GDPR and NIS Compliance - How HyTrust Can Help

© 2016 HyTrust, Inc. 1

GDPR & NISTaking the pain out of government mandated security response


HyTrust Workload Security Use CasesPreviously discussed specific use cases – how are they related to GDPR/NIS?

Critical areas affected by GDPR and NIS – increased risk with public or hybrid cloud environments:

Eliminate privileged user misuse

Halt data breaches on all clouds

End audit and compliance suffering

Remove costly infrastructure air gaps

Avoid data sovereignty landmines

Stop stupid and the accidental downtime

1. Privileged account misuse 2. Data breach protection3. Data sovereignty compliance


GDPR Executive Summary

New standard for data protection and privacy for the EU member state – replacing the previous Safe Harbor agreement (between the US and EU). Covers any company doing business in the EU or with an EU citizen.

What When Impact

Goes into “full” force on May 25, 2018. Different member states may add some variations or additional requirements.

Enforcement is backed by substantial fines, some based on 2%-4% of corporate revenue in EU.

Allows EU citizens to challenge companies and shift burden onto the service providing company for proof/response to privacy and security.

Affects a range of technology systems including data storage and collection, data encryption, and frameworks for privacy processes (through policy and privacy specialists).

Still unclear with Britain leaving the EU – but most likely following GDPR will still be more stringent than any local guidelines.

© 2016 HyTrust, Inc. 4NDA Material, Confidential and Proprietary

Challenges

Migration to Public Cloud Increases Risk

Transparency

GDPR Requirement Summary Description

Consent/Data Quality

Security enforcement of Privacy

Data breach readiness and response

Right to be Forgotten (Art 17)

Privacy policy and DPO

Opt-in by consumer; ability to get rid of data if consent is withdrawn

Protecting data via encryption, secure data destruction, etc..

72 hours for breach notification; incident response plan

Right to be Forgotten - Erasure (Art 17)

Policy guarantees harder with 3rd party (ie cloud provider)

Tracking data across many workloads and geographies with instant ability to “kill” data

Proof of actions (of encryption and destruction) are required if challenged

Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly

All data must deleted – retroactively and for all records

Note there are numerous other areas of challenges – but these are most technically challenging for cloud enabled organizations.


Technology Best Practices Response to GDPR(and applicable HyTrust Use Cases)

Shift from alert and SIEM analysis to

proactive, automatic security for both

breach protection and privacy protection

[Data Sov.]

Automatic

1 2 3 4 5

Insiders Self-Regulating Platform Agnostic Instant Proof Ensure admins on access data on any cloud can be monitored and proof of

compliance can be shown instantly (or instantly flag

violations for prompt remediation)

[PIM, Data Sov.]

Workload needs portable policy to

protect and enforce compliance itself

[Data Sov.]

Implement a platform agnostic solution –

which will work across any provider or

workload type (virtual machine, SDDC,

containers, etc..) [All use cases]

Ensure proof of compliance is fast,

easy, and multi-cloud ready

[All use cases]


My Cloud Provider Says I Am Protected…

Microsoft, Amazon, and others have issued statements that their customers are protected and compliant already via their use of “model” contracts and other legal mechanisms.

Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and not rely on the provider or specific technology to protect your data.

However….

1 2 3 4

And if provider fails – YOU are still responsible for data breach

disclosure and remediation impact for your customers.

ONLY workloads and data that resides on that provider

can be considered as “provider” scope (private data centers, backup/DR sites, QA copies, etc.. are

still your issue).

YOU are still responsible for the administrative actions of

systems on that network.

YOU are still responsible for the data, even if the provider

is compliant.


Use Case and Advisory Notes

HyTrust Makes the GDPR pain go away…

GDPR Scope HyTrust Capability

Codify the privacy policy through data and admin policy engine and enforce through workload policy. Monitor and execute immediate policy change propagation across all workloads/clouds.

Secure decommission of workloads required to ensure fast and efficient data destruction on demand. Creates chain of evidence of data destruction.

Encryption that be used to secure the privacy (via access and propagation of the protected data).

Instant audit trail and correlation of activity, policy, and intentional/accidental attempts of breach. Ability to provide RBAC’s for instant access across auditors or other regulators.

Encryption key revocation means ALL data is immediately rendered useless.

Data Protection. Policy actions and workload response can all be monitored and provide instant response to an audit.

Data Protection. Through hyper efficient key management technology, data can be instantly destroyed.

Data Protection, Data Sov. Proof of actions (of encryption and destruction) are required if challenged. Encryption, policy controls, etc.. Can be detailed for audit, compliance proof, or forensics.

PIM, Data Sov. Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly

Data Protection, Data Sov. Do not need to track where data exists, only use key management.

Transparency

Consent/Data Quality

Security enforcement of Privacy

Data breach readiness and response

Right to Erasure (to be Forgotten)


HyTrust / Customer Options

Detailed GDPR Mapping to HyTrust

GDPR Source Text Requirement Summary

Appropriate level of security based on state of art. Including: encryption, regular tests of security effectiveness, ensure confidentiality, integrity of data.

Requires data controller to implement appropriate technical … measures to ensure and …demonstrate compliance.

Data controllers must also implement data protection by default…implement appropriate technical …measures to [protect/address] the amount of data collected, extent of processing, and retention and accessibility of data.

Implement policy based encryption for data protection (and evidence). Show compliance of human assets.

Forensic level logs that track workloads, administrative activities, and policy changes at the object level.

Through HyTrust BoundaryControl policies, the system is (by default) set to adhere to data boundaries and usage. Furthermore encryption can be used to enforce this across any cloud provider.

Article 32 – Security of processing

Article 24 – Responsibility of the controller

Article 25 – data protection by design and default


NIS Executive Summary

EU network and information security (NIS) directive sets common cyber-security standards and aims to step up cooperation among EU countries and service providers.

What When Impact

EU member states have 21 months comply and then 6 months to identify critical infrastructure operators (May 2018)

Lays out specific technical guidance on “critical” infrastructure entities including energy, banking, healthcare, transport sector organizations that are vital to the EU member state government

Increased transparency and information sharing – requiring faster analysis and reporting by affected organizations

“Critical infrastructure” identified operators will have a higher cyber security standard and be specifically responsible for prevention of risks and incident response


HyTrust Use Cases

HyTrust Reduces Risk with NIS - Examples

NIS Directive Reference Directive Summary

Measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems comprises the security of stored, transmitted and processed data.

Security of systems and compliance with international standards (among other requirements)

Many points in the directive refer to sharing of data among various government agencies.

Data Protection. Proactive controls via HyTrust services and forensic level logging for compliance verification. Security of data can be enforced via HyTrust DataControl.

PIM, Data Protection. Security from insider threats and compliance templates/analysis can be done HyTrust CloudControl

PIM, Data Sov. HyTrust CloudControl provides RBAC’s to allow third parties customer defined access to object level functions to share only the information being required.

(46) Risk-management measures

(16) Security requirements and notification

(11), (14), (16)


Thank You

GDPR and NIS Compliance - How HyTrust Can Help

Technology

Transcript of GDPR and NIS Compliance - How HyTrust Can Help