9th February 2018 Cyber Security GDPR and Privacy Enhancing Technologies Shane McEntagart ( [email protected] )


Agenda and Welcome

Event briefing and overview: Shane McEntagart (Deloitte)

GDPR alignment with Cyber Security: Liam O’Connor (Deloitte)

Panel discussion
Chair: Jacky Fox (Deloitte – Cyber Security Lead)

Presenters
Nicola Flannery (Deloitte – Data Privacy)
Mark Oldroyd (Sailpoint)
David Higgins (CyberArk)
Clive Finlay (Symantec)

Cyber Security GDPR and Privacy Enhancing Technologies Liam O’Connor ( [email protected] )

Facts & figures

What changes does the GDPR bring?

• 4%: Potential fines as a percentage of global turnover
• 72: Hours given to report a data breach
• 7: Core individual rights afforded under the GDPR
• 28,000: Estimated number of new Data Protection Officers required in Europe (IAPP study 2016)
• 80+: New requirements in the GDPR
• 190+: Countries potentially in scope of the regulation
• €203m: Cost of 4% fine for a typical FTSE 100 company

What changes does the GDPR bring?

General Data Protection Regulation: changes compared to the 1995 Directive (95/46/EC)

• Broader territorial scope: Applies to players not established in the EU but whose activities consist of targeting data subjects in the EU
• Enforcement: Data Protection Authorities will be entitled to impose fines ranging from 2% to 4% of annual turnover, or 10 – 20 million euros
• Accountability: Explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR
• Expanded definitions: Personal data now might include location data, IP addresses, online and technology identifiers
• Data subjects' rights: Reinforced rights: access, rectification, restriction, erasure, portability, objection to processing; no automated processing and profiling
• Consent: Spelled out more clearly and focus on ability of individuals to distinguish a consent
• Data breach notification: Report a personal data breach to the Data Protection Authority within 72 hours
• One-stop shop: Data Protection Authorities (DPA) of main establishment can act as lead DPA, supervising processing activities throughout the EU
• International data transfers

• Processing Inventory
• Data Management
• Data Transfers
• Strategy
• Policies & procedures
• Audit and Certification
• Privacy by Design
• Organisation and Accountability
• Communication, Training, Awareness
• Privacy Impact Assessment

GDPR Transformation Programme

A best practice privacy programme distinguishes six main focus areas. This can help to formulate key objectives:

Layer 1: Strategy
Layer 2: Organisation and accountability
Layer 3: Policy, process & data
Layer 4: Culture, training & awareness
Layer 5: Privacy operations
Layer 6: Processing inventory

GDPR: Implementation Challenges?

The GDPR presents a number of challenges:

Under Article 32 of the GDPR - Security of Processing – “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate”

GDPR Alignment With Your Cyber Security Strategy

Data Breaches

Risk Based Approach

Security Best Practice

Identity & Protect Crown Jewels

Threat Landscape

Data Protection & Cyber Security Interconnected

Technology As An Enabler

GDPR & Cyber Security Alignment

Governance

Secure

Vigilant

Resilient

Maintaining Compliance After May

Complying with the GDPR requires the management of privacy risks. Implementing industry leading tools can assist privacy governance, risk, and compliance management.

GDPR – Privacy Enabling Technologies


Sample of tool classification types:

Identity Access Management

Unstructured Data Management

Data Loss Prevention

Governance, Risk & Compliance Management

DPIA Automation & Management

Data Breach Management & Reporting

Reporting & Record Keeping

Anonymisation & Pseudonymisation

Vulnerability Management

eDiscovery

Monitoring – SIEM / SOC

Training & Awareness

Key elements to consider:

Before adopting and implementing privacy technology, companies should go through prerequisite steps

1. Establish Governance
2. Define & Implement Controls & Processes
3. Define Requirements For Supporting Technologies
4. Discover Existing Tools That Satisfy Requirements
5. Assess PET Vendors Based On Requirement Gaps

Business-Focused Identity Governance

The Power of Identity

$158 is the average cost per lost or stolen record

2016 Cost of Data Breach Study: Global Analysis - Ponemon Institute© Research Report

Do you know WHERE your (Sensitive) data is?

Do you know WHO has access?

Is the access APPROPRIATE?

Can you PROVE it?

Copyright © SailPoint Technologies, Inc. 2016. All rights reserved. 13

• 71% of staff have access to data they should not see (Ponemon Institute Report)
• 89% believe they are now at risk from insider threat (IT Governance Report)
• 1 in 7 employees will sell their credentials for $150 (SailPoint Survey)
• 80% of company data is held in unstructured content (Forbes Report)

Employee

Contractor

Vendor

Partner

SECURITY PARADIGMS HAVE SHIFTED

FROM NETWORK-CENTRIC…

TO USER-CENTRIC

GDPR Highlights

Sanctions & litigation risk
• Fines: 4% of annual revenue or €20m
• Breaches notified to regulator within 72 hours
• Citizen compensation lawsuits
• Audit, Clean up, reputation

What is it?
• Homogenous Data privacy law
• All organizations processing EU citizen data
• Live date May 2018
• Unstructured data in scope
• 28 PII conventions

Data Access Governance
• Privacy Policies
• Data Discovery
• Need to know basis access
• Retention Policies
• Breach detection & Disclosure

Governance & Compliance
• Data Protection Officers
• Data owner accountability
• Least privilege principle
• Breach disclosure
• Fine grained audit trails

SailPoint’s Relevance to GDPR

• Technology (15 Articles)
• People (18 Articles)
• Process (66 Articles)
• SailPoint Relevant (12 Articles)
• Identity Governance for Files (11 Articles)
• Identity Governance for Applications (6 Articles)
• 80% Coverage

• 40% International Business
• 850+ Customers and Growing
• IAM Market Leader
  Gartner IGA MQ 2017, Continued Leader
  Forrester IMG Wave 2016, Continued Leader
  Kuppinger Cole IDaaS Compass 2017, Leader
• Founded in 2005 by IAM veterans
• 95% Customer Satisfaction
• World’s LARGEST Dedicated Identity & Access Management Vendor

Customers by Vertical

Insurance, Manufacturing, Energy/Utilities, Banking/Financial Services, Health/Pharma, Other

Guaranteeing the Appropriateness of Access

Sustainable Identity Governance Process

Identity Lifecycle Management Process

• FULFILLMENT: Provisioning Management
• VALIDATION: Behaviour, Policy, Roles and Risk Analysis
• REQUEST: Business Interface Management

Get Visibility
Build Current State: Identity Collection, Correlation, Entitlement Cataloguing, Discovery & Classification

Get Clean
Validate Current State: Analytics, Reporting, Access Certification, Governance Insights

Stay Clean
Define Desired State: Policy Enforcement, Business Role Modelling, Risk Analysis, Owner Identification

Manage & Secure
Manage & Secure: Lifecycle Processes, Self-Service, Identity Context Distribution

Authoritative Sources

Applications And Services

SailPoint Vision: Comprehensive Governance

Identity Governance

Access

Applications & infrastructure: Mainframes, Databases, Applications, CRM/HR/Financial

File storage systems: File servers, Cloud storage, Collaboration systems, NAS

SailPoint Identity+ Alliance Partnership

SailPoint Platform: The “Business” of Identity

Certification & Remediation

Data Classification

Role & Risk Modeling

Analytics & Reporting

Policy Enforcement

Automated Lifecycle Events

Self-Service

Business Process Management

Provisioning

Connectors

Aggregation & Provisioning Broker

Manual

Work

Items

Business

Functionality

Flexible

Change

Fulfillment

and

Data

Collection

Identity

Analytics

Change

Automation

Password

Management

Activity

Monitoring

Service Desk

Integration

Security/

GRC

Integration

Specialist

Integration

Mainframe

Provisioning

Integration

PUM

Integration

Unstructured

Data

Management

SailPoint Open Identity Platform

Mobile

Integration


Ground to Cloud Deployment Options

On Premise, Public Cloud, Managed Service, SaaS

Azure AD Access Management + SailPoint

Access Certification

Access Request

Fine-grained & Life Cycle Provisioning

Compliance & Audit Reporting

Password Reset Extension

Policy-based Workflow & Approvals

Conditional Access and Multi-factor Authentication

Self-Service Password Reset

Single Sign-On

User and Group Management and Provisioning

B2B Collaboration

Risk-based Identity Protection


Governance

Workflow

Access

Provisioning

Provisioning

Modeling

Directory

• Group m, Entitlement x

• Group n, Entitlement y

• …

Azure Solution Architecture

End User

Change

Notification

Authentication

Cloud and On-Premises Applications

HR Application (Authoritative Source)

WHAT ARE ANALYSTS SAYING

“By 2021, organizations with complementary/integrated IGA and DAG capabilities will suffer 60% fewer data breaches.”

– Gartner (2017)

Identity at the Center of Security

• Security Incident & Event Management
• Data Loss Prevention
• Privileged User Management
• Data Governance
• IT Service Management
• Mobile Device Management
• Governance, Risk, & Compliance
• Applications & Infrastructure

Beyond GDPR: Enterprise Identity Governance

Protect access to all applications and data – on-premises and in the cloud

Applications & Systems

Data stored in files

Benefits

• Greater visibility into access risks

• Centralize all access to applications and data

• Reduced complexity by providing a consistent set of controls

Access Request

Access Certification

Provisioning Workflow

Access Policies

User Risk-based Modeling

Password Management

Data Classification

Activity Monitoring

Permission Analysis

Thank You

The Privileged Pathway… to Critical Data

David Higgins, Director of Customer Development, EMEA

Agenda

• The Human Element

External:

• The Privileged Pathway

• Isolating the Attack

Internal:

• The forgotten Data Access Vector


Key GDPR Requirements and Privileged Security

• PROTECT ACCESS to sensitive personal data
• Detect and RESPOND RAPIDLY to breaches early in the attack lifecycle
• ASSESS RISK and test the effectiveness of data protection processes
• DEMONSTRATE COMPLIANCE and prove you have the necessary security controls in place

Article 25: Data protection by design and by default
Article 32 (2): Security of processing
Article 33: Notification of a personal data breach
Article 35: Data protection impact assessment
Article 82: Protection from non-compliance

CyberArk: Proactive Protection, Detection & Response

PROTECT ACCESS: Secure the privileged pathway and privileged access to systems containing personal data

RESPOND RAPIDLY: Monitor, detect, alert, and respond to high-risk activity and enable security teams to stop attackers before they can access personal data

DEMONSTRATE COMPLIANCE: Have the operational controls to prove compliance and protect yourself from litigation

ASSESS RISK: Improve your security posture by identifying all privileged user and application accounts and conduct penetration testing to ensure the right security controls are in place

External


ENDPOINT INFRASTRUCTURE DATA LOCATION

Data Breach – Attackers: The Privileged Pathway


The Starting Position

Because many existing implementations of Active Directory Domain Services have been operating for years at risk of credential theft, organisations should assume breach and consider the very real possibility that they may have an undetected compromise of domain or enterprise administrator credentials

— MICROSOFT, “MITIGATING PASS-THE-HASH AND OTHER CREDENTIAL THEFT, VERSION 2,” 2014

…doesn’t matter how much you train and educate your users…

PAS Hygiene Program Goals

Step 1 Focus first on eliminating irreversible network takeover attacks (e.g., Kerberos Golden Ticket).

Step 2 Control & secure infrastructure backdoor accounts.

Step 3 Limit lateral movement.

Step 4 Protect 3rd party privileged accounts.

Step 5 Manage SSH keys on critical Unix servers.

Step 6 Defend cloud & DevOps backdoors.

Step 7 Secure shared IDs for business users (integrate and accelerate adoption of MFA).


Step 1: Irreversible Network Takeover Attacks

ENDPOINT

Kerberos Attack Detection

Manage Domain Admin and Enterprise Admin Credentials

Enforce Tiered Account Model

Enforce Application Control on Domain Controllers

Session Isolation

INFRASTRUCTURE DOMAIN CONTROLLERS


Step Two: Control & Secure Infrastructure and End Point

Well-known Infrastructure Accounts

ENDPOINT

Manage Local Administrator Accounts on Windows

Manage Root Accounts on UNIX/Linux

Kerberos Attack Detection

Manage Domain Admin and Enterprise Admin Credentials

Enforce Tiered Account Model

Enforce Application Control on Domain Controllers

Session Isolation

INFRASTRUCTURE DOMAIN CONTROLLERS

Session Isolation

Manage Local Administrator Accounts


Step Three: Limit Lateral Movement

ENDPOINT

Manage Local Administrator Accounts on Windows

Manage Root Accounts on UNIX/Linux

Kerberos Attack Detection

Manage Domain Admin and Enterprise Admin Credentials

Enforce Tiered Account Model

Enforce Application Control on Domain Controllers

Session Isolation

INFRASTRUCTURE DOMAIN CONTROLLERS

Session Isolation

Manage Local Administrator Accounts


Manage 3rd Party Application Accounts

Application Control

Least Privilege

Block Credential Theft


Secure the Eco-System

C³ Alliance

• Authentication
• IT Service Management (ITSM)
• Malware Analytics
• IAM
• SIEM
• Monitoring & Discover
• Threat Response
• Authentication
• HSM
• Directory Services
• Validated Secured Solutions
• Secure & Manage COTS App Cred.

Internal

Data Access – Infra Admins: The Forgotten Vector

Application Environment
APPLICATION
DATABASE
OPERATING SYSTEM
STORAGE
FILE SHARES

Application User
DBA Access
Infrastructure Admin Access

Business User
IT Admins
3RD PARTY

Session Management for Critical Assets / Accounts

Privileged User
ITSM
IAM
HSM
MFA
SIEM
Native Support for RDP and SSH Based Clients

Identifying Key Risks – Lateral Movement

Identifying Key Risks – Domain Compromise

Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security

Technology Considerations for the GDPR

Know your Personal data

Process Data Lawfully

Embed privacy

Protect Personal Data

PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE

Copyright © 2016 Symantec Corporation56

What is the one word you need to be wary of when talking about the cloud?

CONTROL

All the benefits you receive from moving to the cloud: agility, elasticity, and low cost are received by giving up…

CONTROL

All the challenges you face in the cloud: security, compliance, data residency, data privacy and management are rooted in your lack of…

CONTROL

The only reason you have not moved your critical workloads to the cloud is because you cannot afford to give up…

CONTROL

CONTROL: How do you give it away and keep it at the same time?

This is your enterprise – your realm of complete CONTROL

Before the cloud, you held your infrastructure and applications safe within its walls

Then the cloud happened…

…your infrastructure started moving over and you lost some CONTROL

…your applications started moving over too and you lost more CONTROL

Additionally… cloud endpoint, mobile, BYOD, have all spiraled… out of your CONTROL

Enterprise Perimeter, Regional Office, Home Office, Coffee Shop, Mobile, IoT Personal, IoT Home, Cars, Aircraft

CONTROL: How do we regain it?

WE NEED A NEW CONTROL POINT

Protecting Infrastructure

Cloud Workload Protection

Does it really matter, isn’t Amazon (or Microsoft) providing all the security I need?

Let’s have a quick look under the covers

AWS “Shared Security Model”

Who is Responsible? What needs to be Protected? Where?

Customer

Workloads:
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client Side Data Encryption & Data Integrity Authentication
• Server Side Encryption (File system and/or Data)
• Network Traffic Protection (Encryption, Integrity, Identity)

Infrastructure:
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Security Services include IAM, MFA, CloudWatch, VPC, CloudTrails, AWS Config, Inspector, Other…

Key Customer Challenges for Security in Public IaaS Cloud

Copyright © 2015 Symantec Corporation80

1. Shared Responsibility Model For Security in Public Cloud

Physical Infrastructure: AWS/Azure responsible for Security
Apps, Data, OS: Customer responsible for Security

2. Speed and Agility in Public Cloud

Private Cloud: 1-2 server releases per year; 100 servers per admin; Bolted-on
Public Cloud: 6 server releases per minute (15,000% increase); 500 servers per admin (5X increase); Built into the process

Pain Points articulated in customer validation

Loss of Control: New network paradigm still requires security with new tools
• How can I detect and eliminate rogue instances in Security Implementations?
• My old tools do not work as there are no SPAN/TAP ports for Network
• How do I ensure AV is deployed and applications are segmented to be compliant?

Loss of Visibility: Infrastructure deployment leaves a blind spot in security
• What instances are running? What is deployed on them?
• What Regions, VPC, Subnets are they part of?
• What if there is a known vulnerability? Should they be In Scope for compliance?

Cloud Native Delivery: Need efficient deployment
• How can I deploy security technology at cloud speed?
• How can I detect my infrastructure scale out and ensure that security is in lock step?

Risk & Compliance: Need Security monitoring to meet compliance
• Gain insight into the potential known and unknown vulnerability exploits on the software deployed in your AWS/Azure accounts
• Prioritize & Remediate with ample network and asset context

Cloud Workload Protection – The IaaS Control Point


Instances in auto-scaling group with policies applied

Complete instance mapping with real-time protection status

Automatic policy recommendations

Continuous Visibility Across Cloud Workloads

Cloud Workload Protection – The IaaS Control Point


Identify potential threats and apply security policies in the same view

RT-FIM

Application Isolation & OS Hardening

User & Process Behavioral Analysis

Cloud Workload Protection – The IaaS Control Point


Agent Not Installed

Policy Not Applied

Protected

Discover and view security postures of workloads wherever they are

Shut down rogue instances to reduce attack surface

Global Security Dashboard With Drill-Down Capability

Protecting Information

Extending cyber controls and processes to the cloud

• Cloud Data Protection & Shadow IT Discovery
• Encryption & Tokenization
• Cloud Compliance
• Cloud Investigations
• Cloud Incident Response & Investigation
• Cloud DLP
• Enforcing Cloud Policy & Remediation
• Cloud Malware Detection
• Cloud IAM & User Analytics

Proxy
CASB Gateway
Events
Cloud API
Outside Perimeter
Enterprise Perimeter

DLP Enforce
Endpoint
Web Gateway
Threat Intelligence
Data Protection Sources

New Challenges

• 26% of Cloud Docs are Broadly Shared
• Proliferation of Cloud Apps
• Shadow Data Problem
• Compromised Accounts

Extending DLP into cloud applications

Extend DLP to Cloud Apps
• Apply Existing DLP Policies to Cloud
• Leverage existing DLP Workflow
• Gain Full CASB Functionality
  • Inline Blocking and Offline Remediation
  • Shadow IT Analysis
  • User Behavior Analytics

DLP Enforce Management Server

On-premises DLP Detection

Shadow IT Discovery & Controls

Enterprise Perimeter, Regional Office, Home Office, Coffee Shop, Mobile, IoT Personal, IoT Home, Cars, Drones

External and public content exposures, including compliance risks

Inbound risky content shared with employees (e.g., malware, IP)

Risky users and user activities

Where to start? Understand what’s important to your business and where it is. Complete a Shadow Data Risk Assessment.

There is only one word you need to know when talking about the cloud

CONTROL

Bring all that control together

… to give comprehensive information security with

GDPR – Privacy Enhancing Technologies

Panel Discussion – Q&A

30 minutes

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London, EC4A 3BZ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

© 2017 Deloitte LLP. All rights reserved.