Rootconf Hyderabad edition

On SRE, systems engineering and distributed systems

Tickets

Data Protection and Compliance - Architecting Privacy in Devops

Submitted by Ganessh Kumar R P (@ganesshkumar) on Thursday, 18 April 2019

Section: Full talk Technical level: Intermediate Session type: Lecture Status: Rejected

Abstract

Remember the incident(https://ia.acs.org.au/article/2019/millions-of-facebook-passwords-stored-in-plain-text.html), early this year, when millions of Facebook users were asked to reset their password as one of their systems was storing user passwords in plain text?

How do you formulate your process so that this does not happen in your company? At Microsoft, we have a unique way of handling customer data and information flow. In Microsoft Teams, we store a range of customer data ranging from healthcare to education - all of which have strict data compliance and regulatory requirements. And we have strict data handling policies so that even Microsoft employees don’t see your data.

This talk focuses on our experience in building a compliant storage layer to store the content of users and teams in Microsoft Teams.

Outline

  • Process - Compliance to Data Protection is part of our Engineering Process
    • Trust
    • Data handling
    • Customer Promises
    • Compliance
  • Microsoft Teams & Building Compliant New Services
  • Data Handling - Walk through how data regulation is baked into a feature
    • Data classification
    • Data deletion
      • Active deletion
      • Passive deletion
      • Retention hooks
    • Data Encryption
      • CosmosDB encryption
      • Bring your own key
  • Legal hold and eDiscovery
    • Change Feed
  • Engineering Systems - So that even employees in Microsoft can’t tamper with your data
    • KeyVault and it’s features
    • CredScan
    • Certificate Rotation
    • PAVC, Host IDS, AzureSecPack
  • Case Studies
    • GDRP
    • Go Local

Requirements

If you can bring your enthusiasm about privacy, security, and compliance, you will be able to appreciate the challenges and the solutions.

Speaker bio

I am Ganessh Kumar, Software Engineer at Microsoft India Development Centre, Bengaluru. I am working on a new service that acts as the Data Layer to enable services in Microsoft Teams to store their data in a secure and compliant way.

Over my 7 years of experience in Software Industry, I have worked on frontend, backend, mobile, and DevOps. I enjoy being a Full Stack Developer where I can understand the product end-to-end. As an end user, I value privacy a lot and at Microsoft, I enjoy the opportunity to work on a product that has a lot of emphasis on data security and compliance.

Before Microsoft, I have worked at Amazon and Mitter.io building some of the highly available mission-critical services.

Links

Slides

https://docs.google.com/presentation/d/1Q_egeMv7gpuoMFqKeOMC7T10FnwJkbYWHeHsvGT0E6Q/edit?usp=sharing

Preview video

https://youtu.be/OA4czk4XTL0

Comments

  •   Zainab Bawa (@zainabbawa) Reviewer 11 months ago

    Ganessh, thanks for the submission. We need to see draft slides and preview video by 30 April to complete evaluation of the proposal.

    •   Ganessh Kumar R P (@ganesshkumar) Proposer 11 months ago

      Hi @zainabbawa. I have added the slides. Will upload the video by tomorrow.

  •   Anwesha Sarkar (@anweshaalt) Reviewer 11 months ago

    Thank you for submission Ganesh. Submit your preview video it helps us to give your presentation a fair review and close the decision.

  •   Ganessh Kumar R P (@ganesshkumar) Proposer 11 months ago

    @anweshaalt @zainabbawa: I have attached the preview video as well.

  •   Zainab Bawa (@zainabbawa) Reviewer 9 months ago (edited 9 months ago)

    Thanks Ganessh, and apologies for the delay in getting back. Here are some comments from review:

    1. The proposal has to be turned around to explain what was the problem context at MS and why this is relevant for the Rootconf participants? Putting the spotlight on explaining what Microsoft does not provide a value add for participants because their problems may not be similar to your use case. Instead, you have to build a relationship with the audience by focussing on a problem which they can identify with or a problem which they may not have thought of, but will be relevant to think about and solve for in future.
    2. The slides at this point are fairly descriptive and abstract. There is no anchor weaving a story that is clear. You may want to rethink your slides by going back to looking at what is the thread that ties all of this information together, and the thread will be a problem that is generalizable across DevOps/Security, irrespective of the MS context.

    We’ll have more review and feedback for your proposal idea, and will look into it for consideration for Rootconf Pune/Hyderabad/Delhi editions.

Login with Twitter or Google to leave a comment