Steve Jones, Evangelist, Redgate Software
Editor, SQLServerCentral
26 years SQL Server data experience
DBA, developer, manager, writer, speaker in a variety of
companies and industries
Founder, SQLServerCentral
And current editor, with the goal of helping you learn to be a
better data professional every day
10 years Microsoft Data Platform MVP
I have been honored to be recognized by Microsoft for the
last decade as an MVP
Richard Macaskill, Product Manager, Redgate Software
20 years Oracle and SQL Server
Jumped from Oracle 7.3 to SQL Server 7 in 2000.
Financial Systems, BI, Line-of-Business, Risk, Performance.
London Financial Services
BI Dev for Lloyds of London, all-round developer for investment
management.
Hedge fund IT management.
Product Manager at Redgate
SQL Clone, SQL Data Masker, Data Protection and Privacy.
Currently boring everyone within earshot with Compliance and
DevOps stories.
Grant Fritchey, Product Evangelist, Redgate Software
PASS President
Currently serving as President in charge of governance and
finance
Author
I’m the Author of “SQL Server Execution Plans” and “SQL
Server Query Performance Tuning”, co-author of several more
Microsoft SQL Server MVP
Since 2009 I have been honored to be recognized by
Microsoft as an MVP
Agenda
• What is Data Governance?
• What is Compliance?
• Achieving Compliance in your data estate
• What is Database DevOps?
• A slice of compliant DevOps – 3 x demos
• The impact of DevOps on compliance
What is Data Governance
“Data governance … is the overall management of the availability, usability,
integrity and security of data used in an enterprise.”
Techtarget
“… the specification of decision rights and an accountability framework to
ensure appropriate behavior in the valuation, creation, storage, use, archiving
and deletion of information.”
Gartner
The context of databases and ITOps
• Breaking down silos
• Data is a business asset, not an IT asset
• Up-front decision making
• A cultural shift from ‘trust me’ to ‘show me’
Increasing tide of laws & legislation
• Health Insurance Portability and
Accountability Act (HIPAA, 1996)
• The UK Data Protection Act (DPA, 1998)
• Gramm-Leach-Bliley Act (GLBA, 1999)
• Sarbanes-Oxley (SOX, 2002)
• Payment Card Industry requirements (PCI)
• China Cybersecurity Law (2017)
• Singapore Cybersecurity Bill (2017)
• NY DFS Cybersecurity Regulation (2017)
• EU GDPR (2018)
• EU NIS Directive (2018)
• NIST Special Publication 800-53 (draft,
revision 5)
Plus ongoing industry-specific regulations & requirements
• Securities & Exchange Commission (SEC)
• Federal Trade Commission
• Commodity Futures Trading Commission (CFTC)
• The Financial Conduct Authority
• Prudential Regulation Authority
• Solicitors Regulatory Authority
• NHS Digital
• UK Gambling Commission
Why Comply?
• NY DFS – up to $75,000 per day
• SOX – up to $5m for incorrect certification
• The UK Data Protection Act - £500,000
• HIPAA – up to $50,000 per record, $1.5m per year
• FCA/PRA - £56m for RBS Group (2014)
• PCI – you can’t take payments
• EU GDPR & NIS Directive – up to 4% of global revenue or €20m
• Prison
How do we comply?
• COBIT
• ISO 27002 (supported by ISO 27001)
• ITIL (supported by ISO/IEC 20000:2011)
• SOC 2
• Do-it-yourself
Who Cares?
• Regulators (The SEC / FCA / FTC)
• Authorities
• Clients and customers
• Shareholders
• The Board
• Risk & Compliance (Auditors)
• Sales & Marketing
• Information Security management
• IT management (IT Ops / Developers / DBAs)
(On the slide these stakeholders are grouped into External and Internal columns.)
Data Governance Implementation Survey: Key Findings
77% have implemented or plan to implement
a Data Governance program within the next two
years.
44% of respondents cited regulation as the key
driver
Successful programs used 11 tools on average
What is Compliance?
• Applying customers’ instructions faithfully
• Not breaking the law
• Industry regulator’s requirements
• Alignment with regulations
Achieving compliance in your data estate
• Tick the boxes?
• Outsource?
• Ignore?
• Change the way we think?
What is DevOps
“DevOps is the union of people, process,
and products to enable continuous
delivery of value to our end users.”
Donovan Brown,
Principal DevOps Program Manager, Microsoft
Achieving Database DevOps Success
• Environments & Deployment
• Continuous Integration & Deployment
• Protecting & Preserving Data
Barriers to successful compliance projects
52% - Understanding of what is required
51% - Alignment across the organization
47% - Appropriate skills in the team
41% - Awareness of benefits to the business
40% - Resource
Availability Management
• ‘the ability to restore the availability and access to personal
data in a timely manner’ – Article 32, GDPR
• ‘records shall be protected from loss, destruction’ – ISO 27001
• ‘…data or information is accessible and useable upon demand by an
authorized person.’ – HIPAA
What is compliant software development?
• Small changes, automated quality
• CI/CD with test
• Records of change
Dave Farley on regulation and continuous delivery
“My experience of working in heavily regulated industries, mostly finance in different
countries, is that the regulators quickly appreciate this stuff and they *love* it.
CD gives almost ideal traceability, because of our very rigorous approach to version control
and the high levels of automation that we employ we get FULL traceability of every change,
almost as a side-effect.”
Redgate Webinar Q&A, May 2016. Transcribed at www.davefarley.net
Problems to solve
• The Dev team want up-to-date, realistic data
• Teams want access to consistent database copies on demand
• The DBA wants to know where all copies of data reside
• The business want assurance that sensitive data has been
sanitized
Provisioning databases from code
# Connect to the SQL Clone Server that holds the data images and registered instances
Connect-SqlClone -ServerUrl http://sqlcloneserver.example.com:14145
$SourceDataImage = Get-SqlCloneImage -Name 'TradesDataMart (Full) - 2017-09-04'
$CloneName = 'TradesDataMart-Dev'
# I have several SQL Server instances registered on my SQL Clone Server - I want to deliver
# a copy to each of them: only the 'Dev' instances on workstation-class servers are selected
$Destinations = Get-SqlCloneSqlServerInstance |
    Where-Object -FilterScript { $_.Server -like '*WKS*' -and $_.Instance -eq 'Dev' }
# Invoke-Parallel is not a SQL Clone cmdlet; it is the community Invoke-Parallel function,
# assumed to be loaded beforehand. -ImportVariables makes $SourceDataImage and $CloneName
# visible inside each parallel runspace.
$Destinations | Invoke-Parallel -ImportVariables -ScriptBlock {
    $SourceDataImage | New-SqlClone -Name $CloneName -Location $_ | Wait-SqlCloneOperation
}
Impact of DevOps on Data Governance Programs
64% of respondents said
DevOps had a positive impact
on Data Governance
DevOps for the database helps compliance
• Monitoring - a key component for resilience
• Change control & testing - reliable, repeatable, consistent
• Provisioning and masking - compliant distribution of data
• Automation - a durable and consistent audit trail