
Data Management Best Practices for Security & Privacy

A very traditional yet elusive discipline is that of data management in any organization. The practice usually begins with well-intended roots around data governance but then falls apart in its execution.

Adding to the inherent challenge is the term "data" itself, which encompasses a broad spectrum of information, spanning from corporate data to client data.

The focus of this talk will be to revisit both the traditional governance best practices that are still invaluable to proper data management and governance efforts and the practical technological controls that can support the management of data.

Key topics to be discussed as part of a comprehensive data management agenda include the following:

Governance
Architecture & Data Flows
Data compliance
Risks & impact
Pseudonymization
Encryption
Hashing
Retention & Divestiture Efforts

VerSprite, Inc

December 18, 2018

Transcript

  1. Data Management Struggles
    • Data moves faster than management practices
    • Need for automation is critical
    • DevOps provides a new frontier
    • Process in enterprises is foundational
    • Policies
    • Contracts
    • Supply Chain Integrations
    • Endpoints to Data Warehouses
    • Data governance must be adhered to
  2. Common Frustrations
    • Data management best practices always seem theoretical
    • Foundational work is always an afterthought to data exchanges
    • No one person knows all data exchanges; it takes a team, ideally a data governance team
    • Reconciling policies or requirements is never-ending
    • Disconnect between data contracts and IT operations and compliance
  3. “A goal without a plan is just a wish.” Antoine de Saint-Exupéry (1900-1944)
    • Build a Data Management Plan
    • Constituents should include a cross section of team members
    • Plan must include:
      • types of data to be authored;
      • standards that would be applied, for example format and metadata content;
      • provisions for archiving and preservation;
      • access policies and provisions; and
      • plans for eventual transition or termination of the data in the long-term future.
  4. Data Management Framework
    • Holistic approach to understand the information needs of the enterprise & its stakeholders
    • Consistency for planning & process development
    • 10 major functional areas, including governance
    • Aligns data with business strategy (above) and technology (below)
    • Takes into account the data lifecycle – creation through destruction
    • A framework is foundational and encompasses data management risks from Legal to Security
    Source: Data Management Association International
  5. Beyond Governance
    Status Quo
    • Data Loss Protection
    • ETL & ERM Data Warehouse Tools (SAS, IBM, etc.)
    • SaaS Players (Salesforce)
    • Tableau, Domo (data visualization)
    • PaaS (AWS, Azure)
    • Client-side FDE (full disk encryption)
    • PKI (for data integrity)
    • Integrated Authentication (IAM solutions)
    • Security Incident Event Monitoring
    Future State Automation
    • Much traditional out-of-the-box software actually exacerbates the problem
    • Custom automation is becoming much more effective
    • Supports a Crawl-Walk-Run approach to Data Management
    • Automation, Orchestration
      • Chef
      • Puppet
      • Ansible
      • Terraform scripts
    • Controls can be developed to provide assurance of data management controls based upon a governance framework
    Automation Key for Validation and Enforcing Governance
  6. Data Analytics Example
    • Consider supply chain of your data
    • Need to consider classification of raw & processed data
      • Data you get in vs. data you produce
    • Importance of knowing your role
      • Processor vs. Controller
      • DPIA – Exercise to understand impact of data
    • Map out your data flows – conduct a DFD
      • APIs
      • Network paths
      • 3rd Party Integration
    • Map out your data stores
    • Consider your role in a supply chain
    Data Management Basics that Go a Long Way
  7. Mapping Data Moves to Governance
    Data Analytics Company
    Data on the Move
    ⇀ Data from data providers
    ⇀ Direct user engagements (e-commerce, ads, etc.)
    ⇀ Feeds from data aggregators
    ⥃ APIs
    ⇀ Analytics & Visualization Systems
    ⇀ Finance (ad metrics)
    ⥃ CRM systems
    ↺ Algorithms transform data
    ↺ AWS ElasticSearch
    • Short term data storage
    • Reporting (AWS Aurora)
    • Data Visualization (Tableau)
    • Long Term Data Storage
    • AWS EBS, EFS, or AWS Glacier
    Governance
    • Know data to be consumed
    • Review Data Processing Agreements (DPAs)
    • Audit data received
    • Abiding by data usage
    • Determine internal data uses
    • Knowing when to encrypt
    • Keeping the data
  8. ACME AdTech in AWS
    Applying Data Management Hygiene in the Cloud
    [Architecture diagram. Labelled components: Amazon Route 53 (web.adtech.com), Elastic Load Balancing, AdTech Web Tier, web app cluster, Amazon EC2, Auto Scaling group, security groups, Memcached, logs, Amazon EBS snapshot, root volume, data volume, Amazon Glacier]
    Diagram annotations
    • Supports crypto requirements
    • Long-term data storage. Recovery support
    • Logical separation
    • RBAC access control
    • IAM Policies, VPC ACLs
    • TLS - Data in Transit
    • Retention Policies
    • Audit trail for access control, data integrity
    Pro-Tips that Work
    • Audit for privacy controls
    • Audit for security controls
    • Automate audit checks
    • Conduct a DFD
    • Identify regulatory gaps
    • Identify data controller requirement gaps
  9. IoT & Data Acquisition
    • Data drives better consumer products
    • Trends in consumerism require massive amounts of regulated data
    • Data to manage
      • Consents
      • PII
      • Supplier contracts
      • Logs
      • Product usage
    • Retention – Cost benefit analysis
    • Data has an expiration date in IoT
    • Lose the liability via data divestiture
  10. IoT Data Flow
    Usage, Analytics, and Data Retention
    [Class diagram of a home heating system: Heating System, Home, Room, Furnace, Heat Flow Regulator, Operator Interface, Heat Switch, Water Valve, temperature sensors, indicators, Timer, Clock Calendar]
    Pro-Tips that Work
    • Remember your goals
    • Know security & privacy implications
    • Map data points to those goals
    • Understand your data flow
    • Know what to protect
    • Keep what you need; lose the rest
  11. Going forward w/ Data Governance
    • Framework First, Policies Next
      • Usually stops here for many
    • Know Data Flows
      • Data Flow Diagramming pivotal for proper governance
    • Know your data stores
      • Data at rest today is across multiple data stores
    • Know crypto capabilities
      • Know how you’re keeping your encryption keys
    • Know logging configuration
    • Employ integrated authentication wherever possible
    • Employ the use of DevOps functions
      • Implements controls
      • Validates controls
      • Obtains evidence of controls
  12. Tony UcedaVélez
    CEO & Founder | VerSprite – Global Security Firm (www.versprite.com)
    OWASP Atlanta Chapter Leader (past 10 years)
    Author, “Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis”, Wiley June 2015
    • Passionate global, threat modeling evangelist
    • ~25 years of diverse IT/Security experience in software development, architecture, pen testing, threat modeling, sys admin, security operations
    • Dreams of bankrupting #infosec with intelligent, threat inspired DevSecOps automation
    • Twitter: @t0nyuv
    • LinkedIn: www.linkedin.com/tonyuv
    • Email: [email protected]