The document discusses introducing a new data security model using APIs and AI pattern recognition. It notes that data breaches cost enterprises millions of dollars and new regulations like GDPR and CCPA have increased data security urgency. The proposed model uses minimal human touch, APIs to access data, and AI to learn, detect, and flag abnormalities in data access patterns to better secure sensitive enterprise data.

1. Securing sensitive data
through APIs and AI pattern
recognition!
Sesh Raj, President DSAPPS INC!

3. • Introducing a new way to robustly secure sensitive enterprise data using
APIs and AI (artificial intelligence) pattern recognition methods. !
• Currently the cost of a data breach can cost an enterprise several millions of
dollars and in some cases could mean closure of business. !
• With new stringent regulations like GDPR in Europe and the California
Consumer Privacy Act enterprises face new urgencies on securing data. !
• Given that around 75% of attacks come from insider threats enterprises
require new models to ensure data security.!

4. Outline of talk
• Data security urgency
Ø Data breaches - a worldwide epidemic.!
Ø Look at the new data security and privacy regulations!
• Examine problem / Current solutions
Ø Understand what causes data breaches, review attack vectors!
Ø Current data security strategies!
• Introducing the Touchfree API/AI data security model
• Review API security challenges and solutions!
• Review AI technologies and applying these for data security!
• Implementing Touchfree API/AI distributed cloud service!
• Summary and Next steps

5. • Automate processes and workflows.!
• Manage tasks, events, milestones,
documents, issues, risks.!
• Collaborate with key resource teams,
vendors, partners, customers.!
• Knowledge management templates.!
• Risk Management Indicators!
• Rapid digital enterprise
transformation!
Solution 1!
Smart Enterprise Apps!
dsapps.com – Rapid digital enterprise transformation!

6. Claims and Disclosures
• Claims!
1. Presentation is vendor neutral. !
2. Primarily presented from a consultant’s viewpoint!
• Disclosures!
1. New potentially useful ideas presented and feedback
sought, ideas that may mature to become future startup
products.!

8. Source: Statista.com!
Data Breaches affect Millions of Records

9. IBM Security: Cost of a Data Breach
Average total cost of a data breach! USD 3.92 million !
Most expensive country! United States, USD 8.19 million!
Most expensive industry! Healthcare, USD 6.45 million!
Average size of a data breach! 25,575 records!
Average cost per lost or stolen record! $148!

10. IBM security study: !
Mega data breaches cost !
$40 million to $350 million!

11. Data breaches estimated to cost
over $2 Trillion Annually, by 2020!
!
https://en.wikipedia.org/wiki/List_of_data_breaches!

12. Data Breach/Data Privacy Penalties
• GDPR - European data protection regulation. !
• Fines up to 10 Million Euros or 2% of annual turnover, whichever higher.!
• CCPA - California Consumer Privacy Act (enforced 2020) !
• $100 to $750 fine for each California resident affected by a data breach.!
• Affects companies over $25 Million annual revenues or posses personal information of 50K
or more consumers/devices or over half of revenue from selling personal information!
• Implement new personal information acquisition and deletion processes!
https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act!

13. A business that collects a consumer's personal information must, at or
before the point of collection, inform the consumer as to the categories
of personal information to be collected and the purposes for which the
categories of personal information shall be used. A business must
disclose and deliver the personal information the business
collected about the consumer in response to a verifiable consumer
request.!
!
A business must delete the personal information the business
collected about a consumer and direct service providers to delete the
consumer's personal information in response to a verifiable consumer
request, subject to certain exceptions.!
CCPA - new process for private information

14. !
In addition, after satisfying certain procedural requirements, a
consumer can bring a civil action in an amount not less than $100
and not greater than $750 per consumer per incident or actual
damages, whichever is greater, regarding their nonencrypted or
nonredacted personal information that is subject to an
unauthorized access and exfiltration, theft, or disclosure as a
result of the business's violation of the duty to implement and
maintain reasonable security procedures and practices
appropriate to the nature of the information to protect the personal
information.!
CCPA – penalties, require encryption,
security procedures

15. What causes data breaches?
• Poor security processes that lead to attacks - such as storing
passwords in the clear, storing private data without adequate
encryption. !
• Insecure data processing and storage infrastructure. !
• Not following standards such as PCI, HIPAA etc. !
• Lack of training.!
• Insider threat - Malicious attacks, thefts, carelessness, mistakes etc.
by employees and temporary staff with access to key data resources.!

16. Insider threat and human error
accounts for near 75% of attacks!
https://securityintelligence.com/news/insider-threats-account-for-
nearly-75-percent-of-security-breach-incidents/!

18. Current Data Security Strategies
Zero-Trust model. Adding additional security layers to trust users and devices!
Governance. Manage systems and people. Establish business rules, approved code and API
libraries, guidelines for controlling systems across business units, departments, and geographies.!
Authentication methods. Solid passwords, 2FA, MFA, AMFA. Single sign-on and biometrics.!
Encryption at rest and in motion.!
Mobile Device Management (MDM) - Manage lost devices, control apps, commission/decommission!
Backup, archiving, and storage.!
AI and analytics to spot and address anomalies !
Right IT tools and solutions.!
Employee education and training.!

19. Introducing Touchfree Data Security Model
• Minimal human touch - leverages robotic process automation for
security management and maintenance!
• APIs only access - to write and read sensitive data!
• APIs secured via AI (Artificial Intelligence) - learns, detects and flags
abnormalities in data access (content, context, process, location etc.)!
• Hosted in encrypted, distributed cloud - no direct data access!
(patent pending)!

20. (Attack vectors reduced to one)!

21. API Security is key
!
According to Gartner, APIs will be the
most common attack vector by 2022!
https://www.securityweek.com/next-big-cyber-attack-vector-apis!
!

22. How do we ensure API security?!

23. The most common attack vectors can be broken down into three categories: !
!
Parameters !
Parameter attacks exploit the data sent into an API, including URL, query parameters, HTTP
headers, and/or post content. !
!
Identity !
Identity attacks exploit flaws in authentication, authorization, and session tracking. In
particular, many of these are the result of migrating bad practices from the web world into
API development. !
!
Man-in-the-Middle !
These attacks intercept legitimate transactions and exploit unsigned and/or unencrypted
data being sent between the client and the server. They can reveal confidential information
(such as personal data), alter a transaction in flight, or even replay legitimate transactions. !

24. Example - layered security model
https://www.forumsys.com/featured/four-pillars-of-api-security/!

25. OWASP API SECURITY TOP 10 (2019)
Security Issue Solution(s)
Broken Object Level Authorization! Verify user permissions/policies, don’t depend on IDs from clients!
Broken Authentication ! Strong passwords, keys, tokens, timestamps!
Excessive Data Exposure ! Don’t expose all data if not needed, to prevent traffic sniffing!
Lack of Resources & Rate Limiting ! Set resource limits and rules on clients!
Broken Function Level Authorization ! Check user authorization, endpoint access and user groups/roles!
Mass Assignment ! Avoid functions that bind a client’s input into code variables/objects. !
!
Security Misconfiguration ! Fix unpatched flaws, harden environment, review settings!
Injection! Validate, sanitize, filter client data. Parameterize interfaces. Limit records.!
Improper Assets Management ! Inventory all API hosts and document permissions!
Insufficient Logging & Monitoring! Log all failed attempts, denied access, validation errors. Use SIEM – security
information and event management to aggregate/manage logs!

26. Mistakes or malicious intent by an
authorized insider who meets all the
requirements under OWASP could pose an
insider threat – this leads us to explore use
of AI technologies, to flag such threats!

27. Using AI to spot and flag abnormality
Beyond API user identity we can track and analyze !
• DATA - what is being requested (type, volume)!
• TIME - when requested, !
• LOCATION - from where (network, IP address, geography)!
• DEVICE - via which device,!
• APPLICATION - via what application, !
• FREQUENCY - how often!
• HISTORY - since when!
• CONTEXT - for what purpose, what relationships!
BEHAVIOR – with reference to user role, permissions and business processes!

28. AI 101!

31. Labeling and flagging
sensitive data!
!
Data!
!
Labeled!
Training set!
Flag Private
information!
!
(example social
security number)!

32. https://www.datasciencecentral.com by
Vincent Granville!
Clustering is the problem of grouping
points by similarity using distance
metrics, which ideally reflect the
similarities you are looking for.!
!
K-Means Clustering !
Simple and elegant algorithm to partition
a dataset into K distinct, non-overlapping
clusters. !
!

33. Healthcare Example – !
protecting data access via k-means clustering!
Time of
access!
Location of
access!
Patient data!
!
Volume of
data!
Time of access!
Data!
type!
Data type!
Objective: Flag outliers!
noon! midnight!
Identify and optimize the position of the centroids in each cluster.!

34. Other unsupervised
learning techniques!
• KMeans + Autoencoder (a simple deep learning) - Autoencoders
are data compression algorithms that transform input data into
sparse and more efficient representations, speeding learning,
improving accuracy.!
• Deep embedded clustering algorithm (advanced deep learning) –
learns feature assignments and cluster assignments using deep
neural networks that outperform and are more robust.!

35. Deep Neural networks!
• Set of algorithms patterned after the
human brain designed to cluster and
classify data recognizing patterns
based on first learning labeled data.!
• Unsupervised deep learning uses very
little training data – detecting and
learning features from the data.!
Towardsdatascience.com!

36. Deep learning provides automatic discovery of
abnormal data access and patterns, without need for
programming or customization independent of data
structure, company, industry type etc.!

37. Deployment!
Firewall!
Touchfree.ai
!
API service managing private
information!
User/App!
Roles/Authorization management,
key management, token
management!
API!
Inside firewall!
Public/private cloud, !
Encrypted, distributed containers!
(no direct data access)!

38. touchfree.ai Rest API
Function Operation inputs outputs Keys, tokens, timestamps
store PI! POST! PI (json)! Success flag!
userauth, publickey for
encryption, PI token!
get PI! GET! -! PI (json)!
userauth, privatekey for
decryption, PI token!
update PI! UPDATE! Updated PI (json)! Success flag!
userauth, publickey for
encryption, PI token!
delete PI! DELETE! -! Success flag!
userauth, publickey to
writeover blank, PI token!
inform PI! NOTIFY! Admin/CSO emails!
PI abnormal status via AI
check!
!
-!
admin PI!
GET/POST/
UPDATE!
New admin
settings!
Current admin settings! userauth!

39. Summary!
• Currently enterprises are facing a growing epidemic of data breaches with severe
financial, business and regulatory costs.!
• Enterprises now face a deadline of January 1st, 2020 to comply to the requirements of
California’s Consumer Privacy Act to safeguard private information.!
• Insider threats from malware, mistakes, lack of training as well as malicious attacks
accounts to about 75% of data breach attacks!
• TOUCHFREE.AI hosted in encrypted, distributed cloud containers offers a new data
security model that replaces most insider threat attack vectors with an API interface
secured by an AI abnormality monitoring layer and meeting regulatory processes that
require that consumers have complete control over their private information!

40. Contact:Sesh Raj
seshraj1@dsapps.com!
!
For feedback and beta sign-up visit
touchfree.ai