Speakers: Paige Bartley, Senior Analyst, Data and Enterprise Intelligence, Ovum + Cameron Tovey, Head of Information Security, Confluent
For many organizations that want to adopt streaming data, strengthening their governance protocol is a key requirement. While this certainly poses a challenge for data protection regulations and standards, it also limits the potential of data in broader enterprise initiatives that look to maximize the value of information.
There’s a prevailing enterprise perception that compliance with data protection regulations and standards, such as the General Data Protection Regulation (GDPR) in the EU, the Payment Card Industry (PCI) standard, International Standards Organization (ISO) standards and many others, is a burden that limits how data can be leveraged. However, the core requirement of compliance—better control of data—has multiple downstream benefits. When compliance objectives are aligned with existing business objectives, the business can experience a net gain.
Learning objectives:
- Understand how data compliance can be a facilitator of existing business objectives rather than a burden
- Find out how to align existing business initiatives with compliance initiatives for maximum business benefit
- Learn about the place of streaming data and data-in-motion in the compliance effort
- Identify governance and tooling needs, existing controls and how they apply to new and emerging technology
- Discover your options for improving governance
Align Data Governance with Business Goals in Streaming Era
Slide 1
Compliance in Motion: Aligning Data Governance Initiatives with Business Objectives in the Streaming Era
Paige Bartley, Cameron Tovey
Slide 2
Cameron Tovey, Head of Information Security, Confluent
Cameron Tovey is the head of information security at Confluent. With nearly 20 years of experience protecting data, he ensures that Confluent’s information security program is complete and running smoothly. Before Confluent he protected data for technology startups, healthcare organizations, retail companies, banking institutions and other Fortune 100 entities.
Paige Bartley, Senior Analyst, Data and Enterprise Intelligence, Ovum
Paige specializes in all aspects of the data lifecycle including creation, cleansing, security, privacy and productivity. Working across the information management space, Paige researches how data use affects both large organizations and individuals alike. Paige’s other areas of expertise include regulatory and legal matters, data preparation, data quality, unstructured data, master data and records management, as well as neuroscience and cognitive science.
Slide 3
Session Overview
● This session will be one hour
● The last 10-15 minutes will consist of Q&A
● Submit questions by entering them into the GoToWebinar panel
● The slides and recording will be available
Slide 27
What is driving compliance in your organization?
● Confluent Cloud
● Managing risk
● Shortening the sales cycle
Slide 28
Managing Risk
Governmental Regulations:
● General Data Protection Regulation (GDPR)
● Health Insurance Portability and Accountability (HIPAA)
● Federal Risk and Authorization Management Program (FedRAMP)
Many organizations must address these regulatory requirements, either because they directly process or store protected information, or because their customers need them to process or store protected information.
Data Protection Standards:
● ISO/IEC 27000 series standards
● Payment Card Industry Data Security Standard (PCI DSS)
● Service Organization Control 2 (SOC 2)
The ability of these standards to change at a reasonable rate, matching and staying in line with industry trends, is what keeps them applicable and reusable in an effective data security and compliance program.
Slide 30
Regulations and Standards
Health Insurance Portability and Accountability (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Compliance with this regulation includes performing a gap assessment to understand which holes need to be fixed in order to properly comply, then putting together a remediation plan and beginning its implementation.
General Data Protection Regulation (GDPR)
This European regulation identifies the rights of individuals to request a copy of, make changes to, or have personal information completely deleted from systems. It also requires clear communication to individuals regarding the purposes for which their information is being used.
Federal Risk and Authorization Management Program (FedRAMP)
Federal Information Security Modernization Act (FISMA)
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Required by U.S. government entities for cloud services, FedRAMP requires implementation of National Institute of Standards and Technology (NIST) standards for data protection.
Slide 31
Regulations and Standards
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS has specific technical requirements designed to protect credit card data used in processing payments. It strictly controls which pieces of data normally contained on the magnetic stripe of a credit card may be retained by a company, and what controls must be in place in order to do so.
Service Organization Control (SOC 2)
Defined by the American Institute of Certified Public Accountants (AICPA), this audit standard provides an external and independent assessment of a service provider’s controls environment. Well recognized in the U.S., this audit assessment covers how well an organization’s security program has operated its security controls over a period of time.
ISO 27001 & ISO 27018
The International Standards Organization (ISO) has provided guidance on how to implement an effective information security management system (ISMS). The 27001 standard provides requirements for establishing, implementing, maintaining and continually improving an ISMS. The 27018 standard focuses on protection of personal data in the cloud.
Slide 32
Three Pillars of Data Protection
● Confidentiality: data is only accessible to those to whom it is intended.
● Availability: the ability to access data at the moment required.
● Integrity: ensuring that data does not change inappropriately.
Slide 33
Emerging Technology
Streaming Technology
● Confidentiality
● Integrity
● Availability
● Authentication
● Authorization
● Audit/Non-Repudiation/Logging
Cloud Services
● Shared Responsibility Model
● What does your provider control?
● What controls do they evidence for you?
● Are their controls good enough for you?
● What do you control?
● What are your requirements for the things in your control?
Slide 34
Streaming Technology
Confidentiality – What controls are available for data confidentiality?
● Does the system encrypt data in transit?
● Does the system encrypt data at rest?
● How are these accomplished?
● Does the system provide role-based access controls?
● Does the system integrate with directory services or use single sign-on (SSO)?
Integrity – What controls are available to maintain data integrity?
● Who has access to make changes?
● How do you know your data is accurate?
● What is the backup model (i.e., traditional data or system backups or distributed copies of data)?
● How long does it take to recover from a problem?
Availability – What controls are utilized for availability and performance scaling to accommodate growth?
● What level of service is guaranteed?
● How do I measure compliance with your commitments for uptime?
● What is your plan to resolve issues in the event of downtime?
Slide 35
Streaming Technology
Authentication – What controls are available to authenticate both customer users and service provider users?
● Can customer authentication services like LDAP, Active Directory or single sign-on be integrated?
● Can password and other authentication settings be managed by the customer?
● Can users utilize multi-factor authentication?
● How do automated processes integrate with the service?
● How are authentication credentials protected?
Authorization – What different activities can the customer control or limit?
● Are role-based controls available?
● Are roles able to be defined to match my organization in your system?
● What are the critical functions that should or could be limited?
● Is the ability to limit read, write, delete, and administration functions available?
Audit – How can a customer monitor access and changes to data and environments?
● Are system activities logged?
● How are these logs available to the customer?
● Are the logs available in a format that can be automatically consumed and processed by customer systems?
Slide 36
Cloud Services
Shared Responsibility Model
Responsibility for security of data and systems deployed in any cloud provider is always shared.
Cloud Service Provider Controls
There are controls clearly provided by the cloud service provider over which the customer has little or no influence.
Optional Controls
There are controls made available by the cloud service provider which the customer can choose to implement at their discretion.
Customer Controls
There are controls that are completely in control of the customer who utilizes a cloud service.
Slide 37
Cloud Services
● What controls does the cloud service provider make available to all customers?
● Is an external opinion or audit report available that explains the controls they put in place?
● Are the documented controls sufficient?
● What controls are the responsibility of the customer?
● Does the customer have an accounting of the customer-responsible controls?
● Are customer controls and settings documented?
● Are the available customer controls and settings configured correctly?
● How does a customer monitor for when changes made expose customer data or systems?
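As an added example (not from the slides or from Confluent), this is the kind of customer-side check that slide 35 (logs in a format customer systems can consume) and slide 37 (monitoring for changes that expose data) point at: machine-readable audit events are parsed and compared against the access the customer has documented as expected, so denied attempts, unexpected writes and administrative (ACL) changes surface. The event schema, operation names and principals are constructed for illustration, not any product’s real log format.

```python
import json
from collections import Counter

# Constructed sample audit events (hypothetical newline-delimited JSON schema):
# who did what to which resource, and whether the platform granted it.
SAMPLE_AUDIT_LOG = """
{"ts":"2019-06-01T10:00:01Z","principal":"svc-orders","op":"Write","resource":"topic:orders","granted":true}
{"ts":"2019-06-01T10:00:02Z","principal":"svc-billing","op":"Read","resource":"topic:orders","granted":true}
{"ts":"2019-06-01T10:00:03Z","principal":"analyst-1","op":"Delete","resource":"topic:orders","granted":false}
{"ts":"2019-06-01T10:00:04Z","principal":"analyst-1","op":"AlterAcl","resource":"topic:orders","granted":true}
{"ts":"2019-06-01T10:00:05Z","principal":"svc-billing","op":"Write","resource":"topic:payments","granted":true}
"""

# The customer's own documented expectation of who may do what
# (operation -> resource -> allowed principals). Constructed values.
EXPECTED_ACCESS = {
    "Write": {"topic:orders": {"svc-orders"}, "topic:payments": {"svc-payments"}},
    "Delete": {"topic:orders": set()},
    "AlterAcl": {"topic:orders": {"platform-admin"}},
}
# Operations that change controls or structure rather than data.
ADMIN_OPS = {"AlterAcl", "AlterConfig", "CreateTopic", "DeleteTopic"}


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_events(events, expected=EXPECTED_ACCESS, admin_ops=ADMIN_OPS):
    """Return (severity, message) findings for events worth a human's attention."""
    findings = []
    for ev in events:
        who, op, res = ev["principal"], ev["op"], ev["resource"]
        if not ev["granted"]:
            # Denied attempts are evidence the control worked, but still worth tracking.
            findings.append(("info", f"denied {op} on {res} by {who}"))
            continue
        allowed = expected.get(op, {}).get(res)
        if allowed is not None and who not in allowed:
            # Granted by the platform but outside what the customer documented.
            sev = "high" if op in admin_ops else "medium"
            findings.append((sev, f"unexpected {op} on {res} by {who}"))
        elif op in admin_ops:
            findings.append(("info", f"admin change: {op} on {res} by {who}"))
    return findings


def summarize(findings):
    """Count findings per severity for a quick compliance dashboard figure."""
    return Counter(sev for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in review_events(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"[{sev}] {msg}")
```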
Slide 38
Resources and Next Steps
https://confluent.io
http://cnfl.io/slack
#security
@confluentinc