Event briefing and GDPR alignment with Cyber Security
Panel discussion overview
Chair: Jacky Fox (Deloitte – Cyber Security Lead)
Presenters: Shane McEntagart (Deloitte), Liam O’Connor (Deloitte), Nicola Flannery (Deloitte – Data Privacy), Mark Oldroyd (SailPoint), David Higgins (CyberArk), Clive Finlay (Symantec)
Cyber Security
GDPR and Privacy Enhancing Technologies
Liam O’Connor (loconnor@Deloitte.ie)
What changes does the GDPR bring?
Facts & figures
72: Hours given to report a data breach
€203m: Cost of a 4% fine for a typical FTSE 100 company
4%: Potential fines as a percentage of global turnover
7: Core individual rights afforded under the GDPR
80+: New requirements in the GDPR
28,000: Estimated number of new Data Protection Officers required in Europe (IAPP study 2016)
190+: Countries potentially in scope of the regulation
What changes does the GDPR bring?
General Data Protection Regulation: changes compared to the 1995 Directive (95/46/EC)
Broader territorial scope: Applies to players not established in the EU but whose activities consist of targeting data subjects in the EU
Enforcement: Data Protection Authorities will be entitled to impose fines ranging between 2% and 4% of annual turnover, or 10 – 20 million euros
Accountability: Explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR
Expanded definitions: Personal data now might include location data, IP addresses, online and technology identifiers
Data subjects’ rights: Reinforced rights: access, rectification, restriction, erasure, portability, objection to processing; no automated processing and profiling
Consent: Spelled out more clearly, with a focus on the ability of individuals to distinguish a consent
Data breach notification: Report a personal data breach to the Data Protection Authority within 72 hours
One-stop shop: The Data Protection Authority (DPA) of the main establishment can act as lead DPA, supervising processing activities throughout the EU
Layer 3, Policy, process & data: Policies & procedures; Data Management; Data Transfers
Layer 5, Privacy operations: Privacy Impact Assessment; Audit and Certification; Privacy by Design; Data Breaches
Risk Based Approach
Security Best Practice
Identify & Protect Crown Jewels
Threat Landscape
Data Protection & Cyber Security Interconnected
Technology As An Enabler
GDPR & Cyber Security Alignment
Governance
Secure
Vigilant
Resilient
Maintaining Compliance After May
GDPR – Privacy Enabling Technologies
Complying with the GDPR requires the management of privacy risks. Implementing industry
leading tools can assist privacy governance, risk, and compliance management.
Key elements to consider: Sample of tool classification types:
71% of staff have access to data they should not see
80% of company data is held in unstructured content
1 in 7 employees will sell their credentials for $150
89% believe they are now at risk from insider threat
Partner
Contractor
Copyright © SailPoint Technologies, Inc. 2016. All rights reserved.
SECURITY PARADIGMS HAVE SHIFTED
FROM NETWORK-CENTRIC…
TO USER-CENTRIC
GDPR Highlights
850+ Customers and Growing Business
40% International
Founded in 2005 by IAM veterans
World’s LARGEST Dedicated Identity & Access Management Vendor
95% Customer Satisfaction
Customers by Vertical
Banking/Financial Services Insurance Health/Pharma Manufacturing Energy/Utilities Other
Sustainable Identity Governance Process
REQUEST: Business Interface
VALIDATION: Behaviour, Policy, Roles and Risk Analysis
FULFILLMENT: Provisioning Management
Identity Lifecycle Management Process
Get Visibility
Authoritative Sources; Applications And Services
Build Current State: Identity Collection; Correlation; Entitlement Cataloguing; Discovery & Classification
Define Desired State: Policy Enforcement; Business Role Modelling; Risk Analysis; Owner Identification
Validate Current State: Analytics; Reporting; Access Certification; Governance Insights
Access
Identity Governance
Flexible Aggregation & Provisioning Broker
Change Fulfillment: Provisioning and Connectors; Manual Provisioning / Service Desk Integration; Security / PUM Integration; Mobile Integration; Specialist Work Integration; GRC Integration; Unstructured Data Management; Data Items Collection
Targets: Mainframe; On Premise; Public Cloud; SaaS; Managed Service
Single Sign-On
User and Group Management and Provisioning Fine-grained & Life Cycle Provisioning
Access Request
Access Certification
Workflow Governance
Change
Notification
HR Application
Modeling Provisioning
(Authoritative Source)
Directory
• Group m, Entitlement x
• Group n, Entitlement y
• …
Provisioning
Access
Authentication
End User
Access Request
Access Certification
Provisioning Workflow
Applications & Systems
Data stored in files
Access Policies
User Risk-based Modeling
Password Management
Data Classification
Activity Monitoring
Permission Analysis
Benefits
• Greater visibility into access risks
• Centralize all access to applications and data
• Reduced complexity by providing a consistent set of controls
External:
• The Privileged Pathway
• Isolating the Attack
Internal:
• The forgotten Data Access Vector
Key GDPR Requirements and Privileged Security
Article 35, Data protection impact assessment: ASSESS RISK and test the effectiveness of data protection processes
CyberArk: Proactive Protection, Detection & Response
Data Breach – Attackers: The Privileged Pathway
The Starting Position
…doesn’t matter how much you train and educate your users…
—MICROSOFT, “MITIGATING PASS-THE-HASH AND OTHER CREDENTIAL THEFT, VERSION 2,” 2014
PAS Hygiene Program Goals
Step 1 Focus first on eliminating irreversible network takeover attacks (e.g., Kerberos Golden Ticket).
Step 7 Secure shared IDs for business users (integrate and accelerate adoption of MFA).
Step 1: Irreversible Network Takeover Attacks
Manage Domain Admin and Enterprise Admin Credentials
Kerberos Attack Detection
Enforce Tiered Account Model
Step 2: Control & Secure Infrastructure and Endpoint Well-known Infrastructure Accounts
Endpoint: Manage Local Administrator Accounts
Infrastructure: Manage Local Administrator Accounts on Windows; Manage Root Accounts on UNIX/Linux; Session Isolation
Domain Controllers: Manage Domain Admin and Enterprise Admin Credentials; Kerberos Attack Detection; Enforce Tiered Account Model; Session Isolation
Step 3: Limit Lateral Movement
Endpoint: Manage Local Administrator Accounts; Application Control; Least Privilege; Block Credential Theft
Infrastructure: Manage Local Administrator Accounts on Windows; Manage Root Accounts on UNIX/Linux; Manage 3rd Party Application Accounts; Session Isolation
Domain Controllers: Manage Domain Admin and Enterprise Admin Credentials; Kerberos Attack Detection; Enforce Tiered Account Model; Session Isolation
Secure the Eco-System
C³ Alliance: IAM; SIEM; Malware Analytics; Monitoring & Threat Response; IT Service Management (ITSM); Discover; Authentication; Secure & Manage COTS App Cred.; Validated Secured Solutions; HSM; Directory Services
Internal
Data Access – Infra Admins: The Forgotten Vector
Application User access: Business User reaches the APPLICATION through the Application Environment
Infrastructure Admin Access (IT Admins; DBA Access; 3RD PARTY): FILE SHARES; DATABASE; OPERATING SYSTEM; STORAGE
Session Management for Critical Assets / Accounts
Privileged User; MFA; ITSM; IAM; HSM; SIEM
Native Support for RDP and SSH Based Clients
Identifying Key Risks – Lateral Movement
Identifying Key Risks – Domain Compromise
Get Your Head in the Cloud
A Practical Model for Enterprise Cloud Security
Technology Considerations for the GDPR
Customer Data
Workloads: Client Side Data Encryption & Data Integrity Authentication; Server Side Encryption (File system and/or Data); Network Traffic Protection (Encryption, Integrity, Identity)
Infrastructure
Physical Infrastructure: AWS/Azure responsible for Security

Loss of Control: New network paradigm still requires security with new tools
• How can I detect and eliminate rogue instances in Security Implementations?
• My old tools do not work as there are no SPAN/TAP ports for Network
• How do I ensure AV is deployed and applications are segmented to be compliant?

2 Speed and Agility in Public Cloud: Private Cloud 1-2 server releases per year; Public Cloud 6 server releases per minute (15,000% increase)

Risk & Compliance: Need Security monitoring to meet compliance
• Gain insight into the potential known and unknown vulnerability exploits on the software deployed in your AWS/Azure accounts
• Prioritize & Remediate with ample network and asset context
RT-FIM
Extending cyber controls and processes to the cloud
Enterprise Perimeter
Cloud Data Protection & Shadow IT Discovery (Shadow IT Discovery & Controls)
Cloud IAM & User Analytics
Enforcing Cloud Policy & Remediation
Cloud Compliance
Cloud Incident Response & Investigation
Encryption & Tokenization
Endpoint DLP Enforce
On-premises DLP Detection
DLP Enforce Management Server
Threat Intelligence
New Challenges: Enterprise Perimeter; Regional Office; Home Office; Coffee Shop; Mobile; Personal IoT; Home IoT; Cars; Drones
Where to start? Understand what’s important to your business and where it is
Complete a Shadow Data Risk Assessment: Inbound risky content shared with employees (e.g., malware, IP); Risky users and user activities
There is only one word you need to know when talking about the cloud
30 minutes
This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the
contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in
this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square,
London, EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by
guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to
clients. Please see www.deloitte.com/about to learn more about our global network of member firms.