All posts by Michael Buckbee

Data Security: Definition, Explanation and Guide

What is Data Security?

Data Security is a process of protecting files, databases, and accounts on a network by adopting a set of controls, applications, and techniques that identify the relative importance of different datasets, their sensitivity, regulatory compliance requirements and then applying appropriate protections to secure those resources.

Similar to other approaches like perimeter security, file security or user behavioral security, data security is not the be all, end all for a security practice. It’s one method of evaluating and reducing the risk that comes with storing any kind of data.

Why Data Security?

If the Data Security process is just one of many different ways to structure your organization’s information security systems, what makes it better than competing methods?

Broadly speaking, most other security processes are “user-centric”: they focus on questions like:

  • Is this user allowed to access this data?
  • Is this person authorized to be on this network?
  • Is this person abusing system resources?

This is great and necessary, but it struggles with many real-world issues: large organizations have hundreds or thousands of servers with haphazardly applied permissions, antiquated user groups and gaps in knowing who is accessing what.

A data-centric security model is a practical way of approaching this from a different direction.

Data vs User Security Models

Imagine a scenario where a user on your customer service team places a spreadsheet containing customer Personally Identifiable Information like Social Security Numbers or other sensitive records onto a globally accessible shared folder.

User Centric Model: this isn’t a problem, everyone has the proper rights to access that file.

Data Security Model: this is a huge problem as sensitive information is now available to every intern, contractor or “coasting through their two weeks notice until they take a new job at your biggest competitor” employee with network access.

This scenario makes plain the big dependency of a Data Security approach: data classification.

What is Data Classification?

Data Classification is the technical term for knowing what data is held within any given file.

Classification is typically conducted along two different paths:

  1. File Types: certain files such as private SSH keys and PKI certificates are just inherently more sensitive.
  2. File Information: the actual data contained within the file.

File information is by far the more complicated of the two paths as it’s necessary to define what sensitive information “looks” like to the software application doing the classification.

In some cases, this is as straightforward as looking for certain tell-tale strings of data like: “password”, or “credit card” in a file, but more often it’s necessary to define patterns to be matched within a given file.

Regular Expressions

Regular Expressions are one of the primary ways that people communicate patterns to computer programs, so it’s no surprise that they are one of the key components of many classification systems used in data security practices.

US Social Security numbers have a distinct pattern of 3 digits, a dash, 2 digits, a dash followed by 4 digits.

123-45-6789

A regular expression to identify a Social Security Number within a document would be:
\d{3}-\d{2}-\d{4}\s

If the above looks like printable line noise to you, you are not alone. While a comprehensive review of Regular Expressions is beyond the scope of this article, we encourage you to at least get a feel for their use with one of the online Regular Expression editors, which are an easy way to get instant feedback on your knowledge.
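As an added illustration (example code written for this edit, not from the original article or from Varonis), here is a small Python classifier that runs both classification paths described above over a file: the file-type path (sensitive extensions and PEM private-key headers) and the file-information path (the article's SSN regex plus the "password" and "credit card" tell-tales). It also shows why the article's regex, with its trailing \s, misses numbers inside a CSV row, and how discarding SSN ranges that are never issued (area 000, 666 and 900 and above; group 00; serial 0000) trims false positives. The sample spreadsheet, the extension list and the sensitivity labels are constructed for the example and are not a standard.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# The article's pattern. Its trailing \s means an SSN followed by a comma,
# a quote or end-of-file is not matched, which is common in CSV exports.
ARTICLE_SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}\s")

# Tightened pattern: word boundaries instead of trailing whitespace, with the
# three groups captured so structurally impossible numbers can be discarded.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Tell-tale strings from the article, matched case-insensitively.
KEYWORD_RE = re.compile(r"\b(password|credit card)\b", re.IGNORECASE)

# "File type" path: extensions and content markers that are sensitive
# regardless of what else the file contains. This extension list is an
# assumption made for the example, not a standard.
SENSITIVE_EXTENSIONS = {".pem", ".key", ".p12", ".pfx", ".ppk"}
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop numbers the SSA never issues: area 000, 666 or 900-999,
    group 00 and serial 0000. Cuts false positives from part numbers
    and placeholder values that happen to have the 3-2-4 shape."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    kind: str   # "ssn", "keyword", "private_key" or "sensitive_extension"
    value: str  # what matched; SSNs are masked so the report is not itself PII
    line: int   # 1-based line number, 0 for file-level findings


def article_pattern_matches(content: str) -> int:
    """Count hits for the article's original regex, for comparison."""
    return len(ARTICLE_SSN_RE.findall(content))


def classify(filename: str, content: str) -> List[Finding]:
    """Run both classification paths over one file and return every hit."""
    findings: List[Finding] = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in SENSITIVE_EXTENSIONS:
        findings.append(Finding("sensitive_extension", ext, 0))
    if PRIVATE_KEY_HEADER.search(content):
        findings.append(Finding("private_key", "PEM private key header", 0))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding("ssn", "***-**-" + m.group(3), lineno))
        for m in KEYWORD_RE.finditer(line):
            findings.append(Finding("keyword", m.group(1).lower(), lineno))
    return findings


def sensitivity(findings: List[Finding]) -> str:
    """Collapse findings into a label a quarantine policy could act on."""
    kinds = {f.kind for f in findings}
    if kinds & {"ssn", "private_key"}:
        return "high"
    return "medium" if kinds else "public"


# Constructed sample: a CSV export like the shared-folder scenario above.
SAMPLE_SPREADSHEET = (
    "name,ssn,notes\n"
    "Alice Example,123-45-6789,support ticket\n"
    "Bob Example,666-12-3456,test account\n"          # 666 area is never issued
    "Carol Example,234-56-7890,credit card on file\n"
    "part-number 000-00-0000\n"                       # placeholder, not an SSN
)

if __name__ == "__main__":
    print("article regex hits:", article_pattern_matches(SAMPLE_SPREADSHEET))
    hits = classify("customers.csv", SAMPLE_SPREADSHEET)
    for f in hits:
        print(f"line {f.line}: {f.kind} {f.value}")
    print("sensitivity:", sensitivity(hits))
```

Run it directly to see the findings for the sample: the article's regex reports only the bogus placeholder on the last line (it is the only candidate followed by whitespace), while the tightened pattern finds the two real-looking numbers and skips the never-issued ones. In a real deployment the masked findings and the sensitivity label would feed the quarantine step described under Data Security Techniques.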

Data Security Techniques

The following are broad techniques used in the field of Data Security to improve security.

Stop Collecting Unneeded Data

The last decade of IT management has seen a shift in how data is considered. Previously it was an asset: having more data was almost always better than less as you could never be sure ahead of time what you might want to do with it.

Today, data is a liability. The threat of a reputation-destroying data breach, loss in the millions or stiff regulatory fines all reinforce the thought that collecting anything beyond the minimum amount of sensitive data is extremely dangerous.

To that end: review all data collection procedures. Document why each data point is needed from a business standpoint.

Purge Stale Data

Data that is not on your network is data that can’t be compromised. Put in place systems that track file access and automatically archive files that haven’t been accessed for years. In the modern age of near yearly acquisitions, reorganizations and “synergistic relocations” it’s quite likely that networks of any significant size have multiple forgotten servers that are kept around for reasons no one is quite sure of.

Quarantine Sensitive Files

Earlier, we described a common scenario where a file containing sensitive data was placed on a share open to the entire company. Systems that continually classify data and take preemptive action to move those files to a secure location are worth their weight in gold as they dramatically shorten the length of time that data is not under the proper control.

Track User Behavior against Data Groups

The general term for the problem plaguing rights management within an organization is “overpermissioning”: one-off, temporary projects or rights grants on the network rapidly become a baroque and convoluted web of interdependencies that results in users collectively having access to far more data on the network than they need for their role.

Systems that profile user behavior and automatically put in place permissions to match that behavior limit the potential damage that any one user (or a malicious attacker who compromises their account) can do.

Respect Data Privacy

Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper handling of data under your control. For more, read our Guide to Data Privacy.

Data Security Regulations: GDPR, HIPAA and SOX

Regulations such as HIPAA (healthcare), SOX (public companies) and GDPR (anyone who knows that the EU exists) are best considered from a data security perspective. While there are other aspects of them, at their core they require that organizations:

  • Track what kinds of sensitive data they possess
  • Be able to produce that data on demand
  • Prove to auditors that they are taking appropriate steps to safeguard the data

All of which fit not just comfortably within a data security mindset, but all but require it.

Practical Data Security

For companies that hold data and have security obligations due to GDPR or other regulatory requirements, understanding what data security means at Varonis will help you manage and meet data protection and privacy regulation requirements.

The mission at Varonis is simple: your data is our primary focus, and our data security platform protects your file and email systems from cyber attacks and insider threats. We’re fighting a different battle – so your data is protected first. Not last.

We continuously collect and analyze activity on your enterprise data, both on-premises and in the cloud. We then leverage five metadata streams to ensure that your organization’s data has confidentiality, integrity, and availability.

Users and Groups – Varonis collects user and group information and maps their relationships for a complete picture of how user accounts are organized.

Permissions – We add the file system structure and permissions from the platforms that we monitor, and combine everything into a single framework for analysis, automation, and access visualization.

Access Activity – Varonis continually audits all access activity, and records & analyzes every touch by every user. Varonis automatically identifies administrators, service accounts and executives and creates a baseline of all activity. Now you can detect suspicious behavior, whether it’s an insider accessing sensitive content, an administrator abusing their privileges, or ransomware like CryptoLocker.

Perimeter Telemetry – Varonis Edge analyzes data from perimeter devices such as VPNs, proxy servers and DNS, and combines this information with data access activity to detect and stop malware, APT intrusions and data exfiltration.

Content Classification – We then scan for sensitive and critical data, and can absorb classification from other tools like DLP or e-Discovery. Now we know where sensitive data lives and where it’s overexposed.

Data Privacy: Definition, Explanation and Guide

What is Data Privacy?

Data Privacy is the branch of information security dealing with the proper handling of data concerning consent, notice, sensitivity, and regulatory concerns. Practical data privacy problems often revolve around:

  1. Whether or how data can be shared with third parties.
  2. If data can legally be collected or stored.
  3. Regulatory restrictions such as GDPR, HIPAA or COPPA.

Data Security and Data Privacy: what’s the difference?

Data Security and Data Privacy are often used interchangeably, but there are distinct differences:

Data Security can broadly be thought of as protecting the data on your network from outsiders (and malicious insiders).

Data Privacy governs how the data is collected, shared and used.

Consider data that you consider to be solidly secured: it’s encrypted, access to it is restricted, and multiple overlapping monitoring systems are in place. In all meaningful senses of the word, the data is secure.

However, if that data was collected without proper consent that is a violation of data privacy and distinct from the actual security surrounding the data.

Data privacy revolves around making sure that that data is used in the correct manner.

Data Privacy Principles

Cavoukian, the former Information & Privacy Commissioner of Ontario, Canada says, “Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy, and solitude.” It is only through the freedom of play and experimentation that innovation and new ideas can emerge.

You don’t want to be the company described as creepy in the way that you leverage your customers’ personal data – whether it is with passive location tracking, apps secretly absorbing your personal address book, or websites recording your every keystroke.

Instead, employees should be regularly trained in security and privacy, so they understand the processes and procedures necessary to also ensure proper collection, sharing, and use of sensitive data.

Data Privacy Acts and Laws

Determining which data privacy acts and laws affect your data depends upon knowing where the data originated (country/state), what personally identifiable information it might contain and how it’s used.

Consider two different files on your network. The first contains a summary medical diagnosis of a minor living in Illinois (a US State with very strict medical and biometric regulations). The second is a Powerpoint file with summary charts of disease progression.

They both need to be secured. They are both about medical information. However, the first has many more potential data privacy regulations governing its handling than the second, due to the type of information that resides within it.

GDPR (General Data Protection Regulation)

EU citizens’ personal data is now protected by the GDPR. Among the many other GDPR Requirements, this includes:

  • Explicit opt-in consent
  • The right to request their data
  • The right to delete their data

You can think of GDPR as giving consumers certain rights over their data while also placing security obligations on companies holding their data. A particularly challenging aspect of the GDPR is the requirement to provide data you hold about the user to them on demand, as most organizations can’t actually search all their files. GDPR Compliance software (https://www.varonis.com/solutions/gdpr-compliance/) that classifies data, finds PII, etc. is almost mandatory.

HIPAA (Health Information Privacy and Portability Act)

Data privacy for health and medical information in the United States is covered by HIPAA – a data privacy regulation put in place to safeguard individuals’ personal health information.

Review the HIPAA Compliance: Guide and Checklist for more information.


The Difference Between E3 and E5 Office365 Features

Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and Office 365 products.

If you’re an enterprise that is concerned about data breaches, ransomware or insider threats, you would almost certainly want to upgrade your base (E3) Azure license to the slightly more expensive but worthwhile E5.

Note: It’s a licensing distinction, not a technical one, but the EMS E5 features listed below are the same as those you receive from Azure AD Premium P2.

Bluntly speaking, if you’re an organization large enough to have an actual IT department and not a “Julie in accounting is good with computers so she handles that stuff in her spare time” department, the base security and management options of Office 365 will not be sufficient.

How to get Detailed reports of Office 365 File, Email and Active Directory Permissions

If you’re accustomed to having detailed insight into your file sharing, email, and Active Directory permissions and activity, as Varonis customers are, the (lack of) default security functionality in the base Office 365 license will shock you.

The following feature lists are organized to help you make sense of the different native Microsoft Office 365 security tool capabilities available at each license level. These capabilities are actually provided by a number of different applications and services which are included with the different tiers, so there are varying degrees of cohesion and coverage with them.

In particular, if you need to secure both cloud and on-premises infrastructure, you should check out the additional capabilities added by Varonis (listed below).

E3 features NOT in the base license (ProPlus and E1)

Single Sign On

  • SSO across Office 365 + Azure services
  • Ability to develop apps to consume the SSO

Advanced Security Reporting

  • Auditing and Alerting

eDiscovery

  • Search, hold and export data held in the organization’s Office 365 stores

DLP

  • Access revocation
  • Prevent accidental sharing of sensitive information
  • View DLP Reports showing content that matches policies

E5 Features not in E3

Risk Based Conditional Access

  • Limit data access based on location, device, user state, and application sensitivity.
    • Limit a kiosk application to only run from designated workstations
    • Block outside access to BI apps
    • Enforce web applications only running on company hardware
  • Machine Learning based detection of suspicious patterns of data access.
    • Leverage larger Azure touchpoints for risk identification (brute forcing)
    • Identify abnormal data access patterns that might indicate malware
  • Contextual Multi-Factor Authentication challenges
    • Issue MFA requests to modify data (update email/password) in an app but don’t issue a challenge to view the data
    • Issue MFA challenge on a session / periodic (once per week) basis

Privileged Identity Management

  • Better overview of which users are assigned privileged and admin roles in Azure resources and Azure AD
    • Get a 10,000 foot view of who has the capability of making changes in your infrastructure
  • On-demand, just-in-time admin access for users
    • Grant and pull back admin rights for specific workflows
  • Administrator Assignment alerts
    • Find out when a new admin is added at 2:30am on a Saturday
  • Admin approval requirements for roles
    • Have the CTO/Director of IT approve new admin right grants
    • Audit + track admin right grants
  • Admin role auditing
    • Track what changes have happened with the admin group overall

Data Classification

  • Classify and label data based on sensitivity
    • Identify data in files that are potentially dangerous.
  • Carry label based sensitivity protection through the enterprise
    • As different systems interact with the data, you can restrict access, require MFA challenge, etc based on what classification label is applied.

Microsoft Cloud App Security

  • Monitor usage of SAAS apps on your network
    • Block Shadow IT SAAS apps
    • Enforce addition/removals from SAAS apps
  • Limit cloud app usage based on user, device and location
    • Better secure potentially weak SAAS apps

How to secure your move to Office 365 with Varonis

Moving from an on-premise to a hybrid environment with Office365 is inherently tricky. Make things easier on yourself by using Varonis to:

  1. Clean up your existing user accounts
  2. Lock down your current file permission and sharing strategy
  3. Skip moving stale and abandoned data to the cloud
  4. Quarantine sensitive information.

Post-move, Varonis lets you monitor your on-premises and Office 365 resources in a single unified view. Without that capability, it’s almost impossible to track lateral data movement through your environment without manually stitching together logs, which significantly increases your response time to a suspected data breach or other security event.

Enforcing Least Privilege

  • Allow data owners to manage permissions
  • Assign permissions based on historic usage
  • Model permissions structures before applying
  • Bidirectional view of permissions and permission sources

Detection

  • Get transparency into permissions views
  • Understand exactly who owns what
  • Fine grained rule definition and alerting
  • User Account Behavioral Identification (Users, Admins and VIPs naturally behave differently)

Regulations

  • Regulating bodies don’t care where the data is located, so you need to cover both cloud and on-premises storage, as well as the localities where your data is physically stored.

Get Started Securing Office 365

If you’re interested in seeing where your file permissions are open, your sensitive data exists and which administrator who quit three years ago still has access to your network, you should get a free risk assessment from Varonis.

GDPR Data Protection Supervisory Authority Listing

The DPA (Data Protection Authority) is the agency within each European Union country that is responsible for GDPR (General Data Protection Regulation) assistance and enforcement.

What’s the difference between a Data Protection Authority and a Supervisory Authority?

A Data Protection Authority handles reports of data breaches, mediates issues like data subject access requests and works to educate its country about best practices in keeping digital data secure. The Supervisory Authority is whichever Data Protection Authority has jurisdiction over a particular matter.

Because online services are so intertwined, it’s quite common to have situations where a German citizen’s data is being held by a French company.

Who should have jurisdiction over the matter? Should it be France’s Commission Nationale de l’Informatique et des Libertés (CNIL) or the German Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit?

The answer: it’s complicated (and in truth would rely upon some factors not presented in this extremely simplified example). However, whichever agency ends up with jurisdiction would be the DPA that was acting as the Supervisory Authority for the matter.

Why you need every DPA’s Contact Information

As either a data controller or data processor, you will be responding to requests for data from users of your system. Per Article 12 of the GDPR you may need to inform them of which supervisory authority they can escalate to if you exceed the initial 30 day grace period for a request.

Additionally, at the time of consent (when the user says “I do” to you collecting their personal information) you need to inform them of their right to lodge a complaint with a supervisory authority. This and other consent requirements are spelled out in Article 13.

Austria

Österreichische Datenschutzbehörde

Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
dsb@dsb.gv.at
http://www.dsb.gv.at/

Belgium

Commission de la protection de la vie privée

Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
commission@privacycommission.be
http://www.privacycommission.be/

Bulgaria

Commission for Personal Data Protection

2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Fax +359 2 915 3525
kzld@cpdp.bg
http://www.cpdp.bg/

Croatia

Croatian Personal Data Protection Agency

Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
azop@azop.hr or info@azop.hr
http://www.azop.hr/

Cyprus

Commissioner for Personal Data Protection

1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
commissioner@dataprotection.gov.cy
http://www.dataprotection.gov.cy/

Czech Republic

The Office for Personal Data Protection

Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
posta@uoou.cz
http://www.uoou.cz/

Denmark

Datatilsynet

Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Fax +45 33 19 32 18
dt@datatilsynet.dk
http://www.datatilsynet.dk/

Estonia

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Väike-Ameerika 19
10129 Tallinn
Tel. +372 6274 135
Fax +372 6274 137
info@aki.ee
http://www.aki.ee/en

Finland

Office of the Data Protection Ombudsman

P.O. Box 315
FIN-00181 Helsinki
Tel. +358 10 3666 700
Fax +358 10 3666 735
tietosuoja@om.fi
http://www.tietosuoja.fi/en/

France

Commission Nationale de l’Informatique et des Libertés – CNIL

8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
http://www.cnil.fr/

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
poststelle@bfdi.bund.de
http://www.bfdi.bund.de/
Germany splits complaints among a number of different agencies; to sort out which one applies, use:
https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

Greece

Hellenic Data Protection Authority

Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
contact@dpa.gr
http://www.dpa.gr/

Hungary

National Authority for Data Protection and Freedom of Information

Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400
peterfalvi.attila@naih.hu
http://www.naih.hu/

Ireland

Data Protection Commissioner

Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757
info@dataprotection.ie
http://www.dataprotection.ie/

Italy

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
garante@garanteprivacy.it
http://www.garanteprivacy.it/

Latvia

Data State Inspectorate

Director: Ms Daiga Avdejanova
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
info@dvi.gov.lv
http://www.dvi.gov.lv/

Lithuania

State Data Protection

Žygimantų str. 11-6a
011042 Vilnius
Tel. + 370 5 279 14 45
Fax +370 5 261 94 94
ada@ada.lt
http://www.ada.lt/

Luxembourg

Commission Nationale pour la Protection des Données

1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
info@cnpd.lu
http://www.cnpd.lu/

Malta

Office of the Data Protection Commissioner

Data Protection Commissioner: Mr Joseph Ebejer
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
commissioner.dataprotection@gov.mt
http://www.dataprotection.gov.mt/

Netherlands

Autoriteit Persoonsgegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
info@autoriteitpersoonsgegevens.nl
https://autoriteitpersoonsgegevens.nl/nl

Poland

The Bureau of the Inspector General for the Protection of Personal Data – GIODO
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 53 10 440
Fax +48 22 53 10 441
kancelaria@giodo.gov.pl; desiwm@giodo.gov.pl
http://www.giodo.gov.pl/

Portugal

Comissão Nacional de Protecção de Dados – CNPD

R. de São. Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
geral@cnpd.pt
http://www.cnpd.pt/

Romania

The National Supervisory Authority for Personal Data Processing

President: Mrs Ancuţa Gianina Opre
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 21 252 5599
Fax +40 21 252 5757
anspdcp@dataprotection.ro
http://www.dataprotection.ro/

Slovakia

Office for Personal Data Protection of the Slovak Republic

Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
statny.dozor@pdp.gov.sk
http://www.dataprotection.gov.sk/

Slovenia

Information Commissioner

Ms Mojca Prelesnik
Zaloška 59
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
gp.ip@ip-rs.si
https://www.ip-rs.si/

Spain

Agencia de Protección de Datos

C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200
Fax +34 91455 5699
internacional@agpd.es
https://www.agpd.es/

Sweden

Datainspektionen

Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
datainspektionen@datainspektionen.se
http://www.datainspektionen.se/

United Kingdom

The Information Commissioner’s Office

Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745
international.team@ico.org.uk
https://ico.org.uk

EUROPEAN FREE TRADE AREA (EFTA)

Iceland

Icelandic Data Protection Agency

Rauðarárstíg 10
105 Reykjavík
Tel. +354 510 9600; Fax +354 510 9606
postur@personuvernd.is

Liechtenstein

Data Protection Office

Kirchstrasse 8, P.O. Box 684
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
info.dss@llv.li

Norway

Datatilsynet

The Data Inspectorate
P.O. Box 8177 Dep
0034 Oslo
Tel. +47 22 39 69 00; Fax +47 22 42 23 50
postkasse@datatilsynet.no

Switzerland

Data Protection and Information Commissioner of Switzerland

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel. +41 58 462 43 95; Fax +41 58 462 99 96
contact20@edoeb.admin.ch

GDPR Requirements in Plain English

You just want to answer the question: “What do I need to do for GDPR?”

Maybe you’ve worked your way through a few online quizzes to test for GDPR readiness or skimmed an article that made some vague suggestions.

You might even have attempted to read the source text of the European Parliament’s General Data Protection Regulation (4.5.2016, L 119/1), only to find that the human nervous system was designed to violently reject exposure to such dense legalese.

Which is why we’ve translated every chapter and article of the GDPR into something a person might be able to reasonably understand and implement. If you need immediate assistance with your GDPR compliance, request a 1:1 Demo on how Varonis can help.

Get started below:

Chapter 1 – GDPR Basics

Article 1 – Who does the GDPR Apply to?

What it says

EU citizens’ data now has a variety of protections. If your organization has personal data of EU citizens, this applies to you.

So you should

If you’re in the EU, read the rest of this document and start working on your data protection processes.


Located elsewhere? Yes, The GDPR Will Affect You


Don’t believe me? Separate from any regulations, the GDPR is a very practical approach to how to handle all the different aspects of data security.


Even if you’ve personally determined that you don’t necessarily need to become compliant, you definitely need to protect your users’ data, and implementing the GDPR guidelines will help you improve that.

Article 2 – What Data does the GDPR Apply to?

What it says

This covers any file or database that has a person’s name or an ID in it.

So you should

Start tracking all of the data stores that are used in your company across marketing, research, customer service, support, etc.


GDPR Overview

Article 3 – What countries does the GDPR Apply to?

What it says

It doesn’t matter what country the hard drive containing the data is in, if it is about an EU citizen the GDPR applies.

So you should

Know where your data is located and where your marketing is occurring. Is your mobile app (even the free version) available in the European app markets? Did the new “growth hacker” hire decide to put $20 into a trial display ad that happened to include an EU country?


Learn more about GDPR Territorial Scope


Article 4 – What do these new terms we made up mean?

What it says

Personal Data – anything that you could conceivably use to identify a person within a larger group. This is likely broader than you think, as combining data points is also considered to be personal data: while being left-handed won’t necessarily single you out, being a left-handed male making between 30k and 60k who lives in the village of Shropshire on Lee may well.


Profiling – learning anything about a person’s preferences or inclinations. Seems mostly concerned with predicting behavior or future actions.


Controller – if you’re reading this, most likely this means you. It’s whoever decides what to do with the data that’s been collected. If you run a website that uses any marketing or analytics services you’re a controller.


Processor – typically this is any company that the controller tells to handle their data for any purpose. If you run a website and use Google Analytics, Google is the processor as they are acting at your direction.


So you should

Start making a list of all of the outside entities that you use for analytics, marketing or anything else within your company. Note: because humans are digital pack rats, make sure you include things like Box, Dropbox, GDrive or on-premises storage systems, as they’ll inevitably have files in them like “Top 10 most common support issues 2015” that are stuffed to the brim with people’s names and IDs.


You’ll also want to really start tracking down any external services used on your website, your web host, etc.; you don’t want to go through this exercise only to find out that your site backups are stored on an internet-accessible Pentium box running under someone’s desk.


A good example of this is how Paypal has listed the Category, Party, Purpose and what Data is disclosed to each partner: Paypal 3rd Party List

Chapter 2 – How to Implement GDPR

Article 5 – How to handle personal data

What it says

Personal data should be kept:

  • Accurate and up to date
  • Secured
  • Transparent about how it’s going to be used
  • Restricted to the minimum needed to do the job

So you should

  • Review what you’re doing with any collected data
  • Track where you received it
  • Get consent (opt in) for using it
  • Have a plan for deleting stale or out of date data

For stale unstructured files consider using an automated application like the Data Transport Engine to continuously purge dangerous data.

Article 6 – You should get consent for that data

What it says

Tell people what you are going to do with the data. Do that. Don’t do things with it other than that.

So you should

Educate your whole staff on what are and are not appropriate uses for collected data.


Provide a contact point and procedure for who to contact if violations are found.

Article 7 – How to prove you got consent

What it says

– Be able to prove consent was given for data
– Don’t bury the consent and usage info
– Use plain language and be specific
– Seriously, don’t use the data for things they didn’t consent to

So you should

– Update any email newsletter or contact forms with improved consent language and links to your online Privacy Policy and TOS
– Set up internal documentation linking data to what has been consented to
– Be prepared to prove that you have consent for your collected data

Article 8 – Kids can’t give consent

What it says

– Humans 16 years of age and older can give their consent
– Under 16? You’ll need their parent or guardian to give consent
– The “choose your date of birth” form used on things like mature movie trailers is probably not going to cut it.
– Not human? You have other problems than GDPR.

So you should

Add filters keeping out children and don’t track people until consent is given

Article 9 – What types of data are considered most sensitive

What it says

Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation.

So you should

Review the data you currently have on hand and make sure that none of these special categories of data exist and / or could be inferred from the data you control.

It’s important to also consider a seemingly innocuous data field like “hobbies” and what that might indicate about a person.

Article 10 – How to handle criminal data

What it says

Unless you’re working for a legal organization you shouldn’t keep any data regarding convictions, or offenses about a person.

So you should

If you’re one of those places doing “online criminal record checks” you should probably just shut down and open an Etsy store selling band posters.

Article 11 – How to handle data with no identification

What it says

If you can legitimately claim that you can’t track a person from the interaction – it’s ok to tell them and then not track them.

So you should

Consider something like an anonymous feedback box at a supermarket.

It’s data. It’s collected. But there’s no correlation with other sources or means of identification, so it’s ok to not get opt in consent.

Chapter 3 – People’s Data Rights

Section 1 – Don’t make things confusing

Article 12 – Be transparent about what you’re doing with data

What it says

Be honest with people and use plain language to describe what you’re doing with their data at the time you collect it.

If people ask for what data you know about them, don’t take longer than 30 days (from the request being made) to respond.

If people start trolling by making a crazy number of requests or other abusive actions, it’s ok to deny the request (within reason) or to charge a small fee for it to be completed.

If you think someone might be scamming by making a fake request on behalf of a legitimate person, it’s ok to ask them to prove their identity in another way.

Providing information to people along with standardized icons would be nice, just make sure they’re machine-readable.

So you should

Run any copy you write by a non-technical person (or professional copywriter) to see if it makes sense.

Consider checking with a tool like the BlaBlaMeter or WhiterRhino’s Marketing Detector Tool.

Have a procedure in place to handle people’s requests to have their data deleted or fixed (note the 30 day deadline).

Section 2 – What you need to tell people about what you’re doing

Article 13 – When you collect data from people, make sure you tell them these things

What it says

In your online forms (or anywhere you collect data from people), provide:

– Contact information for the company (and ideally the Data Privacy Officer)
– What you’re going to use the data for
– What categories of data you’re collecting
– How long you’re going to keep the data
– How to contact you about issues or to remove the data
– Whether the data is going to be used for profiling and, in general terms, the logic involved

You only need to do all this the first time; if they fill out a second form 30 seconds after the first, we can assume they haven’t forgotten it all yet.

So you should

Provide links to your Privacy Policy, TOS and GDPR communications page (which should include most of these points) at every form entry point.

Here are some good examples of GDPR communications pages:

– HotJar
– Facebook

Article 14 – You need to tell people what you’re doing even if you’re not collecting personal data.

What it says

All of the above should be available even if you’re not collecting personal information.

So you should

Same as above

Article 15 – What rights people have about their own data

What it says

– People are allowed to ask if you have their data and you need to respond whether or not you do.
– If you do have their personal data, you need to provide them on demand:
    – Why you have it
    – What categories of personal data you have
    – Who in your organization or third parties accessed it (in particular if they were in another country)
    – How long you plan on keeping their data
    – That they’re able to request to have their data deleted or fixed
    – The source the data was obtained from
    – That they have the right to lodge a complaint with the EU Commission if they’re displeased with your response.
– Unless something weird is going on, provide the data electronically
– Don’t compromise other people’s data while doing this

So you should

Be able to answer the questions listed here about the data you have on hand. In particular, the source, how long you have it and what steps to take if there are issues, errors or if they want it deleted.

If you haven’t already, pick an existing customer and run through the exercise of pretending they sent you a so-called nightmare letter that would fully exercise all of their rights under the GDPR.

Section 3 – Fixing and Deleting Data

Article 16 – People can ask you to fix their data

What it says

If someone identifies a problem with your data about them, you need to fix it.

So you should

Have a procedure in place to handle information update requests.

Article 17 – People can ask you to delete their data

What it says

If any of the following apply, you need to be able to remove their data from your system ‘without undue delay’, which, while they don’t come out and say it here, probably means within 30 days.

– They withdraw consent (aka they feel like it) and there’s not a legal reason to keep it
– Data has been unlawfully processed (used for a purpose beyond what it was intended for)

So you should

Have a procedure in place to handle data deletion requests.

This is generally described as the Right to Be Forgotten.

Article 18 – People can ask you to pause what you’re doing with their data

What it says

People can request that their data be kept, but not worked with, if that is what makes sense for a legal claim or while things are sorted out.

This is conceptually similar to a work stoppage on a construction site. Nobody is asking that you fill in the excavated foundation or pull out the pilings, but you can’t proceed with adding new floors or wiring the place up.

So you should

Have a procedure in place to handle data stoppage (pause) requests.

Article 19 – If you are making mass corrections to people’s data you need to tell them

What it says

If you have to do a bulk rectification, erasure or restriction (pause in processing) on user data, you need to inform them.

So you should

Be aware of scenarios that would escalate to this and require notice. For example, if a single person found an issue with your data collection that you then needed to perform on all of your data, you would need to notify all affected.

Article 20 – People can ask for their data to be exported in a nice format

What it says

People can request the data that you have about them.

The data should be machine readable (CSV, XLS, XML, JSON).

The data should be structured and the entire process automated if possible.

So you should

Start working on data export features to pull all of a user’s associated data out of your system and into an export format.

You need to handle unstructured data as well as data held in a database.

How to find GDPR data in Word, Excel, Exchange and Sharepoint
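Articles 15 to 20 all come down to “have a procedure in place”. As an added example (not code from the original post or from Varonis), here is a minimal Python sketch of such a procedure over an in-memory store standing in for two systems that hold personal data: it exports everything about one person as machine-readable JSON with the 30 day reply deadline attached, rectifies, restricts and erases their records, honours a legal hold, and keeps the audit trail Article 30 asks for. The table names, customer records and ids are constructed.

```python
import copy
import json
from datetime import date, timedelta

# Constructed stand-in for two internal systems holding personal data about
# the same customers (a CRM table and a support-ticket table). Not real people.
STORE = {
    "crm": [
        {"customer_id": 101, "email": "a.novak@example.com", "name": "Ana Novak"},
        {"customer_id": 102, "email": "b.okafor@example.com", "name": "Bola Okafor"},
    ],
    "tickets": [
        {"ticket_id": 9001, "customer_id": 101, "subject": "Login issue"},
        {"ticket_id": 9002, "customer_id": 101, "subject": "Invoice question"},
        {"ticket_id": 9003, "customer_id": 102, "subject": "Feature request"},
    ],
}

RESPONSE_DEADLINE_DAYS = 30  # Article 12: answer within a month of the request


class SubjectRequests:
    """Handles the data-subject rights from the article against an in-memory store."""

    def __init__(self, store):
        self.store = copy.deepcopy(store)
        self.restricted = set()   # Article 18: processing paused for these ids
        self.legal_hold = set()   # ids that must be kept despite an erasure request
        self.audit = []           # Article 30: what happened to whose data, and why

    def _log(self, action, customer_id, detail=""):
        self.audit.append({"action": action, "customer_id": customer_id, "detail": detail})

    def export_dict(self, customer_id, requested_on):
        """Articles 15/20: every record about one person from every table.

        requested_on is an ISO date string; the reply deadline is computed
        from it so the procedure tracks the 30 day limit automatically.
        """
        due = date.fromisoformat(requested_on) + timedelta(days=RESPONSE_DEADLINE_DAYS)
        payload = {
            "customer_id": customer_id,
            "requested_on": requested_on,
            "respond_by": due.isoformat(),
            "sources": {
                table: [r for r in rows if r.get("customer_id") == customer_id]
                for table, rows in self.store.items()
            },
        }
        self._log("export", customer_id)
        return payload

    def export_json(self, customer_id, requested_on):
        """Article 20: the same export in a machine-readable, structured format."""
        return json.dumps(self.export_dict(customer_id, requested_on), indent=2, sort_keys=True)

    def rectify(self, customer_id, table, field, value):
        """Article 16: correct a field in every record about the person in that table."""
        changed = 0
        for r in self.store[table]:
            if r.get("customer_id") == customer_id and field in r:
                r[field] = value
                changed += 1
        self._log("rectify", customer_id, f"{table}.{field}")
        return changed

    def restrict(self, customer_id):
        """Article 18: keep the data, but stop working with it."""
        self.restricted.add(customer_id)
        self._log("restrict", customer_id)

    def process(self, customer_id):
        """Routine processing has to honour the restriction flag before touching data."""
        if customer_id in self.restricted:
            raise PermissionError(f"processing restricted for customer {customer_id}")
        return [t for t in self.store["tickets"] if t["customer_id"] == customer_id]

    def erase(self, customer_id):
        """Article 17: remove every record unless there is a legal reason to keep it."""
        if customer_id in self.legal_hold:
            self._log("erase_refused", customer_id, "legal hold")
            return 0
        removed = 0
        for table, rows in self.store.items():
            keep = [r for r in rows if r.get("customer_id") != customer_id]
            removed += len(rows) - len(keep)
            self.store[table] = keep
        self._log("erase", customer_id, f"{removed} records removed")
        return removed


if __name__ == "__main__":
    handler = SubjectRequests(STORE)
    print(handler.export_json(101, "2018-05-25"))
    print("erased:", handler.erase(101), "records; audit:", handler.audit)
```

Unstructured files (the spreadsheet on the shared drive) are not covered by this kind of per-table lookup; that is where the discovery tooling linked above comes in.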


Section 4 – People can ask for human intervention in machine made decisions and opt out of being profiled

Article 21 – People can opt out of being profiled or being presented with filtered information

What it says

People can object to “profiling”, shaping content or what’s presented to them and request to be opted out.

So you should

Have an opt out system in place to stop remarketing, profiling, etc.

Article 22 – People can ask for a human to make a determination about themselves

What it says

People can opt out of entirely machine made decisions about themselves.

So you should

Have a system for manual review of automated processes and notifications in place.

Section 5 – Restrictions

Article 23 – Situations where this doesn’t apply

What it says

Individual countries can make laws that change these regulations for a bunch of cases like national security, etc.

So you should

You probably don’t have to worry about this if your job title isn’t “Minister of Security” or “Head of DHS”

Chapter 4 – Controller and Processor

Section 1 – What you need to do

Article 24 – What Controllers need to do

What it says

You need to document what you’re doing to comply with GDPR and be able to prove it in cases where it’s not self evident.

So you should

Keep a record of GDPR training, procedures, steps taken, etc.

Article 25 – Consider data protection and security before you do things

What it says

You shouldn’t collect more data than you need and what data you do collect you need to pseudonymise.

So you should

Educate your teams on privacy and data protection by design.

Check out the Privacy by Design Cheatsheet

and Pseudonymization as an Alternative to Encryption
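As an added example (not code from the original post or from Varonis), the following Python sketch shows what “pseudonymise and minimise” looks like in practice: direct identifiers are replaced with a keyed HMAC token, only the fields analytics needs are kept, and the token-to-email table that allows re-identification is produced separately so it can live under tighter access than the analytics copy. The customer records, field names and key are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for a CRM export; not real people. The duplicate row
# (same address, different capitalisation) shows one person -> one token.
CUSTOMERS = [
    {"email": "a.novak@example.com", "name": "Ana Novak", "country": "SI", "plan": "pro"},
    {"email": "b.okafor@example.com", "name": "Bola Okafor", "country": "IE", "plan": "free"},
    {"email": "A.Novak@Example.com", "name": "Ana Novak", "country": "SI", "plan": "pro"},
]

# Fields that directly identify a person; they never reach the analytics copy.
DIRECT_IDENTIFIERS = ("email", "name")
# The fields analytics actually needs (minimisation: keep no more than that).
ANALYTICS_FIELDS = ("country", "plan")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a normalised identifier.

    A plain SHA-256 of an email can be reversed by hashing a list of guessed
    addresses; with the key held apart from the data that needs the key too,
    and rotating the key yields a fresh token set unlinkable to the old one.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: Iterable[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Split records into an analytics copy and a separate re-identification table.

    analytics_rows: token plus ANALYTICS_FIELDS only (what the analytics team gets).
    lookup:         token -> email, to be stored apart from analytics_rows together
                    with the key, under the access controls applied to raw PII.
    """
    analytics_rows: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = rec["email"].strip().lower()
        row = {"subject": token}
        row.update({f: rec[f] for f in ANALYTICS_FIELDS if f in rec})
        analytics_rows.append(row)
    return analytics_rows, lookup


def contains_direct_identifiers(rows: Iterable[dict]) -> bool:
    """Release check: does any row still carry a direct identifier?"""
    return any(f in row for row in rows for f in DIRECT_IDENTIFIERS)


def reidentify(token: str, lookup: Dict[str, str]) -> str:
    """Map a token back to the person; only possible with the separate table."""
    return lookup.get(token, "")


def count_by(rows: Iterable[dict], field: str) -> Dict[str, int]:
    """Analytics still works on the pseudonymised copy (joins on the token do too)."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row[field]] = counts.get(row[field], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-it-out-of-the-analytics-store"
    rows, lookup = pseudonymise(CUSTOMERS, key)
    print(rows)
    print("plans:", count_by(rows, "plan"))
    print("re-identified:", reidentify(rows[0]["subject"], lookup))
```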

Article 26 – How to handle data sharing

What it says

If you’re sharing your data with another organization, you both need to agree who is responsible for what.

So you should

Get data sharing agreements in writing and clearly spell out responsibilities.

Article 27 – Do you need to hire someone who lives in the EU?

What it says

If you’re routinely collecting data (and for sure if it’s special category or criminal data) you need to designate a person in the EU as your representative for these matters.

So you should

Hire someone who resides in an EU country.

Article 28 – What Processors need to do

What it says

Services (Processors) that you (as the Controller) use need to be GDPR compliant.

They also aren’t allowed to put personal data into a non-EU data center or transfer it to another third party without your say so.

So you should

Make sure all the services you use are GDPR compliant.

Most services should now have some page on their website that indicates their GDPR compliance status. On your own GDPR compliance page you should list and link to theirs.

Article 29 – Processors can only do what they’ve agreed to do with data.

What it says

Services that have been given personal data for processing should only work with the data as instructed.

So you should

If you’re not a processor, this doesn’t apply to you. If you are, then don’t engage in any speculative cross customer analysis, sell the data for other purposes, etc.

Article 30 – You need to keep track of what you’re doing with data

What it says

You need to track what is happening with personal data across your organization and any services it goes to, including for what purpose.

If you have fewer than 250 employees and aren’t collecting data every day and aren’t dealing with special categories or criminal data, you don’t have to do this.

So you should

Figure out which data is sensitive, who can access it, and setup auditing so that you have a record of exactly what is happening to that data and can alert and investigate anything suspicious.

Article 31 – You need to cooperate if an authority asks you to

What it says

If your country’s supervisory authority asks to see your GDPR homework, you need to show them.

So you should

Be sure to document all of the steps you’re taking for GDPR compliance.

Perhaps more importantly, you need to handle complaints from people regarding their data seriously, as they may well escalate into fines and investigations.

Section 2 – Data security

Article 32 – Here’s the minimum you should do to keep your data secure

What it says

You should keep data secure.

– Encrypted at rest
– Ability to restore/recover from disaster
– Regular testing for security issues
– Take extra care to consider data breaches and consequences

So you should

Implement modern digital security methods.

– Secure Data Storage
– Entitlement reviews
– Data Breach plans

Article 33 – If you have a data breach, you need to notify the supervising authority

What it says

Once you become aware of a data breach (loss of data control) you have 72 hours to notify the [supervisory authority](https://www.varonis.com/blog/gdpr-data-protection-authority-supervisory-listing/)

So you should

Have a data breach response plan.

Have a method of reporting security issues internally.

Article 34 – If you have a data breach, you need to inform people

What it says

You need to tell people ‘without undue delay’ if their data has been breached.

This will likely be determined to be within 72 hours (matching the supervisory authority timeframe).

So you should

Have a data breach incident plan ready to go.

Have a method of notifying users.

Read the Guide to the EU GDPR Breach Notification Rule

Section 3 – Consider and document how what you do may affect data security

Article 35 – You should write up a data protection impact assessment before new projects

What it says

Before you bring on new services to deal with data, you should figure out what impact that will have on security in terms of what exactly they are going to do with the data, and in particular whether they’re going to do profiling/filtering based on the data.

So you should

Document what impact each new service might have on your internal data protection efforts.

Article 36 – You can ask for permission and guidance.

What it says

If you’re doing some kind of data processing that would put data at risk, you need to consult with the supervising authority beforehand.

They’ll give you a written response within 8 weeks. Fun.

So you should

If you’re doing something like releasing an “anonymized” dataset that may still have some privacy impacts, you should get prior approval from the supervising authority.

Section 4 – Data Protection Officer

Article 37 – You should designate a data protection officer

What it says

There needs to be a single point of contact within your organization who can field requests about GDPR related items.

So you should

You need to designate a Data Privacy Officer.

They should be a competent Infosec professional who can address concerns and has the tools to act on requests.

More reading:

– Do You Have to Hire a DPO?
– DPO Requirement

Article 38 – What the data protection officer should handle

What it says

The DPO needs to be involved with data processing tasks and taken seriously.

– They can do other tasks, as long as they don’t have a conflict of interest.

So you should

Many organizations already have a CISO (Chief Information Security Officer) and it’s likely that many CISOs will pick up DPO responsibilities as well.

Whatever the title, what’s important is that data privacy and security concerns are considered within whatever projects happen in your organization.

Article 39 – What the data protection officer should do

What it says

The DPO should advise the company on how to comply with the GDPR on an ongoing basis.

So you should

Don’t treat your DPO like a mushroom farmer.

Section 5 – Trade groups can create codes of conduct and certifications

Article 40 – What’s a Code of Conduct?

What it says

Industries should draw up codes of conduct describing how GDPR regulations should be implemented within a specific industry.

For instance, the Pan European Game Information association might issue a Code of Conduct describing how game developers should handle the data they collect about gamers. In the same way they make recommendations about video game content around language, violence, and age ratings, they could make recommendations about how user data should be handled.

This makes a lot of sense as what they’re doing has a very different relationship with personal data than other industries like aluminium smelting or car repair.

So you should

You should check if there are any codes of conduct that your trade organization has published.

Codes of Conduct are still being developed and for the time being appear to be voluntary. It is something to keep an eye on as that may change or compliance may become entwined with other industry certifications or requirements.

For instance, PEGI ratings are not required for new video games, but the vast majority of retailers won’t stock your game in their store without one.

Similarly, there may come a time when PEGI releases a Code of Conduct describing the data protection standards needed to meet certification.

Article 41 – Associations can monitor Codes of Conduct

What it says

Associations (like PEGI in the above example) may monitor organizations to see if they’re complying with their published Code of Conduct.

So you should

If a Code of Conduct is available in your industry the association has final say over whether or not you meet the requirements of it.

Article 42 – Associations can certify that people meet the Code of Conduct

What it says

Associations can establish certifications (a stamp of approval) that can be granted to organizations who meet the terms of the Code of Conduct.

So you should

Check if a certification is available for your organization.

Article 43 – Certifications need to be approved

What it says

Certification groups need to be approved by the supervisory authority.

So you should

Check if the certification you’re working towards has been approved by the supervisory authority.

Chapter 5 – How to handle transferring data out of the EU and GDPR

Article 44 – Generally you should get permission

What it says

You should get permission before transferring data.

So you should

Have a process in place for documenting data transmission actions and agreements.

Article 45 – Countries that aren’t in the EU but have their own GDPR like requirements

What it says

If the Commission says another country meets their rules, you don’t need permission to transfer there.

So you should

Check what countries are included before going through the transfer agreements.

Article 46 – You have to consider data safety in transferring data to another country

What it says

If you transfer data to another country it will need to have adequate data safety laws and guarantees.

So you should

Read the fine print on each country’s approach to data safety.

Article 47 – Non EU companies can create their own strict data handling rules to be GDPR compliant

What it says

If a company that is not in the EU wants to handle EU data they can create binding corporate rules that match the GDPR regulations.

If these are strictly followed then it could be ok to transfer data to them out of the EU.

So you should

If you are planning to work with a company outside of the EU/GDPR requirements, find out if they have corporate rules that could make them GDPR compliant.

Article 48 – How to handle international legal data disputes

What it says

If a judge orders data to be transferred it needs to not violate international law.

So you should

It seems odd to have to write this, but “don’t violate international law”

Article 49 – A fallback for when the country you’re trying to transfer to has no data rules

What it says

If there are no rules in the country you’re transferring data to, you need to at least get the user’s permission first (or have another good reason).

So you should

If you’re following the other directives to get user consent before taking action, you should be covered for this as well.

Article 50 – We would like countries outside the EU to work with us

What it says

Countries should get along.

So you should

Hope they do get along, it would make all of our jobs easier.

Chapter 6 – Supervisory Authorities (the agency that monitors GDPR within your country)

Section 1 – Independent Status

Article 51 – What a Supervisory Authority should do

What it says

Countries should monitor whether companies are paying attention to these GDPR rules.

So you should

You should find out what agency or division within your country is handling GDPR enforcement.

Article 52 – Supervisory Authorities shouldn’t have conflicts of interest

What it says

Supervising authorities shouldn’t take bribes or have conflicts of interest.

So you should

Refrain from bribing your supervising authority. This isn’t FIFA.

Article 53 – How to get a job working within a Supervisory Authority

What it says

The people in the supervising authority should be appointed by the government.

So you should

No need to run a political campaign, the people are appointed not elected.

Article 54 – Core Supervisory Authority rules

What it says

It’s up to each country to figure out the job requirements and terms for the people in the supervising authority.

So you should

Polish up that LinkedIn resume and start looking at the ads in the Economist for a hot new career in authoritative GDPR supervising.

Section 2 – Competence, Tasks and Powers

Article 55 – Competence

What it says

There’s a lot of technical details involved with GDPR (encryption, data storage and transfer). The people who have oversight on this should be able to understand the concepts at play in the field of data security.

So you should

Check out the Troy Hunt courses on Web Security Fundamentals, Computer Security and the GDPR attack plan.

Article 56 – Competence of the lead supervisory authority

What it says

Supervising authorities should handle issues that mostly happen in their own countries.

So you should

While the GDPR is EU wide, your interactions with it will most likely be with the supervising authority of your own country.

Article 57 – Tasks

What it says

If you’re a Supervisory Authority, you should hear complaints, promote data safety and be a force for good in the efforts of data safety and security.

So you should

There’s nothing you directly need to do with respect to this article, but I think it’s nice that they aspirationally added it anyway.

It at least gives me hope that the supervising authorities will do more than draconically enforce GDPR requirements.

Article 58 – Powers

What it says

Supervisory Authorities can issue warnings to companies, force companies to issue data breach notices, withdraw certification, and order the suspension of data flows.

So you should

If you’re in communication with your authority, they can cause your organization significant distress. Listen to them.

Article 59 – Activity reports

What it says

Every year you should publish a report to the public stating what actions you have taken.

So you should

You should do your best to keep your company off of this report.

Chapter 7 – Cooperation and consistency

Section 1 – Cooperation

Article 60 – Cooperation

What it says

Supervising Authorities should help each other out.

Article 61 – Mutual assistance

What it says

Supervising Authorities should share their information and requests with one another.

Article 62 – Joint operations of supervisory authorities

What it says

If an incident or investigation calls for it – supervising authorities should conduct joint investigations.

Section 2 – Consistency

Article 63 – Consistency mechanism

What it says

Hold onto something. We’re about to tell you how to cooperate.

Article 64 – Opinion of the Board

What it says

For specific issues like new requirements, criteria or corporate rules, these need to be approved by the Board.

Article 65 – Dispute resolution by the Board

What it says

The Board will handle disputes between SAs.

Article 66 – Urgency procedure

What it says

If some new technology or process is developed (like quantum brain data telepathy) that’s outside the bounds of current regulations, and it’s time sensitive, the SA can implement a new regulation without going through the Board.

So you should

Refrain from inventing any technologies that will disrupt the secure communications infrastructure and data storage of the world’s economy. AKA no practical quantum computing

Article 67 – Exchange of information

What it says

The Commission will figure out how to get supervising authorities to securely share information with each other later.

So you should

Find out if the Commission sorted out how to do this in a GDPR compliant manner.

Section 3 – European Data Protection Board

Article 68 – European Data Protection Board

What it says

There is now a European Data Protection Board (because we said so). Every country gets to pick one person from their supervising authority to be on it.

So you should

Find out who your country’s representative is and wish them luck with this new endeavor.

Article 69 – Independence

What it says

The Board is a strong independent Board that lives life on its own terms and doesn’t take guff from anybody.

So you should

Respect the Board.

Article 70 – Tasks of the Board

What it says

We’re going to make guidelines for your guidelines.

So you should

Read the guidelines.

Article 71 – Reports

What it says

Every year there will be a public report of our activities which will include practical suggestions and best practices.

So you should

Look for this report as when it comes out it could be genuinely useful and informative.

Article 72 – Procedure

What it says

Most votes wins for decisions, but if you want to change the rules you need a 2/3 vote.

So you should

Start lining up a super majority of representatives if you want to make substantive changes to the GDPR regulations.

Article 73 – Chair

What it says

There will be a chair and two deputies who are elected. 5 year term. 2 term limit.

So you should

Find out who the chair of the committee is and follow them on Twitter.

Article 74 – Tasks of the Chair

What it says

Hold meetings. Talk to the lead supervising authorities.

Article 75 – Secretariat

What it says

The secretariat will handle the day to day business.

So you should

Keep it firm in your mind that this is a serious and responsible position held by a respected individual within an august institution and not the horse that won the Triple Crown in 1973.

Article 76 – Confidentiality

What it says

Board business can be confidential if it’s sensitive.

So you should

Opt to not hack the Board. That would be in poor taste.

Chapter 8 – Remedies, liability and penalties

Article 77 – Right to lodge a complaint with a supervisory authority

What it says

Anyone can make a complaint to the supervising authority about any company that is in possession of their data.

The supervisory authority needs to take this complaint seriously and keep the person making the complaint updated on their investigation into the issue.

So you should

You don’t need to take any direct action with respect to this article, but it underlines one of the primary ways that you and your organization may come to the attention of your supervising authority.

In particular, you should note that it’s a requirement of your GDPR compliance that you inform and direct people to the supervising authority where they can make a complaint.

– Look up the Data Protection Authority in your country and note the others in case you’re contacted by one.

Article 78 – Right to an effective judicial remedy against a supervisory authority

What it says

Individuals can sue the supervisory authority if they feel that their complaint wasn’t appropriately handled.

So you should

This article is highly unlikely to affect you (as I can’t imagine a supervising authority reading this article for legal advice).

However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.

It’s explicitly writing in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it’s being used.

Article 79 – Right to an effective judicial remedy against a controller or processor

What it says

Users have a right to a “judicial remedy”

So you should

Involve your corporate legal counsel as you could be brought to court in parallel with or as an escalation from a complaint.

Article 80 – Representation of data subjects

What it says

Users can create a non profit legal entity to more effectively sue companies (controllers and processors) together in court.

So you should

Be prepared to get lots of class action lawsuit emails.

Article 81 – Suspension of proceedings

What it says

If a controller is being sued in another country the case in the starting country can be suspended.

So you should

Good luck to you if you’re a controller or processor embroiled in lawsuits in multiple countries simultaneously.

Article 82 – Right to compensation and liability

What it says

1. Who can receive compensation?

Anybody who had their data rights infringed (even if they weren’t directly harmed).

2. Who is liable?

Any controller or processor who messed up.

3. Any outs?

If you can prove that you were not in any way responsible (including negligence) then you’re stuck.

4. How is compensation split?

Where multiple entities are responsible, they are each responsible for the full payment.

5. Claim backs?

After a processor/controller has paid the user they can sue each other in court about who is really liable.

6. What jurisdiction is this?

The country you’re in.

So you should

Significant thought and weight has been put into the GDPR describing exactly how you and your organization are going to pay out fines.

The process greatly favors the individual raising a complaint against you.

Article 83 – General conditions for imposing administrative fines

What it says

Fines for violations shall be “effective, proportionate and dissuasive”.

Depending on how well you’ve been securing data and getting user consent this could be millions of dollars or 2% of your revenue.

So you should

Do all you can to comply with GDPR regulations, as this isn’t a light switch of fine/no fine.

It is a sliding scale that takes into account what you’re doing with the data, what controls are in place, documentation, processes, etc.

Article 84 – Penalties

What it says

Countries can add on fines above and beyond what is laid out here.

So you should

Limber up your checkbook.

Chapter 9 – Provisions relating to specific processing situations

Article 85 – Processing and freedom of expression and information

What it says

Supervising authorities can’t hinder journalists’, academics’ or artists’ freedom of expression with their rules (in general).

So you should

If you’re dealing with data that is generally in the public interest you should look more closely at your data handling procedures.

Article 86 – Processing and public access to official documents

What it says

Governments and entities still need to hold onto your information if it’s in the public interest.

So you should

Not expect to be able to get out of a parking ticket by invoking the Right to be Forgotten.

Article 87 – Processing of the national identification number

What it says

Each government needs to set rules on how its National ID is treated.

So you should

It’s not sufficient to just treat your own country’s ID information as personal and sensitive. You need to find and alert on the IDs from each EU country.

Article 88 – Processing in the context of employment

What it says

Governments can set more specific laws around employment data.

So you should

Employment data in your organization’s HR department may well be kept in a separate system than your user data. It has its own set of rules governing access and what needs to happen with it under GDPR.

Article 89 – Data kept in the public interest (for scientific or historical purposes) may be exempt

What it says

Archiving in the public interest can occur, but needs to be deliberately safeguarded.

So you should

It's unclear exactly how the limits of archiving in the public interest will be set.

But if you're doing work in a protected area it's likely that the supervisory authority will recognize that.

Article 90 – Spies have their own rules

What it says

Intelligence agencies get their own set of rules.

So you should

This article is highly unlikely to affect you (as I can't imagine a supervising authority reading this article for legal advice).

However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.

It writes in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it's being used.

Article 91 – Faith based exemptions

What it says

Religious institutions have some special exemptions.

So you should

If you’re a church, mosque or other religious organization, the existing privacy laws you operate under apply in addition to the GDPR.

Chapter 10 – Bureaucratic Legalese

Article 92 – Exercise of the delegation

What it says

This is all subject to change if we're ordered to do so.

Article 93 – Committee procedure

What it says

The Commission has a committee.

Chapter 11 – Final provisions

Article 94 – Repeal of Directive 95/46/EC

What it says

The old privacy and data regulations are out; GDPR is in.

Article 95 – Relationship with Directive 2002/58/EC

What it says

GDPR needs to fit in with these older regulations.

Article 96 – Relationship with previously concluded Agreements

What it says

Any one-off international agreements are dead. Long live GDPR!

Article 97 – Commission reports

What it says

Every 4 years the Commission will report on the status of the GDPR.

Article 98 – Review of other Union legal acts on data protection

What it says

There may be some inconsistencies with other legal acts. The Commission will work to smooth those out.

Article 99 – Entry into force and application

What it says

Judgement Day is May 25th, 2018.

This content is provided as general non-legal information and does not constitute individualized advice. Please consult with your legal advisors as to the particular implementation in your company.

How to use PowerShell Objects and Data Piping


This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).

The course has proven to be really popular as it walks you through creating a full Active Directory management utility from first principles.

What makes a PowerShell Object?

If there's one fundamental difference between PowerShell and the scripting languages that came before it, it's PowerShell's default use of Objects (structured data) instead of plain strings (undifferentiated blobs of data).

Consider something like a car. It has:

  • Colors
  • Doors
  • Lights
  • Wheels

These items that describe this particular object are called properties. Your car can also do things: it can turn left and right, it can move forward and back. These are the methods of the object.

Properties: the aspects and details of the object.
Methods: actions the object can perform.

What’s the PowerShell Pipeline?

PowerShell was inspired by many of the great ideas that make up “The Unix Philosophy” – most notable for us today are two points:

  1. Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new “features”.
  2. Expect the output of every program to become the input to another, as yet unknown, program. Don’t clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don’t insist on interactive input.

In practice, what these somewhat abstract points of philosophy mean is that you should create lots of small, purposeful PowerShell scripts that each do a particular task. Every time you go to put an If/Else, another flag, another bit of branching logic, you should ask yourself: “Would this be better as a separate script?”

An example: don’t make a script that downloads a file and then parses the downloaded data. Make two scripts:

  1. One that downloads the data – download.ps
  2. A second that handles parsing the data into something usable – parse.ps

To get the data from the download.ps to parse.ps you would “pipe” the data in between the two scripts.

How to find the Properties and Methods of a PowerShell Object

There are way too many aspects of even the simplest object in PowerShell to remember. You need a way to interactively find out what each object you encounter can do as you're writing your scripts.

The command you'll need to do this is the Get-Member cmdlet provided by Microsoft.

How To Use Get-Member

Get-Member
   [[-Name] <String[]>]
   [-Force]
   [-InputObject <PSObject>]
   [-MemberType <PSMemberTypes>]
   [-Static]
   [-View <PSMemberViewTypes>]
   [<CommonParameters>]

Get-Member helps reinforce an idea that I had a lot of difficulty grappling with in moving from bash to PowerShell scripting, that everything (literally everything) in PowerShell is an object. Let’s take a really simple example:

1. Use the Write-Output cmdlet to write some info into our PowerShell console.

Write-Output 'Hello, World!'

2. Assign that output to a variable called $string

$string = Write-Output 'Hello, World!'

3. Pipe the $string variable (that contains 'Hello, World!') to the Get-Member cmdlet

$string | Get-Member

You’ll get some output that looks like the screenshot below:

A list of properties and methods for this Object of type String. As the underlying data of the object changes, so do the responses of the methods and properties.

Some examples:

A string object of "Hello, World!" has a length (property) of 13
A string object of “Hello, People of Earth!” has a length of 24

Calling Methods and Properties with Dot Notation

All of the Methods and Properties of an Object need to be called with a type of syntax called “Dot Notation” which is just a fancy way of saying:

OBJECT.PROPERTY

Some examples:

$string.Length
13

Methods are invoked in the same way, but parentheses are added.

$string.ToUpper()
HELLO, WORLD!

$string.ToLower()
hello, world!

Neither of these methods takes any "arguments" – additional values passed in as parameters within the parentheses.

$string.Replace('Hello','Goodbye')
Goodbye, World!

The Replace method does: the first argument is what you're looking for in the string ('Hello') and the second is what you'd like to replace it with. Note that Replace is case-sensitive, so 'hello' would not have matched.

How to Make our Own PowerShell Objects

Our $string variable that we created was of Type System.String – but what if we wanted to create our own type of object instead of relying upon the built-in types?

1. Create HashTable

A hash table is a Key + Value datastore where each ‘key’ corresponds to a value. If you’ve ever been given an employee number at a job or had to fill out a timesheet with codes given to each company you’ll be familiar with the concept.

$hashtable = @{ Color = 'Red'; Transmission = 'Automatic'; Convertible = $false }

If you pipe this to Get-Member you’ll now get a different listing of methods and properties because it’s a different Type (it’s System.Collections.Hashtable instead of System.String).

2. Creating a PowerShell Custom Object

To transform this from a hashtable to a full-blown PowerShell Object, we'll use what's called a "type accelerator", pscustomobject:

[pscustomobject]$hashtable

When we run this and compare the results with what we had previously from Get-Member, you'll notice a wild difference. Gone are the generic methods and properties of a hashtable; instead you see the properties that you had specified (Color, Transmission and whether or not it was a Convertible).
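The string-versus-object distinction above, as an added example that is not from the original article: constructed authentication log lines are parsed into PSCustomObjects so that Get-Member shows our own properties and the results flow into Group-Object. The log lines, the ConvertTo-LogonEvent function and its field names are all constructed for this example.

```powershell
# Added example (not from the original article): why objects beat strings.
# Constructed sample lines, in the style of a plain-text authentication log.
$logLines = @(
    '2018-01-05 09:14:02 LOGON_FAILED user=alice src=10.0.0.12',
    '2018-01-05 09:14:09 LOGON_FAILED user=alice src=10.0.0.12',
    '2018-01-05 09:15:30 LOGON_OK     user=bob   src=10.0.0.40',
    '2018-01-05 09:16:01 LOGON_FAILED user=alice src=10.0.0.12',
    '2018-01-05 09:16:45 LOGON_FAILED user=carol src=10.0.0.77'
)

# As System.String objects, all these lines offer is text manipulation:
$logLines | Get-Member -Name Length, Replace

# Constructed helper: turn each line into a PSCustomObject with named properties.
function ConvertTo-LogonEvent {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $parts = $line -split '\s+'              # split on any run of whitespace
        [pscustomobject]@{
            Timestamp = [datetime]"$($parts[0]) $($parts[1])"
            Result    = $parts[2]
            User      = ($parts[3] -split '=')[1]  # "user=alice" -> "alice"
            Source    = ($parts[4] -split '=')[1]  # "src=10.0.0.12" -> "10.0.0.12"
        }
    }
}

$events = ConvertTo-LogonEvent -Lines $logLines

# Now Get-Member lists our own properties instead of String's methods:
$events | Get-Member -MemberType NoteProperty

# And the objects pipe straight into other cmdlets: failed logons per user.
$events |
    Where-Object { $_.Result -eq 'LOGON_FAILED' } |
    Group-Object -Property User |
    Sort-Object -Property Count -Descending |
    Select-Object Name, Count
```

The final pipeline reports alice with 3 failed logons and carol with 1, something that would take regular expressions and manual counting if the lines were left as strings.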

Getting Into the Pipeline

Some people get really hung up on what’s the difference between a script and an application. In general, scripts are small and do one very concise action. Applications are large (comparatively) and bundle together tons of features.

Consider the approach to exposing functionality in Microsoft Word versus how similar features would be presented as a series of scripts.

In Word, the word count is continually displayed in the status bar at the bottom of the editing window.

You can click it and get more detailed statistics (one of the many thousands of features in Microsoft Word).

In PowerShell scripting you’d use two separate cmdlets to achieve this functionality:

Get-Content will import a text file as an object (everything in PowerShell is an object) and Measure-Object will then collect statistics about that object for us.

Putting it together you’d have:

Get-Content c:\documents\myfile.txt | Measure-Object -Word

The `|` character in between the two commands is the “pipe” which indicates that instead of displaying the output of the Get-Content command in the PowerShell command window, it should instead pass that data to the next script (the Measure-Object cmdlet).

Now, you might be looking at this example and thinking to yourself: "That's a very convoluted way of finding out how many words are in a file", and you wouldn't be wrong. But the important thing to consider is that the scripting doesn't "care" what comes before the pipe.

Instead of importing a single file, maybe we’re writing a novel with 60 different chapters (one chapter per file), we could concatenate all of those files together and pipe the result to Measure-Object and get a word count for the whole book in one go.

How to Use the Pipeline

As a more practical example of using piping for sysadmin tasks, let us try to find and restart a service with PowerShell.

For this, we're going to be using two cmdlets: Get-Service and Restart-Service.

To start, we can walk through the steps as if we were doing everything manually.

First, let's look for the Windows Audio Service:

Get-Service -Name audiosrv

If you’re in PowerShell (look for the PS prompt) – you should get something that looks like:

And having found the service is present, we could then restart it.

Restart-Service -Name audiosrv

If we’re using pipelines, we could instead pipe the entire object into the Restart-Service cmdlet.

Get-Service -Name audiosrv | Restart-Service

The above is functionally the same but happens as a single command.

To extend this further, we can use the -PassThru parameter to keep passing the input object through each cmdlet.

Get-Service -Name audiosrv | Restart-Service -PassThru | Stop-Service

Through this, we're able to apply a number of commands to the same initial object.

Now for a more real-world example.

Pinging a Collection of Computers with PowerShell

To start, we have a number of computer hostnames (one per line) in a text file.

Your first instinct might be to try and directly pass the file to the Test-Connection cmdlet, like:

Get-Content -Path C:\Example.txt | Test-Connection

However, we still need to be cognizant of what type of object is being passed. The above passes each line of the file as a plain string, as if it were a chapter in a book, and Test-Connection is not sure what to do with it. We need to first format the file data into the expected shape.

To figure that out, we turn to the Get-Help cmdlet.

Get-Help -Name Test-Connection -Full

“Full” indicates that the parameter listings should include not just the names and usage, but also whether or not they accept pipeline input, and if they do, what format.

In the above screenshot, you can see the “Accept pipeline input?” is True and indicates that it accepts input via a Property Name (instead of an object).

The following will extract each line of the input file and transform it, via the pscustomobject type accelerator, into an object with a ComputerName property (as required by the Test-Connection cmdlet).

Get-Content -Path C:\Example.txt | ForEach-Object { [pscustomobject]@{ComputerName = $PSItem} } | Test-Connection
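Here is an added example (not from the original article) showing why the [pscustomobject] wrapper works: a small advanced function, Test-HostInventory, stands in for Test-Connection and declares its ComputerName parameter as ValueFromPipelineByPropertyName. The function, the hostnames and the inventory list are constructed so that it runs without network access.

```powershell
# Added example (not from the original article): how ByPropertyName binding
# works. Test-HostInventory is a constructed stand-in for Test-Connection; it
# checks names against a constructed asset inventory instead of pinging them.
function Test-HostInventory {
    [CmdletBinding()]
    param(
        # Bind from any pipeline object that carries a ComputerName property,
        # the same way the real Test-Connection -ComputerName parameter does.
        [Parameter(ValueFromPipelineByPropertyName)]
        [string[]]$ComputerName
    )
    begin {
        # Constructed inventory: hosts we expect to see on the network.
        $known = @('dc01', 'fs01', 'web01')
    }
    process {
        foreach ($name in $ComputerName) {
            [pscustomobject]@{
                ComputerName = $name
                InInventory  = $known -contains $name.ToLower()
            }
        }
    }
}

# The same metadata Get-Help -Full shows under "Accept pipeline input?":
(Get-Command Test-HostInventory).Parameters['ComputerName'].Attributes |
    Where-Object { $_ -is [System.Management.Automation.ParameterAttribute] } |
    Select-Object ValueFromPipeline, ValueFromPipelineByPropertyName

# Constructed stand-in for the lines of C:\Example.txt (one host per line).
$hostLines = @('dc01', 'web01', 'rogue-laptop')

# Plain strings have no ComputerName property, so parameter binding fails:
try {
    $hostLines | Test-HostInventory -ErrorAction Stop
} catch {
    "Binding failed as expected: $($_.Exception.Message)"
}

# Wrapping each line in an object with a ComputerName property fixes it:
$hostLines |
    ForEach-Object { [pscustomobject]@{ ComputerName = $PSItem } } |
    Test-HostInventory
```

The last pipeline returns one object per host, with InInventory false for the constructed 'rogue-laptop' entry; swapping Test-HostInventory for Test-Connection gives the article's original command.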

Next Steps with PowerShell

Want to learn more? Use unlock code ‘blog’ for free access to the full PowerShell and Active Directory Essentials video course.

How To Get Started with PowerShell and Active Directory Scripting


Build a Full PowerShell Utility

This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).

The course has proven to be really popular as it walks you through creating a full Active Directory management utility from first principles.

Coding With PowerShell

It can be hard to get started with PowerShell, especially if over the years you’ve become accustomed to working with the cmd.exe command line or batch files. In this article (based on Lesson 2 of our PowerShell and Active Directory course), we’ll cover how and why you should upgrade your skills to PowerShell and the fundamentals of launching the PowerShell editor, command completion and how to get always up to date help and examples.

Running Commands

The PowerShell console is an interactive console that enables you to run various commands in real time. There’s no need to edit a script in Notepad and then run it separately, a big time saver.

If you're in any organization that's been around for any length of time, you've probably already got some smaller scripts, bat files, or procedures that you run from the cmd.exe command line. Great news! You can invoke all of that from within PowerShell. This was a deep design decision on the part of Microsoft, as they were trying to make the transition as easy as possible for sysadmins.

In appearance, the PowerShell editor looks and functions just like the cmd.exe command prompt environment. The utilities and skills you already know will work within PowerShell right now with no modification. If you’re working on making the transition from one-off tasks to enabling a more automated network, getting in the habit of firing up PowerShell instead of the command prompt is a good way to start.

All of your often-used utilities like ping, ipconfig, dir, etc. will work exactly as you've come to expect.

How to Find PowerShell Commands

People love PowerShell because it’s so, well, powerful. But that power comes from an absolutely insane amount of complexity. It’s just not feasible or practical for someone to memorize all of the different commands, cmdlets, flags, filters and other ways of telling PowerShell what to do.

Thankfully, built right into the editor are multiple tools to help you deal with this fact.

Tab Completion

There's no need to memorize all of the different commands or the exact spelling of a command. Type

get-c

into the editor and hit the TAB key – you'll cycle through all the commands beginning with what you had input so far. This works at any section of the command you're trying to invoke: the name (as shown below), but also flags and paths that you're manipulating to get your desired outcome.

Get-Command

While tab completion works well, what happens if you don’t know the name of the command you’re looking for? In that case, you’d use a command for finding other commands: Get-Command.

In searching for commands, it’s important to keep in mind that there’s a syntax to them: VERB-NOUN. Typically the verbs are things like Get, Set, Add, Clear, Write and Read and the Nouns are the files, servers, or other items within your network and applications.

Get-Command is a discovery tool for exploring the commands available on your system.

PowerShell’s Command Syntax

Someone once described the Perl scripting language as looking like “executable line noise” – an incredibly useful tool with a wildly opaque syntax and a correspondingly high learning curve.

While not quite to that level the traditional command prompt in Windows isn’t too far off. Consider a common task like finding all the items in a directory whose names start with the string ‘Foo’.

CMD: FOR /D /r %G in ("Foo*") DO @Echo %G

  • FOR and DO indicate that it's a loop.
  • The /D flag indicates this is for Directories.
  • The /r flag indicates "Files Rooted at Path".
  • The pattern that defines the set of files to be looped over is designated with "in".
  • @Echo instructs the script to write out the result of each loop, and finally
  • %G is the "implicit parameter" and is chosen because earlier developers had already used the pathname format letters a, d, f, n, p, s, t, and x. So, starting with G is traditional as it gives you the largest set of unused letters for returned variables (G, H, I, J, K, L, M) – in other words, it's an ugly hack.

Compare that to the PowerShell equivalent:

PowerShell: Get-ChildItem -Path C:\Example -Filter 'Foo*'

The output’s functionally the same, but even in this fairly trivial example, it’s much much easier to understand what’s happening. It’s immediately obvious what all the elements in the command do and how you could modify them. The only slightly non-obvious thing here is the * wildcard character (present in both examples) which indicates that the pattern used to match items should start with ‘Foo’ and end in anything else.

It just keeps getting better from here. Say you want to know how to identify just files (not directories) in the path: you could dig up the docs and Google around to sort that out with the command line version, or, if you're in PowerShell, type "-" and hit the tab key, rolling through the flag options until the obvious solution shows up.

One Big String vs Object Properties

Servers are no good to anyone if they're not online. Which is why people spend an inordinate amount of time pretending they're sonar operators on a submarine and ping'ing them (yes, that's actually why it's named that – https://en.wikipedia.org/wiki/Ping_(networking_utility)).

While the output from ping is useful (and you can use ping within PowerShell), at the end of the day the output is just a big string – a series of letter and number characters with no defined breaks between them.

PowerShell has a command that’s analogous to ping, but that returns data that’s structured, making it easy to work with. That command is Test-Connection.

Below you can see the output of pinging a server (named ‘DC’ on their local network) and the equivalent Test-Connection output.

Putting aside that it’s easier to read, what’s really important is that you can now pass this information off to another command, incorporate it into a larger utility (as this full course is working towards) or just tweak it so that it makes more sense.

Getting Help

Up to now, we've focused on how to manipulate a particular command as you're in the middle of it (via tab completion), but as you start doing more and more with PowerShell, the commands become more complex with even more complex options. While the Verb-Noun syntax helps, what helps even more is having:

1. Up to date documentation
2. Lots of examples

CmdLet Help

In practice, you should combine Get-Command (to find what to use) and then use Get-Help to find out how to use that particular command.

A practical example of how to do this: suppose you need to identify all the running Windows Services on a machine.

You would start by looking for commands for service interaction:

Get-Command -Noun Service

Which would tell you at a glance that you were on the right track. Thinking back to the standard Verb-Noun syntax of PowerShell commands, you want to investigate how to properly use ‘Get-Service’.

Microsoft's official Get-Service documentation

For this, you’d use a new command ‘Get-Help’. Start by typing

“Get-Help -” and hit the Tab key

You’ll quickly find the available options, the most obviously suitable one being “-Name”, so you’d try:

Get-Help -Name Get-Service

Immediately you get the full Syntax (and that you can include or exclude names based on filters).

If you wanted to deep dive into a particular aspect of the command you can drill down further with Get-Help, including each parameter:

Get-Help -Name Get-Service -Parameter Name

PowerShell Help Examples

Because we’re all humans reading this (no offense Google bot), we have the same mental hurdles to overcome with respect to pattern recognition and translating abstract command syntaxes into what we should actually type to accomplish what we need to get through the day.

By adding the -Examples parameter to Get-Help (the examples are also included in the -Detailed output), you'll be presented with a set of examples for using the command.

Here is the output for:

Get-Help -Name Get-Service -Examples

Staying Up To Date

Nothing is more frustrating than entering in exactly what an example says you should, only to have it not work as documented. Often this is caused by out of date documentation, bad examples, or updated libraries.

Sidestep these frustrations, and get new examples and fixes, with the

Update-Help

command. Running it starts the download process.

Next Steps with PowerShell

Want to learn more? Use unlock code ‘blog’ for free access to the full PowerShell and Active Directory Essentials video course.

[Podcast] Security and Privacy Concerns with Chatbots, Trackers, and more


Leave a review for our podcast & we'll send you a pack of infosec cards.


The end of the year is approaching and security pros are making their predictions for 2018 and beyond. So are we! This week, our security practitioners predicted items that will become obsolete because of IoT devices. Some of their guesses – remote controls, service workers, and personal cars.

Meanwhile, as the business world phases out old technologies, some are embracing the use of new ones. For instance, many organizations today use chatbots. Yes, they'll help improve customer service. But some are worried that when financial institutions embrace chatbots to facilitate payments, cyber criminals will see it as an opportunity to impersonate users and take over their accounts.

And what about trackers found in apps bundled with DNA testing kits? From a developer’s perspective, all the trackers help improve the usability of an app, but does that mean we’ll be sacrificing security and privacy?

Other articles discussed:

  • Australian government considers allowing firms to buy facial recognition data
  • Replay scripts to track cursor

Tool of the Week: Sword

Panelists: Kilian Englert, Kris Keyser, Mike Buckbee

[Podcast] Bring Back Dedicated and Local Security Teams


Last week, I came across a tweet that asked how a normal user is supposed to make an informed decision when a security alert shows up on his screen. Great question!

I found a possible answer to that question at New York Times director of infosecurity, Runa Sandvik’s recent keynote at the O’Reilly Security Conference.

She told the attendees that many moons ago, Yahoo had three types of infosecurity departments: core, dedicated and local.

Core was the primary infosec department. The dedicated group were subject matter experts on security, still in the infosec department, but who worked with other teams to help them conduct their activities in a secure way. The security pros in the local group are not officially in the infosec department, but they're the security experts on another team.

Who knew that once upon a time dedicated and local security teams existed?! It would make natural sense that they would be the ones to assist end users on security questions, why don’t we bring them back? The short answer: it’s not so simple.

Other articles discussed:

Panelists: Kilian Englert, Forrest Temple, Matt Radolec

Krack Attack: What You Need to Know


For the last decade, philosophers have been in agreement that there is another, deeper level within Maslow’s Hierarchy of Human Needs: WiFi Access.

We’re now at the point where even the most mundane devices in your house are likely to be WiFi enabled.

Today we learned that every single one of those devices – every single smartphone, wireless access point, and WiFi-enabled laptop – is vulnerable due to a fundamental flaw with WPA2 (Wireless Protected Access v2).

It turns out that the WPA2 protocol can be manipulated into reusing encryption keys in what's being called the Krack Attack.

The result?

Attackers can view and compromise your encrypted traffic, inject ransomware code, hijack your credentials, and steal sensitive information like credit card numbers, passwords, emails, photos, and more.

Who Is Affected?

Because of how it works, this attack threatens all WiFi networks – and WiFi-enabled devices.

While the flaw is in the WPA2 protocol itself, how that protocol is implemented differs across device and software vendors. Apple’s iOS devices and Windows machines are mostly (as of now) unaffected since they don’t strictly implement the WPA2 protocol and key reinstallation.

The largest group affected are Android users and those other client devices that implemented the WPA2 protocol very strictly.

How the Attack Works

The attack works against WiFi clients and depends upon being within WiFi range of the target device. Attackers can use a special WiFi card that retransmits a previously used session key which forces a reinstallation of that key on the client device.

By doing so (and depending on exactly how WPA2 is implemented on the client device), the attacker can then send forged data to the client. For example, an attacker could silently manipulate the text and links on a web page.

How Practical Is the Attack?

An interesting twist to this attack is that it depends much more upon physical proximity in order to compromise a client since you need to be in WiFi range. An attacker also needs a somewhat specialized networking device and to be able to code up the exploit manually – since no software has yet been released for this attack.

What You Can Do To Protect Yourself Today

The more encryption you run at different layers of the communications stack the better. If you’re in charge of a website, this is just one more in a vast list of reasons you should be forcing SSL/TLS on your site.

VPNs are also a strong (additional) option: they’re inexpensive, easily configured, and can make Krack much less of an issue. An attacker can view/capture the encrypted data but won’t be able to do anything with it.

What You Can Do In The Coming Weeks

Update your devices – and be mindful of where and on what devices you’re using WiFi.

Every vendor is likely going to release a patch addressing this vulnerability: install the next product update that gets pushed to you – and encourage those around you to install security updates.

Neglected security updates are actually a large and persistent vulnerability: they’re there for a reason – install them! Greater adoption helps everyone. If you need more convincing, check out Lesson 4 of Troy Hunt’s Internet Security Basics.

What You Can Do Long Term

This may spark more (and long-needed) research into the areas of WiFi vulnerabilities.

While you can’t entirely prepare for the unknown, you can set yourself up to respond quickly by establishing good procedures for emergency patch management, implementing defense in depth by layering multiple different security systems and keeping all of your systems as up to date as possible.

This attack highlights that it’s important not to rely solely on any single layer of defense. For many home networks, this is, unfortunately, their only security layer. Always consider what happens when a layer of defense fails.

How to Better Structure AWS S3 Security


If the new IT intern suggests that you install a publicly accessible web server on your core file server – you might suggest that they be fired.

If they give up on that, but instead decide to dump the reports issuing from your highly sensitive data warehouse jobs to your webserver – they’d definitely be fired.

But things aren't always so clear in the brave new world of the cloud, where a service like Amazon's Simple Storage Service (S3), which performs multiple, often overlapping roles in an application stack, is always one click away from exposing your sensitive files online.

Cloud storage services are now more than merely “a place to keep a file” – they often serve as both inputs and outputs to more elaborate chains of processes. The end result of all of this is the recent spate of high profile data breaches that have stemmed from S3 buckets.

An S3 Bucket Primer

S3 is one of the core services within AWS. Conceptually, it's similar to an infinitely large file server at a remote site or an FTP server that you're connecting to from across the Internet.

However, S3 differs in a few fundamental ways that are important to understand: failing to do so will trip you up and may result in insecure configurations.

S3 is organized around the concepts of Buckets and Objects, instead of servers with files.

Buckets are the top level organizational resource within S3 and are always assigned a DNS addressable name. Ex: http://MyCompanyBucket.s3.amazonaws.com

This might trick you into thinking of a bucket like a server, where you might create multiple hierarchies within a shared folder for each group that needs access within your organization.

Here’s the thing:

  • There's no cost difference between creating 1 bucket and a dozen.
  • By default you're limited to 100 buckets, but getting more is as simple as making a support request.
  • There is no performance difference between accessing 100 files in one bucket or 1 file in each of 100 different buckets.

With these facts in mind, we need to steal a concept from computer science class: the Single Responsibility Principle.

Within a network, a file server is a general resource typically used by lots of different departments for all kinds of work.

S3 allows you to devote a bucket to each individual application, group or even an individual user doing work. For security (and your sanity as a sysadmin) you want the usage of that bucket to be as narrowly aligned as possible and devoted to a single task.

A significant number of the unintentional data exposure incidents on S3 appear to have been caused by public-facing S3 buckets (for websites) that were also (likely accidentally) used for the storage of sensitive information.

Sidebar: A warning sign is often found in the bucket naming. Generic, general names like: ‘mycompany’ or ‘data-store’ are asking for trouble. Ideally you should establish a naming convention like: companyname-production/staging/development-applicationname

Bucket Policies

Policies are the top level permission structures for buckets. They define:

  • Who can access a bucket (what users/principals)
  • How they can access it (http only, using MFA)
  • Where they can access it from (a Virtual Private Cloud, specific IP)

Policies are defined as blocks of JSON that you can either write by hand or generate with AWS’s Policy Generator (https://awspolicygen.s3.amazonaws.com/policygen.html).

Benefit #1 of organizing your buckets into narrowly defined roles: your bucket policies will be an order of magnitude simpler, since you won’t have to puzzle out conflicting policy statements or even just read through (up to 20 KB!) of JSON to reason out the implications of a change.

Example Bucket Policy

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}

Narrow buckets mean simpler policies, which in turn mean less likelihood of accidentally over-permissioning users – and unintentionally creating a data breach.

Think of Bucket Policies as how the data should be treated.

IAM Policies in S3

Identity and Access Management (IAM) policies, on the other hand, are all about what rights a user/group has to a resource in AWS (not just S3).

You can apply both IAM and Bucket policies simultaneously: AWS evaluates each access attempt against both sets of policies together, and an explicit Deny in either one overrides any Allow in the other.
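To make the combined evaluation concrete, here is an added example (not code from the post, and not AWS’s own evaluation engine) that replays the post’s IPAllow bucket policy together with a constructed IAM policy. It models the rules for a principal in the bucket owner’s own account: an explicit Deny from either policy wins, otherwise an Allow from either is enough, and with no matching statement the default is Deny. Only the condition operators the post uses (plus the VPC-endpoint string match) are implemented; ACLs, cross-account principals and `NotAction`/`NotResource` are deliberately out of scope. The account id and user name in the sample request are placeholders.

```python
import fnmatch
import ipaddress

# The post's example bucket policy (the IPAllow statement above) as a Python dict.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"},
        },
    }],
}

# Constructed IAM (identity) policy attached to the user: an explicit Deny on deletes.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                   "Resource": "arn:aws:s3:::examplebucket/*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    # IAM Action/Resource wildcards '*' and '?'; treated as case-sensitive here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _ip_in(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(cond, ctx):
    """Only the operators this post needs; unknown operators fail closed."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "IpAddress":
                ok = have is not None and _ip_in(want, have)
            elif op == "NotIpAddress":      # a missing key makes a negated test true
                ok = have is None or not _ip_in(want, have)
            elif op == "StringEquals":
                ok = have in _as_list(want)
            elif op == "StringNotEquals":
                ok = have not in _as_list(want)
            else:
                ok = False
            if not ok:
                return False
    return True


def _decide(policy, req, check_principal):
    """'Deny', 'Allow' or None (nothing matched) for a single policy document."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if check_principal and not _principal_matches(stmt.get("Principal"), req["principal"]):
            continue
        if not _glob_any(stmt["Action"], req["action"]):
            continue
        if not _glob_any(stmt["Resource"], req["resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), req.get("context", {})):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"               # an explicit Deny ends evaluation
        result = "Allow"
    return result


def evaluate(req, iam_policy=None, bucket_policy=None):
    """Same-account decision: explicit Deny in either policy wins, then an Allow
    from either suffices, otherwise the request is implicitly denied."""
    decisions = []
    if iam_policy is not None:
        decisions.append(_decide(iam_policy, req, check_principal=False))
    if bucket_policy is not None:
        decisions.append(_decide(bucket_policy, req, check_principal=True))
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else "Deny"


def request(action, ip, principal="arn:aws:iam::123456789012:user/analyst"):
    # Constructed request; the account id and user name are placeholders.
    return {"action": action, "resource": "arn:aws:s3:::examplebucket/report.csv",
            "principal": principal, "context": {"aws:SourceIp": ip}}


if __name__ == "__main__":
    for action, ip in [("s3:GetObject", "54.240.143.10"), ("s3:GetObject", "54.240.143.188"),
                       ("s3:GetObject", "203.0.113.5"), ("s3:DeleteObject", "54.240.143.10")]:
        print(action, ip, evaluate(request(action, ip), IAM_POLICY, BUCKET_POLICY))
```

The four sample requests show the post’s policy doing exactly what it reads: a read from inside 54.240.143.0/24 is allowed, the single excluded host .188 and any other address fall through to the implicit deny, and a delete from an allowed address is still refused because the IAM Deny overrides the bucket’s `s3:*` Allow.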

Further Reading: IAM Policies and Bucket Policies and ACLs! Oh, My!

VPC Endpoints in S3

A very powerful, but often underutilized tool in securing AWS services is to divide applications into different logically separated application groups inside of a Virtual Private Cloud.

On a grander scale than simply designating a bucket for a particular purpose, a VPC is a logically separated set of Amazon Web Services (including S3) that can be cordoned off for greater security.

Most of the large data breaches that have surfaced regarding groups using S3 have NOT been website related. Organizations are using a variety of AWS’s tools like Redshift and QuickSight to do analysis of massive amounts of (potentially) sensitive data: analysis, reports and raw data that should not be placed on a public network.

The tool of choice to separate this is AWS’s Virtual Private Cloud. With VPC you can define a set of services that will be unable to connect to the general Internet, and only be accessible via a VPN (IPsec) connection into the VPC.

Think of a VPN-connected VPC as a separate section of your internal network – and resources like S3 within the VPC aren’t publicly addressable:

  • A bot scanning for open buckets won’t be able to see them.
  • Your new data scientist can’t accidentally leave a bucket publicly accessible because they were trying to download a report.
  • Day-to-day users of the services don’t have to try to figure out if their actions will cause chaos and destruction.
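One caveat worth checking for: a VPC endpoint by itself only gives instances inside the VPC a private path to S3; the bucket still needs a policy that denies requests which did not arrive through that endpoint (a Deny with `StringNotEquals` on `aws:SourceVpce`), otherwise it stays reachable from the Internet exactly as before. The following added example (not code from the post or from AWS) classifies bucket policies by what they leave exposed, which is also a way to do step 1 of the checklist at the end of the post, “review which buckets are open to the public internet”. The sample policies, bucket names and the `vpce-PLACEHOLDER` endpoint id are constructed, and the classifier assumes a VPC-endpoint Deny covers the bucket and all its objects, as the sample does.

```python
# Condition keys that narrow who may use a grant or where it may come from.
# An Allow to everyone that carries none of these is reachable from the whole Internet.
RESTRICTING_KEYS = {"aws:SourceIp", "aws:SourceVpce", "aws:SourceVpc",
                    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _grants_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_vpc_guard(stmt):
    """A Deny on all S3 actions that applies unless the request arrived through a
    named VPC endpoint. Assumes its Resource covers the bucket and its objects."""
    return (stmt["Effect"] == "Deny"
            and _grants_everyone(stmt.get("Principal"))
            and any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", [])))
            and "aws:SourceVpce" in stmt.get("Condition", {}).get("StringNotEquals", {}))


def classify_exposure(policy):
    """'vpc-only'   : a VPC-endpoint guard denies everything else
       'public'     : an Allow to everyone with no narrowing condition
       'restricted' : Allows to everyone exist but each is narrowed by source or principal
       'private'    : nothing is granted to everyone"""
    statements = _as_list(policy["Statement"])
    if any(_is_vpc_guard(s) for s in statements):
        return "vpc-only"
    everyone_conditions = [
        {key for pairs in s.get("Condition", {}).values() for key in pairs}
        for s in statements
        if s["Effect"] == "Allow" and _grants_everyone(s.get("Principal"))
    ]
    if any(not (keys & RESTRICTING_KEYS) for keys in everyone_conditions):
        return "public"
    return "restricted" if everyone_conditions else "private"


def internet_reachable(policies):
    """Names of buckets whose policy leaves them open to the Internet."""
    return sorted(name for name, p in policies.items() if classify_exposure(p) == "public")


# Constructed sample policies; bucket names, account id and endpoint id are placeholders.
WEBSITE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::mycompany-production-website/*"}]}

IP_RESTRICTED = {"Version": "2012-10-17", "Statement": [{   # the post's IPAllow shape
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}}}]}

VPC_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::mycompany-production-analytics",
                 "arn:aws:s3:::mycompany-production-analytics/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}

OWNER_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mycompany-production-reports/*"}]}

if __name__ == "__main__":
    inventory = {"website": WEBSITE, "examplebucket": IP_RESTRICTED,
                 "analytics": VPC_ONLY, "reports": OWNER_ONLY}
    for name, policy in inventory.items():
        print(name, classify_exposure(policy))
    print("open to the Internet:", internet_reachable(inventory))
```

In practice you would feed it the output of `aws s3api get-bucket-policy` for each bucket; anything that comes back `public` and is not deliberately a website bucket is the first thing to fix.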

Enable S3 Logging

By default, S3 doesn’t maintain access logs for objects (files) in a bucket. On a per-bucket basis you can enable access logs to be written to another S3 bucket.

http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html

Reviewing access periodically can give you great insight into whether your data is being accessed from an unknown location, or, in the case of a data breach, how and when exfiltration occurred.

S3 stores raw logs to the logging bucket where you can parse them with a number of different open source tools, like:



More recently, AWS Athena was launched. It’s a new service that lets you directly run SQL queries against structured data sources like JSON, CSV and log files stored in S3.
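Whichever tool you query the logs with, the two questions the section above raises are “who read what from where?” and “how much left?”. The following added example (not code from the post or from AWS) parses server access log records in the layout AWS documents for S3 server access logging, then flags object reads that came from outside your trusted networks or were made without credentials, and totals the bytes served per source address. The log lines, canonical user ids, request ids, bucket name, IP addresses and the trusted network list are all constructed.

```python
import ipaddress
from datetime import datetime

# Field order of an S3 server access log record; later optional fields (host id,
# signature version, TLS details and so on) are collected under "extra".
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referrer", "user_agent",
          "version_id"]

# Constructed sample records: ids, bucket name and addresses are placeholders.
LOG_LINES = """\
OWNERCANONICALID mycompany-production-reports [06/Feb/2019:00:00:38 +0000] 10.0.1.25 ANALYSTCANONICALID 3E57427F3EXAMPLE REST.GET.OBJECT q4/revenue.csv "GET /q4/revenue.csv HTTP/1.1" 200 - 204800 204800 41 12 "-" "aws-cli/1.16.23" -
OWNERCANONICALID mycompany-production-reports [06/Feb/2019:00:02:11 +0000] 198.51.100.7 - 7A2B3C4D5EXAMPLE REST.GET.OBJECT q4/revenue.csv "GET /q4/revenue.csv HTTP/1.1" 200 - 204800 204800 35 10 "-" "python-requests/2.21.0" -
OWNERCANONICALID mycompany-production-reports [06/Feb/2019:00:02:12 +0000] 198.51.100.7 - 8B3C4D5E6EXAMPLE REST.GET.OBJECT q4/customers.csv "GET /q4/customers.csv HTTP/1.1" 200 - 52428800 52428800 910 15 "-" "python-requests/2.21.0" -
OWNERCANONICALID mycompany-production-reports [06/Feb/2019:00:03:05 +0000] 203.0.113.9 - 9C4D5E6F7EXAMPLE REST.GET.OBJECT secret/keys.txt "GET /secret/keys.txt HTTP/1.1" 403 AccessDenied - - 5 - "-" "curl/7.64.0" -
"""

# Constructed: the address ranges your VPN and office egress actually use.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _tokenize(line):
    """Split a record on spaces, keeping [bracketed] and "quoted" fields whole."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] in "[\"":
            close = "]" if line[i] == "[" else '"'
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_log_line(line):
    """One record as a dict; '-' byte counts become 0 and the timestamp is parsed."""
    tokens = _tokenize(line)
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    return rec


def find_suspicious(records, trusted=TRUSTED_NETWORKS):
    """Object reads from outside the trusted networks or made without credentials
    (requester '-'); denied attempts are kept because they show probing."""
    findings = []
    for r in records:
        if not r["operation"].startswith("REST.GET.OBJECT"):
            continue
        ip = ipaddress.ip_address(r["remote_ip"])
        reasons = []
        if not any(ip in net for net in trusted):
            reasons.append("outside trusted networks")
        if r["requester"] == "-":
            reasons.append("unauthenticated")
        if reasons:
            findings.append({"request_id": r["request_id"], "ip": r["remote_ip"],
                             "key": r["key"], "status": r["http_status"], "reasons": reasons})
    return findings


def bytes_by_ip(records):
    """Bytes actually served per source address: the first number to establish
    when working out how much data left during an incident."""
    totals = {}
    for r in records:
        if r["operation"].startswith("REST.GET.OBJECT") and r["http_status"] == "200":
            totals[r["remote_ip"]] = totals.get(r["remote_ip"], 0) + r["bytes_sent"]
    return totals


if __name__ == "__main__":
    recs = [parse_log_line(line) for line in LOG_LINES.splitlines()]
    for finding in find_suspicious(recs):
        print(finding)
    print(bytes_by_ip(recs))
```

The same two questions translate directly into Athena queries over the logging bucket once the table is defined; the point of the tokenizer is that the bracketed timestamp and the quoted request URI and user agent contain spaces, so a naive split on whitespace misaligns every field after them.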

In Conclusion

AWS S3 is a powerful and extremely useful service that increases the capabilities of IT and application groups. Properly administered, it can be a safe and powerful tool for data storage and as the base of more complex applications.

Steps to keep your data secure on AWS S3:

  1. Review which of your S3 buckets are open to the public internet
  2. Split S3 Buckets to 1 per application or module
  3. Separate concerns with VPC S3 Endpoints
  4. Log everything