November 7, 2019 by Kenneth Fisher
I’m blogging the Keynote!
One of my bucket list things has always been to live blog a keynote at Pass Summit and I’m actually doing it! I want to thank Kendra Little for talking me into it. I missed the signup to be one of the bloggers, but there was a free space next to her and she invited me to sit there. As always I have no clue what I’m doing so wish me luck!
Wendy starts us out with a rousing version of “Good morning to you” to thunderous applause.
Now she’s reminding us to do our evaluations .. got to remember to do that.
Finance report time! (It’s important stuff people, I want to be able to keep going to Pass events!)
(Paraphrasing) “Are we spending less, or are we really being more efficient.” Yea, based on the info she shared, more SQL Saturdays, more learning, more, more, more!
Tim was told “Do not sing” (we dodged a bullet there!) (Just kidding Tim!)
Pass directly impacted 80,000 people in the past year!! That’s really impressive!
Thanking the partners that support us. (AWS, Quest, Dell, Redgate, SentryOne, and Idera)
And of course Microsoft. Couldn’t do much without them could we.
950th SQL Saturday coming up!!! Can you imagine? (I should point out if you’ve never been to one you should give it a shot, they are a lot of fun and a great opportunity to Connect, Share and Learn.)
Tim gives us stories of people who joined Pass and the heights they have reached in our community.
Time for the Passion Award! Based on the description this person really deserves it too!
Congrats Hamish Watson!
Tim says “Get Engaged”, not sure how my wife would feel about that though.
I’ve been excited about this part since I learned Tarah was speaking!
Cybersecurity is Everyone’s Problem
Three Internets and the Data Regulatory Climate
I’m really hoping to get to say hello after the keynote!
Not a lot of people work in Foreign policy and Infosec (there probably should be IMO)
There are more and more data breaches all the time.
(paraphrasing) “I see a room full of people who don’t know they are diplomats”
How many people here feel qualified for their jobs? (one or two hands up)
How many people have a degree in the field? (one or two hands up)
There isn’t a lot of good training for what we do (She meant degrees etc, we tend to teach each other.)
Quick note: Tarah is a great speaker, the crowd feels really engaged.
“Cybersecurity is one of the only IT roles where there are people actively trying to ruin your day, 24/7.”
The different worlds that data exists in.
We have three different internets.
- GDPR: “How do we fully delete an individual? How do we prove it?”
(Paraphrasing) We may not be able to provide a product to the EU because we can’t handle GDPR.
- Dealing with data in China is wildly different. They store web usage data in a fundamentally different way. (among other things, and I hope I got that right)
- The rest of the world (some other groups may be splitting off as well).
(Note: There is a LOT of information here!)
- Data retention
“Has anyone ever seen the amount of data your company collects go down?”
Never shrinks, Only grows, Metadata counts, “Sensible data retention is governed not by technological limits, but by compliance and regulation.”
- Data backup
It’s offsite (if you are a DBA you know it better be)
“You can’t destroy backups for purposes of forensics”
Interesting question: What happens if someone moves to the EU? Can they request their data be removed now?
You can’t physically put your hands on it.
- Data restore
Constant and continuous integration with production systems.
There should be multiple ways to restore the data.
We end up in a state of conflict between Data Science and Cybersecurity. (I prefer to think of this as a balance/juggling act, but yea.)
Dump the data ASAP! vs Save all the data
Now it’s a triangle – Confidentiality -> Integrity -> Availability -> and back.
(I promise I’ll try to clean this up later, there is just SO MUCH INFORMATION)
What happens if you are an EU citizen in Beijing using SalesForce for your California clients?
Do the Chinese regulations, GDPR, or CCPA win? No one knows yet.
First impulse for DataSec “Delete it all!”
“No one wants backups .. What they want is restore!”
(We all know this as DBAs, or at least you better)
The multitude of choices in data architecture to provide for security are sometimes in direct conflict with privacy. (This is going to become a bigger and bigger thing over time.)
Encryption at rest and in transit are best practices but later audit trails can be unusable if the data itself has been deleted. (This is kind of scary IMO, but so is security in general at times)
GDPR is retroactive (Yikes)
I’m going to summarize a bit here. We are not in a position to be able to delete a person’s data and maintain our ability to recover, or audit.
Is there a sufficient amount of encryption on a piece of data for it to be considered deleted?
We know that storing too much data badly leads to the use of AI-powered cyberattacks
(paraphrased) Do scenario-based tests on the idea that all of your databases are now on the dark web
What if an EU citizen demanded the deletion of all of her data in an ongoing US legal case?
We don’t know who wins yet.
Can you prove you’ve deleted data? Can you prove you haven’t?
Start thinking about it.
Be nice to your security team!
“CISO is an old Greek word meaning ‘goat which is first to be slaughtered’” (I think DBA is too sometimes.)
“Does it ever hurt less to bike up a mountain” “It never hurts any less, you just get to the top of the mountain faster”
Tips from Tarah:
- Your company had better have a “Security@company.com” (I’m going to try emailing this later to see.)
- Take your Twitter DM seriously
- Have a vulnerability disclosure program
I think we are getting close to the end here. And I’m exhausted. And I’m excited. And I’m terrified. This was amazing!
Brief QnA. Two questions so far and it comes down to .. is there any kind of documentation available to help us with this?!?
Best answer: Start a GitHub.
Question: I’m doing genetic research, how does GDPR affect my ability to see genetic information from the EU, etc?
Answer: What is a person’s right to not have their information out there?
I think we will start to have the right to say our genetic information is unavailable for a certain amount of time (Kind of a reverse copyright)
Ending on a hopeful note
Over time all of these problems will be solved.