GPDR and NIS Compliance Presentation

June 21, 2018 | Author: Jason Lackey | Category: Information Privacy, Computer Security, Online Safety & Privacy, Cloud Computing, Privacy


Short Description

GDPR (EU 2016/679) and NIS are intended to strengthen data protection for people in the EU, replacing Directive 95/46/EC...

Description

GDPR & NIS: Taking the pain out of government mandated security response

HyTrust Workoad !ecurity "se #ases Previously discussed specifc use cases – how are they related to GDPR/NIS?

Critical areas affected by GDPR and NIS – increased risk with public or hybrid cloud environments:

1. Privileged account misuse
2. Data breach protection
3. Data sovereignty compliance

Halt data breaches on all clouds

Eliminate privileged user misuse

Stop stupid and accidental downtime

Remove costly infrastructure air gaps

End audit and compliance suffering

Avoid data sovereignty landmines

GDPR Executive Summary

What: The standard for data protection and privacy for the EU member states, replacing the previous Safe Harbor agreement between the US and EU. Covers any company doing business in the EU or with an EU citizen.

When: Goes into "full" force on May 2, 2017. Different member states may add some variations or additional requirements.

Impact: Enforcement is backed by substantial fines, some based on response to privacy and security.

Affects a range of technology systems including data storage and collection, data encryption, and frameworks for privacy processes through policy and privacy specialists.

Still unclear with Britain leaving the EU – but most likely following GDPR will still be more stringent than any local guidelines.

Migration to Public Cloud Increases Risk

GDPR Requirement: Transparency
Summary Description: Privacy policy and DPO
Challenges: Policy guarantees harder with 3rd party like cloud provider

GDPR Requirement: Consent / Data Quality
Summary Description: Opt-in by consumer; ability to get rid of data if consent is withdrawn
Challenges: Tracking data across many workloads and geographies with instant ability to "kill" data. Proof of actions of encryption and destruction are required if challenged.

GDPR Requirement: Security enforcement of Privacy
Summary Description: Protecting data via encryption, secure data destruction, etc.

GDPR Requirement: Data breach readiness and response
Summary Description: 72 hours for breach notification; incident response plan
Challenges: Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly

GDPR Requirement: Right to be Forgotten / Erasure (Art 17)
Summary Description: All data must be deleted – retroactively and for all records

Note there are numerous other areas of challenges – but these are the most technically challenging for cloud enabled organizations.

 Technoogy  T echnoogy ?est 'ractices 'ractices &esponse &esponse to +('& .a!d applicale 'yrust 0se Cases1 Cases1

1

2

*

<



(uto#atic

I!siders

Sel+4Reulati!

Plat+or# (!ostic

I!sta!t Proo+

!hift from aert $nsure admins on and !I$5 anaysis access data on any to proactive, coud can )e monitored automatic security and proof of for )oth )reach compiance can )e protection and shon instanty or privacy protection instanty Eag vioations 2Data Sov-3 for prompt remediation 2PI56 Data Sov-3

Workoad needs porta)e poicy to protect and enforce compiance itsef 2Data Sov-3

Impement a patform agnostic soution / hich i ork across any provider or orkoad type virtua machine, !((#, containers, etc.. 2(ll use cases3

$nsure proof of compiance is fast, easy, and muti; coud ready 2(ll use cases3

Your Provider Says You're Protected?

Microsoft, Amazon, and others have issued statements that their customers are protected and compliant already via their use of "model" contracts and other legal mechanisms.

However...

1. YOU are still responsible for the data, even if the provider is compliant.

2. YOU are still responsible for the administrative actions of systems on that network.

3. ONLY workloads and data that reside on that provider can be considered; DR sites, QA copies, etc. are still your issue.

4. And if the provider fails – YOU are still responsible for data breach disclosure and remediation impact for your customers.

Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and do not rely on the provider or a specific technology to protect your data.

y rust aayF GDPR Scope  Transparency  T ransparency

a es t e

'yrust Capaility

pa n go 0se Case a!d (dvisory Notes

Data Protectio!- 'oicy actions and orkoad response can a #odify the privacy poicy through data and admin poicy engine and enforce through orkoad poicy. poicy. 5onitor and eecute )e monitored and provide instant response to an a udit. immediate poicy change propagation across a orkoads>couds.

#onsent>(ata @uaity

!ecure decommission of orkoads re8uired to ensure fast and ecient data destruction on demand. #reates chain of evidence of data destruction.

Data Protectio!-  Through hyper ecient key key management technoogy, data can )e instanty destroyed.

!ecurity enforcement of 'rivacy

$ncryption that )e used to secure the pri vacy via access and propagation of the protected data.

Data Protectio!6 Data Sov- 'roof of actions of encryption and destruction are re8uired re8uired if chaenged. $ncryption, poicy contros, etc.. #an )e detaied for audit, compiance proof, or forensics.

(ata )reach readiness and response

Instant audit trai and correation of activity, poicy, and intentiona>accidenta attempts attempts of )reach. =)iity to provide &?=#s for instant access across auditors or other reguators.

PI56 Data Sov- 5uti;coud depoyment for arge enterprises creates chaenges to coect incident data and take action very 8uicky

&ight to $rasure to )e Aorgotten

$ncryption key revocation means =JJ data is immediatey rendered useess.

Data Protectio!6 Data Sov- (o not need to track here data eists, ony use key management.
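The erasure-by-key-revocation mechanism in the table above, shown as an added Python example (constructed for this page, not HyTrust code): each data subject's records are encrypted under their own data-encryption key, the ciphertext is replicated to a DR site and a QA copy that nobody tracked, and erasure is performed by deleting the key and appending an evidence record. The HMAC-SHA256 counter-mode keystream stands in for AES-CTR so the example runs with the standard library only; the subject id and sample record are constructed.

```python
import hashlib
import hmac
import os
import time


def _xor_stream(key, nonce, data):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode as a keystream (demo only, not AES-CTR).
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManager:
    """One data-encryption key per data subject; revoking the key is the erasure action."""
    def __init__(self):
        self._keys = {}
        self.audit_log = []      # chain of evidence for auditors or regulators

    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, os.urandom(32))

    def has_key(self, subject_id):
        return subject_id in self._keys

    def revoke(self, subject_id):
        key = self._keys.pop(subject_id)   # KeyError on a double erasure surfaces to the caller
        evidence = {"action": "key_revoked", "subject": subject_id,
                    "key_fingerprint": hashlib.sha256(key).hexdigest()[:16],
                    "ts": int(time.time())}
        self.audit_log.append(evidence)     # proof of destruction, without locating any copy
        return evidence


def encrypt_record(km, subject_id, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(km.key_for(subject_id), nonce, plaintext)


def decrypt_record(km, subject_id, blob):
    if not km.has_key(subject_id):
        return None                        # key gone: every copy of the ciphertext is now noise
    return _xor_stream(km.key_for(subject_id), blob[:16], blob[16:])


def erasure_demo():
    """Erase one subject across untracked replicas by revoking the key; returns what an auditor checks."""
    km = KeyManager()
    record = b"alice@example.test,EU,consent=withdrawn"          # constructed sample record
    blob = encrypt_record(km, "subject-42", record)
    clouds = {"prod": blob, "dr_site": blob, "qa_copy": blob}     # replicas nobody tracked
    before = decrypt_record(km, "subject-42", clouds["dr_site"]) == record
    evidence = km.revoke("subject-42")
    after = [decrypt_record(km, "subject-42", c) for c in clouds.values()]
    return {"readable_before": before, "readable_after": after,
            "ciphertext_copies_left": len(clouds), "evidence": evidence}
```

The ciphertext copies are never located or deleted; only the key store changes, and the evidence record is what gets shown if the destruction is challenged.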

(etaied +('& 5apping to HyTrust GDPR Source e>t

Re*uire#e!t Su##ary

'yrust / Custo#er 9ptio!s

(rticle @ – Security o+ processi!

=ppropriate eve of security )ased on state of art. IncudingK encryption, encryption, reguar tests tests of security e%ectiveness, ensure con9dentiaity, integrity of data.

Impement poicy )ased encryption for data protection and evidence. evidence. !ho compiance of human assets.

(rticle @A – Respo!siility o+ the co!troller

&e8uires data controer to impement appropriate technica F measures to ensure and Fdemonstrate compiance.

Aorensic eve ogs that track orkoads, Aorensic administrative activities, and poicy changes at the o)Nect eve.

(rticle @B – data protectio! y desi! a!d de+ault

(ata controers must aso impement data protection )y d efautFimpement appropriate technica Fmeasures to Lprotect>addressM Lprotect >addressM the amount of data coected, etent of process processing, ing, and retention and accessi)iity of data.

 Through HyTrust ?oundary#ontro ?oundary#ontro poicies, the system is )y defaut set to adhere to data )oundaries and usage. Aurthermore encryption can )e used to enforce this across any coud provider.

-I! $ecutive !ummary )hat 

$" netork and information security -I! directive sets common cy)er;security standards and aims to step up cooperation among $" countries and service providers.

)he! 

$" mem)er states have 21 months compy and then 6 months to identify critica infrastructure operators 5ay 2017

I#pact 

Jays out speci9c technica guidance on 3critica4 infrastructure entities incuding energy, banking banking,, heathcare, transport sector organiations that are vita to the $" mem)er state government



Increased transparency and information sharing / requiring faster analysis and reporting by aected organizations



3#ritica infrastructure4 identi9ed operators i have a higher cyber security standard standard and  and )e speci9cay responsi)e for prevention of risks and incident response

HyTrust Reduces Risk: Examples

NIS Directive Reference: (A) Risk-management measures
Directive Summary: Measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems comprises the security of stored, transmitted and processed data.
HyTrust Use Cases: Data Protection – Proactive controls via HyTrust services and forensic level logging for compliance verification. Security of data can be enforced via HyTrust DataControl.

NIS Directive Reference: Security requirements and notification
Directive Summary: Security of systems and compliance with international standards among other requirements.
HyTrust Use Cases: PIM, Data Protection – Security from insider threats and compliance templates/analysis can be done with HyTrust CloudControl.

NIS Directive Reference: ( ), (A), ( )
Directive Summary: Many points in the directive refer to sharing of data among various government agencies.
HyTrust Use Cases: PIM, Data Sov. – HyTrust CloudControl provides RBACs to allow third parties customer defined access to object level functions to share only the information being required.

Thank You
