GRC3386BES: Addressing your General Data Protection Regulation (GDPR) Challenges with Security and Compliance Automation Based on VMware Cloud Foundation

Garry Binder, Intel Corporation; Andrew Guerra, IBM; Renaud Larsen, HyTrust
GRC3386BES #VMworld #GRC3386BES
VMworld 2017 Content: Not for publication or distribution

Transcript of GRC3386BES (37 pages)

Page 1:

Garry Binder, Intel Corporation
Andrew Guerra, IBM
Renaud Larsen, HyTrust

GRC3386BES
#VMworld #GRC3386BES

Addressing your General Data Protection Regulation (GDPR) Challenges with Security and Compliance Automation Based on VMware Cloud Foundation

Page 2:

Agenda

• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A

#GRC3386BES CONFIDENTIAL

Page 3:

Security Continues to be #1 Barrier for Cloud Adoption

Main concerns (data from Cloud Research Partners):
#1 General security risks – 33%
#2 Lack of staff resources or expertise – 28%
#3 Integration with existing IT environments – 27%
#4 Data loss & leakage risks – 26%
#5 Legal & regulatory compliance – 24%

Cloud adoption barriers:
Data Loss/Leakage – 57%
Confidentiality – 47%
Regulatory compliance – 30%
Data Privacy – 49%
Data Sovereignty/Control – 36%

Page 4:

General Data Protection Regulation (GDPR) Overview

Page 5:

Is GDPR the next Y2K for data privacy and data protection?

Page 6:

• Replaces the Data Protection legislation of the 90’s
• One single set of data protection rules across the EU
• Will come into force throughout the EU on May 25, 2018
• Gives individuals much more control over their personal data

Page 7:

Top 10 GDPR Provisions

• Increased Fines
• Territorial Scope
• Opt-in Consent
• Breach Notification
• Joint Liability
• Right to Removal (RTBF)
• Data Transfer
• One Law
• Common Enforcement
• Collective Redress

Page 8:

Key GDPR Definitions

Data Subject – The individual whose data is being collected and who can be identified from that data.

Data Controller – The organization that defines the reason for the data collection, decides how the data is collected and processed, and is ultimately responsible for its safekeeping.

Data Processor – A person or body acting on behalf of the data controller to store or process the data.

Personal Data (PII) – Any information relating to an identified or identifiable natural person (data subject).

Supervisory Authorities – Public bodies set up by the governments of the EU countries to help advise data controllers and data subjects on the law and to enforce the regulation.

Page 9:

Types of Personal Information

Date of Birth, Address, Personal Email Address, Online Identifier, Business Email Address, Phone Number, Ethnic Origin, Name, Health, Religious Beliefs

(Slide label: Sensitive Personal Data)

Page 10:

No matter where you are in the world, if you do business within the EU, you need to comply with GDPR!

Page 11:

Substantial increase in fines for organizations that do not comply with GDPR.

Two-tier fine structure for different violations: fines can vary from 2% to 4% of global revenue, or from 10M euro to 20M euro, whichever is greater.

Page 12:

The local supervisory authority must be informed within 72 hours of any data loss, and users informed as soon as possible, unless…

Page 13:

…the data was encrypted or a form of pseudonymization was used; the data is then automatically deemed secure and the organization is not required to notify the data subject or supervisory authority of the breach.

Page 14:

Data belongs to the data subject, NOT the data controller.

Page 15:

The Right to be Forgotten

Page 16:

Organizations will be required to “implement appropriate technical and organizational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data.

GDPR = 11 Chapters, 81 Pages, 99 Articles, 100+ Recitals
~12 articles address “technical measures”

Page 17:

GDPR Articles – some specifics

Categories on the slide: Core Requirements*, Audit and Compliance, Encryption, Data Sovereignty

Article 5 – Principles relating to personal data processing
Article 24 – Responsibility of the controller
Article 28 – Processor
Article 32 – Security of processing
Article 24 – Data protection by design and by default
Article 30 – Records of processing activities
Article 33 – Notification of a personal data breach to the supervisory authority
Article 6 – Lawfulness of processing
Article 17 – The Right to Erasure (aka “The Right to Be Forgotten”)
Article 34 – Communication of a personal data breach to the data subject
Article 44 – General Principle for Transfers

Page 18:

Agenda

• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A

Page 19:

A VMware Portfolio Solution

IBM Cloud Secure Virtualization (ICSV)

IBM Cloud is first to market with a solution that captures the benefits of both HyTrust software and Intel® Trusted Execution Technology to protect virtualized workloads down to the microchip level.

Workload data shown in the diagram: Customer Demographics, Point of Sale Transactions, Customer Credentials, Intellectual Property

Stack shown in the diagram: Intel Xeon® Processor Bare Metal Servers + Intel® TXT Enabled; VMware Cloud Foundation™; HyTrust CloudControl and DataControl; guest VMs (OS + App)

Includes VMware Cloud Foundation licenses and infrastructure (NSX, vSAN, vCenter, vSphere).

Page 20:

A Combined Security Offering from IBM, HyTrust and Intel®

ICSV Solution Benefits

Diagram labels: Virtualization Admin; Application User; Virtualization Layer; Physical Layer; Storage Layer; CloudControl; Virtual Machine; DataControl; Intel® TXT; Application; Encrypted VMs and Data

HyTrust Software Provides: Policy and access controls for cloud security, reporting, and encryption software

IBM Cloud Provides: Automated VMware solutions on trusted Bluemix bare metal infrastructure

Intel® Trusted Execution Technology Provides: Hardware-based (chipset) security technology to protect workloads

A powerful solution together…
• Streamlined visibility and reporting for corporate and regulatory compliance
• Policy-enforced controls and access management
• Confidence that workloads always run on known trusted hardware and software stacks
• Keys under tenant control, and data decryption only when access and location policies are met

Page 21:

Benefits of IBM Cloud for VMware Solutions

Compatibility
• Full compatibility with vCenter on and off premises
• Workload portability puts you in charge
• Continue with existing staff, tools and infrastructure

Speed & Flexibility
• Deploy in hours in multiple configuration sizes
• Expand and contract capacity as your needs change
• Deploy single site or multi-site configurations globally

Cloud Economics
• Predictable & simplified budgeting
• No long term contract overhead
• Pay for what you use with cloud OpEx model

IBM Differentiation

Page 22:

Intel Benefits

Effective security is built on a foundation of trust

Diagram labels: Protect the Data (in-use, at-rest, in-flight); Secure the Platform (trust, visibility/control, resilience); without compromising performance

Page 23:

Hardware Root of Trust – Intel® Trusted Execution Technology

Ensure a measured environment baseline with Intel® Trusted Execution Technology (Intel® TXT) on a server with a TPM.

► System boot stack gets crypto-hashed before execution
► Hash values get safely stored in the Trusted Platform Module (TPM)
► Match to known-good values determines system trust status

Launch flow shown in the diagram:
1. System powers on and Intel TXT verifies system BIOS/Firmware
2a. Hypervisor measurement matches (MATCH!) – 3a. OS and applications are launched, known trusted
2b. Hypervisor measurement does not match (POSSIBLE EXPLOIT!) – 3b. Policy action enforced, known untrusted

Page 24:

Intel Cloud Integrity Technology

Intel Provides a Protected Launch & Hardware-enforced Geo location

Trusted Platform and Workloads Launch: Verification of the integrity of the launch of the platform and workloads (VMs, containers…) to provide trust and assurance

Trusted Compute Pools: Attestation provides information to inform which systems are trustworthy for hosting workloads

Compliance: Attestation allows verification of platform and workload trust for comparison against policy and use in audit; this includes geo-boundaries

Chain of trust (Intel® Cloud Integrity Technology leverages Intel® TXT):
Capabilities: Platform integrity (Intel® TXT + TPM); Location and boundary control; Workload integrity
Measured stack shown in the diagram: Data center, Firmware, BIOS, Hypervisor, Intel® TXT

Page 25:

HyTrust Simplifies Security at Scale

HyTrust Benefits

HyTrust CloudControl with Intel® TXT
► Protect server virtualization
► Control of private cloud
► Secure single-tenancy
► Continuous compliance

HyTrust DataControl
► Workload encryption
► Key management
► Public/hybrid cloud
► IaaS migration

HyTrust BoundaryControl with Intel® TXT
► Workload & data geo-fencing
► Tenant-defined boundaries
► Data sovereignty
► Contextual tagging

Page 26:

HyTrust BoundaryControl

Automatically provision, configure, and enforce security controls for all things inside your defined logical boundaries – Intel TXT provides the Hardware Root-of-Trust.

1. Define and create a logical boundary by geography, regulatory standard, department, etc.
2. Assign tags to key assets (tags shown in the diagram: PCI, PII*, Finance, German).
3. Define policies and automate security control enforcement for your defined boundary across Network, Storage, Workload and Host/Server. Example policies from the diagram:
   • Do not decrypt workload unless it is running on Host B
   • Automatically encrypt workloads within the boundary
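The measured-launch flow on page 23 and the boundary policy on this page, as an added example that is not Intel, HyTrust or IBM code: a Python model of TPM-style PCR extend over the boot stages, comparison against a known-good value, and key release gated on both trust status and the tenant-defined boundary. The host names, the "DE" location tag, the policy shape and the stage images are constructed for illustration.

```python
"""Measured launch + boundary policy model (added example, not product code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)). The register can only be
    extended, never set, so a later stage cannot hide an earlier bad measurement."""
    return sha256(pcr + sha256(component))


def measure_boot_chain(stages: list[bytes]) -> bytes:
    """Hash firmware, BIOS and hypervisor in boot order, starting from a zero PCR."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


@dataclass(frozen=True)
class Host:
    name: str
    location: str        # geo tag attested with the platform, e.g. "DE" (constructed)
    boot_chain: tuple    # stage images in boot order (constructed bytes here)

    def attest(self) -> bytes:
        return measure_boot_chain(list(self.boot_chain))


@dataclass(frozen=True)
class BoundaryPolicy:
    """Hypothetical policy shape modelled on 'do not decrypt unless running on
    Host B' and the geography/regulatory boundary tags from this slide."""
    known_good_pcr: bytes
    allowed_locations: frozenset
    allowed_hosts: frozenset     # empty set = any trusted host inside the boundary


def release_key(host: Host, policy: BoundaryPolicy) -> tuple[bool, str]:
    """Decide whether DataControl-style key release is permitted. An untrusted
    measurement is refused before location or host identity is even considered."""
    if host.attest() != policy.known_good_pcr:
        return False, "POSSIBLE EXPLOIT: measurement mismatch, workload stays encrypted"
    if host.location not in policy.allowed_locations:
        return False, f"{host.name} is outside the boundary ({host.location})"
    if policy.allowed_hosts and host.name not in policy.allowed_hosts:
        return False, f"{host.name} is not an authorized host for this workload"
    return True, f"{host.name} trusted and inside boundary: key released"


# Constructed stage images; a real deployment measures the actual firmware/BIOS/hypervisor.
GOOD_CHAIN = (b"firmware v1.0", b"bios v2.3", b"hypervisor build 1234")
TAMPERED_CHAIN = (b"firmware v1.0", b"bios v2.3", b"hypervisor build 1234 +rootkit")
KNOWN_GOOD_PCR = measure_boot_chain(list(GOOD_CHAIN))

# Constructed German-finance boundary: only Host B, located in DE, may decrypt.
GERMAN_FINANCE = BoundaryPolicy(KNOWN_GOOD_PCR, frozenset({"DE"}), frozenset({"Host B"}))

HOST_A = Host("Host A", "US", GOOD_CHAIN)        # trusted, but wrong geography
HOST_B = Host("Host B", "DE", GOOD_CHAIN)        # trusted and inside the boundary
HOST_C = Host("Host C", "DE", TAMPERED_CHAIN)    # inside the boundary, but tampered

if __name__ == "__main__":
    for h in (HOST_A, HOST_B, HOST_C):
        print(release_key(h, GERMAN_FINANCE))
```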

Page 27:

IBM Benefits

IBM Cloud Automates the Infrastructure

VMware Cloud Foundation on IBM Cloud natively integrates vSphere, NSX and vSAN full-stack virtualization along with the lifecycle management of SDDC Manager. This deployment is automated, offering fast and repeatable installation.

IBM Cloud offers the benefits of global scale with over 50 interconnected data centers worldwide.

Diagram layers: Apps; Management; Network Virtualization; Compute Virtualization; Storage Virtualization; Physical Infrastructure

Page 28:

Solution Benefits – Security and Compliance Automation

Data Decryption by Location: Only allow virtual server data to be decrypted in authorized locations

Deployment Control by Location: Ensure only certain virtual servers run on hardware in authorized locations

Server Platform Integrity: Only allow virtual workloads to run on untampered hardware and software

Privileged User Controls: Reduce admin risk with advanced role based access controls and secondary approval workflows

Continuous monitoring and reporting of controls to support regulatory and industry compliance

Page 29:

ICSV Best Practice Responses to GDPR

1. Proactive Security – Move from reactive alerts and SIEM analysis to proactive, automated security for both breach and privacy protection
2. Insider Threats – Ensure and enforce authorized admin access to workloads and data. Monitor and validate proof of compliance and flag violations for remediation
3. Data Sovereignty – Implement a platform agnostic solution which will work across any provider or workload type (virtual machine, SDDC, containers, etc.)
4. Workload Protection – Workload needs portable policy to protect and enforce compliance itself
5. Regulatory Compliance – Ensure proof of compliance is fast, easy, and multi-cloud ready

Page 30:

Agenda

• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A

Page 31:

© 2017 HyTrust, Inc.

Take Action

• Schedule a discovery meeting to assess customer needs – the IBM Technical Solutions team (Intel & HyTrust) can assist
• Identify customers with intensive data security & compliance needs (GDPR, PCI, HIPAA)
• Check out more information on the wiki
• Execute a pilot or proof of concept for interested customers – the process and promotion for a POC are on the wiki
• Set up a Technical Workshop to engage Security & Compliance Teams – the IBM Technical Solutions team (Intel & HyTrust) can assist with pilot planning

Page 32:

© 2017 HyTrust, Inc.

Ordering Codes

Cloud BU:
L30 6950-17V – IBM Bluemix Secure Virtualization (Cloud BU) (for Cloud Foundation)
L30 6950-16F – IBM Bluemix Implementation Services (Cloud BU – CPS)

GTS BU:
L30 6941-95X – IBM Bluemix Secure Virtualization (GTS BU) (for Cloud Foundation)
L30 6941-95A – IBM Bluemix Implementation Services (GTS mirror code)

*Latest ordering codes can be found on the VMware wiki

Page 33: (no text content)

Page 34: (no text content)

Page 35:

Appendix – IBM Cloud

► Dozens of global cloud centers
► Open, secure and scalable
► Secure, high-speed network
► Expert services and tools
► Secure integration to on-premises

Diagram labels: IBM cloud managed server; SoftLayer data center & network POP; SoftLayer network POP; Private network

Page 36:

Appendix – Links

Offering:
► IBM Cloud Secure Virtualization: https://www.ibm.com/cloud-computing/bluemix/products/secure-virtualization
► IBM BlueMix + Intel TXT

White Papers:
► The Road to a Secure, Compliant Cloud: IBM, HyTrust, & Intel
► Why you need a Data Protection Security Officer
► US National Institute of Standards and Technology (NIST) Interagency Report IR-7904 “Trusted Geo Location In The Cloud”

Videos/Animations:
► IBM, HyTrust, and Intel help ensure cloud security and data compliance (1:11 min)

Press/Blogs:
► March 21, 2017 IBM Press Release: IBM Automates Compliance Controls & Data Security for Multi-Cloud Workloads
► IBM Blog: IBM Cloud, HyTrust, & Intel cloud offering helps ensure security and data compliance
► Intel Blog: Moving Toward a Thinking Cloud
► HyTrust Blog: IBM Cloud Secure Virtualization: A HyTrust Joint Solution with IBM Cloud and Intel
► Intel’s Diane Bryant, EVP/GTM Data Center Group, video testimonial on IBM Cloud Secure Virtualization

Page 37:

© 2017 HyTrust, Inc.

More Information

Wiki – https://ibm.biz/IC4VSwiki
Offering Manager – Andrew D. Guerra
CPS OM – Laura E Storey
IBM Cloud Sales: Kameron Chao (NA), Jonathan Wisler (EU)
References – Jeff Messore
Tech Sales/POCs – Vinod Chavan
Sales Enablement – Andre Sandoval
Partnerworld Link – http://ibm.biz/partnerworld_vmware
Enablement – Sherry Thompson

Internal IBM / IBM Business Partners (Channel):
Europe: Pat Conte [email protected]
WW: Gene [email protected]
Europe: Derek [email protected]
WW: Gary Lepselter [email protected]