International businesses have to address compliance to the new European Global Data Protection Regulations (EU GDPR) before May 2018. If you are deploying data initiatives, such as a new big data project, and need to address EU GDPR, you can take the opportunity to simultaneously tackle both data security and compliance.
All regulations related to data privacy and security rely on the fundamental principle of least-privileged access along with the right to access data only on a need-to-know basis. This requires you to know the specific data being requested, who is trying to access it, and what for—information that informs you whether the access should be granted or denied. In either case, the request would be logged to support any behavior or security analysis.
EU GDPR adds additional constraints, such as explicit consent required to collect personal data, the right to be forgotten, and a broad classification of personal data. Further, requirements for compliance will continue to be revisited as each EU member defines the specifics for its own country.
Drawing on numerous examples that have been deployed by BlueTalon customers around the world to address a variety of regulations and keep their data safe, Eric Tilenius explains how consistent visibility and control at a granular level across data domains can address both security and GDPR compliance. Addressing evolving requirements requires flexibility. An ideal approach is to start from the most granular elements to be regulated, collect all available parameters and attributes that might define the interaction with the data, and codify policies that can make dynamic use of these parameters.
The above naturally results in a model where you can track data elements down to the most granular element that can be stored (cell or partial cell in SQL, subfiles in filesystems, and so on). Attributes or tags should be available as metadata to indicate the sensitivity of the data. On the application or user side, any number of attributes should be collected: role, group, division, location, location at time of query, security clearance, and more. Information on the session should also be dynamically used: time of the query, length of the data query session, amount of records requested during the session, and so on. With this level of detail, you can more easily create and evolved policies that will be any compliance requirements as they are built from the ground-up using dynamically any parameter available.
Eric Tilenius is CEO of BlueTalon, the leader in secure enterprise data integration across silos. Previously, Eric was an executive in residence at Scale Venture Partners, a general manager at Zynga, and CEO of two venture-backed startups— Netcentives (which he cofounded) and Answers.com, both of which had successful IPOs. He also held product management leadership positions at Oracle Corporation and Intuit and was a consultant with Bain & Company. Eric holds an MBA from Stanford University’s Graduate School of Business, where he was an Arjay Miller Scholar, and a bachelor’s degree in economics (summa cum laude) from Princeton University.
©2017, O’Reilly UK Ltd • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org