The document provides an overview of enterprise data protection options and strategies. It discusses the changing threat landscape, including increasingly sophisticated attackers and the need for preventative controls. Regarding payment card industry data security standards (PCI DSS), it notes there are 12 rules and 4 approved ways to render credit card numbers unreadable. A case study is presented of a large retail chain that used tokenization to simplify PCI compliance, achieving benefits like faster audits, lower costs, and better security. Different data security methods like hashing, encryption, and tokenization are compared in terms of how they can be applied at the application, database, and storage levels. Best practices for tokenization and evaluating various approaches are also covered.
Securing data today and in the future - Oracle NYCUlf Mattsson
NYOUG - New York Oracle Users Group:
- Risks Associated with Cloud Computing
- Data Tokens in a Cloud Environment
- Data Tokenization at the Gateway Layer
- Data Tokenization at the Database Layer
- Risk Management and PCI
Data centric security key to digital business success - ulf mattsson - bright...Ulf Mattsson
With the exponential growth of data generation and collection stemming from new business models fueled by Big Data, cloud computing and the Internet of Things, we are potentially creating a cybercriminal's paradise where there are more opportunities than ever for that data to end up in the wrong hands. The biggest challenge in this interconnected world is merging data security with data value and productivity. If we are to realize the benefits promised by these new ways of doing business, we urgently need a data-centric strategy to protect the sensitive data flowing through these digital business systems. In this webinar, Ulf Mattsson explores these issues and provides solutions to bring together data insight and security to safely unlock the power of digital business.
A detailed analysis on the Security Standard goals and requirements. Examples of companies that failed to comply, with emphasis on which part of the security standards they violated and the fines that resulted as a result of their non-compliance.
Securing data today and in the future - Oracle NYCUlf Mattsson
NYOUG - New York Oracle Users Group:
- Risks Associated with Cloud Computing
- Data Tokens in a Cloud Environment
- Data Tokenization at the Gateway Layer
- Data Tokenization at the Database Layer
- Risk Management and PCI
Data centric security key to digital business success - ulf mattsson - bright...Ulf Mattsson
With the exponential growth of data generation and collection stemming from new business models fueled by Big Data, cloud computing and the Internet of Things, we are potentially creating a cybercriminal's paradise where there are more opportunities than ever for that data to end up in the wrong hands. The biggest challenge in this interconnected world is merging data security with data value and productivity. If we are to realize the benefits promised by these new ways of doing business, we urgently need a data-centric strategy to protect the sensitive data flowing through these digital business systems. In this webinar, Ulf Mattsson explores these issues and provides solutions to bring together data insight and security to safely unlock the power of digital business.
A detailed analysis on the Security Standard goals and requirements. Examples of companies that failed to comply, with emphasis on which part of the security standards they violated and the fines that resulted as a result of their non-compliance.
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
To ensure their compliance with the PCI Data Security Standard, many businesses have turned to SafeNet technology for a solution. To meet these demands, SafeNet offers a range
of products, proprietary and through partner alliance. SafeNet, a global leader in information security, provides the industry’s most comprehensive range of solutions to help companies achieve compliance with the PCI Data Security Standard. Through its own proven set of products, along with an extensive partner network, SafeNet can provide merchants with the assurance that sensitive and valuable cardholder information is protected from all types of threats, and that regulatory compliance is not only being met, but
exceeded.
Best Practices for PCI Scope Reduction - TokenEx & KyteTokenEx
Best practices for PCI Scope Reduction includes some common misconceptions, important definitions, and an overview of technologies such as tokenization and encryption to help reduce PCI DSS scope and achieve compliance.
PCI Descoping: How to Reduce Controls and Streamline ComplianceTokenEx
Descoping a data environment by decreasing the amount of PCI traversing it is one of the simplest and most effective ways of complying with the PCI DSS. By outsourcing the handling of sensitive payment information to security experts, organizations can reduce compliance and operational costs while minimizing the risk and liability associated with a potential data breach. Tokenization is especially effective at this due to its ability to remove sensitive data from an environment and store it in a secure, cloud-based token vault.
In this deck you will learn:
PCI controls for organizations that handle card information
Which controls can be removed from scope
How cloud-based tokenization outsources PCI compliance to a tokenization provider
Additional strategies and best practices for achieving PCI compliance
What is a secure enterprise architecture roadmap?Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Continuous PCI and GDPR Compliance With Data-Centric SecurityTokenEx
Continuous PCI and GDPR Compliance With Data-Centric Security describes how to develop a data security environment that is GDPR and/or PCI DSS compliant by utilizing tokenisation to pseudonymize sensitive data. Contact: Sales@tokenex.com
Compare Vaultless tokenization to other tokenization approaches
No data replication/collision issues – guaranties data integrity, no data corruption, allows parallel computing across many servers and location
High scalability and performance
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)TokenEx
Achieving and maintaining compliance with the PCI DSS (Payment Card Industry Data Security Standard) is a complex and painful process that can vary widely across different industries and businesses. PCI scope reduction can simplify and reduce the pain of compliance for many organizations.
Spirit of PCI DSS by Dr. Anton Chuvakin
PCI compliance is seen by many merchants as “a checklist exercise” which is disconnected from reducing their fraud costs, security risks and other losses. It is sometimes perceived as a painful exercise in futility, enforced by some “higher powers” who don’t care about merchants. This presentation will discuss how to bring back the real spirit of PCI DSS, the spirit of data security, risk reduction and trustworthy business transactions. It will discuss, in particular, how to use the controls of PCI DSS to protect your business from online threats and highly damaging hacker attacks. Moreover, focusing on the spirit of PCI DSS will help merchants to both simplify compliance and improve security, while protecting their customers and their sensitive data and keeping acquirers and brands happy.
SafeNet dramatically reduces the cost and complexity of PCI compliance with the most complete and easy to manage data protection solution. With SafeNet, merchants, banks, and payment processors can protect sensitive data at rest, in use and in transit to meet the most challenging PCI security requirements.
In this 45 minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
• Overview of changes and clarification
• Additional requirements for service providers
• Additional requirements for change control processes
• Multifactor authentication
• Penetration testing changes
• SSL/TLS changes and implications
• Timing of changes
Unlock the potential of data security 2020Ulf Mattsson
Explore challenges of managing and protecting data. We'll share best practices on establishing the right balance between privacy, security, and compliance
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an organization. Consequently, as organizations look to comply with security best practices and regulatory mandates, database encryption is becoming increasingly common—and critical. Today, security teams looking to employ database encryption can choose from several alternatives. This paper provides a high level comparison of two approaches: Microsoft’s native encryption capabilities for SQL Server and the SafeNet DataSecure platform.
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
To ensure their compliance with the PCI Data Security Standard, many businesses have turned to SafeNet technology for a solution. To meet these demands, SafeNet offers a range
of products, proprietary and through partner alliance. SafeNet, a global leader in information security, provides the industry’s most comprehensive range of solutions to help companies achieve compliance with the PCI Data Security Standard. Through its own proven set of products, along with an extensive partner network, SafeNet can provide merchants with the assurance that sensitive and valuable cardholder information is protected from all types of threats, and that regulatory compliance is not only being met, but
exceeded.
Best Practices for PCI Scope Reduction - TokenEx & KyteTokenEx
Best practices for PCI Scope Reduction includes some common misconceptions, important definitions, and an overview of technologies such as tokenization and encryption to help reduce PCI DSS scope and achieve compliance.
PCI Descoping: How to Reduce Controls and Streamline ComplianceTokenEx
Descoping a data environment by decreasing the amount of PCI traversing it is one of the simplest and most effective ways of complying with the PCI DSS. By outsourcing the handling of sensitive payment information to security experts, organizations can reduce compliance and operational costs while minimizing the risk and liability associated with a potential data breach. Tokenization is especially effective at this due to its ability to remove sensitive data from an environment and store it in a secure, cloud-based token vault.
In this deck you will learn:
PCI controls for organizations that handle card information
Which controls can be removed from scope
How cloud-based tokenization outsources PCI compliance to a tokenization provider
Additional strategies and best practices for achieving PCI compliance
What is a secure enterprise architecture roadmap?Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Continuous PCI and GDPR Compliance With Data-Centric SecurityTokenEx
Continuous PCI and GDPR Compliance With Data-Centric Security describes how to develop a data security environment that is GDPR and/or PCI DSS compliant by utilizing tokenisation to pseudonymize sensitive data. Contact: Sales@tokenex.com
Compare Vaultless tokenization to other tokenization approaches
No data replication/collision issues – guaranties data integrity, no data corruption, allows parallel computing across many servers and location
High scalability and performance
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)TokenEx
Achieving and maintaining compliance with the PCI DSS (Payment Card Industry Data Security Standard) is a complex and painful process that can vary widely across different industries and businesses. PCI scope reduction can simplify and reduce the pain of compliance for many organizations.
Spirit of PCI DSS by Dr. Anton Chuvakin
PCI compliance is seen by many merchants as “a checklist exercise” which is disconnected from reducing their fraud costs, security risks and other losses. It is sometimes perceived as a painful exercise in futility, enforced by some “higher powers” who don’t care about merchants. This presentation will discuss how to bring back the real spirit of PCI DSS, the spirit of data security, risk reduction and trustworthy business transactions. It will discuss, in particular, how to use the controls of PCI DSS to protect your business from online threats and highly damaging hacker attacks. Moreover, focusing on the spirit of PCI DSS will help merchants to both simplify compliance and improve security, while protecting their customers and their sensitive data and keeping acquirers and brands happy.
SafeNet dramatically reduces the cost and complexity of PCI compliance with the most complete and easy to manage data protection solution. With SafeNet, merchants, banks, and payment processors can protect sensitive data at rest, in use and in transit to meet the most challenging PCI security requirements.
In this 45 minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
• Overview of changes and clarification
• Additional requirements for service providers
• Additional requirements for change control processes
• Multifactor authentication
• Penetration testing changes
• SSL/TLS changes and implications
• Timing of changes
Unlock the potential of data security 2020Ulf Mattsson
Explore challenges of managing and protecting data. We'll share best practices on establishing the right balance between privacy, security, and compliance
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an organization. Consequently, as organizations look to comply with security best practices and regulatory mandates, database encryption is becoming increasingly common—and critical. Today, security teams looking to employ database encryption can choose from several alternatives. This paper provides a high level comparison of two approaches: Microsoft’s native encryption capabilities for SQL Server and the SafeNet DataSecure platform.
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUlf Mattsson
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
LEARNING OUTCOMES FROM PRESENTATION:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.
Data protection on premises, and in public and private cloudsUlf Mattsson
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Learn about the Identity and Data Protection solutions for enterprise security organizations can take a data-centric approach to their security posture.
Learn about the new trends in Data Masking, Tokenization and Encryption.
Learn about the guidance and standards from FFIEC, PCI DSS, ISO and NIST.
Learn about the new API Economy and eCommerce trends and how to control sensitive data — both on-premises, and in public and private clouds.
This session is for worldwide directors and managers in Fin services, healthcare, energy, government and more
How can i find my security blind spots in Oracle - nyoug - sep 2016Ulf Mattsson
We need to detect our increasing issue of data security blind spots. This includes Sensitive Data that was not found in our Data Discovery across databases and files in cloud and big data. We also need to detect failures of our deployed critical security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture and compliance to PCI DSS 3.2. This session will teach how to automatically detect and report on these data security blind spots.
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Ulf Mattsson
Myths & Realities of Data Security & Compliance - ISACA Atlanta - Ulf Mattsson Jul 22 2016.
Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this session, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.
The advent of Big Data has presented nee challenges in terms of Data Security. There is an increasing need of research
in technologies that can handle the vast volume of Data and make it secure efficiently. Current Technologies for securing data are
slow when applied to huge amounts of data. This paper discusses security aspect of Big Data.
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
Discover the latest in RegTech and stay up-to-date on compliance tools and best practices.
The move to digital has meant that many organizations have had to rethink legacy systems.
They need to put the customer first, focus on the Customer Experience and Digital Experience Platforms.
They also need to understand the latest in RegTech and solutions for hybrid cloud.
We will discuss Regtech for the financial industry and related technologies for compliance.
We will discuss new International Standards, tools and best practices for financial institutions including PCI v4, FFIEC, NACHA, NIST, GDPR and CCPA.
We will discuss related technologies for Data Security and Privacy, including data de-identification, encryption, tokenization and the new API Economy.
Practical advice for cloud data protection ulf mattsson - bright talk webin...Ulf Mattsson
The rapid rise of cloud data storage and applications has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
In this session Protegrity CTO and data security thought leader Ulf Mattsson will focus on practical advice on what to look for in cloud service providers and a review of the technologies and architectures available to protect sensitive data in the cloud, both on- and off-site. Through real life use cases, Ulf will discuss solutions to some of the most common issues of data governance, usability, compliance and security in the cloud environment.
Key Topics include:
What is “Cloud” computing?
Security issues in the Cloud
Cloud data security guidance
Cloud data security technologies and models
Cloud security in context to the enterprise
Learn how to get more out of your PCI investment with this presentation from SafeNet titled: "Life After Compliance". Derek Tumulak discusses current approaches to PCI DSS compliance, challenges to ensuring compliance, and how to achieve best practices while addressing compliance challenges.
Jun 29 new privacy technologies for unicode and international data standards ...Ulf Mattsson
Protecting the increasing use International Unicode characters is required by a growing number of Privacy Laws in many countries and general Privacy Concerns with private data. Current approaches to protect International Unicode characters will increase the size and change the data formats. This will break many applications and slow down business operations. The current approach is also randomly returning data in new and unexpected languages. New approach with significantly higher performance and a memory footprint can be customizable and fit on small IoT devices.
We will discuss new approaches to achieve portability, security, performance, small memory footprint and language preservation for privacy protecting of Unicode data. These new approaches provide granular protection for all Unicode languages and customizable alphabets and byte length preserving protection of privacy protected characters.
Old Approaches
Major Issues
Protecting the increasing use International Unicode characters is required by a growing number of Privacy Laws in many countries and general Privacy Concerns with private data.
Old approaches to protect International Unicode characters will typically increase the size and change the data formats.
This will break many applications and slow down business operations. This is an example of an old approach that is also randomly returning data in new and unexpected languages
Book about
Quantum Computing Blockchain Reversable Protection Privacy by Design, Applications and APIs Privacy, Risks, and Threats Machine Learning and Analytics Non-Reversable Protection International Unicode Secure Multi-party Computing Computing on Encrypted Data Internet of Things II. Data Confidentiality and Integrity Standards and Regulations IV. Applications VI. Summary Best Practices, Roadmap, and Vision Trends, Innovation, and Evolution Hybrid Cloud , CASB and SASE Appendix A B C D E I. Introduction and Vision Section Access Control Zero Trust Architecture Trusted Execution Environments III. Users and Authorization Governance, Guidance, and Frameworks V. Platforms Data User App Innovation 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Chapter Discovery and Search Glossary
qubit-conference-new-york-2021: https://nyc.qubitconference.com/
Cybersecurity: Get ready for the unpredictable
Create a sound cybersecurity strategy based on the right technology & budgetary insights, proven practices, and processes for SMEs.
This virtual event will equip CxOs and cybersecurity teams with the right intel to create a sound cybersecurity strategy based on the right technology & budgetary insights, proven practices, and processes specially tailored for SMEs.
Find out how to bring the smart design of cybersecurity architecture and processes, what to automate & how to properly set up internal and external ownership.
The proven cybersecurity strategy fit for your environment can go a long way. Know what to do in-house, what to outsource, set up your budgets right, and get help from the right cybersecurity specialists.
Secure analytics and machine learning in cloud use casesUlf Mattsson
Table of Contents:
Secure Analytics and Machine Learning in Cloud ......................................................................................... 2
Use case #1 in Financial Industry .............................................................................................................. 2
Data Flow .............................................................................................................................................. 2
The approach can be used for other Use-cases .................................................................................... 2
Homomorphic Encryption for Secure Machine Learning in Cloud ............................................................... 3
Evolving Homomorphic Encryption .......................................................................................................... 3
Performance Examples – HE, RSA and AES ........................................................................................... 3
Performance Examples – FHE, NTRU, ECC, RSA and AES ...................................................................... 3
Some popular HE schemes .................................................................................................................... 4
Examples of HE Libraries used by IBM, Duality, and Microsoft ............................................................ 4
Fast Homomorphic Encryption for Secure Analytics in Cloud ...................................................................... 4
Use case #2 in Health Care ........................................................................................................................ 5
Provable security for untrusted environments ..................................................................................... 5
Comparison to multiparty computation and trusted execution environments ................................... 5
Time and memory requirements of HE ................................................................................................ 5
Managing Data Security in Hybrid Cloud ...................................................................................................... 8
Data Security Policy and Zero Trust Architecture ..................................................................................... 8
The future of encryption will change in the Post-Quantum Era: .............................................................. 8
Managing Data Security in a Hybrid World ................................................................................................... 9
Evolving Privacy Regulations ....................................................................................................................... 10
New Ruling in GDPR under "Schrems II" ................................................................................................. 10
The new California Privacy Rights Act (CPRA)
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
We will discuss the Evolving International Privacy Regulations. Cross Border Data Transfer for GDPR under Schrems II is now ruled by an EU court that defined what is required. This ruling can be far reaching for many businesses.
Data encryption and tokenization for international unicodeUlf Mattsson
Unicode is an information technology standard for the consistent encoding, representation, and handling of text expressed in most of the world's writing systems. The standard is maintained by the Unicode Consortium, and as of March 2020, it has a total of 143,859 characters, with Unicode 13.0 (these characters consist of 143,696 graphic characters and 163 format characters) covering 154 modern and historic scripts, as well as multiple symbol sets and emoji. The character repertoire of the Unicode Standard is synchronized with ISO/IEC 10646, each being code-for-code identical with the other.
The Unicode Standard consists of a set of code charts for visual reference, an encoding method and set of standard character encodings, a set of reference data files, and a number of related items, such as character properties, rules for normalization, decomposition, collation, rendering, and bidirectional text display order (for the correct display of text containing both right-to-left scripts, such as Arabic and Hebrew, and left-to-right scripts). Unicode's success at unifying character sets has led to its widespread and predominant use in the internationalization and localization of computer software. The standard has been implemented in many recent technologies, including modern operating systems, XML, Java (and other programming languages), and the .NET Framework.
Unicode can be implemented by different character encodings. The Unicode standard defines Unicode Transformation Formats (UTF) UTF-8, UTF-16, and UTF-32, and several other encodings. The most commonly used encodings are UTF-8, UTF-16, and UCS-2 (a precursor of UTF-16 without full support for Unicode)
The future of data security and blockchainUlf Mattsson
Discussion of Post-Quantum Cryptography and other technologies:
Data Security Techniques
Secure Multi-Party Computation (SMPC)
Homomorphic encryption (HE)
Differential Privacy (DP) and K-Anonymity
Pseudonymization and Anonymization
Synthetic Data
Zero trust architecture (ZTA)
Zero-knowledge proofs (ZKP)
Private Set Intersection (PSI)
Trusted execution environments (TEE)
Post-Quantum Cryptography
Blockchain
Regulations and Standards in Data Privacy
GDPR and evolving international privacy regulationsUlf Mattsson
Convergence of data privacy principles, standards and regulations
General Data Protection Regulation (GDPR)
GDPR and California Consumer Privacy Act (CCPA)
What role does technologies play in compliance
Use Cases
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
A major challenge that many organizations faces, is how to address data privacy regulations such as CCPA, GDPR and other emerging regulations around the world, including data residency controls as well as enable data sharing in a secure and private fashion. We will present solutions that can reduce and remove the legal, risk and compliance processes normally associated with data sharing projects by allowing organizations to collaborate across divisions, with other organizations and across jurisdictions where data cannot be relocated or shared.
We will discuss secure multi-party computation where organizations want to securely share sensitive data without revealing their private inputs. We will review solutions that are driving faster time to insight by the use of different techniques for privacy-preserving computing including homomorphic encryption, k-anonymity and differential privacy. We will present best practices and how to control privacy and security throughout the data life cycle. We will also review industry standards, implementations, policy management and case studies for hybrid cloud and on-premises.
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
Digital Transformation and the opportunities to use data in Analytics and Machine Learning are growing exponentially, but so too are the business and financial risks in Data Privacy. The increasing number of privacy incidents and data breaches are destroying brands and customer trust, and we will discuss how business prioritization can be benefit from a finance-based data risk assessment (FinDRA).
More than 60 countries have introduced privacy laws and by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations. We will discuss use cases in financial services that are finding a balance between new technology impact, regulatory compliance, and commercial business opportunity. Several privacy-preserving and privacy-enhanced techniques can provide practical security for data in use and data sharing, but none universally cover all use cases. We will discuss what tools can we use mitigate business risks caused by security threats, data residency and privacy issues. We will discuss how technologies like pseudonymization, anonymization, tokenization, encryption, masking and privacy preservation in analytics and business intelligence are used in Analytics and Machine Learning.
Organizations are increasingly concerned about data security in processing personal information in external environments, such as the cloud; and information sharing. Data is spreading across hybrid IT infrastructure on-premises and multi-cloud services and we will discuss how to enforce consistent and holistic data security and privacy policies. Increasing numbers of data security, privacy and identity access management products are in use, but they do not integrate, do not share common policies, and we will discuss use cases in financial services of different techniques to protect and manage data security and privacy.
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
ISACA London Chapter webinar, Feb 16th 2021
Topic: “Protecting Data Privacy in Analytics and Machine Learning”
Abstract:
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there’s many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking opportunity of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals and they also store and search on encrypted medical data in cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
In the shadow of the global pandemic and the associated economic downturn, organizations are focused on cost optimization, which often leads to impulsive decisions to deprioritize compliance with all nonrevenue programs.
Regulators have evolved to adapt with the notable increase in data subject complaints and are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine while Equifax agreed to pay a minimum of $575 million for its breach. The US Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories sued over the company’s failure to take “reasonable steps” to secure its sensitive personal data.
Privacy and data protection are enforced by a growing number of regulations around the world and people are actively demanding privacy protection — and legislators are reacting. More than 60 countries have introduced privacy laws in response to citizens’ cry for transparency and control. By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today, according to Gartner. There is a convergence of data privacy principles, standards and regulations on a common set of fundamental principles.
The opportunities to use data are growing exponentially, but so too are the business and financial risks as the number of data protection and privacy regulations grows internationally.
Join this webinar to learn more about:
- Trends in modern privacy regulations
- The impact on organizations to protect and use sensitive data
- Data privacy principles
- The impact of General Data Protection Regulation (GDPR) and data transfer between US and EU
- The evolving CCPA, the new PCI DSS version 4 and new international data privacy laws or regulations
- Data privacy best practices, use cases and how to control sensitive personal data throughout the data life cycle
What is tokenization in blockchain - BCS LondonUlf Mattsson
BCS North London Branch in association with Central London Branch webinar (by GoToWebinar) Date: 2nd December 2020 Time: 18.00 to 19.30 Event title: Blockchain tokenization “What is tokenization in Blockchain?”
Agenda
Blockchain
What is Blockchain?
Use cases, trends and risks
Vendors and platforms
Data protection techniques and scalability
Tokenization
Digital business
Convert a digital value into a digital token
Local and central models
Cloud
Tokenization in Hybrid cloud
Protecting data privacy in analytics and machine learning - ISACAUlf Mattsson
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there’s many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking opportunity of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals and they also store and search on encrypted medical data in cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bUlf Mattsson
Blockchain
- What is Blockchain?
- Blockchain trends
Emerging data protection techniques
- Secure multiparty computation
- Trusted execution environments
- Use cases for analytics
- Industry Standards
Tokenization
- Convert a digital value into a digital token
- Tokenization local or in a centralized model
- Tokenization and scalability
Cloud
- Analytics in Hybrid cloud
Tokenization on Blockchain is a steady trend. It seems that everything is being tokenized on Blockchain from paintings, diamonds and company stocks to real estate. Thus, we took an asset, tokenized it and created its digital representation that lives on Blockchain. Blockchain guarantees that the ownership information is immutable.
Unfortunately, some problems need to be solved before we can successfully tokenize real-world assets on Blockchain. Main problem stems from the fact that so far, no country has a solid regulation for cryptocurrency. For example, what happens if a company that handles tokenization sells the property? They have no legal rights on the property and thus are not protected by the law. Another problem is that this system brings us back some sort of centralization. The whole idea of Blockchain and especially smart contracts is to create a trustless environment.
Tokenization is a method that converts a digital value into a digital token. Tokenization can be used as a method that converts rights to an asset into a digital token.
The tokenization system can be implemented local to the data that is tokenized or in a centralized model. We will discuss tokenization implementations that can provide scalability across hybrid cloud models. This session will position different data protection techniques, use cases for blockchain, and protecting blockchain.
Enterprise Data Protection - Understanding Your Options and Strategies
1. Enterprise Data Protection Understanding Your Options
and Strategies
Ulf Mattsson
CTO Protegrity
Ulf.mattsson AT protegrity.com
2. Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents – Encryption and Intrusion Prevention
Co-founder of Protegrity (Data Security)
Research member of the International Federation for
Information Processing (IFIP) WG 11.3 Data and Application
Security
Member of
PCI Security Standards Council (PCI SSC)
American National Standards Institute (ANSI) X9
Information Systems Audit and Control Association (ISACA)
Cloud Security Alliance (CSA)
Information Systems Security Association (ISSA)
02
5. Topics
Review the changing threat landscape
Present different options for data security for PCI DSS
Review a case study
Show how to protect the entire data flow
Discuss how to protect against advanced attacks
Show how to balance performance and security with different
approaches to tokenization and encryption
Review security enforcement at the application level,
database level, file level and storage level
05
6. The Changing Threat Landscape
Some issues have stayed constant:
Threat landscape continues to gain sophistication
Attackers will always be a step ahead of the defenders
We're fighting highly organized, well-funded crime syndicates and
nations
Move from detective to preventative controls needed:
Several layers of security to address more significant areas of risks
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
06
7. 2010 Data Breach Investigations Report
Six years, 900+ breaches, and over 900 million
compromised records
Over half of the breaches occurred outside of the U.S.
Online Data is Compromised Most Frequently:
%
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
07
8. Threat Action Categories
90 % of compromised records lost in highly sophisticated attacks
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
08
9. Payment Card Industry Data Security Standard
(PCI DSS)
The PCI Security Standards Council is an open global forum
American Express, Discover Financial Services, JCB
International, MasterCard Worldwide, and Visa Inc
The PCI standard consists of a set of 12 rules
Four ways to render the PAN (credit card number) unreadable
Two-way cryptography with associated key management processes
Truncation
One-way cryptographic hash functions
Index tokens and pads
Source: https://www.pcisecuritystandards.org/organization_info/index.php
09
10. PCI Encryption Rules
Attacker
SSL
Encrypted
Data
(PCI DSS)
Public
Network
Private Network
Application
Clear Text
Data
Clear Text Data
Database
Encrypted
Data
(PCI DSS)
OS File System
Storage
System
Data
At Rest
(PCI DSS)
Not Enough to Encrypt Pipes & Files
010
11. Protecting the Data Flow - Example
: Enforcement point
Unprotected sensitive information:
Protected sensitive information
011
12. Current, Planned Use of Enabling Technologies
Strong interest in database encryption, data masking, tokenization
Access controls
Database activity monitoring
Database encryption
Backup / Archive encryption
Data masking
18%
47%
30%
35%
21%
16%
10%
39% 4%
28%
Application-level encryption
Tokenization
91% 5%
1%
28% 7%
7%
22%
Evaluating
29% 7%
23%
Current Use
13%
Planned Use <12 Months
012
13. Data Security Today is a Catch-22
We need to protect both data and the business processes that rely
on that data
Enterprises are currently on their own in deciding how to apply
emerging technologies for PCI data protection
Data Tokenization - an evolving technology
How to reduce PCI audit scope and exposure to data
013
14. Hiding Data in Plain Sight – Data Tokenization
Data Entry
Y&SFD%))S(
400000 123456 7899
Tokenization
Server
Data Token
400000 222222 7899
Application
Databases
014
15. Retail Scenario with Tokenization
Authorization
Stores
Stores
Token
Servers
Aggregating
Hub for Store
Channel
Token
Servers
Settlement
Loss Prevention
Analysis - EDW
ERP
Settlement
: Integration point
015
16. Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
By segmenting cardholder data with tokenization, a regional
chain of 1,500 local convenience stores is reducing its PCI
audit from seven to three months
“ We planned on 30 days to tokenize our 30 million card
numbers. With Protegrity Tokenization, the whole process
took about 90 minutes”
016
17. Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
Qualified Security Assessors had no issues with the effective
segmentation provided by Tokenization
“With encryption, implementations can spawn dozens of
questions”
“There were no such challenges with tokenization”
017
18. Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
Faster PCI audit – half that time
Lower maintenance cost – don’t have to apply all 12
requirements of PCI DSS to every system
Better security – able to eliminate several business processes
such as generating daily reports for data requests and access
Strong performance – rapid processing rate for initial
tokenization, sub-second transaction SLA
018
19. Field Encryption & Tokenization – Data Formats
Intrusiveness
(to Applications and Databases)
Hashing Strong Encryption Alpha -
!@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
Standard
Encryption
!@#$%a^.,mhu7/////&*B()_+!@
aVdSaH 1F4hJ 1D3a
Numeric -
666666 777777 8888
Partial -
123456 777777 1234
Clear Text Data -
Tokenizing or
Formatted
Encryption
123456 123456 1234
Encoding
Data
I
I
Original
Longer
Length
019
20. Risk Management and PCI – Security Aspects
Different data security methods and algorithms
Policy enforcement implemented at different system layers
Data Security Method
Hashing
Formatted
Encryption
Strong
Encryption
Data
Tokenization
System Layer
Application
Database Column
Database File
Storage Device
Best
Worst
020
21. Risk Management and PCI – Security Aspects
Integration at different system layers
Different data security methods and algorithms
Data Security Method
Hashing
Formatted
Encryption
Strong
Encryption
Data
Tokenization
System Layer
Application
Database Column
Database File
Storage Device
: N/A
Best
Worst
021
22. A Distributed Tokenization Approach
Large companies may need to utilize the tokenization services
for locations throughout the world.
How do you deliver tokenization to many locations without the
impact of latency?
Customer
Application
Token
Server
Customer
Application
Customer
Application
Token
Token
Server
Server
Customer
Application
022
23. Distributed Approach to Generate Random Tokens
Random Static Lookup Tables
288910
288910
28891
088910
2
288910
1,000,000
max entries
288910
288910
28891
088910
2
288910
1,000,000
max entries
Application
Application
Application
Application
Multi-Use Tokens
Random Static Lookup Tables
Remains the same size no matter the
number of unique tokens
Example: 50 million = 2 million
tokens
Performance: 200,000 tokens per
second on a commodity standard
dual core machine
023
24. Evaluating Encryption & Tokenization Approaches
Evaluation Criteria
Area
Impact
Encryption
Database
File
Encryption
Database
Column
Encryption
Tokenization
Centralized
Tokenization
(old)
Distributed
Tokenization
(new)
Availability
Scalability
Latency
CPU Consumption
Data Flow
Protection
Compliance Scoping
Security
Key Management
Randomness
Separation of Duties
Best
Worst
024
25. Evaluating Field Encryption & Distributed Tokenization
Evaluation Criteria
Strong Field
Encryption
Formatted
Encryption
Distributed
Tokenization
Disconnected environments
Distributed environments
Performance impact when loading data
Transparent to applications
Expanded storage size
Transparent to databases schema
Long life-cycle data
Unix or Windows mixed with “big iron” (EBCDIC)
Easy re-keying of data in a data flow
High risk data
Security - compliance to PCI, NIST
Best
Worst
025
26. Best Practices for Tokenization
Token Generation
Token Types
Single Use Token
Algorithm and
Key Reversible
Known strong algorithm
Multi Use Token
-
Unique Sequence
Number
One way
Irreversible
Function
Hash
Secret per
transaction
Secret per
merchant
Randomly generated
value
Published July 14, 2010.
026
27. Comments on Visa’s Tokenization Best Practices
Visa recommendations should be simply to use a random number
If the output is not generated by a mathematical function applied
to the input, it cannot be reversed to regenerate the original PAN
data
The only way to discover PAN data from a real token is a (reverse)
lookup in the token server database
The odds are that if you are saddled with PCI-DSS responsibilities,
you will not write your own 'home-grown' token servers
027
28. What Makes a “Secure Tokenization” Algorithm?
Ask vendors what their token-generating algorithms are
Be sure to analyze anything other than strong random
number generators for security.
028
29. Strong Cryptography - PCI DSS Glossary
Cryptography based on industry-tested and accepted
algorithms, along with strong key lengths and proper
key-management practices
See NIST (National Institute of Standards and
Technology, US) Special Publications
029
30. NIST Proposed Encryption Modes
Appearance of a mode in this list does not constitute
endorsement or approval by NIST
1. FCEM Format Controlling Encryption Mode
U. Mattsson
2. FFX Format-preserving Feistel-based Encryption Mode
M. Bellare, P. Rogaway, T. Spies
3. …
http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html
030
31. Data Protection Challenges
Actual protection is not the challenge
Management of solutions
Key management
Security policy
Auditing, Monitoring and reporting
Minimizing impact on business operations
Transparency
Performance vs. security
Minimizing the cost implications
Maintaining compliance
Implementation Time
031
32. Best Practices - Data Security Management
File
System
Protector
Policy
Database
Protector
Audit
Log
Application
Protector
Enterprise
Data Security
Administrator
Secure
Archive
Tokenization
Server
: Enforcement point
032
33. Privacy - More lax in US than in the E.U.
European Union
United States
European Union Data Privacy Directive
95/46/EC - protection and movement of
personally identifiable information between E.U.
member countries and to outside
Rules are primarily state-by-state.
Firms are responsible for protecting PII data and
also for managing its transfer to others by
monitoring compliance of recipients
Once the data has been yielded to a
company, the company is largely free to
use it as it wishes, subject to local state
regulations.
Medical records are no different from other
E.U. citizen’s personal information because a
degree of data protection is already afforded.
Concern over medical records privacy
may increase with the push to reduce health
care costs through greater automation.
033
34. Questions?
Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.
034
35. In the Case Study, Tokenization was
yielding some benefits for the retailer:
Please select ALL relevant options from below:
Faster PCI audit
Effective segmentation of cardholder data environments
Lower maintenance cost
Better security
Strong performance
ALL is the correct answer
035
36. What Makes a “Secure Tokenization”
Algorithm according to Gartner
research?
Please select ONE option from below:
Hashing algorithms
Encryption algorithms
Random values
Howegrown algorithms
“Random values“ is the correct answer
036
37. The PCI standard consists of how many
rules?
Please select ONE option from below:
6
8
12
16
12 is the correct answer
037
38. The PCI standard allows how many
different ways to render the PAN
(Credit Card Number) unreadable?
Please select ONE option from below:
2
3
4
5
6
4 is the correct answer
038