Today’s WordPress environment generally results in numerous organisations managing either our data or the hardware and software that it relies upon.
Although we subcontract out parts of our WordPress infrastructure, we are still accountable for the data processed by our websites.
This talk takes a look at a typical WordPress setup and follows the journey that a user’s data might take, along with some potential threats at each point on that journey.
It looks at what we can do to minimise our exposure to the risks of outsourcing management of our infrastructure, the considerations we should make and the questions we should be asking of our hosts.
27th May 2018

Why me?
● Started in IT in 1977
● Managed computer operations and technical support for a large proportion of that time
Jurisdiction
● What legislative jurisdiction(s) apply?
● Where is/are the data centre(s) located?
● Who owns the infrastructure in the data centre?
● Who has control of who can access data?
● What is the policy and process if a government agency asks for access to data?
Adequacy
Countries recognised by the EU as providing adequate protection:
● Andorra
● Argentina
● Canada (commercial organisations)
● Faroe Islands
● Guernsey
● Israel
● Isle of Man
● Jersey
● New Zealand
● Switzerland
● Uruguay
● US (limited to the Privacy Shield framework)
Privacy Shield
● Replaced Safe Harbour in July 2016
● Allows companies to self-certify
● As of today, over 2,739 companies are certified by the U.S. Department of Commerce: https://www.privacyshield.gov/list
● On the commercial side, the WP29 called for details on the handling of HR data, automated decision-making and clarity on available recourse for data subjects.
● On the national security side, the WP29 “regrets” Presidential Policy Directive 28: surveillance activities need to safeguard personal information regardless of where the person resides, yet this remains subject to Presidential privilege.
● European officials are unhappy about US stalling on a promise not to force companies to hand over their data secretly to the intelligence services.
Hosting
● Are free SSL certificates provided (“Let’s Encrypt”)?
● SFTP and SSH access?
● What backup facilities are provided?
● Where are they stored?
● “... shall not be responsible nor be liable for any loss, damage, costs or expenses or other claims howsoever arising for compensation for any data, file or other material being damaged, corrupted, lost or otherwise affected.”
● WP-CLI?
● WordCamps are a great place to find out information!
Who Pulled the Plug?
https://mediatemple.net/community/products/dv/204404134/faq:-i-received-a-notice-that-my-dv-server-has-been-temporarily-disabled.

FAQ: I RECEIVED A NOTICE THAT MY DV SERVER HAS BEEN TEMPORARILY DISABLED
Greetings. If you are reading this, most likely you have received a notice regarding a spike in network activity on your (mt) Media Temple service. When network overuse is detected, our system will shut down your VPS (virtual private server) to curtail the overuse of resources.
Please note: We want your service to be back online and functioning in a healthy manner ASAP. In this brief article, we will cover important information to help you understand and resolve any outstanding issues.
Cloud Storage
● Where does encryption take place?
● At the server or at the origin?
● Who has access to encrypted data?
● What backup facilities are provided?
● Version recovery?
● Do they provide a DPA (data processing agreement)?
Market your plan
● Share your plan with your customers and visitors.
● Agree service levels.
● Use your plan and your ability to set SLAs as a selling tool.
Let’s recap
Jurisdiction
Access to your data?
Free SSL certificates
SFTP and SSH access
WP-CLI
Jurisdiction
Encryption
Version recovery
Plans
Backups
If you know where your backups are when all about you
Are losing theirs and blaming it on the host
If you can trust your recovery plan, when all doubt what to do
But make allowance for unexpected issues too
If you can be calm and communicate while recovering
Or being shouted at, have all the answers
Or being hassled, don't give way to panicking
And yet don't look too good, nor blame it on others:
If you can talk with support and keep your pride,
Or walk with techies - nor lose the common touch,
If neither data loss nor recovery format can hurt you,
If all customers count with you, but none too much;
If you can fill the unforgiving minute
With sixty seconds' worth of data recovered,
Yours is the Website and everything that's in it,
And - which is more - you'll still be in business, my son!
With apologies to Rudyard Kipling.
Image attributions:
- Leo Lintang
- ramcreative

Dave Potter
http://mainplus.co.uk
dave@mainplus.co.uk
@MainplusUK