3-2 - Symantec - GDPR - Threat or opportunity · 2018. 11. 29.

General Data Protection Regulation: Threat or Opportunity?

Davor Perat, Senior Technology Consultant

Legal Disclaimer

The materials contained in this presentation are not intended to provide, and do not constitute or comprise, legal advice on any particular matter and are provided for general information purposes only.

You should not act or refrain from acting on the basis of any material contained in this presentation, without seeking appropriate legal or other professional advice.


The Drive for Data Privacy

Lack of Business Ownership

Data Growth

Emerging Technology

Regulations

Lack of Visibility

Evolving Threat landscape

Press Headlines

Reputation

Business Opportunity

Customer Expectations

Drivers Inhibitors

Copyright © 2017 Symantec Corporation


EU General Data Protection Regulation (GDPR)

TODAY: 28 Interpretations of the Data Protection Directive

2018: One Data Protection Regulation, harmonized across all EU member states

Right to be forgotten

Parental Consent

Data Protection Officer

Extra-territoriality of GDPR

Fines and penalties

Joint Liability of Controllers and Processors

Mandatory Breach Notification


Technology Considerations for the GDPR


Know your Personal data

Process Data Lawfully

Embed privacy

Protect Personal Data

PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE


Typical Customer Timeline for the GDPR

25th May 2016: Formal EU Approval of GDPR

25th May 2018: GDPR comes into force across all EU states (including the UK)

Timeline: 2H 2016, 2017, 2018

Awareness Phase: What is it and does it really impact me?
• Thought Leadership
• Awareness
• Education

Discovery & Planning: What do I need to do and when by?
• Risk Assessments / Gap Analysis
• Advisory Services
• Information Governance Plans
• Budgeting / Hiring Key Staff

Implementation: Making Changes to Prepare
• Policy and Organisational Updates
• Addressing Technology Gaps
• Purchasing of Software and Technology

Have concerns about ability to become compliant: 9 in 10
Do not fully understand GDPR: 96%
Consider compliance a top priority in the next two years: 22%

April 2017


Regulatory Awareness


BUSINESSES ARE NOT ONLY UNDERPREPARED FOR THE GDPR – THEY ARE UNDERPREPARING.

Elements respondents believe to be part of the GDPR:

Regulations applying to all EU member states: 57%
Gaining consent for data collection: 53%
Reporting data breaches: 48%
The requirement of a Data Protection Officer (DPO): 43%
Protecting data in an ethical way: 42%
Providing information on retention time for personal data: 42%
Using data in an ethical way: 33%
The right to be forgotten for citizens: 28%
The ability for individuals to easily transfer their data files from one service provider to another: 24%
None of the above: 2%
*Other (please specify): 0%

Have concerns about ability to become compliant: 9 in 10
Do not fully understand GDPR: 96%
Believe their organization is fully prepared for GDPR: 26%
Consider compliance a top priority in the next two years: 22%

STARK LACK OF CONFIDENCE IN MEETING MAY 2018 DEADLINE REVEALED

Confidence of compliance by May 2018:

Yes, we are already compliant: 21%
Yes, we will be fully compliant by May 2018: 48%
Yes, we will be partly compliant by May 2018: 20%
No, not at all compliant: 3%
Don’t know: 7%

Believe it is even possible to become fully compliant with the GDPR: 1 in 5
Said their organisation will not be compliant at all, or only partly compliant, by 2018: 23%
Believe that while some company departments will be able to comply, others will not: 49%

A Consumer Disconnect


ACCORDING TO BUSINESSES, CONSUMERS DON’T CONSIDER DATA SECURITY & PRIVACY A TOP PRIORITY…

Business perception of consumer priorities (Top three priority / Not a top three priority):

Quality of products: 73% / 27%
Good customer service: 60% / 40%
Cost of products: 56% / 44%
Track record of data security: 29% / 71%
Track record of data privacy: 26% / 74%
Organisation's ethical stance: 23% / 77%
The innovativeness of the organisation: 16% / 84%
Whether they have an existing relationship: 13% / 87%

Admit customers ask about data security during transactions: 36%
Do not think an organisation’s privacy track record is a top three consideration for customers: 74%
Do not believe their organisation takes an ethical approach to securing and protecting data: 35%

…YET CONSUMERS RANK IT #1, SHOWING BUSINESSES ARE OUT OF TOUCH

Chart: Symantec State of Privacy: Importance of factors when choosing a company to shop with or use (values: 88%, 86%, 82%, 69%, 56%, 47%)

Of respondents are not confident they completely meet customers’ data security expectations: 55%
Do not believe their organisation takes an ethical approach to securing and protecting data: 45%

Cultural preparedness


BUSINESSES ARE UNDERESTIMATING THE CULTURAL CHANGES THEY NEED TO MAKE AHEAD OF MAY 2018

Companies where all employees can access the following information:

Employee personal information: 4%
Customer information (personal): 9%
Customer information (including payment details): 6%
Company records: 7%
Information on competitors: 11%
Market data: 13%

Say all staff can access customers’ payment details: 6%
Say all employees can access customers’ personal information: 1 in 10
Believe everyone in the organisation has a responsibility to ensure data is protected: 14%

PARTICULARLY GIVEN THE WIDE REACHING ACCESS EMPLOYEES HAVE TO PERSONAL INFORMATION

Respondents that believe managing and using data in an ethical way is a priority for their organisation:

Managing data in an ethical way: Yes, it is a top priority 47%; Yes, it is a priority 42%; No, it is not a priority 12%
Using data in an ethical way: Yes, it is a top priority 39%; Yes, it is a priority 48%; No, it is not a priority 13%

Said they would be increasing security training: 45%
Said managing data ethically is a top priority for their organisation: 47%
Are planning to completely overhaul their approach to security in response to the GDPR: 27%

Technical readiness & The Right to Be Forgotten


BUSINESSES ARE CONCERNED ABOUT THE COMPLEXITY OF PROCESSING DATA CORRECTLY

Believe customers would exercise their right for data to be deleted: 81%
Say deleting customer data will be a challenge: 9 in 10
Have already received requests to be forgotten: 1 in 10
Currently do not have a system in place to forget a customer: 60%

Chart: Challenges organisations face if customers ask to have their data modified or deleted (values: 45%, 42%, 34%, 33%, 32%, 25%, 0%, 7%, 3%)

Privacy & Security


Privacy & Security

Security: The “How” of personal data protection (Tactics)

Privacy: The “What” of personal data protection (Strategy)

“You can have security without privacy but you can’t have privacy without security”

Data Governance Framework to Manage Privacy

Lifecycle stages: Collect, Process, Retain & Secure, Manage

Dimensions: Security, Privacy

• Define and Locate Personal Data
• Secure Technology that Collects Personal Data
• Record Consent from Data Subjects
• Detect and Block Threats to Data in Use
• Privacy Impact Assessments
• Validate Data Processors
• Restrict Processing of Data YOU have to Retain
• Prevent Data Loss, Report Breaches
• Control Access to Data
• Protect Data at Rest
• Secure Transfer and Storage of Collected Data
• Risk Management of Info Lifecycle
• Validate Data Subjects Invoking Rights
• Educate DPOs on Cyber Risk
• Pseudonymisation and obfuscation of personal data
• Minimise, Anonymise, Erase Data

The Regulatory Terms Of Reference

Article 4 paragraph 12: THE BREACH. What can happen to data?

“… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Recital 75: THE IMPACT. What can happen to the data subject?

“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”

GDPR / DPA REQUIREMENT: Prevent, Detect, Log, Report, Remedy

GDPR / DPA EXPECTATION: Anticipate, Avoid, Mitigate, Compensate

Managing Privacy and Security is an Ongoing Process

ISO 27001: Plan, Do, Check, Act

NIST Cyber Framework: Identify, Protect, Detect, Respond, Recover

Privacy Operational Lifecycle: Assess, Protect, Sustain, Respond

PREPARE, PROTECT, DETECT, RESPOND

Privacy, Security

Build Privacy Requirements into Security Transformation: Reducing Risk from Preparation to Response

PREPARE: Understand Personal Data & Risk Posture
• Data Discovery and Privacy Impact Assessments: Data Loss Prevention
• Risk Posture Assessment and Remediation: Control Compliance Suite / Endpoint Management
• Cloud Data Risk Posture Assessment: Elastica

PROTECT: Protect Personal Data From Malicious Attack & Misuse
• Information Protection and Governance: Data Loss Prevention / Encryption / Authentication
• Threat Protection: SEP / DCS / ATP / Email Security / Web Security
• Data Encryption & Tokenization: ProxySG, Cloud Data Protection

DETECT: Provide Rapid Detection, Understand Impact of Breach
• Monitoring, Threat Intelligence and Cyber Expertise: Cyber Security Services
• Advanced Persistent Threat Detection: ATP / Unified Analytics
• Advanced Persistent Threat Detection: SSL Visibility, CAS/MA, Security Analytics

RESPOND: Respond Efficiently & Effectively to be Compliant, Mitigate Risk
• Crisis Management and Incident Response: Cyber Security Services
• Cyber Insurance: Unified Analytics
• Incident Response and Network Forensics: Security Analytics

How Symantec can assist with the GDPR?

• What broad areas do I need to focus on for GDPR?
• How do I manage and report on my information risk management practices?
• What personal data is out there and where is it?
• Who can access personal data and who has accessed it?
• Can we control where data resides?
• Can we control what personal data is accessible and who can access it?
• Can we encrypt / obfuscate personal data?
• Can we detect unauthorised access or breaches of personal data?
• Can we quickly and thoroughly notify in the event of a breach?

CCS

DLP / CASB

VIP

MSS / ATP

Incident Response

Security Analytics

Encryption / CDP

Assessment Services: Delivered by Partners or Symantec Consulting

• CCS GDPR Readiness Assessment: Determine priority areas of focus for your organisation
• DLP Risk Assessment: Discover sensitive personal data risks in your organisation
• Shadow IT Risk Assessment: Discover Cloud Usage risks in your organisation

Security Requirements in the GDPR: Article 5(1)(f), Article 32, Recitals 71, 78, 83

Provision / Requirement

General principle and specific requirements for risk-based, comprehensive information security throughout the organization to protect all personal data at all times and in all locations, both at rest and in transit

What it Means

You need to understand and constantly monitor the IT risk associated with the personal information assets you have and the processing operations you carry out, and you must adapt your IT security posture accordingly in real time.


SYMANTEC INFORMATION PROTECTION

Comprehensive Visibility: Across on-premise, mobile and cloud

Secure Access: The right people get the right apps, with ease

Real-time Protection: Secure information at rest and in motion

Access, Identities, Data

PROTECT, PREPARE

PERSONAL DATA PROTECTION


What data exists where?

Shadow IT for cloud apps

What is my exposure?

BYOD and Mobile growth

Who Has Access?

Careless access to information

Passwords are ineffective

How Is It Being Used?

Where is it?

Lack of context

Rogue access to apps and data

Users uploading to cloud apps

Sharing data that shouldn’t be shared

Stored in unprotected manner

PROTECT

PREPARE


INFORMATION PROTECTION EVERYWHERE

SECURE ACCESS: Have confidence that information is accessed by the right people, with ease

COMPREHENSIVE VISIBILITY: Discover where information is across on-premise, mobile and cloud

REAL-TIME PROTECTION: Protect information in use and in motion with context and content aware policies

On-premise, Cloud, Mobile

PROTECT, PREPARE

Symantec DLP: Helping You Prepare and Protect

Discover: Locate where your sensitive information resides across your cloud, mobile, network, endpoint and storage systems

Monitor: Understand how your sensitive information is being used, including what data is being handled and by whom

Protect: Stop sensitive information from being leaked or stolen by enforcing data loss policies and educating employees

GDPR Templates for European Personal Identifiers

PROTECT, PREPARE

Extending DLP Cloud with CASB

Diagram labels: Unmanaged devices; Extended perimeter; Symantec DLP Management Console; Managed devices with DLP Endpoint Agent; Corporate Datacenter; Symantec Cloud DLP; Symantec CASB; Policies / Incidents

Extend DLP to 60+ Cloud Apps

Apply Fine-Tuned Policies to Cloud

Leverage Workflow Integrations

Gain CASB Functionality
• Shadow IT Analysis
• Granular Visibility and Control
• User Behavior Analytics

PROTECT, PREPARE

Symantec CloudSOC: CASB Audit for Shadow IT: Usage & Risk Visibility

Diagram labels: DLP Enforce, SEPM, ProxySG, Threat Intelligence, Data Sources

PREPARE

Secure Web Gateway: Protecting Personal Data for the Cloud

Proxy All Endpoints
• Terminate and decrypt traffic
• Emulate all device types
• Extract content for inspection
• Integrate authentication

Control Web & Cloud Governance
• Discover & control shadow IT risk
• Block web-borne threats
• Enforce access policy & audit usage of web & cloud

Prevent Threats & Orchestrate Content
• Pre-filter sandbox with advanced content inspection
• Send content to DLP, sandbox, analytics, etc.
• Open integration architecture to quickly add new services

Enhance the User Experience & Performance
• Video Acceleration and Split Tunneling
• Asymmetric Caching of Content
• Optimized Protocol Support

DETECT, PROTECT

Symantec Endpoint Protection: Stop Targeted Attacks and Zero-Day Threats with Layered Protection

Attack stages: INCURSION, INFESTATION and EXFILTRATION, INFECTION

Protection layers:
• ANTIVIRUS
• NETWORK FIREWALL & INTRUSION PREVENTION
• APPLICATION AND DEVICE CONTROL
• BEHAVIOR MONITORING
• MEMORY EXPLOIT MITIGATION
• REPUTATION ANALYSIS
• ADVANCED MACHINE LEARNING
• EMULATOR

What the layers do:
• Pre-execution detection of new and evolving threats
• Patented real-time cloud lookup for scanning of suspicious files
• Blocks malware before it spreads to your machine and controls traffic
• Scans and eradicates malware that arrives on a system
• Determines safety of files and websites using the wisdom of the community
• Monitors and blocks files that exhibit suspicious behaviors
• Blocks zero-day exploits against vulnerabilities in popular software
• Control file, registry, and device access and behavior; whitelisting, blacklisting, etc.
• Virtual machine detects malware hidden using custom packers

DETECT, PROTECT

Lock Down Data Centers with Zero Trust Model

Protected services: Active Directory (LSASS), DNS Service/Bind, RPC/SSHd, SQL Service, Oracle Service, Operating System

App Control: Ensure only approved apps are allowed

No Patching: Secure legacy and critical applications without downtime

Protect Data: Application data is always secure

Compliance: Realtime FIM and security monitoring

PROTECT

Breach Notification Requirements: Articles 33, 34, Recitals 83, 85, 86, 87

Provision / Requirement

Mandatory personal data breach notification except if the data was adequately encrypted

What it Means?

If you suffer a data breach, you must respond to it to understand and minimize the consequences, and you must report it within 72 hours to your competent authority, as well as, if appropriate, to the impacted individuals. However, no notification is required to the individuals where the data was adequately encrypted.


Encrypt Personal Data with Symantec: The Symantec Encryption Portfolio

FILE & FOLDER ENCRYPTION: Protects individual files in transit and at rest from unauthorized parties

EMAIL ENCRYPTION: Protects email in transit and at rest from unauthorized parties

ENDPOINT ENCRYPTION: Renders data at rest on devices inaccessible to unauthorized parties

ENCRYPTION MANAGEMENT SERVER: Manages individual and group keys, creates encryption policies, and reports on encryption status.

Third-party encryption management
• BitLocker (Microsoft)
• FileVault (Apple)
• Opal compliant self-encrypting drives

PROTECT

Symantec Cloud Data Protection: Obfuscate Data with Tokenisation

Diagram labels: User; Symantec Cloud Data Protection Gateway; Cloud Data Protection Token Map Repository; Cloud App; Cloud Application

Example: enterprise defined a policy to protect FIRST NAME and LAST NAME fields in ServiceNow, without impacting the cloud app’s functionality (e.g. search, sort, e-mail)

PROTECT

Symantec Content Analysis and Malware Analysis: Multiple Engines Detect & Prevent Advanced Persistent Threats

Content Analysis (CAS)
• Hash Reputation: Acceptable files passed through based on file reputation, whitelist/blacklist
• Dual AV: Signatures evaluated for known bad
• Predictive File Analysis: Analyzes code for malicious character
• Broker to Sandbox

Diagram labels: Proxy, ICAP, API, .JAR, .EXE

DETECT

Symantec Security Analytics: Can we quickly and thoroughly notify in the event of a breach?

Within 72 hours of detection, the notification must:
a) Describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
c) Describe the consequences of the personal data breach;
d) Describe the measures proposed or taken by the controller to address the personal data breach.

• Security Analytics is able to provide full context of what happened before, during, and after a breach, including:
– How the breach occurred
– What data was compromised
– What measures are needed to resolve it
• Find all indicators of compromise associated with a data breach, including root cause analysis
• Records of what files were lost or compromised make it easy to identify personal data records that were lost

RESPOND

Managing and Demonstrating Compliance

Provision / Requirement

Article 5(2), Article 24, Recitals 74, 77, 78, 82

General principle of accountability of data controllers

What it Means?

Controllers must take every technical and organizational measure appropriate to ensuring and demonstrating compliance.


Article 32(1d)

Customer needs a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.


SYMANTEC CONTROL COMPLIANCE SUITE

ASSETS, CONTROLS, EVIDENCE

PLAN
• Define business risk objectives
• Create policies for multiple mandates
• Map to controls and de-duplicate

ASSESS

REPORT
• Demonstrate compliance to multiple stakeholders
• Correlate risk across business assets
• High level dashboards with drill down

REMEDIATE
• Risk-based prioritization
• Closed loop tracking of deficiencies
• Integration with ticketing systems

Components: Policy Manager, Risk Manager, Standards Manager, Vulnerability Manager, Assessment Manager, Symantec Data Connectors, Extended Data Connectors, CCS Content, CCS Reporting & Analytics, CCS Dynamic Dashboards, Symantec ServiceDesk, 3rd Party Ticketing Integration, Symantec Workflow Integration

Stakeholders: Security / Audit, IT / Operations, Business / Mgmt.

Environment

DETECT, RESPOND, PREPARE

Symantec Endpoint Management

Visibility: Managing and protecting endpoints begins with knowing what devices and software are being used in your environment and who is using them.

Configuration Management: Securely configure and deploy hardware and software, automate processes, reduce costs, manage and track all assets.

Remediation: Securely patch, deploy updates, fix issues, and report on compliance.

PREPARE

Symantec CloudSOC: Understand Cloud Data Risk via “Shadow Data” Risk Assessment

• External and public content exposures, including compliance risks
• Inbound risky content shared with employees (e.g., malware, IP)
• Risky users & user activities

Offer Shadow Data Risk Assessment

PREPARE

Symantec Supports Across Data Privacy and Security

PREPARE, PROTECT, DETECT, RESPOND

Technology Risk Management
• Understand Data Risk
• Understand, Report, and Remediate Compliance
DLP, Data Insight, CASB Audit, CCS, EPM

Personal Data Protection Everywhere
DLP, CASB, Web, CDP, Encryption

Advanced Breach Detection, Remediation, & Notification
ATP, Analytics, Endpoint, Email, Server, Web / CASB, Cyber Security Services

VIP / MPKI

Unparalleled Threat Intelligence
• Endpoint: 175M endpoints protected
• Email: 2Bn emails scanned/day
• Web: 1.2Bn web requests secured/day
• Physical & Virtual Workloads: 64K Datacenters protected
• Cloud Security: 12,000 cloud applications secured

Why Symantec


Data Protection Everywhere

Secure computing environment

Breach detection and response

Unbiased and lower operating costs

Compliance monitoring & reporting

State of the Art Technology


Recommendations

• Use these 4 months wisely; implementation may take longer than you think
• Engage with your Board, report on progress in addressing data privacy through your security program
• Understand and tackle your big data privacy and security risks
• Document what personal data you hold and ensure lawful use
• Identify where technology can help you achieve compliance:
– Prepare: Understand IT (and data) environment and risks
– Protect: Secure Personal Data Everywhere
– Detect: Breach monitoring and detection
– Respond: Incident Response planning

Thank you!

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Davor Perat

+385 91 6366976
