gdpr are you ready? "data breach" means a breach of security leading to the accidental or...
TRANSCRIPT
Vesselin Yankov
Regional Representative
September 28, 2017
GDPR – Are You Ready?
• Prepare for GDPR and the upcoming campaign
• Overview of GDPR
• Familiarize yourself with the regulation and timelines
• Details and differences
• Data breaches and fines
• How to achieve compliancy
• Role of IAM
• Обхват на решението
• Questions you can ask
Objectives
GDPR – Some Facts
What is GDPR, anyway?
• GDPR (Regulation (EU) 2016/679)
replaces the current EU data protection
directive (95/46/EC), and intends to
strengthen and unify data protection for
individuals within the EU, and to give
citizens back control of their personal data.
• Adopted on 27th April 2016, and becomes
legally effective on 25th May 2018.
Why should customers care?
• The GDPR is a game-changer for organizations holding,
and protecting, personal, identifiable information on EU
citizens (PII).
• GDPR takes direct legal effect in EU member states
without need for local legislation
• Takes precedence over any local conflicting legislation,
including sector-related regulation
• Significant reputational risk & fines for non-compliance
• The EU can’t sustain a
“Patchwork Carpet”* of
Privacy Laws
• GDPR solves unique
privacy laws per country
• Difficult to conduct
business
- Multi-nation Employees
- Manage Customer Data
- Manage Health Care Records
Perspective on GDPR
*Christoph Stoica
Scope of GDPR – who is affected?
• Expanded territorial reach vs existing data protection
directive
• Applies to organisations established in the EU, but also to EU-
based entities, regardless of whether data is processed inside or
outside the EU; or organisations based outside the EU who are
offering goods and services to EU citizens, or monitoring their
behaviour where that behaviour takes place in the EU
Data Controllers & Data Processors
Data Controller:
"Controller" means the natural or legal
person, public authority, agency or any
other body which alone or jointly with
others determines the purposes and
means of the processing of personal
data; where the purposes and means of
processing are determined by EU or
Member State laws, the controller (or the
criteria for nominating the controller) may
be designated by those laws.
Data Controller:
"Controller" means the natural or legal
person, public authority, agency or any
other body which alone or jointly with
others determines the purposes and
means of the processing of personal
data; where the purposes and means of
processing are determined by EU or
Member State laws, the controller (or the
criteria for nominating the controller) may
be designated by those laws.
Data Processor:
"Processor" means a natural or legal
person, public authority, agency or any
other body which processes personal
data on behalf of the controller.
Data Processor:
"Processor" means a natural or legal
person, public authority, agency or any
other body which processes personal
data on behalf of the controller.
What do we mean by ‘Processing’ Personal Data?
Personal
Data
Collection
Recording
Organisation
Structuring Storage
Adaptation/Alteration
Retrieval
Use
Erasure
Destruction Consultation
• 1. Personal data shall be:
• (f) processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful
processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures ('integrity and
confidentiality').
• 2. The controller shall be responsible for, and be able to demonstrate
compliance with, paragraph 1 ('accountability').
Obligations when Processing Personal Data
What is Personal Data?
"Personal data" means any information relating to an
identified or identifiable natural person ("data subject");
an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an
identifier such as a name, an identification
number, location data, online identifier or to one or
more factors specific to the physical,
physiological, genetic, mental, economic, cultural or
social identity of that person.
"Sensitive Personal Data" are personal data,
revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union
membership; data concerning health or sex life and
sexual orientation; genetic data or biometric data.
But, who..?
• Organisations within scope must:
• Prove compliance – document/record the principles behind
processing decisions
• Implement comprehensive, proportionate governance measures
such as privacy impact assessments, and ‘privacy by design’
• Report data breaches within 72 hours of becoming aware of the
breach
More Accountability with GDPR
• Mandatory data breach reporting for all organisations is a
key change to current legislation
Data Breach Reporting?
Notification to relevant supervisory
authority:
Where the breach is likely to result in
significant detrimental effect on
individuals – i.e. discrimination,
reputation, financial loss, loss of
confidentiality or other social or
economic disadvantage
Notification to relevant supervisory
authority:
Where the breach is likely to result in
significant detrimental effect on
individuals – i.e. discrimination,
reputation, financial loss, loss of
confidentiality or other social or
economic disadvantage
Notification to individual concerned:
Where the breach is likely to result in
high risk to the rights and freedoms of
individuals, they must be notified directly
Notification to individual concerned:
Where the breach is likely to result in
high risk to the rights and freedoms of
individuals, they must be notified directly
"Data breach" means a breach of security leading to the
accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed.
i.e. a breach is more than just losing personal data
What is a Data Breach?
Data Breach Penalties
Failure to Notify
2% Global Turnover
Maximum of €10m
Failure to Notify
2% Global Turnover
Maximum of €10m
Serious Breaches
4% Global Turnover
Maximum of €20m
Serious Breaches
4% Global Turnover
Maximum of €20m
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to
this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6
shall in each individual case be effective, proportionate and dissuasive
GDPR Differentiated from PCI
GDPR
Non Prescriptive
Controls are not
mandated.
No mapping of controls.
PCI DSS Compliance*
Prescriptive
Controls like MFA are
mandated.
Mapped controls.
*Payment Card Industry
≠
What do customers need to do?
• Speak to their lawyers
• Undertake mandatory obligations, such as determining
whether they need to appoint a Data Protection Officer,
Privacy Impact Assessments and implement Privacy By
Design and Privacy by Default
• Look at GDPR holistically – it’s a whole organisation issue
• e.g. all employees must understand their obligations regarding the
processing of personal data
What do customers need to do…
3 Fundamental Principles for Protecting Personal
Data – What, Where, Who
What personal data do we store/process? Do we need to?
Where do we store/process personal data? Is it protected?
Who has access to personal data? Is it appropriate?
The major threat comes from inside
1- 2016 Ponemon Institute, The cybersecurity risk to knowledge assets 2- 2015 Ponemon Institute, Cost of Cyber Crime Study
The most likely root causes
of data breaches1
1.67
2.45
2.89
1- most likely
3- least likely
Careless
INSIDER
Malicious
INSIDER
EXTERNAL
Attacker
Malicious insiders
Denial of services
Web-based attacks
Phishing
Stolen devices
Malware
$145,000
$127,000
$96,000
$82,000
$34,000
$7,400
Average cost per attack2
The Role of IAM in Protecting Personal Data
1. Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical or
organisational measures ('integrity and confidentiality').
2. The controller shall be responsible for, and be able to demonstrate
compliance with, paragraph 1 ('accountability').
Remember this…?
GDPR impacts the way that organisations
need to think about security…
The Role of IAM in Protecting Personal Data
Manage &
Govern Rights
Enforce
Access
Controls
Monitor
Activity
How to achieve compliancy ?
( Обхват на решението )
MICROFOCUS CAN HELP !
• Внедряване на система за IT Assets Management
NetIQ Asset Management
Внедряване на инструмент за инвентаризация на всичките ИТ активи.
Придобиването на информация в реално време за всички устройства и софтуер в
ИТ инфраструктурата както и за тяхното натоварване и използване ще позволи да
се намали опасността от компрометиране на сиурността поради наличието на
неконтролирани източници на заплахи. Събирането и поддържането на актуална
информация ще позволи правилно да се планира обхвата на всеки един от
следващите етапи. Всеки опит за включване на нови устройства или за
инсталиране на нов софтуер ще се открива автоматизно и веднага и ще
предизвиква съответните действия.
Обхват на GDPR решението (1)
• Внедряване на система за Access Management и Privileged
Account Management (NetIQ)
Изграждане на система за предоставяне и за контрол на достъпа на потребители
до WEB базирани услуги в ИС с автентификация в LDAP. Интеграция на всички
WEB базирани приложни системи с досегашна локална автентификация към
системата за централизирана автентификация. Изграждане на услуга за
автентификация за външните потребители на услуги, предлагани от
организацията. Изграждане на система за управление и контрол на достъпа на
привилегированите потребители (потребители с административни права,
компрометирането на които крие най-голяма опасност). Осигуряване на
централизирана автентификация за администраторите на сървърите през LDAP
и ограничаване на локалния достъп.
Обхват на GDPR решението (2)
What does it do? • It delivers a seamless single sign-on (SSO) experience for internal and consumer users of all web applications using
standards-based federation (SAML, OAuth, OpenID Connect, WS-Federation, etc.) as well as other technologies.
• It allows organizations to securely share information—such as supply chain, customer, financial, intellectual property, patient
information (and so on)—with business participants.
• Enables administrators to quickly and effectively add or remove access as needed, as well as track access to ensure
compliance.
• Its risk-based authentication engine empowers organizations to increase the security of the services and applications
containing private information while simplifying access for low-risk services or situations.
Common uses
• Federation. Enable control user access and single sign-on through federation to cloud based applications.
• Gateway. Enable user access control and single sign-on across the organizations’ entire web
environment. Access Manager’s gateway is the best in the industry, providing integration for all types of web-based
applications.
• Fills out NetIQ’s Identity Manager solutions: 70% of access manager deployments are part of an IDM installation. Typically,
the end goal for managing identities is to control access.
• Office 365: Use Access Manager to address access control and single sign-on.
• Consuming social identities so governments and businesses can allow customers/citizens to use those identities rather than
create a new identity with the business. Access Manager also allows organizations to tie social identities to verified identities.
• Provide access to mobile apps by (1) pushing web apps out to portable devices through the MobileAccess App; (2)
integrating with mobile apps that support OpenID Connect; (3) using Access Manager’s iOS SDK (Android coming soon).
Capabilities • Provides SSO for mobile applications.
• Provides a simple-to-implement cross-platform portal (mobile devices as well as
full browsers)
• Supports standards-based federation like SAML, OAuth, OpenID Connect, WS-
Federation.
• The simple sign-on add-on supports any service that can’t be integrated through
standards based federation or the gateway.
• Enables SSO by managing multiple passwords for applications at the back end.
• Is integrated with the NetIQ Advanced Authentication Framework that lets
customers use almost any authentication methods, including biometrics, smart
cards, tokens and more.
• Makes it possible to deliver single sign-on access to Office 365 and Microsoft
SharePoint without the need to deploy and maintain complex Microsoft Active
Directory Federation Services (ADFS) configurations.
• Integrates with social identities so applications and services can be personalized
while not requiring the user to create another isolated user account.
• Includes built-in monitoring and analysis tools so that administrators can track
usage trends as well as spot anomalies.
• Внедряване на система за Identity Management (NetIQ)
Синхронизация, интеграция и репликация на информацията за
цифровите идентичности и информацията за активите между всички
информационни системи на организацията. Изграждане на удобен
механизъм за създаване, блокиране на електронна идентичност и
предоставяне на права от представители на “Човешки ресурси” без това
да ангажира системните администратори. Осигуряване на механизъм за
изграждане на различни нива на достъп до различните услуги;
Обхват на GDPR решението (3)
What does it do?
• Automates account creation and revocation, centralizes access administration and ensures every user has just one
identity.
• It reduces the time, effort and cost of changes (such as when a user changes jobs within a company), protects
against compliance violations by enforcing policy and controls, and makes it easy to immediately provision and
revoke resources.
• It provides management of roles, policies, workflow and reporting to meet the most demanding scale and regulatory
requirements.
• Solves problems:
• Integrate silos of identity to reduce security risk due to missed changes, while reducing the significant
workload placed on IT to maintain those silos.
• Add or remove accounts instantly to reduce or eliminate lag time that leaves users unproductive and exposes
the business to the risk of users who retain too much access when they leave a job or role.
• Condense the time needed to produce reporting on roles, users and activities down to minutes rather than
days or weeks.
• Centralize identity and access management for SaaS applications to avoid inconsistent policy enforcement
between internally and externally provided services.
• Reduce the time, expense and expertise needed to integrate with applications with the drag-and-drop
Designer utility.
• Внедряване на система за Single Sign-On и въвеждане на
многофакторна афтентикация
NetIQ Access Management, NetIQ Advanced Authentication, NetIQ Secure Login
Реализация на технология позволяваща осигуряване на достъп на потребителите
до всички приложения след еднократна автентификация и авторизация в
директорийната услуга. Осигуряване на възможности за внедряване на средства
за еднократно регистриране/подписване (Single Sign On) за приложения, за които
не може да се осигури централизирана автентификация в LDAP. Изграждане на
технология за използване на средства за многофакторна идентификация във
вътрешната и външната инфраструктура (Smart cards, Tokens, УЕП). Интеграция
на средствата за многофакторна идентификация с директорийната услуга;
Обхват на GDPR решението (4)
What does it do? • It enables organizations to elevate secure access beyond username
and password using multi-factor authentication methods. These
methods usually replace the traditional username and password
paradigm, but they can also be used to augment username and
password for interactions that need an extra layer of protection against
unauthorized access.
• Strong authentication methods are more foolproof than passwords can
ever be. With the Advanced Authentication, your customers can:
Safeguard access with multiple layers of security: What the user knows
(password), what the user has (smart card, token or other
authentication device) and who the user is (biometric authentication—
retina scans, breath and capillary analyzers, and more).
• Eliminate the need for passwords altogether—a simple card swipe or
finger scan (or any option required) immediately gives authorized users
access.
• Meet regulatory requirements for healthcare, finance, government, law
enforcement (including the Criminal Justice Information Services, or
CJIS, mandate) and more.
• Provide support for a wider range of devices than any other solution on
the market: Advanced Authentication integrates with almost any
authentication reader or device.
• Eliminate the need for multiple authentication solutions and separate
servers to support each device.
• Внедряване на система за Privilege Account Management (NetIQ)
• Изграждане на система за управление, мониторинг и контрол върху действията
на привилигированите потребители (администратори с максимални права на
достъп). Персонифициране на правата на база роли/задължения и текущ одит
върху всички действия извършвани от привилигированите потребители.
• Изграждане и настройка на система за алармиране в реално време при
откриване на инциденти, свързани с действията на привилигированите
потребители.
Обхват на GDPR решението (5)
What does it do? • Manage insider risk by closely controlling and monitoring what
privileged users, such as super-users and administrators, are doing
with their access.
• It eliminates the need to distribute administrative credentials to the
entire administrative staff by delegating privileged account access
rights using configurable, centralized policies
• You can:
• Secure privileged access to sensitive assets with advanced
authentication controls: Integrates with NetIQ Advanced
Authentication to support two factor authentication and step-up
authentication.
• Single sign-on to Linux and UNIX servers: Authorized users
can access servers without entering additional credentials or
complex commands.
• Ensure users get only the access rights they need, when they
need them: Users can only perform administrative tasks that
are specific to their identity and role.
• Eliminates use of “global” passwords. Shared Account
Password Management (SAPM): Store credentials in a secure
vault that authorized users must check out. Supports
databases, applications and systems in both physical and
virtual (e.g., VMware ESXi) environments.
• Risk-based privileged session control: Immediately identifies
potential threats as they are typed and can be configured to
automatically terminate the session or revoke access.
• Внедряване на система Security information and event
management (SIEM) и File Integrity Monitoring (FIM)
NetIQ Sentinel, NetIQ Change Guardian
• Изграждане на система за мониторинг и управление на събития, свързани с
информационната сигурност (Log Management). Осигуряване на възможност за
регистриране (logging), и контрол (auditing) на дейностите на потребителите с
възможност за извършване на справки за произволен период от време.
Изграждане и настройка на система за алармиране в реално време при
откриване на инциденти, свързани с комуникационно-информационните системи;
• Внедряване на система за File Integrity Monitoring.
Обхват на GDPR решението (6)
• GDPR (Регламент (ЕС) 2016/679 на Европейския парламент и на
Съвета от 27 април 2016 година относно защитата на
физическите лица във връзка с обработването на лични данни и
относно свободното движение на такива данни),
• НАРЕДБА за общите изисквания за мрежова и информационна
сигурности,
• Директива (ЕС) 2016/1148 на Европейския парламент и на
Съвета от 6 юли 2016 г. относно мерки за високо общо ниво на
сигурност на мрежите и информационните системи в Съюза
Важни закони и нормативни актове:
БД 1
ЦИ
П1
БД N
ЦИ
П N
Централно репозитори за ЦИ
Управление на Цифрови Идентичности
(процеси, форми, логика, правила, ... )
Управление на Достъпа до уеб приложения
Управление на одитни записи (логове) (LM)
Управление на инциденти (SIEM)
Въпроси и коментари ?
• Веселин Янков
• +359 888 340 856