Data Governance Event –
6th February 2018 – Geneva - Warwick Hôtel
Keep your data safe and be compliant via a 360° approach
Nagib Aouini – Head of Cyber Security / Blockchain
Agenda
― Why data breaches will continue to occur
― What is Data Governance
― How to comply with regulations with an effective data governance
program
― 360° Data Security Approach
― Q&A
Data breach stories
©copyright 2017
Story #1
Bad identity management practices
Event Data Governance - Feb 6th - Geneva
https://baffle.io/the-threat/equifax-breach/
Story #1 (Equifax)
Failed to implement a WAF and vulnerability management
How those breaches can happen
Source http://blog.wallix.com/uber-hack-pam
• The data of 57 million users was stolen from Uber.
• The intruders gained access to a private GitHub repository used by some Uber software engineers, found AWS credentials in it, and used them to steal private data.
Story #2 (Uber)
Failed to implement two-factor authentication and privileged identity management
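The Uber story above turns on credentials committed to a source repository. The following scanner is an added example, not code from the deck or from the Wallix post it cites: it flags AWS access key IDs by their fixed prefix and 40-character secret-key candidates by Shannon entropy, so a pre-commit hook or CI job can stop the commit before it reaches GitHub. The entropy threshold of 4.0 bits per character is an assumption of this example, and the sample config content is constructed around the placeholder key pair AWS publishes in its documentation.

```python
"""Detect AWS credentials leaked into source code, the failure behind the Uber breach.

Added example, not code from the deck. The sample content below is constructed and uses
the placeholder key pair that AWS publishes in its documentation.
"""
import math
import re
import sys
from collections import Counter

# Long-term access key IDs start with AKIA, temporary ones with ASIA; 20 characters total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 characters from the base64 alphabet. The regex is loose on
# purpose; the entropy filter below removes ordinary identifiers and git SHAs.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits per character. A 40-char hex SHA uses only 16 symbols and stays below 4.0;
    a real secret drawn from 64 symbols is typically around 4.5 or more."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    """Never echo the full secret into a report or a ticket."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str, path: str = "<memory>", min_entropy: float = 4.0) -> list:
    """Return one finding per credential-looking string, with its location."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": mask(candidate)})
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample of a committed config file (AWS documentation placeholder keys).
# The last line carries a 40-hex git SHA that must NOT be reported.
SAMPLE_COMMIT = """[default]
region = eu-central-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# built from 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([f for p in paths for f in scan_file(p)] if paths
               else scan_text(SAMPLE_COMMIT, "config/aws.cfg"))
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
    sys.exit(1 if results else 0)   # non-zero so a pre-commit hook or CI job fails
```

Run it with file paths to scan a checkout, or without arguments to scan the embedded sample; the non-zero exit code is what makes the hook refuse the commit. Hex git SHAs are 40 characters too, but with only 16 symbols they never reach 4 bits per character, which is why the entropy test is there rather than a length check alone.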
Story #3
Ransomware attack
Threats to Healthcare IT systems
– Data stolen from a bank quickly becomes useless once the breach is discovered and passcodes are changed
– Data from the healthcare industry, which includes both personal identities and medical histories, can live a lifetime
– Healthcare IT systems and apps are often secured only with a simple username / password and no enforced password policy
– Managing access control and putting strong security controls in place is challenging in a healthcare environment because of the "need to work" principle (emergency access, doctors need access to the EHR, …)
This data can be used to launch spear-phishing scams, identity theft and social engineering fraud.
Use case study: Protecting a medical information system and electronic health record
Problem: privacy and control of the data must be ensured; a data center hosted outside Switzerland is a serious risk for such information, and so is unauthorized access (because of leaked credentials).
Challenge: development of a medical portal across Switzerland allowing hospitals, doctors and patients to access medical information hosted on a CRM or web app portal (even a fat client via Citrix). This portal contains patient data that is protected by Swiss law.
Login credentials are lost or stolen, resulting in unauthorized access to patient records. Malicious hackers can target physicians via spear-phishing attacks to get their credentials.
Mentality must evolve
What is Data Governance
Data Management Program Drivers
• Need to share and integrate data with external partners
• Alignment with business strategy supporting innovation
• Allow the business to identify opportunities by being more agile
• Need to cope with different kinds of business built over time, with specific priorities and different subsidiaries
• Rather independent departments / subsidiaries with their own processes
• Some tools not shared, or used differently
• Tools continuously changing
• Control the risk
• Responsibility of the company towards shareholders, customers and authorities (*)
• The information lifecycle must be very well controlled
• The company must be able to provide consistent and reliable information
*: Examples: General Data Protection Regulation (Regulation (EU) 2016/679), FINMA Circular 2008/21 "Operational Risks – Banks", EU Regulation 73/2010 on aeronautical data and information quality, Solvency II Directive 2009/138/EC
Data Governance
Data Governance: the decision-making and oversight process that prioritizes investments, allocates resources and measures results to ensure that the data being managed is leveraged to support business needs.
■ Goals:
1. Enable an organisation to manage its data as an asset
2. Sponsor, track and oversee the delivery of data management projects and services
3. Define, approve, communicate and implement principles, policies, procedures, metrics, tools and responsibilities for data management
4. Manage and resolve data-related issues
• Data Governance is more than data quality, policies and standards. It is about aligning data management with corporate needs and strategy, to optimize results and to control risks.
DMBOK Data Management Framework
• A framework for comprehensively understanding the Data Management components and the relationships between them
• The 11 functions (knowledge areas) depend on one another and need to be aligned
• Ideas and concepts are applied differently depending on the organization's industry, culture, maturity level, strategy, vision and the challenges it is facing
How to comply with regulations
Applicable regulations: GDPR
Replaces and extends European Directive 95/46/EC from May 25th 2018.
Applies to controllers or processors established in the Union.
Also applies to controllers or processors not established in the Union where the processing activities relate to the offering of goods or services to data subjects in the Union, or to the monitoring of their behaviour as far as that behaviour takes place within the Union.
GDPR roles and entities
Applicable regulations: Swiss Federal Data Protection Act
The revised DPA is announced for the end of 2018.
It needs to be harmonised with EU standards. The Federal Council adopted a DPA revision process in September 2017 and released a draft version of the future DPA.
Applies to controllers and processors established in Switzerland.
Data privacy framework by ELCA
Three pillars: Governance, Operational processes, Legal & compliance.
Building blocks of the framework:
• Data privacy policies
• Data privacy roles & responsibilities
• Data privacy training & awareness
• External criteria tracking
• Inventory of personal data & data transfers
• Respect of the data subjects' rights
• Data breach management
• Protection of personal data
• Monitoring of new operational practices
• Data privacy notices
• Contractual clauses
• Data privacy risk assessments
• Data privacy by design and by default
• Data privacy audits
FINMA controls
The nine principles on handling electronic client data (Annex 3 of FINMA Circular 2008/21, cited above):
#1 Governance
#2 Client identifying data (CID)
#3 Location of and access to data
#4 Security standards for IT & technology
#5 Selection, monitoring and training of employees with access to CID
#6 Identifying and controlling risks related to the confidentiality of CID
#7 Confidentiality of CID: risk mitigation
#8 Incidents related to the confidentiality of CID: internal / external communication
#9 Outsourcing providers and large projects in regard to CID
Client Identifying Data (CID)
CID is split into direct CID and indirect CID (data that identifies a client only in combination with other information).
SharePoint compliant platform with SIQ
Components shown in the architecture figure:
• SharePoint farm and SharePoint users, with SSO / access management (Exchange, Active Directory) and SailPoint IdentityIQ (IIQ) for identity governance
• SailPoint SecurityIQ (SIQ) agent on SharePoint, collecting permissions, data classification and activity monitoring through the SailPoint IQ Service
• SecurityIQ back end: event handler, indexing services / indexing server, SQL SecurityIQ cluster, SailPoint REST API, business interface, reporting and audit, general UI
• Roles: client, admin, SIQ admin, supervisor, auditor, user
How to manage CID in SharePoint and stay compliant
Mapping of the FINMA controls to the platform:
• #2 Client identifying data (CID): CID discovery and tagging
• #3 Location of and access to data: who accesses what?
• #6 Identifying and controlling risks related to the confidentiality of CID: need-to-know principle
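The "CID discovery and tagging" step above needs a classifier that finds client identifying data in content and validates it before a label is applied. This Python example is added here and is not the deck's or SailPoint's code: it looks for Swiss AHV numbers, IBANs and e-mail addresses, verifies the AHV and IBAN checksums so that look-alike numbers are not tagged, and returns the label to set on the document. The label names (CID, INTERNAL) and the sample document are constructed; the AHV number is the widely used sample number and the IBAN a published example, both of which pass their checksums.

```python
"""Discover client identifying data (CID) in a document and tag it, the way a classification
agent on SharePoint would before need-to-know rules are applied.

Added example, not the deck's or SailPoint's code. The document below is constructed.
"""
import re

# Swiss AHV/AVS social insurance number 756.XXXX.XXXX.XX (13 digits, EAN-13 check digit).
AHV_RE = re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b")
# IBAN: country code, two check digits, then groups of four (spaces optional), up to 34 chars.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def ahv_valid(number: str) -> bool:
    """EAN-13 checksum: weights 1,3,1,3,... over the first 12 digits."""
    digits = number.replace(".", "")
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def iban_valid(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map letters to 10..35,
    and the resulting number must leave remainder 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum() or not s[:2].isalpha():
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def classify(text: str) -> dict:
    """Return the validated CID hits and the label to tag the document with.
    The checksums matter: a number that merely looks like an AHV or IBAN is not flagged,
    which keeps false positives (and over-classification of documents) down."""
    hits = []
    hits += [("ahv_number", m.group()) for m in AHV_RE.finditer(text) if ahv_valid(m.group())]
    hits += [("iban", m.group()) for m in IBAN_RE.finditer(text) if iban_valid(m.group())]
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    return {"label": "CID" if hits else "INTERNAL", "hits": hits}


# Constructed sample document; the second AHV and the second IBAN fail their checksums.
SAMPLE_DOC = """Meeting note (constructed sample, not real client data)
Client: Boris Gunterberg, boris.gunterberg@example.ch
AHV: 756.9217.0769.85   (look-alike for comparison: 756.9217.0769.84)
Account: CH93 0076 2011 6238 5295 7
Reference: CH00 0000 0000 0000 0000 0 (fails the mod-97 check)
"""

if __name__ == "__main__":
    result = classify(SAMPLE_DOC)
    print("tag document with:", result["label"])
    for kind, value in result["hits"]:
        print(f"  {kind}: {value}")
```

The output of `classify` is what a tagging job writes into the document metadata (a SharePoint column, a sensitivity label); the access rules then key off that label rather than off the raw content.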
What is a CASB?
The four CASB pillars:
• Visibility: who is using which app, and which data is stored where
• Data loss prevention: handle information according to its sensitivity (encryption, tokenization)
• Threat protection: detect malware stored in the cloud and suspicious behaviour
• Compliance: ensure compliance with specific industry regulations
How a CASB can help with GDPR/FINMA compliance
What a CASB brings:
• Identifying personal data
• Controlling the flow of personal data
• Maintaining data residency and sovereignty
• Monitoring risky activity
• Identifying shadow IT
Mapping to the FINMA controls:
• #4 Security standards for IT & technology: two-factor authentication + encryption
• #7 Confidentiality of CID, risk mitigation: encryption + tokenization
• #8 Incidents related to the confidentiality of CID, internal / external communication: shadow IT + policy violation detection
Example : Protect patient data in CRM Online
1 – A physician saves a new contact.
2 – The CASB intercepts the request and encrypts the sensitive fields before they leave the enterprise network.
2a – The encryption key stays under your sole control, in a Hardware Security Module managed in Switzerland.
3 – The contact is stored encrypted in CRM Online, but the user still sees it in clear.
(Figure: the same contact record, shown in clear on the healthcare side and as ciphertext on the cloud provider side.)
Protecting Healthcare IT systems with ELCARD / CloudTrust
Components shown in the figure: a perimeter web application firewall; the ELCARD / CloudTRUST appliance proxying the requests; SAML / RADIUS and SAML 2 SSO / trust towards the applications; LDAP / DB / Active Directory as the user store.
Addresses FINMA control #4 Security standards for IT & technology: two-factor authentication + encryption
360° Data Security Approach
The five steps: Identify, Segregate, Authorize, Protect, Audit.
― Identify sensitive, valuable or regulated data (CID). Provide a means to authenticate users based on claims.
― Segregate data to avoid spills
― Authorize access based on data classification and on user or device claims
― Protect critical data automatically with rights management and a powerful access control model (like ABAC)
― Audit data activity for full visibility
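The Authorize and Protect steps above ask for decisions driven by the data classification together with user and device claims, with ABAC as the model. The following Python policy engine is an added example and not the deck's or any product's code: the labels, the roles, the need-to-know rule and the break-glass rule for the healthcare "need to work" principle mentioned earlier are assumptions made to illustrate how such a policy reads.

```python
"""Attribute-based access control (ABAC) over classified data.

Added example illustrating the 360° approach; it is not the deck's or any product's policy
engine. Classification labels, roles and the sample records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # PUBLIC, INTERNAL, CID (client identifying data) or PHI (health data)
    owning_unit: str      # the unit with a need-to-know, e.g. a ward or a business line


@dataclass(frozen=True)
class Claims:
    """What the identity provider asserts about the caller and the device."""
    subject: str
    role: str
    unit: str
    mfa: bool = False
    device_compliant: bool = False
    break_glass: bool = False   # the user explicitly invoked emergency access


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit: bool = False         # True: write an audit event and alert the reviewers


# Which roles have a business reason to handle regulated data of each class.
NEED_TO_KNOW_ROLES = {
    "PHI": {"physician", "nurse"},
    "CID": {"relationship_manager", "compliance"},
}


def authorize(claims: Claims, resource: Resource, action: str) -> Decision:
    """Evaluate the rules in order; the first matching rule decides."""
    if resource.classification == "PUBLIC":
        return Decision(True, "public data")
    if not claims.mfa:
        return Decision(False, "MFA is required for anything that is not public")
    if resource.classification == "INTERNAL":
        return Decision(True, "internal data, MFA satisfied")
    # Regulated data (CID or PHI) from here on: compliant device, then need-to-know.
    if not claims.device_compliant:
        return Decision(False, f"{resource.classification} needs a compliant device")
    roles = NEED_TO_KNOW_ROLES.get(resource.classification, set())
    if claims.role in roles and claims.unit == resource.owning_unit:
        # Exports of regulated data are allowed only to entitled users and always audited.
        return Decision(True, "need-to-know: role and unit match", audit=(action == "export"))
    if (claims.break_glass and resource.classification == "PHI"
            and claims.role in roles and action == "read"):
        # The "need to work" principle: an entitled clinician from another unit may read in
        # an emergency, but every such access is flagged for review.
        return Decision(True, "break-glass emergency access", audit=True)
    return Decision(False, "no need-to-know for this record")


if __name__ == "__main__":
    record = Resource("ehr/patient-4711", "PHI", "cardiology")
    callers = [
        Claims("dr.muller", "physician", "cardiology", mfa=True, device_compliant=True),
        Claims("dr.muller", "physician", "cardiology", mfa=False, device_compliant=True),
        Claims("dr.rossi", "physician", "emergency", mfa=True, device_compliant=True),
        Claims("dr.rossi", "physician", "emergency", mfa=True, device_compliant=True, break_glass=True),
        Claims("analyst", "analyst", "cardiology", mfa=True, device_compliant=True),
    ]
    for who in callers:
        d = authorize(who, record, "read")
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{who.subject:10} read {record.name}: {verdict} ({d.reason}){' [AUDIT]' if d.audit else ''}")
```

The point of the ordering is that the cheap, universal conditions (MFA, device posture) are checked before the data-specific ones, and that the emergency path is never silent: it is allowed, but it produces the audit event the Audit step feeds on.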
Discover your sensitive Data
Data classification
Onion approach for data security
Layers around the sensitive data core, from the inside out:
• Discover data: discover / classify your sensitive data
• Track data usage: track export / movement of sensitive data
• Detect data breach: detect a data breach, or an accidental breach / misuse
• Protect data: block data access / encrypt / mask data
Data lifecycle and cloud challenge
• Generation: can the data be trusted?
• Collection: which data?
• Storage: where?
• Usage: who uses it?
• Sharing: is it allowed?
• Archive: for how long?
• Removal: is it definitive?
Where is my data?
Always Protected
Source: Microsoft
Data at rest:
• Database encryption
• Credential encryption
• HSM key vaulting
• Anonymization / tokenization / obfuscation
• Network / server control
• Physical media control
• Archive / destruction
Data in use:
• Privileged access management
• Privileged account monitoring
• Workstation hardening
• Application access control
• Data classification / labelling / tagging
• Removal / media control
• Export control
Data in motion:
• Perimeter security – WAF
• Network traffic monitoring / blocking L3–L7
• Web application firewall – L7
• Data collection and classification
• Remote access
Classification with SailPoint SecurityIQ
Example with Azure SQL Data classification
Protect your sensitive Data
Securing data is challenging
The figure maps three layers: Layer 1: The Back Office, Layer 2: The Front Office, Layer 3: External Extended Enterprise.
Systems and data stores shown: Databases, CRM, Billing, Business Systems, Trading, Mortgage, Warehouse, Treasury, Applications, Backup, DR & Test, SAN/Shares, Log Files, Reports and Extracts, HR/Employee data, Office Data, Files, Email, Portals, FTP
Endpoints and people: Desktops, Laptops, PDA's, Mobile Media, Teleworkers, On site Contractors, On site Auditors, Customers
Third parties: Business Partners, Outsourcers, Data Processors, Independent Agents, 3rd Party Analytics, 3rd Party Services, Outsourced Backup
Tokenization
  Original data    Token             Token management
  Mr               Xe                ID | IV | Timestamp | Index etc.
  John Doe         JPOwui Oisiypz    ID | IV | Timestamp | Index etc.
  01/02/78         24/02/99          ID | IV | Timestamp | Index etc.
The personally identifiable information "Mr John Doe, 01/02/78" becomes "Xe JPOwui Oisiypz, 24/02/99".
• Tokenization replaces live data after capture, after a database lookup
• Encryption is still needed for the initial data capture and for the live data in the vault
• Encryption and tokenization can be used together
• The performance of the token lookup needs to be considered
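Both the CRM Online example earlier (sensitive fields replaced before the record leaves the enterprise, the user still seeing them in clear) and the tokenization slide above rely on a vault that maps surrogate values back to the originals. This Python token vault is an added example, not the deck's or a CASB vendor's code: it issues shape-preserving random tokens per field, reuses the same token for the same value so that joins keep working, and keeps O(1) lookups in both directions, which is the performance point on the slide. The field names and the record are constructed, and the vault is an in-memory dictionary; in a real deployment its content is encrypted at rest with a key held in the HSM, which is exactly why the slide says encryption is still needed.

```python
"""Tokenization vault: surrogate values replace PII before a record leaves the enterprise,
and only the vault, which stays under your control, can map them back.

Added example, not the deck's or any CASB vendor's code. Field names and the sample record
are constructed. The vault is an in-memory dict here; a real one is encrypted at rest.
"""
import secrets
import string
import time
from dataclasses import dataclass


@dataclass
class VaultEntry:
    value: str      # the original data (encrypted at rest in a real vault)
    field: str      # which field the token stands for
    created: float  # timestamp, for rotation and retention


class TokenVault:
    def __init__(self, sensitive_fields):
        self.sensitive_fields = set(sensitive_fields)
        self._by_token = {}   # token -> VaultEntry, O(1) detokenize
        self._by_value = {}   # (field, value) -> token, O(1) reuse of an issued token

    @staticmethod
    def _shaped_token(value: str) -> str:
        """Random surrogate with the same shape as the input (digits stay digits, letter case
        is kept, punctuation is kept) so downstream format checks still pass. Nothing else
        about the input survives; "24/02/99" for "01/02/78" is pure chance."""
        if not any(ch.isalnum() for ch in value):
            return secrets.token_urlsafe(12)   # nothing to preserve
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key in self._by_value:              # same value -> same token, joins keep working
            return self._by_value[key]
        for _ in range(100):
            token = self._shaped_token(value)
            if token != value and token not in self._by_token:
                break
        else:
            # Very short values exhaust their shape space; give up format preservation.
            token = secrets.token_urlsafe(12)
        self._by_token[token] = VaultEntry(value, field, time.time())
        self._by_value[key] = token
        return token

    def detokenize(self, token: str):
        entry = self._by_token.get(token)
        return None if entry is None else entry.value

    def protect(self, record: dict) -> dict:
        """Outbound: what the cloud provider gets to see. Values are strings."""
        return {k: self.tokenize(k, v) if k in self.sensitive_fields else v
                for k, v in record.items()}

    def reveal(self, record: dict) -> dict:
        """Inbound, for an authorized user: the record as the physician saved it."""
        return {k: self.detokenize(v) if k in self.sensitive_fields else v
                for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault(["title", "name", "dob"])
    contact = {"title": "Mr", "name": "John Doe", "dob": "01/02/78", "country": "Switzerland"}
    outbound = vault.protect(contact)
    print("stored in the cloud:", outbound)
    print("shown to the user:  ", vault.reveal(outbound))
```

Deterministic tokens (same value, same token) are what make the cloud side searchable and joinable, but for low-cardinality fields such as a title they leak frequencies, so in practice those fields get per-record tokens or are not tokenized at all.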
Audit access to your sensitive Data
All consolidated logs
Source: Microsoft
Detect security breaches by identifying abnormal user behaviour and usage patterns.
Collect near-real-time user and device information and apply geo-patterns to it.
Present a dashboard with risk scores and policy-violation alerts to enable pattern detection.
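The consolidated-log slide above mentions geo-patterns over near-real-time user and device information. The example below is added here and is not the deck's or Microsoft's code: it implements impossible-travel detection, comparing each user's consecutive sign-ins and alerting when the implied speed cannot be a real journey. The events, the IP addresses (documentation ranges) and the thresholds (900 km/h, 100 km) are constructed assumptions.

```python
"""Geo-pattern detection over consolidated sign-in logs: flag a user whose consecutive
logins imply a travel speed no aircraft reaches ("impossible travel").

Added example, not code from the deck or from Microsoft. The events below are constructed
(documentation IP ranges, approximate city coordinates) and are not real log data.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# (timestamp UTC, user, source IP, latitude, longitude, city resolved from the IP)
SAMPLE_EVENTS = [
    ("2018-02-06T08:02:11Z", "b.gunterberg", "203.0.113.10", 46.2044, 6.1432, "Geneva"),
    ("2018-02-06T08:40:53Z", "b.gunterberg", "203.0.113.10", 46.2044, 6.1432, "Geneva"),
    ("2018-02-06T09:15:27Z", "b.gunterberg", "198.51.100.77", 39.9042, 116.4074, "Beijing"),
    ("2018-02-06T07:55:00Z", "d.muller", "203.0.113.22", 47.3769, 8.5417, "Zurich"),
    ("2018-02-06T19:20:00Z", "d.muller", "192.0.2.9", 51.5074, -0.1278, "London"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Compare each user's consecutive sign-ins in time order. Alert when the distance is
    meaningful (min_distance_km filters geo-IP jitter inside one city) and the implied
    speed exceeds what a commercial flight can do."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon, city in events:
        by_user[user].append((parse_ts(ts), ip, lat, lon, city))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, ip1, la1, lo1, c1), (t2, ip2, la2, lo2, c2) in zip(rows, rows[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf   # same second, different place
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": c1, "to": c2, "from_ip": ip1, "to_ip": ip2,
                               "km": round(dist), "minutes": round(hours * 60),
                               "speed_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: {a['from']} ({a['from_ip']}) -> {a['to']} ({a['to_ip']}), "
              f"{a['km']} km in {a['minutes']} min = {a['speed_kmh']} km/h")
```

In the sample, the Zurich-to-London pair is hours apart and stays silent, while the Geneva-to-Beijing pair 35 minutes apart fires; such an alert is a credential-theft indicator, and the source IP pair is what the responder pivots on next. VPN egress points are the usual false positive, so in production the IP-to-location step should know the corporate VPN ranges.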
Don't ask your CISO to protect against a data breach; rather ask him to be prepared to react to one.
More Related Content

PDF
Secure custody of digital assets - IDC Security conference
PDF
SPUnite17 Microsoft Cloud Deutschland
PDF
Peter Kornelisse, Infosecurity.nl, 4 november, Jaarbeurs Utrecht
PPTX
David Burg, Infosecurity.nl, 3 november, Jaarbeurs Utrecht
PDF
MMV Webinar 2. GDPR Insights. January 2018
PPTX
Cross domain autonomous cooperation cross-domain autonomous cooperation
PDF
BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC
PDF
Block chain health record
Secure custody of digital assets - IDC Security conference
SPUnite17 Microsoft Cloud Deutschland
Peter Kornelisse, Infosecurity.nl, 4 november, Jaarbeurs Utrecht
David Burg, Infosecurity.nl, 3 november, Jaarbeurs Utrecht
MMV Webinar 2. GDPR Insights. January 2018
Cross domain autonomous cooperation cross-domain autonomous cooperation
BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC
Block chain health record

What's hot (20)

PPTX
Cisco on Distributed Ledgers & Blockchain
PPTX
IEEE Standards Impact in IoT and 5G, Day 1, Session 1 - Introduction & Overview
PDF
Block Chain Record Management
PDF
Protective Monitoring
PDF
Future Blockchain Applications and Solutions
PPTX
Globally Scalable Mobile Digital ID using IEEE P1451.99
PDF
Barcelona presentationv6
PPTX
Privacy for IoT with XMPP
PDF
Digital Asset Management Ltd - Madrid Presentation - Club Financiero
PPTX
GDPR Part 1: Quick Facts
PDF
Worry free security breach - Gemalto
PPTX
The future of data security and blockchain
PDF
Supply Chain Management on the blockchain with Iot, Azure, BigchainDB, VueJS
PDF
CSPA Keynote: BLOCKCHAIN for Enterprise
PDF
IBM - Blockchain Explained - Introduction for Business
PDF
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
PDF
HDI - Blockchain White Paper
PPTX
Cannabis Technology
PPTX
Xanadu Based Blockchain Integration System Development
PDF
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
Cisco on Distributed Ledgers & Blockchain
IEEE Standards Impact in IoT and 5G, Day 1, Session 1 - Introduction & Overview
Block Chain Record Management
Protective Monitoring
Future Blockchain Applications and Solutions
Globally Scalable Mobile Digital ID using IEEE P1451.99
Barcelona presentationv6
Privacy for IoT with XMPP
Digital Asset Management Ltd - Madrid Presentation - Club Financiero
GDPR Part 1: Quick Facts
Worry free security breach - Gemalto
The future of data security and blockchain
Supply Chain Management on the blockchain with Iot, Azure, BigchainDB, VueJS
CSPA Keynote: BLOCKCHAIN for Enterprise
IBM - Blockchain Explained - Introduction for Business
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
HDI - Blockchain White Paper
Cannabis Technology
Xanadu Based Blockchain Integration System Development
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
Ad

Similar to Keep your data safe and be compliant via a 360° approach (20)

PDF
CWIN17 New-York / earning the currency of trust
PPTX
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
PPTX
WSDFSDFDFSDFSDFSDFDSFSDGGGGSGASGDDGGDGDSGSG
PPTX
Gdpr action plan - ISSA
PPTX
The GDPR and its requirements for implementing data protection impact assessm...
PPTX
BigID GDPR Compliance Automation Webinar Slides
PDF
Big Data LDN 2017: Applied AI for GDPR
PPTX
PAP_Clico_160617_security operation center
PDF
Secupi - Veri Maskeleme - Anonimleştirme ve Mantıksal Silme Çözümü
PDF
Data- and database security & GDPR: end-to-end offer
PDF
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
PDF
eu-market-access-gdpr-fundamentals-by-risk-associates
PPTX
GDPR: the IBM journey to compliance
PDF
Good Practices and Recommendations on the Security and Resilience of Big Data...
PPTX
Security best ways to protect your intellectual capital
PDF
Appointing a Data Protection Officer under the GDPR
PPTX
EMS GDPR Generic_Overview Deck_June 2017.pptx
PDF
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
PPTX
GDPR How to get started?
PDF
SFScon19 - Giuliana Viviano - Big Data e Data Analytics
CWIN17 New-York / earning the currency of trust
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
WSDFSDFDFSDFSDFSDFDSFSDGGGGSGASGDDGGDGDSGSG
Gdpr action plan - ISSA
The GDPR and its requirements for implementing data protection impact assessm...
BigID GDPR Compliance Automation Webinar Slides
Big Data LDN 2017: Applied AI for GDPR
PAP_Clico_160617_security operation center
Secupi - Veri Maskeleme - Anonimleştirme ve Mantıksal Silme Çözümü
Data- and database security & GDPR: end-to-end offer
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
eu-market-access-gdpr-fundamentals-by-risk-associates
GDPR: the IBM journey to compliance
Good Practices and Recommendations on the Security and Resilience of Big Data...
Security best ways to protect your intellectual capital
Appointing a Data Protection Officer under the GDPR
EMS GDPR Generic_Overview Deck_June 2017.pptx
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
GDPR How to get started?
SFScon19 - Giuliana Viviano - Big Data e Data Analytics
Ad

Recently uploaded (20)

PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PPTX
A Presentation on Artificial Intelligence
PDF
cuic standard and advanced reporting.pdf
PPTX
Cloud computing and distributed systems.
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Empathic Computing: Creating Shared Understanding
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Approach and Philosophy of On baking technology
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
A Presentation on Artificial Intelligence
cuic standard and advanced reporting.pdf
Cloud computing and distributed systems.
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Empathic Computing: Creating Shared Understanding
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Diabetes mellitus diagnosis method based random forest with bat algorithm
Review of recent advances in non-invasive hemoglobin estimation
“AI and Expert System Decision Support & Business Intelligence Systems”
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
20250228 LYD VKU AI Blended-Learning.pptx
Spectral efficient network and resource selection model in 5G networks
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Approach and Philosophy of On baking technology
NewMind AI Monthly Chronicles - July 2025
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Building Integrated photovoltaic BIPV_UPV.pdf
The Rise and Fall of 3GPP – Time for a Sabbatical?
Per capita expenditure prediction using model stacking based on satellite ima...

Keep your data safe and be compliant via a 360° approach

  • 1. Client name ELCA for Date Data Governance Event – 6th February 2018 – Geneva - Warwick Hôtel Keep your data safe and be compliant via a 360° approach Nagib Aouini – Head of Cyber Security / Blockchain
  • 2. Agenda ― Why data breaches will continue to occur ― What is Data Governance ― How to comply with regulations with an effective data governance program ― 360° Data Security Approach ― Q&A 5 6 1 2 3 4
  • 4. ©copyright 2017 –Texte Story #1 Bad identity management practices Event Data Governance - Feb 6th - Geneva 4
  • 5. ©copyright 2017 –Texte Event Data Governance - Feb 6th - Geneva 5
  • 6. ©copyright 2017 –Texte Event Data Governance - Feb 6th - Geneva 6 https://baffle.io/the-threat/equifax-breach/ Story #1 Failed to implement a WAF and vulnerability mgt
  • 7. ©copyright 2017 –Texte Event Data Governance - Feb 6th - Geneva 7
  • 8. ©copyright 2017 How those breaches can happen Source http://blog.wallix.com/uber-hack-pam • The data of 57 million users has been stolen from Uber. • Malicious intruders managed to gain access to a GitHub private coding site used by some Uber software engineers, find AWS credentials, and use them to steal private data. Story #2 Failed to implement Two-Factor and Privileged ID Mgt Event Data Governance - Feb 6th - Geneva 8
  • 9. ©copyright 2017 –Texte Event Data Governance - Feb 6th - Geneva 9
  • 10. ©copyright 2017 –Texte Event Data Governance - Feb 6th - Geneva 10 Story #3 Ransomware attack
  • 11. ©copyright 2017 –Texte Threats to Healthcare IT systems Event Data Governance - Feb 6th - Geneva11 – Data stolen from a bank quickly becomes useless once the breach is discovered and passcodes are changed – Data from the healthcare industry, which includes both personal identities and medical histories, can live a lifetime – Healthcare IT and apps use are secured only with simple username / password with no password policy enforced – Managing access control and putting strong security controls is challenging in healthcare environment because of “Need to work” principle (emergency access, doctors needs access to HER …) This data can be used to launch Spear phising scams, Identity theft, social engineering frauds ---
  • 12. ©copyright 2017 –Texte Use case study : Protecting a medical information system and electronic health record Event Data Governance - Feb 6th - Geneva Problem: privacy and control of data shall be ensured and data center hosted outside Switzerland is a serious risk for such information, but also unauthorized access (because of leaked credential). ? Challenge: Development of a medical portal accross Switzerland allowing hospitals, doctors and patients to access medical information hosted on a CRM or Web app portal (even fat client via Citrix). This portal contains patient data that is protected by Swiss law 12 Login credentials are lost or stolen, resulting in unauthorized access to patient record. Malicious hackers can target physicians via spear-phishing attack to get credentials.
  • 13. ©copyright 2017 Mentality must evolved Event Data Governance - Feb 6th - Geneva 13
  • 14. 3 What is Data Governance Event Data Governance - Feb 6th - Geneva14
  • 15. ©copyright 2017 –Texte Data Management Program Drivers Event Data Governance - Feb 6th - Geneva 15  Need to share and integrate data with external partners  Alignment with Business Strategy supporting innovation  Allow the business to identify opportunities being more agile  Need to cope with different kinds of business built over time with specific priorities and different subsidiaries  Rather independent departments/subsidiaries with own processes  Part of the tools not shared or used differently  Tools continuously changing  Control the risk  Responsibility of the company towards shareholders, customers an authorities (*)  Information lifecycle must be very well controlled  The company must be able to provide consistent and reliable information *: Example: General Data Protection Regulation (Regulation (EU) 2016/679), FINMA Circular 2008/21 “Operational Risks – Banks“, EU Regulation 73-2010 Aeronautical Data and Information Quality, Solvency II Directive 2009/138/EC ,
  • 16. ©copyright 2017 –Texte Data Governance Event Data Governance - Feb 6th - Geneva 16 Data Governance: decision making and oversight process that prioritizes investments, allocates resources and measures results to insure that data being managed is leveraged to support business needs ■ Goals: 1. Enable an organisation to manage its data as an asset 2. To sponsor, track, and oversee the delivery of data management projects and services 3. Define, approve, communicate and implement principles, policies, procedures, metrics, tools, and responsibilities for data management 4. To manage and resolve data related issues  Data Governance is more than Data Quality, Policies, Standards. It is about aligning Data Management with Corporate Needs and Strategy, to optimize its results and to control risks
  • 17. ©copyright 2017 –Texte DMBOK Data Management Framework Event Data Governance - Feb 6th - Geneva 17 • A framework for understanding comprehensively and see relationships between Data Management components • The 11 functions (knowledge areas) depend on one another and need to be aligned • Ideas and concepts will be applied differently based on organization industry, culture, maturity level, strategy, vision and challenges it is facing
  • 18. 3 How to comply with regulations Event Data Governance - Feb 6th - Geneva18
  • 19. ©copyright 2017 –Texte Applicable regulations : GDPR Event Data Governance - Feb 6th - Geneva 19 Replaces and extends European Directive 95/46/EC from May 25th 2018 Applies to controllers or processors established in the Union Applies to controllers or processors not established in the Union where the processing activities relate to the offering of goods or services to data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • 20. ©copyright 2017 –Texte GDPR roles and entity 20Event Data Governance - Feb 6th - Geneva
  • 21. ©copyright 2017 –Texte Applicable regulations Swiss Federal Data Protection Act Event Data Governance - Feb 6th - Geneva 21 The revised DPA is announced for the end of 2018 Needs to be harmonised with EU standards. The Federal Council has adopted a DPA revision process in Sept. 2017 and released a draft version of the future DPA Apply to controllers and processors established in Switzerland
  • 22. ©copyright 2017 –Texte Data privacy framework by ELCA Event Data Governance - Feb 6th - Geneva 22 Governance Operational processes Legal & compliance Data privacy policies Data privacy roles & responsibilities Data privacy training & awareness External criteria tracking Inventory of personal data & data transfers Respect of the data subjects’ rights Data breach management Protection of Personal data Monitoring of new operational practices Data privacy notices Contractual clausesData Privacy Risk Assessments Data privacy by design and by default Data privacy audits
  • 23. ©copyright 2017 –Texte FINMA controls Event Data Governance - Feb 6th - Geneva 23 #1 Governance #1 Client Identifying data CID #3 Location & Access to Data #4 Security standards for IT & Tech #5 Selection, monitoring and training of employee with access to CID #5 Identifying and controlling risks related to the confidentiality of CID #7 Confidentiality of CID : risk mitigation #8 Incidenty related to the confidentiality of CID, internal /external comm #9 Outsourcing providers and large projects in regard to CID
  • 24. Client Identification Data (CID) Event Data Governance - Feb 6th - Geneva24 Direct CID Indirect CID CID
  • 25. ©copyright 2017 Sharepoint compliant platform with SIQ Sharepoint Farm Sharepoint user SSOAccess management SecurityIQ SailPointIIQ Exchange AD Admin Client Business Interface Report And Audit Indexing Services General UI Supervisor SIQ admin Auditor User SailPointRESTAPI Event Handler SQL SecurityIQ Cluster Indexing Server SecurityIQ Agent : Permission + Data classification + Activity Monitor SailPoint IQ Service SharePoint SailPoint IQ Service SharePoint Event Data Governance - Feb 6th - Geneva 25
  • 26. ©copyright 2017 How manage CID data in a Sharepoint and being compliant #5 Identifying and controlling risks related to the confidentiality of CID #1 Client Identifying data CID Need to know principle CID Discovery and tagging #3 Location & Access to Data Who access what ? Event Data Governance - Feb 6th - Geneva 26
  • 27. ©copyright 2017 –Texte What is a CASB ? Event Data Governance - Feb 6th - Geneva 27 … Visibility who is using which app and which data is stored where Data Loss Prevention handle information according to its specificities (ciphering, tokenization) Threat protection detects malware stored in the cloud and suspect behaviours Compliance ensure compliance with specific industry regulations
  • 28. ©copyright 2017 How CASB could help for GDPR/FINMA compliance Event Data Governance - Feb 6th - Geneva 28 Identifying personal data Controlling the flow of personal data Maintaining data residency and sovereignty Monitor Risky Activity Identify Shadow IT #4 Security standards for IT & Tech Two-factor + Encryption #7 Confidentiality of CID : risk mitigation Encryption + Tokenization #8 Incidenty related to the confidentiality of CID, internal /external comm Shadow IT + Policy violation
  • 29. ©copyright 2017 Example : Protect patient data in CRM Online Event Data Governance - Feb 6th - Geneva 29 1 - Physicians save a new contact 2 – CASB intercept the request and encrypt field before leaving the enteprise network 3 – Contact is encrypted and stored in CRM online. But user can still see it in clear Cloud ProviderHealthcare ZRITOI POIUYRW uiiwoow@Hotmail.com 290900202 290909020 289898992 ZRITOI POIUYRW Home Maker Noiowp Poowioiw OUIOIOp Poisowoow Switzerland BORIS GUNTERBERG BORIS GUNTERBERG DIANE GUNTERBERG KLAUS GUNTERBERG SWITZERLAND “ZRITOI” “POIUYRW” “Female” “Wiioiopp Ppwoioiosyoo” “3” “990909-9090-0020” Hardware Security M odule 2a – Encryption Key stays under your sole control and managed in Switzerland
  • 30. Protecting Healthcare IT systems with ELCARD / CloudTrust (architecture diagram: perimeter Web Application Firewall, ELCARD / CloudTRUST appliance proxying the request, SAML 2 SSO / trust, SAML / RADIUS, LDAP / DB / Active Directory). #4 Security standards for IT & tech: two-factor + encryption.
  • 32. 360° approach: Identify, Segregate, Authorize, Protect, Audit. ―Identify sensitive, valuable or regulated data (CID). Provide a means to authenticate users based on claims. ―Segregate data to avoid spills. ―Authorize access based on data classification and on user or device claims. ―Protect critical data automatically with rights management and a powerful access control model (like ABAC). ―Audit data activity for full visibility.
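The Authorize and Audit steps above, as an added example (not from the slides or from ELCA): a claims-based ABAC decision that combines the data classification with user and device claims, records every decision for audit, and enforces the two-factor and residency requirements the deck lists for CID. Claim names, the classification scale and the sample user are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed classification scale, least to most sensitive; "cid" = Client Identifying Data.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "cid": 3}

@dataclass(frozen=True)
class Claims:
    """Claims asserted about the user and the device by the identity provider (constructed)."""
    subject: str
    roles: FrozenSet[str]
    clearance: str        # highest classification this user may read
    mfa: bool             # second factor presented at login
    device_managed: bool  # device enrolled and hardened by the enterprise
    country: str          # where the session originates

@dataclass(frozen=True)
class Resource:
    classification: str
    residency: str        # country the data must not leave

AUDIT_LOG: List[dict] = []  # every decision is recorded for the "Audit" step

def authorize(claims: Claims, resource: Resource, action: str) -> bool:
    """Attribute-based decision: classification, claims and action are all inputs."""
    reason = "all attribute rules satisfied"
    if CLASSIFICATION_RANK[claims.clearance] < CLASSIFICATION_RANK[resource.classification]:
        reason = "clearance below data classification"
    elif resource.classification == "cid" and not claims.mfa:
        reason = "CID requires two-factor authentication"
    elif resource.classification == "cid" and not claims.device_managed:
        reason = "CID may only be handled from a managed device"
    elif resource.classification == "cid" and claims.country != resource.residency:
        reason = "CID must not be accessed from outside its residency country"
    elif action == "export" and "data_steward" not in claims.roles:
        reason = "export is reserved to data stewards"
    allowed = reason == "all attribute rules satisfied"
    AUDIT_LOG.append({"subject": claims.subject, "action": action,
                      "classification": resource.classification,
                      "allowed": allowed, "reason": reason})
    return allowed

if __name__ == "__main__":
    # Constructed sample: a physician reading CID from a managed device, with MFA, in-country.
    doc = Claims("dr.muster", frozenset({"physician"}), "cid", True, True, "CH")
    patient_record = Resource("cid", "CH")
    print(authorize(doc, patient_record, "read"), AUDIT_LOG[-1]["reason"])
```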
  • 33. Discover your sensitive data
  • 35. Onion approach for data security. Layers: Protect Data (block data access / encrypt / mask data); Detect Data Breach (detect a data breach or accidental breach/misuse); Track Data Usage (track export / movement of sensitive data); Discover Data (discover / classify your sensitive data); Sensitive Data at the core.
  • 36. Data lifecycle and cloud challenge. • Generation: can the data be trusted? • Collection: which data? • Storage: where? • Usage: who uses it? • Sharing: is it allowed? • Archive: for how long? • Removal: definitive?
  • 37. Where is my data? Annotation on the slide: "Not stored here".
  • 38. Always Protected: Data in Use, Data in Motion, Data at Rest (Source: Microsoft). Controls listed: Database Encryption; Credential Encryption; HSM Key Vaulting; Anonymization / Tokenization / Obfuscation; Network / Server control; Physical Media Control; Archive / Destruction; Privileged Access Management; Privileged Account Monitoring; Workstation Hardening; Application Access Control; Data classification / labelling / tagging; Removal / media control; Export control; Perimeter Security (WAF); Network traffic monitoring/blocking L3-L7 (WAF); Web Application Firewall (L7); Data collection and classification; Remote Access.
  • 40. Example with Azure SQL Data Classification.
  • 41. Protect your sensitive data
  • 42. Securing data is challenging (diagram of the extended enterprise). Layer 1: The Back Office. Layer 2: The Front Office. Layer 3: External Extended Enterprise. Elements shown: Business Partners, Outsourcers, PDAs, Mobile Media, Data Processors, Desktops, Laptops, On-site Contractors, Independent Agents, 3rd Party Analytics, Log Files, Teleworkers, HR/Employee, Reports and Extracts, 3rd Party Services, Outsourced Backup, On-site Auditors, FTP, SAN/Shares, Customers, Email, Portals, Files, Office Data, Databases, CRM, Billing, Business Systems, Trading, Mortgage, Warehouse, Treasury, Applications, Backup, DR & Test.
  • 43. Tokenization: the original data (personally identifiable information) is replaced by a token, and the token management store keeps, per token, the ID | IV | Timestamp | Index etc. Examples: "Mr" → "Xe"; "John Doe" → "JPOwui Oisiypz"; "01/02/78" → "24/02/99". • Tokenization replaces live data after capture, after a database lookup. • Encryption is still needed for the initial data capture and for the live data in the "Vault". • Encryption and tokenization can be used together. • The performance of the token lookup needs to be considered.
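The tokenization scheme sketched above, as an added example (not code from the slides or from ELCA): tokens keep the shape of the original value (as "Mr" → "Xe" and the date example do), the vault record carries the ID, IV, timestamp and field index, the original stays encrypted and integrity-protected inside the vault, and a keyed lookup lets a repeated value reuse its token. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real cipher such as AES-GCM; the master key and field names are constructed.

```python
import hashlib, hmac, os, secrets, string, time
from dataclasses import dataclass

def _prf_stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:  # stand-in for AES-GCM
    out = bytearray()
    for off in range(0, len(data), 32):   # HMAC-SHA256 keystream in counter mode
        block = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

@dataclass
class VaultRecord:              # the slide's "ID | IV | Timestamp | Index etc"
    record_id: str
    iv: bytes
    timestamp: float
    index: str                  # field the original value belongs to
    ciphertext: bytes
    tag: bytes                  # integrity tag over iv + ciphertext (encrypt-then-MAC)

class TokenVault:
    def __init__(self, master_key: bytes):
        self.enc_key = hashlib.sha256(b"enc" + master_key).digest()
        self.mac_key = hashlib.sha256(b"mac" + master_key).digest()
        self.records: dict = {}   # token -> VaultRecord
        self.lookup: dict = {}    # HMAC(field, value) -> token, so a repeated value reuses its token
    @staticmethod
    def _shaped_token(value: str) -> str:
        # Random token keeping the original's shape: digits stay digits, case is kept, separators kept.
        pools = [(str.isdigit, string.digits), (str.isupper, string.ascii_uppercase),
                 (str.islower, string.ascii_lowercase)]
        return "".join(next((secrets.choice(p) for t, p in pools if t(c)), c) for c in value)
    def tokenize(self, field: str, value: str) -> str:
        lookup_key = hmac.new(self.mac_key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
        if lookup_key in self.lookup:           # database lookup before issuing a new token
            return self.lookup[lookup_key]
        token = self._shaped_token(value)
        while token in self.records:            # tokens must be unique within the vault
            token = self._shaped_token(value)
        iv = os.urandom(16)
        ct = _prf_stream_xor(self.enc_key, iv, value.encode())
        tag = hmac.new(self.mac_key, iv + ct, hashlib.sha256).digest()
        self.records[token] = VaultRecord(secrets.token_hex(8), iv, time.time(), field, ct, tag)
        self.lookup[lookup_key] = token
        return token
    def detokenize(self, token: str) -> str:
        rec = self.records[token]
        expect = hmac.new(self.mac_key, rec.iv + rec.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, rec.tag):
            raise ValueError("vault record failed integrity check")
        return _prf_stream_xor(self.enc_key, rec.iv, rec.ciphertext).decode()
```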
  • 44. Audit access to your sensitive data
  • 45. All consolidated logs (Source: Microsoft). Detect security breaches by identifying abnormal user behaviour and usage patterns. Collect near-real-time user and device information and apply geo-patterns. Present a dashboard with risks, and alert on policy violations, to enable pattern detection.
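Two of the detections this slide describes, run over consolidated login logs, as an added example (not from the slides or from ELCA): a policy violation (login from a device that is not in the managed inventory) and a geo-pattern (two logins by the same user too far apart to be one person). The log format, the device inventory and the four sample events are constructed.

```python
import math
from datetime import datetime
from typing import Dict, List

# Constructed consolidated login events: time, user, device id, latitude, longitude.
SAMPLE_LOG = """\
2018-02-06T08:00:00Z alice ws-0123 46.2044 6.1432
2018-02-06T08:40:00Z alice unmanaged-77 40.7128 -74.0060
2018-02-06T09:00:00Z bob ws-0456 47.3769 8.5417
2018-02-06T17:00:00Z bob ws-0456 46.9480 7.4474
"""
MANAGED_DEVICES = {"ws-0123", "ws-0456"}   # constructed inventory of enrolled workstations
MAX_PLAUSIBLE_KMH = 900                    # faster than an airliner: two logins cannot be one person

def haversine_km(lat1, lon1, lat2, lon2) -> float:  # great-circle distance in kilometres
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, lat, lon = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "device": device, "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["ts"])   # detections assume chronological order

def detect(events: List[dict]) -> List[dict]:
    """Policy violation (unmanaged device) and geo-pattern (impossible travel) over ordered events."""
    alerts: List[dict] = []
    last_seen: Dict[str, dict] = {}   # most recent login per user
    for e in events:
        if e["device"] not in MANAGED_DEVICES:
            alerts.append({"rule": "unmanaged_device", "user": e["user"], "device": e["device"]})
        prev = last_seen.get(e["user"])
        if prev:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append({"rule": "impossible_travel", "user": e["user"],
                               "km": round(km), "hours": round(hours, 2)})
        last_seen[e["user"]] = e
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```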
  • 46. Don't ask your CISO to protect against a data breach; rather, ask him to prepare to react to a data breach.

Editor's Notes

  • #17: Oversight = supervision / "that data being managed is leveraged to support business needs" = the data is used to support business needs / Enable = to allow
  • #18: Keep track of = to follow