Ulf Mattsson presented on bridging the gap between privacy and big data. He discussed the evolution of data security methods from coarse-grained to fine-grained approaches like field encryption, masking, and tokenization. Mattsson also covered key drivers for data security like regulations, expanding threats, and enabling data insight while maintaining privacy. Examples of data de-identification methods like tokenization and encryption were provided to protect identifiable information.

1. Bridging the Gap Between Privacy and Big Data
Ulf Mattsson, CTO
Protegrity
ulf.mattsson AT protegrity.com

2. 20 years with IBM
• Research & Development & Global Services
Inventor
• Encryption, Tokenization & Intrusion Prevention
Involvement
Ulf Mattsson, CTO Protegrity
2
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• Encryption & Tokenization
• International Federation for Information Processing
• IFIP WG 11.3 Data and Application Security
• ISACA New York Metro chapter

3. 3

4. Agenda
1. What is Big Data & Cloud?
2. Risk & Drivers for Data Security
3. The Evolution of Data Security Methods
4. Data De-Identification
5. Off-Shoring & Outsourcing
6. Use Cases & Case Studies
4

5. Who is Protegrity?
Proven enterprise data protection software leader since the 90’s.
Business driven by compliance
• PCI (Payment Card Industry)
• PII (Personally Identifiable Information)
• PHI (Protected Health Information) – HIPAA
• State and Industry Privacy Laws• State and Industry Privacy Laws
Servicing many Industries
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment
• Manufacturing and Government

6. Big Data

7. Hadoop
• Designed to handle the emerging “4 V’s”
• Massively Parallel Processing (MPP)
• Elastic scale
• Usually Read-Only
• Allows for data insights on massive, heterogeneous
data sets
What is Big Data?
data sets
• Includes an ecosystem of components:
7
Hive
MapReduce
HDFS
Physical Storage
Pig Other
Application Layers
Storage Layers

8. Has Your Organization Already Invested in Big Data?
8
Source: Gartner

9. Cloud
9

10. Services usually provided by a third party
• Can be virtual, public, private, or hybrid
Increasing adoption – up 12% from 2012*
Often an outsourced solution, sometimes cross-border
Allows for greater accessibility of data and low overhead
Cloud Services
*Source: GigaOM

11. Cloud Services and Models
Source: NIST, CSA

12. Drivers for
Data Security
12
Data Security

13. Regulations & Laws
• Payment Card Industry Data Security Standard (PCI DSS)
• National Privacy Laws
• Cross-Border & Outsourcing Privacy Laws
Expanding Threat Landscape
• Hackers & APT
Drivers for Data Security
• Hackers & APT
• Internal Threats & Rogue Privileged Users
• Excessive Privilege or Security Negligence
Sensitive Data Insight & Usability
• Unprotected Sensitive or Restricted Data is Unusable for
Marketing, Monetization, Outsourcing, etc.
Vulnerabilities in Emerging Technologies
13

14. Regulations &
LawsLaws
PCI DSS
14

15. Founded in 2006, comprised of four major credit card
brands
Each card brand enforcement program issues fines,
fees and schedule deadlines
• Visa's Cardholder Information Security Program (CISP)
http://www.visa.com/cisp
PCI Data Security Standards Council
• MasterCard's Site Data Protection (SDP) program
http://www.mastercard.com/us/sdp/index.html
• Discover's Discover Information Security and Compliance
(DISC) program
http://www.discovernetwork.com/fraudsecurity/disc.html
• American Express Data Security Operating Policy (DSOP)
http://www.americanexpress.com/datasecurity
15

16. PCI DSS
Build and maintain a secure
network.
1. Install and maintain a firewall configuration to protect
data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Protect cardholder data. 3. Protect stored data
4. Encrypt transmission of cardholder data and
sensitive information across public networks
Maintain a vulnerability
management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applicationsapplications
Implement strong access
control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer
access
9. Restrict physical access to cardholder data
Regularly monitor and test
networks.
10. Track and monitor all access to network resources
and cardholder data
11. Regularly test security systems and processes
Maintain an information
security policy.
12. Maintain a policy that addresses information security
16

17. Protection of cardholder data in memory
Clarification of key management dual control and split
knowledge
Recommendations on making PCI DSS business-as-
usual and best practices
PCI DSS 3.0
Security policy and operational procedures added
Increased password strength
New requirements for point-of-sale terminal security
More robust requirements for penetration testing
17

18. Relevant to all sensitive data that is outsourced to cloud
1. Clients retain responsibility for the data they put in the cloud
2. Public-cloud providers often have multiple data centers, which may
often be in multiple countries or regions
3. The client may not know the location of their data, or the data may
PCI DSS Cloud Guidelines
3. The client may not know the location of their data, or the data may
exist in one or more of several locations at any particular time
4. A client may have little or no visibility into the controls
5. In a public-cloud environment, one client’s data is typically stored
with data belonging to multiple other clients. This makes a public
cloud an attractive target for attackers
18

19. Regulations &
LawsLaws
National Privacy Laws
19

20. National Privacy Laws - USA
1. Names
2. All geographical subdivisions
smaller than a State
3. All elements of dates (except
year) related to individual
4. Phone numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial
numbers
13. Device identifiers and serial
numbers
14. Web Universal Resource Locators
Heath Information Portability and Accountability Act – HIPAA
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary
numbers
10. Account numbers
20
14. Web Universal Resource Locators
(URLs)
15. Internet Protocol (IP) address
numbers
16. Biometric identifiers, including
finger prints
17. Full face photographic images
18. Any other unique identifying
number

21. Privacy Laws
54 International Privacy Laws
30 United States Privacy Laws
21

22. Information Technology Act – 2000 (IT Act)
• Requires that the corporate body and Data Processor
implement reasonable security practices and standards
• IS/ISO/IEC 27001 requirements recognized
Information Technology Act – 2008 (Amended IT Act)
• Damages for negligence and wrongful gain or loss
• Criminal punishment for disclosing Sensitive Personal
National Privacy Laws - India
• Criminal punishment for disclosing Sensitive Personal
Information (SPI)
India Privacy Law – 2011
• Expanded definition of SPI to passwords, financial data,
health data, medical treatment records, and more
Right to Privacy Bill – 2013 (Proposed)
• Increased jail terms & fines for disclosure of SPI
• Addresses data handled for foreign clients
22

23. Regulations &
Laws
Cross-Border &
Outsourcing Laws
23

24. The laws of the sending country apply to data sent
across international borders, including outsourced
operations
• i.e. National Privacy Laws
APEC Cross-Border Privacy Laws
• Non-binding privacy enforcement in Asia-Pacific region
Cross-Border & Outsourcing Laws
• Non-binding privacy enforcement in Asia-Pacific region
24

25. Expanding Threat
Landscape

26. 26

27. Cyber Criminals Cost India USD 4 Billion
27
Source: Symantec 2013

28. 28

29. 29
http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf

30. Sensitive Data
Insight &
30
Insight &
Usability

31. Vulnerabilities
in Emerging
31
in Emerging
Technologies

32. Holes in Big Data…
32
Source: Gartner

33. Many Ways to Hack Big Data
MapReduce
(Job Scheduling/Execution System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
Avro(Serialization)
Zookeeper(Coordination)
Hackers
Unvetted
Applications
Or
Ad Hoc
Processes
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
33
HDFS
(Hadoop Distributed File System)
Hbase (Column DB)
Avro(Serialization)
Zookeeper(Coordination)
Privileged
Users

34. The Insider Threat
34

35. Big Data and Cloud environments are designed for
access and deep insight into vast data pools
Data can monetized not only by marketing
analytics, but through sale or use by a third party
The more accessible and usable the data is, the
Sensitive Data Insight & Usability
The more accessible and usable the data is, the
greater this ROI benefit can be
Security concerns and regulations are often viewed
as opponents to data insight
35

36. Big Data (Hadoop) was designed for data access,
not security
Security in a read-only environment introduces new
challenges
Massive scalability and performance requirements
Big Data Vulnerabilities and Concerns
Sensitive data regulations create a barrier to
usability, as data cannot be stored or transferred in
the clear
Transparency and data insight are required for ROI
on Big Data
36

37. Public cloud security is often not visible to the client,
but client is still responsible for security
Greater access to shared data sets by more users
creates additional points of vulnerability
Data redundancy for high availability, often across
multiple data centers, increases vulnerability
Cloud Vulnerabilities and Concerns
multiple data centers, increases vulnerability
Virtualization can create numerous security issues
Transparency and data insight are required for ROI
37
How do you lock this?

38. Security Improving but We Are Losing Ground
38

39. Breach Discovery Methods
39
Verizon 2013 Data-breach-investigations-report

40. The Evolution of
Data SecurityData Security
Methods
40

41. Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
Evolution of Data Security Methods
Time
Fine Grained Security
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization
41

42. Use of Enabling Technologies
1%
18%
30%
21%
91%
47%
35%
39%
Access controls
Database activity monitoring
Database encryption
Backup / Archive encryption 21%
28%
7%
22%
39%
28%
29%
23%
Backup / Archive encryption
Data masking
Application-level encryption
Tokenization
Evaluating
42

43. Old and flawed:
Minimal access
levels so people
can only carry
Access Control
Risk
High –
can only carry
out their jobs
43
Access
Privilege
Level
I
High
I
Low
Low –
DC6

44. Slide 43
DC6 I have no idea what this graph is supposed to represent
Daniel Crum, 11/6/2013

45. Applying the protection profile to
the content of data fields allows
for a wider range of authorityfor a wider range of authority
options
44

46. Risk
High –
Old:
Minimal access
levels – Least
New:
Much greater
How the New Approach is Different
Access
Privilege
Level
I
High
I
Low
Low –
levels – Least
Privilege to avoid
high risks
Much greater
flexibility and
lower risk in data
accessibility
45

47. Reduction of Pain with New Protection Techniques
High
Pain
& TCO
Strong Encryption Output:
AES, 3DES
Format Preserving Encryption
DTP, FPE
Input Value: 3872 3789 1620 3675
!@#$%a^.,mhu7///&*B()_+!@
8278 2789 2990 2789
46
1970 2000 2005 2010
Low
Vault-based Tokenization
Vaultless Tokenization
8278 2789 2990 2789
Format Preserving
Greatly reduced Key
Management
No Vault
8278 2789 2990 2789

48. Fine Grained Security: Encryption of Fields
Production Systems
Encryption of fields
• Reversible
• Policy Control (authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@
47
Non-Production Systems

49. Fine Grained Security: Masking of Fields
Production Systems
48
Non-Production Systems
Masking of fields
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038

50. Fine Grained Security: Tokenization of Fields
Production Systems
Tokenization (Pseudonymization)
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
49
Non-Production Systems
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Not Reversible
• Integrates Transparently

51. Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
50
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY

52. Fine Grained Data Security Methods
Vault-based Tokenization Vaultless Tokenization
Footprint Large, Expanding. Small, Static.
High Availability,
Disaster Recovery
Complex, expensive
replication required.
No replication required.
Vault-based vs. Vaultless Tokenization
51
Distribution Practically impossible to
distribute geographically.
Easy to deploy at different
geographically distributed locations.
Reliability Prone to collisions. No collisions.
Performance,
Latency, and
Scalability
Will adversely impact
performance & scalability.
Little or no latency. Fastest industry
tokenization.

53. PCI DSS 3.0
• Split knowledge and dual control
PCI SSC Tokenization Task Force
• Tokenization and use of HSM
Card Brands – Visa, MC, AMEX …
The Future of Tokenization
• Tokens with control vectors
ANSI X9
• Tokenization and use of HSM
52

54. Security of Different Protection Methods
High
Security Level
I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Basic
Data
Tokenization
53
Low

55. 10 000 000 -
1 000 000 -
100 000 -
10 000 -
Transactions per second*
Speed of Different Protection Methods
10 000 -
1 000 -
100 -
I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Vault-based
Data
Tokenization
*: Speed will depend on the configuration
54

56. Risk Adjusted Data Protection
Data Security Methods Performance Storage Security Transparency
System without data protection
Monitoring + Blocking + Obfuscation
Data Type Preservation Encryption
Strong Encryption
There is always a trade-off between security and usability.
Strong Encryption
Vaultless Tokenization
Hashing
Anonymisation
BestWorst
55

57. Data
De-Identification
56
De-Identification

58. The solution to protecting Identifiable data is to properly de-
identify it.
Redact the information – remove it.
What is de-identification of identifiable data?
Personally Identifiable Information Health Information / Financial Information
Personally Identifiable Information Health Information / Financial Information
Redact the information – remove it.
The identifiable portion of the record is de-identified with any
number of protection methods such as masking, tokenization,
encryption, redacting (removed), etc.
The method used will depend on your use case and the
reason that you are de-identifying the data.
57

59. Identifiable Sensitive Information
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 937-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial
Services
Dr. visits, prescriptions, hospital stays
and discharges, clinical, billing, etc.
Financial Services Consumer Products
and activities
Protection methods can be equally
applied to the actual healthcare data, but
not needed with de-identification
58

60. De-Identified Sensitive Data
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial
Services
Dr. visits, prescriptions, hospital stays
and discharges, clinical, billing, etc.
Financial Services Consumer Products
and activities
Protection methods can be equally
applied to the actual data, but not
needed with de-identification
59

61. Use
Case
How Should I Secure Different Data?
Simple – PCI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Personally Identifiable Information
Type of
Data
I
Structured
I
Un-structured
Complex – PHI
Protected
Health
Information
60
Personally Identifiable Information

62. Research Brief
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise
use of tokenization for protecting sensitive data over
encryption
Nearly half of the respondents (47%) are currently
using tokenization for something other than cardholder
data
Over the last 12 months, tokenization users had 50%
fewer security-related incidents than tokenization non-
users
61 Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC

63. The business intelligence exposed through Vaultless
Tokenization can allow many users and processes to
perform job functions on protected data
Extreme flexibility in data de-identification can allow
responsible data monetization
Vaultless Tokenization & Data Insight
Data remains secure throughout data flows, and can
maintain a one-to-one relationship with the original
data for analytic processes
62

64. Use Cases for
Coarse & FineCoarse & Fine
Grained Security
63

65. Off-shoring &
OutsourcingOutsourcing

66. Business Process Outsourcing (BPO)
• Business Processes
• E.g. Loans, Mortgages, Call Centre, Claims Processing, ERP,
etc.
• Application Development
• Need to de-identify Data for Testing and Development
Off-Shoring
Privacy Impacts BPO & Offshore Business Solutions
• Same as Outsourcing, but data is sent for business functions
(like call center, etc.) off-shore.
Laws governing your ability to send real data to 3rd parties are
already restrictive, and becoming more so
Penalties for infringement are growing more severe
Risk of data breaches and data theft is increased
65

67. Major Bank in EU wants to centralise EDW
operations in a single country and therefore send
customer data from country A to country B. Privacy
Laws in country A prohibit this.
Private Bank in Europe wants to offshore Finance
Examples
Private Bank in Europe wants to offshore Finance
Operations. Privacy Law prohibits transfer of citizen
data to India.
Retail Bank in Scandinavia wants to offshore
Customer Services. Privacy law prevents transfer of
citizen data to the Far East.
66

68. Case Studies

69. Protegrity Use Case: UniCredit
CHALLENGES
The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers,
birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming
source data from various European banking entities, and existing data within those systems, which would be
consolidated at the Italian HQ.

70. Case Study - Large US Chain Store
Reduced cost
• 50 % shorter PCI audit
Quick deployment
• Minimal application changes
• 98 % application transparent
Top performanceTop performance
• Performance better than encryption
Stronger security
69

71. Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
• 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: 30 days with Basic to 90 minutes with
Vaultless Tokenization
• End-to-End Tokens: Started with the D/W and expanding to
stores
• Lower maintenance cost – don’t have to apply all 12 requirements
• Better security – able to eliminate several business and daily
reports
• Quick deployment
• Minimal application changes
• 98 % application transparent
70

72. Aadhaar/UID
Big DataBig Data
Use Case

74. Aadhaar Data Stores
Mongo cluster
(all enrolment records/documents
– demographics + photo)
Shard
1
Shard
4
Shard
5
Shard
2
Shard
3
Low latency indexed read (Documents per sec),
High latency random search (seconds per read)
Low latency indexed read (milli-
Solr cluster
(all enrolment records/documents
– selected demographics only)
Low latency indexed read (Documents per sec),
Low latency random search (Documents per sec)
Shard
0
Shard
2
Shard
6
Shard
9
Shard
a
Shard
d
Shard
f
MySQL
(all UID generated records - demographics only,
track & trace, enrolment status )
Low latency indexed read (milli-
seconds per read),
High latency random search (seconds
per read)
UID master
(sharded)
Enrolment
DB
HDFS
(all raw packets)
Data
Node 1
Data
Node 10
Data
Node ..
High read throughput (MB per sec),
High latency read (seconds per read)
Data
Node 20
HBase
(all enrolment
biometric templates)
Region
Ser. 1
Region
Ser. 10
Region
Ser. ..
High read throughput (MB per sec),
Low-to-Medium latency read (milli-seconds per read)Region
Ser. 20
NFS
(all archived raw packets)
Moderate read throughput,
High latency read (seconds per read)
LUN 1 LUN 2 LUN 3 LUN 4

75. Protegrity Summary
Proven enterprise data security
software and innovation leader
• Sole focus on the protection of
data
• Patented Technology,
Continuing to Drive Innovation
Cross-industry applicability
• Retail, Hospitality, Travel and
TransportationTransportation
• Financial Services, Insurance,
Banking
• Healthcare
• Telecommunications, Media and
Entertainment
• Manufacturing and Government
74

76. Please contact us for more information
Ulf.Mattsson@protegrity.com
Info@protegrity.com
Elaine.Evans@protegrity.com
www.protegrity.com