General Data Protection Regulation, a developer's story

Michelangelo
October 26, 2017

On May 25, 2018 all companies collecting and processing data of people from within the European Union must comply with the General Data Protection Regulation, or GDPR. In this talk we'll cover what the GDPR is and how it will impact businesses within the EU and abroad, what can be done to comply with this regulation and how to proceed further. This talk will not provide you with legal answers, but it will give you technology solutions that make your applications compliant with these regulations. Even if you're not processing data from the EU, these solutions will offer you better protection for the data you currently keep and will ensure that, in the case of a breach, the impact will be minimal.


Transcript

  1. GENERAL DATA PROTECTION REGULATION A developer’s story

  3. LATEST BREACHES THAT IMPACTED PEOPLE’S LIVES
     ➤ Equifax (2017): 143 million accounts hacked; financial exposure (credit), credit card data & personal information
     ➤ Ashley Madison (2015): 37 million accounts hacked; extortion, divorces, suicides
     ➤ OPM (2015): 21 million US government personnel; foreign assets, informant data, addictions & relationship issues
  5. WHO ARE YOUR ADVERSARIES?
     ➤ (Natural) disaster
     ➤ Hackers
     ➤ Law enforcement
     ➤ Nation states
     ➤ Employees
  6. DISCLAIMER This is not “legal advice”; all points made should be checked with your company’s legal department, or consult a legal advisor for your specific situation!
  7. GDPR What is it?

  8. GENERAL DATA PROTECTION REGULATION (GDPR)
     ➤ A stricter, directly applicable successor to the existing EU data protection directive, which every member state had transposed into its own national law
     ➤ Applies in all 28 EU member states from May 25, 2018
     ➤ Impacts every business that collects or processes personal data of EU data subjects, also when that business is located outside the EU
  9. “GDPR is a risk based approach” - Cindy E. Compert, IBM Security
  11. WHAT GDPR WANTS TO PROTECT
     ➤ Religion & beliefs
     ➤ Physical appearance
     ➤ Cultural background
     ➤ Sexual orientation
     ➤ Social status
     ➤ Financial strength
     ➤ Mental state
     ➤ Medical conditions
     ➤ Studies & education
     ➤ Memberships
     ➤ Loyalty programs
     ➤ Identity & nationality
  12. WHAT IS CONSIDERED “PRIVATE DATA”?
     ➤ Name, email address, home address, phone number
     ➤ Social security number, national identity number, passport number
     ➤ Medical data, social status, religion, political views, sexual orientation, nationality, financial balance
     ➤ Concert tickets, travel arrangements, library cards, loyalty programs
     ➤ IP addresses with timestamps
     ➤ and much more…
  13. PII: Personally Identifiable Information. Information that can identify a single individual.
  14. RULE OF THUMB Any piece of information that can point to a single individual within the EU
  15. WHY CARE ABOUT GDPR? Why do I need to invest so much in being ready?
  16. PROTECT & SERVE
     ➤ Protect data of EU data subjects
     ➤ Secure the way you store data
     ➤ Audit access to data
     ➤ Know what data is kept in the company
  17. FINES & PENALTIES
     ➤ up to 10 million euro or 2% of annual global turnover, whichever is higher
     ➤ up to 20 million euro or 4% of annual global turnover, whichever is higher, for the more severe infringements
  18. IMPROVING KNOWLEDGE on the private data collected and processed by your company, and on who had access to it.
  19. SERVICE BINGO

  21. IMPROVE SECURITY GDPR is a risk based approach to protecting privacy data. All measures taken to ensure this protection will improve your overall security.
  22. GDPR COMPLIANCE The nitty-gritty

  23. PATH TO GDPR COMPLIANCE: ASSESS → TRANSFORM → DESIGN → OPERATE → CONFORM

  29. IN2IT CASE STUDY
     Before:
     - 25 external services
     - 2 continents (EU & NA)
     - No agreements with providers
     - No consent for data transfer
     - Limited encryption of data
     ✓ Automated deployment processes
     ✓ Signed code and releases
     ✓ Strict access control
     After:
     ✓ 5 external services
     ✓ 2 continents, with EU Model Clauses (standard contractual clauses) for the US and Canadian services
     ✓ Contracts with all providers
     ✓ Consent for data transfer
     ✓ All data encrypted (in transit and at rest)
     ✓ Automated deployment processes
     ✓ Signed code, releases and documents
     ✓ Strict access control
  30. SOME EXAMPLES Technical things you can do right now!

  31. PASSWORD MANAGEMENT
     ➤ Don’t store data access passwords in a common repository
     ➤ Don’t keep passwords in environment variables*
     ➤ Make use of an Identity Management System to manage
       ➤ SSH keys
       ➤ API keys
       ➤ DSNs
       ➤ Public keys
     (*) Why not use environment variables: diogomonica.com
  32. HASHICORP VAULT
     ➤ Tool for managing secrets
     ➤ vaultproject.io
     ➤ Secures, stores and controls
       ➤ access tokens
       ➤ passwords
       ➤ certificates
       ➤ API keys
       ➤ … others
     ➤ Access control
     ➤ Key rolling
     ➤ Configurable lease time
     ➤ Audit logs
     ➤ Open source
  33. USE A TEAM PASSWORD MANAGER

  34. GIVE 2FA TO EVERYONE!

  35. AUDIT TRAILS WITH MIDDLEWARE & CQRS
     ➤ Log access to data
     ➤ Automate anonymising of privacy data
     ➤ Automate encryption of privacy data
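The three bullets above in working code, as an added example that is not part of the original slides or of in2it's code base: a repository wrapper that writes an audit record for every access to customer data, keeps the PII fields encrypted in storage with libsodium's authenticated secretbox, and replaces the e-mail address used as a lookup key with a keyed (HMAC) pseudonym. It assumes PHP 7.2 or later with ext/sodium; the field names, the actor id and the in-memory row and audit arrays are constructed stand-ins for a real database and log sink.

```php
<?php
// Added example, not from the slides: every read and write of customer data gets an audit
// record, PII fields are stored encrypted, and a keyed pseudonym of the e-mail address is the
// lookup key, so the plaintext address is never stored. Assumes PHP >= 7.2 (ext/sodium); the
// in-memory rows and log array are hypothetical stand-ins for your database and log sink.
final class PiiCrypto
{
    private $key;     // 32-byte secretbox key: fetch it from a secrets manager, never from the repo
    private $hmacKey; // separate key, used only for pseudonymisation

    public function __construct(string $key, string $hmacKey)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { throw new InvalidArgumentException('bad key length'); }
        $this->key = $key;
        $this->hmacKey = $hmacKey;
    }

    // Authenticated encryption; the random nonce is prepended to the ciphertext.
    public function encrypt(string $plaintext): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $this->key));
    }

    public function decrypt(string $encoded): string
    {
        $raw = base64_decode($encoded, true);
        if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) { throw new RuntimeException('malformed ciphertext'); }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        if ($plain === false) { throw new RuntimeException('ciphertext failed authentication'); }
        return $plain;
    }

    // Deterministic keyed pseudonym: equal addresses give equal tokens, but without the HMAC
    // key nobody can confirm a guessed address by hashing it (unlike a plain SHA-256).
    public function pseudonym(string $value): string
    {
        return hash_hmac('sha256', strtolower(trim($value)), $this->hmacKey);
    }
}

final class AuditingCustomerRepository
{
    private const PII_FIELDS = ['name', 'email', 'phone'];
    private $crypto;
    private $actor;         // authenticated user on whose behalf the access happens
    private $rows = [];     // hypothetical storage, keyed by pseudonymised e-mail
    private $auditLog = []; // hypothetical append-only audit sink

    public function __construct(PiiCrypto $crypto, string $actor)
    {
        $this->crypto = $crypto;
        $this->actor = $actor;
    }

    public function save(array $customer): string
    {
        $id = $this->crypto->pseudonym($customer['email']);
        $row = [];
        foreach ($customer as $field => $value) {
            $row[$field] = in_array($field, self::PII_FIELDS, true) ? $this->crypto->encrypt((string) $value) : $value;
        }
        $this->rows[$id] = $row;
        $this->audit('write', $id, array_keys($customer));
        return $id;
    }

    // Callers name the fields they need: only those are decrypted and only those are logged.
    public function find(string $email, array $fields): ?array
    {
        $id = $this->crypto->pseudonym($email);
        $this->audit('read', $id, $fields);
        if (!isset($this->rows[$id])) { return null; }
        $out = [];
        foreach (array_intersect_key($this->rows[$id], array_flip($fields)) as $field => $stored) {
            $out[$field] = in_array($field, self::PII_FIELDS, true) ? $this->crypto->decrypt($stored) : $stored;
        }
        return $out;
    }

    private function audit(string $action, string $subject, array $fields): void
    {
        // Who, what, when: field names only, never the values themselves.
        $this->auditLog[] = ['ts' => gmdate('c'), 'actor' => $this->actor, 'action' => $action,
                             'subject' => $subject, 'fields' => array_values($fields)];
    }

    public function auditLog(): array { return $this->auditLog; }
}

// Constructed sample data; the keys would come from Vault or similar in a real deployment.
$crypto = new PiiCrypto(sodium_crypto_secretbox_keygen(), random_bytes(32));
$repo = new AuditingCustomerRepository($crypto, 'support-agent-42');
$repo->save(['name' => 'Jane Example', 'email' => 'jane@example.com', 'phone' => '+32 400 00 00 00', 'plan' => 'pro']);
$result = $repo->find('Jane@Example.com', ['name', 'plan']); // ['name' => 'Jane Example', 'plan' => 'pro']
print_r($repo->auditLog()); // one 'write' and one 'read' entry for support-agent-42, field names only
```

Two design points worth noting: the audit record stores field names and a pseudonymous subject id, never the values, so the log itself does not become another copy of the personal data; and the HMAC pseudonym is what makes "find by e-mail" possible without storing the address in clear, which a plain hash would not achieve because anyone with a list of candidate addresses could hash and match them.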
  36. …AND DON’T FORGET TO ENCRYPT YOUR STORAGE & COMMUNICATIONS!
     (diagram: App connected to Data Storage, File Storage, Log Storage and Backup Storage; public/private key exchange, encrypted data storage)
  37. WHAT YOU CAN DO NOW! Simple steps towards more privacy

  38. RESPECT DNT HEADERS

  40. (request headers sent by a browser with Do Not Track enabled; note the DNT: 1 line)

```http
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,nl;q=0.4
Cache-Control: max-age=0
Connection: keep-alive
DNT: 1
Host: www.example.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (<script>alert('Filter Input, Escape Output');</script>)
```
  42. INTERESTING FOR DISABLING GOOGLE ANALYTICS

```php
<?php // Only inject the analytics snippet when the browser did not send "DNT: 1" ?>
<?php if (!array_key_exists('HTTP_DNT', $_SERVER) || 1 !== (int) $_SERVER['HTTP_DNT']): ?>
    <!-- show your Google Analytics script here -->
<?php endif ?>
```
  43. REMOVE THE “DATA” from displayed information

  44. What’s wrong with this picture?

  45. Why display full name details?

  46. Why display email addresses?

  47. Why display phone numbers?

  48. REDUCE ACCESS TO DETAILS If a user has other ways to communicate with your clients, remove the visible display of common data elements like full names, email and shipment addresses, and phone numbers.
  49. Do you see the difference?

  50. Not full name display

  51. Integrated communication functionality

  53. SAME FUNCTIONALITY, BUT KEEPS DATA HIDDEN
     ➤ Prevents accidentally exposing email and phone numbers (e.g. during a call)
     ➤ Hides details from the end user, but the functionality is still provided
     ➤ Sending out an email uses the built-in mail client
     ➤ Making calls uses the phone middleware used in the company
     ➤ Gives a clear audit trail of who accessed what
  55. NOT 100% PROTECTION, BUT…
     ➤ We remove the personal one-on-one communication with customers
     ➤ We add better access management on customer communication
     ➤ A full audit trail is now possible, as communication stays in-application
     ➤ Less chance of data loss, as contact details are kept away from users
  56. BLOCKCHAIN Immutable, verifiable ledger for all transactions

  57. EMAIL MARKETING

  58. CONTACT DATA Opt-in , always

  59. NOT OPT-IN /dev/null is the place to be

  60. LIMIT EXPIRATION Don’t keep longer than needed

  61. AUTOMATE IT!
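Slides 58 to 61 describe one procedure: opt-in always, discard whatever never opted in, don't keep contacts longer than needed, and automate it. Here it is as working code, an added example that is not part of the original slides or of in2it's code base: a double opt-in subscriber list whose purge step deletes unconfirmed sign-ups after the opt-in window and confirmed contacts after a period of inactivity, and whose mailer query only ever sees confirmed addresses. It assumes PHP 7.1 or later with ext/pdo_sqlite; the table layout, the 14-day and 730-day retention periods and the sample addresses are constructed for the example.

```php
<?php
// Added example, not from the slides: a double opt-in mailing list with retention enforcement.
// Addresses that never confirm are deleted after the opt-in window ("/dev/null"), confirmed
// contacts are deleted after a period without activity, and only confirmed contacts can ever be
// mailed. Uses an in-memory SQLite database (ext/pdo_sqlite) with a constructed schema so it runs
// offline; in production the same class runs from a scheduled job, e.g. a nightly cron entry:
//   0 3 * * * php /path/to/purge-subscribers.php
final class SubscriberRetention
{
    private $db;
    private $optInWindowDays; // unconfirmed sign-ups older than this are discarded
    private $inactivityDays;  // confirmed contacts idle longer than this are discarded

    public function __construct(PDO $db, int $optInWindowDays = 14, int $inactivityDays = 730)
    {
        $this->db = $db;
        $this->optInWindowDays = $optInWindowDays;
        $this->inactivityDays = $inactivityDays;
    }

    // Step 1 of the double opt-in: store the address unconfirmed and hand back the token to e-mail.
    public function subscribe(string $email, int $now): string
    {
        $token = bin2hex(random_bytes(16));
        $stmt = $this->db->prepare('INSERT INTO subscribers (email, token, created_at) VALUES (:email, :token, :now)');
        $stmt->execute([':email' => $email, ':token' => $token, ':now' => $now]);
        return $token;
    }

    // Step 2: the click on the confirmation link records consent and the moment it was given.
    public function confirm(string $token, int $now): bool
    {
        $stmt = $this->db->prepare(
            'UPDATE subscribers SET confirmed_at = :confirmed, last_activity_at = :active WHERE token = :token AND confirmed_at IS NULL'
        );
        $stmt->execute([':confirmed' => $now, ':active' => $now, ':token' => $token]);
        return $stmt->rowCount() === 1;
    }

    // Retention job: returns how many rows each rule removed, for the job's own log.
    public function purge(int $now): array
    {
        $this->db->beginTransaction();
        $unconfirmed = $this->db->prepare('DELETE FROM subscribers WHERE confirmed_at IS NULL AND created_at < :cutoff');
        $unconfirmed->execute([':cutoff' => $now - $this->optInWindowDays * 86400]);
        $stale = $this->db->prepare('DELETE FROM subscribers WHERE confirmed_at IS NOT NULL AND last_activity_at < :cutoff');
        $stale->execute([':cutoff' => $now - $this->inactivityDays * 86400]);
        $this->db->commit();
        return ['unconfirmed' => $unconfirmed->rowCount(), 'stale' => $stale->rowCount()];
    }

    // The only query the mailer is allowed to use: consent is a WHERE clause, not a convention.
    public function recipients(): array
    {
        return $this->db->query('SELECT email FROM subscribers WHERE confirmed_at IS NOT NULL ORDER BY email')
                        ->fetchAll(PDO::FETCH_COLUMN);
    }
}

// Constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE subscribers (email TEXT PRIMARY KEY, token TEXT NOT NULL,
           created_at INTEGER NOT NULL, confirmed_at INTEGER, last_activity_at INTEGER)');
$list = new SubscriberRetention($db, 14, 730);
$now = time();
$list->subscribe('ann@example.com', $now);                       // signs up, never confirms
$list->confirm($list->subscribe('bob@example.com', $now), $now); // completes the double opt-in
$longAgo = $now - 3 * 365 * 86400;                               // confirmed three years ago, idle since
$db->prepare('INSERT INTO subscribers VALUES (:e, :t, :c1, :c2, :c3)')
   ->execute([':e' => 'old@example.com', ':t' => 'unused', ':c1' => $longAgo, ':c2' => $longAgo, ':c3' => $longAgo]);

$removed = $list->purge($now + 30 * 86400); // as if the nightly job runs 30 days from now
// $removed === ['unconfirmed' => 1, 'stale' => 1]; $list->recipients() === ['bob@example.com']
```

The point of putting the consent check into the one query the mailer may use, rather than relying on callers to remember it, is that a future report or export cannot accidentally include people who never confirmed; and because the purge is a transaction run on a schedule, "don't keep longer than needed" stops depending on someone remembering to clean up.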

  62. NEXT STEPS Get started now to be ready

  63. GET STARTED NOW

  64. DON’T START BLINDLY KNOW WHAT TO PROTECT!

  65. EVALUATE REGULARLY

  66. GOAL: PROTECT PRIVACY

  67. SOME RESOURCES
     ➤ European Commission: Protection of personal data
     ➤ EU GDPR Infograph
     ➤ Charting the Course to GDPR: Setting Sail
     ➤ Deloitte GDPR Series
     ➤ InfoSecurity Group GDPR Checklist
     ➤ Securing MongoDB
     ➤ Table and tablespace encryption on MariaDB 10.1
  68. THE CLOCK IS TICKING…

  70. in2it PROFESSIONAL PHP SERVICES: Michelangelo van Dam, Zend Certified Engineer. contact@in2it.be - www.in2it.be - T in2itvof - F in2itvof. Consulting, Automation, Training
  71. JOIN THE DISCUSSION https://in2.se/gdpr-updates
