grc3386bus gdpr readiness with ibm cloud secure or … · 2019-06-27 · a combined security...
TRANSCRIPT
Raghu Yeluri, Intel CorporationShantu Roy, IBMBill Hackenberger, Hytrust
GRC3386BUS
#VMworld #GRC3386BUS
GDPR Readinesswith IBM Cloud Secure Virtualization
VMworld 2017 Content: Not fo
r publication or distri
bution
Agenda
• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A
2
VMworld 2017 Content: Not fo
r publication or distri
bution
3
Security Continues to be #1 Barrier for Cloud Adoption
MAIN CONCERNSData from Cloud Research Partners
#1General security risks
33% 28%
#2Lack of staff
resources or expertise
27%
#3Integration with existing
IT environments
26%
#4Data loss &
leakage risks
24%
#5Legal & regulatory
compliance
CLOUD ADOPTION BARRIERS
57%
Data Loss/Leakage
47%
Confidentiality
30%
Regulatory compliance
49%
Data Privacy
36%
Data Sovereignty/Control
VMworld 2017 Content: Not fo
r publication or distri
bution
General Data Protection Regulation (GDPR) Overview
VMworld 2017 Content: Not fo
r publication or distri
bution
Is GDPR the
next Y2K for
data privacy
and data
protection?VMworld 2017 Content: N
ot for publicatio
n or distribution
Replaces the Data Protection legislation of the 90’s
One single set of data protection rules across EU
Will come into force throughout the EU
on May 25, 2018
Gives individuals much more control over their
personal data
VMworld 2017 Content: Not fo
r publication or distri
bution
Increased Fines
Territorial Scope
Opt-in Consent
Breach Notification
Joint Liability
Right to Removal (RTBF)
Data Transfer
One Law
Common Enforcement
Collective Redress
Top 10 GDPR Provisions
VMworld 2017 Content: Not fo
r publication or distri
bution
Data Subject
The individual
whose data is
being collected
and can be
identified from
that data
Data Controller
The organization that
defines the reason for
the data collection,
decides how the data is
collected and processed
and is ultimately
responsible for its
safekeeping
Data Processor
A person or body acting
on behalf of the data
controller to store or
process the data
Personal Data (PII)
Any information relating
to an identified or
identifiable natural
person (data subject)
Supervisory
Authorities
Public bodies set up by the
governments of the EU
countries to help advise
data controllers and data
subjects on the law and
enforce the regulation
Key GDPR Definitions
VMworld 2017 Content: Not fo
r publication or distri
bution
Types of Personal Information
Date of Birth
Address
Personal Email Address
Online Identifier
Business Email Address
Phone Number
Ethnic Origin
Name
Health
Religious Beliefs
Se
nsitiv
e P
ers
on
al D
ata
VMworld 2017 Content: Not fo
r publication or distri
bution
No matter where you are in the world , if you do
business within the EU, you need to comply with GDPR!
VMworld 2017 Content: Not fo
r publication or distri
bution
Substantial increase in fines for organizations
that do not comply with GDPR
Two-tier fine structure for different violations can
vary from 2% to 4% of global revenue or 10M
euro to 20M euro which ever is greaterVMworld 2017 Content: Not fo
r publication or distri
bution
The local supervisory
authority must be
informed within 72
hours of any data
loss and users
informed as soon as
possible unless…VMworld 2017 Content: N
ot for publicatio
n or distribution
data was encrypted or a form of pseudonymization was used, the data
is automatically deemed secure and the organization is not required
to notify the data subject or supervisory authority of the breach
VMworld 2017 Content: Not fo
r publication or distri
bution
Data belongs
to the data
subject NOT
the data
controllerVMworld 2017 Content: N
ot for publicatio
n or distribution
Organizations will be required to
“implement appropriate technical
and organizational measures” in
relation to the nature, scope, context
and purposes of their handling and
processing of personal data
GDPR = 11 Chapters, 81 Pages, 99
Articles, 100+ Recitals
~ 12 articles address “technical
measures”
VMworld 2017 Content: Not fo
r publication or distri
bution
GDPR Articles - some specifics
17
Core
Requirements*
Audit and
Compliance
EncryptionData
Sovereignty
Article 5 Principles relating to personal data processing
Article 24 Responsibility of the controller
Article 28 Processor
Article 32 Security of processing
Data protection by design and by defaultArticle 24
Article 30Records of processing activities
Article 33Notification of a personal data breach to
the supervisory authority
Article 6 Lawfulness of processing
Article 17 The Right to Erasure
(aka “The Right to Be Forgotten”)
Article 34 Communication of a personal data breach
to the data subject
Article 44 General Principle for Transfers
Article 44General Principle for TransfersVMworld 2017 Content: Not fo
r publication or distri
bution
Agenda
• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A
18
VMworld 2017 Content: Not fo
r publication or distri
bution
19
A VMware Portfolio Solution
IBM Cloud is first to market with a solution
that captures the benefits of both HyTrust
software and Intel® Trusted Execution
Technology to protect virtualized workloads
down to the microchip level.
IBM Cloud Secure Virtualization (ICSV)
Customer
Demographics
Point of Sale
Transactions
Customer
Credentials
Intellectual Property
Intel Xeon® Processor Bare Metal Servers + Intel® TXT Enabled
VMware Cloud Foundation™
CloudControl DataControl
OS
App
OS
App
OS
App
OS
App
Includes VMware Cloud Foundation licenses and
infrastructure (NSX, VSAN, Vcenter, Vsphere).VMworld 2017 Content: Not fo
r publication or distri
bution
Virtualization Admin
Application User
Virtualization Layer
Physical Layer
Storage Layer
CloudControl
Virtual
Machine DataControl
20
A Combined Security Offering from IBM, HyTrust and Intel®
ICSV Solution Benefits
HyTrust Software Provides
Policy and access controls for
cloud security, reporting, and
encryption software
IBM Cloud Provides
Automated VMware solutions on
trusted Bluemix bare metal
infrastructure
Intel® Trusted Execution
Technology Provides
Hardware-based (chipset)
security technology to protect
workloads
Intel® TXT
Application
En
cry
pte
d V
Ms
an
d D
ata
Streamlined visibility and reporting for
corporate and regulatory compliance
Policy-enforced controls and access
management
Confidence that workloads always run
on known trusted hardware and
software stacks
Keys under Tenant-control, and, Data
decryption only when access, location
policies are met.
A powerful solution together…
VMworld 2017 Content: Not fo
r publication or distri
bution
Benefits of IBM Cloud for VMware Solutions
21
Compatibility
Speed & Flexibility
Cloud Economics
• Full Compatibility with vCenter on and off premises• Workload portability puts you in charge• Continue with existing staff, tools and infrastructure
• Deploy in hours in multiple configuration sizes• Expand and contract capacity as your needs change• Deploy single site or multi-site configurations globally
• Predictable & simplified budgeting• No long term contract overhead• Pay for what you use with cloud OpEx model
IBM Differentiation
VMworld 2017 Content: Not fo
r publication or distri
bution
Translating to Requirements…
How does the Data Controller:
• Maintain environment control and visibility to manage, monitor, and govern data access?
• Provide Security policies and implement granular security controls?
• Protect the Personal Data related to data Subject?
• Audit/Verify Security Controls implemented by the Data Processor?
How does the Data Processor:
1. Verify the provisioning of the Infrastructure of sub-processor?
2. Protect workloads (inc. data) from deploying on compromised or unsanctioned infrastructure
3. Control where workloads and Applications running?
4. Enable Right to be Forgotten?
5. Support Data Sovereignty Requirements of the Data Controller?
22
VMworld 2017 Content: Not fo
r publication or distri
bution
23
Intel BENEFITS
IN-USEAT-REST
VISIBILITY/CONTROL
TRUST
IN-FLIGHT
PROTECT THE DATA
SECURE THE PLATFORM
RESILIENCE
Effective security is built on a foundation of trust
PERFORMANCE
WITHOUTCOMPROMISING
VMworld 2017 Content: Not fo
r publication or distri
bution
SERVER WITH TPM
24
Hardware Root of Trust
Intel® Trusted Execution Technology
► System boot stack gets crypto-hashed
before execution
► Hash values get safely stored in Trusted
Platform Module (TPM)
► Match to known-good values determines
system trust status
Ensure a measured
environment baseline with
Intel® Trusted Execution
Technology (Intel® TXT)
3. Policy action
enforced,
known untrusted
2. Hypervisor
measure
does not match
POSSIBLE
EXPLOIT! MATCH!
2. Hypervisor
measure matches
3. OS and applications
are launched, known
trusted
1. System powers on and Intel TXT
verifies system BIOS/Firmware
VMworld 2017 Content: Not fo
r publication or distri
bution
Intel Cloud Integrity Technology
25
Trusted Platform and Workloads Launch
Verification of the integrity of the launch of the
platform and workloads (VMs, containers…) to
provide trust and assurance
Trusted Compute Pools
Attestation provides information to inform which
systems are trustworthy for hosting workloads
Compliance
Attestation allows verification of platform and
workload trust for comparison against policy and
use in audit — this includes Geo-boundaries
Intel Provides a Protected Launch &
Hardware-enforced Geo location
Intel® Cloud Integrity
Technology – leverages Intel®
TXT
Data center
Firmware
BIOS
Hypervisor
Intel® TXT
Data center
Firmware
BIOS
Hypervisor
Intel® TXT
Workload integrity
Location and
boundary control
Platform integrity
Intel® TXT + TPM
Capability
Ch
ain
of
tru
st
VMworld 2017 Content: Not fo
r publication or distri
bution
HyTrust Simplifies Security at Scale
26
HyTrust Benefits
HyTrust BoundaryControl with
Intel® TXT
HyTrust
DataControl
HyTrust CloudControl with
Intel® TXT
► Protect server virtualization
► Control of private cloud
► Secure single-tenancy
► Continuous compliance
► Workload encryption
► Key management
► Public/hybrid cloud
► IaaS migration
► Workload & data geo-fencing
► Tenant-defined boundaries
► Data sovereignty
► Contextual tagging
VMworld 2017 Content: Not fo
r publication or distri
bution
27
HyTrust BoundaryControl
Automatically provision, configure, and enforce security controls for all things inside
your defined logical boundaries – Intel TXT provides Hardware Root-of-Trust
Define and create a logical boundary
by geography, regulatory standard,
department, etc.
Assign tags to key assets Define policies and automate security control
enforcement for your defined boundary
PCI PII*Finance
PCI GermanFinance
PCIPCI
PCI
Do not decrypt workload unless it is
running on Host B
Automatically encrypt workloads
within the boundary
Network
Storage
Workload
Host/Server
PCI PCI
PCI PCI
VMworld 2017 Content: Not fo
r publication or distri
bution
IBM Benefits
28
VMware Cloud Foundation on IBM Cloud
natively integrates vSphere, NSX and vSAN
full stack virtualization along with the lifecycle
management of SDDC manager. This
deployment is automated offering fast and
repeatable installation.
IBM Cloud offers the benefits of global scale
with over 50 interconnected data centers
worldwide.
IBM Cloud Automates the
Infrastructure
Network Virtualization
Compute Virtualization
Storage Virtualization
Physical Infrastructure
Apps Apps Apps Apps Apps
Management
VMworld 2017 Content: Not fo
r publication or distri
bution
29
Solution Benefits
Data Decryption by
Location
Deployment Control
by Location
Server Platform
Integrity
Only allow virtual server data to be
decrypted in authorized locations
Ensure only certain virtual
servers run on hardware in
authorized locations
Only allow virtual workloads to run
on untampered hardware and
software
Continuous monitoring and reporting of controls to support regulatory and industry compliance
Privileged User
Controls
Reduce admin risk with advanced
role based access controls and
secondary approval workflows
Security and Compliance Automation
VM1
VM1
Public
Cloud
VM1 VM1 VM1
VMworld 2017 Content: Not fo
r publication or distri
bution
Agenda
• GDPR Overview & Requirements
• IBM Secure Virtualization – Solution Overview
• Summary / Call to Action
• Q & A
31
VMworld 2017 Content: Not fo
r publication or distri
bution
© 2017 HyTrust, Inc. | 32
Take Action
Schedule a discovery meeting to assess customers needs IBM Technicalsolutions team - Intel & HyTrust can assist
Identify Customers with intensive data security & compliance needs (GDPR, PCI, HIPAA)
Check out more information on the wiki
Execute a pilot or proof of concept for interested customersProcess and promotion for POC is on the wiki
Set up Technical Workshop to engage Security & Compliance TeamsIBM Technical solutions team - Intel & HyTrust can assist pilot planning
VMworld 2017 Content: Not fo
r publication or distri
bution
© 2017 HyTrust, Inc. | 33
Ordering Codes
L30 ˙ 6950-17V - IBM Bluemix Secure Virtualization (Cloud BU) (for
Cloud Foundation)
L30 6950-16F – IBM Bluemix Implementation Services (Cloud BU –
CPS)
Cloud BU
L30 ˙ 6941-95X - IBM Bluemix Secure Virtualization (GTS BU) (for
Cloud Foundation)
L30 6941-95A – IBM Bluemix Implementation Services (GTS mirror
code)
GTS BU
*Latest ordering codes can be found on VMware wiki
VMworld 2017 Content: Not fo
r publication or distri
bution