WELCOME TO TODAY'S PRESENTATION
DevOps vs GDPR: How to Comply and Stay Agile
A Joint Webinar between Contino & Delphix
Today's Speakers
Adam Bowen, Delphix Strategic Advisor, Office of the CTO
Ben Saunders, Contino Client Principal
Ilker Taskaya, Delphix Senior Solution Engineer
Ian Morgan, Contino Technology Strategist
Your organisation can’t ignore regulation… Many organisations have been in denial about digital disruption. However, the onset of regulatory compliance is a disruption they can’t afford to ignore. If you think your organisation has its head in the sand, or has put on the noise-cancelling headphones, then now is the time to act, with GDPR deadlines fast approaching.
“Has the legislation been passed yet?”
“This isn’t really happening is it?....breathe in...breathe out”
“We don’t need to worry about these Challenger Banks… errrrr, what was that? The EU are banging on our door?”
What is GDPR and how could it affect your organisation?
General Data Protection Regulation (GDPR)...In Layman's Terms
With GDPR, EU legislation is changing the ways in which organisations handle, distribute and use sensitive customer data.
The intention is to align every European Union (EU) member state to a single set of rules and regulations.
When this legislation comes into force, all organisations that process personally identifiable information (PII) of EU residents must adhere to a number of provisions and standards.
Organisations that fail to adhere to these standards are likely to face significant fines or penalties.
There is no opting out, every organisation must comply! So what are the implications of GDPR?
2%: the amount of global turnover organisations will be fined if they fail to comply with GDPR at the first audit.
4%: the amount of global turnover organisations will be fined if they fail to comply with GDPR at the second audit.
Organisations will be given time to remediate their data deficiencies once they are identified by the regulators. However, organisations should be proactive about how they are going to handle this change, and explore ways in which they can combine data agility, compliance and automation as a catalyst for business growth.
GDPR Principles - The Data Controller
1. Personal data must be processed lawfully, fairly and transparently.
2. Personal data can only be collected for specified, explicit and legitimate purposes.
3. Personal data must be adequate, relevant and limited to what is necessary for processing.
4. Personal data must be accurate and kept up to date.
5. Personal data must be kept in a form that allows the data subject to be identified only for as long as is necessary for processing.
6. Personal data must be processed in a manner that ensures its security.
The Data Controller is responsible for demonstrating the principles outlined above. It is also the responsibility of the Data Controller to secure the same assurances from the external data processors with whom they contract.
Enterprises must be clear on what each of the principles means for them. Given the broad interpretation of terms like “processing”, a large amount of ambiguity still exists.
GDPR – Data Challenges
There are a number of specific data challenges under the GDPR Regulation that enterprises need to internalise into their practice. A number of high-impact considerations are detailed below:
Data Breaches: GDPR mandates that both the supervisory authority and the data subjects themselves be notified of any breach.
Data Protection by Design & by Default: The notion of building privacy or data protection measures into applications or processes is not new. The regulation, however, makes this mandatory in Article 26.
Data Portability: Under Article 20 of the Regulation, data subjects can request a copy of the personal data held on them, and can also request that this information is transmitted to another data controller. The Regulation doesn’t stipulate precisely how this information has to be presented or the format it has to be in.
Data Encryption: Given the extent to which encryption could mitigate the impact of a data breach, enterprises should extend encryption to cover all of their data, processing and storage processes.
We will be focussing on portions of this regulation today.
GDPR - A Ticking Time Bomb for Global Organisations
WHO IS AFFECTED?
Organisations who do business in the EU. Organisations who have customers in the EU. Organisations that trade with other entities in the EU.
RIGHT TO OPT OUT
The right to opt out, or the “right to be forgotten”, enables individuals to request that their data is removed from an organisation's system(s) of record where there is no longer a legitimate reason for their data to be held.
DATA BREACH & REGULATION
If a data breach occurs, then organisations must notify their data protection authority within 72 hours. Audits of organisations’ control processes around the end-to-end data supply chain must be executed to ensure they are fit for purpose.
WHAT ARE THE PENALTIES?
First Audit Failings - 2% GTO
Second Audit Failings - 4% GTO
From there on it will only get worse!
PRIVACY BY DESIGN
GDPR stipulates that systems and processes must be designed in a way that ensures data compliance standards are followed and adhered to.
Privacy by Design - DevOps vs GDPR
The Constraint: RIGHT TO OPT OUT
The right to opt out, or the “right to be forgotten”, enables individuals to request that their data is removed from an organisation's system(s) of record where there is no longer a legitimate reason for their data to be held.
The Constraint: PRIVACY BY DESIGN
GDPR stipulates that systems and processes must be designed in a way that ensures data compliance standards are followed and adhered to.
The Solution: DEVOPS & DATA AGILITY TO TACKLE COMPLIANCE
Contino - Continuum
Delphix - Data Masking
AWS - Cloud Environments
Customers have the right to withdraw their consent to organisations using their personal data for application testing. As a result, organisations must explore ways in which they can adhere to GDPR while still provisioning high-quality test data at velocity. Organisations must also adhere to the premise of Accountable Empowerment, so that they can track who did what, and when they did it, across their delivery pipeline; this can be achieved through integrated DevOps tooling and processes.
End to End Accountable Empowerment - Obfuscation, Control & Visibility: Who, What, When, Where?
Just to add more pressure… You can’t get away from BAU
“We need new functionality delivered in our customer facing web-app….oh and we need it tomorrow!”
“Damn it. How are we going to release an environment so we can test this feature?!”
“What do you mean it is going to take us 10 days to load data into the environment?!”
“Hang on, what do you mean the data is loaded...but someone has deployed the wrong config?!”
“What? I have already raised an RFQ with your team... What do you mean it has expired!?”
We are teaming up to help customers address these pains...
Based on the challenges that regulation brings to our joint customers, in addition to the more traditional BAU delivery bottlenecks, Contino and Delphix are applying our DevOps expertise, compliance know-how and technical wizardry to help customers accelerate their application delivery whilst controlling cost and remaining compliant.
How are we doing this, I hear you say?
Accountable Empowerment - DevOps vs GDPR
Continuum is a Continuous Delivery pipeline tool chain which integrates both open source and enterprise-grade tools to enable the creation of a secure application delivery pipeline in AWS. To assist with the provisioning of production-like test data, Continuum integrates with Delphix to leverage its data virtualization and data masking capabilities, so that we can provision production-grade environments consistently whilst complying with GDPR legislation. With DevOps & Data Agility, we enable Accountable Empowerment.
Data Masking: The most advanced data security solution available.
Continuum is a platform we deploy within weeks:
• Full infrastructure as code
• Multi-region, multi-availability-zone deployments
• Microservice / containerised deployments targeting Kubernetes
• Continuous integration & continuous delivery toolchain
Cloud Migration: Achieve value from cloud projects faster.
DevOps: Complete the DevOps stack with self-service data.
DevOps & Data Agility - Future Proof for GDPR
Leading digital companies are operating under a DevOps operating model – ‘You Build It, You Run It.’ Fortunately, these practices are now also viable for large established enterprises in regulated industries as the tools, practices and approaches are proven.
DevOps teams operate in a more cross-functional way and have more control of their stack federated to them. Their use of automation tooling leads to more tightly controlled and audited environments, and to increased levels of quality, resilience and compliance within a GDPR context. MASK ONCE AND DEPLOY ANYWHERE, CONSISTENTLY AND SECURELY.
(Pipeline diagram: the roles Developer, Developer, Developer, Tester, Ops Engineer and Ops Engineer across the stages Build, Unit Test, Integration Test, Dev Deploy, Test Deploy and Prod Deploy.)
Continuous Integration or release automation tooling implements role-based access control, whilst data can be made available across development environments.
Infrastructure, middleware and application deployments are repeatable using infrastructure-as-code playbooks, with the capacity to populate environments with obfuscated data at volumes a fraction of the production scale with Delphix.
Automated approval and deployment gates are incorporated into the pipeline here.
Incorporate compliant data agility mechanisms with Delphix at multiple stages of the SDLC.
“Real” data copies are extracted from production systems, obfuscated and stored in a staging area for environment loads, either through self-service test data or predefined automation recipes/playbooks.
Privacy by Design - DevOps vs GDPR
CONTINUOUS DELIVERY PIPELINE
DevOps Delivery Pipeline - Application, Data & Environment Alignment
Planning, Requirements & Analysis
Design & Development
Repositories & Management
Integration & Test
Implementation & Deployment
1. Developer accepts a defect, incident or requirement.
2. Developer pulls source code from the repository.
3. Developer pulls dependencies from the binary repository.
4. Source code changes are made in the local IDE. Run local code analytics.
5. Developer requests peer review approval or automated acceptance.
6. Source code commits are pushed to the central SCM/VCS.
7. Developer accepts the status of the defect, incident or requirement.
8. The build server detects changes in the VCS, pulls code and initiates a build. A successful compilation triggers automated tests.
9. The build server uses the build automation tools to push the generated artifacts and deployables to the binary repository.
10. Once the changes pass automated tests, they are assessed for quality through SonarQube checks.
(Tooling labels in the diagram: Defects, Incidents & Requirements; IDE; Dependency Management; Version Control; Code Quality; CI Server; Build Automation; Binary Repository.)
The Product Team / Squad works across the delivery pipeline, developing, orchestrating & testing, where required through automation, under the mantra of ACCOUNTABLE EMPOWERMENT.
Dependencies are pulled from the binary repository.
The deployment tools pull the artifacts and propagate them through the deployment environments across ST, SIT and Pre-Prod.
Continuous Delivery tools are used to orchestrate and manage the various parts of the delivery pipeline.
Environment management tools are used to provision environments and test data, under version control.
Quality Assurance tools are used to smoke test and secure the environment.
Environment Build - ST-SIT
We can create a coherent Privacy by Design, GDPR-compliant DevOps pipeline that ensures people have access to the right tooling to do their jobs, while ensuring the correct governance/compliance controls exist to enable secure access to customer data.
Data Management Today
(Diagram: a PRODUCTION stack of storage, RDBMS and app holding 1 TB of storage is copied, with the data moved, into NON-PRODUCTION DEV, TEST and STAGE stacks, each with its own storage, RDBMS and app: 3 TB of storage, weeks to provision/refresh.)
How It Works
STEP 1: Capture application data: a one-time copy of prod. (Diagram: the source, with 1 TB of storage, an RDBMS and the app, is captured by the Delphix virtual machine, which installs on any supported hypervisor and any storage; the captured copy occupies 0.3 TB, with Delphix storage < 1 TB.)
STEP 2: Continuously record unique, incremental changes. (Diagram: change points recorded at March 21 06:11am, March 22 12:43pm and March 22 08:41pm; still 0.3 TB.)
STEP 3: Share data blocks instead of duplicating data. (Diagram: DEV, TEST, STAGE and further environments, each with its own RDBMS and app, are all served from the same < 1 TB of Delphix storage holding the 0.3 TB of captured data.)
Change the Physics, Change the Game
(Diagram labels: Dev, Test, UAT, Reporting.)
▪ Have as many copies as you want without adding storage
▪ Access data in minutes instead of hours, days, or weeks
▪ Refresh from production at any time
▪ Rewind to any point in history
▪ Bookmark during a test and return to it in minutes
▪ Branch data at-will for troubleshooting, parallel projects
▪ Integrate with DevOps solutions to deliver environments on-demand
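How the three "How It Works" steps above (one-time capture, incremental change recording, block sharing) and the bookmark/rewind/branch bullets fit together, as an added toy model that is not Delphix's implementation: a content-addressed block store in which every snapshot and every environment copy is only a list of block references, so new storage is consumed only for blocks whose content actually changes. The block size, the sample "production" bytes and the snapshot labels are constructed for the example.

```python
"""Added example (constructed; not Delphix code): copy-on-write data virtualisation in miniature."""
import hashlib

BLOCK_SIZE = 4  # bytes; deliberately tiny so the sample data splits into several blocks


class BlockStore:
    """Content-addressed store: a block with a given hash is kept exactly once."""

    def __init__(self):
        self.blocks = {}  # sha256 hex digest -> block bytes

    def put(self, block: bytes) -> str:
        digest = hashlib.sha256(block).hexdigest()
        self.blocks.setdefault(digest, block)  # no-op if this content is already stored
        return digest

    def bytes_used(self) -> int:
        return sum(len(b) for b in self.blocks.values())


def split_blocks(data: bytes):
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class Source:
    """Steps 1 and 2: one-time capture, then incremental snapshots of the same source."""

    def __init__(self, store: BlockStore):
        self.store = store
        self.snapshots = {}  # label -> ordered list of block digests

    def snapshot(self, label: str, data: bytes) -> int:
        """Record a snapshot; returns how many blocks were genuinely new to the store."""
        before = len(self.store.blocks)
        self.snapshots[label] = [self.store.put(b) for b in split_blocks(data)]
        return len(self.store.blocks) - before


class VirtualCopy:
    """Step 3: an environment's copy is a list of block references, not a copy of the data."""

    def __init__(self, store: BlockStore, digests):
        self.store = store
        self.digests = list(digests)  # private reference list; siblings are unaffected by writes
        self.bookmarks = {}

    def read(self) -> bytes:
        return b"".join(self.store.blocks[d] for d in self.digests)

    def write(self, data: bytes):
        # Copy-on-write: only blocks whose content changed are added to the store.
        self.digests = [self.store.put(b) for b in split_blocks(data)]

    def bookmark(self, name: str):
        self.bookmarks[name] = list(self.digests)

    def rewind(self, name: str):
        self.digests = list(self.bookmarks[name])


def provision(source: Source, label: str) -> VirtualCopy:
    """Provision an environment from a snapshot: no data is moved, only references."""
    return VirtualCopy(source.store, source.snapshots[label])


def demo() -> dict:
    store = BlockStore()
    prod = Source(store)
    # Constructed sample "production" rows: 4-byte id followed by 4-byte name.
    day1 = b"ID01ALICID02BOB_ID03CAROID04DAVE"  # 32 bytes -> 8 blocks
    day2 = day1 + b"ID05EVE_"                  # one new row -> only 2 new blocks
    new1 = prod.snapshot("March 21 06:11am", day1)
    new2 = prod.snapshot("March 22 12:43pm", day2)

    dev = provision(prod, "March 22 12:43pm")
    test = provision(prod, "March 22 12:43pm")
    stage = provision(prod, "March 21 06:11am")

    dev.bookmark("before-change")
    dev.write(day2.replace(b"BOB_", b"ROB_"))  # one block changes -> 1 new block stored
    test_unchanged = test.read() == day2         # sibling environment sees no change
    dev.rewind("before-change")
    rewind_ok = dev.read() == day2

    # What full physical copies (two snapshots plus three environments) would have cost.
    naive = len(day1) + len(day2) + sum(len(copy.read()) for copy in (dev, test, stage))
    return {
        "new_blocks": (new1, new2),
        "physical_bytes": store.bytes_used(),
        "naive_bytes": naive,
        "test_unchanged": test_unchanged,
        "rewind_ok": rewind_ok,
        "stage_matches_day1": stage.read() == day1,
    }
```

With these inputs the store holds 44 bytes where naive copies would take 184, and the developer's change never reaches the test environment or the source, which is also what makes the rewind nothing more than swapping a reference list.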
Software appliance: any server, storage, cloud.
(Diagram: virtual databases at 10:27 A.M., 1:30 P.M. and 5:07 P.M.; timeline of 3 months ago, last Monday and today.)
© 2014 Delphix. All Rights Reserved. Private & Confidential.
Cloud, On-Premises, Partners
Next-gen data masking: easy to use, automatic profiling, referential integrity.
Embedded native masking
(Diagram: DEV 1 to N, TEST 1 to N and UAT 1 to N environments provisioned from virtual databases at 10:27 A.M., 1:30 P.M. and 5:07 P.M.; timeline of 3 months ago, last Monday and today.)
Full, Virtual, Self-Service Capability: Bookmark, Rewind, Refresh, Synchronize, Branch, Provision
✓ Mask Once ✓ Distribute Many ✓ Refresh Anytime
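An added example (not Delphix's masking engine or Contino's code) of the two properties named above, automatic profiling and referential integrity, together with "mask once, distribute many": sensitive columns are detected by value pattern and replaced with keyed HMAC-SHA256 pseudonyms, so a customer's email maps to the same token in every table and in every environment masked with the same key. The tables, column names, patterns and the key are constructed for the example.

```python
"""Added example (constructed): deterministic masking that keeps foreign keys consistent."""
import hashlib
import hmac
import re

# Constructed sample "production" tables; the people are fictitious.
CUSTOMERS = [
    {"customer_id": 101, "name": "Alice Example", "email": "alice@example.org", "phone": "+44 7700 900123"},
    {"customer_id": 102, "name": "Bob Example", "email": "bob@example.org", "phone": "+44 7700 900456"},
]
# ORDERS references CUSTOMERS by email, so both tables must be masked identically.
ORDERS = [
    {"order_id": 1, "customer_email": "alice@example.org", "amount": 42.0},
    {"order_id": 2, "customer_email": "bob@example.org", "amount": 17.5},
    {"order_id": 3, "customer_email": "alice@example.org", "amount": 9.99},
]

# Automatic profiling: value patterns that mark a column as sensitive (constructed, simplified).
PROFILES = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s-]{7,}$"),
}


def profile(rows):
    """Return {column: kind} for every column whose values all match a sensitive pattern."""
    found = {}
    for col in rows[0]:
        values = [str(row[col]) for row in rows]
        for kind, pattern in PROFILES.items():
            if all(pattern.match(v) for v in values):
                found[col] = kind
    return found


def mask_value(key: bytes, kind: str, value: str) -> str:
    """Keyed, deterministic pseudonym: the same input always yields the same output
    under the same key, which is what keeps foreign keys consistent across tables."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if kind == "email":
        return f"user-{tag[:10]}@masked.invalid"
    if kind == "phone":
        return "+00 " + str(int(tag[:8], 16) % 10**9).zfill(9)
    if kind == "name":
        return f"Person {tag[:6].upper()}"
    return tag[:16]


def mask_table(key: bytes, rows, rules):
    """Apply the column rules to every row; columns without a rule are copied as-is."""
    return [
        {col: (mask_value(key, rules[col], str(val)) if col in rules else val) for col, val in row.items()}
        for row in rows
    ]


def mask_dataset(key: bytes):
    """Mask once: profile both tables, add a manual rule for free-text names, then mask."""
    customer_rules = profile(CUSTOMERS)
    customer_rules["name"] = "name"  # free text the pattern profiler cannot detect; declared by hand
    order_rules = profile(ORDERS)
    return mask_table(key, CUSTOMERS, customer_rules), mask_table(key, ORDERS, order_rules)


def referential_integrity(customers, orders) -> bool:
    """Every masked order must still point at a customer present in the masked table."""
    emails = {c["email"] for c in customers}
    return all(o["customer_email"] in emails for o in orders)


def leaks_original(customers, orders) -> bool:
    """True if any original email or phone value survived masking."""
    originals = {c["email"] for c in CUSTOMERS} | {c["phone"] for c in CUSTOMERS}
    masked = ({c["email"] for c in customers} | {c["phone"] for c in customers}
              | {o["customer_email"] for o in orders})
    return bool(originals & masked)
```

Because the output depends on the key, the masked copy can be distributed to any number of DEV, TEST and UAT environments without them ever holding the original values; the key itself stays with the masking stage on the production side and is never shipped with the masked data, since anyone holding it could confirm guesses of low-entropy values such as email addresses by recomputing the tags.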
But what is the value to your organisation?
Masking: We reduce the surface area for data leakage risk by up to 80% and enable GDPR compliance.
Faster Environments: By utilising AWS-hosted environments, customers can build environments in ten minutes, as opposed to waiting days or weeks.
Faster Test Data: The framework can capture production data, obfuscate it and deploy it into an environment in under four minutes, as opposed to 8-hour dump-and-load times. Not to mention the 10-day lead time for requesting data!
Self Service: Our framework has self-service controls to break down data lead times and ensure compliance, with end-to-end traceability.
Environment Visibility: Our delivery pipeline is fully configuration-managed, so we can see who did what, and when, to satisfy regulatory controls and compliance needs.
Business Value Indicators
90% Faster, 90% Faster, Self Service, Full Traceability, 80% Less Risk
2% or £10M: the amount of Global Turnover organisations will be fined if they fail to comply with GDPR at the first audit.
4% or £20M: the amount of Global Turnover organisations will be fined if they fail to comply with GDPR at the second audit.
Get your house in order and your organisation will also avoid huge penalties!
By combining the powers of Continuum, Cloud and Delphix we help customers get compliant, whilst cutting cost and accelerating application delivery time to market.
What have we spoken about today?
Regulation, regulation, regulation: We have covered the necessity for your organisation to comply with regulatory controls, whilst providing insight into how DevOps can help with this.
GDPR Impact: We have covered the key elements of GDPR and its implications for organisations trading within the EU.
The DevOps Fightback: We have given substance to how DevOps can help you fight back against GDPR and become more agile in the process.
Privacy by Design: We have provided an overview of what an end-to-end “Privacy by Design” DevOps pipeline looks like.
Mask your data: Adam Bowen has demonstrated the power of Delphix’s data virtualization & masking capability, so that your organisation can remain GDPR compliant.
What next for your organisation?
Please feel free to request a demonstration of Continuum or Delphix to understand how both solutions can help you address GDPR legislation, whilst adopting DevOps and the Cloud!
We are also working together to execute complimentary GDPR readiness workshops. Feel free to contact Ben or Adam to learn more.
If you want to learn more about GDPR, visit the Delphix website HERE
Stay tuned for more joint webinars over the coming months. We are jointly developing a tightly integrated delivery framework. If you want to road test Delphix, you can now gain access to an engine on the AWS marketplace.
Please feel free to connect with either Ben or Adam on LinkedIn should you have some follow up questions. You can also email us: [email protected] [email protected]
CLOSING THOUGHTS…..
Accountable Empowerment - DevOps, Cloud & Data Agility
It is possible to kill three birds with one stone. By addressing regulatory & compliance controls, your organisation can accelerate delivery by unshackling itself from monolithic infrastructure and antiquated processes: implement an integrated DevOps pipeline such as Continuum, leverage cloud-hosted environments and apply data masking capabilities with Delphix to address GDPR.
Three Birds One Stone… That One Stone is the combination of Continuum, Delphix and AWS.
A fully integrated cloud ready Continuous Delivery pipeline that is highly secure in AWS.
A Virtual Data & Masking solution that enables data agility, without adding risk to your organisation.
Transformation, Regulation & Compliance
Continuous Delivery for Consistent Environments
Data Masking for GDPR Coverage
DevOps, Data Agility, Cloud
QUESTIONS?