Compliance by Design: Using Innovation To Beat The Compliance Rat-Race


SESSION ID: CXO-R01

Compliance by Design
Using Innovation to Beat the Compliance Rat-Race

Hayden Delaney
Partner, ICT and Data Protection
HopgoodGanim Lawyers
@HaydenDelaney_1

Bob Griffin
Chief Security Architect
RSA, the Security Division of EMC
@RobtWesGriffin
#RSAC
The Compliance Challenge (Hayden)
A Strategy for Compliance by Design (Bob)
Leveraging Standards in Compliance by Design (Hayden and Bob)

The Compliance Challenge

Why privacy + security matters

“At the heart of the Internet culture is a force that wants to find out
everything about you. And once it has found out everything about
you and two hundred million others, that’s a valuable asset and
people will be tempted to trade and do commerce with that asset.”

Andy Grove, 2000, former CEO of Intel Corporation

Data ecosystem

• Data complexity
  ◦ More data = more noise
• Data emergence
  ◦ The calculus of privacy & data sovereignty
• Data self-organisation
  ◦ Datasets interact with one another, modifying the data ecosystem and producing more knowledge – for example...

Legal, industry & consumer response framework

• Complex: privacy and data-related law reform at a global level.
• Multi-layered regulatory framework:
  ◦ Informational privacy + data protection (e.g., Privacy Act (Aus), Personal Information Protection and Electronic Documents Act or “PIPEDA” (Canada), EU Data Protection Directive, etc.)
  ◦ Data breach notification (e.g., California S.B. 1386 or proposed Australian laws)
  ◦ Anti-spam (e.g., Spam Act 2003 (Aust), CASL (Canada), CAN-SPAM (US), etc.)
  ◦ Industry regulation & standards (PCI DSS, KMIP, PKCS, etc.)

Data is a hard beast to tame

• Data is BIG and it flows seamlessly.
• Data collection, use and disclosure are regulated & create risk.
• Cloud and the Internet of Things (IoT) make it hard to control.
• We want the benefits but not the risk and loss of control.
• How do we resolve this?

Maybe we’re asking the wrong questions?

• The answer ≠ “just encrypt it”.
• The issue is not “use algorithm X” or “use vendor ABC”.
• The issue is not (necessarily) just about data (or at least encrypted data).
• Instead, we need to turn the debate to key management, visibility and interoperability.

Data sovereignty

• Once data leaves a jurisdiction’s borders, other laws apply (and not always the good type) + loss of physical control.
• Data sovereignty is not solely a privacy issue:
  ◦ Business sensitive information
  ◦ Confidential information
  ◦ Ownership

Data sovereignty & cross border disclosures in Australia

• Cross border disclosure of personal information (Privacy Act, APP 8):
  Before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles.
• A focus on ongoing accountability (Privacy Act, Section 16C): acts of overseas recipients of personal information (in summary). Where:
  a) an Australian entity discloses personal information about an individual to an overseas recipient; and
  b) the overseas recipient breaches the Australian Privacy Principles;
  then that act is taken to have been done by the Australian disclosing entity.

Case study: Apple’s solution to data sovereignty & privacy


• Consider the risk environment:
  ◦ Broad government data access laws via the Patriot Act, brought starkly to light by the Snowden leaks
  ◦ Consumer concerns around personal privacy (e.g., government access (Snowden) and also malicious access (e.g., celebrity iCloud leaks))
• Business value (probably the real reason):
  ◦ Money, money, money
  ◦ Apple seeking to create an environment where financial transactions can be conducted via a biometric fingerprint scanner
  ◦ Laws requiring authentication for financial transactions
• The solution: engineering control
  ◦ Not (effectively) holding the data (despite actually holding it via Apple’s cloud infrastructure)
  ◦ Encryption keys wrapped in the user’s device & linked to the biometric fingerprint scanner

Marketing and big data – the legal challenge

• The drive to communicate with customers is key to business.
• For organisations operating in multiple jurisdictions, with geographically dispersed retail outlets, the compliance problem is massive.
• Compliance requirements vary between:
  ◦ Communication medium (e.g., email (SMTP), text messages (SMPP), telephone calls)
  ◦ Jurisdiction (CASL for Canada, CAN-SPAM and the Telephone Consumer Protection Act for the USA, the Spam Act and Do Not Call Register Act for Australia)
• A compliance strategy is discussed later.

A Strategy for Compliance by Design

Operating in harmony

Diagram: Business value, Security and Privacy, and Legal and Compliance, tied to Technology, Process and People through Design.

Disruption: an opportunity for transformation

Infrastructure transformation (Mobile, Cloud, Big Data): less control over access device and back-end infrastructure.
Business and legal transformation (Extended Workforce, Networked Value Chains): more hyper-extended, more digital.
Threat landscape transformation (Sophisticated Fraud, APTs): fundamentally different tactics, more formidable than ever.

http://www.emc.com/collateral/industry-overview/h11391-rpt-information-security-shake-up.pdf?pid=sbiclandingpage-sbicspecialreport-122112

A change in strategy

Diagram: Controls Focus → Compliance Focus → Risk Focus → Compliance by Design, moving from Technology Focused to Business Focus.

Enabling “Compliance by Design”

Diagram:
Data sources: Data, Apps, Systems, Network
Analytics: Alert & Report, Investigate & Analyze, Visualize, Store, Respond
Governance: Compliance, Incident Management, Remediation
Public & Private Threat Intelligence

Communication Valley Reply (Italy)

• Requirements:
• Reduce cost of compliance reporting
• Efficient, cost-effective management of security
• Reduced cost of service delivery
• Improved service as competitive advantage
• Solution:
• Automatically track and report on client risk and
compliance
• Enhance incident triage
• Improve event analysis

http://www.emc.com/collateral/customer-profiles/h11982-reply-cp.pdf
Risk discipline across the organization

Diagram:
Stakeholders: LOB Executives, Business Operations Managers, CIO & Board, CISO
Risk domains (IT and Business): IT Security Risk, Regulatory & Corporate Compliance, Operational & Enterprise Risk, Business Resiliency, Audit, Third Party & Vendor Risk
Common Foundation
Maturity: Silos → Managed → Advantaged

Identity governance across the organization

Trusted interactions between identities and information.

Diagram:
Employees/Partners/Customers
Access Platform: Authentication, Federation/SSO
Governance Platform: Compliance, Identity Lifecycle, Provisioning
Identity Intelligence
Applications/Data/Resources

Security analytics across the organization

Capture, analyze and act on data from across the enterprise.

Diagram:
Capture: Packets, Logs, Endpoint, NetFlow
Visibility (live enrichment): Capture-time meta-data enrichment, Session reconstruction
Analysis: Advanced Analytics, Endpoint Analysis, Investigation
Action: Incident Management, Compliance
Intelligence: Threat Intelligence | Rules | Parsers | Feeds | Reports | Research

What about leveraging standards?

Secure Provisioning of Cloud Services based on SLA Management (SPECS)

Diagram labels: CSC; Request SecSLA capabilities; Search, Evaluate, Rank; Negotiate & Sign SecSLA offering; Final agreed SecSLA capabilities; Federation.

Leveraging Standards in Compliance by Design

How does one decide?

• Popularity test – follow the crowd
• Fashion test – pick your favourite vendor and follow them
• Simplicity test – weigh the standards
• Complexity test – run tools over the standards document
• Taste test – read the standards

The natural evolution of standards

Diagram: Fear + consumer demand → Industry responds with new “solutions” → New solutions: complex, expensive + proprietary → Competitors organise a competing industry standard → Standard sinks or swims → Clear winners emerge → Standardisation drives competition → Competition drives consolidation + consumer benefit → Drives law reform

Interoperability in “Compliance by Design”

• Interoperability:
  ◦ Creates competition
  ◦ Helps prevent vendor lock-in
  ◦ Mitigates business continuity risk
• Interoperability standards:
  ◦ Make acquisition and use of ICT products streamlined
  ◦ Transparency – for improved governance and audit
  ◦ Consistent semantics enable analytics

Interoperability reduces complexity

• Interoperability in ICT procurement:
  ◦ Mandatory requirement
  ◦ Measurable targets
• Consider:
  ◦ Interoperability warranties at procurement
  ◦ Interoperability in transition-out
  ◦ Warranties covering standards compliance
  ◦ False standards – beware!

Diagram: Stakeholder requirements, Business rules, Technical feasibility, Contractual requirements.

Examples of interoperability standards

• PKCS#11
• OASIS Key Management Interoperability Protocol (KMIP)

PKCS#11

Timeline:
Jan-94  RSA launches the PKCS#11 project
Apr-95  PKCS#11 V1.0 published (RSA)
Dec-97  PKCS#11 V2.01 published (RSA)
Dec-99  PKCS#11 V2.10 published (RSA)
Jan-01  PKCS#11 V2.11 published (RSA)
Jun-04  PKCS#11 V2.20 published (RSA)
Sep-09  PKCS#11 V2.30 draft (RSA)
Dec-12  RSA announces transition of PKCS#11 management to OASIS
Mar-13  OASIS PKCS#11 TC 1st meeting
Feb-14  OASIS PKCS#11 interop demonstration at RSA 2014 (Cryptsoft, Cryptosense, Feitian, Oracle, Vormetric)
Nov-14  PKCS#11 V2.40 OASIS specification (anticipated)
Apr-15  OASIS PKCS#11 interop demonstration at RSA 2015 (participants TBA)

OASIS KMIP

Interoperability: KMIP adoption

Source: Cryptsoft

Security architectures

Cloud security architectures – encryption

Model 1: Enterprise Key Management
Model 2: Hybrid Key Management
Model 3: CSP Key Management

Cloud security architectures – encryption key management

Model 1: Enterprise Key Management – the enterprise generates and holds the keys; the CSP holds only encrypted data.
Model 2: Hybrid Key Management – key management is shared between the enterprise and the CSP.
Model 3: CSP Key Management – the CSP generates and holds the keys on the enterprise’s behalf.
Who holds the keys determines who can read the data and which jurisdiction’s laws reach it, which is what the “Resolving a problem via key management” slides that follow rely on.

Compliance by Design

Diagram (as in “Operating in harmony”): Business value, Security and Privacy, and Legal and Compliance, tied to Technology, Process and People through Design.

Resolving a problem via key management: public cloud data sovereignty

Diagram: with enterprise key management, only encrypted data reaches the CSP’s California, Ireland and Sydney data centres.

Resolving a problem via key management: data breach & notification


• Key questions (by reference to California S.B. 1386):
  ◦ Does the data include “personal information”?
  ◦ Does the “personal information” relate to a California resident?
  ◦ Was the “personal information” unencrypted?

Resolving a problem: beyond use data

• Most jurisdictions with informational privacy laws support the de-identification and minimization of personal information. Consider the strengths of the KMIP standard.

Diagram: Key Manager with Archive key and Recover key operations.
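The three “Resolving a problem via key management” slides rest on one mechanism: data is encrypted inside the enterprise before it leaves, and the key-encryption keys stay with the enterprise (Model 1 on the architecture slides). The CSP’s data centres in any jurisdiction then hold “encrypted data only”, a breach of the CSP store alone exposes nothing unencrypted, and archiving or destroying a key puts every overseas copy beyond use without asking the CSP to delete anything. The Go program below is an added illustration of that mechanism; it is not from the deck, from RSA or from any vendor. KeyManager, CloudRecord, Store and Retrieve are names chosen here, Archive, Recover and Destroy only imitate the behaviour of the KMIP operations of the same name (they do not speak KMIP), and the customer record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom returns n random bytes; KEKs and DEKs are both 32-byte AES-256 keys.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM under a fresh nonce and returns nonce||ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; it fails on a wrong key or a tampered blob.
func unseal(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// KeyManager models an enterprise key manager (Model 1): KEKs never leave the enterprise's jurisdiction.
type KeyManager struct {
	keks     map[string][]byte // KEK material by ID
	archived map[string]bool   // archived KEKs exist but refuse to unwrap until recovered
}

func NewKeyManager() *KeyManager { return &KeyManager{keks: map[string][]byte{}, archived: map[string]bool{}} }

// Generate creates a fresh 256-bit KEK under the given ID.
func (km *KeyManager) Generate(id string) { km.keks[id] = mustRandom(32) }

// Archive and Recover mirror the KMIP operations of the same name; Destroy erases the KEK,
// so every record wrapped under it is permanently unreadable (crypto-shredding).
func (km *KeyManager) Archive(id string) { km.archived[id] = true }
func (km *KeyManager) Recover(id string) { delete(km.archived, id) }
func (km *KeyManager) Destroy(id string) { delete(km.keks, id); delete(km.archived, id) }

func (km *KeyManager) kek(id string) ([]byte, error) {
	if k, ok := km.keks[id]; ok && !km.archived[id] {
		return k, nil
	}
	return nil, fmt.Errorf("KEK %q not available (archived or destroyed)", id)
}

// CloudRecord is all the overseas data centre holds: ciphertext plus a DEK wrapped under a KEK it lacks.
type CloudRecord struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Store encrypts inside the enterprise under a fresh per-record DEK, wraps the DEK under
// the named KEK, and returns only what may leave the jurisdiction.
func Store(km *KeyManager, kekID string, plaintext []byte) (CloudRecord, error) {
	kek, err := km.kek(kekID)
	if err != nil {
		return CloudRecord{}, err
	}
	dek := mustRandom(32)
	return CloudRecord{KEKID: kekID, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}, nil
}

// Retrieve unwraps the DEK with the enterprise KEK and decrypts; it fails once the KEK is archived or destroyed.
func Retrieve(km *KeyManager, rec CloudRecord) ([]byte, error) {
	kek, err := km.kek(rec.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := unseal(kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, rec.Ciphertext)
}

func main() {
	km := NewKeyManager()
	km.Generate("au-customers")
	rec, _ := Store(km, "au-customers", []byte("Jane Citizen, DOB 1980-01-01")) // constructed sample
	km.Destroy("au-customers") // crypto-shred: every copy the CSP holds is now beyond use
	_, err := Retrieve(km, rec)
	fmt.Printf("CSP holds %d ciphertext bytes and no plaintext; after Destroy: %v\n", len(rec.Ciphertext), err)
}
```

Two caveats a practitioner would attach to the breach-notification argument: the “was it unencrypted?” question only comes out in your favour while the KEK was not also exposed, so the key manager needs stronger protection than the data it guards; and Destroy is irreversible, which is the point of crypto-shredding but also why Archive exists for keys that may be needed again.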
Resolving marketing compliance: consent database

Diagram: the customer gives consent + customer-defined preferences to the consent database, which gates each channel: Email (SMTP), Text message (SMPP), Telemarketing.
Captures:
• Contact mediums
• Uses & disclosures
• Duration
• Jurisdictions (data sovereignty)
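As an added example that is not from the deck or from any vendor, a minimal version of the consent database above in Go: each record captures medium, uses and disclosures, duration and jurisdiction, and the sending system asks MayContact before every message goes out over SMTP, SMPP or the phone. Consent, ConsentDB, Decision, MayContact and the medium names are choices made here, and the customer record is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Medium is the channel a message would travel over; each carries its own regulatory regime.
type Medium string

const (
	Email Medium = "email" // delivered over SMTP
	SMS   Medium = "sms"   // delivered over SMPP
	Voice Medium = "voice" // telemarketing call
)

// Consent is one row of the consent database: who agreed to what, over which medium,
// for how long, and under which jurisdiction's rules the agreement was captured.
type Consent struct {
	Subject      string
	Medium       Medium
	Purposes     []string      // uses and disclosures agreed to, e.g. "marketing", "service"
	Jurisdiction string        // where the customer is, e.g. "AU", "CA", "US"
	GrantedAt    time.Time
	Duration     time.Duration // 0 means no fixed expiry; only revocation ends it
	RevokedAt    *time.Time    // nil while the consent stands
}

func (c Consent) covers(purpose string) bool {
	for _, p := range c.Purposes {
		if p == purpose {
			return true
		}
	}
	return false
}

// Decision is what the sending system acts on and what the audit trail records.
type Decision struct {
	Allowed      bool
	Jurisdiction string // regime governing this contact, recorded for audit
	Reason       string
}

type ConsentDB struct{ records []Consent }

func (db *ConsentDB) Grant(c Consent) { db.records = append(db.records, c) }

// Revoke withdraws every standing consent the subject gave for the medium, effective at t.
// Sends dated before t remain covered, which is what an audit later needs to show.
func (db *ConsentDB) Revoke(subject string, m Medium, t time.Time) {
	for i := range db.records {
		r := &db.records[i]
		if r.Subject == subject && r.Medium == m && r.RevokedAt == nil {
			at := t
			r.RevokedAt = &at
		}
	}
}

// MayContact is deny-by-default: a send at time t is allowed only if some record matches the
// subject, medium and purpose and is neither expired nor revoked at t. When a record matches
// but is not active, the reason says why, so the denial is explainable.
func (db *ConsentDB) MayContact(subject string, m Medium, purpose string, t time.Time) Decision {
	reason := fmt.Sprintf("no consent on record for %s/%s/%s", subject, m, purpose)
	for _, r := range db.records {
		if r.Subject != subject || r.Medium != m || !r.covers(purpose) {
			continue
		}
		switch {
		case r.RevokedAt != nil && !t.Before(*r.RevokedAt):
			reason = "consent revoked " + r.RevokedAt.Format("2006-01-02")
		case r.Duration > 0 && !t.Before(r.GrantedAt.Add(r.Duration)):
			reason = "consent expired " + r.GrantedAt.Add(r.Duration).Format("2006-01-02")
		case t.Before(r.GrantedAt):
			reason = "consent not yet effective"
		default:
			return Decision{Allowed: true, Jurisdiction: r.Jurisdiction, Reason: "consent granted " + r.GrantedAt.Format("2006-01-02")}
		}
	}
	return Decision{Allowed: false, Reason: reason}
}

func main() {
	db := &ConsentDB{}
	granted := time.Date(2015, 1, 10, 0, 0, 0, 0, time.UTC)
	// Constructed sample: an Australian customer opts in to marketing email for 12 months.
	db.Grant(Consent{Subject: "jane", Medium: Email, Purposes: []string{"marketing"},
		Jurisdiction: "AU", GrantedAt: granted, Duration: 365 * 24 * time.Hour})
	at := granted.AddDate(0, 5, 0)
	fmt.Printf("email marketing: %+v\n", db.MayContact("jane", Email, "marketing", at))
	fmt.Printf("sms marketing:   %+v\n", db.MayContact("jane", SMS, "marketing", at))
	fmt.Printf("email a year on: %+v\n", db.MayContact("jane", Email, "marketing", granted.AddDate(1, 1, 0)))
}
```

The gate is deny-by-default, and every Decision carries the governing jurisdiction and a reason, which is what an audit later needs. Which jurisdiction imposes which rule is left to the policy that populates the records; the deck lists the regimes but does not enumerate their rules, so none are encoded here.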

Apply what you have learned today

• Next week you should:
  ◦ Identify opportunities for applying compliance by design
  ◦ Ask your vendor if they support enterprise key management
  ◦ Ask your vendor if they support interoperability in cloud environments
• In the first three months following this presentation you should:
  ◦ Define a project to evaluate compliance by design
• Within six months you should:
  ◦ Drive an implementation to evaluate compliance by design

Thank You!