
Post on 14-May-2020

TRANSCRIPT

How DevOps for the Database Helps with Compliance

Steve Jones, Evangelist, Redgate Software
Editor, SQLServerCentral

26 years SQL Server data experience
DBA, developer, manager, writer, speaker in a variety of companies and industries

Founder, SQLServerCentral
And current editor, with the goal of helping you learn to be a better data professional every day

10 years Microsoft Data Platform MVP
I have been honored to be recognized by Microsoft for the last decade as an MVP

Richard Macaskill, Product Manager, Redgate Software

20 years Oracle and SQL Server
Jumped from Oracle 7.3 to SQL Server 7 in 2000.
Financial Systems, BI, Line-of-Business, Risk, Performance.

London Financial Services
BI Dev for Lloyds of London, all-round developer for investment management.
Hedge fund IT management.

Product Manager at Redgate
SQL Clone, SQL Data Masker, Data Protection and Privacy.
Currently boring everyone within earshot with Compliance and DevOps stories.

Grant Fritchey, Product Evangelist, Redgate Software

PASS President
Currently serving as President in charge of governance and finance

Author
I’m the Author of “SQL Server Execution Plans” and “SQL Server Query Performance Tuning”, co-author of several more

Microsoft SQL Server MVP
Since 2009 I have been honored to be recognized by Microsoft as an MVP

Agenda

• What is Data Governance?

• What is Compliance?

• Achieving Compliance in your data estate

• What is Database DevOps?

• A slice of compliant DevOps – 3 x demos

• The impact of DevOps on compliance

What is Data Governance?

“Data governance … is the overall management of the availability, usability, integrity and security of data used in an enterprise.”
– Techtarget

“… the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.”
– Gartner

The context of databases and ITOps

• Breaking down silos

• Data is a business asset, not an IT asset

• Up-front decision making

• A cultural shift from ‘trust me’ to ‘show me’

Increasing tide of laws & legislation

• Health Insurance Portability and Accountability Act (HIPAA, 1996)

• The UK Data Protection Act (DPA, 1998)

• Gramm-Leach-Bliley Act (GLBA, 1999)

• Sarbanes-Oxley (SOX, 2002)

• Payment Card Industry requirements (PCI)

• China Cybersecurity Law (2017)

• Singapore Cybersecurity Bill (2017)

• NY DFS Cybersecurity Regulation (2017)

• EU GDPR (2018)

• EU NIS Directive (2018)

• NIST Special Publication 800-53 (draft, revision 5)

Plus ongoing industry-specific regulations & requirements

• Securities and Exchange Commission (SEC)

• Federal Trade Commission

• Commodity Futures Trading Commission (CFTC)

• The Financial Conduct Authority

• Prudential Regulation Authority

• Solicitors Regulatory Authority

• NHS Digital

• UK Gambling Commission

Plus a rising tide of concern at data breaches

Why Comply?

• NY DFS – up to $75,000 per day

• SOX – up to $5m for incorrect certification

• The UK Data Protection Act - £500,000

• HIPAA – up to $50,000 per record, $1.5m per year

• FCA/PRA - £56m for RBS Group (2014)

• PCI – you can’t take payments

• EU GDPR & NIS Directive – up to 4% of global revenue or €20m

• Prison

How do we comply?

• COBIT

• ISO 27002 (supported by ISO 27001)

• ITIL (supported by ISO/IEC 20000:2011)

• SOC 2

• Do-it-yourself

Who Cares?

External

• Regulators (The SEC / FCA / FTC)

• Authorities

• Clients and customers

• Shareholders

Internal

• The Board

• Risk & Compliance (Auditors)

• Sales & Marketing

• Information Security management

• IT management (IT Ops / Developers / DBAs)

Data Governance Implementation Survey: Key Findings

77% have implemented or plan to implement a Data Governance program within the next two years.

44% of respondents cited regulation as the key driver.

Successful programs used 11 tools on average

What is Compliance?

• Applying customers’ instructions faithfully

• Not breaking the law

• Industry regulator’s requirements

• Alignment with regulations

Achieving compliance in your data estate

• Tick the boxes?

• Outsource?

• Ignore?

• Change the way we think?

What is DevOps?

“DevOps is the union of people, process, and products to enable continuous delivery of value to our end users.”
– Donovan Brown, Principal DevOps Program Manager, Microsoft

Achieving Database DevOps Success

• Environments & Deployment

• Continuous Integration & Deployment

• Protecting & Preserving Data

Barriers to successful compliance projects

52% - Understanding of what is required

51% - Alignment across the organization

47% - Appropriate skills in the team

41% - Awareness of benefits to the business

40% - Resource

Demo 1

Demo 2

Demo 3

Part One – Monitoring Change

Availability Management

• ‘the ability to restore the availability and access to personal data in a timely manner’ – Article 32, GDPR

• ‘records shall be protected from loss, destruction’ – ISO 27001

• ‘…data or information is accessible and useable upon demand by an authorized person.’ – HIPAA

Monitoring Demo
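The monitoring demo itself is not reproduced in the deck. As an added example (not Redgate's code and not part of the original presentation), the script below shows the idea behind "monitoring change" in the ‘trust me’ to ‘show me’ sense: fingerprint every schema object, keep the fingerprint as the baseline, and report anything that differs on the next check. sqlite3 stands in for SQL Server so the example runs offline; on SQL Server the same fingerprint would be taken over the sys.sql_modules and sys.tables / sys.columns catalog views. The table names and the two "unrecorded" changes are constructed for the demonstration.

```python
import hashlib
import sqlite3
from typing import Dict, List

# Constructed baseline schema (stand-in for the production database the deck monitors).
BASELINE_DDL = [
    "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT)",
    "CREATE TABLE trades (id INTEGER PRIMARY KEY, customer_id INTEGER REFERENCES customers(id), amount REAL)",
    "CREATE INDEX ix_trades_customer ON trades(customer_id)",
]


def schema_fingerprint(conn: sqlite3.Connection) -> Dict[str, str]:
    """Map each schema object ('type:name') to a SHA-256 of its whitespace-normalised DDL."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY type, name"
    ).fetchall()
    fingerprint: Dict[str, str] = {}
    for obj_type, name, sql in rows:
        normalised = " ".join(sql.split()).lower()  # ignore formatting-only differences
        fingerprint[f"{obj_type}:{name}"] = hashlib.sha256(normalised.encode("utf-8")).hexdigest()
    return fingerprint


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two fingerprints; anything listed here changed outside the recorded pipeline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Take a baseline, apply two changes nobody recorded, and report the drift."""
    conn = sqlite3.connect(":memory:")
    for ddl in BASELINE_DDL:
        conn.execute(ddl)
    baseline = schema_fingerprint(conn)

    # Simulated out-of-band changes: a column for personal data appears, an index disappears.
    conn.execute("ALTER TABLE customers ADD COLUMN national_id TEXT")
    conn.execute("DROP INDEX ix_trades_customer")

    return detect_drift(baseline, schema_fingerprint(conn))


if __name__ == "__main__":
    for kind, objects in demo().items():
        print(f"{kind}: {objects}")
```

Running the baseline check on a schedule, and storing each fingerprint with a timestamp, turns the availability and integrity requirements quoted above into evidence an auditor can read: the first appearance of a new column holding personal data is dated and attributable, rather than discovered during the next incident.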

Part Two – Change Control and Testing for Assurance

What is compliant software development?

• Risk-managed

• Tested

• Reviewable

What is compliant software development?

• Small changes, automated quality

• CI/CD with test

• Records of change

Dave Farley on regulation and continuous delivery

“My experience of working in heavily regulated industries, mostly finance in different countries, is that the regulators quickly appreciate this stuff and they *love* it.

CD gives almost ideal traceability, because of our very rigorous approach to version control and the high-levels of automation that we employ we get FULL traceability of every change, almost as a side-effect.”

Redgate Webinar Q&A, May 2016. Transcribed at www.davefarley.net
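The "records of change" bullet and the traceability Dave Farley describes come down to one mechanism: every change is a versioned script, and applying it writes an audit row in the same transaction. The following is an added example (not Redgate's tooling and not from the presentation) of such a migration ledger. It uses sqlite3 as a stand-in for SQL Server; the two migration scripts, the `schema_changes` table and the `ci-pipeline` identity are constructed for the demonstration. Two properties matter for assurance: a script that has already run is skipped, and a script whose text no longer matches the hash recorded when it ran is refused rather than silently re-applied.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed migration scripts (version, SQL), in the order a pipeline would apply them.
# In a real pipeline these come from version control.
MIGRATIONS: List[Tuple[str, str]] = [
    ("001_create_customers", "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"),
    ("002_add_email", "ALTER TABLE customers ADD COLUMN email TEXT"),
]

LEDGER_DDL = """
CREATE TABLE IF NOT EXISTS schema_changes (
    version     TEXT PRIMARY KEY,
    script_hash TEXT NOT NULL,
    applied_by  TEXT NOT NULL,
    applied_at  TEXT NOT NULL
)"""


def script_hash(sql: str) -> str:
    """Content hash of the script text, stored so a later edit to an applied script is detectable."""
    return hashlib.sha256(sql.encode("utf-8")).hexdigest()


def apply_migrations(conn: sqlite3.Connection, migrations: List[Tuple[str, str]], applied_by: str) -> List[str]:
    """Apply pending scripts in order and return the versions applied in this run.

    Each script and its ledger row commit in one transaction, so the audit trail can never
    show a change that was not made, or a change without its record.
    """
    conn.execute(LEDGER_DDL)
    recorded: Dict[str, str] = dict(conn.execute("SELECT version, script_hash FROM schema_changes"))
    applied_now: List[str] = []
    for version, sql in migrations:
        digest = script_hash(sql)
        if version in recorded:
            if recorded[version] != digest:
                raise RuntimeError(f"{version}: script text differs from the version recorded as applied")
            continue  # already applied and unchanged: nothing to do
        conn.execute("BEGIN")
        try:
            conn.execute(sql)
            conn.execute(
                "INSERT INTO schema_changes (version, script_hash, applied_by, applied_at) VALUES (?, ?, ?, ?)",
                (version, digest, applied_by, datetime.now(timezone.utc).isoformat()),
            )
            conn.execute("COMMIT")
        except Exception:
            conn.execute("ROLLBACK")
            raise
        applied_now.append(version)
    return applied_now


def demo():
    """First run applies everything, second run is a no-op, an edited script is refused."""
    # isolation_level=None hands transaction control to the explicit BEGIN/COMMIT above
    conn = sqlite3.connect(":memory:", isolation_level=None)
    first_run = apply_migrations(conn, MIGRATIONS, "ci-pipeline")
    second_run = apply_migrations(conn, MIGRATIONS, "ci-pipeline")

    tampered = [(MIGRATIONS[0][0], MIGRATIONS[0][1] + " -- edited after release"), MIGRATIONS[1]]
    try:
        apply_migrations(conn, tampered, "ci-pipeline")
        tamper_detected = False
    except RuntimeError:
        tamper_detected = True

    ledger = conn.execute("SELECT version, applied_by FROM schema_changes ORDER BY version").fetchall()
    return first_run, second_run, tamper_detected, ledger


if __name__ == "__main__":
    print(demo())
```

The ledger rows are the "records of change" the slide asks for, and because the pipeline identity rather than an individual writes them, the same evidence exists for every environment the scripts pass through.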

Change Control & Testing for Assurance Demo

Part Three – Provisioning for Development and Test

Problems to solve

• The Dev team want up-to-date, realistic data

• Teams want access to consistent database copies on demand

• The DBA wants to know where all copies of data reside

• The business want assurance that sensitive data has been sanitized

Provisioning databases from code

# Connect to the SQL Clone server (the deck's example hostname)
Connect-SqlClone -ServerUrl http://sqlcloneserver.example.com:14145

# The image is a point-in-time copy of the source database; clones are created from it
$SourceDataImage = Get-SqlCloneImage -Name 'TradesDataMart (Full) - 2017-09-04'
$CloneName = 'TradesDataMart-Dev'

# I have several SQL Server instances registered on my SQL Clone Server - I want to deliver
# a copy to each of them
$Destinations = Get-SqlCloneSqlServerInstance |
    Where-Object -FilterScript { $_.Server -like '*WKS*' -and $_.Instance -eq 'Dev' }

# One clone per destination instance, created in parallel;
# -ImportVariables makes $SourceDataImage and $CloneName visible inside the parallel runspaces
$Destinations | Invoke-Parallel -ImportVariables -ScriptBlock {
    $SourceDataImage | New-SqlClone -Name $CloneName -Location $_ | Wait-SqlCloneOperation
}
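The provisioning script above delivers copies; the "Problems to solve" list also asks for assurance that what is delivered has been sanitized. The following added example (not Redgate's SQL Data Masker and not part of the presentation) shows the two halves of that assurance in Python, with sqlite3 standing in for SQL Server: a keyed, deterministic pseudonymisation of the sensitive columns, and a verification step that proves no original value survives in the copy. The customer rows, column names and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import sqlite3
from typing import Dict, List, Tuple

# Constructed production-like rows. In the deck's demo the source is a SQL Clone image of a
# real database; here it is a small in-memory table so the example runs offline.
CUSTOMERS_DDL = "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, national_id TEXT)"
SOURCE_ROWS: List[Tuple[int, str, str, str]] = [
    (1, "Alice Example", "alice@example.com", "AB123456C"),
    (2, "Bob Example", "bob@example.com", "CD654321E"),
    (3, "Alice Example", "alice.e@example.org", "EF987654G"),  # same name as row 1 on purpose
]
SENSITIVE_COLUMNS = ("name", "email", "national_id")


def pseudonymise(secret: bytes, column: str, value: str) -> str:
    """Keyed, deterministic token: equal inputs give equal outputs, so joins and duplicate
    detection still behave in the masked copy, while the token cannot be reversed without
    the secret (HMAC-SHA256, truncated for readability)."""
    digest = hmac.new(secret, f"{column}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    if column == "email":
        return f"user_{digest}@masked.invalid"  # keeps the shape application code expects
    return f"{column}_{digest}"


def mask_copy(source: sqlite3.Connection, secret: bytes) -> sqlite3.Connection:
    """Build a new database with ids preserved and every sensitive column replaced."""
    masked = sqlite3.connect(":memory:")
    masked.execute(CUSTOMERS_DDL)
    columns = ", ".join(SENSITIVE_COLUMNS)
    for row in source.execute(f"SELECT id, {columns} FROM customers"):
        tokens = [pseudonymise(secret, col, val) for col, val in zip(SENSITIVE_COLUMNS, row[1:])]
        masked.execute("INSERT INTO customers VALUES (?, ?, ?, ?)", (row[0], *tokens))
    masked.commit()
    return masked


def verify_sanitised(source: sqlite3.Connection, masked: sqlite3.Connection) -> Dict[str, object]:
    """The assurance check the business asks for: no original sensitive value survives,
    and the masked copy still has the same ids (so nothing was silently dropped)."""
    columns = ", ".join(SENSITIVE_COLUMNS)
    originals = {v for row in source.execute(f"SELECT {columns} FROM customers") for v in row}
    leaked = [v for row in masked.execute(f"SELECT {columns} FROM customers") for v in row if v in originals]
    src_ids = [r[0] for r in source.execute("SELECT id FROM customers ORDER BY id")]
    dst_ids = [r[0] for r in masked.execute("SELECT id FROM customers ORDER BY id")]
    return {"leaked_values": leaked, "ids_match": src_ids == dst_ids}


def demo():
    source = sqlite3.connect(":memory:")
    source.execute(CUSTOMERS_DDL)
    source.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SOURCE_ROWS)
    secret = b"constructed-demo-secret"  # in practice held in a vault, never in the dev environment
    masked = mask_copy(source, secret)
    report = verify_sanitised(source, masked)
    # Rows 1 and 3 share a name; their masked names must also be equal, and differ from row 2.
    names = [r[0] for r in masked.execute("SELECT name FROM customers ORDER BY id")]
    return report, names[0] == names[2], names[0] != names[1]


if __name__ == "__main__":
    print(demo())
```

The verification report is what answers the DBA's and the business's questions on the slide: it can be attached to the provisioning run as evidence, and because masking is deterministic under a secret that never travels with the clone, developers still get realistic, consistent data without anyone receiving the originals.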

Provisioning & Data Masking Demo

Impact of DevOps on Data Governance Programs

64% of respondents said

DevOps had a positive impact

on Data Governance

DevOps for the database helps compliance

• Monitoring - a key component for resilience

• Change control & testing - reliable, repeatable, consistent

• Provisioning and masking - compliant distribution of data

• Automation - a durable and consistent audit trail

Deliver value quicker and keep your data safe

Learn more from our speakers

@gfritchey

@way0utwest

@datamacas

Thank you