
How to Solve CCPA and GDPR's Toughest Compliance Mandates - PowerPoint PPT Presentation



  1. WEBINAR: How to Solve CCPA and GDPR's Toughest Compliance Mandates. Automating Data Privacy and Security for API-based Services

  2. Welcome and Introductions. Elias Terman, VP of Global Marketing, Integris Software; Chandan Golla, Head of Product Management, Integris Software; Shan Zhou, VP Customer Success, Cloudentity. MODERATOR

  3. Agenda: Privacy as a competitive differentiator; Meeting CCPA and GDPR compliance challenges; Discovering your regulated data; Data sharing challenges and opportunities; Digital transformation blind spot? APIs; What continuous defensibility looks like; Q and A

  4. Data Privacy Fails

  5. When Data Sharing Agreements Go Terribly Wrong. “...but it was in our terms of service.” Facebook contends that its technology worked exactly how it was built to work, but Cambridge Analytica broke the rules. Lesson learned: Contracts can be used to punish someone, but not until after they’ve broken the rules and the damage has been done.

  6. Privacy is critical to how businesses grow. PI privacy is both a business enabler and a regulatory burden. Business enabler: ● Build Trust ● Progressive Consent ● Personalization. Regulatory burden: ● Open Banking ● GDPR ● CCPA

  7. The Challenging Regulatory Landscape: Sale, Deletion, Consent, Notice, Disclosure, Purpose, Access, Data Flows, Processing Activities, 3rd Party Transfers

  8. Foundation to meeting CCPA and GDPR Requirements. Continuous defensibility boils down to doing four things well: 1. Understanding where personal information resides across all data sources (at rest and in-motion) 2. Mapping that data back to data handling obligations 3. Remediating risk and closing gaps 4. Fulfilling data subject requests

  9. Foundation to meeting CCPA and GDPR Requirements. Continuous defensibility boils down to doing four things well: 1. Understanding where personal information resides across all data sources (Easier said than done!) 2. Mapping that data back to data handling obligations 3. Remediating risk and closing gaps 4. Fulfilling data subject requests

  10. PI Surveys: Inaccurate and Time Consuming. Challenges (Regulations, Contracts, Internal): • Point in time • Doesn’t scale • Evolving definition of PI • Streaming data is blind spot. Data sources: Structured Databases (Oracle, MSSQL, MySQL, DB2); Unstructured File Shares (NFS, NAS); Big Data (Hadoop, Snowflake); SaaS (Microsoft O365, Google Drive, Salesforce); Data-in-Motion (Kafka, Amazon Kinesis); Additional Sources (JDBC Connectors, RESTful API’s)

  11. Not all discoverable sensitive information is linked to an identity. 87% of the US population can be uniquely identified with their Zip Code, Gender, and Birthdate*. Example profile: Name: John Smith; Likes: Pistachio ice cream; History: Visits downtown store 2x week; Pattern: Never visits on Sunday. (Diagram: a De-Identified Data Repository holding DATE OF BIRTH, GENDER and ZIP, queried by data analysts.) *Source: https://dataprivacylab.org/projects/identifiability/paper1.pdf
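The risk slide 11 describes, a repository that has had names removed but still carries ZIP code, gender and date of birth, can be measured before an extract is handed to analysts. The Python below is an added example, not code from the webinar or its presenters; the records, column names and the coarsening rule are constructed assumptions. It computes k-anonymity over the three quasi-identifiers and shows how much generalizing them reduces the share of rows that are singled out.

```python
"""Quasi-identifier risk check on a 'de-identified' extract.

Added example, not code from the webinar or its presenters. Records,
column names and the coarsening rule are constructed assumptions.
"""
from collections import Counter

# Constructed sample extract: names removed, quasi-identifiers intact.
RECORDS = [
    {"zip": "98101", "gender": "M", "dob": "1984-03-12", "likes": "pistachio"},
    {"zip": "98101", "gender": "M", "dob": "1984-03-12", "likes": "vanilla"},
    {"zip": "98104", "gender": "F", "dob": "1990-07-01", "likes": "mint"},
    {"zip": "98105", "gender": "F", "dob": "1990-11-23", "likes": "mint"},
    {"zip": "98109", "gender": "M", "dob": "1975-01-30", "likes": "coffee"},
    {"zip": "98119", "gender": "M", "dob": "1975-06-15", "likes": "coffee"},
]
QUASI_IDS = ("zip", "gender", "dob")  # the slide's three columns


def equivalence_classes(records, keys, generalize=lambda r: r):
    """Count rows that share the same quasi-identifier tuple."""
    return Counter(tuple(generalize(r)[k] for k in keys) for r in records)


def k_anonymity(records, keys, generalize=lambda r: r):
    """Smallest class size; k == 1 means at least one row is singled out."""
    classes = equivalence_classes(records, keys, generalize)
    return min(classes.values()) if classes else 0


def singled_out_fraction(records, keys, generalize=lambda r: r):
    """Share of rows that are unique on the quasi-identifiers."""
    classes = equivalence_classes(records, keys, generalize)
    unique_rows = sum(1 for n in classes.values() if n == 1)
    return unique_rows / len(records) if records else 0.0


def coarsen(record):
    """Generalize to a 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


if __name__ == "__main__":
    for label, gen in (("raw", lambda r: r), ("coarsened", coarsen)):
        print(label, "k =", k_anonymity(RECORDS, QUASI_IDS, gen),
              "singled out =", round(singled_out_fraction(RECORDS, QUASI_IDS, gen), 2))
```

On the constructed rows the raw extract has k = 1 with two thirds of rows unique, while the coarsened view reaches k = 2 with none singled out.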

  12. CCPA: Inferred data Religion can be inferred from diet preference or HR PTO days

  13. Integris Data Privacy Automation Solution. Inputs: Regulations, Contracts, Internal. Integris Data Privacy Automation: • Scalable • Continuous • Extensible • Streaming. • Accurate discovery and classification of sensitive data at scale • Data at rest, in motion, structured or unstructured, cloud or on premise • Apply business obligations to data map and initiate action. Data Layer: Structured Databases (Oracle, MSSQL, MySQL, DB2); Unstructured File Shares (NFS, NAS); Big Data (Hadoop, Snowflake); SaaS (Microsoft O365, Google Drive, Salesforce); Data-in-Motion (Kafka, Amazon Kinesis); Additional Sources (JDBC Connectors, RESTful API’s)

  14. The Blind Spot: Data in Motion. Data is always changing, so discovery of data at rest becomes obsolete. Key to protection? Monitoring inbound and outbound data transfers. (Diagram: Company A and Company B exchanging {...} payloads as 3rd Party Transfers, with Logs.)

  15. How does data move?

  16. Data moves through APIs, but they are a blind spot. APIs: Key to Digital Transformation. But Two Major Challenges Remain: 1. No insight into: ● What is exposed and to whom ● What’s happening with the data ● What controls are in place 2. Network perimeters no longer apply

  17. Data Sharing Agreements are a Major Privacy Concern: 61% of enterprises cited data sharing agreements as a privacy concern

  18. Data Sharing Agreements Don’t Protect Data: 40% of respondents have 50 or more data sharing agreements. Respondents lacked confidence in their partners’ ability to abide by data sharing agreements (84% less confident)

  19. Why is enforcing privacy on APIs so hard? Data movement and purpose: Lack of awareness of the data exchanged; No understanding of intent of use. Hard to enforce: Current controls deployed at app perimeter; Lack of unique identities for APIs. Distributed environments: Apps span multi cloud and on-prem environments; Decentralized DevOps teams. Scale: Consumer scale is not traditional scale; High latency results in negative experiences

  20. Establish a two-step program. 1 Lay the Foundation: ➔ Discovery and classification of data at rest ➔ PI surface area reduction ➔ Policies and rules to monitor changes ➔ Remediation process. 2 Safe Digital Transformation: ➔ Discovery and classification of data in motion ➔ Monitor online transfers against data contracts and policies ➔ Implement privacy checks in addition to security checks (i.e. Progressive Consent)

  21. Implement Progressive Consent. “Show me your commitment to protecting my data.” “Ask for my consent to use my information.” “Give me control over what data you collect on me.” 95% of customers are more likely to be loyal to a company they trust; 92% are more likely to purchase additional products and services from trusted businesses; 93% of customers are more likely to recommend a company they trust

  22. Progressive Consent Example

  23. Progressive Consent Example

  24. Progressive Consent Example

  25. Progressive Consent

  26. Discovery and Classification

  27. Progressive Consent

  28. Progressive Consent: The right data is provided to the right resources at the right time. Progressive consent/revocation; Continuous compliance; Continuous enforcement

  29. Risks and Remediation

  30. Best Practices for API Data Protection. Know your Who, What, and Why... Who - Authorization & Authentication: User and API identity verification; API authorization; PI processor; Usage pattern. What & Why - Data, Schema & Data contract validation: Contracts; Schema change alert; High sensitivity classification alert; High sensitivity attribute alert; Unencrypted data alert
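The "What & Why" alerts on slide 30 (schema change, high sensitivity attribute, unencrypted data) become concrete when each outbound response is checked against a data contract for the consumer receiving it. The Python below is an added example, not code from the webinar or either vendor; the field catalog, the per-consumer contract, the sample payloads and the "tok_" token format are constructed assumptions.

```python
"""Data-contract check for an outbound API response.

Added example, not code from the webinar or its presenters. The field
catalog, the per-consumer contract, the sample payloads and the 'tok_'
token format are constructed assumptions.
"""
import re

# Classification of the API's known fields (output of discovery/classification).
CATALOG = {"customer_id": "low", "zip": "medium", "email": "high", "religion": "high"}

# Contract for one consumer: what it may receive, and what must arrive tokenized.
CONTRACT = {
    "consumer": "partner-analytics",
    "allowed": {"customer_id", "zip", "email"},
    "tokenized": {"email"},
}
TOKEN_RE = re.compile(r"^tok_[0-9a-f]{16,}$")  # assumed tokenization format


def check_response(catalog, contract, payload):
    """Return alerts for one response; an empty list means it conforms."""
    alerts = []
    for name, value in payload.items():
        sensitivity = catalog.get(name)
        if sensitivity is None:
            # Unknown field: the upstream schema changed since classification.
            alerts.append(f"schema-change: unexpected field '{name}'")
        elif name not in contract["allowed"]:
            kind = "high-sensitivity-attribute" if sensitivity == "high" else "contract-violation"
            alerts.append(f"{kind}: '{name}' not granted to {contract['consumer']}")
        elif name in contract["tokenized"] and not TOKEN_RE.match(str(value)):
            alerts.append(f"unencrypted-data: '{name}' sent in clear text")
    return alerts


# Constructed responses: one conforming, one that drifted.
GOOD_RESPONSE = {"customer_id": "c-1001", "zip": "98101", "email": "tok_3f9a1c7e5b2d4a6f"}
BAD_RESPONSE = {
    "customer_id": "c-1002",
    "zip": "98104",
    "email": "jane@example.com",   # raw identifier instead of a token
    "religion": "undisclosed",     # high-sensitivity field not in the contract
    "diet": "vegan",               # never classified; also lets religion be inferred
}

if __name__ == "__main__":
    for alert in check_response(CATALOG, CONTRACT, BAD_RESPONSE):
        print(alert)
```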

  31. Best Practices for Deployment: Unique identity for every user, API, and device; Deploy close to the service for best performance; Must support hybrid and multi-cloud environments; Microservices based to support legacy and modern architectures; Inspect every transaction, not just the first request; Deployable everywhere with centralized management; Provide seamless DevOps integration patterns, transpose responsibilities for verifiable policy enforcement

  32. Data Privacy is integral to Data Protection. Data Protection (Protected, Usable) spans Privacy and Information Security. Privacy, i.e. what data is important and why: Discovery & Classification, Data Handling Obligations, Risk & Governance, Regulations, Contracts, Policies. Information Security, i.e. how those policies are enforced: Data Access Control, Encryption, Network Security, Activity Monitoring, Breach Response, DLP / CASB. Privacy and Security go hand in hand: • Keeping your information private requires keeping it secure • If your information is not private, it’s not secure

  33. Q&A. Elias Terman, VP of Global Marketing, Integris Software; Chandan Golla, Head of Product Management, Integris Software; Shan Zhou, VP Customer Success, Cloudentity. MODERATOR. Contact: chandan@integris.io, http://info.cloudentity.com/demo-download
