Data protection and privacy in the world of database DevOps

Upload: red-gate-software

Post on 22-Jan-2018

Category: Software

TRANSCRIPT

Page 1: Data protection and privacy in the world of database DevOps

Page 2

Data protection & privacy in the world of database DevOps

Page 3

Grant Fritchey

www.scarydba.com

[email protected]

@GFritchey

www.linkedin.com/in/scarydba

Page 4

Agenda

• What is DevOps?

• Extending DevOps to databases

• Impact of database DevOps on data governance and compliance

• James Boother – Sales & Marketing Director, Coeo

Page 5

What is DevOps?

“DevOps is the union of people, process, and products to enable continuous delivery of value to our end users.”

Donovan Brown, Principal DevOps Program Manager, Microsoft

Page 6

Extending DevOps to databases

• Business-critical data needs to be safely and correctly preserved

• Databases carry state that needs to be managed as part of rolling out new or updating existing software

Page 7

Benefits of Database DevOps

• Databases are in sync with application development

• Reliable traceability of database changes

• Removal of the database bottleneck in agile delivery processes

• Frequent releases, requiring less dev and DBA time

• Audit trail of who has accessed what data, when and where

Page 8

Impact of DevOps on Data Governance

64% of respondents said DevOps had a positive impact on Data Governance & Compliance

Page 9

Database DevOps as a foundation for compliance

• Monitoring - a key component for resilience

• Change control & testing - reliable, repeatable, consistent

• Provisioning and masking - compliant distribution of data

• Automation - a durable and consistent audit trail

Page 10

James Boother, Sales & Marketing Director

Coeo

blog.coeo.com

[email protected]

@jimmyboo

www.linkedin.com/in/JamesBoother

Page 11

Agenda

What is GDPR?

Common myths

Mapping GDPR to DevOps

Next steps

Q&A

Page 12

What is GDPR?

Page 13

What is GDPR?

Mutually agreed European General Data Protection Regulation (GDPR)

Will come into force on May 25 2018

Replaces the 1995 data protection regulation. Supersedes the UK Data Protection Act 1998

Any organisation operating within Europe needs to adhere to it

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Page 14

Individual’s rights

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Rights related to automated decision making and profiling

Page 15

Examples of personal data covered by GDPR

Name

Identification number

Email address

Online user identifier

Social media posts

Physical, physiological, or genetic information

Medical information

Location

Bank details

IP address

Cookies

https://aka.ms/gdprsqlwhitepaper

Page 16

Penalties

Size of offence        Penalty
Small                  Up to €10 million or 2% of global turnover
Serious consequences   Up to €20 million or 4% of global turnover
Current UK             Up to £500,000

Page 17

Words of advice from the ICO

Elizabeth Denham, the UK's information commissioner, says: "The GDPR is a step change for data protection." "It's still an evolution, not a revolution."

Page 18

ICO 12 step process

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

1. Awareness

2. Information you hold

3. Communicating privacy information

4. Individuals’ rights

5. Subject access requests

6. Lawful basis for processing personal data

7. Consent

8. Children

9. Data breaches

10. Data protection by design and data protection impact awareness

11. Data protection officers

12. International

Page 19

Common Myths

Page 20

Myth #1

I can’t comply with GDPR and use DevOps

Page 21

Myth #1 - Mapping GDPR to DevOps

- Users have access only to the data needed

- Implement data protection by design and by default

- Test for security regressions such as unprotected PII data

- Identify code-level security regressions such as code that returns data to non-privileged users

- Use generated sample data or Dynamic Data Masking instead of copying unsanitised production data into non-production environments

- PII data is encrypted or pseudo-anonymised

- Users have the right level of access

- Encrypted connections using TLS or Always Encrypted

- Dynamic Data Masking

- Row-level Security

- Sysadmin access for DBAs

- Restricted access for everyone else

- Audit access and ability to identify compromised data

- Encrypted backups

- Removing data from backups
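The list above names the controls but the slides do not show how they fit together on one table. The T-SQL script below is an added example written for this transcript; it is not code from the slides, from Coeo or from Redgate. It applies four of the listed controls to a single customer table on SQL Server: a restricted read-only role for everyone but DBAs, Dynamic Data Masking on the PII columns, Row-Level Security keyed on the user's region, and an audit of access by that role. The database name, table and column names, role, user, mapping table, schema and audit file path are all assumptions for illustration; TLS, Always Encrypted and encrypted backups are client- or server-configuration topics and are not covered here.

```sql
-- Added example (not from the slides, Coeo or Redgate): least-privilege role,
-- Dynamic Data Masking, Row-Level Security and access auditing on one table.
-- CustomerDB, dbo.Customers, support_reader, support_user_uk, dbo.UserRegion,
-- the Security schema and C:\Audit\ are assumptions for illustration.
USE master;
GO
-- Server-level audit target (SQL Server only; Azure SQL Database configures
-- auditing through the portal/PowerShell instead). The folder must exist.
CREATE SERVER AUDIT CustomerAudit TO FILE (FILEPATH = 'C:\Audit\');
ALTER SERVER AUDIT CustomerAudit WITH (STATE = ON);
GO
USE CustomerDB;   -- assumed database
GO
-- Table holding personal data (assumed schema).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(256) NOT NULL,
    Phone      VARCHAR(32)   NULL,
    Region     VARCHAR(16)   NOT NULL   -- drives the RLS predicate below
);
-- Constructed sample rows.
INSERT dbo.Customers (FullName, Email, Phone, Region) VALUES
    (N'Alice Example', N'alice@example.test', '020-7946-0001', 'UK'),
    (N'Bob Example',   N'bob@example.test',   '030-1234-5678', 'DE');

-- "Restricted access for everyone else": a role with SELECT only and no
-- UNMASK permission, so its members see masked values. db_owner/sysadmin
-- (the DBAs) keep full access.
CREATE ROLE support_reader;
GRANT SELECT ON dbo.Customers TO support_reader;
CREATE USER support_user_uk WITHOUT LOGIN;   -- assumed test user, no login needed
ALTER ROLE support_reader ADD MEMBER support_user_uk;

-- Dynamic Data Masking: readers without UNMASK get partial values.
ALTER TABLE dbo.Customers ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE dbo.Customers ALTER COLUMN Email    ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customers ALTER COLUMN Phone    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXXX-",4)');

-- Row-Level Security: a user sees only the regions mapped to them; members of
-- db_owner see everything. The mapping table and schema are assumptions.
CREATE TABLE dbo.UserRegion (
    UserName SYSNAME     NOT NULL,
    Region   VARCHAR(16) NOT NULL,
    PRIMARY KEY (UserName, Region)
);
INSERT dbo.UserRegion VALUES ('support_user_uk', 'UK');
GO
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate (@Region VARCHAR(16))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE IS_MEMBER('db_owner') = 1
       OR EXISTS (SELECT 1 FROM dbo.UserRegion ur
                  WHERE ur.UserName = USER_NAME() AND ur.Region = @Region);
GO
-- FILTER hides rows on read; BLOCK AFTER INSERT stops a user inserting rows
-- for a region they could not read back.
CREATE SECURITY POLICY Security.CustomerRegionPolicy
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Customers,
    ADD BLOCK  PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Customers AFTER INSERT
WITH (STATE = ON);
GO

-- "Audit access": record reads and changes made by the restricted role.
CREATE DATABASE AUDIT SPECIFICATION CustomerAccessAudit
FOR SERVER AUDIT CustomerAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY support_reader)
WITH (STATE = ON);
GO

-- Check: impersonate the restricted user. Only the UK row comes back, with
-- FullName masked to 'xxxx', the email reduced to its first letter and domain
-- placeholder, and the phone showing only its last four digits.
EXECUTE AS USER = 'support_user_uk';
SELECT CustomerId, FullName, Email, Phone, Region FROM dbo.Customers;
REVERT;
```

Run the final SELECT again as a db_owner member to confirm the same statement returns both rows unmasked; the difference between the two result sets is the regression test the slide calls for ("code that returns data to non-privileged users"), and the audit file records which principal ran each read.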

Page 22

Myth #2

I only need to worry about production

Page 23

Myth #2 – Identifying all of the Personal Data you hold

https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment

Page 24

Myth #3

Holding data in Azure prevents me from complying with GDPR

Page 25

Myth #3 – Azure advanced data protection features

Feature                                  SQLDB            SQL Server
Vulnerability Assessment                 Coming soon
TDE                                      On by default    Available in Enterprise
Threat detection
Auditing
Dynamic data masking
Always encrypted
Encrypted connections
AAD user login with MFA (with SSMS 17)

(The availability ticks in the remaining cells did not survive extraction; only the text cells are reproduced.)

Page 26

Next steps

Page 27

Next Steps

Two Work Streams:

Technical readiness

Create a repeatable deployment process

Set up monitoring of access to the environments

Remediate any technical risks identified during the assessment

Compliance readiness

Nominate a Data Protection Officer

Assess your environment

Identify the personal data across all environments

Prepare a breach response plan

Page 28

Further reading

Topic: Introducing Always Encrypted
Blog post: https://blog.coeo.com/mattrobertshaw/2017/05/08/introducing-always-encrypted

Topic: Securing connections to SQL Server with TLS
Blog post: https://blog.coeo.com/securing-connections-to-sql-server-with-tls

Topic: How Vulnerable is Your Data? Stop Malware Attacks using Azure SQL Database
Blog post: https://blog.coeo.com/how-vulnerable-is-your-data-stop-malware-attacks-using-azure-sql-database

Topic: The GDPR and You
Blog post: https://www.scarydba.com/2017/11/13/the-gdpr-and-you/

Page 29

Q&A