Javier Salido [email protected] Microsoft, Trustworthy Computing

Slide 2
Javier Salido [email protected] Microsoft, Trustworthy Computing

Slide 3: Session Objectives and Takeaways
Session Objective(s):
  • Review common privacy issues
  • Understand how Data Governance can provide answers
  • The Information Lifecycle allows organizations to better understand how data is used
  • The Microsoft Technology Framework helps in identifying suitable privacy controls
  • Microsoft provides tools and guidance to assist you in your Data Governance efforts

Slide 4: Agenda
  • Privacy
      • Review of privacy concerns in today's world
      • Statutory and Regulatory landscape
      • Standards
  • Data Governance
      • Data Governance for Privacy
  • Data Governance Technology Framework
      • Data Lifecycle
      • The four focus areas of the framework
  • Action Plan
  • Summary

Slide 5: What is Privacy?
  • UK Calcutt Committee: "the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information"
  • Security is necessary for privacy, but privacy is not guaranteed with security

Slide 6: Privacy Concerns are Increasing
  • Organizations are accumulating unprecedented amounts of data on individuals
  • Data can be stolen, lost or misused
  • Inappropriate or careless use of technology puts Privacy at risk
  • Software designed to identify and profile individuals for monetary gain
  • Poor software design and implementation
  • Most software does not consider privacy aspects
  • Weak or non-existent security controls

Slide 7: Top of Mind: Data Breaches in 2008
  • Average cost of an incident was $6.6 million US, a 2.5% increase over 2007
  • Largest percentage of incidents (35%) is due to lost or stolen laptops or media
  • Average customer churn attributable to Data Breaches was 3.6%
      • 6% for financial services industry
Source: Ponemon study, Cost of a Data Breach, Feb 2009 http://www.encryptionreports.com/

Slide 8: Top of Mind: Data Retention
  • Accidental misuse of data in violation of privacy policies and legislation
  • E-Discovery in civil litigation cases
  • Loss or theft of data
  • No breaches on data you don't keep
  • 66% of Data Breaches in 2008 involved data that was not known to reside on the affected system at the time of the incident
Source: 2008 Verizon Data Breach Investigations Report. http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Slide 9: And if That was not Enough...
  • Customers' trust in online business is eroding
  • Inefficient use of the organization's data assets
  • Industrial espionage, theft of intellectual property
  • Need to comply with an increasingly complex regulatory environment: Governance, Risk and Compliance (GRC)

Slide 10: Agenda

Slide 11: Statutory & Regulatory Landscape
  • In EU privacy is a fundamental right
  • Concept of personal data defined in 95/46/EC
  • 95/46/EC defines rules for transfer of personal data across member states' borders
  • Data cannot be transported outside of EU unless citizens give consent, or there is a legal framework in place, e.g. Safe Harbor
  • Data Protection Administrators in member states enforce laws and rules, and prosecute violators

Slide 12: Statutory & Regulatory Landscape
  • In US privacy is not a fundamental right
  • US Supreme Court justices have said that privacy is not in Constitution, Bill of Rights, or subsequent amendments
  • Privacy is offered through a patchwork of federal and state legislation
  • Where legislation does not exist the FTC can protect consumers through Section 5 of the FTC Act
  • Privacy in US focuses on concept of personally identifiable information (PII)
      • "Information which can be used to distinguish or trace an individual's identity" (Office of Management and Budget)

Slide 13: Statutory & Regulatory Landscape
  • In Latin America some countries have adopted EU-style data protection legislation
  • In Asia there are growing calls for legislation
  • Association of Southeast Asian Nations (ASEAN) leaning towards using the Organization for Economic Cooperation and Development (OECD) privacy guidelines on protection of privacy

Slide 14: Agenda

Slide 15: Privacy Standards
  • ISO/IEC CD 29100: Information technology - Security techniques - Privacy framework
  • NIST SP 800-122 (Draft): Guide to Protecting the Confidentiality of Personally Identifiable Information

Slide 16: Security Standards
  • ISO/IEC 27002 (formerly ISO/IEC 17799)
  • 15.1.4 Data protection and privacy of personal information
      • Control: Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses
      • Implementation guidance: An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information

Slide 17: Agenda

Slide 18: Data Governance
  • Is the exercise of decision-making and authority for data-related matters
  • Encompasses the people, processes, and IT required for consistent and proper handling of data across the enterprise

Slide 19: Why Organizations look at DG?
  • Risk Management
      • Protection of data assets and intellectual property
      • Safeguard customer data and organizational prestige
      • Establish appropriate personal data use to optimally balance ROI and risk exposure
  • Compliance
      • Meet existing compliance obligations
      • Ensure quality of compliance data
      • Provide the company flexibility to respond to new compliance requirements
  • Maximize benefit from data assets
      • Increases consistency and confidence in decision making
      • Improve data quality, reliability and availability
      • Establish common data definitions across the enterprise
      • Establishes accountability for information quality

Slide 20: Agenda

Slide 21: Data Governance for Privacy and GRC
[Diagram; labels as extracted: Strategy Documented Policies & Procedures Business Data Req. Compliance Data Req. Privacy Requirements Risk Governance GRC Implementation]

Slide 22: Data Governance for Privacy and GRC
  • Governance
      • Organizations should collect only the data required to conduct business
      • Data should be rationalized and shared
  • Risk
      • Data should be secured from unauthorized access and use
      • Data should be accurate
      • Data should be accessible

Slide 23: Data Governance for Privacy and GRC
  • Compliance
      • All applicable laws and regulations relating to data and the systems that the data is stored or processed on should be complied with

Slide 24: Questions for the Organization
  • Am I collecting data in alignment with business goals and priorities?
  • Am I notifying customers and obtaining their consent first when personal information is involved?
  • Am I managing data risk appropriately?
  • If the data I am storing is personal information how am I protecting my customers' privacy?
  • Am I handling the data within compliance?
  • What statutes and regulations do I need to follow?

Slide 25: Agenda

Slide 26: Information Lifecycle
  • Understanding the information lifecycle helps in thinking about data governance principles
  • It is also useful when looking at how data is collected, processed and shared within an organization, and who has access to it
  • The information lifecycle is the basis of a technology framework for data governance

Slide 27: Information Lifecycle
[Diagram; labels: Data Storage, Collect, Update, Delete, Process, Transfer, Transfer (New Lifecycle)]

Slide 28: Agenda

Slide 29: Four Focus Areas
  • Secure Infrastructure
      • Safeguards against malware and intrusions
      • Safeguards against unauthorized access to personal info
      • Protect systems from evolving threats
  • Identity and Access Control
      • Protect personal information from unauthorized access or use
      • Provide management controls for identity, access and provisioning
  • Information Protection
      • Protect sensitive personal information in structured DBs
      • Protect sensitive personal information in unstructured documents, messages and records, through encryption
      • Protect data while on the network
  • Auditing and Reporting
      • Monitor to verify integrity of systems and data
      • Monitor to verify compliance with business processes

Slide 30: Agenda

Slide 31: Action Plan
  • Remember, technology is only part of the solution
  • Catalog sensitive information
  • Classify sensitive information
  • Plan your technical controls
  • Leverage the Information Lifecycle to evaluate potential threats at each stage, for each set of data

Slide 32: Action Plan
  • For each area in the framework, options can be thought of as candidate controls
  • Think about what privacy risks exist, and how the technology can address it
  • Identify technologies that integrate with other technologies in the same and other areas in the framework
  • Integration will make management easier and help reduce the likelihood that gaps in coverage will exist

Slide 33: Bringing it All Together: Lifecycle and Framework
  • Collect
      • Secure Infrastructure: Secure client and web site
      • Identity and Access Control: authN/authZ
      • Information Protection: Encrypt traffic
  • Update
      • Secure Infrastructure: Secure client and web site
      • Identity and Access Control: authN/authZ
      • Information Protection: Encrypt traffic
      • Auditing and Reporting: Log user
  • Process
      • Secure Infrastructure: Secure host
      • Identity and Access Control: authN/authZ
      • Information Protection: Encrypt traffic
      • Auditing and Reporting: Log reason
  • Delete
      • Secure Infrastructure: Secure wipe
      • Identity and Access Control: authN/authZ
      • Auditing and Reporting: Log delete
  • Transfer
      • Identity and Access Control: authN/authZ
      • Information Protection: Encrypt traffic
      • Auditing and Reporting: Log user
  • Data Storage
      • Secure Infrastructure: Secure server
      • Information Protection: Encrypt data store

Slide 34: examples & tools

Slide 35: Example 1: Secure Infrastructure
  • Issue: Compromised systems put personal information at risk of compromise or disclosure

Slide 36: Example 1: Secure Infrastructure
  • Solution: Anti-malware and firewall defenses can protect systems from compromise
      • Windows Update and WSUS can keep systems up to date with software patches for OS and some apps
      • Forefront Client Security provides anti-malware defenses with centralized reporting and scanning
      • Windows Firewall provides advanced host firewall protection
      • NAP allows only healthy systems to access network resources containing personal information

Slide 37: Example 2: Information Protection
  • Issue: Databases are a rich repository of customer personal data and PII
      • Focus of external attacks by hackers using multiple methods
      • Rogue administrators and non-authorized internal personnel may try to access data
  • Solution: Encryption in database can protect data from unauthorized users
      • SQL Server uses certificates to protect symmetric keys which are used to encrypt data

Slide 38: Example 3: Information Protection
  • Issue: Mobile workforce carry customer data on mobile devices
      • If device is lost or stolen data might fall into hands of unauthorized users
  • Solution: Encryption of content will protect data if device is lost or stolen
      • BitLocker will encrypt all files on laptop
      • Rights Management Services can be used to restrict access to business documents

Slide 39: Rights Management Services

Slide 40: IT Compliance Management Architecture
[Diagram; labels as extracted: Compliance Planning Guide Determine GRC Applicability Plan for GRC Control Requirements Follow Checklists Manage GRC Life Cycle through MOF Compliance Workbook Configuration Guidance Links Plan Controls Deploy Controls Subject Matter Experts GRC Authority Docs Planning Guide IT Manager IT Pro Review Authority Documents Job Aids]

Slide 41: IT Compliance Management Workbook

Slide 42: Microsoft Privacy Standard for Developers (and Web sites) 3.1
Provides guidelines for:
  • Creating notice and consent notices
  • Providing sufficient data security
  • Maintaining data integrity
  • Supplying controls when developing software products and web sites

Slide 43: Data Governance Web-site
Microsoft Confidential

Slide 44: Data Governance Web-site
  • Contains white papers, one-pagers, presentations and other resources
  • Tailored for specific audiences
  • http://www.microsoft.com/datagovernance

Slide 45: Summary
  • Privacy issues are real, and a challenge for organizations of all sizes
  • Data governance is an approach to tackling Privacy issues
  • The information lifecycle and data governance framework help organizations understand data use and relationships and identify suitable technology
  • Visit the Microsoft Data Governance web-site for more information and guidance

Slide 46

Slide 47: Resources
  • www.microsoft.com/teched: Sessions On-Demand & Community
  • http://microsoft.com/technet: Resources for IT Professionals
  • http://microsoft.com/msdn: Resources for Developers
  • www.microsoft.com/learning: Microsoft Certification and Training Resources
Required Slide: Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.

Slide 48: Track Resources
  • http://www.microsoft.com/datagovernance
Required Slide: Track PMs will supply the content for this slide, which will be inserted during the final scrub.

Slide 49
Complete an evaluation on CommNet and enter to win! Required Slide

Slide 50
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Required Slide
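
Added example, not part of the original deck or Microsoft's own code: the key hierarchy that Example 2 (Slide 37) names, where a certificate protects the symmetric key that encrypts a PII column in SQL Server. The table dbo.Customer, its columns, the role pii_reader and all key and certificate names are hypothetical, the rows are constructed sample data, and the password is a placeholder.

```sql
-- Constructed sample table: one PII column in cleartext, one for its ciphertext.
CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY PRIMARY KEY,
    NationalId    varchar(20)    NULL,
    NationalIdEnc varbinary(256) NULL
);
INSERT INTO dbo.Customer (NationalId) VALUES ('000-00-0001'), ('000-00-0002');

-- 1. Database master key: protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';

-- 2. Certificate: protects the symmetric key.
CREATE CERTIFICATE CustomerPiiCert WITH SUBJECT = 'Protects CustomerPiiKey';

-- 3. Symmetric key: the key that actually encrypts the data.
CREATE SYMMETRIC KEY CustomerPiiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerPiiCert;

-- 4. Encrypt the column. The authenticator (derived from the row's key) binds
--    each ciphertext to its row, so a value copied into another row will not decrypt.
OPEN SYMMETRIC KEY CustomerPiiKey DECRYPTION BY CERTIFICATE CustomerPiiCert;
UPDATE dbo.Customer
SET NationalIdEnc = EncryptByKey(Key_GUID('CustomerPiiKey'), NationalId,
                                 1, CONVERT(varbinary(8), CustomerId));
UPDATE dbo.Customer SET NationalId = NULL;   -- drop the cleartext once verified
CLOSE SYMMETRIC KEY CustomerPiiKey;

-- 5. Only principals granted both permissions can open the key. Note that
--    db_owner and sysadmin hold them implicitly, so this does not by itself
--    stop a privileged database administrator.
CREATE ROLE pii_reader;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CustomerPiiKey TO pii_reader;
GRANT CONTROL ON CERTIFICATE::CustomerPiiCert TO pii_reader;

-- 6. Decrypt. DecryptByKey returns NULL when the key is not open or the
--    authenticator does not match the row.
OPEN SYMMETRIC KEY CustomerPiiKey DECRYPTION BY CERTIFICATE CustomerPiiCert;
SELECT CustomerId,
       CONVERT(varchar(20),
               DecryptByKey(NationalIdEnc, 1, CONVERT(varbinary(8), CustomerId))) AS NationalId
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CustomerPiiKey;
```

Back up the certificate and its private key (BACKUP CERTIFICATE) and store the backup separately from the database: without the certificate the symmetric key, and therefore the column, cannot be recovered.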