Public concern for the safety of data is growing – not just in how criminals might use stolen data to commit fraud, but also in how personal data is used by the organisations we engage with.
The EU General Data Protection Regulation (GDPR) is designed to confront these concerns, defining a range of requirements to govern how organisations collect, store, process, retain, and share the personal data of EU citizens – irrespective of whether that organisation has a physical presence within the EU.
In this session, we explore the specific data management requirements demanded by the GDPR, digital ethics and everyone's role in being conscientious stewards of customer data, and discuss how MongoDB can provide the core technology foundations to help organisations accelerate their path to compliance.
Download the guide to GDPR and Impact to Data Management:
https://www.mongodb.com/collateral/gdpr-impact-to-your-data-management-landscape
2. GDPR
Data Ethics and Privacy in a GDPR World
Kenneth White, Product Security Lead, MongoDB Engineering
kenneth.white@mongodb.com
Mat Keep, Senior Director, MongoDB Product Team
mat.keep@mongodb.com
@matkeep
3. Agenda
• GDPR Overview & Requirements
• Data Management Impacts
• Security Controls & Ethics
• Case Studies
• Next Steps
4. Disclosure
For a full description of the GDPR’s regulations, roles, and responsibilities, it is recommended that readers refer to the text of the GDPR (Regulation (EU) 2016/679), available from the Official Journal of the European Union, and refer to legal counsel for the interpretation of how the regulations apply to their organization.
5. GDPR Rationale
• How safe is our personal data?
• How is personal data used by the organizations we choose to share it with?
  ○ Damage our reputations
  ○ Deny us access to healthcare or financial services
  ○ Discriminate against us
  ○ Reduce our autonomy, freedom, individuality
"Cyber crime is the greatest threat to every company in the world"
Ginni Rometty, IBM’s chairman, president and CEO (CyberSecurity Ventures)
6. What is the GDPR?
• EU General Data Protection Regulation 2016/679
• Enshrines protection & privacy of EU citizen data as a human right
• Governs how organizations collect, store, process, retain, and share the personal data of EU citizens
• Applies globally
• Enforced from May 25th 2018
• Fines of up to 4% of global turnover or €20m
7. Why is GDPR Necessary?
• Replaces Data Protection Directive 95/46/EC, enacted in 1995
• Implementations varied across EU member states
• Technology has moved on
• No global reach
• Expands the scope of “personal data”
Data Breach, defined by the GDPR
“‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
8. Key GDPR Demands
• Explicit consent: defines for what, how long, who data is shared with
• Data protection & privacy by design, by default
• Review data at any time, portability between service providers
• Right to be forgotten
• Right to review automated decisions
• Breach notification within 72 hours
• Applicable to any organization processing EU citizen data
9. GDPR: 6 Months In…
"Only 27% of EU companies believe they are GDPR compliant" (TrustArc, July 2018)
"Just a third of companies are complying with subject access requests" (Talend, September 2018)
"Portuguese hospital hit with €400,000 fine for two GDPR violations" (IT Pro, 29-10-2018)
12. What’s Needed for Compliance?
What compliance isn’t…
• Turn on a bunch of database security controls
• BOOM…we’re done!
What compliance is…
• People
  ○ Roles, responsibilities, accountability
• Process
  ○ Business practices
• Product
  ○ Technologies to implement controls
13. GDPR Data Protection Requirements
• DISCOVER: Identify all PII in your systems
• DEFEND: Implement appropriate security controls
• DETECT: Monitor to identify suspicious behavior, remediate gaps
15. MongoDB Security Capabilities
Providing customers with control over their data
Authentication & Authorization
• LDAP, Kerberos, x.509 certificates
• On-premises AD or Azure Domain Services
Rich Role Based Access Controls (RBAC)
• Read-only database views
• Redacted query logs
16. MongoDB Security Capabilities
Providing customers with control over their data
Advanced Auditing & Administrative Controls
• Consumed through web services, remote SysLog, Change Stream events, 100% API logs
• User account/privilege mods made outside Atlas API automatically blocked
17. MongoDB Security Capabilities
Providing customers with control over their data
Enterprise-grade Encryption Options
• Whole volume encryption w/ single-use keys
• Encrypted Storage Engine with BYO key mgmt
• TLS 1.2 in-flight encryption default across all products, full forward secrecy ephemeral ECC & ECDSA support on API endpoints
• Strong Challenge-Response (SCRAM-256)
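The following mongod.conf is an added example, not taken from the deck or from MongoDB's own documentation; it turns on the self-managed controls listed on slides 15 to 17 (SCRAM and x.509 authentication, TLS in flight, the Encrypted Storage Engine with KMIP-managed keys, redacted query logs, and audit events shipped to syslog). The file paths, KMIP host and bind address are assumptions, and the Encrypted Storage Engine, log redaction and auditing require MongoDB Enterprise.

```yaml
# Hardened mongod.conf (added example). Paths, hosts and addresses below are assumptions.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5        # assumed private interface; the default 0.0.0.0-style exposure is what to avoid
  tls:
    mode: requireTLS                # default is disabled; requireTLS rejects plaintext client connections
    certificateKeyFile: /etc/ssl/mongodb.pem    # assumed path: server cert + key
    CAFile: /etc/ssl/ca.pem                     # assumed path; with a CAFile set, clients must present a
                                                # certificate from this CA unless allowConnectionsWithoutCertificates is true
    disabledProtocols: TLS1_0,TLS1_1            # leaves TLS 1.2 (and 1.3 where the build supports it)

security:
  authorization: enabled            # default is disabled, which gives every connecting client full access
  redactClientLogData: true         # strips field values (personal data) from slow-query and error log lines
  enableEncryption: true            # Encrypted Storage Engine: data files encrypted at rest
  encryptionCipherMode: AES256-GCM  # AES256-CBC is the default; GCM is not available on Windows
  kmip:                             # bring-your-own key management: the master key never lives on the database host
    serverName: kmip.example.internal           # assumed KMIP endpoint
    port: 5696
    clientCertificateFile: /etc/ssl/kmip-client.pem   # assumed path
    serverCAFile: /etc/ssl/kmip-ca.pem                # assumed path

setParameter:
  # SCRAM-SHA-256 for password logins (the deck's "SCRAM-256"), MONGODB-X509 for certificate logins;
  # listing them explicitly drops the older SCRAM-SHA-1 mechanism
  authenticationMechanisms: SCRAM-SHA-256,MONGODB-X509

auditLog:
  destination: syslog               # remote SysLog as on slide 16; alternatively destination: file, format: JSON, path: ...
  # audit every authentication attempt and every change to users and roles, rather than every operation
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "updateUser", "grantRolesToUser", "revokeRolesFromUser", "createRole", "dropRole", "updateRole" ] } }'
```

After changing the file, restart mongod and confirm from a client that an unauthenticated or plaintext connection is refused and that the audit entries reach the syslog collector.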
18. Atlas Security
MongoDB’s DBaaS in the Cloud
• SCRAM authentication enforced
• Pre-defined roles against each database
• IP whitelisting enforced
• VPC Peering option with application tier
• 2FA authentication for admin console
• Encrypted data volumes
• Ingress blocked by default
• TLS 1.2 by default
19. Atlas Security
MongoDB’s DBaaS in the Cloud
• Temporary, expiring accounts
• Temporary, expiring whitelist origins
• 24 hour opt-in control plane tokens
• Customer managed encryption keys
  - AWS KMS
  - Azure Vault
  - GCP Cloud KMS coming soon
20. Data Ethics and Community
● Commitment to open development and open standards
○ LetsEncrypt
○ IETF ACME automated certificate management standard
○ KMIP development
○ LDAP standards
○ Regional security and local developer conferences
21. Long-Term Path
● Enhanced encryption options for data-in-use
● Deeper integration with cloud HSM/key management services
● TLS 1.3 support w/ Forward Secret-only AEAD ciphersuites & ECC KeyEx
● U2F/WebAuthn token identity support
● X.509 authentication for Atlas clusters
● Best-in-field 3rd party software security engineering review
23. Single Customer View
Improving customer experience, providing platform to manage user permissions
Problem
• Customer data spread across many source systems, no way to get a single view of its customers
• Opportunities to improve customer service online & via call centres
• Faster fraud detection
• Legal & marketing need to be able to manage customer preferences
Solution (Why MongoDB)
• Built a single view, extracting data from source systems, transforming and loading to MongoDB
• MongoDB Atlas on AWS with Kafka for messaging and transformations, built on microservices architecture
Results
• Project delivered in 3 months, using MongoDB single view reference architecture
• Reduced average call centre handling times by 40%
• Fraud detection lead times reduced from hours to seconds
• Legal and marketing can now comply with requests for personal information, and launch marketing campaigns faster
24. Using GDPR to Support Business Transformation
10-Step Methodology to Creating a Single Customer View
Download the Whitepaper
25. Digital Transformation with MongoDB
UK’s Leading Commercial Property Data Service Drives GDPR readiness
Problem
• Need to develop a new platform for the company to move from traditional print media to a digital business delivering market intelligence and tools across multiple online channels
• Monolithic application architecture and rigid relational database prevented IT team pushing new updates any more than once per month
Solution (Why MongoDB)
• Moved to MEAN stack powered by a microservices-based architecture in the cloud
• MongoDB Enterprise Advanced for access to Ops Manager, Compass and Support
• MongoDB Encrypted storage engine to support GDPR readiness
Results
• Transformed business: now digital is driving revenue growth
• Supports 50x more releases per month, with always on availability
• Faster development velocity to build custom services for multiple market segments