Garry Binder, Intel Corporation
Andrew Guerra, IBM
Renaud Larsen, HyTrust
GRC3386BES
#VMworld #GRC3386BES
Addressing your General Data Protection Regulation (GDPR) Challenges with Security and Compliance Automation Based on VMware Cloud Foundation
VMworld 2017 Content: Not for publication or distribution
Agenda
• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A
Security Continues to be #1 Barrier for Cloud Adoption
Main concerns (data from Cloud Research Partners):
#1 General security risks – 33%
#2 Lack of staff resources or expertise – 28%
#3 Integration with existing IT environments – 27%
#4 Data loss & leakage risks – 26%
#5 Legal & regulatory compliance – 24%
Cloud adoption barriers:
Data Loss/Leakage – 57%
Confidentiality – 47%
Regulatory compliance – 30%
Data Privacy – 49%
Data Sovereignty/Control – 36%
General Data Protection Regulation (GDPR) Overview
Is GDPR the next Y2K for data privacy and data protection?
• Replaces the Data Protection legislation of the 90’s
• One single set of data protection rules across the EU
• Will come into force throughout the EU on May 25, 2018
• Gives individuals much more control over their personal data
Top 10 GDPR Provisions
• Increased Fines
• Territorial Scope
• Opt-in Consent
• Breach Notification
• Joint Liability
• Right to Removal (RTBF)
• Data Transfer
• One Law
• Common Enforcement
• Collective Redress
Key GDPR Definitions
Data Subject: The individual whose data is being collected and can be identified from that data.
Data Controller: The organization that defines the reason for the data collection, decides how the data is collected and processed and is ultimately responsible for its safekeeping.
Data Processor: A person or body acting on behalf of the data controller to store or process the data.
Personal Data (PII): Any information relating to an identified or identifiable natural person (data subject).
Supervisory Authorities: Public bodies set up by the governments of the EU countries to help advise data controllers and data subjects on the law and enforce the regulation.
Types of Personal Information
• Date of Birth
• Address
• Personal Email Address
• Online Identifier
• Business Email Address
• Phone Number
• Ethnic Origin
• Name
• Health
• Religious Beliefs
(Slide label: Sensitive Personal Data)
No matter where you are in the world, if you do business within the EU, you need to comply with GDPR!
Substantial increase in fines for organizations that do not comply with GDPR.
Two-tier fine structure for different violations can vary from 2% to 4% of global revenue or 10M euro to 20M euro, whichever is greater.
The local supervisory authority must be informed within 72 hours of any data loss and users informed as soon as possible unless…
…data was encrypted or a form of pseudonymization was used; the data is automatically deemed secure and the organization is not required to notify the data subject or supervisory authority of the breach.
Data belongs to the data subject NOT the data controller.
The Right to be Forgotten
Organizations will be required to “implement appropriate technical and organizational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data.
GDPR = 11 Chapters, 81 Pages, 99 Articles, 100+ Recitals
~ 12 articles address “technical measures”
GDPR Articles - some specifics
Categories on the slide: Core Requirements*, Audit and Compliance, Encryption, Data Sovereignty
• Article 5 Principles relating to personal data processing
• Article 24 Responsibility of the controller
• Article 28 Processor
• Article 32 Security of processing
• Article 24 Data protection by design and by default
• Article 30 Records of processing activities
• Article 33 Notification of a personal data breach to the supervisory authority
• Article 6 Lawfulness of processing
• Article 17 The Right to Erasure (aka “The Right to Be Forgotten”)
• Article 34 Communication of a personal data breach to the data subject
• Article 44 General Principle for Transfers
Agenda: IBM Secure Virtualization – Solution Overview
IBM Cloud Secure Virtualization (ICSV)
A VMware Portfolio Solution
IBM Cloud is first to market with a solution that captures the benefits of both HyTrust software and Intel® Trusted Execution Technology to protect virtualized workloads down to the microchip level.
(Diagram, example protected workloads: Customer Demographics, Point of Sale Transactions, Customer Credentials, Intellectual Property)
(Diagram, solution stack: Intel Xeon® Processor Bare Metal Servers + Intel® TXT Enabled; VMware Cloud Foundation™; HyTrust CloudControl and DataControl; guest VMs, each OS + App)
Includes VMware Cloud Foundation licenses and infrastructure (NSX, vSAN, vCenter, vSphere).
ICSV Solution Benefits
A Combined Security Offering from IBM, HyTrust and Intel®
(Diagram layers: Application User, Virtualization Admin, Virtual Machine, Virtualization Layer, Physical Layer, Storage Layer; CloudControl, DataControl and Intel® TXT shown alongside; label: Encrypted VMs and Data)
HyTrust Software Provides: Policy and access controls for cloud security, reporting, and encryption software
IBM Cloud Provides: Automated VMware solutions on trusted Bluemix bare metal infrastructure
Intel® Trusted Execution Technology Provides: Hardware-based (chipset) security technology to protect workloads
A powerful solution together…
• Streamlined visibility and reporting for corporate and regulatory compliance
• Policy-enforced controls and access management
• Confidence that workloads always run on known trusted hardware and software stacks
• Keys under tenant control, and data decryption only when access and location policies are met
Benefits of IBM Cloud for VMware Solutions
IBM Differentiation
Compatibility
• Full Compatibility with vCenter on and off premises
• Workload portability puts you in charge
• Continue with existing staff, tools and infrastructure
Speed & Flexibility
• Deploy in hours in multiple configuration sizes
• Expand and contract capacity as your needs change
• Deploy single site or multi-site configurations globally
Cloud Economics
• Predictable & simplified budgeting
• No long term contract overhead
• Pay for what you use with cloud OpEx model
Intel Benefits
Effective security is built on a foundation of trust
(Figure labels: Protect the data – in-use, at-rest, in-flight; Secure the platform – trust, visibility/control, resilience; without compromising performance)
Hardware Root of Trust
Intel® Trusted Execution Technology
Ensure a measured environment baseline with Intel® Trusted Execution Technology (Intel® TXT)
► System boot stack gets crypto-hashed before execution
► Hash values get safely stored in Trusted Platform Module (TPM)
► Match to known-good values determines system trust status
(Diagram, server with TPM)
1. System powers on and Intel TXT verifies system BIOS/Firmware
2. Hypervisor measure matches (MATCH!), then 3. OS and applications are launched, known trusted
2. Hypervisor measure does not match (POSSIBLE EXPLOIT!), then 3. Policy action enforced, known untrusted
Intel Cloud Integrity Technology
Intel Provides a Protected Launch & Hardware-enforced Geo location
Intel® Cloud Integrity Technology – leverages Intel® TXT
Trusted Platform and Workloads Launch: Verification of the integrity of the launch of the platform and workloads (VMs, containers…) to provide trust and assurance
Trusted Compute Pools: Attestation provides information to inform which systems are trustworthy for hosting workloads
Compliance: Attestation allows verification of platform and workload trust for comparison against policy and use in audit — this includes Geo-boundaries
(Diagram, chain of trust: Intel® TXT + TPM, then BIOS, Firmware, Hypervisor, Data center; capabilities: Platform integrity, Workload integrity, Location and boundary control)
HyTrust Simplifies Security at Scale
HyTrust Benefits
HyTrust CloudControl with Intel® TXT
► Protect server virtualization
► Control of private cloud
► Secure single-tenancy
► Continuous compliance
HyTrust DataControl
► Workload encryption
► Key management
► Public/hybrid cloud
► IaaS migration
HyTrust BoundaryControl with Intel® TXT
► Workload & data geo-fencing
► Tenant-defined boundaries
► Data sovereignty
► Contextual tagging
HyTrust BoundaryControl
Automatically provision, configure, and enforce security controls for all things inside your defined logical boundaries – Intel TXT provides Hardware Root-of-Trust
• Define and create a logical boundary by geography, regulatory standard, department, etc.
• Assign tags to key assets
• Define policies and automate security control enforcement for your defined boundary
(Diagram: assets tagged PCI, PII, Finance and German across Network, Storage, Workload and Host/Server; example policies: “Do not decrypt workload unless it is running on Host B” and “Automatically encrypt workloads within the boundary”)
IBM Benefits
IBM Cloud Automates the Infrastructure
VMware Cloud Foundation on IBM Cloud natively integrates vSphere, NSX and vSAN full stack virtualization along with the lifecycle management of SDDC Manager. This deployment is automated, offering fast and repeatable installation.
IBM Cloud offers the benefits of global scale with over 50 interconnected data centers worldwide.
(Diagram layers: Apps; Management; Network Virtualization; Compute Virtualization; Storage Virtualization; Physical Infrastructure)
Solution Benefits
Security and Compliance Automation
Data Decryption by Location: Only allow virtual server data to be decrypted in authorized locations
Deployment Control by Location: Ensure only certain virtual servers run on hardware in authorized locations
Server Platform Integrity: Only allow virtual workloads to run on untampered hardware and software
Privileged User Controls: Reduce admin risk with advanced role based access controls and secondary approval workflows
Continuous monitoring and reporting of controls to support regulatory and industry compliance
(Diagram: VM1 instances placed across a public cloud)
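As an added example (not part of the deck and not code from IBM, HyTrust or Intel), here is a small Python policy check that ties together the measured-boot comparison from the Intel TXT slide and the boundary rules from the HyTrust BoundaryControl and Solution Benefits slides: release a workload's data-encryption key only when every measured boot component matches its known-good value, the host carries the boundary tags the tenant assigned, and any host restriction such as "only on Host B" holds. The known-good digests, tag names and host names are constructed placeholders; real deployments compare TPM PCR digests and verify the attestation signature first, which this code assumes was done upstream.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed known-good values for the boot chain the slide measures
# (BIOS/firmware, then hypervisor). Real values are TPM PCR digests; these
# are SHA-256 of placeholder strings so the example runs offline.
GOLDEN = {
    "bios_firmware": hashlib.sha256(b"placeholder-bios-image").hexdigest(),
    "hypervisor": hashlib.sha256(b"placeholder-hypervisor-image").hexdigest(),
}

@dataclass
class Attestation:
    host: str
    measurements: dict   # component -> digest reported by the host's TXT/TPM
    tags: set            # attested location / regulatory tags, e.g. {"German"}
    signature_ok: bool   # attestation signature verified upstream (assumed)

@dataclass
class Workload:
    name: str
    required_tags: set   # the tenant-defined boundary for this asset
    allowed_hosts: set = field(default_factory=set)  # empty = any trusted host

def platform_trusted(att, golden=GOLDEN):
    """TXT slide, steps 2/3: every measured component must match its known-good
    value; a mismatch or a missing component is 'known untrusted'."""
    if not att.signature_ok:
        return False
    return all(att.measurements.get(c) == d for c, d in golden.items())

def key_release_decision(att, wl):
    """Release the data-encryption key only on a trusted platform that sits
    inside the workload's boundary. Returns (action, reason)."""
    if not platform_trusted(att):
        return "deny", "measurement mismatch: policy action enforced, known untrusted"
    if wl.allowed_hosts and att.host not in wl.allowed_hosts:
        return "deny", f"{wl.name} may only be decrypted on {sorted(wl.allowed_hosts)}"
    missing = wl.required_tags - att.tags
    if missing:
        return "deny", f"host {att.host} lacks boundary tags {sorted(missing)}"
    return "release_key", f"{wl.name} trusted on {att.host} inside its boundary"

def needs_encryption(wl, boundary_tags):
    """'Automatically encrypt workloads within the boundary': a workload tagged
    into the boundary must be encrypted before it is deployed there."""
    return bool(wl.required_tags & boundary_tags)
```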
ICSV Best Practice Responses to GDPR
1. Proactive Security: Move from reactive alerts and SIEM analysis to proactive, automated security for both breach and privacy protection
2. Insider Threats: Ensure and enforce authorized admin access to workloads and data. Monitor and validate proof of compliance and flag violations for remediation
3. Data Sovereignty: Implement a platform agnostic solution – which will work across any provider or workload type (virtual machine, SDDC, containers, etc.)
4. Workload Protection: Workload needs portable policy to protect and enforce compliance itself
5. Regulatory Compliance: Ensure proof of compliance is fast, easy, and multi-cloud ready
Agenda: Summary / Call to Action
© 2017 HyTrust, Inc.
Take Action
• Schedule a discovery meeting to assess customer needs (IBM Technical Solutions team, Intel & HyTrust can assist)
• Identify customers with intensive data security & compliance needs (GDPR, PCI, HIPAA)
• Check out more information on the wiki
• Execute a pilot or proof of concept for interested customers (process and promotion for POC is on the wiki)
• Set up a Technical Workshop to engage Security & Compliance Teams (IBM Technical Solutions team, Intel & HyTrust can assist pilot planning)
Ordering Codes
Cloud BU
• 6950-17V – IBM Bluemix Secure Virtualization (Cloud BU) (for Cloud Foundation)
• 6950-16F – IBM Bluemix Implementation Services (Cloud BU – CPS)
GTS BU
• 6941-95X – IBM Bluemix Secure Virtualization (GTS BU) (for Cloud Foundation)
• 6941-95A – IBM Bluemix Implementation Services (GTS mirror code)
*Latest ordering codes can be found on the VMware wiki
Appendix
IBM Cloud
► Dozens of global cloud centers
► Open, secure and scalable
► Secure, high-speed network
► Expert services and tools
► Secure integration to on-premises
(Map legend: IBM cloud managed server; SoftLayer data center & network PoP; SoftLayer network PoP; private network)
Links
Offering:
► IBM Cloud Secure Virtualization: https://www.ibm.com/cloud-computing/bluemix/products/secure-virtualization
► IBM BlueMix + Intel TXT
White Papers
► The Road to a Secure, Compliant Cloud: IBM, HyTrust, & Intel
► Why you need a Data Protection Security Officer
► US National Institute of Standards and Technology (NIST) Inter-agency Report IR-7904 “Trusted Geo Location In The Cloud”
Videos/Animations
► IBM, HyTrust, and Intel help ensure cloud security and data compliance (1:11 min)
Press/Blogs
► March 21, 2017 IBM Press Release: IBM Automates Compliance Controls & Data Security for Multi-Cloud Workloads
► IBM Blog: IBM Cloud, HyTrust, & Intel cloud offering helps ensure security and data compliance
► Intel Blog: Moving Toward a Thinking Cloud
► HyTrust Blog: IBM Cloud Secure Virtualization: A HyTrust Joint Solution with IBM Cloud and Intel
► Intel’s Diane Bryant, EVP/GTM Data Center Group video testimonial on IBM Cloud Secure Virtualization
More Information
Wiki – https://ibm.biz/IC4VSwiki
Internal IBM
• Offering Manager – Andrew D. Guerra
• CPS OM – Laura E Storey
• IBM Cloud Sales: Kameron Chao (NA), Jonathan Wisler (EU)
• References – Jeff Messore
• Tech Sales/POCs – Vinod Chavan
• Sales Enablement – Andre Sandoval
IBM Business Partners (Channel)
• Partnerworld Link – http://ibm.biz/partnerworld_vmware
• Enablement – Sherry Thompson
• IBM Cloud Sales: Kameron Chao (NA), Jonathan Wisler (EU)
• Europe: Pat Conte
• WW: Gene [email protected]
• Europe: Derek [email protected]
• WW: Gary Lepselter