GDPR and NIS Compliance Presentation
Short Description
GDPR (EU 2016/679) and NIS are intended to strengthen data protection for people in the EU, replacing Directive 95/46/EC...
Description
GDPR & NIS: Taking the pain out of government mandated security response
HyTrust Workload Security Use Cases. Previously discussed specific use cases – how are they related to GDPR/NIS?
Critical areas affected by GDPR and NIS – increased risk with public or hybrid cloud environments: 1. Privileged account misuse 2. Data breach protection 3. Data sovereignty compliance
Halt data breaches on all clouds
Eliminate privileged user misuse
Stop stupid and accidental downtime
Remove costly infrastructure air gaps
End audit and compliance suffering
Avoid data sovereignty landmines
GDPR Executive Summary
What: New standard for data protection and privacy for the EU member states, replacing the previous Safe Harbor agreement between the US and EU. Covers any company doing business in the EU or with an EU citizen.
When: Goes into "full" force on May 2, 2017. Different member states may add some variations or additional requirements.
Impact: Enforcement is backed by substantial fines, some based on 2%; response to privacy and security.
Affects a range of technology systems including data storage and collection, data encryption, and frameworks for privacy processes through policy and privacy specialists.
Still unclear with Britain leaving the EU – but most likely following GDPR will still be more stringent than any local guidelines.
Migration to Public Cloud Increases Risk
GDPR Requirement | Summary Description | Challenges
Transparency | Privacy policy and DPO | Policy guarantees harder with 3rd party, i.e. cloud provider
Consent / Data Quality | Opt-in by consumer; ability to get rid of data if consent is withdrawn | Tracking data across many workloads and geographies with instant ability to "kill" data
Security enforcement of Privacy | Protecting data via encryption, secure data destruction, etc. | Proof of actions of encryption and destruction are required if challenged
Data breach readiness and response | 72 hours for breach notification; incident response plan | Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly
Right to be Forgotten – Erasure (Art. 17) | All data must be deleted – retroactively and for all records |
Note: there are numerous other areas of challenges – but these are the most technically challenging for cloud-enabled organizations.
Technology Best Practices Response to GDPR (and applicable HyTrust Use Cases)
1. Automatic: Shift from alert and SIEM analysis to proactive, automatic security for both breach protection and privacy protection (Data Sov.)
2. Insiders: Ensure admins that access data on any cloud can be monitored and proof of compliance can be shown instantly, or instantly flag violations for prompt remediation (PIM, Data Sov.)
3. Self-Regulating: Workload needs portable policy to protect and enforce compliance itself (Data Sov.)
4. Platform Agnostic: Implement a platform agnostic solution – which will work across any provider or workload type: virtual machine, SDDC, containers, etc. (All use cases)
5. Instant Proof: Ensure proof of compliance is fast, easy, and multi-cloud ready (All use cases)
Your Provider Says "Protected"?
Microsoft, Amazon, and others have issued statements that their customers are protected and compliant already via their use of "model" contracts and other legal mechanisms.
However...
1. YOU are still responsible for the data, even if the provider is compliant.
2. YOU are still responsible for the administrative actions of systems on that network.
3. ONLY workloads and data that reside on that provider can be considered; DR sites, QA copies, etc. are still your issue.
4. And if the provider fails – YOU are still responsible for data breach disclosure and remediation impact for your customers.
Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and do not rely on the provider or a specific technology to protect your data.
HyTrust makes the pain go away
GDPR Scope | HyTrust Capability | Use Case and Advisory Notes
Transparency | Policy actions and workload response can be monitored and provide instant response to an audit. | Data Protection: Modify the privacy policy through the data and admin policy engine and enforce through workload policy. Monitor and execute immediate policy change propagation across all workloads/clouds.
Consent / Data Quality | Secure decommission of workloads required to ensure fast and efficient data destruction on demand. Creates a chain of evidence of data destruction. | Data Protection: Through hyper-efficient key management technology, data can be instantly destroyed.
Security enforcement of Privacy | Encryption that can be used to secure privacy via access to and propagation of the protected data. | Data Protection, Data Sov.: Proof of actions of encryption and destruction are required if challenged. Encryption, policy controls, etc. can be detailed for audit, compliance proof, or forensics.
Data breach readiness and response | Instant audit trail and correlation of activity, policy, and intentional/accidental attempts of breach. Ability to provide RBACs for instant access across auditors or other regulators. | PIM, Data Sov.: Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly.
Right to Erasure / to be Forgotten | Encryption key revocation means ALL data is immediately rendered useless. | Data Protection, Data Sov.: Do not need to track where data exists, only use key management.
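The Right to Erasure row above depends on crypto-shredding: destroy the key and every copy of the ciphertext becomes useless, so nobody has to track where the data went. As an added example that is not HyTrust's code, the Go below keeps one AES-256 data-encryption key per data subject in a key manager, seals records under it, and shows that revoking the key leaves even an untracked backup copy unreadable. KeyManager, Provision, Revoke, Seal, Open and the in-memory key store are assumptions for this example; a deployment would hold KEK-wrapped keys in a KMS/HSM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KeyManager is the only holder of per-subject data-encryption keys (DEKs); the
// in-memory map is an assumption standing in for a KMS/HSM holding wrapped DEKs.
type KeyManager struct{ deks map[string][]byte }
func NewKeyManager() *KeyManager { return &KeyManager{deks: map[string][]byte{}} }
// Provision creates a fresh 256-bit DEK for one data subject (or one workload).
func (km *KeyManager) Provision(subject string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	km.deks[subject] = k
	return nil
}
// Revoke crypto-shreds: with the DEK gone, every ciphertext copy made under it is dead.
func (km *KeyManager) Revoke(subject string) { delete(km.deks, subject) }
func (km *KeyManager) aead(subject string) (cipher.AEAD, error) {
	k, ok := km.deks[subject]
	if !ok {
		return nil, errors.New("DEK revoked or unknown: " + subject)
	}
	block, _ := aes.NewCipher(k) // 32-byte key, so NewCipher cannot fail here
	return cipher.NewGCM(block)
}
// Seal/Open use AES-256-GCM: nonce prefixed to the ciphertext, subject id bound
// as associated data; Open fails closed once the DEK is gone or on tampering.
func (km *KeyManager) Seal(subject string, pt []byte) ([]byte, error) {
	g, err := km.aead(subject)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, []byte(subject)), nil
}
func (km *KeyManager) Open(subject string, ct []byte) ([]byte, error) {
	g, err := km.aead(subject)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("DEK revoked or ciphertext malformed")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(subject))
}
```

Because the subject id is bound as associated data, a record copied under another subject's key also fails to open, and the revocation is immediate for every replica without a delete sweep across DR sites or QA copies.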
Detailed GDPR Mapping to HyTrust
GDPR Source Text | Requirement Summary | HyTrust / Customer Options
Article 32 – Security of processing | Appropriate level of security based on the state of the art. Including: encryption, regular tests of security effectiveness, ensuring confidentiality and integrity of data. | Implement policy based encryption for data protection and evidence. Show compliance of human assets.
Article 24 – Responsibility of the controller | Requires the data controller to implement appropriate technical measures to ensure and demonstrate compliance. | Forensic level logs that track workloads, administrative activities, and policy changes at the object level.
Article 25 – Data protection by design and by default | Data controllers must also implement data protection by default / implement appropriate technical measures to [protect/address] the amount of data collected, extent of processing, and retention and accessibility of data. | Through HyTrust BoundaryControl policies, the system is by default set to adhere to data boundaries and usage. Furthermore, encryption can be used to enforce this across any cloud provider.
NIS Executive Summary
What: The EU network and information security (NIS) directive sets common cyber-security standards and aims to step up cooperation among EU countries and service providers.
When: EU member states have 21 months to comply and then 6 months to identify critical infrastructure operators (May 2017).
Impact: Lays out specific technical guidance on "critical" infrastructure entities including energy, banking, healthcare, and transport sector organizations that are vital to the EU member state government.
Increased transparency and information sharing – requiring faster analysis and reporting by affected organizations.
"Critical infrastructure" identified operators will have a higher cyber security standard and be specifically responsible for prevention of risks and incident response.
HyTrust Examples
NIS Directive Reference | Directive Summary | HyTrust Use Cases
.A1 Risk-management measures | Measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems comprises the security of stored, transmitted and processed data. | Data Protection: Proactive controls via HyTrust services and forensic level logging for compliance verification. Security of data can be enforced via HyTrust DataControl.
.1 Security requirements and notification | Security of systems and compliance with international standards, among other requirements. | PIM, Data Protection: Security from insider threats and compliance templates/analysis can be done with HyTrust CloudControl.
.16 .A16 .1 | Many points in the directive refer to sharing of data among various government agencies. | PIM, Data Sov.: HyTrust CloudControl provides RBACs to allow third parties customer-defined access to object level functions, to share only the information being required.
Thank You