data protection and privacy in the world of database devops
TRANSCRIPT
Data protection & privacy in the world of database DevOps
Grant Fritchey
www.scarydba.com
@GFritchey
www.linkedin.com/in/scarydba
Agenda
• What is DevOps?
• Extending DevOps to databases
• Impact of database DevOps on data governance and
compliance
• James Boother – Sales & Marketing Director, Coeo
What is DevOps
“DevOps is the union of people, process, and products to enable
continuous delivery of value to our end users.”
Donovan Brown,Principal DevOps Program Manager, Microsoft
Extending DevOps to databases
• Business-critical data needs to be safely and correctly preserved
• Databases carry state that needs to be managed as part of
rolling out new or updating existing software
Benefits of Database DevOps
• Databases are in sync with application development
• Reliable traceability of database changes
• Removal of the database bottleneck in agile delivery processes
• Frequent releases, requiring less dev and DBA time
• Audit trail of who has accessed what data, when and where
Impact of DevOps on Data Governance
64% of respondents said DevOps had a positive impact on Data Governance & Compliance
Database DevOps as a foundation for compliance
• Monitoring - a key component for resilience
• Change control & testing - reliable, repeatable, consistent
• Provisioning and masking - compliant distribution of data
• Automation - a durable and consistent audit trail
James BootherSales & Marketing Director
Coeo
blog.coeo.com
@jimmyboo
www.linkedin.com/in/JamesBoo
ther
What is GDPR?
Common myths
Mapping GDPR to DevOps
Next steps
Q&A
Agenda
What is GDPR?
Mutually agreed European General Data Protection Regulation (GDPR)
Will come into force on May 25 2018
Replaces the 1995 data protection regulation. Supersedes the UK Data Protection Act 1998
Any organisation operating within Europe needs to adhere
What is GDPR?
http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32016R0679
&from=EN
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights related to automated decision making and profiling
Individual’s rights
Name
Identification number
Email address
Online user identifier
Social media posts
Physical, physiological, or genetic information
Medical information
Location
Bank details
IP address
Cookies
Examples of personal data covered by GDPR
https://aka.ms/gdprsqlwhitepaper
Penalties
Size of offence Penalty
Small Up to €10 million or 2%
global turnover
Serious Consequences Up to €20 million or 4%
global turnover
Current UK Up to £500,000
Elizabeth Denham, the UK's information
commissioner, says
"The GDPR is a step change for data
protection,"
"It's still an evolution, not a revolution".
Words of advice from the ICO
ICO 12 step process
https://ico.org.uk/media/for-
organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
1. Awareness
2. Information you hold
3. Communicating privacy information
4. Individuals’ rights
5. Subject access requests
6. Lawful basis for processing personal data
7. Consent
8. Children
9. Data breaches
10. Data protection by design and data
protection impact awareness
11. Data projection officers
12. International
Common Myths
Myth #1
I can’t comply with
GDPR and use
DevOps
Click to edit Master title styleMyth #1 - Mapping GDPR to DevOps
- Users have access only to the data needed
- Implement data protection by design and by
default
- Test for security regressions such as
unprotected PII data
- Identifying code-level security regressions such
as code that returns data to non-privileged
users
- Use Generated sample data or Dynamic
data masking instead of copying un-
sanitized production data into non-
production environments
- PII data is encrypted or pseudo-anonymised
- Users have the right level of access
- Encrypted connections using TLS or Always
Encrypted
- Dynamic Data Masking
- Row-level Security
- Sysadmin access for DBAs
- Restricted access for everyone else
- Audit access and ability to identify
compromised data
- Encrypted backups
- Removing data from backups
Myth #2
I only need to worry
about production
Click to edit Master title styleMyth #2 – Identifying all of the Personal Data you hold
https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
Myth #3
Holding data in
Azure prevents me
from complying with
GDPR
Click to edit Master title styleMyth #3 – Azure advanced data protection features
Feature SQLDB SQL Server
Vulnerability Assessment Coming soon
TDE On by default Available in Enterprise
Threat detection
Auditing
Dynamic data masking
Always encrypted
Encrypted connections
AAD User login with MFA (With SSMS 17)
Next steps
Technical readiness
Create a repeatable deployment process
Setup monitoring of access to the environments
Remediate any technical risks identified during the assessment
Next Steps
Compliance readiness
Nominate a Data Protection Officer
Assess your environment
Identify the personal data across all environments
Prepare a breach response plan
Two Work Streams:
Further reading
Topic Blog post
Introducing Always Encrypted https://blog.coeo.com/mattrobertshaw/2
017/05/08/introducing-always-encrypted
Securing connections to SQL Server with
TLS
https://blog.coeo.com/securing-
connections-to-sql-server-with-tls
How Vulnerable is Your Data? Stop
Malware Attacks using Azure SQL
Database
https://blog.coeo.com/how-vulnerable-
is-your-data-stop-malware-attacks-
using-azure-sql-database
The GDPR and You https://www.scarydba.com/2017/11/13/th
e-gdpr-and-you/
Q&A