EU GDPR and Security Compliance for the DBA Santa Clara, California - - PowerPoint PPT Presentation



SLIDE 1

Santa Clara, California | April 23rd – 25th, 2018

EU GDPR and Security Compliance for the DBA

SLIDE 2

Meet Your Presenters

Tyler Duzan

  • Product Manager for MySQL Software at Percona
  • Prior to joining Percona was an Operations Engineer for more than twelve years
  • Background in security and compliance, specifically PCI, HIPAA/HITECH, HITRUST, SOC, and FEDRAMP & FISMA

Jeff Sandstrom

  • Product Manager for MongoDB Software at Percona
  • Jeff has been a Product Manager for over ten years, first in the contact center space, then enterprise voice, and now open source databases. He's a business nerd who loves tech.

SLIDE 3

Disclaimer

  • We are not Attorneys, we are Product Managers
  • Nothing within this presentation should be construed as legal advice
  • You should consult with an attorney to understand and mitigate any compliance risk for your organization
  • This presentation is not all-inclusive; we are discussing specific selected Articles of the GDPR we think are especially relevant

SLIDE 4

Outline

  • 1. General Overview of Compliance
  • 2. GDPR Key Terminology
  • 3. EU GDPR Articles a DBA Should Know
    • Article Overview
    • Articles of Particular Interest to DBAs
    • Deep Dive into Article 17, Article 25, Articles 32-35, and Article 44
  • 4. How Does Percona Software Help to Solve This?
  • 5. Open Questions for DBAs to Consider
  • 6. Q&A

SLIDE 5

General Overview of Compliance

SLIDE 6

Compliance Objectives

  • Build a secure infrastructure and know where sensitive data resides
  • Implement consistent security and data-handling standards across the enterprise
  • Design and implement effective controls for access to sensitive data
  • Provide a pathway to audit the organization
  • Reduce risk to the organization from data breaches
  • Protect your customers and partners who have entrusted you
  • Protect shareholder value

SLIDE 7

Why Compliance Matters to the DBA

  • Datastores across the enterprise may likely contain sensitive data
  • Databases are a primary target for malicious actors attempting a data breach
  • Most compliance regulations specifically prescribe methods and techniques that must be used for datastores
  • The DBA is often the primary responsible party for implementing compliance controls and technical measures for protecting data

SLIDE 8

How Has Compliance Changed?

  • Compliance regulations began by targeting specific industry verticals such as healthcare, finance, and government.
  • The focus of early compliance was really on mitigating broad organizational risk, typically when handling data that had large financial risk implications or national security implications
  • Later compliance regulations began focusing on the safety of consumer data as technology became integral to our daily existence
  • Many of these regulations limited coverage to situations where the consumer might be directly financially impacted by a breach and where a clear and direct customer relationship existed

SLIDE 9

How Has Compliance Changed?

  • Lately compliance regulations have shifted because of a shifting environment both in technology and economics.
  • Current compliance regulations must take into account the existence of cloud providers, the ubiquity of Software-as-a-Service (SaaS) applications for both businesses and consumers, and the rise of sophisticated attacks.
  • We now exist in a world where great harm can be caused at scale using data that was previously thought to be innocuous. Many of these are first-of-their-kind attacks.
  • EU GDPR seeks to address many of these concerns by emphasizing that fundamental ownership of data resides with the person whom that data is about.

SLIDE 10

GDPR Key Terminology

SLIDE 11

Terminology

  • Data Controller
    • The entity that is determining the purposes and means of processing the data.
    • Example: A social media application collecting user information, a manufacturing company collecting personal data about employees, etc.
  • Data Processor
    • The entity that processes data on behalf of the Data Controller.
    • Example: A payroll company that is issuing paychecks for a manufacturing company’s employees, a cloud service provider storing personal data
  • Data Processing
    • Any automated or partially automated operation performed on personal data

SLIDE 12

Terminology

  • Data Subject
    • A natural person whose personal data is processed by a Controller or Processor
  • Personal Data
    • Any information that can directly or indirectly identify the Data Subject
    • Examples:
      • Biometric data
      • Health data
      • Online identifiers
      • Geolocation data
      • PII (name, address, government ID number, etc)
  • Profiling
    • Any data processing intended to evaluate, analyze, or predict the behavior of a Data Subject

SLIDE 13

GDPR Articles DBAs Should Know

SLIDE 14

GDPR Articles Overview

  • Chapter 1: General Provisions
    • Articles 1-4
  • Chapter 2: Principles
    • Articles 5-11
  • Chapter 3: Rights of the Data Subject
    • Articles 12-23
  • Chapter 4: Controller and Processor
    • Articles 24-43
  • Chapter 5: Transfer of personal data to third countries or international organizations
    • Articles 44-50
  • Chapter 6: Independent Supervisory Authorities
    • Articles 51-59
  • Chapter 7: Cooperation and Consistency
    • Articles 60-76

SLIDE 15

GDPR Articles Overview

  • Chapter 8: Remedies, Liabilities, and Sanctions
    • Articles 77-84
  • Chapter 9: Provisions relating to specific data processing situations
    • Articles 85-91
  • Chapter 10: Delegated Acts and Implementing Acts
    • Articles 92 & 93
  • Chapter 11: Final Provisions
    • Articles 94-99

SLIDE 16

Articles of Particular Interest to DBAs

  • Article 17
    • “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
  • Article 25
    • Data protection by design and by default
  • Article 32
    • Security of data processing
  • Article 33 & 34
    • Notification of a personal data breach to the supervisory authority
    • Communication of a personal data breach to the data subject
  • Article 35
    • Data protection impact assessment
  • Article 44
    • General principles for transfers

SLIDE 17

General Areas of Concern in GDPR

  • Change Management
  • Data Discovery and Classification
  • Environmental Evaluation
  • Establishing Appropriate Internal Processes
  • Auditability
  • Internally defining ethical walls
  • Tracking location of data by user / Data Mapping

SLIDE 18

Article 17

  • Establishes a legislative structure which places ownership of data with the Data Subject
  • Establishes the “Right to be Forgotten” as EU Law
    • “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”.
  • Expands deletion requirements to now include the obligation for the Data Controller to inform anyone else who has the Personal Data when a deletion request is received, extending to Data Processors or copies of that data

SLIDE 19

Article 25

  • Enshrines the concept of data protection by design and default
  • Requires that controls must be in place to ensure that
    • Personal Data cannot be attributed to an identified or identifiable Data Subject
    • Only the Personal Data necessary for a specific purpose can be processed
    • Only the Personal Data necessary for a specific purpose is collected
    • Data that is no longer needed should be deleted
  • Strongly implies specific technical requirements, which in some cases are defined elsewhere
    • Data minimization, data masking, data pseudonymization
    • Implementing strict ethical walls and access controls within your organization for seeing Personal Data
    • Utilizing best practice methods for protecting Personal Data when stored

SLIDE 20

Article 32

  • Requires both Data Controllers and Data Processors to implement certain technical and organizational measures
  • These measures help to prescribe how to handle the philosophical basis of EU GDPR
  • Technical examples
    • Encryption for data that is both “at rest” and “in motion”
    • Monitoring and auditing access to Personal Data
    • Data masking for applications which access Personal Data
  • Organizational examples
    • Maintaining data accessibility and planning for a response to a breach
    • Testing and evaluating the effectiveness of your controls
    • Auditability of your environment

SLIDE 21

Article 33 and 34

  • Establishes the requirements for informing regulators (Supervisory Authority) and users (Data Subjects) when a breach occurs
  • Data Controllers must inform the appropriate Supervisory Authority within 72 hours of a data breach occurring or provide a substantial reason for any delay
  • Data Processors must notify Data Controllers immediately as soon as they become aware of a breach
  • If a data breach presents risk to users, Data Controllers and Data Processors must individually notify affected Data Subjects, without undue delay.
  • If it’s not possible to provide all required information initially, it can be provided in phases through multiple notifications

SLIDE 22

Article 35

  • Establishes and defines the Data Protection Impact Assessment (DPIA)
  • Data Controllers must perform a DPIA whenever a new processing operation or technology is proposed
  • The Data Protection Impact Assessment must at minimum include the following documented items:
    • A description of the new processing operation or technology and its purpose, as well as a justification of its necessity relative to that defined purpose.
    • An assessment of the potential risks to the rights and freedoms of Data Subjects
    • A description of the proposed measures to mitigate the risks to the Data Subjects
    • A description of proposed data safeguards and security measures

SLIDE 23

Article 44

  • Prohibits the transfer of Personal Data outside the EU, unless the recipient can prove it provides adequate data protection.
  • Requires the Data Controller or Data Processor to be responsible for verifying that the data protection requirements are met by any partners or vendors outside the EU.
  • Articles 45-49 define the methods for acceptable proof of adequate data protection
    • The European Commission can declare a territory or country to provide adequate protections, thus “whitelisting” it.
    • The Privacy Shield Framework in the US allows companies to self-certify to the US Department of Commerce to be in compliance and has force of law.

SLIDE 24

How Percona Software Helps to Solve This

SLIDE 25

Encryption Capabilities

  • Percona Server for MySQL and PXC both provide for encryption functionality
    • Vault keyring plugin for centralized encryption key management
    • Binlog encryption
    • InnoDB general tablespace encryption
    • InnoDB file-per-table encryption (community TE)
    • Upcoming additional features (undo log, redo log, …)
  • Percona Server for MongoDB has WiredTiger encryption on the roadmap
  • OS-level Full Disk Encryption (FDE) is datastore agnostic

SLIDE 26

Authentication Capabilities

  • Percona Server for MySQL and PXC both provide support for PAM authentication, which allows arbitrary PAM plugins to provide authentication facilities
    • Allows LDAP or Kerberos integration
    • Allows integration of 2FA
  • Percona Server for MongoDB provides native support for LDAP authentication as well as X509 based authentication

SLIDE 27

Auditing Capabilities

  • Percona Server for MySQL and PXC both provide numerous enhanced informational capabilities to make auditing easier
    • Audit Log plugin
    • Extended SHOW GRANTS
    • Changed Page Tracking
    • User Statistics
  • Percona Server for MongoDB has built in audit log capabilities, along with log redaction functionality.
    • Tracks system events, can be configured with filters.
    • Tracks schema changes, authN/authZ events, cluster membership events, and can track CRUD operations

SLIDE 28

Monitoring Capabilities

  • Percona Server for MySQL and PXC include significant improvements in additional instrumentation to assist in monitoring the database and establishing baselines for heuristic analysis
    • Additional INFORMATION_SCHEMA tables
    • Enhancements to PERFORMANCE_SCHEMA
    • Large numbers of additional performance counters
    • User Statistics
  • Percona Server for MongoDB adds enhanced instrumentation and improved query profiling capabilities
  • Percona Monitoring and Management provides a complete monitoring solution for MySQL and MongoDB, including query analytics

SLIDE 29

Data Control Capabilities

  • Percona Server for MongoDB adds in the ability to perform log redactions
  • Percona Server for MySQL and PXC provide encryption capabilities
  • ProxySQL as a component of the overall PXC solution allows for implementation of data masking

SLIDE 30

Open Questions for DBAs to Consider

SLIDE 31

Article 17

  • How do you ensure all Personal Data is deleted when a delete is issued?
    • Foreign Key Constraints / Cascade Delete
    • Binlog, Redo log, Undo log, etc. contents
    • Content of backups
  • How do you relate Personal Data across disparate datastores as it relates to a single Data Subject?
    • Data discovery systems?
    • Externally indexing data?
  • How do you identify other entities that may have received a copy of the Personal Data?
    • Tracing transfers to Data Processors by Data Subject
    • Tracking scraping of Personal Data from public pages
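
The first Article 17 question above, "how do you ensure all Personal Data is deleted when a delete is issued," is answerable only if every table that links to a Data Subject is enumerated and checked. The following is an added example, not code from the presentation or from Percona: it audits a schema for foreign keys that point at the subject table but do not cascade, then runs an erasure and measures what is left behind. The schema, sample rows and the SQLite database are constructed for the example; MySQL/InnoDB applies ON DELETE actions the same way, and the `PRAGMA foreign_key_list` inspection would be replaced by a query against `INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS` there. Cascading deletes never reach the binlog, redo/undo logs or backups listed on the slide; those still need their own retention handling.

```python
import sqlite3

# Constructed schema standing in for an application database. SQLite is used so
# the example runs offline; MySQL/InnoDB honours ON DELETE actions the same way.
SCHEMA = """
CREATE TABLE subject (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE address (
    id INTEGER PRIMARY KEY,
    subject_id INTEGER NOT NULL REFERENCES subject(id) ON DELETE CASCADE,
    city TEXT
);
CREATE TABLE login_event (
    id INTEGER PRIMARY KEY,
    subject_id INTEGER NOT NULL REFERENCES subject(id) ON DELETE CASCADE,
    ip TEXT
);
-- Gap: SET NULL unlinks the ticket but leaves its body (which may quote the
-- subject's name or address) in place, orphaned and no longer findable by id.
CREATE TABLE support_ticket (
    id INTEGER PRIMARY KEY,
    subject_id INTEGER REFERENCES subject(id) ON DELETE SET NULL,
    body TEXT
);
"""


def open_db():
    """Create the constructed database with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions without this
    conn.executescript(SCHEMA)
    conn.executescript("""
        INSERT INTO subject VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
        INSERT INTO address VALUES (1, 1, 'Lyon'), (2, 2, 'Rome');
        INSERT INTO login_event VALUES (1, 1, '192.0.2.10'), (2, 1, '192.0.2.11');
        INSERT INTO support_ticket VALUES (1, 1, 'Alice asked to change her address in Lyon');
    """)
    return conn


def find_erasure_gaps(conn, parent="subject"):
    """Return (table, column, on_delete) for every foreign key that points at
    `parent` but does not cascade: rows an erasure request would leave behind."""
    gaps = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name != ?", (parent,))]
    for table in tables:
        # foreign_key_list columns: id, seq, table, from, to, on_update, on_delete, match
        for fk in conn.execute(f"PRAGMA foreign_key_list({table})"):
            if fk[2] == parent and fk[6] != "CASCADE":
                gaps.append((table, fk[3], fk[6]))
    return gaps


def erase_subject(conn, subject_id):
    """Delete the subject row, then count what still refers to the subject in each
    child table, so the residue of the erasure is measured rather than assumed."""
    conn.execute("DELETE FROM subject WHERE id = ?", (subject_id,))
    conn.commit()
    residue = {}
    for table in ("address", "login_event"):
        residue[table] = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE subject_id = ?", (subject_id,)).fetchone()[0]
    # Orphans: rows whose link was nulled instead of deleted.
    residue["support_ticket_orphans"] = conn.execute(
        "SELECT COUNT(*) FROM support_ticket WHERE subject_id IS NULL").fetchone()[0]
    return residue


if __name__ == "__main__":
    db = open_db()
    print("non-cascading links to subject:", find_erasure_gaps(db))
    print("residue after erasing subject 1:", erase_subject(db, 1))
```

Running the audit before the erasure is the point: `find_erasure_gaps` flags `support_ticket` up front, and `erase_subject` then confirms that one orphaned ticket body survives the delete, which is exactly the row a "Right to be Forgotten" review would have missed.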

SLIDE 32

Article 25

  • How do you use technology to help enforce ethical walls in your organization?
    • Separating data by purpose using access controls to prevent crossing boundaries
  • What methods are appropriate to limit DBA access or monitor DBA access to ensure compliance?
    • Audit log of database activity
    • Monitoring logins to the system and alerting on them when done by a non-automated user
  • How can you most effectively implement data masking in your application stack?
    • Utilizing data masking at the query routing layer, implementing row level access controls, restricting access to the database to only application users
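
Slide 19 names data minimization, masking and pseudonymization as the technical measures Article 25 implies, and the question above asks how to put masking into the application stack. The following is an added example, not code from the presentation or from Percona, showing the three together: a keyed pseudonym so analytics can join and count records without holding the identifier, display masks for email and ID numbers, and a per-purpose projection that hands each application component only the fields its purpose allows. The key, the purpose-to-field policy and the sample record are constructed for the example; in practice the key lives in a keyring or Vault, and the projection would be enforced by views or a masking proxy rather than in Python.

```python
import hashlib
import hmac
import re

# Constructed key; in practice it is held in a keyring/Vault, never in code or in the
# database that stores the pseudonyms (otherwise the pseudonyms are reversible in place).
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Constructed policy: which fields each processing purpose may receive
# (Article 25: only the Personal Data necessary for a specific purpose).
PURPOSE_FIELDS = {
    "billing":   {"email", "postal_address"},
    "analytics": {"pseudonym", "country", "signup_year"},
    "support":   {"email_masked", "name"},
}


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: equal identifiers map to equal outputs, so
    records can still be joined, but without the key the value cannot be attributed
    to a Data Subject. An unkeyed hash would not do: email addresses are cheap to
    enumerate and hash, so plain SHA-256 is reversible by lookup."""
    normalised = identifier.strip().lower().encode()
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "ps_" + digest[:32]


def mask_email(email: str) -> str:
    """Display mask keeping the first character and the domain: 'alice@example.com' -> 'a****@example.com'."""
    local, _, domain = email.partition("@")
    return local[:1] + "****@" + domain


def mask_id_number(value: str) -> str:
    """Keep only the last four characters of a government ID number."""
    return re.sub(r".(?=.{4})", "*", value)


def project_for_purpose(record: dict, purpose: str) -> dict:
    """Build the minimised view one application component gets for one purpose.
    Derived fields are computed first so a purpose can be given a pseudonym or a
    mask instead of the raw value."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no field policy for purpose {purpose!r}")
    derived = {
        "pseudonym": pseudonymize(record["email"]),
        "email_masked": mask_email(record["email"]),
        "signup_year": record["signup_date"][:4],
    }
    full = {**record, **derived}
    return {k: v for k, v in full.items() if k in PURPOSE_FIELDS[purpose]}


# Constructed sample record.
SAMPLE = {
    "email": "Alice@Example.com",
    "name": "Alice",
    "postal_address": "1 Rue Example, Lyon",
    "country": "FR",
    "signup_date": "2017-03-02",
    "gov_id": "AB123456",
}

if __name__ == "__main__":
    for purpose in PURPOSE_FIELDS:
        print(purpose, project_for_purpose(SAMPLE, purpose))
    print("masked id:", mask_id_number(SAMPLE["gov_id"]))
```

The analytics projection never contains the email, only `ps_…`, and the support projection gets a masked address; `gov_id` reaches nobody because no purpose lists it, which is the default the policy should have.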


SLIDE 33

Article 32

  • Does your organization have the capabilities today to allow for proper PKI?
    • Utilizing TLS for client to database connections via enterprise CA
  • How do you track the purpose for data and enforce limits for access and collection at a technical level?
    • Data classification systems
    • Break databases up by data purpose and enforce access controls
  • Long-term data storage becomes a compliance liability; how do you effectively enforce technical limits on data lifetime?
    • Tracking backups and their contents
    • Setting a TTL on data at ingest
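
"Setting a TTL on data at ingest" means the expiry is decided when the row is written, from the purpose it was collected for, rather than by a clean-up decision made later. The following is an added example, not code from the presentation or from Percona: each row is stored with an `expires_at` derived from a per-purpose retention table, a purge job deletes everything past expiry and returns counts per purpose for the audit trail, and an `overdue` check reports rows that should already be gone. The retention periods, the schema and the SQLite database are constructed for the example; on MySQL the purge would typically run as an event or a scheduled job, and on MongoDB a TTL index on the expiry field does the deletion for you.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed retention policy in days per processing purpose. Fixing retention at
# ingest means the lifetime travels with the row.
RETENTION_DAYS = {"fraud_check": 90, "marketing_consent": 365, "session_telemetry": 30}


def open_event_db():
    """Create the constructed events table; SQLite stands in for the real datastore."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE event (
            id INTEGER PRIMARY KEY,
            subject_id INTEGER NOT NULL,
            purpose TEXT NOT NULL,
            ingested_at TEXT NOT NULL,
            expires_at TEXT NOT NULL,
            payload TEXT
        )""")
    return conn


def ingest(conn, subject_id, purpose, payload, now):
    """Write the row together with its expiry. A purpose without a retention policy
    is rejected rather than stored with an open-ended lifetime."""
    if purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention policy for purpose {purpose!r}")
    expires = now + timedelta(days=RETENTION_DAYS[purpose])
    conn.execute(
        "INSERT INTO event (subject_id, purpose, ingested_at, expires_at, payload) "
        "VALUES (?, ?, ?, ?, ?)",
        (subject_id, purpose, now.isoformat(), expires.isoformat(), payload))
    conn.commit()


def overdue(conn, now):
    """Rows past their expiry that are still present; a compliance check expects 0
    right after the purge has run."""
    return conn.execute(
        "SELECT COUNT(*) FROM event WHERE expires_at <= ?", (now.isoformat(),)).fetchone()[0]


def purge_expired(conn, now):
    """Delete every row past its expiry and return {purpose: rows_deleted} as the
    evidence an auditor will ask for."""
    counts = dict(conn.execute(
        "SELECT purpose, COUNT(*) FROM event WHERE expires_at <= ? GROUP BY purpose",
        (now.isoformat(),)).fetchall())
    conn.execute("DELETE FROM event WHERE expires_at <= ?", (now.isoformat(),))
    conn.commit()
    return counts


if __name__ == "__main__":
    # Constructed timeline: three rows ingested on one day, purge run 100 days later.
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    db = open_event_db()
    ingest(db, 1, "session_telemetry", "ua=constructed", t0)
    ingest(db, 1, "fraud_check", "score=3", t0)
    ingest(db, 2, "marketing_consent", "opt_in", t0)
    later = t0 + timedelta(days=100)
    print("overdue before purge:", overdue(db, later))
    print("purged:", purge_expired(db, later))
    print("overdue after purge:", overdue(db, later))
```

Timestamps are stored as ISO 8601 strings in UTC so that string comparison in the `WHERE` clause orders them correctly; mixing time zones or formats in that column would silently break the purge.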

SLIDE 34

Article 33 & 34

  • As a Data Processor how do you ensure immediate notification to Data Controllers of a breach?
    • Alerting and monitoring must encompass audit logs. It is no longer sufficient to only monitor and alert on items which affect uptime
  • As a Data Controller how do you ensure rapid notification of a breach to the Supervisory Authority?
    • Similarly, alerting and monitoring must encompass audit logs.
    • Additionally, you need to consider what required information needs to be in the notification and ensure that this is being collected as a matter of rote
  • How do you know that a breach has occurred?
    • Tighter integration between DBAs and their internal security and networking teams to implement intrusion detection systems and heuristic monitoring that accounts for database behavior
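
The slide above says alerting must encompass audit logs, and the Article 25 question earlier asks for alerts on logins by non-automated users. The following is an added example, not code from the presentation or from Percona, of what that detection looks like over the JSON output of the Percona Audit Log plugin: it parses `Connect` and `Query` records and raises three kinds of alert: repeated failed logins from one user/host, a successful login by an account outside the service-account allowlist (an interactive session), and a query by such an account against tables classified as holding Personal Data. The log lines, the allowlist and the table classification are constructed for the example; the record field names follow the plugin's JSON format, but the values are made up, and the table-name regex is a deliberately simple one that a production detector would replace with a real SQL parser.

```python
import json
import re
from collections import Counter

# Constructed lines shaped like the JSON output of the Percona Audit Log plugin
# (Connect and Query records); every value below is made up for the example.
SAMPLE_LOG = r"""
{"audit_record":{"name":"Connect","record":"1_2018-04-23T10:00:01","timestamp":"2018-04-23T10:00:01 UTC","connection_id":"11","status":0,"user":"app_svc","priv_user":"app_svc","os_login":"","proxy_user":"","host":"10.0.1.5","ip":"10.0.1.5","db":"shop"}}
{"audit_record":{"name":"Query","record":"2_2018-04-23T10:00:02","timestamp":"2018-04-23T10:00:02 UTC","command_class":"select","connection_id":"11","status":0,"sqltext":"SELECT id, total FROM orders WHERE id = 42","user":"app_svc[app_svc] @ 10.0.1.5 []","host":"10.0.1.5","os_user":"","ip":"10.0.1.5","db":"shop"}}
{"audit_record":{"name":"Connect","record":"3_2018-04-23T10:05:00","timestamp":"2018-04-23T10:05:00 UTC","connection_id":"12","status":1045,"user":"root","priv_user":"","os_login":"","proxy_user":"","host":"203.0.113.9","ip":"203.0.113.9","db":""}}
{"audit_record":{"name":"Connect","record":"4_2018-04-23T10:05:01","timestamp":"2018-04-23T10:05:01 UTC","connection_id":"13","status":1045,"user":"root","priv_user":"","os_login":"","proxy_user":"","host":"203.0.113.9","ip":"203.0.113.9","db":""}}
{"audit_record":{"name":"Connect","record":"5_2018-04-23T10:05:02","timestamp":"2018-04-23T10:05:02 UTC","connection_id":"14","status":1045,"user":"root","priv_user":"","os_login":"","proxy_user":"","host":"203.0.113.9","ip":"203.0.113.9","db":""}}
{"audit_record":{"name":"Connect","record":"6_2018-04-23T11:12:44","timestamp":"2018-04-23T11:12:44 UTC","connection_id":"15","status":0,"user":"dba_jsmith","priv_user":"dba_jsmith","os_login":"","proxy_user":"","host":"10.0.9.21","ip":"10.0.9.21","db":"shop"}}
{"audit_record":{"name":"Query","record":"7_2018-04-23T11:13:10","timestamp":"2018-04-23T11:13:10 UTC","command_class":"select","connection_id":"15","status":0,"sqltext":"SELECT email, postal_address FROM customer","user":"dba_jsmith[dba_jsmith] @ 10.0.9.21 []","host":"10.0.9.21","os_user":"","ip":"10.0.9.21","db":"shop"}}
"""

# Constructed allowlist of accounts expected to connect unattended; any other
# successful login is an interactive (human) session and gets an alert.
SERVICE_ACCOUNTS = {"app_svc", "backup_svc", "pmm"}
# Constructed output of a data-classification exercise: tables holding Personal Data.
PERSONAL_DATA_TABLES = {"customer", "address", "login_event"}
FAILED_LOGIN_THRESHOLD = 3

# Simplified table extraction; good enough for the sample statements, not a SQL parser.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+`?(\w+)`?", re.IGNORECASE)


def parse_records(text):
    """Yield the audit_record object of each non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)["audit_record"]


def analyze(text):
    """Run the three detections and return alerts as (kind, user, host, detail) tuples."""
    alerts = []
    failed = Counter()
    for rec in parse_records(text):
        if rec["name"] == "Connect":
            user, host = rec["user"], rec["host"]
            if rec["status"] != 0:
                failed[(user, host)] += 1
                if failed[(user, host)] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("failed_logins", user, host,
                                   f"{FAILED_LOGIN_THRESHOLD} failures"))
            elif user not in SERVICE_ACCOUNTS:
                alerts.append(("interactive_login", user, host, rec["timestamp"]))
        elif rec["name"] == "Query":
            # Query records carry the account as "user[priv_user] @ host []".
            user = rec["user"].split("[", 1)[0]
            touched = {t.lower() for t in TABLE_RE.findall(rec["sqltext"])} & PERSONAL_DATA_TABLES
            if touched and user not in SERVICE_ACCOUNTS:
                alerts.append(("personal_data_access", user, rec["host"],
                               ",".join(sorted(touched))))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The three alerts are the raw material for the Article 33/34 timeline: the failed-login burst and the interactive session give the "when did we first see it" timestamps, and the `personal_data_access` alert names the table, which is what the notification to the Supervisory Authority has to describe.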

SLIDE 35

Article 35

  • Does the necessity of a Data Protection Impact Assessment (DPIA) cause DBAs to become gatekeepers in their organization?
  • Do DBAs become responsible for assisting their security organization with understanding the risks of various database capabilities?

SLIDE 36

Article 44

  • Where does the DBA fit into your organization's practices and policies for controlling where data goes?
  • Consider what types of controls need to be implemented at the database layer to prevent data transfer
  • Consider how this rule impacts your ability to implement geographical scaling, disaster recovery zones, and offsite backup strategies
  • How does this impact your organization's strategy for deploying databases in the Cloud?

SLIDE 37

Q & A

SLIDE 38

Thank You Sponsors!!

SLIDE 39

Thank You!

SLIDE 40

Rate My Session