With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Join this webinar to learn more about:
- Data Protection solutions for the enterprise
- Trends in Data Masking, Tokenization and Encryption
- New Data Protection Standards from ISO and NIST
- The new API Economy and how to control access to sensitive data — both on-premises, and in public and private clouds
- The llatest developments in IAM technologies and authentication
2. 2
• Head of Innovation at TokenEx
• Chief Technology Officer at Protegrity
• Chief Technology Officer at Atlantic BT Security Solutions
• Chief Technology Officer at Compliance Engineering
• Developer at IBM Research and Development
• Inventor of 70+ issued US patents
• Providing products and services for Data Encryption and
Tokenization, Data Discovery, Cloud Application Security Broker,
Web Application Firewall, Managed Security Services and
Security Operation Center
Ulf Mattsson
3. 3
• Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent
cyber-attacks
• We simply cannot catch the bad guys until it is too late. This
picture is not improving
• Verizon reports concluded that less than 14% of breaches are
detected by internal monitoring tools
• JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the larges
banks
• Capital One data breach
• A hacker gained access to 100 million credit card applications
and accounts
• Amazon Web Services, the cloud hosting company that Capital
One was using
Enterprises Losing Ground Against Cyber-attacks
11. 11
• Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent
cyber-attacks
• We simply cannot catch the bad guys until it is too late. This
picture is not improving
• Verizon reports concluded that less than 14% of breaches are
detected by internal monitoring tools
• JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the larges
banks
• Capital One data breach
• A hacker gained access to 100 million credit card applications
and accounts
• Amazon Web Services, the cloud hosting company that Capital
One was using
Enterprises Losing Ground Against Cyber-attacks
34. 34
Source: Gartner
Coding security directly
into APIs has the following
disadvantages:
■ Violates separation of
duties.
■ Makes code more
complex and fragile.
■ Adds extra maintenance
burden.
■ Is unlikely to cover all
aspects that are required
in a full API security policy.
■ Not reusable.
■ Not visible to security
teams.
Security for Microservices
36. 36
Source: Gartner
Apply policies to APIs
(for example, using
an API gateway) but
avoid situations
where each API has
a unique security
policy
Instead, leverage a
reusable set of
policies that are
applied to APIs based
on their
categorization.
Abstract any specific
API characteristics
(such as URL path)
from the policies
themselves
Products Delivering API Security
38. 38
There methods to keep mobile data secure:
• Apps running natively on iOS or Android that collect payment data can use any of the standard RSA encryption libraries to locally encrypt sensitive data on the device and
then subsequently tokenize the encrypted value from the organization’s mobile application server.
• Developers can use a mobile SDK to tokenize within a native iOS or Android application. The mobile SDK can be configured to capture the CVV in addition to tokenizing
the PAN.
• A mobile device can use a WebView to display the (CVV) iFrame hosted on the organization’s web server.
Source: TokenEx
Data Security in Native and Mobile Applications
41. 41
Cloud Access Security
Broker
(CASB)
Administrator
Data Security for including encryption, tokenization or
masking of fields or files (at transit and rest)
Remote
User
Internal
User
Cloud
Encryption
Gateway
(CASB)
Secure
Cloud
Security Separation
Armor.com
42. 42
Privacy enhancing data de-identification terminology and
classification of techniques
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Encrypted data
has the same
format
Server model Local model
Differential
Privacy (DP)
Formal privacy measurement models
(PMM)
De-identification techniques
(DT)
Cryptographic tools
(CT)
Format
Preserving
Encryption (FPE)
Homomorphic
Encryption
(HE)
Two values
encrypted can
be combined*
K-anonymity
model
Responses to queries
are only able to be
obtained through a
software component
or “middleware”,
known as the
“curator**”
The entity
receiving the
data is looking
to reduce risk
Ensures that for
each identifier there
is a corresponding
equivalence class
containing at least K
records
*: Multi Party Computation (MPC)
**: Example Apple and Google
43. 43
Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Homomorphic Encryption (HE)
*: Multi Party Computation (MPC)
Oper
(Enc_D1,
Enc_D2)
HE
Dec
HE
Enc
HE
Enc
Clear
12
Protected Key
Clear
D2
Enc
D1
Enc
D2
“Untrusted
Party*”Clear
123
Format Preserving Encryption
(FPE)
FPE
Enc Clear
D1
FPE
Dec
Clear
123
Protected Keys
897
44. 44
Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Differential Privacy
(DP)
k-Anonymity
Model
__
__
__
*: Example Apple and Google
Clear
Protected
Curator*
Filter
Clear
Cleanser
Filter
Cleanser
Filter
Clear
__
__
__
Protected
DB DB
• Differential Privacy (Google, Apple) and k-Anonymity Model
45. 45
EU General Data Protection Regulation (GDPR)
• What is Personal Data according to GDPR?
Article 4 – Definitions
• (1) ‘personal data’ means any
information relating to an identified
or identifiable natural person
• (5) ‘pseudonymisation’ means the
processing personal data in such
a manner that the data can no
longer be attributed to a specific
data subject
46. 46
GDPR Fines
• When French regulators cited Europe's fledgling General Data Protection Act in fining
Google $57 million earlier this year for playing fast and loose with consumer data in
personalizing ads, experts called what was then the biggest fine issued under the new
law the "tip of the iceberg.“
• The U.K.'s Information Commissioner's Office (ICO) on July 8 cited GDPR in announcing
it would seek a $230 million fine against British Airways (equal to 1.5 percent of the
company's annual revenue) for a September 2018 breach in which attackers accessed
the protected data of nearly 500,000 customers through the airline's website and mobile
applications.
• The ICO alleged that ineffective security practices were to blame.
• ICO added Marriott to the list, saying it intends to seek nearly $124 million from
Marriott (or 3 percent of its annual revenue) for a breach that saw hackers maintain
access to the Starwood guest reservation database between 2014 and 2018,
compromising 383 million customer records.
Source: rsaconference.com
50. 50
Example of Cross Border Data-centric Security
Data sources
Data
Warehouse
In Italy
Complete policy-enforced de-
identification of sensitive data
across all bank entities
51. 51
What is the difference?
• Encryption - A data security measure using mathematic algorithms to generate rule-based values in place of original data
• Tokenization - A data security measure using mathematic algorithms to generate randomized values in place of original data
Encryption alone is not a full solution
• With encryption, sensitive data remains in business systems. With tokenization, sensitive data is removed completely from business systems and
securely vaulted.
Tokens are versatile
• Format-preserving tokens can be utilized where masked information is required
Encryption vs Tokenization
52. 52
Examples of Protected Data
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial Services
Dr. visits, prescriptions, hospital stays and
discharges, clinical, billing, etc.
Financial Services Consumer Products and
activities
Protection methods can be equally applied to
the actual data, but not needed with de-
identification
53. 53
Type of
Data
Use
Case
I
Structured
How Should I Secure Different Types of Data?
I
Un-structured
Simple –
Complex –
PCI
PHI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Protected
Health
Information
Personally Identifiable Information
54. 54
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a
CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the
environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit,
maintenance
Total Cost and Risk of Tokenization
Example: 50% Lower Total Cost
58. 58
#3 Self-Sovereign Identity (SSI)
YOU
CONNECTION
PEER
DISTRIBUTED LEDGER (BLOCKCHAIN)
Source: Sovrin.org
The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to
support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow
every public key to have its own address, which is called a decentralized identifier (DID).