10 actions to accelerate eu gdpr compliance with oracleoracle key vault . transparent data...


Post on 22-May-2020


TRANSCRIPT

Page 1: 10 actions to Accelerate EU GDPR Compliance With OracleOracle Key Vault . Transparent Data Encryption (TDE) Data Redaction, Database Vault, Label Security, Data Masking RAC, Data Guard,
Page 2

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

10 actions to Accelerate EU GDPR Compliance With Oracle
Manuel Vidal, Business Development Director, Oracle Iberia

Page 3

Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Not all technologies identified are available for all cloud services.

Disclaimer The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor’s products or services.


Page 4

GDPR’s Key Security Principles

• Assess: Processes, Profiles, Data Sensitivity, Risks

• Detect: Auditing, Activity Monitoring, Alerting, Reporting

• Prevent: Encryption, Pseudonymization, Anonymization, Fine Grained Access Control, Privileged Access Control, Separation of Duties

Page 5

So where do we begin…

Define Data & App Governance (1)

Page 6

[Figure: point-to-point application integration. Ten Application boxes are linked by Screen Scrape, Message Queue, Download File, Transaction File, ORB, CICS Gateway, APPC, RPC, Sockets and Message connections, with a Governance Layer placed across them.]

Page 7

Customer Data and Integration Governance: Activities

• A
  – A1 – Finding Data
  – A2 – Deleting Data
  – A3 – Sharing Data
  – A4 – Creating Single View of Customers

• B
  – B1 – Classification of Data and Linking to Data Processes
  – B2 – Risk Assessment of Data Elements and Data Processes
  – B3 – Identification and Management of Data Flows

• C
  – C1 – Building glossary of critical data
  – C2 – Establishing control with policies and rules
  – C3 – Monitoring Data Proliferation and establishing control with workflow

• D
  – D1 – Govern Application Level Services
  – D2 – Govern Process Interactions

Page 8

then

Training of employees (2)

Page 9

Some free resources from Oracle

• Webcast Series. “Accelerate EU GDPR Compliance”

• Analyst Research. Six Basic Strategies for Data Protection

• Events.

• Newsletter. Oracle GDPR Newsletter featuring Gartner Research

• Video. Customer Reference Story

• White Paper. Accelerate Your Response to the EU GDPR with Oracle Database Security.

• New White Paper. Helping Address GDPR Compliance Using Oracle Security Solutions

Page 10

then

Take a Security Risk Assessment (3)

Page 11

[Figure: layered stack with cross-cutting controls. Layers, bottom to top: Storage, Server, Network, Virtualization, Operating System, Database. Cross-cutting columns: Compliance, Identity & Access. The controls shown per layer are listed below.]

Compliance: Oracle Database Compliance, Oracle Solaris Compliance, Oracle Trusted Partitions

Identity & Access: Oracle Identity Management, Oracle Key Vault

Database: Transparent Data Encryption (TDE), Data Redaction, Database Vault, Label Security, Data Masking, RAC, Data Guard, Flashback, Oracle Recovery Appliance

Operating System / Virtualization: Solaris Immutable Zones, Solaris fine grained access and control, Solaris Auditing, Solaris Cryptographic Framework, Solaris Cluster, Oracle DB Multitenant, Solaris Zones, Oracle Virtual Networking, Oracle VM

Network: Database Firewall, Solaris IP filter, Secure Live Migration, Encryption (SSL, IPsec), IP Filter Firewall, Internet Key Exchange

Server: Silicon Secured Memory, Cryptographic Acceleration, Oracle RAS

Storage: Encryption, Check Summing, ZFS self healing data, Replication, Snapshotting

Page 12

Assess Security Risks

• Quickly evaluate risks to your Oracle Databases (evaluate risks to your processes and applications)

• Identify sensitive data (if not Data and App Governance)

• Identify security misconfigurations

• Reduce the attack surface and minimize threat exposure

[Figure labels: Role and Privilege Analysis (reduce attack surface); Discover Personal Data (First Name, Age, DoB); Scan Security Configuration & Assessment (findings and suggestions).]

Page 13

…then, we will start prevention

Prevent attacks (4, database layer)

Page 14

Prevent Attacks (Database layer)

Reference and GDPR Principle:

Article 6 – Where the processing for another purpose than the one for which the data have been collected is not based on the data subject’s consent...the controller shall… take into account, inter alia: … 4.e.) the existence of appropriate safeguards, which may include encryption or pseudonymization.

Article 32 – …the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: the pseudonymization and encryption of personal data …

Recital 28 – The application of pseudonymization to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their data-protection obligations.

Recital 83 – In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption …

Oracle Database Security Control:

• Use Oracle Advanced Security - Transparent Data Encryption to encrypt the data at rest and Oracle Key Vault to centrally manage master encryption keys.

• Use Oracle Database Network Encryption and Data Integrity to encrypt data in transit.

• Use Oracle Advanced Security - Data Redaction and Oracle Database Vault to implement technical measures that reduce the linkability of a data set with the original identity of a data subject (pseudonymization).
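As an added illustration of the pseudonymization control above (this is example code, not from the Oracle deck), the following PL/SQL defines a Data Redaction policy on a hypothetical HR.CUSTOMERS table so that ordinary application sessions see only the last four digits of the SSN and no real date of birth, while a hypothetical privileged account HR_DPO still sees cleartext. The DBMS_REDACT procedures and the REDACT_US_SSN_F5 format constant are Oracle's documented API; the table, the data and the HR_DPO account are constructed for the example.

```sql
-- Added example (not from the Oracle deck). Assumes a hypothetical table
-- HR.CUSTOMERS and a hypothetical account HR_DPO that is allowed to see
-- cleartext. Run as a user with EXECUTE on DBMS_REDACT.

-- Constructed sample data
CREATE TABLE hr.customers (
  cust_id NUMBER PRIMARY KEY,
  name    VARCHAR2(60),
  ssn     VARCHAR2(11),
  dob     DATE
);
INSERT INTO hr.customers (cust_id, name, ssn, dob)
  VALUES (1, 'Alice Example', '123-45-4321', DATE '1987-01-12');
COMMIT;

-- Policy: keep only the last four SSN digits for every session except HR_DPO.
-- REDACT_US_SSN_F5 is Oracle's predefined format that masks the first five
-- digits of a formatted US SSN; the expression decides WHEN to redact.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'CUSTOMERS',
    column_name         => 'SSN',
    policy_name         => 'customers_pseudonymize',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_DPO''');
END;
/

-- Extend the same policy to DOB with full redaction: the column then returns
-- the database's fixed default redaction value for DATE, not the real birth date.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'CUSTOMERS',
    policy_name   => 'customers_pseudonymize',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'DOB',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Verification: as an application user the SSN comes back with its first
-- five digits masked and DOB as the default value; as HR_DPO the real values
-- are returned. Redaction changes the result set only, never the stored data.
SELECT cust_id, name, ssn, dob FROM hr.customers;

-- Inventory of redaction policies, useful as evidence for the processing record.
SELECT object_owner, object_name, policy_name, column_name, function_type
FROM   redaction_columns
WHERE  object_owner = 'HR';
```

Data Redaction is a presentation-layer control: SYS, accounts holding the EXEMPT REDACTION POLICY privilege, and anyone who can read the datafiles or backups bypass it. That is why the deck pairs it with TDE (storage) and Database Vault (privileged users) rather than relying on it alone.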

Page 15

Prevent Attacks (Database layer, continued)

Recital 26 – The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

• Use Oracle Data Masking and Subsetting to mask or anonymise data in non-production environments.

Article 5 – (Personal data shall be) … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).

• Use Oracle Data Masking and Subsetting to subset the data by deleting the data or by extracting the data to a different location.

Page 16

Prevent Attacks (Database Layer, continued)

Article 29 – The processor and any person acting under the authority of the controller or of the processor who has access to personal data, shall not process those data except on instructions from the controller …

Article 32 (4) – The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller…

• Use Oracle Virtual Private Database for Fine Grained Access Control

• Use Oracle Label Security to assign data classification labels on the sensitive information

• Use Oracle Label Security to control access based on the data classification and/or track consent

• Use Oracle Database Vault to control the access of privileged users such as Processors.

Recital 64 – The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

• Use Oracle Strong Authentication techniques such as SSL or Kerberos in line with Real Application Security (RAS) to verify the identity of the database and application users accessing sensitive information.
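The Virtual Private Database control listed for Article 29 can be demonstrated with a row-level policy that lets a processor see only the rows covered by the controller's instruction. The following is an added example, not from the Oracle deck: the HR.CUSTOMERS table, its REGION column, the PROCESSING_CTX application context and the HR.PROCESSING_CTX_PKG package are all hypothetical; DBMS_RLS, DBMS_SESSION and CREATE CONTEXT are Oracle's documented interfaces. Label Security, which the deck also lists, is a separate product and is not shown.

```sql
-- Added example (not from the Oracle deck). Hypothetical table HR.CUSTOMERS
-- with a REGION column; a processor may only see rows of the region it has
-- been instructed to process. The instruction lives in an application context
-- that only a trusted package can set.

-- Constructed sample data
CREATE TABLE hr.customers (
  cust_id NUMBER PRIMARY KEY,
  name    VARCHAR2(60),
  region  VARCHAR2(10)
);
INSERT INTO hr.customers VALUES (1, 'Alice Example', 'ES');
INSERT INTO hr.customers VALUES (2, 'Bob Example',   'DE');
COMMIT;

-- The context is bound to one package: only that package may set its attributes.
CREATE CONTEXT processing_ctx USING hr.processing_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.processing_ctx_pkg AS
  PROCEDURE set_region(p_region IN VARCHAR2);
END processing_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr.processing_ctx_pkg AS
  PROCEDURE set_region(p_region IN VARCHAR2) IS
  BEGIN
    -- In a real deployment, validate p_region against the controller's
    -- recorded instructions for SYS_CONTEXT('USERENV','SESSION_USER') first.
    DBMS_SESSION.SET_CONTEXT('PROCESSING_CTX', 'REGION', p_region);
  END set_region;
END processing_ctx_pkg;
/

-- Policy function: returns the predicate the database appends to every
-- statement on the table. With no instruction set it matches nothing
-- (fail closed) rather than everything.
CREATE OR REPLACE FUNCTION hr.customers_region_pred(
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'region = NVL(SYS_CONTEXT(''PROCESSING_CTX'',''REGION''), ''__NONE__'')';
END customers_region_pred;
/

-- Attach the policy. update_check => TRUE also stops an INSERT or UPDATE from
-- creating a row the session could not have read.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'CUSTOMERS',
    policy_name     => 'customers_region_vpd',
    function_schema => 'HR',
    policy_function => 'customers_region_pred',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- A processor instructed to handle Spain now sees only the Spanish row;
-- a session that never called set_region sees no rows at all.
BEGIN
  hr.processing_ctx_pkg.set_region('ES');
END;
/
SELECT cust_id, name, region FROM hr.customers;
```

As with redaction, VPD is not enforced for SYS or for accounts holding EXEMPT ACCESS POLICY, which is the gap the deck's Database Vault bullet addresses for privileged users.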

Page 17

Prevent Data Compromise

• Block out-of-band access with encryption at rest and in motion

• Protect against compromised administrator login credentials

• Enforce trusted path access

• Prevent sensitive data proliferation

• Reduce your exposure

[Figure labels: Encryption At-Rest and in Transit (ciphertext shown as *7#$%!!@!%afb ##<>*$#@34); Labels & Controls (Sensitive data, IP, PCI, PII, PHI); Data Subsetting (Region, year, size-based); Trusted Path (wrong program, wrong IP: Access denied); Pseudonymization (dob: xx/xx/xxxx, ssn: xxx-xx-4321); Data Masking (dob: 12/01/1987 11/05/1999, *******, Access denied).]

Page 18

…then, we will keep preventing …

Keep preventing attacks (5, 6 compute and storage layers)

Page 19

Oracle System and Storage Controls to Help with EU GDPR (grouped on the slide under People security and Data security)

• Immutable VMs
• Identity governance
• Security compliance Framework
• Self-service
• Authentication
• Authorisation
• Auditing, Remote auditing
• Separation of duties
• Least privilege
• CVE aware packaging
• Cryptographic framework
• Secure by default
• Hierarchical check summing
• Detective controls
• Administrative controls
• SnapShots, CoW
• Cryptographic framework
• Continuous data validation
• Key Management 3
• End-to-end audit trails
• Retention policy
• Replication

Oracle customers have been using these controls to help them comply with the 1995 EU Directive on Data Protection for a number of years.

Page 20

Oracle Systems Capabilities that May Assist in Achieving GDPR

GDPR term:
• Encryption
• Regular testing
• Limit data access
• Risk assessment
• Monitor and access
• Integrity, protect against loss/destruction/damage
• Ability to restore in a timely fashion

Oracle Systems security capabilities:
• Solaris Cryptographic Framework, SPARC ciphers
• Solaris RBAC, privileges, ACLs
• Immutable zones and virtual machines
• Silicon Secured Memory
• Solaris label security
• (Remote) audit, syslog
• ZFS
• Security Compliance Framework, verified boot, IPS

Page 21

Oracle Storage Capabilities that May Assist in Achieving GDPR

Oracle Storage security capabilities:
• StorageTek Tape T1000
• Oracle Keymanager 3
• Oracle Hierarchical Storage Management
• StorageTek tape analytics
• ZFS Storage Appliance
• Recovery Appliance

GDPR term:
• Encryption
• Regular testing
• Limit data access
• Risk assessment
• Monitor and access
• Integrity, protect against loss/destruction/damage
• Ability to restore in a timely fashion

Page 22

… now, implement

Implement the right systems (7, 8)

Page 23

[Figure: Tactics – System Block Diagram. Layers: People and Apps, Data, Platform, Infrastructure, Ecosystem. Data controls: Encrypt, Redact, Mask, Subset, Protect. Components: Compute, Key Vault, Audit Vault, Database Vault, DB Firewall, DB, Exadata, ZFSSA, Standby DB, Object Store, ZDLRA, IB Network, VMs, Storage. Environments: Test, Prod, Dev. Administrator roles: Net Adm, Sys Adm, Stg Adm, DB Adm. Network segments: Admin Network, VLAN, and Firewall; Client Network, VLAN, and Firewall.]

Page 24

Comprehensive Security Designed In, Not Bolted On: SPARC Makes Enterprise-Wide Security Practical

• One Cryptographic Accelerator per Core, 8 or 32 Cores per Chip

• Protection from attacks against data in memory, on media or transmitted over the network with virtually no performance impact

• Silicon Secured Memory

• Encryption Accelerators

• Access Control, Read-Only VMs

• Compliance Reporting, Remote Audits

Page 25

… now, monitor

Monitor (9, database layer and …)

Page 26

Monitor to Detect Threats

Article 30 – Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

• Use Oracle Database Auditing to enable and maintain records (audit records) of processing.

• Use Oracle Fine Grained Auditing to record or audit specific activities of users such as selects on sensitive data

Article 33 – In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …

Article 34 – When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

• Use Oracle Audit Vault and Database Firewall to centrally control the records of processing and being able to provide correct data breach information to the Authority and to understand if the breach is likely to result in a high risk to the rights and freedoms of natural persons

• Use Oracle Audit Vault and Database Firewall to monitor and send timely alerts on suspicious behavior.

Page 27

Detect Anomalies, Support DPOs and Controllers

• Audit user activities

• Detect abnormal access patterns

• Alert and report on security incidents

• Support compliance audits

• Detect and block the most common database attack vectors

[Figure labels: Detect Anomalies (identify unusual patterns, new clients); Separation of Duties (secure audit repository); Support Compliance (reports and analysis); Handle SQL Injection (detect, report, and block).]
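The auditing controls on the Article 30 slide and the "detect abnormal access patterns" bullet above can be shown together in one added example (not from the Oracle deck): a unified audit policy keeps a record of every statement against a hypothetical HR.CUSTOMERS table, a Fine Grained Auditing policy captures the SQL text of every statement that touches the SSN column, and two queries over UNIFIED_AUDIT_TRAIL turn that record into a detection rule and into the evidence a 72-hour breach notification needs. CREATE AUDIT POLICY, DBMS_FGA and the UNIFIED_AUDIT_TRAIL view are Oracle's documented interfaces (12c or later with unified auditing); the table and the alert threshold are constructed.

```sql
-- Added example (not from the Oracle deck). Assumes the hypothetical
-- HR.CUSTOMERS table with an SSN column, a database using unified auditing,
-- and an account holding AUDIT_ADMIN plus EXECUTE on DBMS_FGA.

-- 1. Record of processing (Article 30): audit every statement on the table,
--    so the trail shows who processed personal data and when.
CREATE AUDIT POLICY customers_processing
  ACTIONS SELECT ON hr.customers,
          INSERT ON hr.customers,
          UPDATE ON hr.customers,
          DELETE ON hr.customers;
AUDIT POLICY customers_processing;

-- 2. Fine Grained Auditing: an additional record, with SQL text and binds,
--    only when a statement actually reads or changes the SSN column.
--    (Under unified auditing the audit_trail argument is accepted but the
--    records are written to the unified trail.)
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'CUSTOMERS',
    policy_name       => 'customers_ssn_access',
    audit_column      => 'SSN',
    audit_condition   => NULL,              -- no row filter: every SSN access
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- 3. Detection: database users whose daily count of SSN reads is far above
--    normal. The threshold 500 is a constructed placeholder; derive the real
--    one from a baseline of legitimate activity per role.
SELECT dbusername,
       TRUNC(event_timestamp) AS activity_day,
       COUNT(*)               AS ssn_reads
FROM   unified_audit_trail
WHERE  fga_policy_name = 'CUSTOMERS_SSN_ACCESS'
AND    action_name     = 'SELECT'
GROUP  BY dbusername, TRUNC(event_timestamp)
HAVING COUNT(*) > 500
ORDER  BY ssn_reads DESC;

-- 4. Breach-notification evidence (Articles 33/34): everything that touched
--    the table in the last 72 hours, with the statement text, to establish
--    which data subjects were affected.
SELECT event_timestamp, dbusername, userhost, action_name, sql_text
FROM   unified_audit_trail
WHERE  object_schema = 'HR'
AND    object_name   = 'CUSTOMERS'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '72' HOUR
ORDER  BY event_timestamp;
```

The audit trail is only useful as evidence if the people being audited cannot edit it, which is the separation-of-duties point the slide makes: ship the records to a repository such as Audit Vault rather than leaving them under the DBA's control.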

Page 28

… now, patch software and the systems

Patch regularly all the layers (10)

Page 29

Copyright © 2015 Oracle and/or its affiliates. All rights reserved.

99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Source: Verizon Data Breach Investigations Report, 2015

Page 30

The age of “If it ain’t broke, don’t fix it,” is over!


Page 31

Applicable for protecting personal information (or any other company sensitive information). Oracle Systems and Storage Products

Existing systems, OS upgrade
• Data security: OS should be upgraded to latest release, increasing security (secure by default, minimum impact on data). OS should be regularly updated and audited, using the Security Compliance Framework. Should leverage the Cryptographic and Security Compliance Frameworks.
• People security: Leverage roles and rights through the fine-grained least privileged RBAC access control. Auditing on by default.

Hardware and OS upgrade
• Data security: Should have their data store(s), including databases, set up securely with appropriate systems, data, network and database/application security tools. Should leverage Silicon Secured Memory technology and cryptographic cores.
• People security: Leverage a unified approach to identity and access management by integrating system components—as well as deployed services—with an organisation’s existing identity and access management architecture.

Page 32