
Raghu Yeluri, Intel Corporation
Shantu Roy, IBM
Bill Hackenberger, HyTrust

GRC3386BUS
#VMworld #GRC3386BUS

GDPR Readiness with IBM Cloud Secure Virtualization

VMworld 2017 Content: Not for publication or distribution

Agenda

• GDPR Overview & Requirements

• IBM Secure Virtualization – Solution Overview

• Summary / Call to Action

• Q & A


Security Continues to be #1 Barrier for Cloud Adoption

MAIN CONCERNS (data from Cloud Research Partners)

#1 General security risks: 33%
#2 Lack of staff resources or expertise: 28%
#3 Integration with existing IT environments: 27%
#4 Data loss & leakage risks: 26%
#5 Legal & regulatory compliance: 24%

CLOUD ADOPTION BARRIERS

Data Loss/Leakage: 57%
Confidentiality: 47%
Regulatory compliance: 30%
Data Privacy: 49%
Data Sovereignty/Control: 36%


General Data Protection Regulation (GDPR) Overview


Is GDPR the next Y2K for data privacy and data protection?

Replaces the Data Protection legislation of the 90's

One single set of data protection rules across the EU

Will come into force throughout the EU on May 25, 2018

Gives individuals much more control over their personal data


Top 10 GDPR Provisions

Increased Fines
Territorial Scope
Opt-in Consent
Breach Notification
Joint Liability
Right to Removal (RTBF)
Data Transfer
One Law
Common Enforcement
Collective Redress


Key GDPR Definitions

Data Subject: The individual whose data is being collected and who can be identified from that data.

Data Controller: The organization that defines the reason for the data collection, decides how the data is collected and processed, and is ultimately responsible for its safekeeping.

Data Processor: A person or body acting on behalf of the data controller to store or process the data.

Personal Data (PII): Any information relating to an identified or identifiable natural person (data subject).

Supervisory Authorities: Public bodies set up by the governments of the EU countries to help advise data controllers and data subjects on the law and enforce the regulation.


Types of Personal Information

Date of Birth
Address
Personal Email Address
Online Identifier
Business Email Address
Phone Number
Ethnic Origin
Name
Health
Religious Beliefs

(The slide also carries the label "Sensitive Personal Data".)


No matter where you are in the world, if you do business within the EU, you need to comply with GDPR!


Substantial increase in fines for organizations that do not comply with GDPR.

Two-tier fine structure for different violations: fines can vary from 2% to 4% of global revenue, or 10M euro to 20M euro, whichever is greater.

The local supervisory authority must be informed within 72 hours of any data loss, and users informed as soon as possible, unless…

…the data was encrypted or a form of pseudonymization was used; in that case the data is automatically deemed secure and the organization is not required to notify the data subject or supervisory authority of the breach.


Data belongs to the data subject, NOT the data controller.

The Right to be Forgotten


Organizations will be required to "implement appropriate technical and organizational measures" in relation to the nature, scope, context and purposes of their handling and processing of personal data.

GDPR = 11 Chapters, 81 Pages, 99 Articles, 100+ Recitals

~12 articles address "technical measures"


GDPR Articles - some specifics

The slide groups the articles under four headings: Core Requirements*, Audit and Compliance, Encryption, Data Sovereignty.

Article 5 Principles relating to personal data processing
Article 24 Responsibility of the controller
Article 28 Processor
Article 32 Security of processing
Article 24 Data protection by design and by default
Article 30 Records of processing activities
Article 33 Notification of a personal data breach to the supervisory authority
Article 6 Lawfulness of processing
Article 17 The Right to Erasure (aka "The Right to Be Forgotten")
Article 34 Communication of a personal data breach to the data subject
Article 44 General Principle for Transfers


A VMware Portfolio Solution

IBM Cloud Secure Virtualization (ICSV)

IBM Cloud is first to market with a solution that captures the benefits of both HyTrust software and Intel® Trusted Execution Technology to protect virtualized workloads down to the microchip level.

Example data the solution protects (from the slide graphic): Customer Demographics, Point of Sale Transactions, Customer Credentials, Intellectual Property.

Solution stack (from the slide graphic): Intel Xeon® Processor Bare Metal Servers + Intel® TXT Enabled; VMware Cloud Foundation™; HyTrust CloudControl and DataControl; OS/App virtual machines on top.

Includes VMware Cloud Foundation licenses and infrastructure (NSX, vSAN, vCenter, vSphere).

ICSV Solution Benefits

A Combined Security Offering from IBM, HyTrust and Intel®

Slide graphic: Virtualization Admin and Application User over the Virtualization, Physical and Storage layers, with CloudControl, DataControl, Intel® TXT, and encrypted VMs and data.

HyTrust Software Provides: Policy and access controls for cloud security, reporting, and encryption software

IBM Cloud Provides: Automated VMware solutions on trusted Bluemix bare metal infrastructure

Intel® Trusted Execution Technology Provides: Hardware-based (chipset) security technology to protect workloads

A powerful solution together…

• Streamlined visibility and reporting for corporate and regulatory compliance
• Policy-enforced controls and access management
• Confidence that workloads always run on known trusted hardware and software stacks
• Keys under tenant control, and data decryption only when access and location policies are met

Benefits of IBM Cloud for VMware Solutions

IBM Differentiation

Compatibility
• Full compatibility with vCenter on and off premises
• Workload portability puts you in charge
• Continue with existing staff, tools and infrastructure

Speed & Flexibility
• Deploy in hours in multiple configuration sizes
• Expand and contract capacity as your needs change
• Deploy single site or multi-site configurations globally

Cloud Economics
• Predictable & simplified budgeting
• No long term contract overhead
• Pay for what you use with cloud OpEx model

Translating to Requirements…

How does the Data Controller:

• Maintain environment control and visibility to manage, monitor, and govern data access?
• Provide security policies and implement granular security controls?
• Protect the personal data related to the data subject?
• Audit/verify the security controls implemented by the Data Processor?

How does the Data Processor:

1. Verify the provisioning of the infrastructure of a sub-processor?
2. Protect workloads (including data) from being deployed on compromised or unsanctioned infrastructure?
3. Control where workloads and applications are running?
4. Enable the Right to be Forgotten?
5. Support the data sovereignty requirements of the Data Controller?

Intel Benefits

Slide graphic: Protect the data (in-use, at-rest, in-flight); Secure the platform (trust, visibility/control, resilience); without compromising performance.

Effective security is built on a foundation of trust

Hardware Root of Trust

Intel® Trusted Execution Technology

Ensure a measured environment baseline with Intel® Trusted Execution Technology (Intel® TXT)

► System boot stack gets crypto-hashed before execution
► Hash values get safely stored in Trusted Platform Module (TPM)
► Match to known-good values determines system trust status

Launch flow on a server with TPM (slide graphic):

1. System powers on and Intel TXT verifies system BIOS/Firmware
2. Hypervisor measure matches (MATCH!) → 3. OS and applications are launched, known trusted
2. Hypervisor measure does not match (POSSIBLE EXPLOIT!) → 3. Policy action enforced, known untrusted
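The three bullets and the launch flow above describe a measured launch: each boot stage is hashed before it runs, the hashes are accumulated in a TPM register, and the result is compared with known-good values to decide whether workloads may start. The following Python is an added example, not code from the slides or from Intel, IBM or HyTrust. It simulates that decision with SHA-256 and a TPM-style extend operation; the component names, image bytes and the enrolled known-good values are constructed stand-ins, and no real TXT or TPM interface is used. It goes one step beyond the slide by also catching stages that match individually but were launched in the wrong order, which the extended register detects and a per-stage whitelist alone would not.

```python
# Added example (not from the slides): a simulation of the measured-launch
# decision. Hashes of each boot stage are extended into a TPM-style register
# and compared with enrolled known-good values; a mismatch ends the launch
# with a policy action. Names, images and whitelist are constructed stand-ins.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

ZERO_REGISTER = b"\x00" * 32  # a fresh PCR starts at all zeros


@dataclass(frozen=True)
class Component:
    name: str     # boot stage, in launch order
    image: bytes  # constructed stand-in for the binary that gets measured


def measure(image: bytes) -> str:
    """Crypto-hash a boot stage before it executes (the slide's 'crypto-hashed')."""
    return hashlib.sha256(image).hexdigest()


def extend(register: bytes, digest_hex: str) -> bytes:
    """TPM-style extend: new = H(old || measurement).

    The register can only be extended, never set, so a bad stage cannot be
    hidden by later good ones, and the final value also encodes launch order.
    """
    return hashlib.sha256(register + bytes.fromhex(digest_hex)).digest()


def enroll_known_good(golden_stack: List[Component]) -> Dict:
    """Record per-stage digests and the final register of a trusted reference build."""
    register = ZERO_REGISTER
    digests = {}
    for comp in golden_stack:
        digests[comp.name] = measure(comp.image)
        register = extend(register, digests[comp.name])
    return {"digests": digests, "register": register.hex()}


def _verdict(trusted: bool, failed_at: Optional[str], register: bytes, measured: Dict) -> Dict:
    action = ("OS and applications launched, known trusted" if trusted
              else "policy action enforced, known untrusted: workloads not launched")
    return {"trusted": trusted, "failed_at": failed_at, "action": action,
            "register": register.hex(), "measured": measured}


def measured_launch(boot_stack: List[Component], known_good: Dict) -> Dict:
    """Measure each stage in order and decide trust status before launching workloads."""
    register = ZERO_REGISTER
    measured = {}
    for comp in boot_stack:
        digest = measure(comp.image)
        measured[comp.name] = digest
        register = extend(register, digest)
        if known_good["digests"].get(comp.name) != digest:
            # Step 2 on the slide: the hypervisor (or an earlier stage) does not match.
            return _verdict(False, comp.name, register, measured)
    if register.hex() != known_good["register"]:
        # Every stage matched individually, but the order or set of stages differs.
        return _verdict(False, "boot order", register, measured)
    return _verdict(True, None, register, measured)


# Constructed sample stacks (placeholder bytes stand in for real images).
GOLDEN_STACK = [
    Component("bios_firmware", b"vendor-bios-v2.1-signed"),
    Component("hypervisor", b"hypervisor-build-1234"),
]
KNOWN_GOOD = enroll_known_good(GOLDEN_STACK)

# Same BIOS, but the hypervisor image has been altered by one byte.
TAMPERED_STACK = [
    Component("bios_firmware", b"vendor-bios-v2.1-signed"),
    Component("hypervisor", b"hypervisor-build-1235"),
]

# Genuine images launched in the wrong order: each digest is whitelisted, yet
# the extended register no longer matches the enrolled value.
REORDERED_STACK = list(reversed(GOLDEN_STACK))


if __name__ == "__main__":
    for label, stack in [("golden", GOLDEN_STACK), ("tampered", TAMPERED_STACK),
                         ("reordered", REORDERED_STACK)]:
        result = measured_launch(stack, KNOWN_GOOD)
        print(f"{label:10s} trusted={result['trusted']} "
              f"failed_at={result['failed_at']} -> {result['action']}")
```

The verdict names the first stage whose measurement differs, which is what an operator needs for triage; the register value is what an attestation service would compare against its policy. A real TPM exposes several PCR banks and Intel TXT measures specific ranges of firmware and the launch environment, but the comparison logic is the same.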


Intel Cloud Integrity Technology

Intel Provides a Protected Launch & Hardware-enforced Geo location

Intel® Cloud Integrity Technology leverages Intel® TXT

Trusted Platform and Workloads Launch: Verification of the integrity of the launch of the platform and workloads (VMs, containers…) to provide trust and assurance

Trusted Compute Pools: Attestation provides information to inform which systems are trustworthy for hosting workloads

Compliance: Attestation allows verification of platform and workload trust for comparison against policy and use in audit; this includes geo-boundaries

Chain of trust (slide graphic): Intel® TXT measures firmware, BIOS and hypervisor in the data center. Capabilities built on it: platform integrity (Intel® TXT + TPM), workload integrity, location and boundary control.

HyTrust Simplifies Security at Scale

HyTrust Benefits

HyTrust CloudControl with Intel® TXT
► Protect server virtualization
► Control of private cloud
► Secure single-tenancy
► Continuous compliance

HyTrust DataControl
► Workload encryption
► Key management
► Public/hybrid cloud
► IaaS migration

HyTrust BoundaryControl with Intel® TXT
► Workload & data geo-fencing
► Tenant-defined boundaries
► Data sovereignty
► Contextual tagging

HyTrust BoundaryControl

Automatically provision, configure, and enforce security controls for all things inside your defined logical boundaries; Intel TXT provides the hardware root of trust.

Define and create a logical boundary by geography, regulatory standard, department, etc.

Assign tags to key assets (slide examples: PCI, PII*, Finance, German Finance) across network, storage, workload and host/server.

Define policies and automate security control enforcement for your defined boundary:
• Do not decrypt workload unless it is running on Host B
• Automatically encrypt workloads within the boundary
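The policy on this slide ("do not decrypt workload unless it is running on Host B") and the Trusted Compute Pools and geo-boundary attestation on the Intel Cloud Integrity Technology slide come together in one decision: release the workload's key only when the host has passed attestation and sits inside the tenant-defined boundary. The Python below is an added example, not HyTrust's or Intel's code. It is a default-deny evaluator over a constructed attestation report format; the tags, host names, boundary codes and report fields are assumptions, and the report-freshness check is added here as the caveat a practitioner would want, since a trust verdict is only as good as the age of the measurement behind it.

```python
# Added example (not HyTrust's code): a default-deny evaluator for the kind
# of boundary policy the slide describes. Host trust and location come from a
# constructed attestation report; tags, hosts, boundary codes and the report
# format are all assumptions for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Attestation:
    """What an attestation service reports for a host (constructed format)."""
    host: str
    trusted: bool        # measured launch matched known-good values
    geo: Optional[str]   # location tag bound to the platform measurement; None if absent
    age_s: int           # seconds since the report was produced


@dataclass(frozen=True)
class Policy:
    """Workloads carrying `tag` may only be decrypted on hosts that satisfy every field."""
    tag: str
    boundary: FrozenSet[str] = frozenset()      # allowed geo tags; empty means nowhere
    pinned_hosts: FrozenSet[str] = frozenset()  # optional host allow-list ("only Host B")
    require_trusted: bool = True
    max_report_age_s: int = 300


def evaluate(workload_tags: Set[str], report: Attestation, policies: List[Policy]) -> Dict:
    """Return {'decrypt': bool, 'reasons': [...]}. Any failing condition denies."""
    applicable = [p for p in policies if p.tag in workload_tags]
    if not applicable:
        # Fail closed: an untagged or unknown workload gets no key.
        return {"decrypt": False, "reasons": ["no policy covers this workload's tags"]}
    reasons = []
    for p in applicable:
        if p.require_trusted and not report.trusted:
            reasons.append(f"{p.tag}: host {report.host} failed platform attestation")
        if report.age_s > p.max_report_age_s:
            reasons.append(f"{p.tag}: attestation report is stale ({report.age_s}s old)")
        if report.geo is None or report.geo not in p.boundary:
            reasons.append(f"{p.tag}: host location {report.geo!r} is outside "
                           f"boundary {sorted(p.boundary)}")
        if p.pinned_hosts and report.host not in p.pinned_hosts:
            reasons.append(f"{p.tag}: host {report.host} is not in the pinned host list")
    if reasons:
        return {"decrypt": False, "reasons": reasons}
    return {"decrypt": True,
            "reasons": [f"{p.tag}: all conditions met on {report.host}" for p in applicable]}


# Constructed policies mirroring the slide's tags.
POLICIES = [
    Policy(tag="GermanFinance", boundary=frozenset({"DE"})),
    Policy(tag="PCI", boundary=frozenset({"DE", "US"}), pinned_hosts=frozenset({"host-b"})),
]

# Constructed attestation reports for a few hosts.
HOST_B_DE = Attestation(host="host-b", trusted=True, geo="DE", age_s=30)
HOST_C_US = Attestation(host="host-c", trusted=True, geo="US", age_s=30)
HOST_B_UNTRUSTED = Attestation(host="host-b", trusted=False, geo="DE", age_s=30)
HOST_B_STALE = Attestation(host="host-b", trusted=True, geo="DE", age_s=3600)
HOST_D_NOGEO = Attestation(host="host-d", trusted=True, geo=None, age_s=30)


if __name__ == "__main__":
    cases = [
        ({"GermanFinance"}, HOST_B_DE), ({"GermanFinance"}, HOST_C_US),
        ({"PCI"}, HOST_C_US), ({"PCI", "GermanFinance"}, HOST_B_DE),
        ({"GermanFinance"}, HOST_B_UNTRUSTED), ({"GermanFinance"}, HOST_B_STALE),
        ({"GermanFinance"}, HOST_D_NOGEO), ({"Untagged"}, HOST_B_DE),
    ]
    for tags, report in cases:
        verdict = evaluate(tags, report, POLICIES)
        print(f"{sorted(tags)} on {report.host}: decrypt={verdict['decrypt']}")
        for reason in verdict["reasons"]:
            print(f"    {reason}")
```

Every denial carries the list of failed conditions rather than the first one, which is what the "continuous compliance" reporting on the HyTrust slide needs: an auditor wants to see that a workload was refused because the host was both outside the boundary and stale, not just that it was refused. A missing location tag is treated the same as a wrong one, so a host that was never enrolled cannot receive keys by accident.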


IBM Benefits

IBM Cloud Automates the Infrastructure

VMware Cloud Foundation on IBM Cloud natively integrates vSphere, NSX and vSAN full stack virtualization along with the lifecycle management of SDDC Manager. This deployment is automated, offering fast and repeatable installation.

IBM Cloud offers the benefits of global scale with over 50 interconnected data centers worldwide.

Stack (slide graphic): Apps on Network Virtualization, Compute Virtualization and Storage Virtualization, over Physical Infrastructure, with Management alongside.

Solution Benefits

Data Decryption by Location: Only allow virtual server data to be decrypted in authorized locations

Deployment Control by Location: Ensure only certain virtual servers run on hardware in authorized locations

Server Platform Integrity: Only allow virtual workloads to run on untampered hardware and software

Privileged User Controls: Reduce admin risk with advanced role based access controls and secondary approval workflows

Security and Compliance Automation: Continuous monitoring and reporting of controls to support regulatory and industry compliance


© 2017 HyTrust, Inc.

Take Action

• Schedule a discovery meeting to assess customers' needs (the IBM Technical Solutions team, Intel & HyTrust can assist)
• Identify customers with intensive data security & compliance needs (GDPR, PCI, HIPAA)
• Check out more information on the wiki
• Execute a pilot or proof of concept for interested customers (process and promotion for POC is on the wiki)
• Set up a technical workshop to engage security & compliance teams (the IBM Technical Solutions team, Intel & HyTrust can assist pilot planning)


Ordering Codes

Cloud BU
L30 6950-17V - IBM Bluemix Secure Virtualization (Cloud BU) (for Cloud Foundation)
L30 6950-16F - IBM Bluemix Implementation Services (Cloud BU - CPS)

GTS BU
L30 6941-95X - IBM Bluemix Secure Virtualization (GTS BU) (for Cloud Foundation)
L30 6941-95A - IBM Bluemix Implementation Services (GTS mirror code)

*Latest ordering codes can be found on the VMware wiki
