10 actions to accelerate eu gdpr compliance with oracleoracle key vault . transparent data...
TRANSCRIPT
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
10 actions to Accelerate EU GDPR Compliance With Oracle Manuel Vidal Business Development Director Oracle Iberia
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Not all technologies identified are available for all cloud services.
Disclaimer The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor’s products or services.
3
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 4
GDPR’s Key Security Principles
Assess
Processes, Profiles,
Data Sensitivity, Risks
Detect
Auditing, Activity Monitoring,
Alerting, Reporting
Prevent
Encryption, Pseudonymization,
Anonymization, Fine Grained Access
Control, Privileged Access
Control, Separation of Duties
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
So where do we begin…
Define Data & App Governance (1)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Screen Scrape
Screen Scrape
Screen Scrape
Screen Scrape Message Queue
Message Queue Message Queue
Download File
Download File
Download File
Transaction File
Transaction File
Transaction File
ORB
ORB
CICS Gateway
CICS Gateway
APPC
APPC RPC
RPC
Transaction File Sockets
Sockets
Message
Message
Application
Application
Application
Application
Application
Application
Application
Application
Application
Application
Governance Layer
Governance Layer
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Customer Data and Integration Governance: Activities • A
– A1 – Finding Data – A2 – Deleting Data – A3 – Sharing Data – A4 – Creating Single View of Customers
• B – B1 – Classification of Data and Linking
to Data Processes – B2 – Risk Assessment of Data Elements
and Data Processes – B3 – Identification and Management of
Data Flows
7
• C – C1 – Building glossary of critical data – C2 – Establishing control with policies
and rules – C3 – Monitoring Data Proliferation and
establishing control with workflow
• D – D1 – Govern Application Level Services – D2 – Govern Process Interactions
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
then
Training of employees (2)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Some free resources from Oracle • Webcast Series. “Accelerate EU GDPR Compliance” • Analyst Research. Six Basic Strategies for Data Protection • Events. • Newsletter. Oracle GDPR Newsletter featuring Gartner Research • Video. Customer Reference Story • White Paper. Accelerate Your response to the EU GDPR with Oracle
Database Security. • New White Paper. Helping Address GDPR Compliance Using Oracle Security
Solutions
9
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
then
Take a Security Risk Assessment (3)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Storage
Server
Network
Virtualization
Operating System
Database
Com
plia
nce
Iden
tity
& A
cces
s
11
Oracle Database Compliance Oracle Solaris Compliance Oracle Trusted Partitions
Oracle Identity Management Oracle Key Vault
Transparent Data Encryption (TDE) Data Redaction, Database Vault, Label Security, Data Masking RAC, Data Guard, Flashback Oracle Recovery Appliance
Solaris Immutable Zones Solaris fine grained access and control Solaris Auditing Solaris Cryptographic Framework Solaris Cluster Oracle DB Multitenant Solaris Zones Oracle Virtual Networking Oracle VM
Database Firewall Solaris IP filter Secure Live Migration Encryption (SSL, IPsec), IP Filter Firewall, Internet Key Exchange
Silicon Secured Memory Cryptographic Acceleration Oracle RAS
Encryption Check Summing, ZFS self healing data Replication Snapshotting
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 12
Assess Security Risks
• Quickly evaluate risks to your Oracle Databases (evaluate risks to your processes and applications)
• Identify sensitive data (if not Data and App Governance)
• Identify security misconfigurations
• Reduce the attack surface and minimize threat exposure
Role and Privilege Analysis
Reduce attack surface
Discover Personal Data First Name, Age, DoB
Scan Security Configuration & Assessment
Findings and suggestions
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
…then, we will start prevention
Prevent attacks (4, database layer)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Prevent Attacks (Database layer) Reference GDPR Principle Oracle Database Security Control Article 6 Where the processing for another purpose than the one for which
the data have been collected is not based on the data subject’s consent...the controller shall… take into account, inter alia: … 4.e.) the existence of appropriate safeguards, which may include encryption or pseudonymization.
• Use Oracle Advanced Security - Transparent Data Encryption to encrypt the data at rest and Oracle Key Vault to centrally manage master encryption keys.
• Use Oracle Database Network Encryption and Data Integrity to encrypt data in transit.
• Use Oracle Advanced Security - Data Redaction and Oracle Database Vault – to implement technical measures that reduces the linkability of a data set with the original identity of a data subject (pseudonymization).
Article 32 …the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: the pseudonymization and encryption of personal data …
Recital 28 The application of pseudonymization to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their data- protection obligations.
Recital 83 In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption …
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Prevent Attacks (Database layer, continued) Reference GDPR Principle Oracle Database Security Control Recital 26 The principles of data protection should therefore
not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
• Use Oracle Data Masking and Subsetting to mask or anonymise data in non-production environments.
Article 5 (Personal data shall be) … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization').
• Use Oracle Data Masking and Subsetting to subset the data by deleting the data or by extracting the data to a different location.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Prevent Attacks (Database Layer, continued) Reference GDPR Principle Oracle Database Security Control
Article 29 The processor and any person acting under the authority of the controller or of the processor who has access to personal data, shall not process those data except on instructions from the controller …
• Use Oracle Virtual Private Database for Fine Grained Access Control
• Use Oracle Label Security to assign data classification labels on the sensitive information
• Use Oracle Label Security to control access based on the data classification and/or track consent
• Use Oracle Database Vault to control the access of privileged users such as Processors.
Article 32 4) The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller…
Recital 64 The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.
• Use Oracle Strong Authentication techniques such as SSL or Kerberos in-line with Real Application Security (RAS) to verify the identity of the database and application users accessing sensitive information.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 17
Prevent Data Compromise
• Block out-of-band access with encryption at rest and in motion
• Protect against compromised administrator login credentials
• Enforce trusted path access
• Prevent sensitive data proliferation
• Reduce your exposure
Encryption At-Rest and in Transit
*7#$%!!@!%afb ##<>*$#@34
Labels & Controls Sensitive data, IP, PCI, PII, PHI
Data Subsetting Region, year, size-based
Trusted Path Wrong program,
wrong IP
Pseudonymization dob: xx/xx/xxxx ssn: xxx-xx-4321
Data Masking dob: 12/01/1987 11/05/1999
*******
Access denied
Access denied
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
…then, we will keep preventing …
Keep preventing attacks (5, 6 compute and storage layers)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 19
Oracle System and Storage Controls to Help with EU GDPR People security. Data security.
Immutable VMs
Identity governance
Security compliance Ffamework
Self-service
Authentication
Authorisation
Auditing Remote auditing
Separation of duties
Least privilege
CVE aware packaging
Cryptographic framework
Secure by default
Hierarchical check summing
Detective controls
Administrative controls
SnapShots, CoW
Cryptographic framework
Continuous data validation
Key Management 3
End-to-end audit trails
Retention policy
Replication
Oracle customers have been using these controls to help them comply with the 1995 EU Directive on Data Protection for a number of years.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 20
Oracle Systems Capabilities that May Assist in Achieving GDPR
Encryption
Regular testing
Limit data access
Risk assessment
Monitor and access
Integrity, protect against loss/destruction/damage
Ability to restore in a timely fashion
Solaris Cryptographic Framework, SPARC ciphers Solaris RBAC,
privileges, ACLs Immutable zones
and virtual machines
Silicon Secured Memory
Solaris label security
(Remote) audit, syslog
ZFS
Security Compliance Framework, verified boot, IPS
GDPR term Oracle Systems security capabilities
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 21
Oracle Storage Capabilities that May Assist in Achieving GDPR
StorageTek Tape T1000
Oracle Keymanager 3
Oracle Hierarchical Storage Management
StorageTek tape analytics
ZFS Storage Appliance
Recovery Appliance
Oracle Storage security capabilities
Encryption
Regular testing
Limit data access
Risk assessment
Monitor and access
Integrity, protect against loss/destruction/damage
Ability to restore in a timely fashion
GDPR term
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
… now, implement
Implement the right systems (7, 8)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Encrypt
Redact
Mask
Subset
23
Compute
Compute
Key Vault
Audit Vault
Database Vault
Net Adm Test
Prod
Sys Adm
Stg Adm
Dev
Protect
DB Adm
ZDLRA
Adm
in N
etw
ork,
VLA
N,
and
Fire
wal
l Client Netw
ork , VLAN, and Firew
all
Tactics – System Block Diagram People and Apps
Data
Infrastructure
Platform
Ecosystem
Exadata
ZFSSA
Standby DB
Object Store
DB Firewall Encrypt
DB
Encrypt
Storage
Storage
Storage
IB Network
VM
VM
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Comprehensive Security Designed In, Not Bolted On SPARC Makes Enterprise-Wide Security Practical
One Cryptographic Accelerator per Core, 8 or 32 Cores per Chip
Protection from attacks against data
in memory, on media or transmitted over the
network with virtually no performance impact
Silicon Secured Memory
Encryption Accelerators
Access Control, Read-Only
VMs
Compliance Reporting,
Remote Audits
24
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
… now, monitor
Monitor (9, database layer and …)
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Monitor to Detect Threats Reference GDPR Principle Oracle Database Security Control Article 30 Each controller and, where applicable, the controller's
representative, shall maintain a record of processing activities under its responsibility.
• Use Oracle Database Auditing to enable and maintain records (audit records) of processing.
• Use Oracle Fine Grained Auditing to record or audit specific activities of users such as selects on sensitive data
• Use Oracle Audit Vault and Database Firewall to centrally control the records of processing and being able to provide correct data breach information to the Authority and to understand if the breach is likely to result in a high risk to the rights and freedoms of natural persons
• Use Oracle Audit Vault and Database Firewall to monitor and send timely alerts on suspicious behavior.
Article 33 In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …
Article 34 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 27
Detect Anomalies, Support DPOs and Controllers
• Audit user activities
• Detect abnormal access patterns
• Alert and report on security incidents
• Support compliance audits
• Detect and block the most common database attack vectors
Detect Anomalies Identify unusual
patterns, new clients
Separation of Duties Secure audit
repository
Support Compliance Reports and
analysis
Handle SQL Injection Detect, report,
and block
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
… now, patch software and the systems
Patch regularly all the layers (10)
Copyright © 2015 Oracle and/or its affiliates. All rights reserved. |
99.9% Of the exploited vulnerabilities were compromised more than a year after the CVE was published
29
Source: Verizon Data Breach Investigations Report, 2015
Copyright © 2015 Oracle and/or its affiliates. All rights reserved. |
The age of “If it ain’t broke, don’t fix it,” is over!
Oracle Corporation - Confidential 30
Copyright © 2015 Oracle and/or its affiliates. All rights reserved. |
Applicable for protecting personal information (or any other company sensitive information). Oracle Systems and Storage Products
Existing systems, OS upgrade. OS should be upgraded to latest release,
increasing security (secure by default, minimum impact on data).
OS should be regularly updated and audited, using the Security Compliance Framework.
Should leverage the Cryptographic and Security Compliance Frameworks.
Leverage roles and rights through the fine-grained least privileged RBAC access control.
Auditing on by default.
Hardware and OS upgrade Should have their data store(s),
including databases, set up securely with appropriate systems, data, network and database/application security tools.
Should leverage Silicon Secured Memory technology and cryptographic cores.
Leverage a unified approach to identity and access management by integrating system components—as well as deployed services—with an organisation’s existing identity and access management architecture.
Data security.
People security.