devops vs gdpr: how to comply and stay agile


Upload: ben-saunders

Post on 13-Apr-2017


TRANSCRIPT

Page 1: DevOps vs GDPR: How to Comply and Stay Agile

WELCOME TO TODAY'S PRESENTATION

DevOps vs GDPR: How to Comply and Stay Agile

A Joint Webinar between Contino & Delphix

Page 2

Today's Speakers

Adam Bowen, Delphix Strategic Advisor, Office of the CTO

Ben Saunders, Contino Client Principal

Ilker Taskaya, Delphix Senior Solution Engineer

Ian Morgan, Contino Technology Strategist

Page 3

Your organisation can’t ignore regulation... Many organisations have been in denial about digital disruption. Regulatory compliance, however, is a disruption they can’t afford to ignore. If you think your organisation has its head in the sand, or has put on the noise-cancelling headphones, then now is the time to act: GDPR applies from 25 May 2018 and that deadline is fast approaching.

“Has the legislation been passed yet?”

“This isn’t really happening is it?....breathe in...breathe out”

“We don’t need to worry about these Challenger Banks…errrrr,

what was that? The EU are banging on our door?”

What is GDPR and how could it affect your organisation?

Page 4

General Data Protection Regulation (GDPR)... In Layman's Terms

With GDPR, EU legislation is changing the ways in which organisations handle, distribute and use personal data.

The intention is to align every European Union (EU) member state to a single set of rules, replacing the national implementations of the 1995 Data Protection Directive.

Once the Regulation applies, every organisation that processes the personal data of individuals in the EU must adhere to its provisions. Note that GDPR uses the term "personal data", which is broader than "personally identifiable information (PII)": any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs, is in scope.

Organisations that fail to adhere face significant fines and other corrective measures.

There is no opting out, every organisation must comply! So what are the implications of GDPR?

Up to 2% of global annual turnover, or €10M, whichever is higher: the maximum fine for the lower tier of infringements (Article 83(4)), which covers controller and processor obligations such as data protection by design, records of processing, security of processing and breach notification.

Up to 4% of global annual turnover, or €20M, whichever is higher: the maximum fine for the higher tier of infringements (Article 83(5)), which covers the basic processing principles, the conditions for consent, data subjects' rights and international transfers.

The tier depends on which obligation was breached, not on whether it is the first or second audit, and supervisory authorities also have softer corrective powers (warnings, reprimands and orders to bring processing into compliance). Organisations should nonetheless be proactive about how they are going to handle this change, and explore ways in which they can combine data agility, compliance and automation as a catalyst for business growth.

Page 5

GDPR Principles - The Data Controller

GDPR (Article 5)

1. Personal data must be processed lawfully, fairly and transparently.

2. Personal data can only be collected for specified, explicit and legitimate purposes.

3. Personal data must be adequate, relevant and limited to what is necessary for the processing.

4. Personal data must be accurate and kept up to date.

5. Personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for the processing.

6. Personal data must be processed in a manner that ensures its security.

The Data Controller is responsible for, and must be able to demonstrate, compliance with these principles (the accountability principle). It is also the responsibility of the Data Controller to secure the same assurances, by contract, from the external Data Processors it engages.

Enterprises must be clear on what each of the principles means for them. Given the broad interpretation of terms like "processing" (which covers almost anything done with data, including copying it into a test environment), a large amount of ambiguity still exists.

Page 6

GDPR – Data Challenges

There are a number of specific data challenges under the GDPR Regulation that Enterprises need to internalise into their practice. A number of high-impact considerations are detailed on this slide:

Data Protection by Design & by Default: The notion of building privacy or data protection measures into applications or processes is not new. The Regulation, however, makes it mandatory in Article 25: appropriate technical and organisational measures (it names pseudonymisation and data minimisation as examples) must be built in from the design stage and applied by default.

Data Portability: Under Article 20 of the Regulation, data subjects can request a copy of the personal data they have provided, and can also request that this information be transmitted directly to another data controller. The Regulation does not prescribe a specific file format, but it does require a "structured, commonly used and machine-readable" one.

Data Encryption: Given the extent to which encryption could mitigate the impact of a data breach, enterprises should extend encryption to cover data at rest, in transit and, where possible, in processing. Encryption is named as an appropriate security measure in Article 32, and if breached data has been rendered unintelligible (for example, strongly encrypted with keys that were not themselves compromised) the obligation to notify the affected data subjects does not apply (Article 34(3)(a)).

Data Breaches: GDPR mandates that the supervisory authority be notified of a personal data breach within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33), and that the data subjects themselves be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34).

Page 7

We will be focusing on portions of this regulation today.

Page 8

GDPR - A Ticking Time Bomb for Global Organisations

WHO IS AFFECTED?

Organisations established in the EU, wherever the processing itself takes place. Organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour (Article 3). In practice that includes any organisation holding data on EU-based customers, employees or business contacts.

RIGHT TO ERASURE

The right to erasure, or "right to be forgotten" (Article 17), enables individuals to request that their data be removed from an organisation's system(s) of record where there is no longer a legitimate reason for the data to be held; the related "opt out" is the right to withdraw consent at any time (Article 7(3)). Erasure has to reach every copy, including backups, reporting stores and any test environment that was loaded from production.

DATA BREACH & REGULATION

If a personal data breach occurs, organisations must notify their supervisory authority within 72 hours of becoming aware of it. The control processes around the end-to-end data supply chain must be audited to ensure they are fit for purpose.

WHAT ARE THE PENALTIES?

Lower tier: up to 2% of global turnover or €10M. Higher tier: up to 4% of global turnover or €20M. In each case whichever is higher applies.

Fines sit alongside the authority's power to limit or ban the processing altogether (Article 58), which can hurt a business more than the fine itself.

PRIVACY BY DESIGN

GDPR stipulates that systems and processes must be designed in a way that data protection standards are followed and adhered to.

Page 9

Privacy by Design - DevOps vs GDPR

The Constraint: RIGHT TO ERASURE

The right to erasure, or "right to be forgotten", enables individuals to request that their data be removed from an organisation's system(s) of record where there is no longer a legitimate reason for it to be held.

The Constraint: PRIVACY BY DESIGN

GDPR stipulates that systems and processes must be designed in a way that data protection standards are followed and adhered to.

The Solution: DEVOPS & DATA AGILITY TO TACKLE COMPLIANCE

Contino - Continuum
Delphix - Data Masking
AWS - Cloud Environments

Customers can withdraw their consent to an organisation using their personal data, and loading unmasked production data into test environments is itself processing that needs a lawful basis. As a result, organisations must explore ways in which they can adhere to GDPR but still provision high-quality test data at velocity. The premise of Accountable Empowerment must be adhered to by organisations to ensure they can track who did what, and when they did it, across their delivery pipeline; this can be achieved through integrated DevOps tooling and processes.

End to End Accountable Empowerment - Obfuscation, Control & Visibility: Who, What, When, Where?

Page 10

Just to add more pressure... You can’t get away from BAU

“We need new functionality delivered in our customer facing web-app... oh and we need it tomorrow!”

“Damn it. How are we going to release an environment so we can test this feature?!”

“What do you mean it is going to take us 10 days to load data into the environment?!”

“Hang on, what do you mean the data is loaded...but someone has deployed the wrong config?!”

“What? I have already raised an RFQ with your team... What do you mean it has expired!?”

Page 11

We are teaming up to help customers address these pains...

Based on the challenges that regulation brings to our joint customers, in addition to the more traditional BAU delivery bottlenecks, Contino and Delphix are applying our DevOps expertise, compliance know-how and technical wizardry to help customers accelerate their application delivery whilst controlling cost and remaining compliant.

How are we doing this, I hear you say?

Page 12

Accountable Empowerment - DevOps vs GDPR

Continuum is a Continuous Delivery pipeline tool chain which integrates both open source and enterprise-grade tools to enable the creation of a secure application delivery pipeline in AWS. To assist with the provisioning of production-like test data, Continuum integrates with Delphix to leverage its data virtualisation and data masking capabilities, so that we can provision production-grade environments consistently whilst complying with GDPR. With DevOps & Data Agility, we enable Accountable Empowerment.

Continuum is a platform we deploy within weeks:
• Full infrastructure as code
• Multi-region, multi-availability-zone deployments
• Microservice / containerised deployments targeting Kubernetes
• Continuous integration & continuous delivery toolchain

Delphix:
Data Masking - The most advanced data security solution available.
Cloud Migration - Achieve value from cloud projects faster.
DevOps - Complete the DevOps stack with self-service data.

Page 13

DevOps & Data Agility - Future Proof for GDPR

Leading digital companies are operating under a DevOps operating model: "You Build It, You Run It." Fortunately, these practices are now also viable for large established enterprises in regulated industries, as the tools, practices and approaches are proven.

DevOps teams operate in a more cross-functional way and have more control of their stack federated to them. Their use of automation tooling leads to more tightly controlled and audited environments, and to increased levels of quality, resilience and compliance within a GDPR context. MASK ONCE AND DEPLOY ANYWHERE, CONSISTENTLY AND SECURELY.

[Pipeline diagram: Developer, Developer, Developer, Tester, Ops Engineer and Ops Engineer roles across the stages Build, Unit Test, Integration Test, Dev Deploy, Test Deploy and Prod Deploy.]

Continuous Integration or release automation tooling implements role-based access control, whilst data can be made available across development environments.

Infrastructure, middleware and application deployments are repeatable using infrastructure-as-code playbooks, with the capacity to populate environments with obfuscated data, at volumes a fraction of the production scale, with Delphix.

Automated approval and deployment gates are incorporated into the pipeline here.

Incorporate compliant data agility mechanisms with Delphix at multiple stages of the SDLC.

"Real" data copies are extracted from production systems, obfuscated and stored in a staging area for environment loads, either through self-service test data or predefined automation recipes/playbooks.

Page 14

Privacy by Design - DevOps vs GDPR

CONTINUOUS DELIVERY PIPELINE

DevOps Delivery Pipeline - Application, Data & Environment Alignment

[Pipeline diagram: stages Planning, Requirements & Analysis; Design & Development; Repositories & Management; Integration & Test; Implementation & Deployment. Tooling shown: Defects, Incidents & Requirements; IDE; Version Control; Dependency Management; Binary Repository; CI Server; Build Automation; Code Quality.]

1. Developer accepts a defect, incident or requirement.

2. Developer pulls source code from the repository.

3. Developer pulls dependencies from the binary repository.

4. Source code changes are made in the local IDE. Run local code analytics.

5. Developer requests peer review approval or automated acceptance.

6. Source code commits are pushed to the central SCM/VCS.

7. Developer accepts the status of the defect, incident or requirement.

8. The build server detects changes in the VCS, pulls the code and initiates a build. A successful compilation triggers automated tests.

9. The build server uses the build automation tools to push the generated artifacts and deployables to the binary repository.

10. Once the changes pass automated tests, they are assessed for quality through SonarQube checks.

The Product Team / Squad works across the delivery pipeline, developing, orchestrating and testing, where required through automation, under the mantra of ACCOUNTABLE EMPOWERMENT.

Environment Build - ST-SIT: Dependencies are pulled from the binary repository. The deployment tools pull the artifacts and propagate them through the deployment environments across ST, SIT and Pre-Prod. Continuous Delivery tools are used to orchestrate and manage the various parts of the delivery pipeline. Environment management tools are used to provision environments and test data, under version control. Quality Assurance tools are used to smoke test and secure the environment.

We can create a coherent Privacy by Design, GDPR-compliant DevOps pipeline that ensures people have access to the right tooling to do their jobs, whilst ensuring the correct governance/compliance controls exist to enable secure access to customer data.

Page 15

Data Management Today

[Diagram: PRODUCTION (APP, RDBMS, STORAGE: 1 TB) is copied, by moving data, into the NON-PRODUCTION DEV, TEST and STAGE environments, each with its own APP, RDBMS and STORAGE: 3 TB of storage in total, and weeks to provision or refresh.]

Page 16

How It Works

STEP 1: Capture application data: a one-time copy of prod.

[Diagram: Source APP + RDBMS on 1 TB of storage; the Delphix virtual machine (installs on any supported hypervisor, on any storage) holds a 0.3 TB copy in under 1 TB of storage.]

Page 17

How It Works

STEP 2: Continuously record unique, incremental changes.

[Diagram: the same source; the engine now holds successive points in time (March 21 06:11am, March 22 12:43pm, March 22 08:41pm) and still occupies about 0.3 TB.]

Page 18

How It Works

STEP 3: Share data blocks instead of duplicating data.

[Diagram: DEV, TEST, STAGE and further environments, each with its own APP and RDBMS, are served from the shared 0.3 TB copy in under 1 TB of storage rather than from separate full copies of the 1 TB source.]

Page 19

How It Works

[Same diagram as Page 18.]

Page 20

Change the Physics, Change the Game

▪ Have as many copies as you want without adding storage

▪ Access data in minutes instead of hours, days, or weeks

▪ Refresh from production at any time

▪ Rewind to any point in history

▪ Bookmark during a test and return to it in minutes

▪ Branch data at will for troubleshooting, parallel projects

▪ Integrate with DevOps solutions to deliver environments on-demand

[Diagram: a software appliance on any server, storage or cloud serves virtual databases to Dev, Test, UAT and Reporting from points in time such as 3 months ago, last Monday and today (10:27 A.M., 1:30 P.M., 5:07 P.M.).]
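The three steps on the preceding slides (capture once, record only increments, share blocks instead of duplicating them) and the bookmark, rewind, refresh and branch operations listed above all fall out of one data structure: a content-addressed block store plus snapshots that are nothing more than ordered lists of block digests. The model below is an added illustration written for this page, not Delphix code; it assumes a toy 16-byte block size, an in-memory store and constructed sample bytes, where a real engine works on database files and storage-level snapshots.

```python
"""Copy-on-write block sharing behind 'virtual' database copies.
Added illustration, not Delphix code; block size, names and sample data
are assumptions made for this example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # bytes; assumed, real engines use far larger blocks


def split_blocks(data: bytes) -> list[bytes]:
    """Cut a byte string into fixed-size blocks (the last may be short)."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class BlockStore:
    """Content-addressed store: an identical block is kept exactly once."""

    def __init__(self) -> None:
        self._blocks: dict[str, bytes] = {}

    def put(self, block: bytes) -> str:
        digest = hashlib.sha256(block).hexdigest()
        self._blocks.setdefault(digest, block)  # no-op if already present
        return digest

    def get(self, digest: str) -> bytes:
        return self._blocks[digest]

    def bytes_used(self) -> int:
        return sum(len(b) for b in self._blocks.values())


@dataclass
class VirtualCopy:
    """A provisioned copy: a mutable pointer (tuple of block digests)
    into the shared store. It owns no bytes of its own."""
    name: str
    head: tuple[str, ...]
    bookmarks: dict[str, tuple[str, ...]] = field(default_factory=dict)


class DataEngine:
    def __init__(self) -> None:
        self.store = BlockStore()
        self.timeline: list[tuple[str, ...]] = []  # source history, oldest first
        self.copies: dict[str, VirtualCopy] = {}

    def capture(self, source: bytes) -> tuple[str, ...]:
        """Step 1 on the first call, step 2 afterwards: only blocks whose
        content changed are added to the store; the rest are reused."""
        snap = tuple(self.store.put(b) for b in split_blocks(source))
        self.timeline.append(snap)
        return snap

    def provision(self, name: str, snap: tuple[str, ...] | None = None) -> VirtualCopy:
        """Step 3: a new copy is a pointer, not a duplicate of the data."""
        self.copies[name] = VirtualCopy(name, self.timeline[-1] if snap is None else snap)
        return self.copies[name]

    def write(self, name: str, index: int, block: bytes) -> None:
        """Copy-on-write: only the changed block is new; the rest stay shared."""
        head = list(self.copies[name].head)
        head[index] = self.store.put(block[:BLOCK_SIZE])
        self.copies[name].head = tuple(head)

    def read(self, name: str) -> bytes:
        return b"".join(self.store.get(d) for d in self.copies[name].head)

    def bookmark(self, name: str, label: str) -> None:
        self.copies[name].bookmarks[label] = self.copies[name].head

    def rewind(self, name: str, label: str) -> None:
        self.copies[name].head = self.copies[name].bookmarks[label]

    def refresh(self, name: str) -> None:
        self.copies[name].head = self.timeline[-1]  # latest captured state

    def branch(self, parent: str, child: str) -> VirtualCopy:
        return self.provision(child, self.copies[parent].head)

    def logical_bytes(self) -> int:
        """What separate full physical copies would have cost in storage."""
        return sum(len(self.read(n)) for n in self.copies)


def demo() -> dict:
    """Constructed data: a 64-byte 'production' image and four copies."""
    engine = DataEngine()
    prod_v1 = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16
    engine.capture(prod_v1)
    prod_v2 = b"A" * 16 + b"B" * 16 + b"X" * 16 + b"D" * 16  # one block changed
    engine.capture(prod_v2)

    engine.provision("dev")                        # latest state
    engine.provision("test")                       # latest state
    engine.provision("stage", engine.timeline[0])  # older point in time
    engine.bookmark("dev", "before-migration")
    engine.write("dev", 0, b"Z" * 16)              # dev-only change
    engine.branch("dev", "dev-hotfix")             # keeps dev's change
    engine.rewind("dev", "before-migration")       # dev back to prod_v2

    return {
        "physical_bytes": engine.store.bytes_used(),  # unique blocks only: 6 x 16
        "logical_bytes": engine.logical_bytes(),      # 4 copies x 64 bytes
        "dev_equals_test": engine.read("dev") == engine.read("test"),
        "hotfix_kept_change": engine.read("dev-hotfix")[:16] == b"Z" * 16,
        "stage_is_old": engine.read("stage") == prod_v1,
    }
```

Running `demo()` shows the storage arithmetic behind the slides: two source captures plus four working copies, one of them modified and branched, occupy 96 bytes of unique blocks while the same copies made the traditional way would occupy 256. Note what the model does not do: a block store like this deduplicates, it does not protect, so the security property the page wants (no personal data in the copies) still has to come from masking the source before it is shared.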

Page 21

Full, Virtual, Self-Service Capability

Next-gen data masking
• Easy to use
• Automatic profiling
• Referential integrity

Embedded native masking, across cloud, on-premises and partner platforms.

[Diagram: from a masked source, DEV 1 to N, TEST 1 to N and UAT 1 to N virtual copies are provisioned from points in time (3 months ago, last Monday, today at 10:27 A.M., 1:30 P.M., 5:07 P.M.). Self-service operations: Bookmark, Rewind, Refresh, Synchronize, Branch, Provision.]

✓ Mask Once ✓ Distribute Many ✓ Refresh Anytime
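The three masking properties above (automatic profiling, referential integrity, mask once and distribute many), the obfuscated staging copy described on Page 13 and the automated gates mentioned on Pages 13 and 14 can be shown together in one small program. The following is an added example, not Delphix's masking engine: it profiles two constructed tables for columns that hold personal data, replaces those values with keyed HMAC-derived tokens so that the same input maps to the same output in every table and on every refresh, and then runs the check a deployment gate should run before a copy leaves the staging area. Table contents, column names, the profiling patterns and the masking key are all assumptions made for the example.

```python
"""Deterministic, keyed data masking with referential integrity, plus the
check a pipeline gate should run before a masked copy is handed out.
Added example, not Delphix's masking engine; table contents, column
names, patterns and the key are assumptions made for this example."""
import hashlib
import hmac
import re

# Constructed production rows; any resemblance to real people is accidental.
CUSTOMERS = [
    {"id": 101, "email": "ana.lopez@example.com", "full_name": "Ana Lopez", "plan": "gold"},
    {"id": 102, "email": "b.singh@example.org", "full_name": "Bikram Singh", "plan": "basic"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 101, "customer_email": "ana.lopez@example.com", "amount": 42.5},
    {"order_id": 2, "customer_id": 102, "customer_email": "b.singh@example.org", "amount": 9.99},
    {"order_id": 3, "customer_id": 101, "customer_email": "ana.lopez@example.com", "amount": 120.0},
]

# Profiling rules (assumed): a column is classified by a name hint, or when
# at least half of its values match a pattern.
NAME_HINTS = {"name": "person_name", "email": "email"}
VALUE_PATTERNS = {"email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")}


def profile(rows: list[dict]) -> dict[str, str]:
    """Return {column: category} for columns that look like personal data."""
    found: dict[str, str] = {}
    if not rows:
        return found
    for col in rows[0]:
        values = [str(r[col]) for r in rows]
        for hint, category in NAME_HINTS.items():
            if hint in col.lower():
                found[col] = category
        for category, pattern in VALUE_PATTERNS.items():
            if sum(bool(pattern.match(v)) for v in values) * 2 >= len(values):
                found[col] = category
    return found


def token(key: bytes, category: str, value: str, length: int = 10) -> str:
    """Keyed, deterministic pseudonym: the same (category, value) gives the
    same output in every table and every refresh, and nobody can compute or
    test guesses for it without the key. 40 bits is enough for a demo; use
    the full digest at scale to avoid collisions."""
    mac = hmac.new(key, f"{category}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_value(key: bytes, category: str, value: str) -> str:
    """Format-preserving replacement so application validation still passes."""
    t = token(key, category, value)
    if category == "email":
        return f"user-{t}@masked.invalid"  # .invalid is reserved, never routable
    if category == "person_name":
        return f"Person {t[:6].upper()}"
    return t


def mask_table(key: bytes, rows: list[dict], columns: dict[str, str]) -> list[dict]:
    return [{c: mask_value(key, columns[c], str(v)) if c in columns else v
             for c, v in row.items()} for row in rows]


def mask_dataset(key: bytes, tables: dict[str, list[dict]]) -> dict[str, list[dict]]:
    """Profile every table, then mask all of them with one key, so a value
    that appears in two tables gets the same replacement in both."""
    return {name: mask_table(key, rows, profile(rows)) for name, rows in tables.items()}


def leak_check(source: dict[str, list[dict]], masked: dict[str, list[dict]]) -> list[str]:
    """Gate: no value from a profiled column of the source may survive
    anywhere in the masked copy. A regex scan alone cannot do this job,
    because a format-preserving fake email still looks like an email."""
    sensitive = {str(r[c]) for rows in source.values() for c in profile(rows) for r in rows}
    return sorted({str(v) for rows in masked.values() for r in rows
                   for v in r.values() if str(v) in sensitive})


def joins_hold(masked: dict[str, list[dict]]) -> bool:
    """Referential integrity: every order still resolves to a customer."""
    emails = {c["email"] for c in masked["customers"]}
    return all(o["customer_email"] in emails for o in masked["orders"])


def run(key: bytes = b"assumed-key-held-in-production-only") -> dict:
    source = {"customers": CUSTOMERS, "orders": ORDERS}
    masked = mask_dataset(key, source)
    return {"profile": profile(CUSTOMERS), "masked": masked,
            "leaks": leak_check(source, masked), "joins_hold": joins_hold(masked)}
```

Two points a practitioner should take from this. First, the tokens are pseudonyms, not anonymous values: whoever holds the key can regenerate them from the real data, so under GDPR the key has to stay inside the production security domain and must never ship with the masked copy; the price of "refresh anytime" with stable test fixtures is that the key has to be retained. Second, the gate compares the masked copy against the source rather than pattern-matching for emails, because a masking scheme that preserves format defeats a pattern-based scanner by design; the same comparison is what should fail the pipeline when someone loads a fresh, unmasked dump into a non-production environment.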

Page 22

But what is the value to your organisation?

Masking: We reduce the surface area for data leakage risk, by up to 80%, and support GDPR compliance. Note the distinction the Regulation draws: data anonymised so that the individual can no longer be identified falls outside GDPR (Recital 26), whereas pseudonymised data that could still be linked back, for example with a key held elsewhere, remains personal data; masked copies therefore need to be irreversible for the recipient to take non-production environments out of scope.

Faster Environments: By utilising AWS hosted environments, customers can build environments in ten minutes, as opposed to waiting days or weeks.

Faster Test Data: The framework can capture production data, obfuscate it and deploy it into an environment in under four minutes, as opposed to 8-hour dump and load times. Not to mention the 10-day lead time for requesting data!

Self Service: Our framework has self-service controls to break down data lead times and ensure compliance through end-to-end traceability.

Environment Visibility: Our delivery pipeline is fully configuration managed, so we can see who did what, and when, to satisfy regulatory controls and compliance needs.

Business Value Indicators

90% Faster (environments)

90% Faster (test data)

Self Service

Full Traceability

80% Less Risk

Up to 2% of global turnover or €10M, whichever is higher: the maximum fine for the lower tier of GDPR infringements (obligations such as data protection by design, security of processing and breach notification).

Up to 4% of global turnover or €20M, whichever is higher: the maximum fine for the higher tier (the basic principles, data subjects' rights and international transfers).

Get your house in order and your organisation will also avoid huge penalties!

By combining the powers of Continuum, Cloud and Delphix we help customers get compliant, whilst cutting cost and accelerating application delivery time to market.

Page 23

What have we spoken about today?

Regulation, regulation, regulation: We have covered the necessity for your organisation to comply with regulatory controls whilst providing insight into how DevOps can help with this.

GDPR Impact: We have covered the key elements of GDPR and its implications for organisations trading within the EU.

The DevOps Fightback: We have given substance to how DevOps can help you fight back against GDPR and become more agile in the process.

Privacy by Design: We have provided an overview of what an end-to-end “Privacy by Design” DevOps pipeline looks like.

Mask your data: Adam Bowen has demonstrated the power of Delphix’s data virtualisation & masking capability so that your organisation can remain GDPR compliant.

Page 24

What next for your organisation?

Please feel free to request a demonstration of Continuum or Delphix to understand how both solutions can help you address GDPR legislation, whilst adopting DevOps and the Cloud!

We are also working together to execute complimentary GDPR readiness workshops. Feel free to contact Ben or Adam to learn more.

If you want to learn more about GDPR, visit the Delphix website HERE

Stay tuned for more joint webinars over the coming months. We are jointly developing a tightly integrated delivery framework. If you want to road test Delphix, you can now gain access to an engine on the AWS marketplace.

Please feel free to connect with either Ben or Adam on LinkedIn should you have some follow up questions. You can also email us: [email protected] [email protected]

Page 25

CLOSING THOUGHTS…..

Page 26

Accountable Empowerment - DevOps, Cloud & Data Agility

It is possible to kill three birds with one stone. By addressing regulatory and compliance controls, your organisation can accelerate delivery and unshackle itself from monolithic infrastructure and antiquated processes: implement an integrated DevOps pipeline such as Continuum, leverage cloud-hosted environments, and apply data masking with Delphix to address GDPR.

Three Birds, One Stone... That one stone is the combination of Continuum, Delphix and AWS:

A fully integrated, cloud-ready Continuous Delivery pipeline that is highly secure in AWS.

A virtual data & masking solution that enables data agility without adding risk to your organisation.

[Diagram: Transformation, Regulation & Compliance; Continuous Delivery for Consistent Environments; Data Masking for GDPR Coverage; DevOps, Data Agility and Cloud.]

Page 27

QUESTIONS?