
GDPR for DevOp(Sec) - The laws, Controls and solutions
Ebook, 222 pages, 2 hours


About this ebook

GDPR - the laws, controls and measurements that result in compliance, with the focus on DevOps

Language: English
Release date: Aug 20, 2017
ISBN: 9781386603764

Author: Alasdair Gilchrist


    Book preview

    GDPR for DevOp(Sec) - The laws, Controls and solutions - Alasdair Gilchrist

    GDPR – DevOp(Sec); the law, strategy, controls and solutions

    Introduction – GDPR and the role of DevOps

    Chapter I - Introduction to GDPR

    Data Protection Directive (DPD)

    Introduction to GDPR Definitions

    Controllers vs. Processors

    Data Subjects

    Personal Data

    DPA/Supervisory Body

    Chapter II – GDPR Principles and New Articles

    What does this mean for you and your business?

    Increased Territorial Scope

    GDPR's expansion of Processor responsibility

    GDPR's expanded concept of consent

    Data Subject Rights

    Breach Notification

    Right to Access

    Right to be Forgotten

    Right to Object

    Data Portability

    Privacy by Design

    Transparency

    Data Subject Profiling

    Defining profiling

    Legitimate Interests & Direct Marketing

    Chapter III - Data Governance & Data Management

    Why Manage Data?

    Placing the Focus on DevOp(Sec)

    Chapter IV – The Data Life Cycle

    Understanding how data flows through an Organization

    The Data Life Cycle

    Chapter V – Performing a Privacy Impact Assessment

    Assessing GDPR Readiness

    Privacy Impact Assessment

    Performing a PIA for GDPR Readiness

    Assessing for GDPR Compliance

    Chapter VI - Application Development Life Cycle

    Project Planning (Privacy by Design and Default)

    How DevOp(Sec) facilitates security and compliance

    An Example Use Case: Developing a Mobile App

    Planning stage

    GDPR Privacy Controls for Application Development

    Chapter VII - Translating Minimization, Transparency and Anonymisation into Controls

    Transparency

    Anonymisation and Pseudonymisation

    Pseudonymising Techniques - Encryption & Hashing

    Encryption Families

    Symmetric Encryption

    ECDH

    Perfect Forward Secrecy

    Contiguous Security Coverage

    Centralized Data Security Administration

    Emerging Technologies

    Three Critical Components of a Total Information Security Strategy

    How to Conduct an Effective Risk Assessment

    Protecting Data in Transport (SSL/TLS)

    Protecting Data at Rest (Cloud)

    Securing PII data

    Encrypting Data In Transit vs. Data At Rest

    Chapter VIII - Application Development Controls

    Mobile Apps

    Secure Data Storage

    Understand Data Deletion Process

    Chapter IX – Compliance in Code

    Defining Policies Upfront

    Automated Gates and Checks

    Managing Changes in Continuous Delivery

    Separation of Duties in DevOps

    Code Instead of Paperwork

    Chapter X – The Cloud and Shadow IT

    APIs and Chatbot

    Chapter XI - In Summary

    Audit

    Data Lifecycle Management (DLM)

    Automation

    Transparency


    GDPR – DevOp(Sec); the law, strategy, controls and solutions


    Introduction – GDPR and the role of DevOps

    The EU General Data Protection Regulation (GDPR) applies from 25 May 2018, and it will require products (goods and services) provided to EU data subjects, whether paid for or free, to have been designed and developed with the highest regard for the privacy of the user. The GDPR introduces several new principles that bear directly on the design, development and security process. For example, ‘Privacy by Design and Default’ requires that privacy is baked into the product rather than added as an afterthought, and that the most privacy-protective setting applies by default rather than requiring the user to opt in to it. Similarly, the key principles of Consent, Transparency and Minimization will have profound effects on how personal data can be collected. EU resident data subjects will have the right to expect that their PII is held securely and accurately and, what is more, that the source of the data and their consent are documented with a verifiable history. Furthermore, it is a requirement that their PII can be ported to a competitor, corrected for accuracy, or erased on request (the right to be forgotten).

    GDPR will therefore be a severe constraint on designers and on Sales and Marketing with regard to the collection and handling of personal data. The days of freely appropriating users’ personal data and collecting anything and everything are over – in the EU single market at least.

    The European Economic Area is a vast market: it is the second largest economy in the world both in nominal terms and by purchasing power parity (PPP). The European Union also has a more egalitarian distribution of incomes than the world average, so it is not a market to be wilfully ignored. Hence the GDPR is not something that organisations inside or outside the EU can simply ignore; organisations must address how they develop, market and distribute their products within the European Union.

    To comply with the GDPR, organisations wishing to trade in Europe will need to implement controls and compliance measures that are designed into products from the beginning of the product life-cycle. This means products will have to be developed, quality assured and securely operated in compliance with the GDPR. Hence, a company wishing to do business in the European Economic Area will need to re-evaluate its development and marketing processes.

    DevOps represents the integration of development, IT operations and quality assurance under a single automated umbrella. This is the essence of DevOps: a model in which IT professionals from all areas work together from the beginning to dramatically reduce the time to release a product. The goal of DevOps was to turn the IT business model on its head and produce shorter cycle times through automation and deep cross-functional integration, delivering innovation at a rapid pace. However, this approach leaves security and ‘sales and marketing’ as peripheral figures during the product development life cycle.

    DevOps, in order to operate efficiently, needs to integrate a number of functional areas, including security, if it is to be capable of building compliance and privacy into the final work product. The major difference in this new DevOp(Sec)-oriented world is that everyone’s input, security along with sales and marketing, will be required from the beginning and then automated to ensure short, predictable release times. This is primarily because most developers are not security experts; security experts are needed now, more than ever, to partner with the other skill areas. Additionally, and in a similar vein, developers, IT operations and security practitioners often find the motives and drivers of sales and marketing alien, so representatives from sales and marketing must be incorporated early into the design and development process.

    The major change is that security experts must partner with the rest of the organization, and do so from the beginning of the development process, which has not always been the norm. The alternative is to keep security as its own functional department, but that loses the key advantage of DevOps: cross-functional integration.

    DevOps is actually a boon for security practitioners, who can, with the right automation and operational tools, inject security earlier into the development process, and increase the security of the code that ultimately reaches production.

    However, applications are not developed just to be secure or compliant; they must primarily have a purpose. This is where the early involvement of Sales and Marketing is essential, as it is their requirements and specifications that target the business goals, and these must be made compliant with regulations and made secure while retaining the product’s fitness for purpose.

    Application and data security is not the least of the challenges raised by GDPR. The ability to deliver applications that are both ‘secure by design’ and adhere to the ‘privacy by design’ philosophy will be a challenge and an opportunity for DevOps teams.

    The earlier security is introduced into the development process, the more likely the product is to meet its security and compliance obligations while retaining its original business target. Just as operations, quality assurance and developers have had to adjust to cross-functional integration, where there is an expectation of collaboration and knowledge sharing, security practitioners will also need to adopt this new paradigm.

    Chapter I - Introduction to GDPR


    To set the scene for the introduction of the General Data Protection Regulation (GDPR) we will first spend this chapter considering the present legislation and how it affects business today. The current data privacy laws in the EU member states vary quite considerably, because each member state has transposed the EU Data Protection Directive 95/46/EC into its own national data privacy law. A Directive binds member states as to the result to be achieved but leaves the form and method of implementation to national legislation, so it is not directly applicable law in the way a Regulation is. The EU GDPR, on the other hand, is a Regulation and so applies directly and in its entirety in every member state. Hence, for the first time, there will be a common data privacy law across all member states of the EU.

    The fundamental importance of the current EU Data Protection Directive 95/46/EC is that it gives effect to an important EU principle: the right to privacy for all EU residents. This principle is extremely important, as privacy is considered in the EU to be a fundamental human right. Indeed, the right to respect for private and family life was adopted back in 1950 as Article 8 of the European Convention on Human Rights, and was later incorporated into UK law by the Human Rights Act 1998 (HRA 1998).

    In the UK, for example, the present law is the Data Protection Act 1998, which is based upon the 1995 EU Data Protection Directive; all member states of the EU have similar laws based upon the Directive and applied within their own legal structures. The flexibility allowed when implementing the Directive, however, has resulted in a disparate set of privacy laws throughout the European Community, which has been far from ideal.

    Ironically, the Data Protection Directive 95/46/EC of 24 October 1995 was itself the European Union’s answer to the division of privacy regulations that existed across the EU at the time. Its major goals therefore included the harmonisation of data protection laws and the regulation of transfers of personal data to third countries outside the Union. It established independent public authorities, called Data Protection Authorities (DPAs), in each member state to supervise the application of the Directive and to serve as the regulatory body for interactions with businesses and citizens. The DPD also allowed transfers of personal data to third countries, on the condition that those countries had been recognised as providing an adequate level of protection for the data. This was an important point, as a third country would have to guarantee protections comparable to those within the EU, for example by sharing a comparable ethos regarding data privacy. Overall, the Directive has worked well despite creaking with age, and it stays true to its original recommendations and the core concept of privacy as a fundamental human right.

    Data Protection Directive (DPD)


    The DPD is what exists today: variants of the Data Protection Directive (DPD) are implemented in each member state. In the UK, for example, the implementing law is the Data Protection Act.

    However, as the DPD is now over twenty years old and was drafted long before the prevalence of the web, mobile data and social media, it was struggling to find relevance in the modern world. Consequently, a new revision was proposed, and the UK, amongst others, was a major driver behind the drafting of a new General Data Protection Regulation (proposed by the European Commission in 2012) which would have relevance in the modern internet era. Therefore, even though the UK may leave the EU soon after the GDPR becomes applicable across all the EU member states in 2018, it will still be law in the UK, and UK-based businesses will need to be compliant. Furthermore, even if the UK Government were to remove the Regulation from the statute books, which is highly unlikely given how much the UK contributed to the draft, any business conducting business within the EU single market that necessitates the collection and processing of EU citizens’ personal data would still be required to be GDPR compliant. This is an important point, as it is necessary to understand that the territorial scope of the GDPR has changed: any organisation, even one with no EU establishment, will be required to be GDPR compliant if it supplies products or services that collect the personal data of, or monitor the behaviour of, EU residents.

    The importance of data privacy as a fundamental right for all citizens is a principle the EU holds dearly, and as such it plays a large part in the revised GDPR. The previous Data Protection Directive was drafted back in 1995 and came into law in most EU states in 1998, but that was only at the dawn of the internet and long before ecommerce and the web had become ubiquitous. Therefore the adapted laws in many countries were not sufficient to face the privacy challenges that came about through the proliferation of web browsing, social media, cloud computing services, ecommerce and, importantly, the invasive nature of direct advertising to the user. Similarly, many felt that the existing regulations did not address the business models and practices of the vast internet-scale companies that harvested EU citizens’ personal data and transferred it to offshore locations outside the EU.

    Safe Harbour was one such transatlantic agreement, drawn up to allow US-based internet companies to transfer EU citizens’ data outside the Community’s borders despite there being little guarantee of its privacy. Indeed, when challenged in court, Safe Harbour was found to be unsafe and struck down: the Court of Justice of the European Union (CJEU) declared the Safe Harbour scheme for EU–US data transfers invalid. While Safe Harbour was not the only way to transfer data from the EU to the US, around 4,500 companies relied on this framework as their main legal basis for transfers.

    The case against Safe Harbour was originally brought by the Austrian student Max Schrems, following the NSA revelations by Edward Snowden. The CJEU ruled not only that US public authorities fell outside the scope of Safe Harbour, but also that US law imposed conflicting requirements that prevailed over the scheme in certain circumstances.

    The Safe Harbour decision in 2015 came after work had already started on the revision of the privacy regulations, so it did not bring about the GDPR, but the decision does demonstrate why a revision and update of EU data privacy law was required to meet the changing demands of the internet era.

    In order to understand the changes that the GDPR will bring for businesses operating within the EU market when it becomes applicable in May 2018, we need first to consider what the UK and the other EU member states already use as their directive for data privacy protection.

    Introduction to GDPR Definitions


    In order to understand many of the concepts and articles within the GDPR we need to first understand some of the roles to which the law applies. The main roles referred to in the existing Data Protection Directive and the GDPR are Data Controllers,
