Data protection and privacy in the world of database DevOps
Download as PPTX, PDF1 like239 views
The document discusses the integration of DevOps in database management, emphasizing the importance of data governance, compliance, and the impact of GDPR. It outlines the benefits of database DevOps, including improved sync with application development and enhanced data protection practices. Additionally, it debunks common myths about GDPR compliance in relation to DevOps and presents next steps for technical and compliance readiness.
Data protection and privacy in the world of database DevOps
- 2. Data protection & privacy in the world of database DevOps
- 4. Agenda • What is DevOps? • Extending DevOps to databases • Impact of database DevOps on data governance and compliance • James Boother – Sales & Marketing Director, Coeo
- 5. What is DevOps “DevOps is the union of people, process, and products to enable continuous delivery of value to our end users.” Donovan Brown, Principal DevOps Program Manager, Microsoft
- 6. Extending DevOps to databases • Business-critical data needs to be safely and correctly preserved • Databases carry state that needs to be managed as part of rolling out new or updating existing software
- 7. Benefits of Database DevOps • Databases are in sync with application development • Reliable traceability of database changes • Removal of the database bottleneck in agile delivery processes • Frequent releases, requiring less dev and DBA time • Audit trail of who has accessed what data, when and where
- 8. Impact of DevOps on Data Governance 64% of respondents said DevOps had a positive impact on Data Governance & Compliance
- 9. Database DevOps as a foundation for compliance • Monitoring - a key component for resilience • Change control & testing - reliable, repeatable, consistent • Provisioning and masking - compliant distribution of data • Automation - a durable and consistent audit trail
- 10. James Boother Sales & Marketing Director Coeo blog.coeo.com james@coeo.com @jimmyboo www.linkedin.com/in/JamesBoo ther
- 11. What is GDPR? Common myths Mapping GDPR to DevOps Next steps Q&A Agenda
- 12. What is GDPR?
- 13. Mutually agreed European General Data Protection Regulation (GDPR) Will come into force on May 25 2018 Replaces the 1995 data protection regulation. Supersedes the UK Data Protection Act 1998 Any organisation operating within Europe needs to adhere What is GDPR? http://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32016R0679 &from=EN
- 14. The right to be informed The right of access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object Rights related to automated decision making and profiling Individual’s rights
- 15. Name Identification number Email address Online user identifier Social media posts Physical, physiological, or genetic information Medical information Location Bank details IP address Cookies Examples of personal data covered by GDPR https://aka.ms/gdprsqlwhitepaper
- 16. Penalties Size of offence Penalty Small Up to €10 million or 2% global turnover Serious Consequences Up to €20 million or 4% global turnover Current UK Up to £500,000
- 17. Elizabeth Denham, the UK's information commissioner, says "The GDPR is a step change for data protection," "It's still an evolution, not a revolution". Words of advice from the ICO
- 18. ICO 12 step process https://ico.org.uk/media/for- organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf 1. Awareness 2. Information you hold 3. Communicating privacy information 4. Individuals’ rights 5. Subject access requests 6. Lawful basis for processing personal data 7. Consent 8. Children 9. Data breaches 10. Data protection by design and data protection impact awareness 11. Data projection officers 12. International
- 19. Common Myths
- 20. Myth #1 I can’t comply with GDPR and use DevOps
- 21. Click to edit Master title styleMyth #1 - Mapping GDPR to DevOps - Users have access only to the data needed - Implement data protection by design and by default - Test for security regressions such as unprotected PII data - Identifying code-level security regressions such as code that returns data to non-privileged users - Use Generated sample data or Dynamic data masking instead of copying un- sanitized production data into non- production environments - PII data is encrypted or pseudo-anonymised - Users have the right level of access - Encrypted connections using TLS or Always Encrypted - Dynamic Data Masking - Row-level Security - Sysadmin access for DBAs - Restricted access for everyone else - Audit access and ability to identify compromised data - Encrypted backups - Removing data from backups
- 22. Myth #2 I only need to worry about production
- 23. Click to edit Master title styleMyth #2 – Identifying all of the Personal Data you hold https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
- 24. Myth #3 Holding data in Azure prevents me from complying with GDPR
- 25. Click to edit Master title styleMyth #3 – Azure advanced data protection features Feature SQLDB SQL Server Vulnerability Assessment Coming soon TDE On by default Available in Enterprise Threat detection Auditing Dynamic data masking Always encrypted Encrypted connections AAD User login with MFA (With SSMS 17)
- 26. Next steps
- 27. Technical readiness Create a repeatable deployment process Setup monitoring of access to the environments Remediate any technical risks identified during the assessment Next Steps Compliance readiness Nominate a Data Protection Officer Assess your environment Identify the personal data across all environments Prepare a breach response plan Two Work Streams:
- 28. Further reading Topic Blog post Introducing Always Encrypted https://blog.coeo.com/mattrobertshaw/2 017/05/08/introducing-always-encrypted Securing connections to SQL Server with TLS https://blog.coeo.com/securing- connections-to-sql-server-with-tls How Vulnerable is Your Data? Stop Malware Attacks using Azure SQL Database https://blog.coeo.com/how-vulnerable- is-your-data-stop-malware-attacks- using-azure-sql-database The GDPR and You https://www.scarydba.com/2017/11/13/th e-gdpr-and-you/
- 29. Q&A
Editor's Notes
- #3: Hi everybody, welcome to our webinar on Data protection & privacy in the world of database DevOps. All attendees are on mute, but please do leave questions in the Gotowebinar panel… We are recording the webinar and we’ll be sending you the recording and the slides tomorrow
- #4: PASS President Microsoft MVP Author Redgate Evangelist
- #5: After setting the scene by talking about what we mean by database DevOps and how it can be a solid foundation for compliance, I’ll hand over to our guest James Boother, Sales & Marketing Director at Coeo: James is Sales and Marketing Director at Coeo, a Microsoft Gold Partner providing consulting and managed services for Microsoft data platform and analytics technologies. He has extensive experience within the software industry, and before joining Coeo had 15 years’ experience working as a programmer, system architect, head of technology and consultant. James is also a Microsoft Certified Master for SQL Server and regularly present at industry and community events.
- #7: A lot of dev shops out there are already utilizing best practices around application lifecycle management and rapid delivery of their application code but the databases are normally left out and there are still a lot of manual processes involved in delivering database changes. This is mainly because deployment of databases is not as easy as swapping out old code with a new one. Databases carry state and hold business critical data that needs to be safely preserved… and there are more and more data protection and privacy regulations for organizations to be compliant with.
- #11: Now it’s time to introduce our guest speaker for today, James Boother of Coeo, for a closer look at the growing demands on dev teams within organisations to balance data protection and privacy requirements with rapid, reliable delivery.
- #17: Smaller offences could result in fines of up to €10 million or two per cent of a firm's global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater). In the UK the ICO can currently fine up to £500,000
- #19: Certain organisations (over 250 staff) must appoint a Data Protection Officer 72 hours – to report a data protection incident to the ICO (or governing body in a European country) Select which legal body you are registering with