In this practical introduction Jan explains, from his experience in the trenches of IT security, how to answer the difficult questions the new European legislation raises.
Nil novi sub sole. The first thing you should always remember: the requirements of GDPR are not that new. GDPR is based on existing legislation and security frameworks like ISO27k. This means there is a treasure chest of knowledge, templates, procedures and other security tools available. There is no need to reinvent the wheel.
Common sense is the superpower. If you decode the legal language, a lot of the requirements are plain common sense, and in my humble opinion this is the most important security product you need to comply. Security and privacy by design, for instance, should be ingrained in every project in your organisation.
Technology is your friend. Although no single technology or box can solve all your GDPR worries, there is a lot of technology and there are next-generation solutions that can make complying with GDPR a lot easier: rolling out encryption in the right way, for example, or the many tools that add artificial intelligence and machine learning as an extra security layer.
Talk, 21st of June 2017 - GDPR conference, Lint, Belgium
2. Accidental security expert
Jan Guldentops (°1973)
Founder of Better Access (°1996) and BA (°2003)
Open Source Fundamentalist (after hours)
Practical background in ICT and security
Security expert by accident
• Documented the security problems of the first Belgian internet bank in 1996, have been doing security ever since
• R&D (mainly security)
– Basta, Febelfin, Safeshops, etc.
9. Nothing new for the industry
● For the industry it is nothing new
● BS(1)7799, ISO27k family
● Based on existing privacy law
● Based on existing best practices
● e.g. COBIT
● Problems / challenges are the same
● The paradigm hasn't shifted
● New:
● Big stick
– 4% / 20.000.000
● DPO (but you often should have a security officer)
● Right to be forgotten
● Notification obligation (72h!)
10. Common sense
● Common sense is often so rare, you can start to consider it a superpower
● Understanding and thinking about the requirements solves a lot of problems.
● Think!
11. Realism
● There is no such thing as absolute security
● Plan for the worst!
● You will have a security / privacy breach sooner or later!
● So act like it!
● Educate your management
● Make contingency plans
● Nobody is infallible! (except the pope)
15. Other common sense elements
● Outsourcing / insourcing
● Security / privacy by design
● No bolt-on security
● Think before you develop / implement
● Conflict with the current development thinking
17. Encryption = magic bullet?
● "The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it."
● Magic bullet? Get-out-of-jail-free card?
18. Encryption can help
● Encrypt everything ?
● Devices
● Communication
● Datastores
● Servers
● Data at rest
● (Parts of) databases
● Helps with difficult tasks like
● Right to be forgotten
19. BUT!
● There is only one thing worse than not using encryption -> using bad encryption
● Choose the right software and algorithms
● Manage your keys!
– Almost nobody has a structured key management infrastructure
– You have to be able to delete and revoke keys
– No keys = no data
● Encryption is not only about confidentiality but also integrity
● If you implement encryption, don't only use it for confidentiality but also for integrity.
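Slides 18 and 19 together describe the approach: encrypt per subject, be able to delete and revoke keys, and use encryption for integrity as well as confidentiality. As an added example (not code from the talk), the Go program below encrypts each data subject's records under its own AES-256-GCM key, so that destroying the key erases the data wherever copies of the ciphertext live (crypto-shredding, one way to implement the right to be forgotten), and shows that the GCM authentication tag rejects a modified record. The in-memory KeyStore, the Record layout and the sample values are constructed for the illustration; a real deployment keeps the keys in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore holds one AES-256 key per data subject. Destroying a subject's key
// renders every record encrypted under it unintelligible (crypto-shredding).
// Illustrative in-memory store only; a real deployment needs a KMS or HSM.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// KeyFor returns the subject's key, generating a fresh random one on first use.
func (ks *KeyStore) KeyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// Forget implements erasure by destroying the key instead of hunting down
// every backup and replica that holds the ciphertext.
func (ks *KeyStore) Forget(subject string) { delete(ks.keys, subject) }

// Record is one encrypted field; Subject and Field are bound to the
// ciphertext as additional authenticated data.
type Record struct {
	Subject, Field string
	Nonce, Data    []byte // Data = ciphertext || 16-byte GCM tag
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under the subject's key. Because the AAD
// names the subject and field, a record cannot be silently re-attributed.
func Seal(ks *KeyStore, subject, field string, plaintext []byte) (*Record, error) {
	key, err := ks.KeyFor(subject)
	if err != nil {
		return nil, err
	}
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(subject+"|"+field))
	return &Record{Subject: subject, Field: field, Nonce: nonce, Data: ct}, nil
}

// Open decrypts and verifies. Any change to ciphertext, nonce, subject or
// field fails the tag check, which is the integrity half of the slide.
func Open(ks *KeyStore, r *Record) ([]byte, error) {
	key, ok := ks.keys[r.Subject]
	if !ok {
		return nil, errors.New("no key for subject: data is unrecoverable")
	}
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Data, []byte(r.Subject+"|"+r.Field))
}

func main() {
	ks := NewKeyStore()
	rec, _ := Seal(ks, "subject-42", "email", []byte("alice@example.test")) // constructed sample
	pt, err := Open(ks, rec)
	fmt.Printf("decrypt: %q err=%v\n", pt, err)
	rec.Data[0] ^= 0x01 // integrity: flip one ciphertext bit
	_, err = Open(ks, rec)
	fmt.Println("tampered:", err)
	rec.Data[0] ^= 0x01
	ks.Forget("subject-42") // right to be forgotten: key gone, record is noise
	_, err = Open(ks, rec)
	fmt.Println("after forget:", err)
}
```

The flip side is the slide's own warning, "no keys = no data": losing the key store loses every record at once, so key backup, rotation and access control on the store are part of the design, not an afterthought.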
20. Authentication and access control
● We are still using passwords!
● Need strong authentication! (two-factor)
● We need a centralised authentication system
● One directory for all
● Now often multiple authentication systems
● Role and policy based management of access to data
● Not ad hoc, per person ("à la tête du client")
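One way to make "role and policy based management of access to data" concrete, as an added Go example that is not code from the talk: roles come from a single directory, permissions from a policy that denies anything not explicitly listed, and sensitive data categories additionally require a second authentication factor, tying the access decision to the slide's demand for strong authentication. The sample directory, policy and category names are constructed for the illustration.

```go
package main

import "fmt"

// Decision is the outcome of an access check together with the reason, so the
// check itself produces an audit record of who was allowed what and why.
type Decision struct {
	Allowed bool
	Reason  string
}

// Policy maps role -> data category -> permitted actions. Anything not
// listed is denied: access is granted by policy, never ad hoc per person.
type Policy map[string]map[string][]string

// Directory is the single source of users and their roles ("one directory for all").
type Directory map[string][]string

// Session is what the authentication system asserted about the caller.
// Factors counts the authentication factors presented (1 = password only).
type Session struct {
	User    string
	Factors int
}

// Constructed sample policy (not from the talk): HR may read and update
// personnel and contact data, support may only read contact data, and
// auditors may read everything but change nothing.
var samplePolicy = Policy{
	"hr":      {"personnel": {"read", "update"}, "contact": {"read", "update"}},
	"support": {"contact": {"read"}},
	"auditor": {"personnel": {"read"}, "contact": {"read"}, "finance": {"read"}},
}

// Constructed sample directory.
var sampleDirectory = Directory{
	"jan":  {"hr"},
	"els":  {"support"},
	"noor": {"auditor", "support"},
}

// sensitive categories require two-factor authentication regardless of role.
var sensitive = map[string]bool{"personnel": true, "finance": true}

// Authorize answers "may this session perform action on category?" by
// consulting the directory for roles and the policy for permissions.
func Authorize(dir Directory, pol Policy, s Session, category, action string) Decision {
	roles, ok := dir[s.User]
	if !ok {
		return Decision{false, "unknown user " + s.User}
	}
	if sensitive[category] && s.Factors < 2 {
		return Decision{false, category + " requires two-factor authentication"}
	}
	for _, role := range roles {
		for _, permitted := range pol[role][category] { // nil-safe for unknown role or category
			if permitted == action {
				return Decision{true, fmt.Sprintf("role %s permits %s on %s", role, action, category)}
			}
		}
	}
	return Decision{false, fmt.Sprintf("no role of %s permits %s on %s", s.User, action, category)}
}

func main() {
	checks := []struct {
		s                Session
		category, action string
	}{
		{Session{"jan", 2}, "personnel", "update"},
		{Session{"jan", 1}, "personnel", "read"},
		{Session{"els", 1}, "contact", "read"},
		{Session{"els", 2}, "personnel", "read"},
		{Session{"noor", 2}, "finance", "read"},
		{Session{"noor", 2}, "contact", "update"},
		{Session{"ghost", 2}, "contact", "read"},
	}
	for _, c := range checks {
		d := Authorize(sampleDirectory, samplePolicy, c.s, c.category, c.action)
		fmt.Printf("%-6s %-9s %-6s -> %v (%s)\n", c.s.User, c.category, c.action, d.Allowed, d.Reason)
	}
}
```

Every denial carries its reason, so the same call that enforces the policy also feeds the traceability the next slide asks for.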
21. Traceability
● You want to know what happened, so you need to log what happens on your systems / with your data.
● Log what you need to know
● E.g. administrative access, access to files, access to applications, etc.
● Make it irrefutable
● Create tools for analysing these logs
● SIEM
● Advanced tools: track everything your employee does.
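"Make it irrefutable" needs more than appending to a file that the same administrator can edit. As an added example, not from the talk, this Go program chains audit entries with HMAC-SHA256 so that altering, reordering or removing a past entry breaks every link after it; the sample events (administrative, file and application access, the three kinds the slide names) and the demo key are constructed here. The key must live somewhere the log writer cannot reach, such as a separate signing service or HSM, otherwise whoever edits the log can also re-sign it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one audit record: the event text plus an HMAC over the previous
// entry's MAC, this entry's sequence number and the event, so entries are
// chained and order-dependent.
type Entry struct {
	Seq   int
	Event string
	MAC   string // hex HMAC-SHA256(key, prevMAC | seq | event)
}

// AuditLog is an append-only chain. The key is held here only for the demo;
// in practice it belongs in an HSM or a separate log-signing service.
type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) mac(prev string, seq int, event string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%s|%d|%s", prev, seq, event)
	return hex.EncodeToString(m.Sum(nil))
}

// Append links a new event to the current chain head.
func (l *AuditLog) Append(event string) {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	seq := len(l.entries)
	l.entries = append(l.entries, Entry{Seq: seq, Event: event, MAC: l.mac(prev, seq, event)})
}

// Verify recomputes the chain and returns the index of the first bad entry
// (-1 if intact). A modified, reordered or deleted entry breaks every link
// after it. Truncating the tail is not caught by the chain alone; for that,
// the head MAC must be periodically anchored outside the log.
func (l *AuditLog) Verify() (int, error) {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i {
			return i, errors.New("sequence gap: an entry was removed or reordered")
		}
		if !hmac.Equal([]byte(e.MAC), []byte(l.mac(prev, i, e.Event))) {
			return i, errors.New("MAC mismatch: entry was altered")
		}
		prev = e.MAC
	}
	return -1, nil
}

// Constructed sample events in the shape slide 21 asks for.
var sampleEvents = []string{
	"2017-06-21T09:00:01Z admin login user=jan src=10.0.0.5",
	"2017-06-21T09:02:10Z file read user=jan path=/hr/salaries.xlsx",
	"2017-06-21T09:05:44Z app access user=jan app=crm action=export",
}

// TamperDemo builds a log, rewrites one past entry and returns the index
// that Verify flags.
func TamperDemo() int {
	l := NewAuditLog([]byte("constructed-demo-key-not-for-production"))
	for _, ev := range sampleEvents {
		l.Append(ev)
	}
	// Someone rewrites the file-access event to hide what was read.
	l.entries[1].Event = strings.Replace(l.entries[1].Event, "salaries", "cafeteria-menu", 1)
	idx, _ := l.Verify()
	return idx
}

func main() {
	l := NewAuditLog([]byte("constructed-demo-key-not-for-production"))
	for _, ev := range sampleEvents {
		l.Append(ev)
	}
	idx, err := l.Verify()
	fmt.Println("intact log:", idx, err)
	fmt.Println("tampered entry detected at index:", TamperDemo())
}
```

Feeding such a log into a SIEM gives the analysis tooling the slide wants; the chain is what lets the SIEM, or an auditor, trust that what it analyses is what was written.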
22. Buy the right tools
● Companies offering you software to manage:
● ISMS
● GDPR
● Inventories
● Etc.
● Excel or documents
● The tools you use for other things
23. Automate
● We need 250.000 security experts in the coming 5 years.
● No, we need to automate things
● In system management:
– Puppet, Ansible, System Center, etc.
● Choose your poison
– Automated, managed updates
● e.g. #wannacry
● In development
– DevOps
– Automated testing
● In audit
● Etc.
24. Audit
● Traditional audits are extremely expensive, take time and will usually only be held every 3 to 5 years.
● Audit yourself:
● Vulnerability assessment tools (Nessus, Qualys)
● Do an access audit
● Or using open source: Kali
– A large stack of online tools
Important to remember:
2 ways in which we work with local governments:
Delivering complete solutions
Delivering mercenaries: consultants who temporarily supplement the knowledge of the ICT manager
Delivering technical support and troubleshooting
Delivering solutions to local governments since 1996