Gemalto solutions and guidance for GDPR
Predrag Aleksić, PreSales Engineer, Enterprise and Cybersecurity
February 2018
Agenda
• What’s driving data protection
• GDPR, General Data Protection Regulation
• Privacy by Design
• Essential questions for your Compliance
• Data Flow & The Big Question! – Where to encrypt
• Why KeySecure is a key element in GDPR framework
• eIDAS
Translate GDPR for your specific situation
Go and read the legislation: GDPR Legislation
Privacy By Design – 7 principles
• Proactive & Preventative
• Default setting
• Embedded in design
• Positive-sum
• End-to-end security
• Visibility and transparency
• User-centric
So where to start?
GDPR – EXPLAINED
Where to start? Start with Basics…
01.03.18 Gemalto DataProtection Framework 6
6 steps:
1. Understand the GDPR legal framework
2. Create a Data Register
3. Classify your data
4. Start with your top priority
5. Assess & document additional risks and processes
6. Revise and repeat
So how to protect our data?
GDPR – EXPLAINED
The data protection dilemma: Balancing Business Value and Security
MORE DATA – produced, processed and stored in more places; shared more; distributed to more locations outside of your control.
01/03/2018 Gemalto Enterprise & Cybersecurity - CONFIDENTIAL 9
Cybersecurity: have a plan
• ACCEPT THE BREACH – Perimeter security alone is no longer enough.
• PROTECT WHAT MATTERS, WHERE IT MATTERS – Data is the new perimeter.
• SECURE THE BREACH – Control who and what can access information. Apply data protection and controls that sit with the data asset.
Do You Have a Plan B?
• PLAN A – Prevent the Breach
• PLAN B – Assume the breach; minimize its impacts
Prevent Attacks / Mitigate the impact
GDPR highlights the importance of techniques recommended to prevent a breach attempt from succeeding:
• Encryption
• Anonymization and Pseudonymization
• User Access Control
• Data Minimization
Secure the Breach: the method
0. Analyse the NEED – What data? What applications? What storage? What use case?
1. Control the ACCESS – Protect identities; ensure only authorized users and services have access.
2. Encrypt the DATA – At rest in storage; in motion across the network; on-premises or in the cloud.
3. Secure the KEYS – Secure and own encryption keys; centrally manage keys and policies.
The 3 key elements
1. CONTROL ACCESS – Strong Authentication for Internal Users + Administrators, Cloud Providers Admins/Superusers, Customers + Partners
2. ENCRYPT THE DATA – Data at Rest Encryption (File Servers, Databases, Virtual Machines; Storage Networks, Physical Data, Virtual Data, Data in the Cloud) and Data in Motion Encryption
3. SECURE & MANAGE KEYS – Crypto Management: Key Manager, HSM, Crypto Provisioning System; serving Applications and SaaS Apps
Why two-factor authentication?
• Audit trail for GDPR compliancy: who accessed, at what time, which information
• Reduce risk for stolen credentials
• Breach prevention
Why encryption?
Lost or stolen data in terms of GDPR:
• Only breach notification
• No user information duty
• No secrets revealed
• No bad publicity
• Less business impact
• Breach prevention
Why Key Management?
No direct GDPR compliancy requirement
BUT when encrypting data:
Data is no longer important
But Key Management is!
Components connected to the key manager (Hardware Security Modules / Appliance):
• Applications (.NET, JAVA, KMIP, XML)
• Databases
• 3rd party solutions (e.g. Self-encrypting drives via KMIP)
• File encryption
• Tokenization
• Ethernet and FibreChannel encryption
• File Shares, Tape, Backups
• Network Share Encryption Proxy
• Virtual Instances and Virtual Storage (ProtectV Manager Virtual Appliance)
Cryptography as an IT Service – Trust. Every day.
• Protect Identities – Authentication Management (On-Premise or Cloud)
• Protect Infrastructure – Nat. IDs, AMI Metering, E-Signatures, E-Passports, Certificate Infrastructures
• Protect Cloud & Virtual Infrastructure
• Protect NAS Storage – ProtectFile Server/Desktop Agent
• Protect Data Centers – KeySecure Appliance
• Protect Data Transfer – L2 HighSpeed Encryptors
Data Flow and The Big Question! – Where To Encrypt? Who to Protect against?
Layers in the data flow diagram: Database; Application; File System (Files | Folders | Shares); Storage – Local Storage (DAS), Remote Storage (NAS | SAN); Users | Apps (browser, mobile); Key Mngt
Storage Level Security – Full Disk Encryption – blanket
• Block Level Encryption
• Typically simple deployment
• No Encryption/Decryption Access Control
• Protects BACKUP only
File System–Level Transparent File Encryption
• Transparent File Encryption – files, folders, shares, databases, ftp servers, application data, etc.
• Encryption Policies – determine which of the file server’s paths and files will be encrypted, which keys will be used, and which users, groups, or processes will be given access to the encrypted data
• Access Policies – define which users, groups, and processes can access protected content
• Enforcing Backup & Restore Policies – enables authorized admins to perform backup-restore duties on encrypted files only
• Protection against Rogue “root” User – prevents the super user “root” from accessing sensitive data when impersonating a user
• Separation of duties – security vs. data management
• Dual Control – MofN – sensitive operations require multiple admins
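The policy layers listed above (encryption policy per path and key, access policy per user/group/process, backup operators confined to ciphertext, the rogue-root guard, and M-of-N dual control) can be made concrete with a small policy evaluator. The block below is an added illustration, not Gemalto or SafeNet code: the policy classes, the `decide`/`dual_control_ok` functions, and every path, user, group and key id in it are constructed for the example.

```python
"""
Toy policy engine for file-system-level transparent file encryption.
Added illustration, not Gemalto/SafeNet code; all policies, paths,
users, groups and key ids below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Subject:
    """The requester: effective user, its groups and the calling binary."""
    user: str
    groups: frozenset
    process: str
    # True when a superuser switched into this identity (su/sudo) rather
    # than the user authenticating; the rogue-root guard keys off this.
    impersonated_by_root: bool = False


@dataclass(frozen=True)
class EncryptionPolicy:
    """Paths matching path_glob are stored encrypted under key_id (assumed shape)."""
    path_glob: str
    key_id: str


@dataclass(frozen=True)
class AccessPolicy:
    """Who may read cleartext under path_glob; backup users get ciphertext only."""
    path_glob: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    processes: frozenset = frozenset()
    backup_only_users: frozenset = frozenset()


def decide(path, subject, enc_policies, access_policies):
    """Return 'cleartext', 'ciphertext' or 'deny' for one file access."""
    if not any(fnmatch(path, p.path_glob) for p in enc_policies):
        return "cleartext"  # not under an encryption policy: ordinary file
    for ap in (a for a in access_policies if fnmatch(path, a.path_glob)):
        if subject.user in ap.backup_only_users:
            return "ciphertext"  # backup/restore duties on encrypted bytes only
        allowed = (subject.user in ap.users
                   or bool(subject.groups & ap.groups)
                   or subject.process in ap.processes)
        if allowed and subject.impersonated_by_root:
            return "deny"  # rogue-root guard: root cannot borrow a user's access
        if allowed:
            return "cleartext"
    return "deny"  # encrypted path and no policy grants this subject access


def dual_control_ok(approvals, admins, m):
    """M-of-N: a sensitive operation needs m distinct approvers from the admin set."""
    return len(set(approvals) & set(admins)) >= m


# Constructed sample policies: HR files are encrypted; the hr group and the
# payroll binary may read them; backupsvc may only copy ciphertext.
ENC_POLICIES = [EncryptionPolicy("/data/hr/*", "key-hr-01")]
ACCESS_POLICIES = [
    AccessPolicy("/data/hr/*",
                 groups=frozenset({"hr"}),
                 processes=frozenset({"/opt/payroll/bin/payroll"}),
                 backup_only_users=frozenset({"backupsvc"})),
]


def demo():
    """Evaluate a few constructed requests against the sample policies."""
    hr_file = "/data/hr/salaries.csv"
    cases = {
        "hr_user": Subject("alice", frozenset({"hr"}), "/usr/bin/cat"),
        "root_as_hr_user": Subject("alice", frozenset({"hr"}), "/usr/bin/cat",
                                   impersonated_by_root=True),
        "root_direct": Subject("root", frozenset({"root"}), "/usr/bin/cat"),
        "backup": Subject("backupsvc", frozenset({"backup"}), "/usr/bin/tar"),
        "payroll_job": Subject("svc-payroll", frozenset(), "/opt/payroll/bin/payroll"),
    }
    results = {name: decide(hr_file, s, ENC_POLICIES, ACCESS_POLICIES)
               for name, s in cases.items()}
    results["unencrypted_path"] = decide("/data/public/readme.txt", cases["root_direct"],
                                         ENC_POLICIES, ACCESS_POLICIES)
    results["rekey_two_admins"] = dual_control_ok(["ann", "ben"], {"ann", "ben", "cy"}, 2)
    results["rekey_one_admin_twice"] = dual_control_ok(["ann", "ann"], {"ann", "ben", "cy"}, 2)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The point to take from the evaluator is the ordering of the checks: the backup operator is answered before any allow rule (so a backup identity never reaches cleartext even if it is also in an allowed group), and an allow rule is only honoured when the identity was not reached through a superuser switch, which is what separates "root can read every file" from "root can read every encrypted file".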
Database-level protection
• Transparent column-level – local & remote
• Standard Encryption
• Format-Preserving Encryption (FPE)
• Tokenization
• Access policies – Key Ownership-based partitioning – databases may have visibility and access to their keys only
• Protection against DBA – prevents the DBA from impersonating other database users
• Separation of duties – security vs. data management
• Dual Control (MofN) – sensitive operations require multiple admins
Application-level protection
• Cryptographic operations: Encrypt/decrypt, Sign/SignV, Mac/MacV
• Standard Encryption
• Format-Preserving Encryption (FPE)
• Tokenization
• Bulk Interfaces – Encryption, Tokenization, FPE
• Key & Certificate management interfaces
• Access policies – Key Ownership-based partitioning – applications have visibility and access to their keys only
• Protection against all admins – admins can only see encrypted data
• Separation of duties – security vs. data management
• Dual Control (MofN) – sensitive operations require multiple admins
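Two items recur on the database-level and application-level slides above: tokenization that keeps the field's format so a column or API can carry the token in place of the value, and key-ownership partitioning so that each database or application reaches only its own keys while admins see protected data only. The block below is an added illustration of both, not Gemalto or SafeNet code: the `TokenVault` class and its `tokenize`/`detokenize`/`dba_view` methods, the application ids and the sample number are all constructed for the example.

```python
"""
Toy tokenization vault with key-ownership partitioning.
Added illustration, not Gemalto/SafeNet code; the vault API, app ids
and sample values are constructed.
"""
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Maps random, format-shaped tokens to cleartext, partitioned by owning app."""

    def __init__(self):
        self._by_token = {}   # (app_id, token) -> cleartext
        self._by_value = {}   # (app_id, cleartext) -> token, so repeats are stable

    def tokenize(self, app_id, value, keep_tail=4):
        """Return a same-length numeric token that keeps the last keep_tail digits."""
        if not value.isdigit():
            raise ValueError("toy vault tokenizes numeric strings only")
        head_len = len(value) - keep_tail
        if head_len < 1:
            raise ValueError("value too short to tokenize with this tail length")
        if (app_id, value) in self._by_value:
            return self._by_value[(app_id, value)]
        for _ in range(1000):  # bounded retry on the (rare) token collision
            head = "".join(secrets.choice(DIGITS) for _ in range(head_len))
            token = head + value[-keep_tail:]
            if token != value and (app_id, token) not in self._by_token:
                break
        else:
            raise RuntimeError("could not find a free token")
        self._by_token[(app_id, token)] = value
        self._by_value[(app_id, value)] = token
        return token

    def detokenize(self, app_id, token):
        """Only the owning app's partition resolves a token; other apps are refused."""
        try:
            return self._by_token[(app_id, token)]
        except KeyError:
            raise PermissionError(f"{app_id!r} does not own token {token!r}") from None

    def dba_view(self):
        """What a storage or database admin sees: tokens, never cleartext."""
        return sorted(token for (_, token) in self._by_token)


def demo():
    """Constructed walk-through: one app tokenizes, another app is refused."""
    vault = TokenVault()
    pan = "4111111111111111"   # constructed test number, not a real card
    tok = vault.tokenize("billing-app", pan)
    try:
        vault.detokenize("analytics-app", tok)
        cross_app_refused = False
    except PermissionError:
        cross_app_refused = True
    return {
        "same_length": len(tok) == len(pan),
        "tail_kept": tok[-4:] == pan[-4:],
        "token_differs": tok != pan,
        "stable_on_repeat": vault.tokenize("billing-app", pan) == tok,
        "owner_roundtrip": vault.detokenize("billing-app", tok) == pan,
        "cross_app_refused": cross_app_refused,
        "dba_sees_cleartext": pan in vault.dba_view(),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20} {ok}")
```

The token here is a random lookup value that merely looks like the original, which is what distinguishes vault tokenization from the Format-Preserving Encryption listed beside it: an FPE mode (NIST FF1, for instance) derives the same-format output deterministically under a key and needs no vault, at the cost of the key becoming the thing to partition and protect. In both cases the partition check in `detokenize` is the control that gives "applications have visibility and access to their keys only" its teeth.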
Gemalto Encryption Ecosystem – Offers the industry’s most expansive ecosystem of integrations for encrypting data within third party environments
SafeNet KeySecure Platform – Distributed Key Management
• Data at Rest – SafeNet ProtectApp, SafeNet ProtectDB, SafeNet Tokenization, SafeNet ProtectFile, SafeNet ProtectV – covering Virtual Machines, File Servers & Shares, Application Servers, Databases, Web and Application Servers
• Data in Motion – SafeNet High Speed Encryptors – Layer 2 Ethernet Encryption (Network Encryption)
Gemalto Key Management Ecosystem – The industry’s most expansive and diverse ecosystem of integrations, including the largest # of KMIP integration products
SafeNet KeySecure Platform – Distributed Key Management
• Integrations: Cloud Encryption Gateways; Backup & Storage; Database Encryption; Storage & Archive; SIEM Tools; Cloud Services; File & Disk Encryption
• SafeNet products: SafeNet ProtectApp, SafeNet ProtectFile, SafeNet ProtectDB, SafeNet ProtectV™, SafeNet Tokenization
• 300+ HSM Integrations
• 400+ Authentication Integrations
• 30+ KeySecure Integrations
• 35+ Crypto Integrations
Thank You!
Complying with eIDAS