As the cyber threat landscape continues to evolve, organizations worldwide are increasing their spend on cybersecurity technology. Security is shifting from 3rd party security providers to native cloud security services. The challenge of securing enterprise data assets is increasing. What’s needed to control cyber risk and stay compliant in this evolving landscape?
We will discuss evolving industry standards, how to keep track of your data assets, protect your sensitive data and maintain compliance with new regulations.
3. 3
Ulf Mattsson
ULFMATTSSON.COM
• Previously Head of Innovation at TokenEx and Chief Technology Officer at Atlantic BT, Compliance Engineering, and Protegrity, and IT Architect at IBM
• Products and Services:
  • Data Encryption, Tokenization, Data Discovery, Cloud Application Security Brokers (CASB), Web Application Firewalls (WAF), Robotics, and Applications
  • Security Operation Center (SOC), Managed Security Services (MSSP), and Security Benchmarking/Gap-analysis for Financial Industry
• Inventor of more than 70 issued US Patents and developed Industry Standards with ANSI X9 and PCI SSC
Payment Card Industry (PCI) Security Standards Council (SSC):
1. Tokenization Task Force
2. Encryption Task Force
3. Point to Point Encryption Task Force
4. Risk Assessment SIG
5. eCommerce SIG
6. Cloud SIG
7. Virtualization SIG
8. Pre-Authorization SIG
9. Scoping SIG Working Group
6. 6
FBI says cybercrime reports quadrupled during COVID-19 pandemic
Source: https://www.zdnet.com/article/fbi-says-cybercrime-reports-quadrupled-during-covid-19-pandemic/
"Whereas they might typically receive 1,000 complaints a day through their internet portal, they're now receiving something like 3,000 - 4,000 complaints a day not all of those are COVID-related, but a good number of those are.
"There was this brief shining moment when we hoped that, you know, 'gosh cyber criminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly that has not been the case," Ugoretz said.
"They really run the gamut. Everything from setting up fraudulent internet domains [...], we've seen people set up fraudulent COVID charities, promise delivery of masks and other equipment, and then deliver fraudulent loans, extortion, etc.. So pretty much, sadly, anything you can think of. Cyber-criminals are quite creative," the FBI official said.
FOREIGN HACKERS HAVE TARGETED US-BASED COVID-19 RESEARCH
But in addition to regular cybercrime reports, Ugoretz said the bureau is also aware of attacks carried out by foreign countries, targeting the national healthcare sector and the US' COVID-19 research capabilities.
7. 7
Enterprises Losing Ground Against Cyber-attacks
• Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
• JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the largest banks
• Capital One data breach
• A hacker gained access to 100 million credit card applications and accounts
• Amazon Web Services (AWS) - cloud hosting company that Capital One was using; misconfiguration at the application layer of a Capital One firewall
• Equifax incident of 2017
• The FBI arrested a suspect in the case: A former engineer at Amazon Web Services (AWS)
• Facebook privacy breaches
• US Federal Trade Commission started an investigation
• Approved a settlement providing a fine of roughly $5 billion for the privacy breaches committed by Facebook
10. 10
Examples of Evolving Regulations & Industry Standards
[Diagram labels: Security; Compliance; Privacy; Controls; Regulations; Policies; Hybrid Cloud; DevOps, DataOps and DevSecOps; GDPR; CCPA; Data Security; PCI DSS v4; HIPAA; Identity Management; Application Security; Risk Management; Industry Standards; NIST, ISO, ANSI X9, FFIEC, COBIT; OWASP; W3C, SSI, Oasis; Data Privacy; Containers and Serverless; How, What and Why; Balance]
Please see the slide at the end for more information
11. 11
PCI DSS Compliance Issues with breached organizations and PCI DSS v4
Source: Verizon 2019 Payment Security Report
• PCI DSS Requirement 3 addresses protecting cardholder data.
• PCI DSS Requirement 10 addresses network security and access.
PCI DSS v4 adds a customized approach
• Meeting the security intent of PCI DSS by using security approaches that may be different from traditional PCI DSS requirements.
• Compensating controls will be removed
12. 12
https://iapp.org/media/pdf/resource_center/trustarc_survey_iapp.pdf
How many privacy laws are you complying with?
General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States.
13. 13
CCPA redefines “Personal information”
• CCPA states that “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
PwC, Micro Focus
17. 17
Knowing where sensitive information resides
www.protegrity.com
Knowing where sensitive information resides sets realistic expectations for managing the scope, cost and timeframe of data
projects, including security and regulatory compliance.
18. 18
Monitor and track sensitive data
www.protegrity.com
Classifiers are weighted, based on the probability of accuracy
22. 22
http://dataprotection.link/Zn1Uk#https://www.wsj.com/articles/coronavirus-paves-way-for-new-age-of-digital-surveillance-11586963028
American officials are drawing cellphone location data from mobile advertising firms to track the presence of crowds—but not individuals. Apple Inc. and Alphabet Inc.’s Google recently announced plans to launch a voluntary app that health officials can use to reverse-engineer sickened patients’ recent whereabouts—provided they agree to provide such information.
European nations monitor citizen movement by tapping telecommunications data that they say conceals individuals’ identities.
The extent of tracking hinges on a series of tough choices: Make it voluntary or mandatory? Collect personal or anonymized data? Disclose information publicly or privately?
In Western Australia, lawmakers approved a bill last month to install surveillance gadgets in people’s homes to monitor those placed under quarantine. Authorities in Hong Kong and India are using geofencing that draws virtual fences around quarantine zones. They monitor digital signals from smartphone or wristbands to deter rule breakers and nab offenders, who can be sent to jail. Japan’s most popular messaging app beams health-status questions to its users on behalf of the government.
23. 23
Credit card fraud tops the list of identity theft reports in 2018
Source: The US FEDERAL TRADE COMMISSION (FTC), 2019
• The US FEDERAL TRADE COMMISSION (FTC) received nearly three million complaints from consumers in 2018
• The FTC received more than 167,000 reports from people who said their information was misused on an existing account or to open a new credit card account
24. 24
Example of disk level encryption (Volume Encryption)
• Exposes all data on the disk volume
• Encrypts all data on the disk volume
25. 25
Example of file level encryption
• Exposes all data in the file at use
• Encrypts all data in the file at rest (and transit)
26. 26
Reduce risk by field level protection
Reduce risk by not exposing the full data value to applications and users that only need to operate on a limited representation of the data
[Figure labels: Example of what Role 2 can see; Example of the data values that are stored in the file at rest]
27. 27
Use-cases of some de-identification techniques
[Diagram labels: Shared responsibilities across cloud service models; Data Protection for Multi-cloud; Payment Application; Payment Network; Payment Data; Tokenization, encryption and keys; Gateway; Call Center Application; Format Preserving Encryption (FPE); PI* Data; Tokenization; Salesforce Analytics Application; Differential Privacy (DP), K-anonymity model; Dev/test Systems; Masking; Microsoft Election Guard development kit; Election Data; Voting Application; Homomorphic Encryption (HE); Data Warehouse; Vault-less tokenization (VLT)]
*: PI Data (Personal information) means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household according to CCPA
28. 28
Data protection techniques: Deployment on-premises, and clouds
Privacy enhancing data de-identification terminology and classification of techniques
Column labels: Data Warehouse; Centralized; Distributed; On-premises; Public Cloud; Private Cloud
Row group labels: De-identification techniques (Tokenization, Cryptographic tools, Suppression techniques); Formal privacy measurement models (Differential Privacy, K-anonymity model)
Vault-based tokenization: y y
Vault-less tokenization: y y y y y y
Format preserving encryption: y y y y y
Homomorphic encryption: y y
Masking: y y y y y y
Hashing: y y y y y y
Server model: y y y y y y
Local model: y y y y y y
L-diversity: y y y y y y
T-closeness: y y y y y y
29. 29
ISO Standard for Encryption and Privacy Models
• Privacy enhancing data de-identification terminology and classification of techniques
Source: INTERNATIONAL STANDARD ISO/IEC 20889
De-identification techniques (DT)
  • Cryptographic tools (CT)
    • Format Preserving Encryption (FPE): Encrypted data has the same format
    • Homomorphic Encryption (HE): Two values encrypted can be combined*
Formal privacy measurement models (PMM)
  • Differential Privacy (DP)
    • Server model: Responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator”**
    • Local model: The entity receiving the data is looking to reduce risk
  • K-anonymity model: Ensures that for each identifier there is a corresponding equivalence class containing at least K records
*: Multi Party Computation (MPC)
**: Example Apple and Google
30. 30
Use cases of some de-identification techniques and models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
31. 31
Examples of data de-identification
Source: INTERNATIONAL STANDARD ISO/IEC 20889, Privitar, Anonos

Source data:
Last name | Balance | Age | Gender
----------|---------|-----|-------
Folds | 93791 | 23 | m
… | … | … | …

Output data:
Technique | Field | Privacy Action (PA) | PA Config | Variant Twin Output
----------|-------|---------------------|-----------|--------------------
Pseudonymization | Gender | Pseudonymise | | AD-lks75HF9aLKSa
Generalization (Aggregation/Binning) | Age | Integer Range Bin | Step 10 + Pseud. | Age_KXYC
Generalization (Aggregation/Binning) | Age | Integer Range Bin | Custom Steps | 18-25
Generalization (Rounding) | Balance | Nearest Unit Value | Thousand | 94000

Generalization
Source data:
Patient | Age | Gender | Region | Disease
--------|-----|--------|--------|--------
173965429 | 57 | Female | Hamburg | Gastric ulcer

Output data:
Patient | Age | Gender | Region | Disease
--------|-----|--------|--------|--------
173965429 | >50 | Female | Germany | Gastric ulcer
33. 33
Privacy measurement models
Differential Privacy
Differential privacy is a model that provides mathematical guarantees that the probability distribution of the output of this analysis differs by a factor no greater than a specified parameter regardless of whether any data principal is included in the input dataset.
Source: INTERNATIONAL STANDARD ISO/IEC 20889
[Diagram labels: Input; Cleanser (Filter); Protected; Database; Curator* (Filter); Output]
*: Example: Apple
34. 34
Privacy measurement models
K-anonymity model
The k-anonymity model ensures that groups smaller than k individuals cannot be identified.
• Queries will return at least k number of records. K-anonymity is a formal privacy measurement model that ensures that for each identifier there is a corresponding equivalence class containing at least K records.
Source: INTERNATIONAL STANDARD ISO/IEC 20889
[Diagram labels: Clear text data; Cleanser Filter; Database; Anonymized text data]
Some of the de-identification techniques can be used either independently or in combination with each other to satisfy the K-anonymity model.
Suppression techniques, generalization techniques, and microaggregation* can be applied to different types of attributes in a dataset to achieve the desired results.
*: Microaggregation replaces all values of continuous attributes with their averages computed in a certain algorithmic way.
35. 35
Privacy measurement models
K-anonymity model
K-anonymity can thwart the ability to link field-structured databases
Given person-specific field-structured data, produce a release of the data with scientific guarantees that the individuals who are the subjects of the data cannot be reidentified while the data remain practically useful.
A release provides k-anonymity if the data for each person cannot be distinguished from at least k-1 individuals whose data also appears in the release
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Data should be protected
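Added example (not part of the original slides): a Python check of the k-anonymity property described on slides 34 and 35, using generalization as in the slide 31 patient example and record suppression for classes that remain smaller than k. The sample records, the region-to-country mapping, the age bands and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (not from the slides). The first row mirrors the
# generalization example on slide 31; "patient" is a direct identifier that
# would be tokenized separately and is not part of the k-anonymity check.
RECORDS = [
    {"patient": "173965429", "age": 57, "gender": "Female", "region": "Hamburg", "disease": "Gastric ulcer"},
    {"patient": "173965430", "age": 63, "gender": "Female", "region": "Berlin", "disease": "Asthma"},
    {"patient": "173965431", "age": 52, "gender": "Female", "region": "Munich", "disease": "Diabetes"},
    {"patient": "173965432", "age": 34, "gender": "Male", "region": "Hamburg", "disease": "Flu"},
    {"patient": "173965433", "age": 38, "gender": "Male", "region": "Berlin", "disease": "Asthma"},
    {"patient": "173965434", "age": 29, "gender": "Female", "region": "Lyon", "disease": "Flu"},
]

# Attributes that could be linked with outside data to re-identify a person.
QUASI_IDENTIFIERS = ("age", "gender", "region")

# Assumed generalization hierarchy for the region attribute.
REGION_TO_COUNTRY = {
    "Hamburg": "Germany", "Berlin": "Germany", "Munich": "Germany", "Lyon": "France",
}


def class_key(record, quasi_ids=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values that defines a record's equivalence class."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(class_key(r, quasi_ids) for r in records)


def k_of(records, quasi_ids=QUASI_IDENTIFIERS):
    """Largest k for which the release is k-anonymous: the smallest class size."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def generalize(record):
    """Generalization as on slide 31: exact age -> band, city -> country."""
    out = dict(record)
    out["age"] = ">50" if record["age"] > 50 else "<=50"
    out["region"] = REGION_TO_COUNTRY[record["region"]]
    return out


def release(records, k):
    """Generalize every record, then suppress records whose class is still < k.

    Returns (kept_records, number_of_suppressed_records).
    """
    generalized = [generalize(r) for r in records]
    classes = equivalence_classes(generalized)
    kept = [r for r in generalized if classes[class_key(r)] >= k]
    return kept, len(generalized) - len(kept)


if __name__ == "__main__":
    print("k before de-identification:", k_of(RECORDS))
    kept, suppressed = release(RECORDS, k=2)
    print("k after generalization + suppression:", k_of(kept))
    print("records suppressed:", suppressed)
    for row in kept:
        print(row)
```

Generalization alone leaves one record in a class of its own, so the release only reaches k = 2 after that record is suppressed; raising k trades more suppressed records for stronger protection.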
36. 36
Applicability of some de-identification techniques and models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
37. 37
Risk reduction and truthfulness of some de-identification techniques and models
Source: INTERNATIONAL STANDARD ISO/IEC 20889

Technique name | Use Case / User Story | Data protected in transit | Data protected in use | Data protected in storage | Data truthfulness at record level | Applicable to types of attributes | Reduces the risk of singling out | Reduces the risk of linking | Reduces the risk of inference
---|---|---|---|---|---|---|---|---|---
Tokenization | Protects the data flow from attacks | Yes | Yes | Yes | Yes | Direct identifiers | No | Partially | No
Deterministic encryption | Protects the data when not used in processing operations | Yes | No | Yes | Yes | All attributes | No | Partially | No
Order-preserving encryption | Protects the data from attacks | Partially | Partially | Partially | Yes | All attributes | No | Partially | No
Homomorphic encryption | Protects the data also when used in processing operations | Yes | Yes | Yes | Yes | All attributes | No | No | No
Masking | Protects the data in dev/test and analytical applications | Yes | Yes | Yes | Yes | Local identifiers | Yes | Partially | No
Local suppression | Protects the data in analytical applications | Yes | Yes | Yes | Yes | Identifying attributes | Partially | Partially | Partially
Record suppression | Removes the data from the data set | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Sampling | Exposes only a subset of the data for analytical applications | Partially | Partially | Partially | Yes | Yes | Partially | Partially | Partially
Generalization | Protects the data in dev/test and analytical applications | Yes | Yes | Yes | Yes | Identifying attributes | Partially | Partially | Partially
Rounding | Protects the data in dev/test and analytical applications | Yes | Yes | Yes | Yes | Identifying attributes | No | Partially | Partially
Top/bottom coding | Protects the data in dev/test and analytical applications | Yes | Yes | Yes | Yes | Identifying attributes | No | Partially | Partially
Noise addition | Protects the data in dev/test and analytical applications | Yes | Yes | Yes | No | Identifying attributes | Partially | Partially | Partially

Technique groups labelled on the slide: Pseudonymization (Tokenization); Cryptographic tools; Suppression; Generalization; Noise addition
39. 39
Homomorphic Encryption (HE)
Anonymous data processing with fully homomorphic encryption
www.ntt-review.jp
Anonymous data processing involves multiple users sending some sensitive data to a cloud server, where it is aggregated, stripped of identifying information, and analyzed, typically to extract some statistical information, which is then delivered to the final recipient.
• The security requirement is that the cloud server must learn nothing about the content of users’ data, and the recipient must obtain only the anonymized results of the statistical analysis and no information on individual users.
41. 41
Example of Cross Border Data-centric Security using Tokenization
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
[Diagram labels: Data sources; Data Warehouse; Complete policy-enforced de-identification of sensitive data across all bank entities; Data should be protected]
42. 42
How to protect different types of data with encryption and tokenization
[Diagram. Axes: Type of Data (Structured, Un-structured); Use Case (Simple, Complex). Labels: Payment Card Information; Card Holder Data; PHI; Protected Health Information; Personal Information (PI*) or Personally Identifiable Information (PII); Personally Identifiable Information; Encryption of Files; Tokenization of Fields]
*: California CCPA
43. 43
Risk, productivity and access to more data fields
[Chart. Axis labels: Access to Data Sources / Fields (Low, High); User Productivity; vertical scale (Low, High)]
45. 45
Use Case - Compliance with cross-border and other privacy restrictions
• 200 million users
• 160 countries
[Diagram labels: Local Data Security Gateways (DSG); Central Security Manager (ESA)]
46. 46
A Data Security Gateway (DSG) can turn sensitive data to Ciphertext or Tokens
DSG*
*: Example of supported protocols include HTTP, HTTPS, SFTP, SMTP and API utilizing web services or REST
47. 47
Implementation aspects – Policy management
The privacy policy should provide separation of duties between security administrators and database administrators.
The policy can define models, formats, and parameters for the privacy techniques that are used for different data objects.
“Protectors” can be implemented as agents in a framework PEP (Policy Enforcement Point)
• “Application Protectors” can be part of an API Economy / Ecosystem (Gartner)
• “MPP Protectors” run in a Massively Parallel Platforms (Datawarehouse)
• “Big Data Protectors” run in Hadoop
• “File Protectors” can be implemented as a gateway or on servers
• “Cloud Gateway” can be implemented as a CASB proxy that protects data before sending it to cloud
50. 50
What is Risk Adjusted Computing?
[Chart. Axis labels: Risk (Low, High); Elasticity; Computing Cost (High, Low); In-house, Out-sourced. Deployment options: On-premises; On-premises Private Cloud; Hosted Private Cloud; Public Cloud. Legend: Encryption/decryption Point; Protected data]
52. 52
A Cloud Security Gateway (CASB) can protect sensitive data in Cloud (SaaS)
• Example of supported protocols include HTTP, HTTPS, SFTP, and SMTP
• Based on configuration instead of programming
• Secures existing web services or REST API calls
• See and control where sensitive data travels
1. Install the Cloud Security Gateway in your trusted domain
2. Select the fields to be protected
3. Start using Salesforce with enhanced security
[Diagram labels: Policy Enforcement Point (PEP); Protected data fields]
53. 53
Security controls can be applied
On-premises or Cloud
• “Active Directory”
• WAF
• SIEM
• Firewall
• Encryption
• Tokenization
• Key Management
• AV – Anti Virus
• Network Sec
Public Cloud / Multi-cloud
55. 55
Amazon S3 client-side encryption
• Amazon S3 encryption and decryption takes place in the EMRFS client on your cluster.
• Objects are encrypted before being uploaded to Amazon S3 and decrypted after they are downloaded.
• The EMR (Elastic MapReduce) File System (EMRFS) is an implementation of HDFS that all Amazon EMR clusters use for reading and writing regular files from Amazon EMR directly to Amazon S3.
56. 56
• Amazon Virtual Private Cloud (Amazon VPC) lets you provision a
logically isolated section of the AWS Cloud where you can launch
AWS resources
• Your virtual networking environment allows selection of your
own IP address range, creation of subnets, and configuration
AWS encryption key management
57. 57
Protection of data in AWS S3 with Separation of Duties
• Applications can use de-identified data or data in the clear based on policies
• Protection of data in AWS S3 before landing in a S3 bucket
[Diagram labels: Protect data before landing; Enterprise Policies; Apps using de-identified data; Sensitive data streams; Enterprise on-prem; Data lifted to S3 is protected before use; S3; Policy Enforcement Point (PEP); Separation of Duties]
58. 58
Big Data Protection with Granular Field Level Protection for Google Cloud
Protection throughout the lifecycle of data in Hadoop
Big Data Protector tokenizes or encrypts sensitive data fields
Policies may be managed on-prem or Google Cloud Platform (GCP)
[Diagram labels: Enterprise Policies; Policy Enforcement Point (PEP); Protected data fields; Separation of Duties]
59. 59
References:
1. California Consumer Privacy Act, OCT 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
2. CIS Controls V7.1 Mapping to NIST CSF, https://dataprivacylab.org/projects/identifiability/paper1.pdf
3. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx
4. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf
5. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
6. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM-Z/03/2018/ibm-framework-gdpr
7. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI-k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE
8. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE
9. New Enterprise Application and Data Security Challenges and Solutions, https://www.brighttalk.com/webinar/new-enterprise-application-and-data-security-challenges-and-solutions/
10. Machine Learning and AI in a Brave New Cloud World, https://www.brighttalk.com/webcast/14723/357660/machine-learning-and-ai-in-a-brave-new-cloud-world
11. Emerging Data Privacy and Security for Cloud, https://www.brighttalk.com/webinar/emerging-data-privacy-and-security-for-cloud/
12. New Application and Data Protection Strategies, https://www.brighttalk.com/webinar/new-application-and-data-protection-strategies-2/
13. The Day When 3rd Party Security Providers Disappear into Cloud, https://www.brighttalk.com/webinar/the-day-when-3rd-party-security-providers-disappear-into-cloud/
14. Advanced PII/PI Data Discovery, https://www.brighttalk.com/webinar/advanced-pii-pi-data-discovery/
15. Emerging Application and Data Protection for Cloud, https://www.brighttalk.com/webinar/emerging-application-and-data-protection-for-cloud/
16. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019, ulf@ulfmattsson.com
17. Webinars and slides, www.ulfmattsson.com