Integrity Monitoring Service Data Center ACS Managed Security Database Audit Service Provides a complete audit service, detecting and alerting privileged access to your databases using Oracle Audit Vault. This service provides Audit Vault installation, design, configuration, test, management, ACS SIEM alerting integration, monitoring, and reporting Help protect application and environment files from compromise by monitoring and alerting on unauthorized changes. This service includes the setup of policies to monitor files relating to the application and database environment, ongoing monitoring and alerting of unauthorized changes ACS Managed Security Vulnerability Assessment Service Enables the environment running your application and database to have regular vulnerability assessments of the service infrastructure, detecting vulnerabilities and providing recommendation to remediate. This service includes regular vulnerability scans, scan reporting both at technical and executive summary level, remediation recommendations, and tracking of remediation activities 25

26 Benefici ottenuti con Approccio metodologico ACS Benefici dei Managed Security Services: ASSESSMENT Nella fase iniziale viene fornita una fotografia dettagliata del livello di sicurezza dell installato Oracle posto sotto assessment (nel caso specifico del Database) Viene definito un piano di mitigazione dei rischi PREVENTION Vengono attivati i servizi Oracle inerenti la sicurezza identificati come necessari in relazione agli obiettivi concordati in fase di analisi dei risultati dell assessment DETECTION Viene garantito il mantenimento dei livelli di sicurezza e «readiness» dell installato sia mediante assessment e vulnerability scan periodici che con opportuni monitoraggi 26

27 Oracle Advanced Security Services Mail: White Paper che descrive i servizi di sicurezza di Oracle ACS pdf 27

28 28 Thank you