
GDPR & NIS

Taking the pain out of government mandated security response

2016 HyTrust, Inc. 1

HyTrust Workload Security Use Cases

Previously discussed specific use cases: how are they related to GDPR/NIS?

Critical areas affected by GDPR and NIS, with increased risk in public or hybrid cloud environments:
1. Privileged account misuse
2. Data breach protection
3. Data sovereignty compliance

Use cases:
- Halt data breaches on all clouds
- Eliminate privileged user misuse
- Remove costly infrastructure air gaps
- End audit and compliance suffering
- Stop stupid and accidental downtime
- Avoid data sovereignty landmines


GDPR Executive Summary

What
New standard for data protection and privacy for EU member states, replacing the previous Safe Harbor agreement (between the US and EU). Covers any company doing business in the EU or with an EU citizen.

When
Goes into full force on May 25, 2018. Different member states may add some variations or additional requirements.

Impact
- Enforcement is backed by substantial fines, some based on 2%-4% of corporate revenue in the EU.
- Allows EU citizens to challenge companies and shifts the burden of proof/response on privacy and security onto the company providing the service.
- Affects a range of technology systems, including data storage and collection, data encryption, and frameworks for privacy processes (through policy and privacy specialists).
- Still unclear with Britain leaving the EU, but most likely following GDPR will remain more stringent than any local guidelines.


Migration to Public Cloud Increases Risk

GDPR Requirement: Transparency
Summary Description: Privacy policy and DPO
Challenges: Policy guarantees are harder with a 3rd party (i.e. cloud provider)

GDPR Requirement: Consent/Data Quality
Summary Description: Opt-in by consumer; ability to get rid of data if consent is withdrawn
Challenges: Tracking data across many workloads and geographies, with the instant ability to kill data

GDPR Requirement: Security enforcement of Privacy
Summary Description: Protecting data via encryption, secure data destruction, etc.
Challenges: Proof of actions (of encryption and destruction) is required if challenged

GDPR Requirement: Data breach readiness and response
Summary Description: 72 hours for breach notification; incident response plan
Challenges: Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly

GDPR Requirement: Right to be Forgotten (Art 17)
Summary Description: Right to be Forgotten - Erasure (Art 17)
Challenges: All data must be deleted retroactively and for all records

Note there are numerous other areas of challenges, but these are the most technically challenging for cloud-enabled organizations.

NDA Material, Confidential and Proprietary


Technology Best Practices Response to GDPR (and applicable HyTrust Use Cases)

Automatic
Shift from alert and SIEM analysis to proactive, automatic security for both breach protection and privacy protection. [Data Sov.]

Insiders
Ensure admins that access data on any cloud can be monitored and proof of compliance can be shown instantly (or instantly flag violations for prompt remediation). [PIM, Data Sov.]

Self-Regulating
Workload needs portable policy to protect and enforce compliance itself. [Data Sov.]

Platform Agnostic
Implement a platform-agnostic solution which will work across any provider or workload type (virtual machine, SDDC, containers, etc.). [All use cases]

Instant Proof
Ensure proof of compliance is fast, easy, and multicloud ready. [All use cases]


My Cloud Provider Says I Am Protected

Microsoft, Amazon, and others have issued statements that their customers are protected and compliant already via their use of model contracts and other legal mechanisms. However:

- YOU are still responsible for the data, even if the provider is compliant.
- YOU are still responsible for the administrative actions of systems on that network.
- ONLY workloads and data that reside on that provider can be considered as provider scope (private data centers, backup/DR sites, QA copies, etc. are still your issue).
- And if the provider fails, YOU are still responsible for data breach disclosure and remediation impact for your customers.

Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and do not rely on the provider or a specific technology to protect your data.

HyTrust Makes the GDPR Pain Go Away

GDPR Scope: Transparency
HyTrust Capability: Codify the privacy policy through the data and admin policy engine and enforce it through workload policy. Monitor and execute immediate policy change propagation across all workloads/clouds.
Use Case and Advisory Notes: Data Protection. Policy actions and workload response can all be monitored and provide instant response to an audit.

GDPR Scope: Consent/Data Quality
HyTrust Capability: Secure decommission of workloads is required to ensure fast and efficient data destruction on demand. Creates a chain of evidence of data destruction.
Use Case and Advisory Notes: Data Protection. Through hyper-efficient key management technology, data can be instantly destroyed.

GDPR Scope: Security enforcement of Privacy
HyTrust Capability: Encryption that can be used to secure privacy (via access to and propagation of the protected data).
Use Case and Advisory Notes: Data Protection, Data Sov. Proof of actions (of encryption and destruction) is required if challenged. Encryption, policy controls, etc. can be detailed for audit, compliance proof, or forensics.

GDPR Scope: Data breach readiness and response
HyTrust Capability: Instant audit trail and correlation of activity, policy, and intentional/accidental attempts of breach. Ability to provide RBACs for instant access across auditors or other regulators.
Use Case and Advisory Notes: PIM, Data Sov. Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly.

GDPR Scope: Right to Erasure (to be Forgotten)
HyTrust Capability: Encryption key revocation means ALL data is immediately rendered useless.
Use Case and Advisory Notes: Data Protection, Data Sov. No need to track where data exists; only use key management.
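The key-revocation erasure in the Right to Erasure row above is crypto-shredding: encrypt every copy of a workload's data under a key that only the key manager holds, and destroy that key on an erasure request. The following is an added example written for this page, not HyTrust code and not part of the deck. A toy key manager keeps one key per workload and an append-only, hash-chained evidence log; a constructed customer record is encrypted into three "locations" (primary, backup site, QA copy), the key is destroyed, and every copy becomes unreadable without anyone having tracked where the copies lived. The workload id, the record contents, the location names and the example.test address are all constructed, and the HMAC-based stream cipher is a demonstration construction standing in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
import time


class KeyRevoked(Exception):
    """Raised when a workload's data-encryption key has been destroyed."""


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one workload key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based keystream: block i = HMAC-SHA256(enc_key, nonce || i). Demo
    # construction only; production code should use AES-GCM from a vetted library.
    enc_key = _subkey(key, b"enc")
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag, then strips the keystream; ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManager:
    """One key per workload plus an append-only, hash-chained evidence log.
    Revoking a key is the erasure event: the manager holds the only copy, so every
    ciphertext under that key becomes unreadable wherever it resides."""

    def __init__(self) -> None:
        self._keys = {}      # key_id -> key bytes, or None once destroyed
        self.evidence = []   # auditor-facing chain-of-custody records

    def _log(self, event: str, key_id: str) -> None:
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        rec = {"event": event, "key_id": key_id, "ts": time.time(), "prev": prev}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.evidence.append(rec)

    def create(self, key_id: str) -> None:
        self._keys[key_id] = os.urandom(32)
        self._log("key_created", key_id)

    def get(self, key_id: str) -> bytes:
        key = self._keys.get(key_id)
        if key is None:
            raise KeyRevoked(key_id)
        return key

    def revoke(self, key_id: str) -> None:
        self._keys[key_id] = None   # the only copy of the key is gone
        self._log("key_destroyed", key_id)


def verify_evidence(evidence: list) -> bool:
    """Auditor check: each record hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for rec in evidence:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev") != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def erasure_demo() -> dict:
    """Encrypts one constructed record into three 'locations', then shreds the key."""
    km = KeyManager()
    km.create("workload-42")                                  # constructed workload id
    record = b"customer=Alice;email=alice@example.test"       # constructed personal data
    copies = {loc: encrypt(km.get("workload-42"), record)
              for loc in ("primary", "backup-site", "qa-copy")}
    readable_before = all(decrypt(km.get("workload-42"), c) == record for c in copies.values())
    km.revoke("workload-42")                                  # the Article 17 erasure action
    unreadable_after = 0
    for blob in copies.values():
        try:
            decrypt(km.get("workload-42"), blob)
        except KeyRevoked:
            unreadable_after += 1
    return {"readable_before": readable_before,
            "copies_unreadable_after": unreadable_after,
            "evidence_valid": verify_evidence(km.evidence),
            "events": [e["event"] for e in km.evidence]}
```

Calling erasure_demo() returns readable_before True, copies_unreadable_after 3, evidence_valid True and the two events key_created and key_destroyed: the three copies were never tracked, yet all died with the key, and the chained log is what gets handed to an auditor or regulator as proof of destruction. The guarantee holds only if the key manager really held the sole copy; escrowed or cached key material, or plaintext that was ever exported outside the encryption boundary (reports, logs, unencrypted QA extracts), is outside the shred and has to be found and deleted the old way.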


Detailed GDPR Mapping to HyTrust

GDPR Source Text: Article 32 Security of processing
Requirement Summary: Appropriate level of security based on the state of the art, including encryption, regular tests of security effectiveness, and ensuring confidentiality and integrity of data.
HyTrust / Customer Options: Implement policy-based encryption for data protection (and evidence). Show compliance of human assets.

GDPR Source Text: Article 24 Responsibility of the controller
Requirement Summary: Requires the data controller to implement appropriate technical measures to ensure and demonstrate compliance.
HyTrust / Customer Options: Forensic-level logs that track workloads, administrative activities, and policy changes at the object level.

GDPR Source Text: Article 25 Data protection by design and default
Requirement Summary: Data controllers must also implement data protection by default: implement appropriate technical measures to [protect/address] the amount of data collected, extent of processing, and retention and accessibility of data.
HyTrust / Customer Options: Through HyTrust BoundaryControl policies, the system is (by default) set to adhere to data boundaries and usage. Furthermore, encryption can be used to enforce this across any cloud provider.


NIS Executive Summary

What
The EU network and information security (NIS) directive sets common cyber-security standards and aims to step up cooperation among EU countries and service providers.

When
EU member states have 21 months to comply and then 6 months to identify critical infrastructure operators (May 2018).

Impact
- Lays out specific technical guidance for critical infrastructure entities, including energy, banking, healthcare, and transport sector organizations that are vital to the EU member state government.
- Increased transparency and information sharing, requiring faster analysis and reporting by affected organizations.
- Identified critical infrastructure operators will be held to a higher cyber security standard and be specifically responsible for prevention of risks and incident response.


HyTrust Reduces Risk with NIS Examples

NIS Directive Reference: (46) Risk-management measures
Directive Summary: Measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems comprises the security of stored, transmitted and processed data.
HyTrust Use Cases: Data Protection. Proactive controls via HyTrust services and forensic-level logging for compliance verification. Security of data can be enforced via HyTrust DataControl.

NIS Directive Reference: (16) Security requirements and notification
Directive Summary: Security of systems and compliance with international standards (among other requirements).
HyTrust Use Cases: PIM, Data Protection. Security from insider threats and compliance templates/analysis can be done with HyTrust CloudControl.

NIS Directive Reference: (11), (14), (16)
Directive Summary: Many points in the directive refer to sharing of data among various government agencies.
HyTrust Use Cases: PIM, Data Sov. HyTrust CloudControl provides RBACs to give third parties customer-defined access to object-level functions, so that only the information required is shared.


Thank You
