 Hi there everybody, that's quite an introduction to Liverpool too, but what I'm going to do today is talk a bit about data security, but not in the traditional way. So I'll come to that a bit more in a minute, but it takes, it can take about five minutes to get a WordPress site up and running these days. Very simple, very quick, but it's easy when we're doing things out quickly to lose sight that we've got anywhere between one and thousands of users that are using that site that we've just created. And we have a responsibility to ensure that the data we capture within that site is looked after. GDPR has sort of brought that into legislation, but some of the things I'm going to talk about today, although GDPR implies some of it, it doesn't actually explicitly talk about it, but it's also stuff that we need to look after. So the way I'm going to do this, I'm going to follow how our data flows through the system from the point of the user onwards.

So, why me? Well, I've been in IT since 1977. During that time, I've done pretty much every role within IT, technical support, add them at the bottom, I'm now a project manager, I've done DBA work, development work, wherever, and just to put that date into perspective, that's six years before the internet, that's eight years before mobile phones, that's 11 years before laptops, that's 17 years before the web and 26 years before WordPress. In other words, I'm old. But it doesn't mean to say, I've seen a fair bit.

The things we need to think about, why shouldn't we really care about users' data? Well, it's the right thing to do, and now that's been put into legislation with GDPR, sort of bolsters that feeling up. It's important that we remember that we subcontract responsibility sometimes to third parties. We'll look at that in a minute. But when we do that, we're not subcontracting our accountability. We're still accountable for our websites. 
We need to ask questions of those people that we subcontracted to, to make sure that they are going to protect our users' data in the way we need them to and the way our customers would expect us to do on our own.

So, I'm not going to go into the GDPR side of things. Heather was on earlier before me. We've got this great new feature within WordPress as of the latest release, which gives us the privacy policy. It's absolutely brilliant. And there are loads of talks on WordPress TV from Heather all about GDPR. Pick one. Any one of them is great. And I'm not going to talk about the traditional stuff about security. It's these viruses, hacking, security plugins and all that sort of stuff. If you want to know about that, I really recommend you go to WordPress TV again and look at a talk from Tim Nash. He does a great talk on all of that stuff.

So, let's start our journey. First of all, we start with our users and their devices. We have no control over this at all. We have no way of knowing what the users will get up to and, believe me, they can get up to pretty much anything. So, we'll leave that bit alone because we can't control it.

First stop on our users' data, when we get our visitors coming into our website, is the data centre. Now, these days, data centres are either one of two things. They're either a very large data centre that's sitting as a cloud service, AKA Amazon, Microsoft. But it could be a bespoke data centre that's being used. People like Rackspace, UKFast, Telehouse or BladeRoom. The important thing about this is, or the important information we need to be conscious of is, where that data centre is, because where that data centre is is likely to impact what the legal jurisdiction is that governs that data centre. For instance, if that data centre is in the US and the people who own it are part of the Privacy Shield, more about that later, that's probably okay. 
However, if that data centre is somewhere in the Far East, then what level of security and privacy and care are they obliged to look to use for our data? The other thing is, who owns the infrastructure within that data centre? Because that again decides who may have access to that information. So for instance, if somebody in government nefariously decided that they wanted to collect data about voters who voted against them in a recent election, so that would take action against them in some way or target them in some way, would where the data centre infrastructure, who owns the data centre infrastructure, mean that that owner would have to give up that data to whoever it is asking for it. Now, it's not going to happen, right? It's very unlikely. Hold that thought.

When it comes to, I'll just mention Privacy Shield, but there's also something in EU legislation called adequacy. And the EU has listed a series of countries that are deemed to have privacy legislation that meets EU requirements. So there's the list as it stands at the moment. You'll notice that the US is in there, but it's limited to something called the Privacy Shield framework. I'll have a look at that in just a minute. What we'll see is that that means it's not the whole of the US, it's a subset thereof.

So Privacy Shield, who remembers something called Safe Harbour? Safe Harbour was an agreement that the EU had with the US, where the US says, yeah, Europe, we understand that you've got all these privacy requirements. We will actually set something up called Safe Harbour, which says we will adhere to your privacy level of legislation if we're going to do business with you guys. Well, basically the US trod all over it. The EU threw their toys out of the pram, says, Safe Harbour is a load of rubbish, guys, you promised me you'd do this, you haven't. So it's all over. You know, we're not going to allow data to be exported out to you anymore. So the US says, well, hold on, we'll get something in place. 
Let us carry on for a little bit with us while we get our house in order. And what came out of that was Privacy Shield.

Now, there's a few things to remember about Privacy Shield. A, it only applies to the US. B, it only applies to specific companies in the US that sign up to the Privacy Shield. And those companies self-certify themselves. Nobody comes along and says, right, give me your documentation, let's see whether you comply or not. Now, they basically add themselves to the list and say, yeah, we'll comply, but be fine. The only way that they will be reviewed is if somebody makes a complaint against them, or if something happens to actually bring them to the attention of the US government in terms of breaking the Privacy Shield requirements.

As of today, I believe this was, as of a few weeks ago, there was 2,739 companies certified by the US. It's the Department of Commerce within the US that looks after them. And you can go and look at those, that list of companies at any time, just by going to the Privacy Shield site and going to the list. They're easy to find.

It's not completely bought into by everybody in the EU. There's a group called the WP29 committee. It looks at this and they are not completely happy with the whole thing. They feel that the way the Privacy Shield requires people to look after particularly human resource data is too lax and needs beefing up. There will be ongoing discussions around this, but right now it's the best we've got in terms of dealing with companies in the US.

Just to put that in context, those of you that's got data sitting out there with Dropbox, with Mailchimp, with Microsoft, with Apple, so they fit into the Privacy Shield requirements. And you'll find that pretty much all in there. It's interesting to see who's in there. It's interesting to see who's not in there. If in doubt, check the list. 
This business about some political party wanting to find out about their voters and insisting that a data centre gives up the information, what happened? The US department told Facebook they wanted details of everybody one day. They told them they wanted full details of a Facebook site where the owners were putting out anti-Trump messages during the election. They felt that there might have been some election rigging going on in some way, shape or form. They weren't exactly clear about how that might have come about or whatever. And so if you can sort of see it, somebody's got a site that's basically trying to influence a voting or an election, it wasn't just the owners of that Facebook site that the Trump administration was demanding. It was everybody who liked that site. So if somebody might have posted up a humorous comment on that site and you found it funny and, ah, I like that, that might have been your details that Facebook was giving up as being connected with that website.

The next one I just want to talk about is that the Department of Justice says that it can demand every email from any US-based provider regardless of where the data centre is. It's a pertinent one for this meeting because it was all about information about a particular person that was of interest regarding drugs, and their data was sitting on the Microsoft Irish data centre. And the Department of Justice says, no, your HQ is in the US, therefore you'll fall under US legislation. Therefore we demand you give up that data. Microsoft fought against it. It went to court in 2014. The FBI used a law dating from 1986, the Stored Communications Act, to ask for the emails. Microsoft said no. But hundreds if not thousands of investigations in terrorism and child pornography will be hampered by the government's inability to obtain electronic evidence if you go down this route. Which means they basically sort of lost, Microsoft sort of lost. However, they didn't let it go. 
They are appealing and the Supreme Court issued a rixing kind of judicial review in October 2017 and the case will be heard again later this year or it shouldn't be heard again later this year. But you just have to show, right? You've got a company that's in the Privacy Shield. You've got a data centre that's sitting in Europe and you've got a political regime or a legislative organisation that's insisting that none of the EU legislation applies in this instance.

So this is why we need to be careful about where our data centres are, which jurisdiction they fall into and who owns that infrastructure within the data centre, because all of those things can cause our users' data to be insisted upon by somebody that you weren't expecting. It's not about whether it's right or not, it's about what our customers expect. It's the expectations we need to satisfy. So that's the data centre.

The next place on our journey is the host. Because generally what will happen is, if we come back at it from the other way, we will ask a host to host our website. The host will then have a data centre where they put the data. Once again, the location of that host and the jurisdiction it falls into is just as important as where the data centre is, because they have control over our data within that data centre. We generally don't have direct access into the data centre. We get through our host or our host systems one way, shape or another.

So, what is it we should be looking at when we look for a host? The things I look for are, do they provide SSL certificates, and are they free? I've recently moved from a website provider simply because they wanted a 60-pound certificate for an SSL certificate. It's ridiculous. These days, you've got an open source organisation called Let's Encrypt. They offer SSL certificates to anybody who wants them free of charge, or any hosting company free of charge, and lots of hosting companies will provide that on to their customers free of charge. 
There's no reason we should be paying for SSL certificates these days. Does everybody know what an SSL certificate is and what it does? Hands up if you don't. SSL certificate, when you go to a website, you see a little padlock that turns up and it starts HTTPS instead of HTTP. That means your data is encrypted over the network. To do that, you need a certificate to initiate that and that's what the SSL certificate is.

First, the host provides SFTP and SSH access. When we want to load up changes to our WordPress code, the way we want to do that is through the file transfer mechanism. SFTP is the secure version of a file transfer mechanism. SSH gives the same secure access to the command line within the operating system that's running our WordPress. Why on earth will we need access to the command line? Well, if we want to use this little guy down here, WP-CLI, the CLI stands for command line interface. So you need to be able to get to the command line in order to use WP-CLI. Why would you want to use WP-CLI? All sorts of things. One of the talks earlier on was talking about being able to disable plug-ins when you've got a white screen, if that's what's caused it. Do all sorts of things on a command line interface when your UI is completely dead in the water. Plus, it's a great way of automating stuff. You can run scripts from the command line interface, which means you can automate things. Brilliant. So do they give you SSH access into that?

What backup facilities are provided by the host? Do you want to use them? If you do, where are they stored? An interesting thing, I had a quick look at the terms and conditions of my hosting provider. When it came to backups, I found this little statement in the terms and conditions. Hosting provider shall not be responsible, nor liable for any loss or damage, cost or expenses or other claims howsoever arising for compensation for any data, file or other material being damaged, corrupted or otherwise affected. 
So how many of you have got your hosts doing your backup for you and storing your backups? Did you know there might be something in you? There's a condition that says that if we lose all your backup data, nothing to do with us, pal. Can't hold us responsible. Now, I'm not worried. I don't keep any of my backups with my host. Because if my host goes down, how do I get to my backups? What does that mean for me? If my host goes to another host, if again you look into the terms and conditions of this host, it talks about it being reasonable that they get 30 days to get your system back up and going in extreme cases. Am I willing to wait 30 days to get my websites back up and running? No, I'll go to another host even if it's only temporarily. I can't do that if I can't get to my backups to restore them somewhere else.

When I went looking for a new hosting company, the way I did it was I made a list of the questions I wanted to ask. I went to WordCamp London and there was a load of hosts there and I went round and asked them every question I wanted to ask. It was brilliant. By the end of the WordCamp, I not only found a host that I liked that gave me all the answers I wanted to the questions I was asking, but they helped me migrate my first three sites over to them before I left the conference. WordCamp is fantastic.

Yes? Are you going to tell us who that host is? Thank you? No, not in the room, be cool. 34SP. I use those guys anyway. That's why you didn't know what he said. No, I didn't know what he said. I'm sure, actually, if push came to shove, they wouldn't hang off that because they're such great guys.

I want to just give you a quick story. I'm going to speed this up a bit because I'm starting to get some rewind-type things. I found this little notice in a host. Now, if you sell, the story behind this was an illustration of something that happened to me. 
I was being, one of my sites being hosted by a friend who used a third party host for multiple hosting facilities, and that host decided there was unusual traffic coming from my website. So, they closed my website then because they didn't want to take up all their bandwidth, because, for a host, that's their most expensive commodity, the bandwidth. So, anybody who gets unusual traffic, they close them down until they figure out what's going on, and then they protect everybody else from that problem. The problem was, they didn't just shut my site down. They didn't just shut my account. The VM that I got all my sites on, was a whole server down. So, my friend that was hosting something like a dozen different clients on that server lost everybody on that server. And, it all turned out after a weekend of badgering, because they wouldn't give us, give him access to look at the logs to try and find out what was wrong, because the server was closed off to it, and they couldn't find out who had actually the unusual activity, or where the problem had been logged in their fault logging system, I actually found out that there wasn't any unusual activities at all. Somebody had just been a bit overzealous, pulled a plug on us, and it was out for a weekend.

The moral of this story is, it's not whether or not they pulled a plug on you, because they will. You're not going to get away from that. It's how they handle that. We were informed. The first thing we knew about it was that when I tried to get to my site, it wasn't there, I found out my friend says, where's my site gone? Then he phoned them up and said, oh yeah, we took it down three hours ago. So, they didn't tell us, they took the whole server out, they wouldn't let us look at the logs to fix it, so we didn't know what was going on, so we could fix that. It's not whether you have a problem, it's how they deal with the problem.

So, finally, the last step in our data journey is the cloud. Right. 
Hands up anybody in this room that doesn't use the cloud to hold data. Yeah, that's what I thought. So, once again, it's a bit like the hosting side of things, but there's a couple of extra things to think about here. When you use your cloud service to store your data, is it encrypted? If it is encrypted, is it just encrypted on their server or is it encrypted from your client? Right. Dropbox, I don't know whether they still do it or whether they've closed it off now, but certainly a year ago, it was encrypted on their server side, but everything went in plain from your client through to Dropbox. So, all that syncing that goes on in Dropbox, all done in the clear, over the network, and only gets encrypted when they get the other end. Oh, by the way, their staff at the other end have access to the encryption keys. So, if they're asked to give up data by their government, they can't say they can't do it because they have access to the encryption keys.

It's not true of all cloud services. There is a particular one called Tresorit, which is based out of Switzerland, that encrypts at the client end as well, and they basically just put their hands up. If anybody asks them for access to the data, don't ask us. If we haven't got the keys, we can't give it you. The problem is, if you go to a service like that, you're responsible for the encryption key. You lose that encryption key, you've lost all your data, because they don't know it. You're the only person who does.

What backup service is provided by your cloud storage provider? Dropbox? Well, it's in versioning. So, you go back a number of versions with Dropbox. Let's get one thing straight. That's not a backup. Right? Only gets you back a few versions. If you need to go back further, you've had it. The other thing is, that I had it just a few minutes ago, is that they provided a data protection agreement. 
Conversations I was having a couple of months ago, and looking at the forums with Dropbox, it will suggest that if you haven't got a business account with Dropbox, that doesn't include Plus. It doesn't include Standard. They will not give you a data processing agreement, which you need if you are storing data on their cloud services and the GDPR. Of course, the thing about a cloud is you're never quite sure where it is, where that data is.

On the backup side of things, some other questions to ask yourself is, what format are your backups in? Is it standard, like rsync, zip, SQL, or is it in a proprietary format? If it's in a proprietary format, if your host or your backup software has a problem, goes south, can you still get to your backups? Have you got some sort of software that I've given you to be able to get to it? If you've got to move your data somewhere else, does the receiving system support the format that you've got it in? Have you tested your backups? An old saying in IT is, if you've got a backup that's not tested, it isn't a backup. So, have you got somewhere you can test it? An old PC where you can put a local copy of WordPress, try restoring it to that virtual machine? There's lots of ways you can do it. Some hosts, like the one that I'm with, provides actually a staging area free of charge where you can actually do that sort of restore.

Almost finally, make a plan. So, if something does go wrong, make a plan of what you're going to do about it. When you make that plan, consider a number of things. Passwords. Right? Does whoever's going to restore your system, or you or somebody else, know the passwords? Emails. Will you lose your emails at the same time as you'll lose your WordPress site? Can you get messages out to your customers? Can they get messages to you? Is your domain name service with the host that's just gone bang? Which means you're going to have all sorts of grief moving that service to somebody else. Like possible, which is a pain. 
Will you be available, or will you, as a WordPress person who earns an absolute fortune, be sitting on a beach in Mauritius for three weeks as part of your four holidays a year when it all goes bang and you can't get back or don't even know time? Have you got a communication plan? What happens to the data that's between you losing that system and your last backup? If you've got an e-commerce site and you're taking thousands of transactions a day or even a week, if it's been a week since you took your last backup, what are you going to do about those transactions you've just lost? What's your plan to keep your customers happy? You can't plan for every event, so you need some sort of backstop plan to deal with your unexpected.

But that's all heavy stuff and you know that's some dead time is it? It's not, because once you've got a plan you can market it. Share your plan with customers and visitors. If you've got a privacy policy you can stick it in there, you can tell everybody just how great you are looking after their data. It also means you can set service levels with customers and get them to pay a premium for those service levels because you're offering to me and peddwchers may not.

So just to recap, we've got three real places we should be looking at taking care of our customers' data. There's the data centre, and that's where we should be looking at where that is and what jurisdiction it comes into. The host: do they have access to your data, do they provide SSH, do they provide SFTP and SSH, do they provide WP-CLI, what jurisdiction do they fall under? And then your own data: have you got encryption sorted out, do you know what version recovery you've got and what restrictions are around that, and have you plans to sort it out?

Finally I'm going to read you a poem.

If you know whereabouts your backups are when all about you are losing theirs and blaming it on the host,
If you can trust your recovery plan when all that what to do, but make allowance for unexpected issues too,
If you can be calm 
and communicate while recovering or being shouted at, have all the answers or be hassled, don't give way to panicking, and yet don't look too good nor blame it on others,
If you can talk with support and keep your pride, or walk with techies and touch,
If neither data loss nor recovery format can hurt you, if all customers count with you but none too much,
If you can fill the unforgiving minute with 60 seconds' worth of data recovered,
Yours is the website and everything that's in it, and which is more, you'll still be in business, my son.

Apologies to Rudyard Kipling. So that's me. If it needs any one of those places I hope you enjoy it. Thank you.