
Ready for the GDPR data protection law? No Panic! (Pronti per la legge sulla data protection GDPR? No Panic!) - Domenico Maracci, Stefano Sali -...

Date post: 05-Apr-2017
Upload: codemotion
Transcript
Page 1: Ready for the GDPR data protection law? No Panic! (Pronti per la legge sulla data protection GDPR? No Panic!) - Domenico Maracci, Stefano Sali - Codemotion Rome 2017

Ready for the GDPR data protection law? No Panic!

ROME 24-25 MARCH 2017

Domenico Maracci, Stefano Sali

Page 2

1 > What is GDPR

2 > Highlights & Key Impacts

3 > How to approach GDPR from a secure, IT Developer perspective

4 > Q&A

Page 3

GDPR: General Data Protection Regulation 2016/679

• Brings into law the original Data Protection Directive

• A single set of rules will apply to all EU member states

Page 4

REGULATION vs DIRECTIVE: What is the difference between a Regulation (like e.g. GDPR) and a Directive (like e.g. PSD2)?

DIRECTIVE: A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.

REGULATION: A "regulation" is a binding legislative act. It must be applied in its entirety across the EU.

Page 5

PRIMARY OBJECTIVES OF GDPR

DATA SUBJECTS' RIGHTS: to give citizens back the control of their personal data

HARMONISATION: to simplify the regulatory environment for international business by unifying the regulation within the EU

Page 6

GDPR DEFINITIONS: PERSONAL DATA

• Any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, by:
  o Name
  o ID number
  o Location or address
  o Physical (gender, colour, age, stature etc.)
  o Genetic (includes inherited or acquired characteristics and Health Data HPII, race)
  o Physiological (disability, mental)
  o Economic, creed or social identity

• May include online identifiers including IP address, cookies if they can be easily linked back to the data subject.

• No distinction between personal data about individuals in their private, public or work roles

Page 7

GDPR DEFINITIONS: PERSONAL DATA BREACH

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this timeframe is not met. In some cases, the data controller must also notify the affected data subjects without undue delay (Art. 33).

Page 8

GDPR FINES: ARTICLE 83

The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose maximum fines of up to 20M€ or 4% of annual turnover (whichever is higher) if full compliance cannot be demonstrated (Art. 83).

Page 9

Territorial Reach

The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. (Art. 3)

Accountability

Article 5.1(f) needs to be taken into account because it literally states: “Personal data should be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”

Page 10

Rights of the data subject

Excerpt

One of the most important topics included in this Regulation is a chapter devoted to the rights of the data subject. The bar has been raised and new rights have been included that will profoundly impact the way IT will need to process and control personal data. While the traditional rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), and objection (Art. 21) remain largely the same, a new right has been included: the right to data portability (Art. 18), together with some modifications to the right to erasure by including the concept of the right to be forgotten (Art. 17) and the inclusion of the right to restriction (Art. 18).

Page 11

Data Protection by Design and by Default

Excerpt

Art. 25 “The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons”. And Article 30 mandates the recording of processing activities.
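As an added illustration (not code from the talk), the Art. 25 "by default" obligation and the Art. 30 record of processing rendered as a small Python access layer: every purpose is registered with the fields it needs and a retention window, any purpose that is not registered is refused, and every attempt, allowed or denied, is logged. The customer record, the purpose register and the retention periods are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample record and purpose register (assumed values, not the talk's own).
CUSTOMER = {
    "customer_id": "1001", "name": "Anna Rossi", "email": "anna.rossi@example.com",
    "birth_date": "1984-03-09", "health_notes": "allergic to penicillin", "city": "Roma",
    "collected_on": date(2017, 1, 10),
}
# By default each registered purpose names only the fields it needs and how long the data
# may be kept for that purpose (Art. 25: amount, extent, storage period, accessibility).
PURPOSES = {
    "order_fulfilment": ({"customer_id", "name", "city"}, timedelta(days=365)),
    "newsletter": ({"email"}, timedelta(days=730)),
    "subject_access_request": (set(CUSTOMER) - {"collected_on"}, None),  # no cut-off
}

@dataclass
class AccessRecord:            # Art. 30 style record of one processing activity
    on: date
    actor: str
    purpose: str
    fields: tuple
    allowed: bool

@dataclass
class PersonalDataStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, customer_id: str, actor: str, purpose: str, today: date) -> dict:
        """Return only the fields the purpose is registered for; deny unknown purposes
        and expired retention windows; log every attempt either way."""
        entry = PURPOSES.get(purpose)
        if entry is None:
            self.audit_log.append(AccessRecord(today, actor, purpose, (), False))
            raise PermissionError(f"purpose not registered: {purpose}")
        allowed_fields, retention = entry
        rec = self.records[customer_id]
        if retention is not None and today > rec["collected_on"] + retention:
            self.audit_log.append(AccessRecord(today, actor, purpose, (), False))
            raise PermissionError(f"retention period for {purpose} has expired")
        view = {k: v for k, v in rec.items() if k in allowed_fields}
        self.audit_log.append(AccessRecord(today, actor, purpose, tuple(sorted(view)), True))
        return view
```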

Page 12

KEY IMPACTS FOR IT ORGANIZATIONS: A FEW WORDS TO REVIEW

1. DISCOVER PERSONAL DATA ACROSS YOUR ORGANIZATION AND PROTECT THEM FROM UNAUTHORIZED ACCESS

2. CENTRALIZE USER IDENTITY MANAGEMENT AND ACCESS CONTROL, IN PARTICULAR (BUT NOT EXCLUSIVELY) OF PRIVILEGED USERS

3. MANAGE AND OPTIMIZE THE USE OF TEST DATA IN YOUR SOFTWARE DEVELOPMENT LIFECYCLE AND CONSIDER IMPLEMENTING SYNTHETIC DATA GENERATION

4. EXPOSE PERSONAL DATA TO THE DATA SUBJECT IN A SECURE AND AUDITABLE WAY

Page 13

HOW TO APPROACH GDPR FROM AN IT SECURITY PERSPECTIVE

• Technical approach to GDPR

• Tools useful for Application Developers

• Demo

Page 14

TIME TAKEN TO COMPROMISE AND EXFILTRATION (chart, source: Verizon DBIR 2016)

Page 15

TYPES OF ATTACKS (chart)

Page 16

VULNERABILITY COUNT (chart)

Page 17

ISSUES REPORTED BEFORE A PRODUCT RELEASE (chart)

Page 18

SECURITY BY DESIGN / BY DEFAULT

Static Code Analysis on Dev. Workstations

Static Code Analysis on Scrum Delivery

Penetration Test on Program Increment Delivery

Penetration Test after Code Freeze

Penetration Test SI/GA SaaS solution

Page 19

Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves the security of applications from inception through production so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble as well as the components they integrate into their environments.

Veracode seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production. This comprehensive solution is managed through one centralized platform and stems from a powerful combination of best-in-class technology and top-notch security experts who offer remediation coaching and guidance on processes.

COMING SOON …

Page 20

MANAGE TEST DATA IN SDLC

It will be much harder to use production data for testing and development.

The GDPR will strengthen existing legislation forbidding the use of personal data for reasons other than why it was given.

Data can only be used if:

• explicit consent has been given for its use for the specific purpose

• it is necessary for legal purposes (e.g. to fulfil a contract, the subject's vital interest)

• it is necessary for public interest, or for a legitimate interest of the processor

Data shall not be retained “beyond the minimum necessary, in terms of amount of the data and time of their storage”, and shall not be made accessible to an indefinite number of individuals.

Page 21

Anonymisation and Pseudonymisation

Excerpt

Data can only be used if: explicit consent has been given for its use for the specific purpose, it is necessary for legal purposes (e.g. to fulfil a contract, the subject's vital interest), it is necessary for public interest, or for a legitimate interest of the processor. Organizations need to mask personal data and other sensitive data, or take a sub-set of production data for testing. To realize the full benefits of better test data management you must strongly consider implementing synthetic data generation, as well as how you store, manage and provision data.
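An added Python example of the masking step described on this and the previous slide (not code from the talk or from any CA product): a constructed two-table production extract is pseudonymised with a keyed HMAC on customer_id so the tables still join, names are replaced by synthetic ones, e-mails are pointed at a non-deliverable domain, birth dates are generalised to a year, and a final check confirms that no original name or e-mail survived. The masking key and every record are placeholders.

```python
import csv, hashlib, hmac, io, random

# Constructed sample "production" extract (fictitious people): two tables joined on customer_id.
CUSTOMERS_CSV = """customer_id,name,email,birth_date,city
1001,Anna Rossi,anna.rossi@example.com,1984-03-09,Roma
1002,Luca Bianchi,luca.bianchi@example.com,1991-11-23,Milano
"""
ORDERS_CSV = """order_id,customer_id,amount
5001,1001,120.50
5002,1002,35.00
5003,1001,80.00
"""
# Assumed: the key lives only in the masking job and is never shipped to test environments.
MASKING_KEY = b"placeholder-masking-key-not-for-test-env"

def pseudonymise_id(value: str) -> str:
    """Keyed HMAC: the same production id yields the same token in every table, so joins
    still work, but the token cannot be reversed without the key."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def synthetic_name(token: str) -> str:
    """Synthetic name seeded from the token: stable across refreshes, no real name survives."""
    rnd = random.Random(token)
    return f"{rnd.choice(['Alice', 'Marco', 'Giulia', 'Paolo'])} {rnd.choice(['Verdi', 'Neri', 'Gallo', 'Conti'])}"

def mask_customers(csv_text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        token = pseudonymise_id(r["customer_id"])
        rows.append({
            "customer_id": token,
            "name": synthetic_name(token),
            "email": f"user_{token[:8]}@test.invalid",  # reserved TLD, never deliverable
            "birth_year": r["birth_date"][:4],          # generalised: year only
            "city": r["city"],                          # low-risk attribute kept for realistic queries
        })
    return rows

def mask_orders(csv_text: str) -> list:
    """Child table: only the foreign key needs pseudonymising, amounts are not personal data."""
    return [{**r, "customer_id": pseudonymise_id(r["customer_id"])}
            for r in csv.DictReader(io.StringIO(csv_text))]

def leaks_production_pii(masked: list, source_csv: str) -> bool:
    """Post-masking check: no original name or e-mail may appear anywhere in the output."""
    text = " ".join(str(v) for row in masked for v in row.values())
    return any(r["name"] in text or r["email"] in text
               for r in csv.DictReader(io.StringIO(source_csv)))
```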

Page 22

WHY PRODUCTION DATA DOESN’T DO THE JOB

Innovate or Die: a new approach should be taken in order to take into account acceleration & agile practice.

RISKY

• Sensitive data is stored inconsistently

• Complexity to mask everything

SLOW

• Few refreshes / year

• Manual masking, in-house tools and processes are slow and error-prone

INEFFECTIVE

• 10-20% test coverage

• No negative tests or future features

Page 23

SYNTHETIC DATA GENERATION IS THE SOLUTION

[Diagram: CA Test Data Manager. Sources: Production Data / Files (XML Files, XLS, SQL Files, CSV Files, API, HTML Files, FD, TXT Files, NoSQL). Flow through Secure Data Subsets, Data Model and Generation (Substitution Variables, Combinable Functions, Bulking Scripts) into the Test Data Warehouse and out to Test/Dev Environments; the original figure numbers the steps 1 to 6.]

Page 24

Domenico Maracci
Principal Consultant, Application Delivery, CA
[email protected]

Stefano Sali
Senior Principal Consultant Security, CA
[email protected]

@CA_Italy

Slideshare.net/CAInc

Linkedin.com/company/ca-technologies

ca.com/it