WEBINAR
How to Solve CCPA and GDPR's Toughest Compliance Mandates - PowerPoint PPT Presentation
Automating Data Privacy and Security for API-based Services

Welcome and Introductions
- Elias Terman, VP of Global Marketing, Integris Software (Moderator)
- Chandan Golla, Head of Product Management, Integris Software
- Shan Zhou, VP Customer Success, Cloudentity
Agenda
- Privacy as a competitive differentiator
- Meeting CCPA and GDPR compliance challenges
- Discovering your regulated data
- Data sharing challenges and opportunities
- Digital transformation blind spot? APIs.
- What continuous defensibility looks like
- Q and A
Data Privacy Fails
When Data Sharing Agreements Go Terribly Wrong
"...but it was in our terms of service"
Facebook contends that its technology worked exactly as it was built to work, and that Cambridge Analytica broke the rules.
Lesson learned: contracts can be used to punish someone, but only after they have broken the rules and the damage has been done.
Privacy is critical to how businesses grow
PI privacy is both a business enabler and a regulatory burden
Business enabler:
- Build Trust
- Progressive Consent
- Personalization
- Open Banking
Regulatory burden:
- GDPR
- CCPA
- 3rd Party Transfers Disclosure
The Challenging Regulatory Landscape
Obligations: Access, Notice, Deletion, Consent, Sale, Purpose, Processing Activities, Data Flows
Foundation to meeting CCPA and GDPR Requirements
Continuous defensibility boils down to doing four things well:
1. Understanding where personal information resides across all data sources (at rest and in motion)
2. Mapping that data back to data handling obligations
3. Remediating risk and closing gaps
4. Fulfilling data subject requests
Easier said than done!
- Point in time
- Doesn't scale
- Evolving definition of PI
- Streaming data is a blind spot
Sources of obligations: Regulations, Contracts, Internal
PI Surveys: Inaccurate and Time Consuming
Data sources that must be covered:
- Unstructured File Shares: Google Drive, NFS, NAS
- Structured Databases: Oracle, MSSQL, MySQL, DB2
- Big Data: Hadoop, Snowflake
- SaaS: Microsoft O365, Salesforce
- Data-in-Motion: Kafka, Amazon Kinesis
- Additional Sources: JDBC Connectors, RESTful APIs
87% of the US population can be uniquely identified with their Zip Code, Gender, and Birthdate*
*Source: https://dataprivacylab.org/projects/identifiability/paper1.pdf
(Slide diagram: a De-Identified Data Repository holds records such as "Likes: Pistachio ice cream", "History: Visits downtown store 2x week", "Pattern: Never visits on Sunday" with no name attached, but each record still carries GENDER, ZIP and DATE OF BIRTH; data analysts with access to those three fields can link a record back to a name such as John Smith.)
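The linkage described on this slide, as an added example that is not part of the webinar: a "de-identified" repository that keeps gender, ZIP and date of birth is joined on those three quasi-identifiers to a public list that carries names (a voter roll is the classic case behind the 87% figure). The example also computes k-anonymity over the same fields and shows that coarsening ZIP and birth date raises k and breaks the unique match. All records, names and ZIP codes are constructed for the example; the function names are mine.

```python
"""Linking a "de-identified" repository back to names via quasi-identifiers.

Constructed sample data for this example (not from the webinar): the repository
has dropped names but kept gender, ZIP and date of birth, and a public list
(a voter roll is the classic case) carries names alongside the same three fields.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("gender", "zip", "dob")

# "De-identified" analytics records: no name, but the three quasi-identifiers survive.
DEIDENTIFIED = [
    {"gender": "M", "zip": "98104", "dob": "1979-06-02", "likes": "pistachio ice cream"},
    {"gender": "F", "zip": "98104", "dob": "1988-11-23", "likes": "green tea"},
    {"gender": "F", "zip": "98104", "dob": "1988-11-23", "likes": "espresso"},
    {"gender": "M", "zip": "98119", "dob": "1979-09-30", "likes": "cycling"},
]

# Public list with names (constructed). Row 3 above has no exact match here: different ZIP.
PUBLIC_LIST = [
    {"name": "John Smith", "gender": "M", "zip": "98104", "dob": "1979-06-02"},
    {"name": "Ana Lopez", "gender": "F", "zip": "98104", "dob": "1988-11-23"},
    {"name": "Mei Chen", "gender": "F", "zip": "98104", "dob": "1988-11-23"},
    {"name": "Tom Ng", "gender": "M", "zip": "98121", "dob": "1979-09-30"},
]


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple used both for joining and for k-anonymity."""
    return tuple(record[f] for f in fields)


def link_records(deidentified, public_list, fields=QUASI_IDENTIFIERS):
    """Join on the quasi-identifiers. Returns {row_index: [candidate names]}.

    A single candidate is a re-identification; several candidates only narrow
    the row down to that group of people.
    """
    index = defaultdict(list)
    for row in public_list:
        index[qi_key(row, fields)].append(row["name"])
    return {i: index[qi_key(row, fields)]
            for i, row in enumerate(deidentified)
            if qi_key(row, fields) in index}


def reidentified(deidentified, public_list, fields=QUASI_IDENTIFIERS):
    """Only the rows that map to exactly one name."""
    return {i: names[0]
            for i, names in link_records(deidentified, public_list, fields).items()
            if len(names) == 1}


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest group size over the quasi-identifiers; k == 1 means some row is unique."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


if __name__ == "__main__":
    print("k =", k_anonymity(DEIDENTIFIED))                               # 1
    print("re-identified:", reidentified(DEIDENTIFIED, PUBLIC_LIST))      # {0: 'John Smith'}
    gen = [generalize(r) for r in DEIDENTIFIED]
    gen_pub = [generalize(r) for r in PUBLIC_LIST]
    print("k after generalization =", k_anonymity(gen))                  # 2
    print("re-identified after generalization:", reidentified(gen, gen_pub))  # {}
```

The point for a discovery program: a column is not "safe" because it holds no name. Any combination of columns whose group size is 1 is an identifier, and the check above (minimum group size over the candidate quasi-identifiers) is cheap to run over every table you classify.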
Not all discoverable sensitive information is linked to an identity
CCPA: Inferred data
Religion can be inferred from a diet preference or from the days an employee takes as PTO in HR records
Integris Data Privacy Automation
Data Layer (Scalable, Continuous, Extensible, Streaming) fed by the same sources:
- Unstructured File Shares: Google Drive, NFS, NAS
- Structured Databases: Oracle, MSSQL, MySQL, DB2
- Big Data: Hadoop, Snowflake
- SaaS: Microsoft O365, Salesforce
- Data-in-Motion: Kafka, Amazon Kinesis
- Additional Sources: JDBC Connectors, RESTful APIs
What the solution does:
- Accurate discovery and classification of sensitive data at scale
- Data at rest, in motion, structured or unstructured, cloud or on premise
- Apply business obligations (Regulations, Contracts, Internal) to the data map and initiate action
The Blind Spot: Data in Motion
Data is always changing, so discovery of data at rest becomes obsolete. Key to protection? Monitoring inbound and outbound data transfers.
(Slide diagram: Company A and Company B exchanging payloads {...} over APIs; logs; 3rd party transfers.)
How does data move?
APIs: Key to Digital Transformation, But Two Major Challenges Remain
Data moves through APIs, but they are a blind spot:
1. No insight into:
   - What is exposed and to whom
   - What's happening with the data
   - What controls are in place
2. Network perimeters no longer apply
Data Sharing Agreements Are a Major Privacy Concern
61% of enterprises cited data sharing agreements as a privacy concern.
Data Sharing Agreements Don't Protect Data
40% of respondents have 50 or more data sharing agreements. Respondents lacked confidence in their partners' ability to abide by data sharing agreements (84% reported being less confident).
Why is enforcing privacy on APIs so hard?
- Data movement and purpose: lack of awareness of the data exchanged; no understanding of intent of use
- Hard to enforce: current controls deployed at the app perimeter; lack of unique identities for APIs
- Distributed environments: apps span multi-cloud and on-prem environments; decentralized DevOps teams
- Scale: consumer scale is not traditional scale; high latency results in negative experiences
Establish a two-step program
1. Lay the Foundation
   ➔ Discovery and classification of data at rest
   ➔ PI surface area reduction
   ➔ Policies and rules to monitor changes
   ➔ Remediation process
2. Safe Digital Transformation
   ➔ Discovery and classification of data in motion
   ➔ Monitor online transfers against data contracts and policies
   ➔ Implement privacy checks in addition to security checks (e.g. Progressive Consent)
Implement Progressive Consent
- 95% of customers are more likely to be loyal to a company they trust
- 92% are more likely to purchase additional products and services from trusted businesses
- 93% of customers are more likely to recommend a company they trust
What customers ask for:
- Give me control over what data you collect on me
- Ask for my consent to use my information
- Show me your commitment to protecting my data
Progressive Consent Example
(Slide screenshots of a progressive consent flow; labels: Progressive Consent, Discovery and Classification.)
The right data is provided to the right resources at the right time:
- Progressive consent / revocation
- Continuous compliance
- Continuous enforcement
Risks and Remediation
Best Practices for API Data Protection
Know your Who, What, and Why...
Who - Authorization & Authentication:
- Data contract validation
- User and API identity verification
- API authorization
- PI processor
- Usage pattern
What & Why - Data, Schema & Contracts:
- Schema change alert
- High sensitivity classification alert
- High sensitivity attribute alert
- Unencrypted data alert
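An added example, not code from the webinar or from either vendor, that covers both the "monitor online transfers against data contracts and policies" step of the two-step program and the four "What & Why" alerts above: a single outbound API payload is checked against a per-partner data contract and an attribute catalog, and the checker raises a schema change alert (attribute the catalog never classified), a high sensitivity attribute alert (classified-high attribute the contract does not allow), a high sensitivity classification alert (a low/medium field whose content matches a PI pattern) and an unencrypted data alert (a field the contract requires encrypted, sent in the clear). The catalog, the contract with "Company B", the PI regexes, the `enc:v1:` marker standing in for the real encryption or tokenization scheme, and the payloads are all assumptions made for the example.

```python
"""Checking an outbound API payload against a data contract before it leaves.

Everything here is constructed for this example: the attribute catalog, the
contract with a partner, the PI patterns and the "enc:v1:" marker that stands
in for whatever field-level encryption or tokenization scheme is really in use.
"""
import json
import re

# Sensitivity classification per attribute (assumed output of discovery & classification).
CATALOG = {
    "customer_id": "low",
    "postal_code": "medium",
    "purchase_history": "medium",
    "notes": "low",
    "email": "high",
    "date_of_birth": "high",
    "card_token": "high",
}

# Data contract with one partner: what may be shared, and what must be encrypted in transit.
CONTRACT = {
    "partner": "Company B",
    "allowed": {"customer_id", "postal_code", "purchase_history", "notes", "card_token"},
    "encrypted_only": {"card_token"},
}

# Content patterns that reveal PI hiding in a field classified as low/medium.
PI_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

ENC_PREFIX = "enc:v1:"  # assumed marker for encrypted/tokenized values

SEVERITY = {
    "schema_change": "medium",
    "disallowed_attribute": "medium",
    "high_sensitivity_attribute": "high",
    "high_sensitivity_classification": "high",
    "unencrypted_data": "high",
}


def check_payload(payload, contract=CONTRACT, catalog=CATALOG):
    """Return one alert dict per problem found in a single outbound payload."""
    alerts = []
    for field, value in payload.items():
        if field not in catalog:
            # An attribute the catalog has never classified: the schema drifted.
            alerts.append({"alert": "schema_change", "field": field})
            continue
        level = catalog[field]
        if field not in contract["allowed"]:
            kind = "high_sensitivity_attribute" if level == "high" else "disallowed_attribute"
            alerts.append({"alert": kind, "field": field, "sensitivity": level})
            continue
        if field in contract["encrypted_only"] and not (
            isinstance(value, str) and value.startswith(ENC_PREFIX)
        ):
            alerts.append({"alert": "unencrypted_data", "field": field})
        if level != "high":
            # Scan the serialized value (covers nested lists/objects) for PI that outranks its label.
            blob = json.dumps(value)
            for name, pattern in PI_PATTERNS.items():
                if pattern.search(blob):
                    alerts.append({"alert": "high_sensitivity_classification",
                                   "field": field, "matched": name})
                    break
    for a in alerts:
        a["severity"] = SEVERITY[a["alert"]]
    return alerts


def should_block(alerts):
    """Policy decision for the enforcement point: block on any high-severity alert."""
    return any(a["severity"] == "high" for a in alerts)


# Constructed outbound payloads: one that breaks the contract four ways, one that is clean.
BAD_PAYLOAD = {
    "customer_id": "c-1001",
    "postal_code": "98104",
    "purchase_history": ["pistachio ice cream", "espresso"],
    "notes": "call back at john.smith@example.com",
    "date_of_birth": "1979-06-02",
    "card_token": "4111111111111111",
    "loyalty_tier": "gold",
}

CLEAN_PAYLOAD = {
    "customer_id": "c-1001",
    "postal_code": "98104",
    "purchase_history": ["pistachio ice cream", "espresso"],
    "notes": "prefers morning deliveries",
    "card_token": "enc:v1:9f3c2a",
}

if __name__ == "__main__":
    for a in check_payload(BAD_PAYLOAD):
        print(a)
    print("block:", should_block(check_payload(BAD_PAYLOAD)))  # True
    print("clean:", check_payload(CLEAN_PAYLOAD))               # []
```

Run in-line at the enforcement point (the slide's "deploy close to the service" and "inspect every transaction" points), the same check is cheap enough to apply to each response rather than only to the first request of a session; the schema-change branch is what catches a field a DevOps team added without updating the contract.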
Best Practices for Deployment
- Unique identity for every user, API, and device
- Deploy close to the service for best performance
- Must support hybrid and multi-cloud environments
- Microservices based, to support legacy and modern architectures
- Inspect every transaction, not just the first request
- Deployable everywhere, with centralized management
- Provide seamless DevOps integration patterns; transpose responsibilities for verifiable policy enforcement
Data Protection
Privacy (what data is important and why):
- Discovery & Classification
- Data Handling Obligations
- Risk & Governance
- Regulations, Contracts, Policies
Information Security (how those policies are enforced):
- Encryption
- Network Security
- Access Control
- Activity Monitoring
- Breach Response
- DLP / CASB
Where the two overlap: Protected Usable Data
Data Privacy is integral to Data Protection
Privacy and Security go hand in hand:
- Keeping your information private requires keeping it secure
- If your information is not private, it’s not secure
Q&A
- Elias Terman, VP of Global Marketing, Integris Software (Moderator)
- Chandan Golla, Head of Product Management, Integris Software, chandan@integris.io
- Shan Zhou, VP Customer Success, Cloudentity, http://info.cloudentity.com/demo-download