Symantec Webinar Part 2 of 6 GDPR Compliance

GDPR Compliance:
Maintaining Security in the Cloud
Clive Finlay
Director, Technical Account
Management and Product Specialists;
Symantec
Peter Gooch
Cyber Risk Services Partner;
Deloitte

Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY 2
Agenda:
• The GDPR: What does it mean for your organization?
• Cloud Security Solutions
• Question and Answer
Welcome!
GDPR Compliance: Maintaining Security in the Cloud

The General Data Protection Regulation
What does it mean for your business?
Peter Gooch
Deloitte

Recap on the regulation
GDPR and Cloud
GDPR programmes
General Data Protection Regulation (GDPR)
Contents

General Data Protection Regulation (GDPR)
Recap on what GDPR means
 A Revolution in Enforcement Fines
of up to 4% of annual revenue for
non-compliance. This can extend to
countries outside of the EU
 Data Protection Officers (DPO)
Organisations will likely need to
appoint a DPO if they process
personal data on a large scale
 Accountability
Burden of proof now on the
organisation not the individual
 Privacy Notices & Consent
Consumers must give “freely given,
specific, informed & unambiguous
consent”
Key Design Changes
 Breach Reporting Significant
breaches must be reported within
72 hours
 Encryption Organisations may get
exemptions from notifying
individuals of data breaches when
data is encrypted
 Online Profiling Individuals have
enhanced rights to opt out of and
object to online profiling and
tracking
 Privacy-by-Design Privacy must be at
the forefront of the design, build
and deployment of new
technologies
Process Re-Design
Changes to Ways of Working
 Data Inventories Organisations must demonstrate they know
what data they hold, where it is stored & who it is shared with
 Right to be Forgotten Consumers have a stronger right to request
deletion of their data
 Right to Data Portability Individuals are entitled to request copies of
their data in a readable and standardised format
 New Definitions of Data The scope of what Personal Data means has
been extended with the concept of pseudo-anonymous data

Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
6
GDPR - Program Implementation
Executive sponsorship,
business
accountability and
multi disciplinary
• Senior visibility and
sponsorship is key.
• This is not just a Legal or
IT problem.
• Few compliance topics
have implications across
such a wide range of
areas
1
Target state definition
and outcome-based
approach
• In many programmes we
see a vacuum between
the programme team and
the business, with each
side looking to the other
for increased guidance or
more ownership.
• It is key to establish
collective outcomes;
2
Risk appetite
definition and risk
based approach
• GDPR encourages a risk
based approach.
• Initially setting risk
appetite is a difficult but
important task; is your
goal to just comply, or
can privacy be a strategic
initiative?
3
Targeted internal
messaging – see the
benefits4
Operating model –
think long term and
sustainable
• This is not something that
is going away anytime
soon. Make sure your
programme includes the
definition of a long term
operating model that sets
out roles and
responsibilities such as
how privacy risk is
managed and how it is
monitored and assessed.
5
Top 5 thematic GDPR implementation considerations*
* Source: “The Time is Now: The Deloitte GDPR Benchmarking Survey, November 2017”.
Organisations need to quickly move from GDPR ‘planning’ and ‘mobilisation’, to a ‘build’ and ‘implementation’ focus through to May
2018 and beyond. This will take executive sponsorship, a strong outcomes-based emphasis and a forward-looking, long term perspective.
• It is vital to ensure internal
messaging is relevant such
that everyone can see the
importance of the topic.
This involves understanding
their individual role, the
impact of getting it wrong,
and the benefits that a
proactive approach to
privacy can bring in terms of
customer trust and
engagement.
Taking the requirements and objectives, through to implementation and Delivery

GDPR and Cloud
The key challenges
Documenting data flows and transfers
GDPR requires organisations to maintain a
record of the personal data they process, so a
more proactive approach to understanding and
documenting data flows, including to third
parties, is required.
Transparency
GDPR calls for great transparency over how
individuals' data is used, so having confidence
about how and where data is stored and being
able to communicate this is increasingly
important.
Retention
While the requirements around retention
have not changed, having clear agreements
with cloud providers on the retention and
transfer of data at the end of service must
not be overlooked.
Rights of individuals
The rights of individuals have greater prominence
under GDPR and although the right to Portability
is the only “new” right, it’s expected that
individuals will start to exercise existing rights
more frequently.
With this in mind, organisations need to make
sure that they have processes and mechanisms in
place to respond to requests, and this includes
where data is hosted in Cloud platforms.
Security
While the increased requirements on security are
relatively few, the potential impact has increased
significantly with fines of up to 4% of global
turnover. This means organisations should re-
assess their current posture in light of the change
in potential impact..
Managing third parties
GDPR formalises what has been considered good practice
around contracting with third parties and the
requirements needed.
Data processors also have increased responsibilities, such
as documenting the data processed, but more importantly
can now be directly liable to the regulator and subject to
financial penalties as well as the data controller. The
responsibility is now more shared than ever.
Accountability and
Control are Key

Clive Finlay
Symantec
Cloud Security Solutions
How to Maintain Security in the Cloud

The Evolving Business Model
and Threatlandscape

Complex User Definition
Evolving Data Attack Surface
Expanding Perimeter
Multi-Phased, Multi-Staged Attacks
10

Regional
Office
Headquarters
Data Center
Security Stack
11

Regional
Office
Headquarters
Data Center
Roaming
Users
Security Stack
12

Evolving Data Attack Surface
Regional
Office
Headquarters
Data Center
Roaming
Users
Security Stack
13

Direct Connect Creates Expanded Networks to Protect
The Expanding Network
Regional
Office
Headquarters
Data Center
Roaming
Users
SSL Encryption
SSL Encryption
Security Stack
SSL Encryption
14

Symantec Toolset for GDPR
How Symantec can help with visibility and control of
personal data on premise and in the cloud

How do I manage and report on my information risk management practices?
Who can access personal data and who has accessed it?
Can we control what personal data is accessible and who can access it?
Can we encrypt / obfuscate personal data at rest and in motion?
What personal data is out there, where is it, and where is it going?
Can we control where data resides?
Can we detect unauthorised access or breaches of personal data?
Can we quickly and thoroughly notify in the event of a breach?
Can we respond quickly and investigate thoroughly following a breach?
Risk Management
Control Compliance Suite (CCS)
Endpoint Mgmt. (EPM)
Information Centric Security
Data Loss Prevention (DLP)
Cloud Access Security Broker
(CASB)
VIP (2-factor)
Encryption (PGP)
Cloud Data Protection (data
tokenisation)
Breach Response
Monitoring Security Service
(MSS)
Incident Response Service
Security Analytics
How Symantec can Assist with the GDPR?
16

See Data
Wherever It Lives
Protect Data
from Being Leaked
Control
User Access
Information Centric Security
17

How do I capture organizational knowledge
about data relevant to GDPR?
• Content-aware Data Loss Prevention
(DLP) gives you visibility of sensitive
data across any channel: cloud,
endpoints, email, web, repositories.
• Information Centric Tagging (ICT)
augments DLP allowing users to
classify data as they create it.
Public WiFi Home Office
EVERY LOCATION
Regional Office
ON-PREM
Datacenter Mobile BYO
EVERY DEVICE
USB
DLP
ICT
18

How do I get visibility of Personal Identifiable
Information (PII) in the Cloud?
• DLP integrates with Cloud Access
Security Broker’s (CASB’s) CloudSoc to
extend policies to cloud apps and
managed incidents on a single
console.
EVERY LOCATION
Regional Office
ON-PREM
EVERY DEVICE
USB
DLP
ICT
CloudSOC
19

How do I protect PII data when it’s
outside of my control?
• Information Centric Encryption (ICE)
keeps your data safe from unwanted
access where it resides and provides
central management to revoke access to
the file or user.
EVERY LOCATION
Regional Office
ON-PREM
EVERY DEVICE
USB
DLP
ICT
CloudSOC
ICE
20

How can I ensure PII data relevant to
GDPR will not be compromised?
• Validation and ID Protection Service
(VIP) Multi-Factor Authentication
(MFA) controls access by protecting
your data from stolen credentials.
EVERY LOCATION
Regional Office
ON-PREM
EVERY DEVICE
USB
DLP
ICT VIP
CloudSOC
ICE
21

How do I discover malicious
insiders or outsiders?
• Information Centric Analytics
(powered by Bay Dynamics) analyzes
security alerts across multiple
products to identify risky behavior
and unveil malicious users.
EVERY LOCATION
Regional Office
ON-PREM
EVERY DEVICE
USB
DLP
ICT VIP
CloudSOC
ICE
ICA
22




The Symantec Data Loss Prevention Platform
Architecture
23

On-premises
DLP Detection
DLP Enforce
Management Server
The Challenges
26% of Cloud Docs
are Broadly Shared1
• Proliferation of Cloud Apps
• Shadow Data Problem
• Compromised Accounts
Visibility, Protection, & Control in Cloud Apps
24

Extending DLP into cloud
applications
Apply Existing DLP Policies to Cloud
Leverage existing DLP Workflow
Gain Full CASB Functionality
• Inline Blocking and Offline Remediation
• Shadow IT Analysis
• User Behavior Analytics
Extend DLP to Cloud Apps
On-premises
DLP Detection
DLP Enforce
Management Server
Visibility, Protection, & Control in Cloud Apps
25




The Symantec Data Loss Prevention Platform
Architecture
Validation and ID Protection Service (VIP)
Secures access to critical data with Multi-Factor Authentication
Information Centric Encryption (ICE)
Integrated policy driven encryption and identity access
Information Centric Tagging (ICT)
Increases DLP efficiency with Users driving DLP data classification
Information Centric Analytics (ICA)
User Entity Behavior Analytics to find most risky or malicious users
VIP
ICT
ICE
ICA
26

Data Loss Prevention (DLP)
Discovers sensitive data across all channels with central policy controls
Symantec Information Centric Security
Information Centric Encryption (ICE)
Integrated policy driven encryption and identity access
Information Centric Tagging (ICT)
Increases DLP efficiency with Users driving DLP data classification
Information Centric Analytics (ICA)
User Entity Behavior Analytics to find most risky or malicious users
DLP
VIP
ICA
ICT
CloudSOC (CASB)
Extends existing DLP policies, workflows and detection to Cloud Apps
Validation and ID Protection Service (VIP)
Secures access to critical data with Multi-Factor Authentication
CloudSOC
ICE
Summary
27

Market Leadership
World class content-aware Data Loss Prevention from Symantec
• 10 consecutive years as Gartner magic quadrant leader because
– Broadest coverage of data loss channels (cloud, web, endpoints,
servers, file shares, network)
– Most comprehensive, content-aware detection - from data
fingerprinting to image analysis
– Easy to manage and deploy DLP
• Forrester also has Symantec as Leader because - “It also offers a rich set
of capabilities to help firms meet privacy requirements.”
Market Leading Cloud Access Security Broker in first Forrester Wave™
for Cloud Security and Gartner Magic Quadrant for CASB
• “It has strong capabilities for Salesforce and other structured data
protection, including search, sort, and filtering operations, and offers a
wide selection of encryption and decryption policy options.”
Delivering Information-Centric Security
The Forrester Wave™: Data Loss
Prevention Suites, Q4 2016
Gartner Magic Quadrant:
Enterprise Data Loss Prevention
(February 2017)
The Forrester Wave™:
Cloud Security Gateways,
Q4 2016
Gartner Magic Quadrant:
Cloud Access Security Broker
(CASB) (Nov 2017) 28

Why Symantec for GDPR?
World Class
Information protection
Global Leader in
Cyber Security
Leading Breach
detection and
response
Unbiased and lower
operating costs
Compliance
monitoring &
reporting
State of the Art
Technology
29

Symantec Assessment Services
Delivered by Partners or Symantec Consulting using Symantec Technology
• Determine priority areas of focus for
your organisation
CCS GDPR
Readiness
Assessment
• Discover sensitive personal data
risks in your organisation
DLP Risk
Assessment
• Discover Cloud usage risks in your
organisation, and data at risk of
exposure in sanctioned Cloud
Shadow IT & Cloud
Data Risk
Assessments
30

Question and Answer
Please post your questions in the chat box now!
Peter Gooch
Deloitte
Clive Finlay
Symantec

Thank you!
Peter Gooch
Deloitte
Clive Finlay
Symantec

Symantec Webinar Part 2 of 6 GDPR Compliance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Symantec Webinar Part 2 of 6 GDPR Compliance

Similar to Symantec Webinar Part 2 of 6 GDPR Compliance (20)

More from Symantec

More from Symantec (20)

Recently uploaded

Recently uploaded (20)

Symantec Webinar Part 2 of 6 GDPR Compliance