How MongoDB can accelerate a path to GDPR compliance
Download as PPTX, PDF2 likes2,439 views
The document outlines how MongoDB can aid organizations in achieving compliance with the GDPR (General Data Protection Regulation) by detailing key requirements and roles, such as data subjects and controllers, and how MongoDB's features align with these demands. It emphasizes the need for explicit consent, data protection by design, breach notifications, and other compliance factors, along with case studies that demonstrate successful implementations. Additionally, it highlights the ongoing responsibilities of businesses to adapt their data practices in accordance with GDPR regulations.
![Set schema and search for out of compliance
Find compliant docs:
db.orders.find({
$jsonSchema : {<schema-here>}
});
Find non-compliant docs:
db.orders.find({
$nor : [
{$jsonSchema:{<schema-here>}}
]
});](https://image.slidesharecdn.com/mongodbgdprnasignarvaez2018-03-28-180328190304/85/How-MongoDB-can-accelerate-a-path-to-GDPR-compliance-22-320.jpg)
How MongoDB can accelerate a path to GDPR compliance
- 1. How MongoDB can accelerate a path to GDPR compliance Sig Narváez Principal Solutions Architect [email protected] @SigNarvaez
- 2. Agenda • GDPR Overview • GDPR Privacy Requirements • What does it mean for US companies? • Data Management Impacts • Case Studies • Ovum research • Resources and Next Steps
- 3. Disclosure For a full description of the GDPR’s regulations, roles, and responsibilities, it is recommended that readers refer to the text of the GDPR (Regulation (EU) 2016/679), available from the Official Journal of the European Union, and refer to legal counsel for the interpretation of how the regulations apply to their organization.
- 4. GDPR Rationale • How safe is your personal data? • How is personal data used by the organizations we choose to share it with? • Damage our reputations • Deny us access to the healthcare or financial services • Discriminate against us • Reduce our autonomy, freedom, individuality CyberSecurity Ventures Fortune, November ‘15
- 5. View from Gartner, July 2017
- 6. What is the GDPR? • EU General Data Protection Regulation 2016/679 • Enshrines protection & privacy of EU citizen data as a human right • Governs how organizations collect, store, process, retain, and share the personal data of EU citizens • Applies globally • If you process data in the EU, or data about the EU • Enforced from May 25th 2018 • Fines of up to €20m, or 4% of global revenue, whichever is higher for Major Incidents, and €10m, or 2% for Minor incidents
- 7. Why is GDPR Necessary? • Replaces Data Protection Directive 95/46/EC, enacted in 1995 • Implementations varied across EU member states • Technology has moved on MASSIVELY • Global reach • Expands the scope of “personal data”
- 8. The Increased Scope of Personal Data • PII as defined by the NIST: Any information that is linked or linkable to an Individual Linked: Full Name, SSN, Drivers License, … Linkable: Job Position, Age Group, … • Non PII: Data that cannot be used on its own to trace, or identify a person Device ID’s, IP Addressed, Cookies, … PII Non PII
- 9. GDPR Article 4 (clause 1) PD PII Non PII PD definition includes anything that can uniquely identify an individual, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual. US-based companies: Storing non-PII data per US definitions could be considered PD data per GDPR definition The Increased Scope of Personal Data
- 10. Key GDPR Demands • Explicit consent (not by default): what, how long, who with? • Additional permission if processing beyond purpose of original consent • Data protection & privacy by design, by default • Right to be forgotten • Right to review automated decisions • Breach notification within 72 hours • Review data at any time, portability between service providers • Applicable to any organization processing EU citizen data
- 11. Key GDPR Roles & Definitions • Data Subject: EU citizen • Data Controller: organization collecting the data • Data Processor: employee or contractor with access to personal data • Data Protection Officer: employed by an organization to oversee implementation, answerable to Supervisory Authority • Supervisory Authority: EU member state (28) body overseeing GDPR implementation Data Breach, defined by the GDPR “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
- 12. Mapping GDPR to Required Data Platform Capabilities
- 13. What’s Needed for Compliance? What compliance isn’t…. • Turn on a bunch of database security controls • BOOM…we’re done!
- 14. What’s Needed for Compliance? What compliance isn’t…. • Turn on a bunch of database security controls • BOOM…we’re done! What compliance is… • People • Roles, responsibilities, accountability • Process • Business practices • Product • Technologies to implement controls Together they accelerate the path to compliance
- 15. GDPR Data Protection Requirements DISCOVER DEFEND DETECT Identify all PD in your systems Implement appropriate security controls Monitor to identify suspicious behavior, remediate gaps
- 16. Discover Defend Detect Identify Personal Data Access Control Monitor & Report Implement Retention Policies Pseudonymisation & Encryption Audit Resilience & DR Logging Data Sovereignty / locality Mapping Required Capabilities to GDPR
- 18. Discover Identification of Personal Data Data Protection Impact Assessment GDPR Article 35 (clause 1) “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
- 19. MongoDB Compass The GUI for MongoDB • Visualize & explore your schema with an intuitive GUI • Gain quick insights about your data with easy-to-read histograms • Build queries with a few clicks • Drill down to view individual documents in your collection • Rich query language and secondary indexes for deep discovery
- 20. Data Governance: Document Validation Data Governance and Agility of Dynamic Schema 3.2 Document Validation Rules • Field-level rules beyond basic types and lengths • Tunable: enforce rules, log warnings, or allow • Partial document validation – enforce subset of fields 3.6 Full JSON Schema support • Extends to full document validation • $jsonSchema can also be used to query for documents outside compliance of full schema
- 22. Set schema and search for out of compliance Find compliant docs: db.orders.find({ $jsonSchema : {<schema-here>} }); Find non-compliant docs: db.orders.find({ $nor : [ {$jsonSchema:{<schema-here>}} ] });
- 23. Discover Retention of Personal Data “Information to be Provided” GDPR Article 13 (clause 2a) “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.”
- 24. Automatic Data Erasure: Time to Live (TTL) Indexes • Automates the expiry of data from the database • Define TTL index against a date field, specify the expiration period • Background process deletes the document once retention period expires • Simplifies enforcement, with lower overhead
- 25. Manual Data Erasure • MongoDB allows modifying the shape of any document, at any point in time. $unset operator deletes a particular field • Removing complete documents .deleteOne() and .deleteMany() • Remove complete collections or databases collection.drop() db.dropDatabase()
- 27. Defend General Security Requirements “Security of Processing” GDPR Article 32 (clause 1) “….the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a. the pseudonymisation and encryption of personal data; b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
- 28. Access Control of the Data Authentication • Challenge/Response • x509 certs, Kerberos • LDAP Authorization • Role-Based Access Control • User Defined Roles
- 29. Access Control of the Clusters Ops Manager Cloud Manager Atlas • Authentication • Challenge/Response, 2FA • LDAP (Ops Manager) • Authorization • RBAC • Organizations / Teams / Projects
- 30. Defend Pseudonymisation & Encryption “Security of Processing” GDPR Article 32 (clause 1) “…. shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…: a. the pseudonymisation and encryption of personal data;” “Communication of a Personal Data Breach to the Data Subject” GDPR Article 34 (clause 3a) Communication of a breach to a data subject is not required if the data is rendered unintelligible, i.e. via encryption
- 31. Pseudonymisation: Read-Only Views • MongoDB allows administrators to define views that expose a subset of data from the underlying collection • Exclude or mask fields • Reduces risk of sensitive data exposure • Views do not affect source collections • Separately specified permissions levels
- 32. Encryption: In Motion & At Rest • End to end data encryption • Data in motion, TLS encryption • Data at rest in persistent storage and backups
- 33. Defend Resilience & Disaster Recovery “Security of Processing” GDPR Article 32 (clause 1) “…. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including …: b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;”
- 34. Resilience: Replica Sets • Data to be distributed across multiple independent nodes, no SPOF • Replica set – 2 to 50 copies • Self healing • Data center awareness • Replica sets address: • Always-on availability & disaster recovery • Data durability, consistency • Maintenance (e.g., HW swaps) • Workload isolation Application Driver Primary Secondary Secondary Replication
- 35. DR: Backup with Point-in-time Recovery • Continuous backups, minimizing exposure to data loss • Cluster-wide snapshots of sharded clusters • Restore to precisely the moment you need, quickly and safely with point-in- time restores • Automation-driven restores • Queryable and Encrypted Backups
- 36. Defend Sovereignty: Data Transfers Outside of the EU GDPR Article 45 (clause 1) “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”
- 37. MongoDB Zones • Partition data across distributed clusters based on data locality policies • Adhere to data sovereignty requirements • If policies change, update the sharding metadata (zones, ranges) and data is automatically migrated between shards • Configure visually from MongoDB Ops / Cloud Manager
- 39. Detect Monitoring &Alerting “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority....” “Notification of a Personal Data Breach to the Supervisory Authority” GDPR Article 33 (clause 1)
- 40. Monitoring & Alerting • Over 100+ database-related metrics • Visualized across charts and dashboards • Custom alerts so incidents do not become emergencies: pushed to collaboration & management platforms • Push telemetry data via API into APM platforms
- 41. Detect Auditing “....Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility” “Data Protection by Design and by Default” GDPR Article 25 (clause 2)
- 42. Auditing • MongoDB Enterprise Advanced audit log records all actions taken against the database • Configurable filters (commands, IP, etc) & role-based auditing
- 43. Reacting to Changes: Change Streams • Listen for changes in data • Configurable filters • Control passed to application layer • Workload Isolation: Run against secondary Node • Security best practices ChangeStreamsAPI Business Apps User Data Sensors Clickstream Real-Time Event Notifications Message Queue Compliance Monitoring Solution
- 44. MongoDB Services “.... the appropriate data protection training to personnel having permanent or regular access to personal data” “Binding corporate rules” GDPR Article 47 (clause 2n) • M310 Security Course • M102 for DBA’s • M103 & M122 - Cluster Administration • MongoDB University public & private training • MongoDB Global Consulting Services
- 45. Case Studies
- 46. Digital Transformation with MongoDB UK’s Leading Commercial Property Data Service Drives GDPR readiness Problem Why MongoDB Results Problem Solution Results Need to develop a new platform for the company to move from traditional print media to a digital business delivering market intelligence and tools across multiple online channels Monolithic application architecture and rigid relational database prevented IT team pushing new updates any more than once per month Moved to MEAN stack powered by a microservices-based architecture in the cloud MongoDB Enterprise Advanced for access to advanced security and support MongoDB Encrypted Storage Engine to support GDPR readiness GDPR readiness with a much more agile data platform Supports 50x more releases per month, with always on availability Transformed business: now digital is driving revenue growth
- 47. Better prepare for GDPR with DBaaS Ensure data gathered from Exercise Equipment (IoT) complies with regulations Problem Why MongoDB Results Problem Solution Results Gather data from exercise equipment (commercial and residential). Data collected at second-level granularity Desired data storage in EU to assist with GDPR compliance. Existing MongoDB DBaaS provider did not offer the cross-region replication required to enforce data locality. Analytics via Workload Isolation also required. Migrate from existing DBaaS to MongoDB Atlas. Enabled Cross Region Replication. Enabled read-only nodes and BI Connector as-a-service to unlock real time analytics and insights against the data. GDPR readiness with a much more agile cloud-agnostic data platform putting data where they need it. Enable business insight with self- serve Analytics. Multinational Manufacturer & Distributor of Exercise Equipment (IoT). USA Subsidiary.
- 48. Encryption At-Rest for GDPR Adopted MongoDB Enterprise Advanced for advanced security Problem Why MongoDB Results Problem Solution Results Using MongoDB Community and 3rd party Support provider. Access to Enterprise tools and advanced encryption not available. 3rd party options added cost and complexity. Encryption At-Rest required for GDPR compliance. Adopted MongoDB Enterprise Advanced for advanced security and first-class service. Enabled Encryption At-Rest Storage Engine with ability to rotate keys as required and integrate with 3rd party KMS solutions. Encryption At-Rest adds to GDPR readiness. Strategic relationship with OEM of data platform: MongoDB Inc. Leading cloud-based identity platform. Provides SSO for various platforms and identity providers
- 49. Wrapping Up
- 50. Discover Defend Detect Identify Personal Data • MongoDB Compass • Expressive Queries & Analytics • Document Validation • JSON Schema Access Control • Authentication (i.e. LDAP, Kerberos) • Authorization (RBAC) • IP Whitelisting & VPC Peering • Organizational Controls for Cluster Access Monitor & Report • Real-Time Alerting Personal Data Retention • TTL Indexes Pseudonymisation & Encryption • Read-Only Views • Log Redaction • TLS/SSL Network Encryption • Encrypted Storage Engine Audit • MongoDB Audit Log • Change Streams Resilience & DR • Replica Sets • MongoDB PIT Backup & Recovery • Queryable and Encrypted Backups Data Sovereignty • MongoDB Zones MongoDB University, Training & Global Consulting How MongoDB Supports GDPR
- 51. MongoDB Atlas and GDPR Compliance is an on-going process and a shared responsibility • Cloud-Agnostic • Uses GDPR-compliant cloud providers • SOC2 Type 1 Certified • https://aws.amazon.com/compliance/gdpr-center/ • https://cloud.google.com/security/gdpr/ • https://www.microsoft.com/en-us/TrustCenter/CloudServices/Azure/GDPR
- 52. Ovum Consulting and Research • “Developer productivity is the engine that drives the outcomes of digital transformation initiatives” • “MongoDB challenges the notion that safety prevents progress” • Whitepaper highlights most of the features we covered today • www.mongodb.com/collateral/mongodb-takes-steps- toward-governance-in-the-era-of-gdpr
- 53. Next Steps Download the whitepaper Refer to your legal counsel for GDPR advice Engage MongoDB Consulting THANK YOU!