Ready for the GDPR data protection law? No Panic!
ROME 24-25 MARCH 2017
Domenico Maracci, Stefano Sali
1 > What is GDPR
2 > Highlights & Key Impacts
3 > How to approach GDPR from a secure, IT Developer perspective
4 > Q&A
GDPR General Data Protection Regulation 2016/679
• Replaces the original Data Protection Directive (95/46/EC) with a regulation that applies directly as law
• A single set of rules will apply to all EU member states
REGULATION vs DIRECTIVE: What is the difference between a Regulation (e.g. GDPR) and a Directive (e.g. PSD2)?
DIRECTIVE: A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
REGULATION: A "regulation" is a binding legislative act. It must be applied in its entirety across the EU.
PRIMARY OBJECTIVES OF GDPR
DATA SUBJECTS' RIGHTS: to give citizens back control of their personal data
HARMONISATION: to simplify the regulatory environment for international business by unifying the regulation within the EU
GDPR DEFINITIONS: PERSONAL DATA
• Any information relating to an identified or identifiable natural person (the 'data subject'); an identifiable person is one who can be identified, directly or indirectly, by reference to e.g.:
o Name
o ID number
o Location or address
o Physical characteristics (gender, colour, age, stature etc.)
o Genetic data (inherited or acquired characteristics), health data (HPII), race
o Physiological characteristics (disability, mental health)
o Economic, creed (religious) or social identity
• May include online identifiers such as IP addresses and cookies if they can be linked back to the data subject.
• No distinction between personal data about individuals in their private, public or work roles
GDPR DEFINITIONS: PERSONAL DATA BREACH
A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data controllers must notify most data breaches to the supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of them; a reasoned justification must be provided if this timeframe is not met (Art. 33). Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected data subjects without undue delay (Art. 34).
GDPR FINES: ARTICLE 83
The GDPR establishes a tiered approach to administrative fines which enables the DPAs to impose fines of up to 20M€ or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements, including the inability to demonstrate compliance (Art. 83).
Territorial Reach
The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (Art. 3(1)). It also applies to controllers and processors established outside the Union when they offer goods or services to, or monitor the behaviour of, data subjects in the Union (Art. 3(2)).
Accountability
Excerpt: Article 5.1(f) needs to be taken into account because it literally states: "Personal data should be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality')."
Rights of the data subject
Excerpt: One of the most important topics included in this Regulation is a chapter devoted to the rights of the data subject. The bar has been raised and new rights have been included that will profoundly impact the way IT will need to process and control personal data. While the traditional rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17) and objection (Art. 21) remain largely the same, a new right has been added, the right to data portability (Art. 20); the right to erasure has been extended with the concept of the right to be forgotten (Art. 17); and a right to restriction of processing has been included (Art. 18).
Data Protection by Design and by Default
Art. 25(2): "The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons." In addition, Article 30 mandates keeping records of processing activities.
KEY IMPACTS FOR IT ORGANIZATIONS: A FEW WORDS TO REVIEW
1. DISCOVER PERSONAL DATA ACROSS YOUR ORGANIZATION AND PROTECT THEM FROM UNAUTHORIZED ACCESS
2. CENTRALIZE USER IDENTITY MANAGEMENT AND ACCESS CONTROL, IN PARTICULAR (BUT NOT EXCLUSIVELY) FOR PRIVILEGED USERS
3. MANAGE AND OPTIMIZE THE USE OF TEST DATA IN YOUR SOFTWARE DEVELOPMENT LIFECYCLE AND CONSIDER IMPLEMENTING SYNTHETIC DATA GENERATION
4. EXPOSE PERSONAL DATA TO THE DATA SUBJECT IN A SECURE AND AUDITABLE WAY
HOW TO APPROACH GDPR FROM AN IT SECURITY PERSPECTIVE
• Technical approach to GDPR
• Tools useful for Application Developers
• Demo
[Charts from the Verizon DBIR 2016: time taken to compromise and exfiltrate; types of attacks; vulnerability count; issues reported before a product release]
SECURITY BY DESIGN / BY DEFAULT
• Static Code Analysis on Dev. Workstations
• Static Code Analysis on Scrum Delivery
• Penetration Test on Program Increment Delivery
• Penetration Test after Code Freeze
• Penetration Test: SI/GA SaaS solution
Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves the security of applications from inception through production so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble as well as the components they integrate into their environments.
Veracode seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production. This comprehensive solution is managed through one centralized platform and stems from a powerful combination of best-in-class technology and top-notch security experts who offer remediation coaching and guidance on processes.
COMING SOON …
MANAGE TEST DATA IN THE SDLC
It will be much harder to use production data for testing and development.
The GDPR strengthens existing legislation forbidding the use of personal data for purposes other than those for which it was collected.
Data can only be used if:
• explicit consent has been given for its use for the specific purpose;
• it is necessary for legal purposes (e.g. to fulfil a contract, or to protect the subject's vital interests);
• it is necessary for the public interest, or for a legitimate interest of the controller.
Data shall not be retained beyond the minimum necessary, in terms of the amount of data and the duration of its storage, and shall not be made accessible to an indefinite number of individuals.
Anonymisation and Pseudonymisation
Excerpt: Data can only be used if explicit consent has been given for its use for the specific purpose, if it is necessary for legal purposes (e.g. to fulfil a contract, or to protect the subject's vital interests), if it is necessary for the public interest, or for a legitimate interest of the controller. Organizations therefore need to mask personal data and other sensitive data, or work from a sub-set of production data, for testing. Note that pseudonymised data (data that can be re-linked to the subject with additional information held separately, Art. 4(5)) is still personal data under the GDPR; only properly anonymised data falls outside it. To realize the full benefits of better test data management you must strongly consider implementing synthetic data generation, as well as reviewing how test data are stored, managed and provisioned.
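The distinction between masking, pseudonymisation and synthetic generation is easiest to see in code. The following is an added example written for this page, not CA Test Data Manager code or the speakers' demo. It takes a constructed two-table production extract (customers and orders), pseudonymises the customer key with a keyed HMAC so that foreign keys still join across tables, substitutes names and e-mail addresses, masks phone numbers while preserving their format, generalises IP addresses to their /24, and finally generates fully synthetic rows that have no production origin at all. The sample rows, the name pools and the demo key are all constructed; in practice the key belongs in a secret store, because whoever holds it can re-identify the pseudonymised rows, which is exactly why such output is still personal data under Art. 4(5).

```python
"""Pseudonymise a production extract for test/dev use (added example).

Constructed sample rows and a constructed key; no real data. Shows three
distinct techniques: keyed pseudonymisation (reversible with the key),
generalisation (not reversible) and fully synthetic generation (no origin).
"""
import hashlib
import hmac
import ipaddress
import random
import re

# Constructed sample data standing in for a production extract.
CUSTOMERS = [
    {"customer_id": "C-10001", "name": "Giulia Bianchi", "email": "giulia.bianchi@example.com",
     "phone": "+39 333 1234567", "last_ip": "198.51.100.23"},
    {"customer_id": "C-10002", "name": "Marco Rossi", "email": "m.rossi@example.org",
     "phone": "+39 347 7654321", "last_ip": "203.0.113.9"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C-10001", "amount": 42.50},
    {"order_id": "O-2", "customer_id": "C-10001", "amount": 13.00},
    {"order_id": "O-3", "customer_id": "C-10002", "amount": 99.99},
]

# Substitution pools (constructed).
FIRST_NAMES = ["Anna", "Luca", "Sara", "Paolo", "Elena", "Davide"]
LAST_NAMES = ["Verdi", "Ferrari", "Russo", "Romano", "Conti", "Greco"]


def pseudonym(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Keyed HMAC-SHA256 over (field, value), truncated to a hex token.

    Same key + same input -> same token, so foreign keys keep joining across
    tables. Without the key the token can neither be reversed nor recomputed
    from a guessed value, which is what separates this from a plain hash.
    """
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def _rng_for(key: bytes, field: str, value: str) -> random.Random:
    """Deterministic PRNG seeded from the pseudonym, used to pick substitutes."""
    return random.Random(int(pseudonym(key, field, value, 16), 16))


def mask_phone(key: bytes, phone: str) -> str:
    """Format-preserving masking: keep country code, spacing and length,
    replace every subscriber digit with a keyed pseudo-random digit."""
    rng = _rng_for(key, "phone", phone)
    m = re.match(r"^(\+\d{1,3})(.*)$", phone)
    prefix, rest = (m.group(1), m.group(2)) if m else ("", phone)
    masked = "".join(str(rng.randrange(10)) if ch.isdigit() else ch for ch in rest)
    return prefix + masked


def generalise_ip(ip: str) -> str:
    """Truncate to the /24 (IPv4) or /48 (IPv6) network address. This is
    generalisation: irreversible, but the row no longer names one host."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def mask_customer(key: bytes, row: dict) -> dict:
    rng = _rng_for(key, "name", row["customer_id"])
    token = pseudonym(key, "customer_id", row["customer_id"])
    return {
        "customer_id": token,
        "name": f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}",
        # .invalid is reserved (RFC 2606): masked mail can never reach a real inbox.
        "email": f"user-{token[:8]}@example.invalid",
        "phone": mask_phone(key, row["phone"]),
        "last_ip": generalise_ip(row["last_ip"]),
    }


def mask_order(key: bytes, row: dict) -> dict:
    # Only the foreign key is personal data here; amounts are kept as they are.
    return {**row, "customer_id": pseudonym(key, "customer_id", row["customer_id"])}


def mask_extract(key: bytes, customers: list, orders: list) -> tuple:
    """Mask both tables with one key so customer_id still joins them."""
    return [mask_customer(key, c) for c in customers], [mask_order(key, o) for o in orders]


def synthetic_customers(seed: int, n: int) -> list:
    """Fully synthetic rows: no production origin, hence no personal data.
    A fixed seed makes the data set reproducible between test runs."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        rows.append({
            "customer_id": f"S-{i:05d}",
            "name": f"{first} {last}",
            "email": f"{first.lower()}.{last.lower()}{i}@example.invalid",
            "phone": "+39 3" + "".join(str(rng.randrange(10)) for _ in range(9)),
            "last_ip": f"198.51.100.{rng.randrange(256)}",
        })
    return rows


def leaks_original_pii(masked_rows: list, original_rows: list,
                       fields=("name", "email", "phone", "customer_id")) -> bool:
    """Pre-shipment check: does any masked value equal an original one?"""
    originals = {r[f] for r in original_rows for f in fields if f in r}
    return any(r[f] in originals for r in masked_rows for f in fields if f in r)


if __name__ == "__main__":
    key = b"demo-key-keep-in-a-vault-not-in-git"  # constructed demo key
    mc, mo = mask_extract(key, CUSTOMERS, ORDERS)
    for r in mc + mo:
        print(r)
    print("leak:", leaks_original_pii(mc, CUSTOMERS))
```

Run as a script it prints the masked tables; the `leaks_original_pii` check is the minimum gate before a masked extract leaves the production zone. Note what each technique buys: the HMAC tokens keep the orders joinable to their customer but remain re-identifiable by the key holder, the /24 truncation destroys information for good, and the synthetic rows need no masking at all because nothing in them ever came from a data subject.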
Innovate or Die: a new approach should be taken in order to take into account acceleration and agile practice.
WHY PRODUCTION DATA DOESN'T DO THE JOB
RISKY
• Sensitive data is stored inconsistently
• Complexity of masking everything
SLOW
• Few refreshes per year
• Manual masking and in-house tools/processes are slow and error-prone
INEFFECTIVE
• 10-20% test coverage
• No negative tests or future features
SYNTHETIC DATA GENERATION IS THE SOLUTION
[CA Test Data Manager architecture diagram: Production Data / Files (XML, XLS, SQL, CSV, HTML, TXT files, API, FD, NoSQL) → Secure Data Subsets → Test Data Warehouse (Data Model, Generation, Substitution Variables, Combinable Functions, Bulking Scripts) → Test/Dev Environments]
Domenico Maracci, Principal Consultant, Application Delivery, CA [email protected]
Stefano Sali, Senior Principal Consultant Security, CA [email protected]
@CA_Italy
Slideshare.net/CAInc
Linkedin.com/company/ca-technologies
ca.com/it