Digital Finance Africa 2022 (https://itnewsafrica.com/event/), hosted by IT News Africa, is the definitive annual event on technology leadership in the financial services industry. It asks the hard questions not asked at other conferences, and identifies the skills required to steer a course in an age where the entire industry is transforming rapidly. This is a Summit for bold, visionary leaders who are willing to take calculated risks as much as they are willing to consolidate, who know what to give up as much as what they expect to gain.
2. Trust in a Digital World
• Agenda
1. Trust in a Digital World
2. Assessing your Adversary
3. Data-Centric Security
• Encryption
• Tokenisation
• Confidential Computing
4. Conclusion
3. Data is the digital version of what makes us human: all our families' health records, personal family incidents, where we holiday, what we eat and drink, our detailed financial records, subscriptions to what we read and consume, our political and religious affiliations, whom we associate with, and where we drive.
Organisations store our digital lives on-premises and in multiple locations, and are transforming and re-architecting for multi-cloud, multi-geography deployments that feed ongoing data-science-driven algorithms for both historical and real-time analytics and decision making.
How do we protect this data?
Data is shared and accessed both legally and illegally.
10. VIP Customers – data discovery example for one data subject (John Smith)
• Update the data subject record and all references to the PII found
• Files, transactions, database records, log files, etc.
• Data subject relationship(s) with the company
• PII shared with 3rd parties
Produce a master catalog, data lineage, and data flow: data location, quality, accuracy, duplicates, copies.
11. Data-Centric Security - Legacy Approach to Encryption Has Gaps
Layers of the traditional stack (left to right in the original diagram): data-at-rest encryption; column, table or file encryption; transport encryption (TLS); application access rules and firewalls; people, endpoints and DLP.
Traditional security is not end to end.
• Security gaps exist across data at rest, in motion, and in use – and they are regularly exploited*.
• 'Data at rest' is disk, file, or database encryption
• 'Data in motion' is Transport Layer Security (TLS)
• 'Data in use', and every hand-off where 'data at rest' is decrypted and re-encrypted to become 'data in motion', is NOT protected: at each decrypt / re-encrypt boundary the data exists in clear text, and the diagram marks each of these boundaries as a GAP. Anything that can read memory or act as the application at that point (a compromised service account, an injection bug, a privileged administrator) sees the live value, however strong the at-rest and TLS encryption are.
*https://www.verizon.com/business/resources/reports/dbir/
12. Data-Centric Security – Securing Data End to End
• Replace live data in apps, data stores and files
• Create shared or one-time data sets for analytics
• Classical encryption requires app & schema changes (ciphertext changes the length and character set of the field); format-preserving techniques do not
Available options: Stateless Tokenization, Advanced Format-Preserving Encryption, Format Preserving Hashing
13. Format Preserving Tokenisation (FPT)
Examples of data protection and access with FPT (three views of the same record):
Live data:
Name: John Smith
Address: 924 Eastland Street, Chicago, IL, 60007
RSAID: 8901275041086
Email: jsmith@corp.com
SUBID: N88880925
DOB: 27 – 01 - 1989
Live data converted to secured* form – data stays protected:
Name: Uhea Pmwun
Address: 580 Qeugbnjw Xowrt, Lwidlew, UP, 82423
RSAID: 89219835632937
Email: kowipy@glor.com
SUBID: N2783904
DOB: 15 – 15 - 1969
Dynamic access and masking, or partial access, for permitted users (here the RSAID keeps its tokenised prefix with the real last four digits restored, and the SUBID stays tokenised):
Name: John Smith
Address: 924 Eastland Street, Chicago, IL, 60007
RSAID: 2198356381086
Email: jsmith@corp.com
SUBID: N2783904
DOB: 27 – 01 - 1989
* Protected data can preserve referential integrity, or be fully randomised, be pre-padded to adjust length, or be prefixed or postfixed with metadata labels – flexible.
14. Confidential Computing
Threats to applications and data hosted in cloud infrastructure:
• Nation states – massive resources and time scales
• 'Regular' attackers – for profit, chaos & fun
• Insider threats – malicious insiders, application code bugs, mistakes, root/administrator access
• Subpoenas from governments
The Confidential Computing Consortium was created under The Linux Foundation. Its definitions:
• Trusted Execution Environment (TEE) – an isolated, hardware-based runtime environment that provides data confidentiality, data integrity and code integrity
• Enclave – the protected region within the TEE. The CPU blocks unauthorised software, including the host operating system, the hypervisor and the cloud provider's administrators, from reading or modifying the enclave's memory, application code, or data. Because the boundary is enforced by hardware rather than by the provider's software stack, the provider and its privileged insiders are removed from the trust base; the enclave does not by itself fix bugs in the code running inside it, nor side channels in the hardware.
Efforts are underway to virtualise the creation, management and portability of confidential computing workloads:
• Reduce the attack surface – isolated protection from vulnerabilities that exist outside of the hardened workloads
• Hardened security – access the latest hardware-based security in Intel, AMD & Arm CPUs
• Any application – scalable, flexible, and secure for any application ('lift & shift')
• Simple deployments – rapidly secure workloads
15. Conclusions
All the major cloud providers have developed confidential computing capabilities that provide:
• High-speed, hardware-based memory encryption built into the CPU
• Hardware-based roots of trust
• Hardware-enforced isolation of data and application code
• Key management
• As a new technology, there are challenges related to conflicting definitions and to who is responsible for making it a reality
• When/if 'privacy concerns' become a strong business driver, confidential computing may become an obvious choice
• Linux Foundation report: the confidential computing market is projected to reach $54 billion in 2026
https://www.zdnet.com/article/linux-foundation-confidential-computing-market-to-reach-54-billion-in-2026/
Source: IDC report 'Secure Innovation Requires Confidential Computing' – accessible from the link below:
https://info.anjuna.io/white-paper-secure-innovation-requires-confidential-computing-register.html
16. THANK YOU
1008 Saxby Ave, Eldoraigne, Centurion, Gauteng, 0157
info@solid8.co.za
PATRICK DEVINE
+27 (0)83 657 8778
SIMONE SANTANA
+27 (0)83 200 5009