December 3, 2019


EU GDPR as an opportunity to address both big data security and compliance

Many businesses will have to address EU GDPR as they deploy big data projects. This is an opportunity to rethink data security and deploy a flexible policy framework adapted to big data and regulations. Eric Tilenius explains how consistent visibility and control at a granular level across data domains can address both security and GDPR compliance.

Talk Title: EU GDPR as an opportunity to address both big data security and compliance
Speakers: Eric Tilenius (BlueTalon)
Conference: Strata Data Conference
Conf Tag: Making Data Work
Location: London, United Kingdom
Date: May 23-25, 2017

International businesses have to address compliance with the new European Global Data Protection Regulations (EU GDPR) before May 2018. If you are deploying data initiatives, such as a new big data project, and need to address EU GDPR, you can take the opportunity to simultaneously tackle both data security and compliance. All regulations related to data privacy and security rely on the fundamental principle of least-privileged access along with the right to access data only on a need-to-know basis. This requires you to know the specific data being requested, who is trying to access it, and what for—information that informs you whether the access should be granted or denied. In either case, the request would be logged to support any behavior or security analysis. EU GDPR adds additional constraints, such as explicit consent required to collect personal data, the right to be forgotten, and a broad classification of personal data. Further, requirements for compliance will continue to be revisited as each EU member defines the specifics for its own country.

Drawing on numerous examples that have been deployed by BlueTalon customers around the world to address a variety of regulations and keep their data safe, Eric Tilenius explains how consistent visibility and control at a granular level across data domains can address both security and GDPR compliance.

Addressing evolving requirements requires flexibility. An ideal approach is to start from the most granular elements to be regulated, collect all available parameters and attributes that might define the interaction with the data, and codify policies that can make dynamic use of these parameters. This naturally results in a model where you can track data elements down to the most granular element that can be stored (a cell or partial cell in SQL, subfiles in filesystems, and so on). Attributes or tags should be available as metadata to indicate the sensitivity of the data.

On the application or user side, any number of attributes should be collected: role, group, division, location, location at time of query, security clearance, and more. Information on the session should also be used dynamically: time of the query, length of the data query session, number of records requested during the session, and so on. With this level of detail, you can more easily create and evolve policies that meet any compliance requirement, because they are built from the ground up to use any available parameter dynamically.
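The granular, attribute-driven policy model the talk describes, as an added illustration that is not BlueTalon's code: column sensitivity tags, user attributes, session constraints and per-record consent feed a first-applicable rule set, and every decision, granted or denied, is logged. All tags, rules, users and records here are constructed for the example.

```python
from datetime import time

# Sensitivity tags kept as metadata on each column (the most granular stored element).
COLUMN_TAGS = {"name": "pii", "email": "pii", "iban": "financial", "country": "public"}

# Constructed policy rules, evaluated first-applicable; no matching rule means deny.
# Each rule binds a data tag to required user attributes, session limits and an effect.
POLICIES = [
    {"tag": "public", "effect": "allow"},
    {"tag": "pii", "roles": {"dpo"}, "consent": True, "effect": "allow"},
    {"tag": "pii", "roles": {"analyst"}, "consent": True, "effect": "mask"},
    {"tag": "financial", "roles": {"dpo"}, "clearance": 3,
     "hours": (time(8), time(18)), "effect": "allow"},
]
AUDIT_LOG = []  # every request is recorded, whether it was granted or denied


def session_at(hour, minute=0, records_requested=1, record_limit=1000):
    """Session attributes captured at query time (constructed helper)."""
    return {"time": time(hour, minute), "records_requested": records_requested,
            "record_limit": record_limit}


def mask(value):
    """Partial-cell disclosure: keep the first character, hide the rest."""
    return value[:1] + "*" * (len(value) - 1)


def rule_matches(rule, tag, user, session, record):
    if rule["tag"] != tag:
        return False
    if "roles" in rule and not rule["roles"] & set(user["roles"]):
        return False
    if user.get("clearance", 0) < rule.get("clearance", 0):
        return False
    if rule.get("consent") and not record.get("consent", False):
        return False  # no explicit consent on this record, so no access to its PII
    if "hours" in rule and not rule["hours"][0] <= session["time"] <= rule["hours"][1]:
        return False
    return True


def evaluate(column, user, session, record):
    """Decide one cell for one request; returns (decision, value) and logs the decision."""
    tag = COLUMN_TAGS[column]
    decision = "deny"
    # Session-level constraint: bulk pulls beyond the record limit are denied outright.
    if session["records_requested"] <= session["record_limit"]:
        for rule in POLICIES:
            if rule_matches(rule, tag, user, session, record):
                decision = rule["effect"]
                break
    value = {"allow": record[column], "mask": mask(record[column]), "deny": None}[decision]
    AUDIT_LOG.append({"user": user["id"], "column": column, "tag": tag,
                      "decision": decision, "at": session["time"].isoformat()})
    return decision, value
```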
