jm + compliance (2)

Twitter thread regarding GDPR-compliance for append-only logs/event sourcing systems
Martin Kleppmann: "What’s current best practice for GDPR compliance (in particular, right to deletion) in systems with append-only logs/event sourcing/blockchains, which are supposed to keep history forever?"

Ben Kehoe: "Crypto delete. The immutable store keeps an encrypted copy, and the key is stored elsewhere. Forget me = throw away the key."

That seems to be the most practical suggestion in general in this thread.
twitter threads gdpr compliance law eu append-only logs blockchain event-sourcing architecture storage kafka kinesis
4 weeks ago by jm

The Target hack and PCI-DSS
Both Heartland Payment Systems and Hannaford Bros. were in fact certified PCI-compliant while the hackers were in their system. In August 2006, Wal-Mart was also certified PCI-compliant while unknown attackers were lurking on its network. [...] “This PCI standard just ain’t working,” says Litan, the Gartner analyst. “I wouldn’t say it’s completely pointless. Because you can’t say security is a bad thing. But they’re trying to patch a really weak [and] insecure payment system [with it].”

Basically, RAM scrapers have been in use in live attacks, sniffing credentials in the clear, since 2007. Ouch.
ram-scrapers trojans pins pci-dss compliance security gartner walmart target
January 2014 by jm