3-2 - Symantec - GDPR - Threat or opportunity · 2018. 11. 29.
General Data Protection Regulation: Threat or Opportunity?
Davor Perat, Senior Technology Consultant
Legal Disclaimer
The materials contained in this presentation are not intended to provide, and do not constitute or comprise, legal advice on any particular matter and are provided for general information purposes only.
You should not act or refrain from acting on the basis of any material contained in this presentation, without seeking appropriate legal or other professional advice.
The Drive for Data Privacy (drivers and inhibitors)
• Lack of Business Ownership
• Data Growth
• Emerging Technology
• Regulations
• Lack of Visibility
• Evolving Threat Landscape
• Press Headlines
• Reputation
• Business Opportunity
• Customer Expectations
Copyright © 2017 Symantec Corporation
EU General Data Protection Regulation (GDPR)
TODAY: 28 interpretations of the Data Protection Directive.
2018: one Data Protection Regulation, harmonized across all EU member states.
• Right to be forgotten
• Parental Consent
• Data Protection Officer
• Extra-territoriality of GDPR
• Fines and penalties
• Joint Liability of Controllers and Processors
• Mandatory Breach Notification
Technology Considerations for the GDPR
Know your Personal data
Process Data Lawfully
Embed privacy
Protect Personal Data
PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE
Typical Customer Timeline for the GDPR (2H 2016, 2017, 2018)
25th May 2016: Formal EU approval of the GDPR
Awareness Phase: What is it and does it really impact me?
• Thought Leadership
• Awareness
• Education
Discovery & Planning: What do I need to do and when by?
• Risk Assessments / Gap Analysis
• Advisory Services
• Information Governance Plans
• Budgeting / Hiring Key Staff
Implementation: Making changes to prepare
• Policy and Organisational Updates
• Addressing Technology Gaps
• Purchasing of Software and Technology
25th May 2018: GDPR comes into force across all EU states (including the UK)
Regulatory Awareness (April 2017)
BUSINESSES ARE NOT ONLY UNDERPREPARED FOR THE GDPR – THEY ARE UNDERPREPARING.
Elements respondents believe to be part of the GDPR:
• Regulations applying to all EU member states: 57%
• Gaining consent for data collection: 53%
• Reporting data breaches: 48%
• The requirement of a Data Protection Officer (DPO): 43%
• Protecting data in an ethical way: 42%
• Providing information on retention time for personal data: 42%
• Using data in an ethical way: 33%
• The right to be forgotten for citizens: 28%
• The ability for individuals to easily transfer their data files from one service provider to another: 24%
• None of the above: 2%
• Other (please specify): 0%
• 9 in 10 have concerns about their ability to become compliant
• 96% do not fully understand the GDPR
• 26% believe their organization is fully prepared for the GDPR
• 22% consider compliance a top priority in the next two years
STARK LACK OF CONFIDENCE IN MEETING MAY 2018 DEADLINE REVEALED
Confidence of compliance by May 2018:
• Yes, we are already compliant: 21%
• Yes, we will be fully compliant by May 2018: 48%
• Yes, we will be partly compliant by May 2018: 20%
• No, not at all compliant: 3%
• Don’t know: 7%
• 1 in 5 believe it is even possible to become fully compliant with the GDPR
• 23% said their organisation will not be compliant at all, or only partly compliant, by 2018
• 49% believe that while some company departments will be able to comply, others will not
A Consumer Disconnect
ACCORDING TO BUSINESSES, CONSUMERS DON’T CONSIDER DATA SECURITY & PRIVACY A TOP PRIORITY…
Business perception of consumer priorities (top three priority / not a top three priority):
• Quality of products: 73% / 27%
• Good customer service: 60% / 40%
• Cost of products: 56% / 44%
• Track record of data security: 29% / 71%
• Track record of data privacy: 26% / 74%
• Organisation's ethical stance: 23% / 77%
• The innovativeness of the organisation: 16% / 84%
• Whether they have an existing relationship: 13% / 87%
• 36% admit customers ask about data security during transactions
• 74% do not think an organisation’s privacy track record is a top three consideration for customers
• 35% do not believe their organisation takes an ethical approach to securing and protecting data
• 55% of respondents are not confident they completely meet customers’ data security expectations
Chart: Symantec State of Privacy: Importance of factors when choosing a company to shop with or use
…YET CONSUMERS RANK IT #1, SHOWING BUSINESSES ARE OUT OF TOUCH
• 45% do not believe their organisation takes an ethical approach to securing and protecting data
Cultural preparedness
BUSINESSES ARE UNDERESTIMATING THE CULTURAL CHANGES THEY NEED TO MAKE AHEAD OF MAY 2018
Companies where all employees can access the following information:
• Employee personal information: 4%
• Customer information (personal): 9%
• Customer information (including payment details): 6%
• Company records: 7%
• Information on competitors: 11%
• Market data: 13%
• 6% say all staff can access customers’ payment details
• 1 in 10 say all employees can access customers’ personal information
• 14% believe everyone in the organisation has a responsibility to ensure data is protected
PARTICULARLY GIVEN THE WIDE-REACHING ACCESS EMPLOYEES HAVE TO PERSONAL INFORMATION
Respondents that believe managing and using data in an ethical way is a priority for their organisation:
• Managing data in an ethical way: top priority 47%, a priority 42%, not a priority 12%
• Using data in an ethical way: top priority 39%, a priority 48%, not a priority 13%
• 45% said they would be increasing security training
• 47% said managing data ethically is a top priority for their organisation
• 27% are planning to completely overhaul their approach to security in response to the GDPR
Technical readiness & The Right to Be Forgotten
BUSINESSES ARE CONCERNED ABOUT THE COMPLEXITY OF PROCESSING DATA CORRECTLY
• 81% believe customers would exercise their right for data to be deleted
• 9 in 10 say deleting customer data will be a challenge
• 1 in 10 have already received requests to be forgotten
• 60% currently do not have a system in place to forget a customer
Chart: Challenges organisations face if customers ask to have their data modified or deleted
Privacy & Security
• Security: the “How” of personal data protection (Tactics)
• Privacy: the “What” of personal data protection (Strategy)
“You can have security without privacy but you can’t have privacy without security”
Data Governance Framework to Manage Privacy
Lifecycle stages: Collect, Process, Retain & Secure, Manage, each with Security and Privacy activities:
• Define and Locate Personal Data
• Secure Technology that Collects Personal Data
• Record Consent from Data Subjects
• Detect and Block Threats to Data in Use
• Privacy Impact Assessments
• Validate Data Processors
• Restrict Processing of Data YOU have to Retain
• Prevent Data Loss, Report Breaches
• Control Access to Data
• Protect Data at Rest
• Secure Transfer and Storage of Collected Data
• Risk Management of Info Lifecycle
• Validate Data Subjects Invoking Rights
• Educate DPOs on Cyber Risk
• Pseudonymisation and Obfuscation of Personal Data
• Minimise, Anonymise, Erase Data
The Regulatory Terms Of Reference
Article 4 paragraph 12: THE BREACH: What can happen to data?
“… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Recital 75: THE IMPACT: What can happen to the data subject?
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
GDPR / DPA REQUIREMENT: Prevent, Detect, Log, Report, Remedy
GDPR / DPA EXPECTATION: Anticipate, Avoid, Mitigate, Compensate
Managing Privacy and Security is an Ongoing Process
• ISO 27001: Plan, Do, Check, Act
• NIST Cyber Framework: Identify, Protect, Detect, Respond, Recover
• Assess, Protect, Sustain, Respond
• Privacy Operational Lifecycle: Prepare, Protect, Detect, Respond (privacy and security at each stage)
Build Privacy Requirements into Security Transformation: Reducing Risk from Preparation to Response
PREPARE: Understand Personal Data & Risk Posture
• Data Discovery and Privacy Impact Assessments: Data Loss Prevention
• Risk Posture Assessment and Remediation: Control Compliance Suite / Endpoint Management
• Cloud Data Risk Posture Assessment: Elastica
PROTECT: Protect Personal Data From Malicious Attack & Misuse
• Information Protection and Governance: Data Loss Prevention / Encryption / Authentication
• Threat Protection: SEP / DCS / ATP / Email Security / Web Security
• Data Encryption & Tokenization: ProxySG, Cloud Data Protection
DETECT: Provide Rapid Detection, Understand Impact of Breach
• Monitoring, Threat Intelligence and Cyber Expertise: Cyber Security Services
• Advanced Persistent Threat Detection: ATP / Unified Analytics
• Advanced Persistent Threat Detection: SSL Visibility, CAS/MA, Security Analytics
RESPOND: Respond Efficiently & Effectively to be Compliant, Mitigate Risk
• Crisis Management and Incident Response: Cyber Security Services
• Cyber Insurance: Unified Analytics
• Incident Response and Network Forensics: Security Analytics
How Symantec can assist with the GDPR?
• What broad areas do I need to focus on for GDPR?
• How do I manage and report on my information risk management practices?
• What personal data is out there and where is it?
• Who can access personal data and who has accessed it?
• Can we control where data resides?
• Can we control what personal data is accessible and who can access it?
• Can we encrypt / obfuscate personal data?
• Can we detect unauthorised access or breaches of personal data?
• Can we quickly and thoroughly notify in the event of a breach?
Symantec products: CCS; DLP / CASB; VIP; MSS / ATP / Incident Response / Security Analytics; Encryption / CDP
Assessment Services (delivered by Partners or Symantec Consulting):
• CCS GDPR Readiness Assessment: determine priority areas of focus for your organisation
• DLP Risk Assessment: discover sensitive personal data risks in your organisation
• Shadow IT Risk Assessment: discover cloud usage risks in your organisation
Security Requirements in the GDPR: Article 5(1)(f), Article 32, Recitals 71, 78, 83
Provision / Requirement: General principle and specific requirements for risk-based, comprehensive information security throughout the organization to protect all personal data at all times and in all locations, both at rest and in transit.
What it Means: You need to understand and constantly monitor the IT risk associated with the personal information assets you have and the processing operations you carry out, and you must adapt your IT security posture accordingly in real time.
SYMANTEC INFORMATION PROTECTION
• Comprehensive Visibility: across on-premise, mobile and cloud
• Secure Access: the right people get the right apps, with ease
• Real-time Protection: secure information at rest and in motion
Covering access, identities and data.
PERSONAL DATA PROTECTION (PREPARE, PROTECT)
• What data exists where?
• What is my exposure?
• Who has access?
• How is it being used? Where is it?
Gaps: shadow IT for cloud apps; BYOD and mobile growth; careless access to information; passwords are ineffective; lack of context; rogue access to apps and data; users uploading to cloud apps; sharing data that shouldn’t be shared; data stored in an unprotected manner.
INFORMATION PROTECTION EVERYWHERE (PREPARE, PROTECT)
• Secure Access: have confidence that information is accessed by the right people, with ease
• Comprehensive Visibility: discover where information is across on-premise, mobile and cloud
• Real-time Protection: protect information in use and in motion with context and content aware policies
Across on-premise, cloud and mobile.
Symantec DLP: Helping You Prepare and Protect
• Discover: locate where your sensitive information resides across your cloud, mobile, network, endpoint and storage systems
• Monitor: understand how your sensitive information is being used, including what data is being handled and by whom
• Protect: stop sensitive information from being leaked or stolen by enforcing data loss policies and educating employees
GDPR Templates for European Personal Identifiers (PREPARE, PROTECT)
Architecture: the Symantec DLP Management Console (policies, incidents) covers managed devices with the DLP Endpoint Agent, unmanaged devices (extended perimeter) and the corporate datacenter.
Extending DLP Cloud with CASB
Apply Fine-Tuned Policies to Cloud; Leverage Workflow Integrations; Gain CASB Functionality
• Shadow IT Analysis
• Granular Visibility and Control
• User Behavior Analytics
• Extend DLP to 60+ Cloud Apps
Policies and incidents are shared between Symantec Cloud DLP and Symantec CASB.
Symantec CloudSOC CASB Audit for Shadow IT: Usage & Risk Visibility (PREPARE, PROTECT)
Data sources: DLP Enforce, SEPM, ProxySG, Threat Intelligence
Secure Web Gateway: Protecting Personal Data for the Cloud (PREPARE)
Proxy All Endpoints
• Terminate and decrypt traffic
• Emulate all device types
• Extract content for inspection
• Integrate authentication
Control Web & Cloud Governance
• Discover & control shadow IT risk
• Block web-borne threats
• Enforce access policy & audit usage of web & cloud
Prevent Threats & Orchestrate Content
• Pre-filter sandbox with advanced content inspection
• Send content to DLP, sandbox, analytics, etc.
• Open integration architecture to quickly add new services
Enhance the User Experience & Performance
• Video Acceleration and Split Tunneling
• Asymmetric Caching of Content
• Optimized Protocol Support
Symantec Endpoint Protection: Stop Targeted Attacks and Zero-Day Threats with Layered Protection (DETECT, PROTECT)
Layers across the attack chain (incursion, infection, infestation and exfiltration):
• Antivirus: scans and eradicates malware that arrives on a system
• Network Firewall & Intrusion Prevention: blocks malware before it spreads to your machine and controls traffic
• Application and Device Control: control file, registry, and device access and behavior; whitelisting, blacklisting, etc.
• Behavior Monitoring: monitors and blocks files that exhibit suspicious behaviors
• Memory Exploit Mitigation: blocks zero-day exploits against vulnerabilities in popular software
• Reputation Analysis: determines the safety of files and websites using the wisdom of the community
• Advanced Machine Learning: pre-execution detection of new and evolving threats
• Emulator: a virtual machine detects malware hidden using custom packers
• Patented real-time cloud lookup for scanning of suspicious files
Lock Down Data Centers with Zero Trust Model
Protected services: Active Directory (LSASS), DNS Service/Bind, RPC/SSHd, SQL Service, Oracle Service, Operating System
• App Control: ensure only approved apps are allowed
• No Patching: secure legacy and critical applications without downtime
• Protect Data: application data is always secure
• Compliance: real-time FIM and security monitoring
Breach Notification Requirements: Articles 33, 34, Recitals 83, 85, 86, 87 (PROTECT)
Provision / Requirement: Mandatory personal data breach notification, except if the data was adequately encrypted.
What it Means: If you suffer a data breach, you must respond to it to understand and minimize the consequences, and you must report it within 72 hours to your competent authority and, if appropriate, also to the impacted individuals. However, no notification to the individuals is required where the data was adequately encrypted.
Encrypt Personal Data with Symantec: The Symantec Encryption Portfolio
• File & Folder Encryption: protects individual files in transit and at rest from unauthorized parties
• Email Encryption: protects email in transit and at rest from unauthorized parties
• Endpoint Encryption: renders data at rest on devices inaccessible to unauthorized parties
• Endpoint Encryption Management Server / Encryption Management Server: manages individual and group keys, creates encryption policies, and reports on encryption status. Third-party encryption management: BitLocker (Microsoft), FileVault (Apple), Opal compliant self-encrypting drives
Symantec Cloud Data Protection: Obfuscate Data with Tokenisation (PROTECT)
Components: User, Symantec Cloud Data Protection Gateway, Cloud Data Protection Token Map Repository, Cloud Application
Example: the enterprise defined a policy to protect the FIRST NAME and LAST NAME fields in ServiceNow, without impacting the cloud app’s functionality (e.g. search, sort, e-mail).
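The gateway-plus-token-map pattern the slide sketches, as an added example written for this page (it is not Symantec Cloud Data Protection code and does not use its API). It assumes a policy keyed by app name with hypothetical field keys `first_name` and `last_name` standing in for the ServiceNow FIRST NAME and LAST NAME fields, a secret key held only by the gateway, and a small constructed user list. Tokens are a keyed hash of field and value, so the same name always maps to the same token and an exact-match search submitted through the gateway still finds the record on the cloud side:

```python
"""Tokenisation gateway sketch: an added example, not Symantec's code.

Assumed model: a gateway sits between the user and the cloud app. Outbound,
it replaces protected fields with tokens; the token -> plaintext map lives in
an on-premise token map repository; inbound, it restores the plaintext.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Hypothetical policy: which fields of which cloud app are protected.
# The field keys are assumed, not ServiceNow's real schema.
POLICY: Dict[str, Set[str]] = {"ServiceNow": {"first_name", "last_name"}}


class TokenMapRepository:
    """On-premise token map (token -> plaintext). The cloud app never sees it."""

    def __init__(self, key: bytes) -> None:
        self._key = key                      # secret that makes tokens non-guessable
        self._map: Dict[str, str] = {}

    def tokenise(self, field: str, value: str) -> str:
        # HMAC over field + value: deterministic, so equality search on the
        # cloud side keeps working; keyed, so someone holding the cloud data
        # cannot recover names by hashing a list of common names.
        msg = f"{field}\x00{value}".encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._map.setdefault(token, value)   # remember the mapping for detokenisation
        return token

    def detokenise(self, token: str) -> Optional[str]:
        return self._map.get(token)


def outbound(repo: TokenMapRepository, app: str, record: Dict[str, str]) -> Dict[str, str]:
    """Request path: replace protected fields before the record leaves the enterprise."""
    protected = POLICY.get(app, set())
    return {k: (repo.tokenise(k, v) if k in protected else v) for k, v in record.items()}


def inbound(repo: TokenMapRepository, app: str, record: Dict[str, str]) -> Dict[str, str]:
    """Response path: restore plaintext; an unknown token is passed through unchanged."""
    protected = POLICY.get(app, set())
    restored: Dict[str, str] = {}
    for k, v in record.items():
        plain = repo.detokenise(v) if k in protected else None
        restored[k] = plain if plain is not None else v
    return restored


def cloud_search(rows: List[Dict[str, str]], field: str, value: str) -> List[Dict[str, str]]:
    """What the cloud app does: exact match on whatever it stores, i.e. on tokens."""
    return [r for r in rows if r.get(field) == value]


def demo():
    """Constructed sample data; returns (what the cloud stores, detokenised search hits)."""
    repo = TokenMapRepository(key=b"constructed-demo-key-not-for-real-use")
    users = [
        {"sys_id": "u1", "first_name": "Ana", "last_name": "Horvat", "dept": "IT"},
        {"sys_id": "u2", "first_name": "Ivan", "last_name": "Kovac", "dept": "HR"},
    ]
    cloud_rows = [outbound(repo, "ServiceNow", u) for u in users]
    # A user searches for last name "Horvat": the gateway tokenises the term,
    # the cloud app matches tokens, and the gateway detokenises the hits.
    hits = cloud_search(cloud_rows, "last_name", repo.tokenise("last_name", "Horvat"))
    return cloud_rows, [inbound(repo, "ServiceNow", h) for h in hits]


if __name__ == "__main__":
    stored, found = demo()
    print("cloud sees:", stored)
    print("gateway returns:", found)
```

Two points the slide's "search, sort" claim hides: sorting on a tokenised column in the cloud app orders by token, not by name, so preserving sort order needs an order-preserving scheme (which leaks ordering information and is deliberately not implemented here); and the token map repository plus its key become the crown jewel, since whoever holds both can reverse every token, so they must stay on premise under the same controls as the plaintext.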
Symantec Content Analysis and Malware Analysis: Multiple Engines Detect & Prevent Advanced Persistent Threats (PROTECT)
Content Analysis (CAS), fed by the proxy over ICAP or API:
• Hash Reputation: acceptable files passed through based on file reputation, whitelist/blacklist
• Dual AV: signatures evaluated for known bad
• Predictive File Analysis: analyzes code for malicious character
• Broker to Sandbox
Symantec Security Analytics: Can we quickly and thoroughly notify in the event of a breach? (DETECT)
Within 72 hours of detection, the notification must:
a) Describe the nature of the personal data breach, including the categories and number of data subjects concerned and the categories and number of data records concerned;
b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
c) Describe the consequences of the personal data breach;
d) Describe the measures proposed or taken by the controller to address the personal data breach.
• Security Analytics is able to provide full context of what happened before, during, and after a breach, including:
– How the breach occurred
– What data was compromised
– What measures are needed to resolve it
• Find all indicators of compromise associated with a data breach, including root cause analysis
• Records of what files were lost or compromised make it easy to identify the personal data records that were lost
Managing and Demonstrating Compliance (RESPOND)
Provision / Requirement: Article 5(2), Article 24, Recitals 74, 77, 78, 82: general principle of accountability of data controllers.
What it Means: Controllers must take every technical and organizational measure appropriate to ensuring and demonstrating compliance.
Article 32(1d): the customer needs a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
SYMANTEC CONTROL COMPLIANCE SUITE: Assets, Controls, Evidence
PLAN
• Define business risk objectives
• Create policies for multiple mandates
• Map to controls and de-duplicate
REPORT
• Demonstrate compliance to multiple stakeholders
• Correlate risk across business assets
• High level dashboards with drill down
ASSESS
REMEDIATE
• Risk-based prioritization
• Closed loop tracking of deficiencies
• Integration with ticketing systems
CCS components: Vulnerability Manager, Assessment Manager, Standards Manager, Policy Manager, Risk Manager, Symantec Data Connectors, Extended Data Connectors, CCS Content, CCS Reporting & Analytics, CCS Dynamic Dashboards, Symantec ServiceDesk, 3rd Party Ticketing Integration, Symantec Workflow Integration
Stakeholders: Security / Audit, IT / Operations, Business / Mgmt.
Symantec Endpoint Management (DETECT, RESPOND, PREPARE)
• Visibility: managing and protecting endpoints begins with knowing what devices and software are being used in your environment and who is using them.
• Configuration Management: securely configure and deploy hardware and software, automate processes, reduce costs, manage and track all assets.
• Remediation: securely patch, deploy updates, fix issues, and report on compliance.
Symantec CloudSOC: Understand Cloud Data Risk via “Shadow Data” Risk Assessment (PREPARE)
Offer a Shadow Data Risk Assessment covering:
• External and public content exposures, including compliance risks
• Inbound risky content shared with employees (e.g., malware, IP)
• Risky users & user activities
Symantec Supports Across Data Privacy and Security (PREPARE, PROTECT, DETECT, RESPOND)
• Advanced Breach Detection, Remediation, & Notification: ATP, Analytics, Endpoint, Server, Web / CASB, Cyber Security Services
• Personal Data Protection Everywhere: DLP, CASB, Web, CDP, Encryption, VIP / MPKI
• Technology Risk Management: DLP, Data Insight, CASB Audit, CCS, EPM; understand data risk; understand, report, and remediate compliance
Unparalleled Threat Intelligence:
• Endpoint: 175M endpoints protected
• Email: 2Bn emails scanned/day
• Web: 1.2Bn web requests secured/day
• Physical & Virtual Workloads: 64K datacenters protected
• Cloud Security: 12,000 cloud applications secured
Why Symantec
• Data Protection Everywhere
• Secure computing environment
• Breach detection and response
• Unbiased and lower operating costs
• Compliance monitoring & reporting
• State of the Art Technology
Recommendations
• Use these 4 months wisely; implementation may take longer than you think
• Engage with your Board, report on progress in addressing data privacy through your security program
• Understand and tackle your big data privacy and security risks
• Document what personal data you hold and ensure lawful use
• Identify where technology can help you achieve compliance:
– Prepare: understand the IT (and data) environment and risks
– Protect: secure personal data everywhere
– Detect: breach monitoring and detection
– Respond: incident response planning
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Davor [email protected], +385 91 6366976