The document discusses the impact of the coronavirus pandemic on data protection, privacy, and cybersecurity, highlighting the increase in cyber attacks due to the mass shift to remote work. Experts warn about the rise of phishing and email fraud, particularly targeting platforms like Microsoft Office 365 and Zoom, as cybercriminals exploit vulnerabilities in work-from-home scenarios. Recommendations for secure remote work practices, such as using strong passwords and multi-factor authentication, are also emphasized.

1. Data Protection &
Privacy During the
Coronavirus Pandemic
mashviral
Ulf Mattsson
www.TokenEx.com

2. Data Protection &
Privacy During the
Coronavirus Pandemic
mashviral
Please submit your questions
during our session!

3. 1. Head of Innovation at TokenEx
2. Chief Technology Officer at
• Protegrity
• Atlantic BT
• Compliance Engineering
3. Architect & Developer at IBM Research and Development
4. Inventor of more than 70 awarded US Patents
5. Products and Services
• Data Encryption, Tokenization, and Data Discovery,
• Security and Privacy Benchmarking/Gap-analysis for Financial Industry
• Managed Security Services, and Security Operation Centers
• Cloud Application Security Brokers, and Web Application Firewalls,
• Robotics and Applications in Manufacturing,
Ulf Mattsson
3

4. Data from different sources:
WHO, CDC, NHC, earlyAlert
and more
https://www.arcgis.com/apps/webappviewer3d/index.html?id=d9d3f8fa9a23425c8f0889baab626186

5. Global Risk Perception
Source:
ISSA

6. Source:
ISSA
Evolution
of Cyber
Attacks

7. Source:
The US FEDERAL TRADE
COMMISSION
(FTC) , 2019
Credit card fraud tops
the list of identity theft
reports in 2018
• FTC received nearly three
million complaints from
consumers in 2018
• The FTC received more than
167,000 reports from people
who said their information
was misused on an existing
account or to open a new
credit card account

8. Mass move to work from
home in coronavirus crisis
creates opening for hackers:
cyber experts
https://www.reuters.com/article/
us-health-coronavirus-cyber/
mass-move-to-work-from-home-
in-coronavirus-crisis-creates-opening-
for-hackers-cyber-experts-idUSKBN2153YC
Passwords
Masquerading
Update VPN

9. New Windows 10 bug hits home working: Outlook, Office 365,
Teams can't access internet
https://www.zdnet.com/article/new-windows-10-bug-hits-home-working-outlook-o365-teams-cant-access-internet/?ftag=TRE-03-
10aaa6b&bhid=29092732071845353741741261859287

10. FBI: Cybercrime Gang Mailing 'BadUSB' Devices to Targets
Malicious USB Devices Accompanied by Fake Gift Cards to Entice Would-Be Victims
https://www.databreachtoday.com/fbi-cybercrime-gang-mailing-badusb-devices-to-targets-a-14029?rf=2020-03-
31_ENEWS_SUB_DBT__Slot1_ART14029&mkt_tok=eyJpIjoiT1RBd1ltRXpaamsxTmpFMCIsInQiOiJQYnh5YWtpVVZqNThvb0RldkszS1F6dFExUXBLS1wva1RmTmhrVkdhckIrSWdYV2dTeFVBNDZcL3FPTFBxM
El5NXRGZExmV29KaEJhbGsyMFJDXC8ycDZlR3dOeHdpN1V6WjNEUlRkWmE3Y09NMXd6RXNPNGVaZkhtWDNaNmluVlN2NzlOVEJOQUZYWmFxaXdSMENJVkxcLzNBPT0ifQ%3D%3D

11. Email Fraudsters Take Advantage Of Coronavirus Opportunity
https://www.pymnts.com/news/b2b-payments/2020/email-fraud-coronavirus-data-digest/ , Mar 2020
Officials are warning of a rise in phishing attacks, while retailers have also been warned about fraud risks,
with Amazon recently removing 1 million products for allegedly making fraudulent claims, recent Forbes
reports said.
“Another side effect of the Coronavirus is increased teleworking, which furthers the reliance on email for
communication adding yet another multiplier to these email fraud schemes,” the U.S. Secret Service
Department of Homeland Security wrote in a warning published earlier this month.
$2.1 billion in losses were reported to the FBI as a result of hackers targeting Microsoft Office 365 and
Google G suite in a slew of business email compromise attacks, Bleeping Computer reported earlier this
month.
The attacks that target workforce platforms reflects fraudsters’ shift to cloud email services as businesses
themselves migrate away from on-premise email systems, the publication noted, with the FBI warning that
fraudsters are infiltrating these email portals to better mimic legitimate employees to conduct their scams.
Trust only original/known links/sources!

12. Coronavirus: Warning over surge in Zoom security incidents
Check Point researchers have observed a surge in suspicious Zoom domains as cyber criminals target
popular remote working and collaboration tools
https://www.computerweekly.com/news/252480806/Coronavirus-Warning-over-surge-in-Zoom-security-
incidents?asrc=EM_EDA_125549257&utm_medium=EM&utm_source=EDA&utm_campaign=20200331_Coronavirus:%20Warning%20over%20surge%20in%20Zoom%20s
ecurity%20incidents
70 have now been identified as fake sites, which are impersonating genuine Zoom domains with the intention of
capturing and stealing personal information.
The numbers reinforce a trend for cyber criminals to take advantage of home working via Zoom, which is used by
over 60% of the Fortune 500, and has been downloaded more than 50 million times from the Google Play app
store.
“We have seen a sharp rise in the number of Zoom domains being registered, especially in the last week,” said
Omer Dembinsky, manager of cyber research at Check Point.
“This increase means that hackers have taken notice of the work-from-home paradigm shift that Covid-19 has
forced, and are seeing it as an opportunity to deceive, lure and exploit people.
“Each time you get a Zoom link or document messaged or forwarded to you, we recommend double-
checking to make sure it’s not a trap.”

13. China Suspected In Surge Of US Cyberattacks
https://www.pymnts.com/news/security-and-risk/2020/china-suspected-in-surge-of-us-
cyberattacks/
Cyberspying
13

14. Working in a coronavirus world:
Strategies and tools for staying productive
https://www.zdnet.com/article/effective-strategies
-and-tools-for-remote-work-during-coronavirus//
We tend to prefer the choice that ticks all the technical boxes
and/or is the most trusted/cost-effective.
However, if you want your investment in remote work to pay
off, pay special attention to whether the average worker will
be easily able to use your solution, as tools for digital access
span the range of complexity and user experience.
Whenever possible, put a strong emphasis on tools that are
simple, straightforward, and "just work."
The risk in not doing so is that your support costs for remote
work will simply be higher, with less to show for it in terms of
preserving productivity, as workers spend more of their time
getting the solution to work.
14

15. Coronavirus: How one team switched 4,000 staff to remote
working in just a week
https://www.zdnet.com/article/coronavirus-how-one-team-switched-4000-staff-to-remote-working-in-just-a-week/
Delivering laptops
15
Example:
Separate laptops for
Work vs Private
(Working from home
for several years)

16. https://finance.yahoo.com/news/amid-coronavirus-
walmart-says-its-seeing-increased-sales-of-tops-but-
not-bottoms-202959379.html , The Independent
Amid coronavirus, Walmart says it's seeing increased sales of tops
— but not bottoms

17. Authentication and
Passwords
Business Data
VPN tunnel
performanceInternet access
Working in a coronavirus world:
Strategies and tools for
staying productive
https://www.zdnet.com/article/effective-strategies
-and-tools-for-remote-work-during-coronavirus//
Remote worker
Enterprise
1
7
2
3
Microsoft Teams,
Zoom
5
17
Tele-health 4
eLearning 6

18. Mobile and Desktop Operating Systems Market Share
18
Windows
•In April 2019, Windows had a desktop market share of 79.24%.
(Source: StatCounter)
•Windows 10 had a desktop/laptop market share of 39.22%. This established it as the most
popular operating system on the market.
(Source: The Inquirer)
•Windows 7 was used by 33.38%.
(Source: StatCounter)
•6.05% of users relied on Windows 8.1.
(Source: StatCounter)
•2.2% of people used Windows 8.
(Source: StatCounter)
•5.26% of Windows PCs still ran on Windows XP.
(Source: WIRED)
•Microsoft’s revenue for 2018 was $110.36 billion. That is a 14.28% increase since 2017.
(Source: Macrotrends)
•Microsoft’s revenue for Q1 of 2019 was $30.571 billion.
(Source: Macrotrends)
Mac
•OS X reached a 14.64% desktop market share during the period of April 2018 – April 2019.
(Source: StatCounter)
•MacOS reached 9.65% of the desktop/laptop OS market share in February 2019.
(Source: AppleWorld)
https://hostingtribunal.com/blog/operating-systems-market-share/#gref
Upgrade to
Windows 10 !
Keep Updated /
patch

19. Malwarebytes:
https://app.hushly.com/runtime/content/XLSqVyFETZ8kY0TX
*: https://www.csoonline.com/article/3353416/what-is-mimikatz-and-
how-to-defend-against-this-password-stealing-tool.html
1. Enable BitLocker. ...
2. Use a "local" login account. ...
3. Enable Controlled Folder Access. ...
4. Turn on Windows Hello. ...
5. Enable Windows Defender. ...
6. Don't use the admin account. ...
7. Keep Windows 10 updated automatically. ...
8. Backup.
Source: Forbes
How To Secure
Microsoft
Windows 10
There’s been an increasing move over the last two years
to organizations over consumers.
Overall consumer threat detections are down by 2
percent from 2018, but business detections increased by
13 percent in 2019. This resulted in a mere 1 percent
increase in threat volume year-over-year.
The sophistication of threat capabilities in 2019
increased, with many using exploits, credentialstealing
tools, and multi-stage attacks involving mass infections of
a target.
While seven of 10 top consumer threat categories
decreased in volume, HackTools—a threat category for
tools used to hack into systems and computers—
increased against consumers by 42 percent year-over-
year, bolstered by families such as MimiKatz*, which also
targeted businesses.
19

20. PC Backup
https://www.pcmag.com/news/the-beginners-guide-to-pc-backup
Example
20

21. The Best Password Managers for 2020
https://www.pcmag.com/picks/the-best-password-managers
Example
21

22. Example of Password Manager (Free Edition)
https://www.pcmag.com/picks/the-best-password-managers
22

23. Examples of Anti-virus
Software products
Enterprise AV Product Issues
(Source: Remtcs-secure):
1 2 3 4
No built in vulnerability scanner to detect CVEs (common vulnerability and exposures) on local hosts x x x
Cloud only deployment model x x
No domain reputation filtering x x
No built in searchable database of CVE with direct links to mitigation details x x
No built in sandboxing x x
The sandbox is cloud based and not local to the appliance. Malware must be sent over for analysis,
increasing discovery latency
x
No CSO (Chief Security Officer) level reporting x
High false positive rate x
Must have cloud connectivity to see advanced alerts x
No Active Directory Integration x
Only supports Firewall integration with one vendor x
Endpoint only. No visibility into network proliferation of files/malware x
Malware remediation requires separate software and licensing x
Cannot determine the entry point for malware x
Can block a file from executing, but does not remove the file x
No domain reputation filtering x
Threat intel and malware analysis not included by default x
No built in searchable database of CVE with direct links to mitigation details x
Complex and labor intensive management x
Product
19 Issues with 4 major AV products
23
PCI DSS - Requirement #5
Source: https://www.trustedantiviruscompare.com/best-antivirus-softwareBest Antivirus Software (2020):

24. Example
24
Windows Defender is
better than nothing,
but McAfee's premium
software is much more
comprehensive in
terms of advanced
features and utilities.
Also, independent
tests prove that
McAfee is better than
Windows Defender in
terms of both
malware detection
and system
performance.
Feb 19, 2020,
https://www.proficien
tblogging.com/windo
ws-defender-vs-
mcafee/

25. Wi-Fi Protected Setup
https://www.digitalcitizen.life/simple-questions-what-wps-wi-fi-protected-setup , https://en.wikipedia.org/wiki/Wi-
Fi_Protected_Setup
Here's how WPS connections can be performed:
1.First, press the WPS button on your router to turn on the discovery of new devices. Then, go to your device and select the
network you want to connect to. The device is automatically connected to the wireless network without entering the network
password.
2.You may have devices like wireless printers or range extenders with their own WPS button that you can use for making quick
connections. Connect them to your wireless network by pressing the WPS button on the router and then on those devices.
You don't have to input any data during this process. WPS automatically sends the network password, and these devices
remember it for future use. They will be able to connect to the same network in the future without you having to use the WPS
button again.
3.A third method involves the use of an eight-digit PIN. All routers with WPS enabled have a PIN code that's automatically
generated, and it cannot be changed by users. You can find this PIN on the WPS configuration page on your router. Some devices
without a WPS button but with WPS support will ask for that PIN. If you enter it, they authenticate themselves and
connect to the wireless network.
4.A fourth and last method also involves using an eight-digit PIN. Some devices without a WPS button but with WPS support
will generate a client PIN. You can then enter this PIN in your router's wireless configuration panels, and the router will use it to
add that device to the network.
25
Use strong router password: “uppercase and lowercase letters, numbers, and special characters.”

26. What Are WEP, WPA, and WPA2? Which Is Best?
https://www.lifewire.com/what-are-wep-wpa-and-wpa2-which-is-best-2377353
Example
26

27. VPN use surges as coronavirus outbreak prompts huge rise in remote
working
https://www.zdnet.com/article/vpn-use-surges-as-coronavirus-outbreak-prompts-huge-rise-in-remote-working/
The growth in employees forced to work from home due to the COVID-19 coronavirus outbreak has led to a huge
spike in people using business virtual private networks (VPN) to secure their remote working.
Figures released by VPN provider NordVPN revealed that global use of its virtual private network technology had
increased by 165% since 11 March. A business VPN allows users to securely connect to corporate networks to send
and receive files, data and applications from anywhere – which in many cases right now is going to be people's
homes.
The UK's National Cyber Security Centre (NCSC) has issued security advice on using VPN services and remote working
in order to help both organisations and employees stay safe from cyberattacks – especially as, for many, this is the
first time they'd had to work remotely.
That advice includes recommendations for staff to use strong passwords and to use multi-factor authentication, if
available, in order to reduce the chances of cyber criminals being able to compromise accounts.
European cybersecurity agency ENISA* has also set out similar recommendations for securely working from home.
*: https://www.enisa.europa.eu/tips-for-cybersecurity-when-working-from-home
27

28. Telemedicine is changing the way we see doctors
https://www.techrepublic.com/article/telemedicine-is-changing-the-way-we-see-doctors/?ftag=COS-05-
10aaa0g&taid=5e7f9ffeef5fb4000146a90e&utm_campaign=trueAnthem:+Twitter+Card&utm_medium=trueAnthemCard&utm_source=twitterCard
28
TechRepublic's Karen Roby, Macy Bayern, and Veronica Combs discussed the
changes in healthcare during the coronavirus pandemic. The following is an edited
transcript of their conversation.
Karen Roby: One of the things that's really emerging is telemedicine. Veronica, I
know you've put together some great articles here as far as what is available to
people, how people can still see and talk to their doctors when they're in need. Talk
a little bit about some of the resources that you've found and have been writing
about, and how that can really help people at this time?
Veronica Combs: I think people always consider the gold standard is a visit with
your doctor, like I'm looking at you, you're looking at me. You can tell my health. But
now, it's really flipped around that you don't really want to leave your house if you
don't want to, and doctors don't really want you breathing on them if you don't have
to. Some of the hospital and health systems on the coasts were faster to have
these telemedicine platforms.

29. •Ontario Telemedicine Network
•Remote therapy
•Ronald S. Weinstein
•Tele-epidemiology
•Teladoc
•Telecare
•Telemental health
•Teleneuropsychology
•Telenursing
•Telepathology
•Telepsychology
•UNESCO Chair in Telemedicine
•Telemedecine 360
Telehealth Resources
https://en.wikipedia.org/wiki/Telehealth
29
•Medicine portal
•Technology portal
•Telecommunication portal
•American Telemedicine Association
•American Well
•Center for Telehealth and E-Health Law
•Connected health
•eHealth
•In absentia health care
•MDLIVE
•Mercy Virtual
•mHealth
•National Rural Health Association

30. Can I still use Voice-controlled Devices?
30

31. The EU Agency for Cybersecurity's
guidance and
CERT-EU News Monitor
31

32. CERT-EU News Monitor - Latest Threats
https://cert.europa.eu/cert/filteredition/en/CERT-LatestNews.html
32

33. European Union Agency for Cybersecurity
https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity
ENISA
Centre of
Expertise
33

34. UK police criticized for using drones to publicly shame walkers in coronavirus lockdown
The UK is now following in the footsteps of Spain and Italy in drone usage.
https://www.zdnet.com/article/uk-police-use-drones-to-enforce-coronavirus-lockdown-shame-those-flouting-the-rules/?ftag=COS-05-
10aaa0g&taid=5e80aa005ef37700017855a2&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter

35. How smart city tech is being used to control the coronavirus outbreak
https://www.techrepublic.com/article/how-smart-city-tech-is-being-used-to-control-the-coronavirus-outbreak/?ftag=COS-05-
10aaa0g&taid=5e8256ee9a7fcd0001c497db&utm_campaign=trueAnthem:+Twitter+Card&utm_medium=trueAnthemCard&utm_source=twitterCard
In Singapore, the Government Technology Agency of Singapore launched TraceTogether on March 20 in
collaboration with the Ministry of Health.
• The TraceTogether app uses short-distance Bluetooth signals to connect one phone using the app with another
user who is close by.
• It stores detailed records on a user's phone for 21 days but does not include location data.
• Authorities have said they will decrypt the data if there is a public health risk related to an individual's
movements.
China used a similar method to track a person's health status and to control movement in cities with high numbers
of coronavirus cases.
• Individuals had to use the app and share their status to be able to access public transportation.
David Heyman, founder and CEO of Smart City Works said that the keys to addressing privacy concerns about high-
tech surveillance by the state is anonymizing the data and giving individuals as much control over their own data as
possible.
• "Personal details that may reveal your identity such as a user's name should not be collected or should be
encrypted with access to be granted for only specific health purposes, and data should be deleted after its
specific use is no longer needed," he said.

36. Increase in Privacy Rights And Regulations

37. Are the EU GDPR,
California CCPA or
US HIPAA rules changing?

38. In Times Of Pandemic, GDPR Still Applies, EU Warns
https://www.forbes.com/sites/emmawoollacott/2020/03/20/in-times-of-pandemic-gdpr-still-applies-eu-
warns/#744505616215
38
Ensure
protection
of personal
data

39. Source: IBM
Encryption and
TokenizationDiscover
Data Assets
Security
by Design
GDPR Framework core – Discovery, Encryption and Tokenization
39

40. 40
Source: BigID

41. Data sources
Data
Warehouse
In Italy
Complete policy-
enforced de-
identification of
sensitive data across
all bank entities
Example of Cross Border Data-centric Security
• Protecting Personally Identifiable Information
(PII), including names, addresses, phone, email,
policy and account numbers
• Compliance with EU Cross Border Data
Protection Laws
• Utilizing Data Tokenization, and centralized
policy, key management, auditing, and
reporting
41

42. https://www.bytebacklaw.com/2020/03/responding-to-ccpa-requests-during-the-coronavirus-pandemic/ 42

43. CCPA Redefines Personal Data
• According to “PI Vs PII: How CCPA Redefines What Is Personal Data” the CCPA
definition “creates the potential for extremely broad legal interpretation around
what constitutes personal information, holding that personal information is any
data that could be linked with a California individual or household.”
• CCPA states that ”Personal information” means information that identifies,
relates to, describes, is capable of being associated with, or could reasonably be
linked, directly or indirectly, with a particular consumer or household.“
• This goes well beyond data that is obviously associated with an identity, such
as name, birth date, or social security number, which is traditionally regarded as
PII.
• It’s ultimately this “indirect” information–such as product preference or
geolocation data that is material since it is much more difficult to identify it and
connect it with a person than well-structured personally identifiable information
43

44. HHS Issues Limited Waiver of HIPAA Sanctions Due to Coronavirus
https://healthitsecurity.com/news/hhs-issues-limited-waiver-of-hipaa-sanctions-due-to-coronavirus
44
Information
sharing
Information
sharing

45. PCI SSC is aware of the unprecedented situation caused by the spread of COVID-19
https://www.pcisecuritystandards.org/covid19?utm_content=123288427&utm_medium=social&utm_source=twitter&hss_channel=tw-20256309
45

46. eLearning – 2020 Workplace Learning
https://learning.linkedin.com/content/dam/me/learning/resources/pdfs/LinkedIn-Learning-2020-Workplace-Learning-Report.pdf
46
After years of being under-resourced, L&D
(Learning and development, in human resource
management) budgets are expected to continue
to grow—shifting from Instructor-Led Training
(ILT) to online learning—and executive buy-in
continues to build.
As we enter 2020, talent developers are focused
on finding innovative ways to drive engagement,
activate managers, and measure the business
impact of learning.
Simultaneously, they are looking ahead,
preparing for the upskilling and reskilling
revolution coming in the next 3-5 years, when
digital transformation and automation are
expected to have a greater impact on the
workforce globally.

47. eLearning – 2020 Workplace Learning
https://learning.linkedin.com/content/dam/me/learning/resources/pdfs/LinkedIn-Learning-2020-Workplace-Learning-Report.pdf
47

48. eLearning – 2020 Workplace Learning
https://learning.linkedin.com/content/dam/me/learning/resources/pdfs/LinkedIn-Learning-2020-Workplace-Learning-Report.pdf
48

49. A learning journey is a curated collection of learning content,
both formal and informal, that can be used to acquire skills for a specific role or technology area.
https://www.ibm.com/services/learning/journeys

50. Encryption and
Privacy Models
50

51. True Data Privacy requires All of these techniques for On-
prem, Hybrid and Cloud environments
51

52. • Privacy enhancing data de-identification terminology and classification of techniques
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Encrypted data
has the same
format
Server model Local model
Differential
Privacy (DP)
Formal privacy measurement models
(PMM)
De-identification techniques
(DT)
Cryptographic tools
(CT)
Format
Preserving
Encryption (FPE)
Homomorphic
Encryption
(HE)
Two values
encrypted can
be combined*
K-anonymity
model
Responses to queries
are only able to be
obtained through a
software component
or “middleware”,
known as the
“curator**
The entity
receiving the
data is looking
to reduce risk
Ensures that for
each identifier there
is a corresponding
equivalence class
containing at least K
records
*: Multi Party Computation (MPC)
**: Example Apple and Google
ISO Standard for Encryption and Privacy Models
52

53. Data
Warehouse
Centralized Distributed
On-
premises
Public
Cloud
Private
Cloud
Vault-based tokenization y y
Vault-less tokenization y y y y y y
Format preserving
encryption
y y y y y
Homomorphic encryption y y
Masking y y y y y y
Hashing y y y y y y
Server model y y y y y y
Local model y y y y y y
L-diversity y y y y y y
T-closeness y y y y y y
Formal
privacy
measurement
models
Differential
Privacy
K-anonymity
model
Privacy enhancing data de-identification
terminology and classification of techniques
De-
identification
techniques
Tokenization
Cryptographic
tools
Suppression
techniques
Example of mapping of data security and privacy techniques (ISO) to different
deployment models
53

54. Risk reduction and truthfulness of some de-identification techniques and
models
Singling out Linking Inference
Deterministic
encryption
Yes All attributes No Partially No
Order-preserving
encryption
Yes All attributes No Partially No
Homomorphic
encryption
Yes All attributes No No No
Masking Yes Local identifiers Yes Partially No
Local suppression Yes Identifying attributes Partially Partially Partially
Record suppression Yes
Sampling Yes N/A Partially Partially Partially
Pseudonymization Yes Direct identifiers No Partially No
Generalization Yes Identifying attributes
Rounding Yes Identifying attributes No Partially Partially
Top/bottom coding Yes Identifying attributes No Partially Partially
Noise addition No Identifying attributes Partially Partially Partially
Cryptographic tools
Suppression
Generalization
Technique name
Data
truthfulness at
record level
Applicable to types of
attributes
Reduces the risk of
Source: INTERNATIONAL STANDARD ISO/IEC 20889 54

55. Cloud

56. 56

57. Shared
responsibilities
across cloud
service models
Source:
Microsoft
Still Customer
Responsibility for:
• User security
• (App security)
• Data security
57

58. User
Payment
Applicatio
n
Payment
Network
Payment
Data
Tokenization
(VBT),
encryption
and keys
User CASB
User
Call
Center
Applicatio
n
Format Preserving Encryption (FPE)
PII
Data
Vault-based
tokenization (VBT)
Examples of Data Protection Use Cases
User Data
Warehous
e
PII Data
Vault-less tokenization (VLT)
Salesforce
58

59. On Premise tokenization
• Limited PCI DSS scope reduction - must
still maintain a CDE with PCI data
• Higher risk – sensitive data still resident
in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed
from the environment
• Platform-focused security
• Lower associated costs – cyber
insurance, PCI audit, maintenance
Total Cost and Risk of Tokenization in Cloud vs On-prem
Source: TokenEx 59

60. Risk and Operational Aspects with different Cloud Models
Risk
Elasticity
Out-sourcedIn-house
On-premises
system
On-premises Private
Cloud
Hosted Private Cloud
Public Cloud
Low -
High -
Compute Cost
- High
- Low
Risk Adjusted Computation
60

61. References:
1. Coronavirus disinformation unit, https://www.computerweekly.com/news/252479721/DCMS-to-oversee-coronavirus-disinformation-
unit
2. Here are 2,780+ free ebooks and 100 free audiobooks,
https://www.reddit.com/r/FreeEBOOKS/comments/fip0m1/here_are_2780_free_ebooks_and_100_free_audiobooks/?utm_medium
=social&utm_source=twitter&utm_content=reddit&utm_campaign=text
3. All the free online resources parents need in home 'schooling' during coronavirus outbreak , https://www.zdnet.com/article/all-the-
free-online-resources-parents-guardians-need-in-home-schooling/?ftag=COS-
0510aaa0g&taid=5e7e0e06ef5fb4000146a263&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&ut
m_source=twitter
4. California Consumer Privacy Act, OCT 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what-
you-need-to-know-to-be-compliant.html
5. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx
6. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf
7. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
8. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM-
Z/03/2018/ibm-framework-gdpr
9. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI-
k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE
10. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/
ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE
11. ISO/TS 25237:2008(E), Health Informatics—Pseudonymization, https://www.sis.se/api/document/preview/911119/
12. NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT,
https://www.nist.gov/system/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf
13. NISTIR 8053, De-Identification of Personal Information, https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
14. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019,
https://mydigitalpublication.com/publication/?m=1336&i=639272&p=28 61

62. 2
2
THANK YOU
www.TokenEx.comUlf Mattsson