data privacy & security: gdpr and what it means to you · a comprehensive approach to non-prod...
TRANSCRIPT
© 2019 Delphix. All Rights Reserved. Private and Confidential.© 2019 Delphix. All Rights Reserved. Private and Confidential.
Alexandros Mathopoulos | Product Manager, Delphix
Data Privacy & Security:GDPR and What it Means to You
March 28, 2019
© 2019 Delphix. All Rights Reserved. Private and Confidential.
1 GDPR Overview
2 Key Articles of GDPR
3 Security Controls
Agenda
2
© 2017 Delphix. All Rights Reserved. Private and Confidential.© 2019 Delphix. All Rights Reserved. Private and Confidential. 3
Effective Date
May 25, 2018
© 2017 Delphix. All Rights Reserved. Private and Confidential.© 2019 Delphix. All Rights Reserved. Private and Confidential. 4
Effective Date
May 25, 2018Scope
500+ Million EU Residents
© 2017 Delphix. All Rights Reserved. Private and Confidential.© 2019 Delphix. All Rights Reserved. Private and Confidential. 5
Effective Date
May 25, 2018Scope
500+ Million EU ResidentsFines
4% of Global Revenue
© 2019 Delphix. All Rights Reserved. Private and Confidential. 6
Personal Data
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
”- Article 4
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Key Articles of GDPR
7
BREACH NOTIFICATION
Responsibilities
PROTECTIONOFFICER
CONSENT
RIGHT TO BE FORGOTTEN
PROFILING PROTECTION
CROSS BORDER TRANSFERS
“In the case of a personal data breach ...not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
Article 33
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Key Articles of GDPR
8
BREACH NOTIFICATION
Responsibilities
PROTECTIONOFFICER
CONSENT
RIGHT TO BE FORGOTTEN
PROFILING PROTECTION
CROSS BORDER TRANSFERS
“The controller and the processor shall designate a data protection officer...The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
Article 37,38, & 39
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Key Articles of GDPR
9
BREACH NOTIFICATION
Responsibilities
PROTECTIONOFFICER
CONSENT
RIGHT TO BE FORGOTTEN
PROFILING PROTECTION
CROSS BORDER TRANSFERS
“the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data...presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language...the data subject shall have the right to withdraw his or her consent at any time.”
Article 7
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Key Articles of GDPR
10
BREACH NOTIFICATION
Responsibilities
PROTECTIONOFFICER
CONSENT
RIGHT TO BE FORGOTTEN
PROFILING PROTECTION
CROSS BORDER TRANSFERS
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection..”
Article 44 & 45
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Key Articles of GDPR
11
BREACH NOTIFICATION
Responsibilities
PROTECTIONOFFICER
CONSENT
RIGHT TO BE FORGOTTEN
PROFILING PROTECTION
CROSS BORDER TRANSFERS
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
Article 22
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Key Articles of GDPR
12
BREACH NOTIFICATION
Responsibilities
PROTECTIONOFFICER
CONSENT
RIGHT TO BE FORGOTTEN
PROFILING PROTECTION
CROSS BORDER TRANSFERS
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
Article 17
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Security ControlsThere exist 2 controls that allow you to be exempt and/or relaxed from GDPR
responsibilities. Anonymization & Pseudonymization.
© 2019 Delphix. All Rights Reserved. Private and Confidential. 14
Pseudonymization
“The principles of data protection should apply to any information concerning an identified or identifiable natural person…..principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information”
Anonymization
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Psuedonymize Data with Tokenization
Name
Charles Evans
Email Address
Credit Card #
3233-4123-8211-6723
Name
5E23LuuX4uhkeAbLBX==
Email Address
D0AFec#9EHQ+PsE/tM==
Credit Card #
kkIEDX2xY/+asEQ1v90==
Tokenization
Name
Charles Evans
Email Address
Credit Card #
3233-4123-8211-6723
Re-Identification
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Name
Email Address
Credit Card #
7253-6623-0291-9074
Louis Brett
Anonymize Data with Masking
“DATA AT RISK” IS IN DATABASES
Name
Credit Card #
Charles Evans
Email Address
3233-4123-8211-6723
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Non-Production Data Represents a Major Hidden Risk
NON-PRODUCTION (80%)
PRODUCTION DATA (20%)
» Is constantly growing
» Entails multiple types of repositories
» Is often less protected by security and governance measures
Non-Production Data:
© 2019 Delphix. All Rights Reserved. Private and Confidential. 18
Data Still Needs To Be Useful...
© 2019 Delphix. All Rights Reserved. Private and Confidential. 19
DB2 Mainframe DB2 LUW DB2 iSeries
Oracle SQL Server
Data Source Almost Never Live In Isolation
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Masking Eliminates Sensitive Data in Non-Production
“DATA AT RISK” IS IN DATABASES
Claimant Table
ID First_Name
1 George
2 Mary
3 John
Employee Table
ID F-Name
5 John
6 George
7 Mary
Claimant Table
ID First_Name
1 Michael
2 Clara
3 Damien
Employee Table
ID F-Name
5 Damien
6 Michael
7 Clara
Unmasked Data Masked Data
REALISTIC Value preserved for testing and analysis
REFERENTIAL INTEGRITY Data is masked consistently, even across heterogeneous sources
IRREVERSIBLE Sensitive data cannot be
retrieved
REPEATABLE Automation to keep pace
with changing dataSENSITIVE DATA IN PRODUCTION
Social Security Numbers, Credit Card Information, Patient Information, Email Addresses
© 2017 Delphix. All Rights Reserved. Private and Confidential.© 2019 Delphix. All Rights Reserved. Private and Confidential. 21
© 2019 Delphix. All Rights Reserved. Private and Confidential.
A Comprehensive Approach to Non-Prod Data Security
SECURE
APPLY automatic or custom masking with
consistency, repeatability
DISCOVER
IDENTIFY sensitive data and create an
enterprise-wide risk profile
DELIVER
DISTRIBUTE secure data to non-production
environments in minutes
© 2017 Delphix. All Rights Reserved. Private and Confidential.
Delphix Dynamic Data PlatformDeliver masked data in just minutes
Applications
Files
Databases
Rich APIsDD ControlsSelf Service
Datapods
On-Prem Any Server
Private Cloud
Public Cloud
SyncCompressProvision
CompliancePolicyMasking
DistributeAudit & ReportManage
VIRTUALIZE SECURE MANAGE
DBA
23
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Masking Eliminates Sensitive Data in Non-Production
“DATA AT RISK” IS IN DATABASES
Claimant Table
ID First_Name
1 George
2 Mary
3 John
Employee Table
ID F-Name
5 John
6 George
7 Mary
Claimant Table
ID First_Name
1 Michael
2 Clara
3 Damien
Employee Table
ID F-Name
5 Damien
6 Michael
7 Clara
Unmasked Data Masked Data
REALISTIC Value preserved for testing and analysis
REFERENTIAL INTEGRITY Data is masked consistently, even across heterogeneous sources
IRREVERSIBLE Sensitive data cannot be
retrieved
REPEATABLE Automation to keep pace
with changing dataSENSITIVE DATA IN PRODUCTION
Social Security Numbers, Credit Card Information, Patient Information, Email Addresses
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Mask virtual copy one time
Repeatable and Secure Data DeliveryMask once, deliver many
25
Production Source
DEV
QA• Provision a complete, virtual copy of production• Automatically discover and mask sensitive data • Distribute multiple masked copies packaged in data pods• Provide testers with self-service control• Easily refresh data copies
Distribute secure copies in minutes
© 2019 Delphix. All Rights Reserved. Private and Confidential.
CLOUD
Enable Secure Dev/Test in Hybrid Cloud Architectures
26
ON-PREMISEProduction Source
DEV
QA• Synchronize with on-prem source• Compress and mask data• Replicate secure data to cloud-based instance• Provision data pods to consumers
© 2019 Delphix. All Rights Reserved. Private and Confidential.
Delphix Dynamic Data Platform and GDPR
Ease “Cross Border Transfer” restrictions using pseudonymisation and anonymization
Protection of live production data
Satisfy “Right to Be Forgotten” requirements for non-production
Breach notification support
Secure personal data in both cloud and on-premises data through pseudonymisation and anonymization