AWS re:Inforce 2019: Privacy, Ethics, and Engineering in Emerging Technology (SEP204)

all right so today words are about privacy ethics and engineering and emerging technology I'm gonna stand here usually I stand out in front of the patient but we got the clicker set up maybe someone can help us with the click here to make sure it's it's working all right let me just test it real quick here a couple times yeah all right live B so I'm from instructure I just want to introduce myself and kind of talk to you about how we were approached in these particular topics at instructure Oh before we do that with some related breakouts so you should be aware of that we'll also help with you in designing their privacy programs within your various organizations so from my standpoint just a little bit about me I'm a security engineer at heart I love to build I love to help other organizations build their security programs from the ground up I've done it a couple of times now now the questions you're probably asking is why is security guy talking about privacy and ethics I'm gonna get into that a little bit later in the presentation but for me personally I'm extremely motivated by being a part of organizations that have really meaningful impact of humanity and right now helping in structure along with their journey a little bit about instructure and I provide this only as context for the rest of the presentation not as like a marketing picture otherwise but largely my intent here is to show how we and our organization have approached this and hopefully things you can glean in your own so a little bit Bowden structures some of you may have used our products before in your learning and development journeys one is called canvas that's for K through 12 and higher education schools to basically help people and instructors in their teaching and learning journeys our mission statement is help people grow from the first day of school to the last day of work we definitely help people aid in in those conversations whether it be development conversations within your organization between a manager and employee or whether it be between an institution or a teacher and a student at an institution so I put up this slide because in my journey and maybe the case with many of you in your journey as I've seen these kind of viewed as mutually exclusive within organizations but what I found is they really are a synergistic type of relationship when you have them both together in the past you know a security team maybe like we have all of these data elements and we need to secure those data and it's regardless of what they may be whereas a privacy professional may be looking at saying hey what type of data elements are we actually capturing why do we need those are we removing those at the end of contracts are we making sure the lifecycle of data elements within our infrastructure are they following what we've committed to do with with customers and so any of those two approaches but in our case our to draw like have been diagram where they're both juxtaposed over each other they're really awesome parts about each of them and how that's helped us in our journey as we you know considered privacy in the security world and consider security in the privacy world so I started the security team in the structures a few years back and we wanted to I wanted to still the approach for security down into three different objectives so the super simple straightforward on how we wanted to approach it I mean most of us think hey a security team detects bad things or detects things that we're doing incorrectly and then they also secure against those things or help people within the organization's secure against bad things from happening to the organization I feel like sometimes this third one is left off or not considered because folks are so in depth looking into the detective and the security against those things that the essence of where I come to security and feel like it's an important aspect of most security teams for privacy teams are built in maintaining the trust of customers and I feel like privacy fits extremely well into this place so that really between customers and our organizations we have that sync between each other to make sure that a we've established this trust we want to maintain this trust especially with regard to data elements one of the values core values at instructure is openness this is really helpful fed into the natural approach to saying hey I want to make sure that the things that we say and we're doing from a privacy standpoint from the handling of data from cradle to grave are the things same things that you are understanding that we're doing with those things and so as we've approached openness and especially with ethics related to this particular presentation we wanted to make sure that was very much in sync and very much aware that they are easily able to understand what we're doing with things and we're actually doing what we're saying we're doing so from a privacy standpoint and data residency standpoint at least within our organization these various layers of the stack looking at data you have the controllers you have the processes of data we very much fit and holistically deployed on top of AWS we fit in the data processor realm and so the way we approach privacy in our designs and our architectures and our deployments and development models is very much similar to an analogous to the weight of us is approaches which has been hey we want to enable our customers with the tools to manage the data elements that they control from cradle to grave and make sure that is all congruent with how they're communicating out with customers our primary customers on our end have been schools or institutions higher education learning and then you know straight up businesses with the development career development learning journey or bridge and they largely manage that conversation with customers or their users or end-users but on our end we make sure that we are enabling them and embolden them with those features or tools or sets within our software to allow them to do that effectively so I wanted to talk a little bit about the journey at instructure way we approach this internally really quick we have so I'm I'm our chief security officer our VP of security at a structure we made a very strategic relationship between security team and our legal team and so that's kind of what this slide is definitely value the input from our legal team our DPO or data privacy officers it's on our legal team and it's become a very just again synergistic relationship between the two we both bring different talents to the table and then we both make sure that we're holding each other accountable with regard to being good stewards of the data that we we have as we started arm-in-arm this was a few years ago now granted before our time together this member of our legal team and myself kind of you know that we had probably some of the most organizations where you have either tribal knowledge or understanding what we're doing things and we're definitely doing things the right way but the formalization of the program was definitely an arm and arm effort as we walked alongside each other to first scope out hey what data elements do we actually have this was very well known we just decided to formalize it into a data inventory or a data map it make conversations with customers extremely easy to say these are the data elements that we have and these are why we have them and we also note are these optional elements or are these ones that are required to use as part of the functionality of the product that we provide so in most cases we make most of these fields optional so customers are able to input whatever fields they'd like to on their and if it's gonna be a long random string or a grid representing their users on their end in our system we won't know who the identities of those individuals are as they use the service that definitely enable our customers to do that from an emergency technology standpoint like many of us in the room you know we hope to maximize the value of the data elements we have and as much as it improves the learning journey of our end users while still being good stewards of the data elements that we've been given so this slide may be a little bit more obnoxious than in reality but you know at instructure we try to approach things in a way that simplifies them but allows us to execute them carefully so we definitely don't have a stack of these paper sitting all of our desks at work especially relating to having a robust privacy training and privacy policy we try to distill it down to the most distinct language as possible and make sure our internal folks know about it as well as our external folks so that they are able to you know effectively enact the things that we've promised our customers to do one more point on this one actually this year is when we decided to actually join our privacy internal training program with our security and our compliance training programs so that it made it a seamless experience for our internal employees to take the training and have all of those elements covered in one very distinct and very easy to understand training so that we were able to cover the privacy aspects the security aspects as well as our compliance at risk aspects largest point of so I mean this looks pretty probably pretty familiar to your or to our various development programs I just wanted to note on here the various areas that we have inserted privacy and security within our SDLC you know they definitely are hand-in-hand in every step of the way from a security standpoint we're using various scanners in our code from a privacy standpoint we're checking to make sure that our back-end database the fields that we've added to the database for various elements that we plan on collecting actually match what we designed and plan in the beginning the last one is just making sure our customers are very aware of the the changes that we've added to the application as part of you know being good stewards these data elements lastly I'm actually an AWS native I started at AWS gosh a long time ago is back when AWS had a much much smaller – even general is you know back in 2008 2010 and it's amazing how it's grown over time and these services it definitely helped us in our journey from a security and privacy standpoint to embolden us to be good stewards of these data elements so as we've approached our build process we've said hey how do we make sure these things are built-in for our customers to use from you know data controller standpoint but and maintaining like I mentioned before these open agreements and understanding with customers but there's several out-of-the-box tools that we use we love that we've definitely embraced and become a part of our core operating structure guard duties been fantastic and helping us detect things with regard to weird things that may be occurring in our infrastructure we receive those in various you know text-based means that our team members whether it be while walking the dog or whether it be you know at our desk working during the day that something random has just happened and we want to look in that investigate so trusted advisors been fantastic to make sure we're using us the appropriate way we definitely have taken advantage of the well architected and well secured reviews it's been extremely helpful working with the 80 of us folks to make sure hey you didn't forget something and we're definitely benchmarked against what folks would expect us to be doing regard to our use of AWS we this is totally unscripted by the way so his answer may be very uncomfortable are you using any marketplace solutions at all in any of the work that you're doing great question you know every time we approach a new solution or a new way of handling things we definitely check out the marketplace say his there is something out there already that makes sense Russ to use if we've evaluated some of those items right hmm the cost structure here doesn't make sense so maybe the cost structure does make sense we're able to for those there any particular ones I'd want to call out but definitely a fantastic valuable resource for us to look at before we say let's go build our own it's going to take a few months or a few years actually do and maintain after that so you have to yeah great question the mark place has been fantastic okay so from a security hardening standpoint fYI I mean you know one of the things a lot of these frameworks call for are having hardened images are a good baseline to follow you know CIS and the DISA sticks and various other standards out there that help make sure that we're deploying things in a hardened good state we definitely look at the marketplace or those say hey is there an image that exists right now for the image you know the underlying OS yeah I like to go for so we don't have to go through and harden our own so okay that's a good example okay yeah great question lastly configure rules are extremely helpful or a lot of organizations have adopted just building their own lab dozen checking their AWS you know accounts against those particular compliance checks lastly you know may see just good use of tags from an inventory and data ownership standpoint tags have been extremely helpful to help us know who owns what why what they plan on doing with those things and how we can trace those things down if there's anything concerning with them lastly cloud trail we do a significant amount of log based alerting at least from a making sure that we have good accounting for what's happening with all of our assets you know lastly really is just definitely a good partnership between our security and privacy teams and has helped us approach privacy say in a more I guess inclusive way versus a siloed approach okay you know again hopefully this is just either a good validation of if you're doing these programs you know within your organization this has been helpful or at least something to benchmark against but that's generally the desire presenting this aspect to say hey this is one approach and definitely hopefully something that has helped provide some insight thank you for that matter thank you I don't need that I'm glued up okay cool so yeah you get to stand very precariously close to that edge so my name is Jonathan Jenkins as was mentioned before I work with a de West professional services as a senior security consultant so my role is to help customers move their most sensitive workflows on to AWS and we're going backwards in time oh is that working this oh cool so it wouldn't be a security deck if it didn't have the shared responsibility model right and it's really important from one particular aspect you'll see that this model all over the place and you'll see that orange line moves up and down depending on which service you're making use of and but one thing will remain constant is that customer data is always the responsibility of the customer and I would put it to you exactly what Matt has said before is that actually this becomes a Russian doll right so where that customer data starts with your journey on creating your own shared responsibility model with your customers begins so inside there is going to be a sort of strata of parts of the infrastructure parts of management of that data that are you're responsible for and parts which your customers will be responsible for so that's the reason for showing this now at that and the fact that it's not a security deck if it doesn't have the shared responsibility model in as a slide there are lots of security standards out there now and a few regulations and I just want to punctuate slightly the difference between the two so a privacy standard can be something like PCI DSS I used to use PCI DSS as a really good sort of benchmark for saying whether I was managing privacy related information correctly so sort of taking the pan and pin out of the equation and just kind of managing privacy related information in in accordance with PCI DSS and that has very structured approach to how you can meet that standard whether you're compliant to that standard or not an auditor can come in a third-party auditor can come in and decide whether you are or you are not compliant to that standard so that's what I would term a sec toriel standard so that covers single sector so you've got things like HIPAA as well for the medical environments and then you've got regulations so up here we've got the EU data protection and GDP are obviously from my accent you might be able to tell I'm from the UK and gdpr is a big deal at the moment and it's a very difficult discussion to have with customers because I'm not a lawyer and there's parts of the discussion that I need to have with my customers about how they're going to meet the risks that are associated with GDP are there are also data privacy standards and regulations across many other countries you can see a few there New Zealand and Germany being pretty obvious ones and there's one in California which is I think January of next year so there's lots and lots of privacy regulations and standards and our our services will at will be audited against as many of those as we can and you can go and have a look and see how we attest ourselves as meeting those standards using AWS artefacts so you can dial in through your console and go and check that out we have terms and conditions which we try to be as transparent about as possible we have transparency so we show you exactly how it is that we're managing your data through some of those data stations we provide you with compliance and security tools and services things like AWS config security hub which was announced today as a general release allow you to do that and also things like guard duty allowing you to have automated protection as well in terms of Detective Control I'd like to highlight though the Amazon partner Network and marketplace your you know one of the things that one of the reasons ADA risk came about was that we recognized that scale and our agility were were two of the things that were clearly things that we could offer to our customers and so we were able to allow businesses to operate on our platform on that on that basis so that they didn't have to worry about the bricks and mortar data centers that they so they didn't have to worry about security guards to hire or who has access to data racks and things like that customers could actually get on and do the business that they're best at doing and not have to worry about who's got access to pull wires out of the back of of racks and in the same in the same way I would say that your if you're trying to meet privacy standards privacy requirements your best bet if you're not in that game already is to use some of the partner network to achieve those types of things so there's a partner that we use improvement in professional services quite a lot which is data guys data guys have a marketplace solution which does an awesome job of identifying where your privacy related data is it contextualizes that so if you were to have a field in a database or a field on a volume somewhere that said 30 November Street it understands that 30 November is not a date it's actually an address and so it uses data that's either side of the data being interrogated to be able to classify it as a private data and so can help track that it can help mask it it can help do some encryption on that it can create granular roles that allow access or not allow access to particular users so that's a really really interesting technology that I recommend you go and have a look at the other one is an emerging technology partner called privet our privet I have some really interesting technology to do with privacy in big data so if you're doing a IML there are some really difficult problems to solve one is whether is this private data is it not private data now I've got to mutate and and and manage and look after where that data is moving to and from I've got to make sure that only certain people have access to certain data I've got to make sure that my machine learning models are learning in in ways that they're permitted to learn for example and privet are I've got some interesting polymorphic encryption technology that allows them to meet manipulate large datasets very quickly without altering or updating certain without updating certain those data with it and keeping them as encrypted data we have deep security expertise hopefully you agree with that and certainly within professional services we have experts within the field so I'm an S&M SME for both privacy but also for technologies like cloud HSM and also for blockchain so we have lots and lots of deep expertise in some of those fields and we have those independent audit audits and data stations which you can go and download through an NDA on AWS artefact I want to talk now about the professional services approach and it really kind of synergizes or is very familiar with with your own story there map the first is we do a discovery phase so the first phase whenever I rock up to a professional services engagement to do with privacy is to do that discovery and it can be quite a painful task it's painful because you have to ask very probing questions about where it is that data is being in brest into a system where it is that data then moves within the system where it is that data then is processed within a system and where it is that data is then egressed out of the system who has access to each of those components why is it that you're needing to process that data at any particular point do you need to hold on to that data for longer than that period of time and all those types of that the rights that you might have over that data is really important so within that discovery phase we're just asking questions about where are things right now we're not looking to solution eyes we're not trying to think about well we need to encrypt those s3 buckets or we need to put correct protections around I am policies we're just looking to see how things are monitored modest isn't managed right now to understand how we then need to reduce that scope and that's what happens within the assessment phase within the assessment phase customers then look at the discovery that they've made about the way in which they're managing that data and then reflect on that in relation to any sect Oriole or regulatory compliance that they need to meet this is the phase that's most difficult for me as a professional services consultant to get involved in because I can't really offer any advice it really does have to be in the case of regulatory can controls I can't offer any advice there because I'm not a lawyer I'm not a solicitor I don't have a legal bar but what I can do is help them make some of those assessments so they can say we we see a risk with regards to data exfiltration and i can then start offering well we need to look at how we can manage that if we managed it at the periphery if we looked at guard duty as a detective control does that manage some of the risk that you might perceive and so then there is a dialogue that needs to go backwards and forwards finally there's the implementation phase and that's definitely where a de West professional services can again help out and help to implement controls that manage some of those risks and so right up until we're doing the assessment we're really not talking about technology at all we're not talking about ec2 instances or anything we've been talking about discovery of what there is doing an assessment of the risk that's within the discovery and then doing an implementation which is essentially mitigating some of those risks so that very first phase the discovery phase is often complemented or is in a large part to do with the a data protection impact assessment and this seems to be there's a bit of a growing trend around doing this certainly when I was offering this last year as something that we could help customers with they looked at me very confused and what the hell is a data data protection impact assessment but nowadays it's becoming more more obvious to customers what that is but still they find a little difficulty and understand if there's no template out there for example on what does a good data protection impact assessment look like there's no sort of you know fill this sheet in fill this excel sheet in or fill this document in and and everything's good it is still a bit of an organic process and it's not always trivial to do that one thing that I tend to use is like my go-to framework is the OECD privacy guidelines and I do recommend that if you have got a privacy related requirement at the moment this is a really good basis to start with you'll find that most privacy regulations or privacy standards around the world are based on this so this is the root of all of that pain that some customers are feeling at the moment as they try to meet those privacy standards but ultimately it boils down to these few topics collection limitation is do I actually need to collect that information in the first place data quality is making sure that the data that I do collect is correct purpose specification is saying why I'm using that data to the person as I collect it for example so there's lots of these guidelines that you'll see reflected in many privacy regulations and previously standards and that's because they really are the next thing that I help customers do on their on their road to creating a deep EIA is to define what personal data looks like in their solution you can see a few example here of what might what a customer might decide to be personal data some customers may say it's not personal data other customers might certain regulations or rather standards would would say that you know an IP address is a is a piece of private data others may not so it's important to to work out what what is private data before you then start tracking that private data as it flows through your system and maybe ingress egress is that system a dpi a in my eyes is a diagram potentially that describes your entire architecture in terms of the services that you're making use of the operations that are taking place at each stage and then why it is that you're needing to operates on some of that data it also looks at the risks and some of the questions involved in the retention periods and other other sort of related topics and related questions when we go through to the assessment stage we have several pieces several services that customers can make use of that that help them meet those compliance requirements all those privacy requirements through through from Identity and Access Management which is obviously a preventative control that helps manage users that are accessing the console or are accessing AWS services and resources Identity and Access Management is a really obvious way that you can restrict or permit access to those resources Active Directory services and sam'l Federation are ways that you can allow your existing your existing user stores to be able to get access to your AWS console and it is the way in which large customers that I'm working with are making use I've very rarely see AWS customers that I work with making you I don't I am users anymore it's very very rare that I see and I am use it most of the time where there are roles there are their roles that are being assumed by a federated user so they're not really using I am as a as a user interface they're not dialing into the console directly they're using a federation technique and that that does manage a risk right so the risk that's being managed by by that is that you're managing the star to move the lever process if someone leaves your business or they move between a department or they're joining the business then it's it's very easy for those two stores to become out of sync so if you're just using a single source of truth for your identity pool such as Active Directory then it's a it's really easy to manage some of that risk whereas if you're creating iam users free for every person then you're going to run a risk that the to become out of sync and someone has access that they maybe shouldn't do or potentially someone doesn't have access to something they should do for encryption technologies we have kms we have cloud HSM and alias certificate manager like to talk briefly about AWS kms a lot of people just sort of tick the the encrypt box on s3 they tick the encrypt box on an ec2 instance that they've started and I would challenge that slightly by saying why are you doing that now I'm not saying don't do it I'm just saying and challenging why do you think that's a good idea because if you're ticking it just because you think you should be ticking it that's the wrong reason just because it's best practice doesn't make it the right thing for you to do I would challenge and say you should always be turning on kms encryption because it manages a very specific threat manages a couple of threats related to if AWS were legally obliged to provide your information to north law services then we would we would notify you that we were doing that we would obviously resist having to hand that information over but if it's encrypted using kms it's going to be junk it's just going to be encrypted junk so that's the reason that you turn on kms is because you're protecting your data from being given out to legal services or the or or anything like that you're protecting it against that and cloudy HSM isn't is as I said I'm a cloud HSM SME I've worked with hardware security modules for nearly two decades now and cloud HSM is is really awesome because managing an HSM is really difficult to do if you're not using an HSM already don't is my advice it is very hard to do it well and do it properly and I highly recommend you get a competent partner in to help you do that if you want to use cloud HSM and you have a regulatory requirement to do so or mandated industry requirement to use an HSM and we have some other services down here Amazon Maisie is constantly undergoing changes and alterations it's it's a really great service for both identifying where your PII data is and also where it can also monitor where that data is being escalated so it can become kind of a very quick hit in terms of getting your security on your privacy bar to one particular to a particular step and and is a very well developed and very versatile tool Amazon inspector allows you to manage some of the vulnerabilities that you might see on ec2 instances for example so can manage threats related to those vulnerabilities so it can I it can both identify where you've got a vulnerability and then you can have SSM to go in and start patching some of those instances as well and guard duty which I've spoken about before is is one of the largest and fastest-growing services that we have at AWS at the moment I I get involved in a few incidents with customers who are having just a bad day and guard duty oftentimes saves a lot of time for me identifying what might have gone wrong so where customers have got this on by default it makes my life as managing incidents and doing Incident Response significantly easier and so if you want to manage some of those risks it should be something that's hitting into your your mitigation and your your implementation phases of of any privacy related behaviors that you may have one other tool that I want to talk about before I draw it to a close is to talk about a blog post that I wrote late last year and it proposed this process and I'll be honest with you so many customers have now spoken about having used this and how much benefit they got from it that I want to I want to share it with you today as well and basically what we're saying here is we're using a DevOps approach to managing security controls so what I was saying before about don't put security controls in place even though they it says it's best practice you should do it because of the reason and this kind of eats out what that reason might be define your roles have a two Pizza team that decides who is involved in your privacy journey from those roles then decide what behaviors they need from the system so that we're talking here about I want s3 buckets to be encrypted because I want to manage the the threat of a subpoena I want to manage the threat of an insider attack I want to manage whatever it might be but then we understand why it is we're applying those controls and so a developer who's then implementing it will make the right decisions about how they implement it rather than just seeing s3 bucket tick done I need to make sure that that stays like that so there are other controls that I might need to write okay so there's an example here so that I fully understand the best approach and I'm able to understand what with my own customers another sort of fragment from this is that you can write acceptance criteria for a lot of these controls so because we've used a DevOps technique here we're saying as a role I want to so that outcome we can write a given that a certain a certain thing is happening a certain set of variables are in a particular state I expect this to happen as a result so I you know given that I am starting creating a new s3 bucket or uploading an object I expect that that is encrypted want with a kms key that I control and so if I've written it like that I can now write an AWS config rule that then continuously monitors my compliance to that standard so you now get that that continuous compliance across your environment making sure that your Dearing to your own privacy standards and managing risks that might be associated with them so I don't have much more to say if I'm honest with you we've got sort of 20 minutes remaining I did want to talk just we were talking earlier out there about emerging technologies as well won't we so you know from the emerging technology standpoint we're talking about I mean you mentioned a couple of vendors or not vendors but folks that can help in that sure yeah you know from our end the emerging technologies larger than what we build into our tools to allow customers to manage their data the way they'd like to manage it I mean that was kind of one the essence is I came across but were there any others that you felt that were important to mention I mean I would say that certainly if we want to touch on emerging technologies and ethics at the same time we've got things like a IML right and that's an obviously a slightly touchy topic I'd say it's a very difficult topic but I would draw back to the shared responsibility model and I would think deeper about what the risks are right so the risk in using AI ml in a way which might be ethically interesting is you're you risk of reputational risk right so the reputational risk is that if you use that data in an unethical way your business will suffer from some reputational damage and so you can still think about it in terms of the risks and then managing those risks with the user stories as a way of documenting it so I want to use a IML in an ethical way so that my customers continue to respect and respect the customer brand goes along with what we were saying earlier about hey why are we doing it yeah we're doing the risk associated with it is X Y Z yeah exactly yeah so that's one another emerging technology which has some interesting privacy slant to it is blockchain so obviously we have AWS managed blockchain now so we've got hyper ledger fabric and also we've good we've got some etherium that's coming soon as well those are interesting topics and certainly when you're looking at it from a privacy perspective it is worth diving really deep into some of that technology before you launch into it so I would encourage you to run through the DPI a run through that data privacy impact assessment in terms of using blockchain with any privacy related information before you use it just to make sure that you're you're absolutely happy with the way in which it's being used and also we have qld be the quantum ledger database which is an awesome piece of technology essentially a Merkle tree but it's it's a really handy way of collecting evidence is the way that I've been using with my customers and holding some of that state for various transactions but again you need to think about the data that you're storing on ql DB and managing some of the risks associated with privacy I don't have anything else to add and I don't want to necessarily work i nevah our own over here and I want to thank you all by the way for coming and joining us in talking we're listening to us at any rate for a period of time about privacy ethics and emerging technologies I hope that you've enjoyed thing to myself and Matt please do take the survey online I know we finished slightly early hopefully that's a good thing but we do it we do absolutely thrive on feedback at AWS like data is the most important thing to us so please do fill in those sheets tell us how well or badly we did that the clicker didn't work and the slides were a little bit slow possibly but we really really thrive on feedback if there's services that you want or want to see AWS provide to help you on your privacy journey then please do find me afterwards or ask your your essay or your term really happy to do that thank you so much I appreciate it thank you

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *