GRC3386BUS
GDPR Readiness with IBM Cloud Secure Virtualization
Raghu Yeluri, Intel Corporation
Shantu Roy, IBM
Bill Hackenberger, HyTrust
#VMworld #GRC3386BUS

Agenda
- GDPR Overview & Requirements
- IBM Secure Virtualization Solution Overview
- Summary / Call to Action
- Q & A

Security Continues to be #1 Barrier for Cloud Adoption
Cloud adoption barriers:
- #1 General security risks: 33%
- #2 Lack of staff resources or expertise: 28%
- #3 Integration with existing IT environments: 27%
- #4 Data loss & leakage risks: 26%
- #5 Legal & regulatory compliance: 24%
Main concerns:
- Data Loss/Leakage: 57%
- Data Privacy: 49%
- Confidentiality: 47%
- Regulatory compliance: 36%
- Data Sovereignty/Control: 30%
Data from Cloud Research Partners
General Data Protection Regulation (GDPR) Overview
Is GDPR the next Y2K for data privacy and data protection?
- Replaces the Data Protection legislation of the 90s
- One single set of data protection rules across EU
- Will come into force throughout the EU on May 25, 2018
- Gives individuals much more control over their personal data
VMworld 2017. Content: Not for publication

Top 10 GDPR Provisions
- One Law
- Territorial Scope
- Increased Fines
- Breach Notification
- Opt-in Consent
- Joint Liability
- Right to Removal (RTBF)
- Data Transfer
- Common Enforcement
- Collective Redress

Key GDPR Definitions
- Data Controller: The organization that defines the reason for the data collection, decides how the data is collected and processed and is ultimately responsible for its safekeeping
- Data Processor: A person or body acting on behalf of the data controller to store or process the data
- Supervisory Authorities: Public bodies set up by the governments of the EU countries to help advise data controllers and data subjects on the law and enforce the regulation
- Data Subject: The individual whose data is being collected and can be identified from that data
- Personal Data (PII): Any information relating to an identified or identifiable natural person (data subject)

Types of Personal Information
- Name
- Address
- Date of Birth
- Online Identifier
- Personal Email Address
- Business Email Address
- Phone Number
- Sensitive Personal Data: Ethnic Origin, Health, Religious Beliefs
No matter where you are in the world, if you do business within the EU, you need to comply with GDPR!
Substantial increase in fines for organizations that do not comply with GDPR. The two-tier fine structure for different violations can vary from 2% to 4% of global revenue or 10M euro to 20M euro, whichever is greater.
The local supervisory authority must be informed within 72 hours of any data loss, and users informed as soon as possible, unless the data was encrypted or a form of pseudonymization was used. In that case the data is automatically deemed secure and the organization is not required to notify the data subject or supervisory authority of the breach or distribution.
Data belongs to the data subject NOT the data controller
The Right to be Forgotten
Organizations will be required to implement appropriate technical and organizational measures in relation to the nature, scope, context and purposes of their handling and processing of personal data.
GDPR = 11 Chapters, 81 Pages, 99 Articles, 100+ Recitals
~ 12 articles address technical measures

GDPR Articles - some specifics
- Article 5: Principles relating to personal data processing
- Article 24: Responsibility of the controller
- Article 24: Data protection by design and by default
- Article 28: Processor
- Article 32: Security of processing
- Article 6: Lawfulness of processing
- Article 17: The Right to Erasure (aka The Right to Be Forgotten)
- Article 34: Communication of a personal data breach to the data subject
- Article 44: General Principle for Transfers
Core Requirements*: Encryption, Audit and Compliance, Data Sovereignty
- Article 30: Records of processing activities
- Article 33: Notification of a personal data breach to the supervisory authority
- Article 44: General Principle for Transfers
IBM Cloud Secure Virtualization (ICSV)
A VMware Portfolio Solution
IBM Cloud is first to market with a solution that captures the benefits of both HyTrust software and Intel Trusted Execution Technology to protect virtualized workloads down to the microchip level. Includes VMware Cloud Foundation licenses and infrastructure (NSX, vSAN, vCenter, vSphere).
Intel Xeon Processor Bare Metal Servers + Intel TXT Enabled
[Diagram: workloads (App/OS) holding Customer Demographics, Point of Sale Transactions, Customer Credentials and Intellectual Property, protected by CloudControl and DataControl on VMware Cloud Foundation]

ICSV Solution Benefits
A Combined Security Offering from IBM, HyTrust and Intel
- HyTrust Software: Provides policy and access controls for cloud security, reporting, and encryption software
- IBM Cloud: Provides automated VMware solutions on trusted Bluemix bare metal infrastructure
- Intel Trusted Execution Technology: Provides hardware-based (chipset) security technology to protect workloads
A powerful solution together:
- Policy-enforced controls and access management
- Confidence that workloads always run on known trusted hardware and software stacks
- Keys under tenant control, and data decryption only when access, location policies are met
- Streamlined visibility and reporting for corporate and regulatory compliance
[Diagram: CloudControl at the virtualization layer (Virtualization Admin, Virtual Machine), Intel TXT at the physical layer, DataControl at the storage layer (Application, Application User, Encrypted VMs and Data)]

Benefits of IBM Cloud for VMware Solutions
IBM Differentiation
- Compatibility: Full compatibility with vCenter on and off premises; workload portability puts you in charge; continue with existing staff, tools and infrastructure
- Speed & Flexibility: Deploy in hours in multiple configuration sizes; expand and contract capacity as your needs change; deploy single site or multi-site configurations globally
- Cloud Economics: Predictable & simplified budgeting; no long term contract overhead; pay for what you use with cloud OpEx model

Translating to Requirements
How does the Data Controller:
- Maintain environment control and visibility to manage, monitor, and govern data access?
- Provide security policies and implement granular security controls?
- Protect the Personal Data related to the Data Subject?
- Audit/verify security controls implemented by the Data Processor?
How does the Data Processor:
1. Verify the provisioning of the infrastructure of the sub-processor?
2. Protect workloads (inc. data) from deploying on compromised or unsanctioned infrastructure?
3. Control where workloads and applications are running?
4. Enable Right to be Forgotten?
5. Support Data Sovereignty requirements of the Data Controller?

Intel Benefits
Trust, resilience, visibility/control
Secure the platform, protect the data, without compromising performance
At-rest, in-flight, in-use
Effective security is built on a foundation of trust
Intel Trusted Execution Technology: Hardware Root of Trust
1. System powers on and Intel TXT verifies system BIOS/firmware (server with TPM)
If the measurement matches (MATCH!):
2. Hypervisor measure matches
3. OS and applications are launched, known trusted
If the measurement does not match (POSSIBLE EXPLOIT!):
2. Hypervisor measure does not match
3. Policy action enforced, known untrusted
Ensure a measured environment baseline with Intel Trusted Execution Technology (Intel TXT):
- System boot stack gets crypto-hashed before execution
- Hash values get safely stored in Trusted Platform Module (TPM)
- Match to known-good values determines system trust status
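The measure-then-compare flow on this slide, as an added Python sketch that is not code from the presentation or from Intel. It assumes a single SHA-256 register and constructed boot images; a real Intel TXT launch records measurements in several TPM PCRs.

```python
import hashlib
import hmac

def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measure_boot(stack) -> bytes:
    """Hash every stage in launch order, before that stage would execute."""
    pcr = bytes(32)  # register is all zeroes after reset
    for _name, image in stack:
        pcr = extend(pcr, image)
    return pcr

def trust_status(stack, known_good: bytes) -> str:
    """Compare the final measurement with the known-good value."""
    match = hmac.compare_digest(measure_boot(stack), known_good)
    return "known trusted" if match else "known untrusted"

def first_mismatch(stack, reference):
    """Replay both stacks and name the first stage whose running value diverges."""
    pcr_a = pcr_b = bytes(32)
    for (name, image), (_ref_name, ref_image) in zip(stack, reference):
        pcr_a, pcr_b = extend(pcr_a, image), extend(pcr_b, ref_image)
        if pcr_a != pcr_b:
            return name
    return None

# Constructed sample boot stacks (placeholder bytes, not real firmware images).
GOOD = [
    ("bios", b"BIOS image 1.2"),
    ("firmware", b"platform firmware 7"),
    ("hypervisor", b"hypervisor build 100"),
]
TAMPERED = GOOD[:2] + [("hypervisor", b"hypervisor build 100, modified")]
KNOWN_GOOD = measure_boot(GOOD)  # value recorded when the baseline was taken

if __name__ == "__main__":
    for label, stack in (("baseline", GOOD), ("modified", TAMPERED)):
        print(label, "->", trust_status(stack, KNOWN_GOOD),
              "| first diverging stage:", first_mismatch(stack, GOOD))
```

Because each extend folds the previous value into the next hash, a later stage cannot restore the register to the known-good value once an earlier stage has been measured differently.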
Intel Cloud Integrity Technology
Intel provides a protected launch & hardware-enforced geolocation
- Trusted Platform and Workloads Launch: Verification of the integrity of the launch of the platform and workloads (VMs, containers) to provide trust and assurance
- Trusted Compute Pools: Attestation provides information to inform which systems are trustworthy for hosting workloads
- Compliance: Attestation allows verification of platform and workload trust for comparison against policy and use in audit; this includes geo-boundaries
[Diagram: chain of trust by capability (platform integrity, location and boundary control, workload integrity) built on Intel TXT + TPM, data center firmware, BIOS and hypervisor]
Intel Cloud Integrity Technology leverages Intel TXT

HyTrust Benefits
HyTrust Simplifies Security at Scale
- HyTrust CloudControl with Intel TXT: Protect server virtualization; control of private cloud; secure single-tenancy; continuous compliance
- HyTrust DataControl: Workload encryption; key management; public/hybrid cloud IaaS migration
- HyTrust BoundaryControl with Intel TXT: Workload & data geo-fencing; tenant-defined boundaries; data sovereignty; contextual tagging
HyTrust BoundaryControl
- Define and create a logical boundary by geography, regulatory standard, department, etc.
- Assign tags to key assets (tags shown: Finance, PCI, PII*, German)
- Define policies and automate security control enforcement for your defined boundary (policy shown: "Do not decrypt workload unless it is running on Host B")
- Automatically encrypt workloads within the boundary
- Automatically provision, configure, and enforce security controls for all things inside your defined logical boundaries
Intel TXT provides Hardware Root-of-Trust
[Diagram: tagged assets across Workload, Host/Server, Network and Storage]
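A tag-and-boundary policy of the kind on this slide ("do not decrypt workload unless it is running on Host B"), as an added Python sketch; it is not HyTrust code or its API. The `Host`, `Workload` and `release_key` names, the hosts' tags and the key bytes are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    attested_trusted: bool  # outcome of hardware attestation for this host
    tags: frozenset         # tags assigned to the host asset

@dataclass(frozen=True)
class Workload:
    name: str
    boundary: frozenset     # tags a host must carry before data is decrypted

def release_key(workload, host, keystore):
    """Return (key, reason); key is None whenever any check fails (default deny)."""
    if not host.attested_trusted:
        # Tags reported for an unattested host cannot be relied on, so stop here.
        return None, "host not attested as trusted"
    missing = workload.boundary - host.tags
    if missing:
        return None, "host outside boundary, missing tags: " + ", ".join(sorted(missing))
    key = keystore.get(workload.name)
    if key is None:
        return None, "no key registered for workload"
    return key, "released"

# Constructed sample data (hypothetical hosts, workload and placeholder key).
HOST_A = Host("Host A", True, frozenset({"PCI"}))
HOST_B = Host("Host B", True, frozenset({"PII", "German"}))
HOST_C = Host("Host C", False, frozenset({"PII", "German"}))
PAYROLL = Workload("payroll-db", frozenset({"PII", "German"}))
KEYSTORE = {"payroll-db": b"\x00" * 32}

if __name__ == "__main__":
    for host in (HOST_A, HOST_B, HOST_C):
        _key, reason = release_key(PAYROLL, host, KEYSTORE)
        print(host.name, "->", reason)
```

Host C carries the right tags but fails attestation, so the key is withheld before the tags are even consulted.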
IBM Benefits
IBM Cloud Automates the Infrastructure
VMware Cloud Foundation on IBM Cloud natively integrates vSphere, NSX and vSAN full stack virtualization along with the lifecycle management of SDDC Manager. This deployment is automated, offering fast and repeatable installation. IBM Cloud offers the benefits of global scale with over 50 interconnected data centers worldwide.
[Diagram: Management and Apps on top of Network Virtualization, Compute Virtualization and Storage Virtualization, on Physical Infrastructure]

Solution Benefits
- Server Platform Integrity: Only allow virtual workloads to run on untampered hardware and software
- Privileged User Controls: Reduce admin risk with advanced role based access controls and secondary approval workflows
- Data Decryption by Location: Only allow virtual server data to be decrypted in authorized locations
- Deployment Control by Location: Ensure only certain virtual servers run on hardware in authorized locations
- Security and Compliance Automation: Continuous monitoring and reporting of controls to support regulatory and industry compliance
Take Action
- Identify customers with intensive data security & compliance needs (GDPR, PCI, HIPAA)
- Schedule a discovery meeting to assess customers' needs (IBM Technical solutions team - Intel & HyTrust can assist)
- Set up a Technical Workshop to engage Security & Compliance Teams (IBM Technical solutions team - Intel & HyTrust can assist pilot planning)
- Execute a pilot or proof of concept for interested customers (process and promotion for POC is on the wiki)
- Check out more information on the wiki
2017 HyTrust, Inc.

Ordering Codes
Cloud BU
- L30 6950-17V - IBM Bluemix Secure Virtualization (Cloud BU) (for Cloud Foundation)
- L30 6950-16F - IBM Bluemix Implementation Services (Cloud BU CPS)
GTS BU
- L30 6941-95X - IBM Bluemix Secure Virtualization (GTS BU) (for Cloud Foundation)
- L30 6941-95A - IBM Bluemix Implementation Services (GTS mirror code)
*Latest ordering codes can be found on VMware wiki