GDPR for DevOp(Sec) - The laws, Controls and solutions
About this ebook
GDPR - the laws, controls and measurements that result in compliance, with the focus on DevOps
GDPR for DevOp(Sec) - The laws, Controls and solutions - Alasdair Gilchrist
GDPR – DevOp(Sec); the law, strategy, controls and solutions
Introduction – GDPR and the role of DevOps
Chapter I - Introduction to GDPR
Data Protective Directive (DPD)
Introduction to GDPR Definitions
Controllers vs. Processors
Data Subjects
Personal Data
DPA/Supervisory Body
Chapter II – GDPR Principles and New Articles
What does this mean for you and your business?
Increased Territorial Scope
GDPR's expansion of Processor responsibility
GDPR's expanded concept of consent
Data Subject Rights
Breach Notification
Right to Access
Right to be Forgotten
Right to Object
Data Portability
Privacy by Design
Transparency
Data Subject Profiling
Defining profiling
Legitimate Interests & Direct Marketing
Chapter III - Data Governance & Data Management
Why Manage Data?
Placing the Focus on DevOp(Sec)
Chapter IV – The Data Life Cycle
Understanding how data flows through an Organization
The Data Life Cycle
Chapter V – Performing a Privacy Impact Assessment
Assessing GDPR Readiness
Privacy Impact Assessment
Performing a PIA for GDPR Readiness
Assessing for GDPR Compliance
Chapter VI - Application Development Life Cycle
Project Planning (Privacy by Design and Default)
How DevOp(Sec) facilitates security and compliance
An Example Use Case: Developing a Mobile App
Planning stage
GDPR Privacy Controls for Application Development
Chapter VII - Translating Minimization, Transparency and Anonymisation into Controls
Transparency
Anonymisation and Pseudonymisation
Pseudonymising Techniques - Encryption & Hashing
Encryption Families
Symmetric Encryption
ECDH
Perfect Forward Secrecy
Contiguous Security Coverage
Centralized Data Security Administration
Emerging Technologies
Three Critical Components of a Total Information Security Strategy
How to Conduct an Effective Risk Assessment
Protecting Data in Transport (SSL/TLS)
Protecting Data at Rest (Cloud)
Securing PII data
Encrypting Data In Transit
vs. Data At Rest
Chapter VIII - Application Development Controls
Mobile Apps
Secure Data Storage
Understand Data Deletion Process
Chapter IX – Compliance in Code
Defining Policies Upfront
Automated Gates and Checks
Managing Changes in Continuous Delivery
Separation of Duties in DevOps
Code Instead of Paperwork
Chapter X – The Cloud and Shadow IT
APIs and Chatbot
Chapter XI - In Summary
Audit
Data Lifecycle Management (DLM)
Automation
Transparency
GDPR – DevOp(Sec); the law, strategy, controls and solutions
Introduction – GDPR and the role of DevOps
The EU General Data Protection Regulation will come into force in May 2018, and it will require products (goods and services) provided to EU subjects, whether charged for or free, to have been designed and developed with the highest regard to the privacy of the user. The GDPR introduces several new principles which are directly related to the design, development and security process. For example, 'Privacy by Design and Default' requires that privacy is baked into the product and not added as an afterthought, nor left to the user to opt into as a more secure setting. Similarly, there are the key principles of Consent, Transparency and Minimization, which will have profound effects on how personal data can be collected. For example, EU resident data subjects will have the right to expect that their PII is held securely and accurately and, what is more, that the source of the data and their consent are documented historically. Furthermore, it is a requirement that their PII data can be ported to a competitor, corrected for accuracy or erased on request (the right to be forgotten).
GDPR will therefore be a severe constraint on designers and on Sales and Marketing with regard to the collection and handling of personal data. The days of freely appropriating users' personal data and collecting anything and everything are over, in the EU Economic Market at least.
The European Economic Area is a vast economic market; it is the second largest economy in the world both in nominal terms and according to purchasing power parity (PPP). The European Union also has a more egalitarian distribution of incomes than the world average, so it is not a market to be wilfully ignored. Hence, the GDPR is not something that organisations within or outside the EU community can simply ignore; consequently, organisations must address how they develop, market and distribute their products within the European Union.
To comply with the new GDPR, organisations wishing to trade in Europe will need to implement controls and compliance measures that are designed into products at the beginning of the product life cycle. This means products will have to be developed, quality assured and securely operated in compliance with the GDPR. Hence, should a company wish to do business in the European Economic Area, it will need to re-evaluate its development and marketing processes.
DevOps represents the integration of development, IT operations and quality assurance under a single automated umbrella. This is the essence of DevOps: a model where IT professionals from all areas work together from the beginning to dramatically reduce the time to release a product. The goal of DevOps was to turn the IT business model on its head and produce shorter cycle times through automation and deep cross-functional integration, delivering innovation at a rapid pace. However, this approach leaves security and 'sales and marketing' as peripheral figures during the product development life cycle.
In order to operate efficiently, DevOps needs to integrate a number of functional areas, including security, if it is going to be capable of building compliance and privacy into the final work product. The major difference in this new DevOp(Sec)-oriented world is that everyone's input, from security as well as from sales and marketing, will be required from the beginning and then automated to ensure short, predictable release times. This is primarily because most developers are not security experts; security experts are needed now, more than ever, to partner with the other skill areas. Additionally, and in a similar vein, developers, IT operations and security practitioners often find the motives and drivers of sales and marketing alien, so representatives from sales and marketing must be incorporated early into the design and development process.
The major change is that security experts should seek to partner with the rest of the organization, and do so from the beginning of the development process, which has not always been the norm. The alternative is to keep security as its own functional department, but that loses the key advantage of DevOps: cross-functional integration.
DevOps is actually a boon for security practitioners, who can, with the right automation and operational tools, inject security earlier into the development process, and increase the security of the code that ultimately reaches production.
However, applications are not developed just to be secure or compliant; they must primarily have a purpose. This is where the early involvement of Sales and Marketing is essential, as it is their requirements and specifications that target the business goals, and these must be made compliant with regulations and made secure whilst retaining the product's fitness for purpose.
Application and data security is not the least of the challenges raised by GDPR. The ability to deliver applications that are both ‘secure by design’ and adhere to the ‘privacy by design’ philosophy will be a challenge and an opportunity for DevOps teams.
The earlier security is introduced into the development process, the more likely the product is to meet its security and compliance obligations whilst retaining its original business target. Just as operations, quality assurance and developers have had to adjust to cross-functional integration, where there is an expectation of collaboration and knowledge sharing, security practitioners will also need to adopt this new paradigm.
Chapter I - Introduction to GDPR
To set the scene for the introduction of the General Data Protection Regulation (GDPR), we will first spend this chapter considering the present legislation and how it affects business today. The current data privacy laws in the EU member states vary quite considerably, as each member state has applied the EU Data Protection Directive 96/46/EC as the basis for its own data privacy laws. This is because the Data Protection Directive 95/46/EC was only a Directive and as such amounts to recommended guidelines rather than a regulation or mandatory articles of law. The EU GDPR, on the other hand, is a regulation, so it will be brought into law in its entirety in each member state. Hence, for the first time, there will be a common data privacy law across all member states of the EU Community.
The fundamental importance of the current EU Data Protection Directive 96/46/EU is that it addresses an important EU principle: the right to privacy for all EU residents. This principle is extremely important, as it is considered in the EU to be a fundamental human right. Indeed, the right to privacy was adopted back in 1950 and subsequently introduced at the EU Human Rights Conference in 1998 under Article 8 (Right to Privacy) of the Human Rights Act (HRA 1998) in European law.
In the UK, for example, it is important to consider that the present law, the EU-harmonised Data Protection Act of 1998, is based upon the EU Data Protection Directive of 1995, and that all member states of the EU have similar laws based upon the Data Protection Directive, applied within their own legal structures. The flexibility allowed when implementing the Directive, however, has resulted in a disparate set of privacy laws throughout the European Community, which has been far from ideal.
Ironically, the Data Protection Directive 95/46/EC of 24 October 1995 was the European Union's answer to the existing division of privacy regulations across the EU. Hence, its major goals included the harmonization of data protection laws and the regulation of transfers of personal data to third countries outside of the Union. It established independent public authorities called Data Protection Authorities (DPAs) in each member state in order to supervise the application of the directive and serve as the regulatory body for interactions with businesses and citizens. The DPD also allowed transfers of personal data to third countries, on the condition that those countries were authorized as having adequate levels of protection for the data. This was an important point, as third countries would be required to guarantee protections comparable to those within the EU, for example by sharing a comparable ethos regarding data privacy. Overall, the directive has worked well despite creaking with age, and it stays true to the original recommendations and the core concept of privacy as a fundamental human right.
Data Protective Directive (DPD)
The DPD is what exists today: variants of the Data Protective Directive (DPD) implemented in each member state. In the UK, for example, it is called the Data Protection Act.
However, as the DPD is now over twenty years old and was drafted long before the prevalence of the web, mobile data and social media, it was struggling to find relevance in the modern world. Consequently, a new revision was proposed, and the UK, amongst others, was a major driver behind the drafting of a new General Data Protection Regulation back in 2013, which would have relevance in the modern internet era. Therefore, even though the UK may leave the EU soon after GDPR becomes statutory across all the EU member states in 2018, it will still be law in the UK, and UK-based businesses will need to be compliant. Furthermore, even if the UK Government were to remove the regulations from the statute books, which is highly unlikely as they contributed so much to the draft, any business wishing to conduct business within the EU single market that necessitates the collection and processing of EU citizens' personal data would still need to be GDPR compliant. This is an important point, as it is necessary to understand that the territorial scope of the GDPR has changed: any organization, even one with no EU establishment, will be required to be GDPR compliant if it supplies products or services which collect the private data or monitor the behaviour of EU residents.
The importance of data privacy as a fundamental right for all citizens is a principle which the EU holds dearly, and as such it plays a large part in the revised GDPR. The previous Data Protection Directive was drafted way back in 1995 and came into law in most EU states in 1998, but that was only at the dawn of the internet and long before ecommerce and the web had become ubiquitous. Therefore, the adapted EU laws in many countries were not sufficient to face the privacy challenges which came about through the proliferation of web browsing, social media, cloud computing services, ecommerce and, importantly, the invasive nature of direct advertising to the user. Similarly, many felt that the current regulations did not address the business models and practices of the vast internet-sized companies that harvested EU citizens' personal data and transferred it to offshore locations outside the EU.
Safe Harbour was one such transatlantic agreement, drawn up to allow US-based internet companies to transfer EU citizens' data outside the community borders despite there being little guarantee of its privacy. Indeed, when challenged in court, Safe Harbour was found to be unsafe and struck down: the Court of Justice of the EU declared the Safe Harbour scheme for EU-US data transfers to be invalid. While Safe Harbour was not the only way to transfer data to the US from the EU, around 4,500 companies relied on this framework as their main legal basis for transfers.
The case against Safe Harbour was originally brought by Austrian student Max Schrems, following the NSA revelations by Edward Snowden. The CJEU ruled that the US public authorities were not only outside the scope of Safe Harbour, but also support conflicting laws that prevail over the scheme in certain circumstances.
The Safe Harbour decision in 2015 came after work on the revision of the privacy regulations had begun in 2013, so it did not bring about GDPR, but the decision does demonstrate why a revision and update of EU data privacy laws was required to meet the changing demands of the internet era.
In order to understand the changes that the GDPR will bring for businesses operating within the EU market upon its implementation into law in May 2018, we need to consider what the UK and the other EU member states already use as their directive for data privacy protection.
Introduction to GDPR Definitions
In order to understand many of the concepts and articles within the GDPR, we need to first understand some of the roles to which the law applies. The main roles referred to in the existing Data Protection Directive and the GDPR are Data Controllers,