Grab some coffee and enjoy the pre-show banter before the top of the hour!
The Briefing Room
Mind Your Business: Why Privacy Matters to the Successful Enterprise
• Reveal the essential characteristics of enterprise software, good and bad
• Provide a forum for detailed analysis of today’s innovative technologies
• Give vendors a chance to explain their product to savvy analysts
• Allow audience members to pose serious questions... and get answers!
Mission
Quis Custodiet Ipsos Custodes?
• Who watches the watchers?
• Privacy is a principle and a practice
• Security matters, as does customer X
• No rest for the weary!
HPE & Teradata
• HPE offers comprehensive data security and privacy solutions for big data, the cloud and the Internet of Things
• Its solution features data encryption, tokenization and key management
• HPE SecureData integrates with Teradata to provide native data encryption and key management capabilities for customers looking to address compliance or regulatory requirements such as PCI, HIPAA or GLBA
Guests
Jay Irwin, JD, Director, Teradata Center for Enterprise Security
Carole Murphy, Global Product Marketing, HPE Security – Data Security
Security & Privacy
Robin Bloor, PhD
Questions About Data
Who owns data, and how is ownership conferred?
Who has a right to see it?
Who has a right to change it?
Who has a duty of care for managing it?
A Very Brief History of Data Security
• Data theft is nothing new – data that is valuable is targeted
• Cyber-theft was born with the Internet. It exploded around 2005
• There are many players: governments, businesses, hacker groups, individuals
• The technologies of attack and defense evolve
• Businesses have a duty of care over their data, whether they own it or not
Compliance and Regulations
• Aside from sector initiatives there are many official regulations: HIPAA, SOX, FISMA, FERPA, GLBA (mainly US legislation)
• Standards (global): PCI-DSS, ISO/IEC 17799 (data should be owned)
• National regulations differ from country to country (even in Europe)
Data Protection!
A particular point of focus is the individual right to privacy.
This has resulted in an attempt to normalize regulations between jurisdictions.
Schrems v. Irish Data Protection Commissioner
• Max Schrems
• Austrian citizen & Facebook user
• Post-Snowden privacy concerns over his personal data
• Complaint rejected by the Irish DPC
• Appealed to the Irish High Court
• Case delayed pending EU Court of Justice referral
Schrems v. Irish Data Protection Commissioner
• Aug. 6, 2015 – US-EU Safe Harbor Program invalidated by EU Court of Justice (CJEU)
  • Insufficient legal remediation channels
  • Inadequate restrictions on government interference
  • Interfered with national authorities’ exercise of data enforcement
“The Privacy Shield”
• Safe Harbor Self-certification Replacement
• Intended framework for transatlantic data flows
• Aims to regulate handling EU citizen data transferred to & stored by US firms
• Privacy shield self-certification begins August 2016
EU – US Privacy Shield Provisions
• Accountability concerns addressed
• Codifies more robust violation resolution process
• Clarifies legal rights/obligations for businesses relying on transatlantic data transfers
• Creates privacy shield ombudsman
EU – U.S. Privacy Shield Provisions
• The privacy shield includes rules –
• To ensure EU citizen consent to data processing & sharing
• Ensuring that third parties are validated before data can be shared with them
• Mandating avenues available for dispute resolution
• Enforcing strict breach notification
EU – U.S. Privacy Shield Critics
• Privacy International criticizes the weakness of control against unlawful surveillance
• Max Schrems & EU Parliament member Jan-Phillipp Albrecht criticize the agreement
• Allows data sharing for broad & generic purposes, undermining a crucial privacy protection
EU – U.S. Privacy Shield Proponents
• The U.S. Department of Commerce & State Department strongly support Privacy Shield
• Private-sector U.S. tech firms support the agreement to root out regulatory uncertainty
• The law aims to restore trust in transatlantic data flows between the EU & U.S.
Directive 95/46/EC
• Directive 95/46/EC, aka DPD or The Data Protection Directive
• Created in 1995 to regulate personal data processing in the EU
• Implemented in 1998
• DPD was a model for EU member state & local data protection laws
Directive 95/46/EC
• Member states implemented local regulations per DPD
• Member state local laws differed significantly from each other
• The Dusseldorf Round-Table Resolution
• Differences between member state laws frustrated multinational firms regulated in multiple jurisdictions
Data Protection
The need for a General Data Protection Regulation (GDPR) is recognized. Multinationals in particular need direction, and the cloud complicates matters...
General Data Protection Regulation
• GDPR draft published by the EU Commission in 2012
• Intended to replace the Data Protection Directive of 1995
• DPD implementations differed greatly among EU member states
• Intended to eliminate interstate discrepancies between local EU member laws
General Data Protection Regulation
Dec. 2015
Agreement Reached
May 2016
GDPR Adopted
May 2018
Compliance Due
Consent, Design, Appoint & Fix
• Art. § 7 requires explicit individual consent for data processing & collection
• Privacy-by-design
  • Data protection must be designed into a large variety of services (overly broad?)
• Art. § 37 requires appointment of data protection officers
  • For organizations & public authorities in EU member states
  • Who must be trained per Art. § 43
• EU citizens have the right to have incorrect data corrected or removed from databases
Articles § 5 & 32 – Security of Processing
Suggests security actions that may be “appropriate to risk”
• Pseudonymization and/or encryption of personal data
• Ability to ensure ongoing confidentiality, integrity, availability & resilience of processing systems & services
• Ability to restore availability of & access to personal data in a timely manner in the event of a physical or technical incident
• A process to regularly test, assess & evaluate effectiveness of technical & organizational measures for ensuring data processing security
• Controllers & processors adhering to an approved code of conduct or certification mechanism listed in Art. §§ 40, 42 may use them to demonstrate compliance
The Obstacles to Encryption
• The major (perceived) obstacles are:
  • Convenience
  • Performance
  • Cost
  • C-level support
• Also, access control and encryption need to thoroughly integrate
The Changing Nature of Data…
• In time, “data in motion” may dwarf “data at rest.” Data is rarely stationary
• Encryption is the only security solution that provides coherence in such an IT environment
• Data moves and processes move, so security must follow
Data Encryption
It’s not a question of whether to do it – it’s more about how to do it well.
Format-Preserving Encryption (FPE)
• Supports virtually any data types in any format: name, address, dates, numbers, etc.
• Supports the Unicode Latin-1 character set, so encryption preserves format and character set in languages such as German, Spanish, French and more
• Preserves referential integrity
• Only applications that need the original value need change
• Used for production protection and data masking
• NIST-standardized: AES in FF1 mode
Figure: AES-CBC versus AES-FPE output for the same records
• Plaintext: First Name: Gunther Last Name: Robertson SSN: 934-72-2356 DOB: 08-07-1966
  • AES-CBC: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@
  • AES-FPE: First Name: Uywjlqo Last Name: Muwruwwbp SSN: 253-67-2356 DOB: 01-02-1972
• Plaintext: First Name: Jürgen Last Name: Klinsmann Chequing Acct: 122105278 674301068
  • AES-CBC: 8juYE%UkFa2345^WFLE
  • AES-FPE: First Name: K×ýAçy Last Name: ĎwlämÜqßr Chequing Acct #: 122105278 827572346
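As an added illustration (not code from the deck, HPE or Teradata), the Python sketch below shows the two properties the slide claims for FPE: a Feistel network over the field’s own alphabet yields ciphertext with the same length, character set and separators as the input, and the same key and tweak always map one value to the same ciphertext, which is what keeps joins working across tables. HMAC-SHA256 is used as the round function in place of FF1’s AES-based PRF, so this is not NIST FF1; the key, tweaks and records are constructed for the demo.

```python
import hashlib
import hmac
from functools import reduce

DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyz"
ROUNDS = 10  # FF1 also uses 10 Feistel rounds

def _prf(key, tweak, i, half, radix):
    # Round function: HMAC-SHA256 stands in for FF1's AES-based PRF (illustration only)
    msg = tweak + bytes([i, radix, len(half)]) + bytes(half)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _num(sym, radix):  # symbol indices (most significant first) -> integer
    return reduce(lambda x, d: x * radix + d, sym, 0)

def _str(x, m, radix):  # integer -> exactly m symbol indices
    return [(x // radix ** (m - 1 - k)) % radix for k in range(m)]

def _feistel(key, tweak, sym, radix, decrypt):
    u, v = len(sym) // 2, len(sym) - len(sym) // 2
    a, b = sym[:u], sym[u:]
    if not decrypt:
        for i in range(ROUNDS):
            m = u if i % 2 == 0 else v
            c = (_num(a, radix) + _prf(key, tweak, i, b, radix)) % radix ** m
            a, b = b, _str(c, m, radix)
    else:  # undo the rounds in reverse order
        for i in reversed(range(ROUNDS)):
            m = u if i % 2 == 0 else v
            c = (_num(b, radix) - _prf(key, tweak, i, a, radix)) % radix ** m
            a, b = _str(c, m, radix), a
    return a + b

def fpe(key, tweak, text, alphabet, decrypt=False):
    """Encrypt/decrypt only the characters of text that are in alphabet. Separators and
    letter case stay in place: that is what 'format preserving' means, and exactly what it leaks."""
    pos = [i for i, ch in enumerate(text) if ch.lower() in alphabet]
    out = _feistel(key, tweak, [alphabet.index(text[i].lower()) for i in pos], len(alphabet), decrypt)
    chars = list(text)
    for i, s in zip(pos, out):
        chars[i] = alphabet[s].upper() if text[i].isupper() else alphabet[s]
    return "".join(chars)

if __name__ == "__main__":
    key = b"constructed demo key, not for production"  # constructed for the demo
    for field, alphabet, value in (("ssn", DIGITS, "934-72-2356"), ("name", LETTERS, "Gunther")):
        ct = fpe(key, field.encode(), value, alphabet)
        print(field, value, "->", ct, "->", fpe(key, field.encode(), ct, alphabet, decrypt=True))
```

Using the column name as the tweak, as here, means the same SSN encrypts identically in every table that shares the tweak, so referential joins survive; a per-row tweak would break that property on purpose.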
Article § 33 – Breach Notification
• Art. § 33 Supervisory Authority Notification Requirements for Personal Data Breaches
• Data controllers must notify supervisory data authority “without undue delay” (where feasible, within 72 hours)
• Notification later than 72 hours must be accompanied by an explanation for the delay
• Notification not required if breach is unlikely to result in a risk to rights & freedoms of natural persons
• Data processors must notify data controllers without undue delay
• Data controllers must document personal data breaches, noting
• Likely breach effects & remedial actions taken
Article § 34 – Notification Requirements
• Data controllers must notify data subjects when a breach is likely to result in a high risk to the rights and freedoms of a natural person
• Data subject notification must include a clear & plain language explanation
• Name and contact information for the DPO
• Describe likely consequences
• Describe measures or proposed measures to be taken to address the breach
• Document personal data breaches including effects of the breach & remedial action taken
When Notification is Not Required
• Notification not required under Article § 34 when:
  • The data controller has implemented protection measures on personal data that render the personal data unintelligible
  • The data controller has taken measures to ensure that no high risk to the rights and freedoms of data subjects exists
  • Data subject notification would require a disproportionate effort *
* Public notification is required for this exemption
Article § 79 - Penalties
• GDPR violators may face severe fines
• Fines for severe violations can be the greater of 4% annual global turnover or €20 million
• Less severe violators are subject to fines up to 2% annual global turnover or €10 million
• Compensation to aggrieved parties
• Data subjects can claim compensation for damages suffered
• Data subjects can sue data controllers or processors
Achieving GDPR Compliance
• Know where personal data is stored & accessed in your environment
• Plan for and execute regular risk assessments
• Implement appropriate security controls
• Audit third parties receiving personal data from your organization to ensure they practice compliant data protection
Questions / Comments
• Carole Murphy, Global Product Marketing, HPE Security
  • Email: [email protected]
• Jay Irwin, JD, Director, Center for Enterprise Security, Teradata
  • Email: [email protected]
Thank you
HPE Security – Data Security: www.hpe.com/software/datasecurity, www.voltage.com
Teradata: www.Teradata.com
Analytics and data unleash the potential of great companies
Protecting the World’s Most Sensitive Data
THANK YOU for your ATTENTION!
Some images provided courtesy of Wikimedia Commons and https://en.wikipedia.org/wiki/Et_tu,_Brute%3F