General Data Protection Regulation, a developer's story

Transcript

1. GENERAL DATA PROTECTION REGULATION A developer’s story

2. None

3. LATEST BREACHES THAT IMPACTED PEOPLE’S LIVES Equifax (2017) 143 Million

   accounts hacked financial exposure (credit), credit card data & personal information Ashley Madison (2015) 37 Million accounts hacked extorsion, divorces, suicides OPM (2015) 21 Million US government personnel foreign assets, informant data, addictions & relationship issues
4. None

5. WHO ARE YOUR ADVERSARIES? (Natural) Disaster Hackers Law enforcement Nation

   States Employees

6. DISCLAIMER This is not “legal advice” and all points made

   should be checked with your company’s legal department or consult a legal advisor for your specific situation!

7. GDPR What is it?

8. GENERAL DATA PROTECTION REGULATION (GDPR) ➤ More strict modification of

   already existing advisories (not rules) of best practices towards protecting privacy data in EU ➤ Become law in all 28 EU countries on May 25, 2018 ➤ Impact all businesses that collect and process privacy related data of EU data subjects (even outside of EU)

9. “ GDPR is a risk based approach -Cindy E. Compert

   - IBM Security
10. None

11. WHAT GDPR WANTS TO PROTECT Religion & Beliefs Physical Appearance

    Cultural Background Sexual Orientation Social Status Financial Strength Mental State Medical Conditions Studies & Education Memberships Loyalty Programs Identity & Nationality

12. WHAT IS CONSIDERED “PRIVATE DATA”? ➤ Name, email address, home

    address, phone number ➤ Social security number, national identity number, passport number ➤ Medical data, social status, religion, political views, sexual orientation, nationality, financial balance ➤ Concert tickets, travel arrangements, library cards, loyalty programs ➤ IP addresses with timestamps ➤ and much more…

13. PII Personal Identifiable Information Information that can identify a single

    individual

14. RULE OF THUMB Any piece of information that can point

    to a single individual within the EU

15. WHY CARE ABOUT GDPR? Why do I need to invest

    so much in being ready?

16. PROTECT & SERVE ➤ Protect data of EU data subjects

    ➤ Secure the way you store data ➤ Audit access to data ➤ Know what data is kept in the company

17. FINES & PENALTIES ➤ up to 10 million Euro or

    2% of annual global turnover ➤ up to 20 million Euro or 4% of annual global turnover for more severe infringements

18. IMPROVING KNOWLEDGE on the private data collected and processed by

    your company and who had access to it.

19. SERVICE BINGO

20. None

21. IMPROVE SECURITY GDPR is a risk based approach to protect

    privacy data. All measures to ensure this protection will improve your overal security.

22. GDPR COMPLIANCE The nitty-gritty

23. PATH TO GDPR COMPLIANCY ASSESS TRANSFORM DESIGN OPERATE CONFORM

24. PATH TO GDPR COMPLIANCY ASSESS TRANSFORM DESIGN OPERATE CONFORM

25. PATH TO GDPR COMPLIANCY ASSESS TRANSFORM DESIGN OPERATE CONFORM

26. PATH TO GDPR COMPLIANCY ASSESS TRANSFORM DESIGN OPERATE CONFORM

27. PATH TO GDPR COMPLIANCY ASSESS TRANSFORM DESIGN OPERATE CONFORM

28. PATH TO GDPR COMPLIANCY ASSESS TRANSFORM DESIGN OPERATE CONFORM

29. IN2IT CASE STUDY - 25 external services - 2 continents

    (EU & NA) - No agreements with providers - No consent for data transfer - Limited encryption of data ✓ Automated deployment processes ✓ Signed code and releases ✓ Strict Access Control ✓ 5 external services ✓ 2 continents with Module Clause for US and Canadian services ✓ Contracts with all providers ✓ Consent for data transfer ✓ All data encrypted (in-transit and at rest) ✓ Automated deployment processes ✓ Signed code, release and documents ✓ Strict Access Control

30. SOME EXAMPLES Technical things you can do right now!

31. PASSWORD MANAGEMENT ➤ Don’t store data access passwords in common

    repository ➤ Don’t keep passwords in environment variables* ➤ Make use of an Identity Management System to manage ➤ SSH keys ➤ API keys ➤ DSN’s ➤ Public keys (*) Why not use environment variables: diogomonica.com

32. HASHICORP VAULT ➤ Tool for managing secrets ➤ vaultproject.io ➤

    Secures, stores and controls ➤ access tokens ➤ passwords ➤ certificates ➤ API keys ➤ … others ➤ Access Control ➤ Key Rolling ➤ Configurable lease time ➤ Audit logs ➤ Open Source

33. USE A TEAM PASSWORD MANAGER

34. GIVE 2FA TO EVERYONE!

35. AUDIT TRAILS WITH MIDDLEWARE & CQRS ➤ Log access to

    data ➤ Automate anonymising of privacy data ➤ Automate encryption of privacy data

36. …AND DON’T FORGET TO ENCRYPT YOUR STORAGE & COMMUNICATIONS! App

    Data Storage File Storage Log Storage Backup Storage Public - private key exchange| encrypted data storage

37. WHAT YOU CAN DO NOW! Simple steps towards more privacy

38. RESPECT DNT HEADERS

39. None

40. Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,nl;q=0.4 Cache-Control: max-age=0

    Connection: keep-alive DNT: 1 Host: www.example.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (<script>alert(‘Filter Input, Escape Output’);</script>)
41. None

42. INTERESTING FOR DISABLING GOOGLE ANALYTICS <?php if (!array_key_exists('HTTP_DNT', $_SERVER) ||

    1 !== (int) $_SERVER[‘HTTP_DNT’]): ?> <!-- show your Google Analytics Script Here --> <?php endif ?>

43. REMOVE THE “DATA” from displayed information

44. What’s wrong with this picture?

45. Why display full name details?

46. Why display email addresses?

47. Why display phone numbers?

48. REDUCE ACCESS TO DETAILS If a user has other ways

    to communicate with your clients, remove the visible display of common data elements like full names, email and shipment addresses and phone numbers.

49. Do you see the difference?

50. Not full name display

51. Integrated communication functionality

52. None

53. SAME FUNCTIONALITY, BUT KEEPS DATA HIDDEN ➤ Prevents accidentally exposing

    email and phone numbers (e.g. during a call) ➤ Hides details from end-user, but functionality is still provided ➤ Sending out an email uses build-in mail client ➤ Making calls uses a phone middleware used in the company ➤ Gives clear audit trail on who accessed what
54. None

55. NOT 100% PROTECTION, BUT… ➤ We remove the personal one-on-one

    communication with customers ➤ We add better access management on customer communication ➤ Full audit trail now possible as communication stays in-application ➤ Less chance for data loss as contact details are kept away from users

56. BLOCKCHAIN Immutable, verifiable ledger for all transactions

57. EMAIL MARKETING

58. CONTACT DATA Opt-in , always

59. NOT OPT-IN /dev/null is the place to be

60. LIMIT EXPIRATION Don’t keep longer than needed

61. AUTOMATE IT!

62. NEXT STEPS Get started now to be ready

63. GET STARTED NOW

64. DON’T START BLINDLY KNOW WHAT TO PROTECT!

65. EVALUATE REGULARLY

66. GOAL: PROTECT PRIVACY

67. SOME RESOURCES ➤ European Commission: Protection of personal data ➤

    EU GDPR Infograph ➤ Charting the Course to GDPR: Setting Sail ➤ Deloitte GDPR Series ➤ InfoSecurity Group GDPR Checklist ➤ Securing MongoDB ➤ Table and tablespace encryption on MariaDB 10.1

68. THE CLOCK IS TICKING…

69. None

70. in it 2 PROFESSIONAL PHP SERVICES Michelangelo van Dam Zend

    Certified Engineer [email protected] - www.in2it.be - T in2itvof - F in2itvof Consulting Automation Training

71. JOIN THE DISCUSSION https://in2.se/gdpr-updates

72. None