SlideShare a Scribd company logo

Jul 16 isaca london data protection, security and privacy risks - on premise and cloud

Download as PPTX, PDF
Ulf Mattsson
Ulf Mattsson

Slides from my Jul 16 ISACA London webinar "Data Protection, Security and Privacy Risks - On Premise and Cloud"

Technology
1 of 62
1 datafloq Ulf Mattsson ulf@ulfmattsson.com Data Protection, Security and Privacy Risks – On-premise & Cloud
2 Payment Card Industry (PCI) Security Standards Council (SSC): 1. Tokenization Task Force 2. Encryption Task Force, Point to Point Encryption Task Force 3. Risk Assessment SIG 4. eCommerce SIG 5. Cloud SIG, Virtualization SIG 6. Pre-Authorization SIG, Scoping SIG Working Group • Previously Head of Innovation at TokenEx and Chief Technology Officer at Atlantic BT, Compliance Engineering, and Protegrity, and IT Architect at IBM Ulf Mattsson ULFMATTSSON.COM • Products and Services: • Data Encryption, Tokenization, Data Discovery, Cloud Application Security Brokers (CASB), Web Application Firewalls (WAF), Robotics, and Applications • Security Operation Center (SOC), Managed Security Services (MSSP), and Security Benchmarking/Gap-analysis for Financial Industry • Inventor of more than 70 issued US Patents and developed Industry Standards with ANSI X9 and PCI SSC Dec 2019 May 2020 May 2020 Dec 2019
3Verizon Data Breach Investigations Report (DBIR) 2020 Actors in breaches
4Verizon Data Breach Investigations Report (DBIR) 2020 Assets in breaches • On-premises assets are still 70% in our reported breaches dataset. • Cloud assets were involved in about 24% of breaches. • Email or web application server 73% of the time. Server
5Verizon Data Breach Investigations Report (DBIR) 2020 Action varieties in breaches
6 Security Compliance PrivacyControls Regulations Policies Hybrid Cloud DevOps. DataOps and DevSecOps GDPR CCPA Data Security PCI DSS v4 HIPAA Identity Management Application Security Risk Management Industry Standards Examples of Evolving Regulations & Industry Standards ISO/IEC, NIST, ANSI X9, FFIEC, COBIT, W3C, IETF, Oasis OWASP Data Privacy SSI Containers and Serverless How, What and Why Balance
7 Source: www.isaca.org Emerging Technologies that Increase Risk
8 Global Map Of Privacy Rights And Regulations
9https://iapp.org/media/pdf/resource_center/trustarc_survey_iapp.pdf How many privacy laws are you complying with? General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. California Consumer Privacy Act ( CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States.
10 TrustArc Legal and regulatory risks are exploding
11 Source: IBM Encryption and TokenizationDiscover Data Assets Security by Design GDPR Security Requirements – Encryption and Tokenization
12 Data flow mapping under GDPR • If there is not already a documented workflow in place in your organisation, it can be worthwhile for a team to be sent out to identify how the data is being gathered. • This will enable you to see how your data flow is different from reality and what needs to be done to amend this. If an organisation’s theory about how its data is flowing is different from the reality, you have a breach and could be fined. The organisation needs to look at how the data was captured, who is accountable for it, where it is located and who has access.
13 Source: BigID
14 See security improvement and track sensitive data www.protegrity.com
15 Protecting Sensitive Data
16 PCI DSS Compliance Issues with breached organizations and PCI DSS v4 Source: Verizon 2019 Payment Security Report • PCI DSS Requirement 3 is addressing protecting cardholder data. • PCI DSS Requirement 10 is addressing network security and access. PCI DSS v4 adds a customized approach • Meeting the security intent of PCI DSS by using security approaches that may be different than traditional PCI DSS requirements. • Compensating controls will be removed
17 Data sources Data Warehouse In Italy Complete policy- enforced de- identification of sensitive data across all bank entities Example of Cross Border Data-centric Security • Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers • Compliance with EU Cross Border Data Protection Laws • Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
18 http://dataprotection.link/Zn1Uk#https://www.wsj.com/articles/coronavirus-paves-way-for-new-age-of-digital-surveillance-11586963028 American officials are drawing cellphone location data from mobile advertising firms to track the presence of crowds—but not individuals. Apple Inc. and Alphabet Inc.’s Google recently announced plans to launch a voluntary app that health officials can use to reverse-engineer sickened patients’ recent whereabouts—provided they agree to provide such information. European nations monitor citizen movement by tapping telecommunications data that they say conceals individuals’ identities. The extent of tracking hinges on a series of tough choices: Make it voluntary or mandatory? Collect personal or anonymized data? Disclose information publicly or privately? In Western Australia, lawmakers approved a bill last month to install surveillance gadgets in people’s homes to monitor those placed under quarantine. Authorities in Hong Kong and India are using geofencing that draws virtual fences around quarantine zones. They monitor digital signals from smartphone or wristbands to deter rule breakers and nab offenders, who can be sent to jail. Japan’s most popular messaging app beams health-status questions to its users on behalf of the government.
19 Example of disk level encryption Exposes all data on the disk volume Encrypts all data on the disk volume Volume Encryption
20 Example of file level encryption Exposes all data in the file at use Encrypts all data in the file at rest (and transit)
21 Example of what Role 2 can see Example of the data values that are stored in the file at rest Reduce risk by not exposing the full data value to applications and users that only need to operate on a limited representation of the data Reduce risk by field level protection
22 Shared responsibili ties across cloud service models Data Protection for Multi- cloud Payment Application Payment Network Payment Data Policy, tokenization, encryption and keys Gateway Call Center Application Format Preserving Encryption (FPE) PI* Data Tokenization Salesforce Analytics Application Differential Privacy (DP), K-anonymity model PI* Data Microsoft Election Guard development kit Election Data Homomorphic Encryption (HE) Data Warehouse PI* Data Vault-less tokenization (VLT) Use-cases of some de-identification techniques Voting Application *: PI Data (Personal information) means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household according to CCPA Dev/test Systems Masking PI* Data
23 IS: International Standard TR: Technical Report TS: Technical Specification Guidelines to help comply with ethical standards 20889 IS Privacy enhancing de-identification terminology and classification of techniques 27018 IS Code of practice for protection of PII in public clouds acting as PII processors 27701 IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines 29100 IS Privacy framework 29101 IS Privacy architecture framework 29134 IS Guidelines for Privacy impact assessment 29151 IS Code of Practice for PII Protection 29190 IS Privacy capability assessment model 29191 IS Requirements for partially anonymous, partially unlinkable authentication Cloud 11 Published International Privacy Standards (ISO) Framework Management Techniques Impact 19608 TS Guidance for developing security and privacy functional requirements based on 15408 Requirements 27550 TR Privacy engineering for system lifecycle processesProcess Privacy Standards
24 20547 IS Big data reference architecture - Part 4 - Security and privacy 23491 IS Security techniques - IoT security and privacy - Guidelines for IoT domotics 27006-2 (formerly 27558 IS) TS Information security, cybersecurity and privacy protection - Requirements audit and certification of privacy information management systems 27030 IS Security and Privacy for the Internet of Things 27045 IS Big data security and privacy - processes 27046 IS Big data security and privacy - Implementation guidelines 27402 IS IoT security and privacy - Device baseline requirements 27551 IS Requirements for attribute-based unlinkable entity authentication 27555 IS Guidelines on Personally Identifiable Information Deletion 27556 IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences 27557 IS Organizational privacy risk management 27559 IS Privacy-enhancing data de-identification framework 27560 TS Privacy technologies – Consent record information structure 27570 TS Privacy Guidelines for Smart Cities 29184 IS Online privacy notices and consent 31700 IS Consumer Protection - Privacy-by-design for consumer goods and services Privacy Standards Big Data Framework Risk Design Consent and Deletion Smart Cities IoT IS: International Standard TS: Technical Specification Authentication Audit 16 International Privacy Standards in development (ISO)
25 Data protection techniques: Deployment on-premises, and clouds Data Warehouse Centralized Distributed On- premises Public Cloud Private Cloud Vault-based tokenization y y Vault-less tokenization y y y y y y Format preserving encryption y y y y y Homomorphic encryption y y Masking y y y y y y Hashing y y y y y y Server model y y y y y y Local model y y y y y y L-diversity y y y y y y T-closeness y y y y y y Privacy enhancing data de-identification terminology and classification of techniques De- identification techniques Tokenization Cryptographic tools Suppression techniques Formal privacy measurement models Differential Privacy K-anonymity model
26 • Privacy enhancing data de-identification terminology and classification of techniques Source: INTERNATIONAL STANDARD ISO/IEC 20889 Encrypted data has the same format Server model Local model Differential Privacy (DP) Formal privacy measurement models (PMM) De-identification techniques (DT) Cryptographic tools (CT) Format Preserving Encryption (FPE) Homomorphic Encryption (HE) Two values encrypted can be combined* K-anonymity model Responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator** The entity receiving the data is looking to reduce risk Ensures that for each identifier there is a corresponding equivalence class containing at least K records *: Multi Party Computation (MPC) **: Example Apple and Google ISO Standard for Encryption and Privacy Models
27 Field Privacy Action (PA) PA Config Variant Twin Output Gender Pseudonymise AD-lks75HF9aLKSa Pseudonymization Generalization Field Privacy Action (PA) PA Config Variant Twin Output Age Integer Range Bin Step 10 + Pseud. Age_KXYC Age Integer Range Bin Custom Steps 18-25 Aggregation/Binning Field Privacy Action (PA) PA Config Variant Twin Output Balance Nearest Unit Value Thousand 94000 Rounding Generalization Source data: Output data: Last name Balance Age Gender Folds 93791 23 m … … … … Generalization Source data: Output data: Patient Age Gender Region Disease 173965429 57 Female Hamburg Gastric ulcer Patient Age Gender Region Disease 173965429 >50 Female Germany Gastric ulcer Generalization Examples of data de-identification Source: INTERNATIONAL STANDARD ISO/IEC 20889, Privitar, Anonos
28 Privacy Measurement Models
29 Protected Curator* (Filter) Output Cleanser (Filter) Input Protected Database Privacy measurement models Differential Privacy Differential privacy is a model that provides mathematical guarantees that the probability distribution of the output of this analysis differs by a factor no greater than a specified parameter regardless of whether any data principal is included in the input dataset. Source: INTERNATIONAL STANDARD ISO/IEC 20889 *: Example: Apple
30 Differential privacy model Differential privacy is a formal privacy measurement model that, if incorporated in the design of a particular statistical analysis, provides mathematical guarantees that the probability distribution of the output of this analysis differs by a factor no greater than a specified parameter regardless of whether any particular data principal is included in the input dataset. — a mathematical definition of privacy which posits that, for the outcome of any statistical analysis distribution independent of whether any given data principal is added to or removed from the dataset; and — a measure of privacy that enables monitoring of cumulative privacy loss and setting of a “budget” for loss limit. When adequately implemented and used, provide a mathematically proven guarantee of privacy. The design and construction of a differentially private algorithm requires appropriate expertise in the field of probability and statistics, and of the theory of differential privacy. Differentially private algorithms are built by adding a certain amount of “random noise” that is generated from a carefully selected probability distribution, such that the desired usefulness of data is preserved. NOTE For detailed treatment of these and other relevant topics on the subject, see [9], [45] and [15]. And Annex E
31 Clear text data Cleanser Filter Database Privacy measurement models K-anonymity model The k-anonymity model that ensures that groups smaller than k individuals cannot be identified. • Queries will return at least k number of records. K- anonymity is a formal privacy measurement model that ensures that for each identifier there is a corresponding equivalence class containing at least K records. Source: INTERNATIONAL STANDARD ISO/IEC 20889 Anonymized text data Some of the de-identification techniques can be used either independently or in combination with each other to satisfy the K- anonymity model. Suppression techniques, generalization techniques, and microaggregation* can be applied to different types of attributes in a dataset to achieve the desired results. *: Microaggregation replaces all values of continuous attributes with their averages computed in a certain algorithmic way.
32 Privacy measurement models K-anonymity model The k-anonymity can thwart the ability to link field-structured databases Given person-specific field-structured data, produce a release of the data with scientific guarantees that the individuals who are the subjects of the data cannot be reidentified while the data remain practically useful. A release provides k-anonymity if the data for each person cannot be distinguished from at least k-1 individuals whose data also appears in the release Source: INTERNATIONAL STANDARD ISO/IEC 20889 Datashouldbeprotected
33 Risk reduction and truthfulness of standardized de-identification techniques and models Source: INTERNATIONAL STANDARD ISO/IEC 20889 Transit Use Storage Singling out Linking Inference Pseudonymization Tokenization Protects the data flow from attacks Yes Yes Yes Yes Direct identifiers No Partially No Deterministic encryption Protects the data when not used in processing operations Yes No Yes Yes All attributes No Partially No Order-preserving encryption Protects the data from attacks Partially Partially Partially Yes All attributes No Partially No Homomorphic encryption Protects the data also when used in processing operations Yes Yes Yes Yes All attributes No No No Masking Protects the data in dev/test and analytical applications Yes Yes Yes Yes Local identifiers Yes Partially No Local suppression Protects the data in analytical applications Yes Yes Yes Yes Identifying attributes Partially Partially Partially Record suppression Removes the data from the data set Yes Yes Yes Yes All attributes Yes Yes Yes Sampling Exposes only a subset of the data for analytical applications Partially Partially Partially Yes All attributes Partially Partially Partially Generalization Protects the data in dev/test and analytical applications Yes Yes Yes Yes Identifying attributes Partially Partially Partially Rounding Protects the data in dev/test and analytical applications Yes Yes Yes Yes Identifying attributes No Partially Partially Top/bottom coding Protects the data in dev/test and analytical applications Yes Yes Yes Yes Identifying attributes No Partially Partially Noise addition Protects the data in dev/test and analytical applications Yes Yes Yes No Identifying attributes Partially Partially Partially Permutation Protects the data in dev/test and analytical applications Yes Yes Yes No Identifying attributes Partially Partially Partially Micro aggregation Protects the data in dev/test and analytical applications Yes Yes Yes No All attributes No Partially Partially Differential privacy Protects the data in analytical applications No Yes Yes No Identifying attributes Yes Yes Partially K-anonymity Protects the data in analytical applications No Yes Yes Yes Quai identifiers Yes Partially No Privacy models Applicable to types of attributes Reduces the risk of Cryptographic tools Suppression Generalization Technique name Data truthfulness at record level Use Case / User Story Data protected in Randomization
34 Encryption and Tokenization
35 Operation on encrypted data* HE Decryption HE Encryption HE Encryption Clear text data 12 Encrypted data Encrypted data “Untrusted Parties” Homomorphic Encryption (HE) Encrypted result Source: INTERNATIONAL STANDARD ISO/IEC 20889 *: Secure Multi Party Computation (SMPC) Clear text data D2 Clear text data D1 Database Operation on encrypted data* Data should be protected
36 Homomorphic Encryption (HE) Anonymous data processing with fully homomorphic encryption www.ntt-review.jp Anonymous data processing involves multiple users sending some sensitive data to a cloud server, where it is aggregated, stripped of identifying information, and analyzed, typically to extract some statistical information, which is then delivered to the final recipient. • The security requirement is that the cloud server must learn nothing about the content of users’ data, and the recipient must obtain only the anonymized results of the statistical analysis, and, no information on individual users.
37 Type of Data Use Case I Structured I Un-structured Simple - Complex - Payment Card Information PHI Personal Information (PI*) or Personally Identifiable Information (PII) Encryption of Files Tokenization of Fields Protected Health Information Personally Identifiable Information How to protect different types of data with encryption and tokenization Card Holder Data *: California CCPA
38 Access to Data Sources / FieldsLow High High - Low - I I Risk, productivity and access to more data fields User Productivity
39 Data sources Data Warehouse Complete policy- enforced de- identification of sensitive data across all bank entities Example of Cross Border Data-centric Security using Tokenization • Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers • Compliance with EU Cross Border Data Protection Laws • Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting Data should be protected
40 Local Data Security Gateways (DSG) Central Security Manager (ESA) Use Case - Compliance with cross-border and other privacy restrictions • 200 million users • 160 countries
41 A Data Security Gateway (DSG) can turn sensitive data to Ciphertext or Tokens DSG* *: Example of supported protocols include HTTP, HTTPS, SFTP, SMTP and API utilizing web services or REST
42 Trends in Cloud Security
43 Cloud transformations are accelerating
44Source: Gartner Source: Netskope Current use or plan to use: Spending by Deployment Model, Digital Commerce Platforms, Worldwide
45 Securing Cloud Workloads – Greatest Increase in Spending 451 Research
46 Security controls can be applied On-premises or Cloud • “Active Directory” • WAF • SIEM • Firewall • Encryption • Tokenization • Key Management • AV – Anti Virus • Network Sec Public Cloud / Multi- cloud
47 Shared responsibilities across cloud service models Source: Microsoft The Customer is Responsible for the Data across all Cloud Service Models
48 Legal Compliance and Nation-State Attacks • Many companies have information that is attractive to governments and intelligence services. • Others worry that litigation may result in a subpoena for all their data. Securosis, 2019 Multi-Cloud Key Management considerations Jurisdiction • Cloud service providers, especially IaaS vendors, offer services in multiple countries, often in more than one region, with redundant data centers. • This redundancy is great for resilience, but regulatory concerns arises when moving data across regions which may have different laws and jurisdictions. SecuPi
49Securosis, 2019 Consistency • Most firms are quite familiar with their on-premises encryption and key management systems, so they often prefer to leverage the same tool and skills across multiple clouds. • Firms often adopt a “best of breed” cloud approach. Multi-Cloud Key Management considerations Trust • Some customers simply do not trust their vendors. Vendor Lock-in and Migration • A common concern is vendor lock-in, and an inability to migrate to another cloud service provider. • Some native cloud encryption systems do not allow customer keys to move outside the system, and cloud encryption systems are based on proprietary interfaces. • The goal is to maintain protection regardless of where data resides, moving between cloud vendors. Cloud Gateway Google Cloud AWS Cloud Azure Cloud
50 • Amazon S3 encryption and decryption takes place in the EMRFS client on your cluster. • Objects are encrypted before being uploaded to Amazon S3 and decrypted after they are downloaded. • The EMR (Elastic MapReduce) File System (EMRFS) is an implementation of HDFS that all Amazon EMR clusters use for reading and writing regular files from Amazon EMR directly to Amazon S3. Amazon S3 client-side encryption
51 • Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources • Your virtual networking environment allows selection of your own IP address range, creation of subnets, and configuration AWS encryption key management
52 Risk Elasticity Out-sourcedIn-house On-premises On-premises Private Cloud Hosted Private Cloud Public Cloud Low - High - Computing Cost - High - Low • Encryption/decryption Point Protected data U U U • Encryption Key Management U U Multi-Cloud Key Management
53 A Cloud Security Gateway (CASB) can protect sensitive data in Cloud (SaaS) • Example of supported protocols include HTTP, HTTPS, SFTP, and SMTP • Based on configuration instead of programming • Secures existing web services or REST API calls • See and control where sensitive data travels 1. Install the Cloud Security Gateway in your trusted domain 2. Select the fields to be protected 3. Start using Salesforce with enhanced security • Policy Enforcement Point (PEP) Protected data fields U • Encryption Key Management Separation of Duties
54 Protect data before landing Enterprise Policies Apps using de-identified data Sensitive data streams Enterprise on- prem Data lifted to S3 is protected before use S3 • Applications can use de- identified data or data in the clear based on policies • Protection of data in AWS S3 before landing in a S3 bucket Protection of data in AWS S3 with Separation of Duties • Policy Enforcement Point (PEP) Separation of Duties • Encryption Key Management
55 Protection throughout the lifecycle of data in Hadoop Big Data Protector tokenizes or encrypts sensitive data fields Enterprise Policies Policies may be managed on-prem or Google Cloud Platform (GCP) • Policy Enforcement Point (PEP) Protected data fields U UU Big Data Protection with Granular Field Level Protection for Google Cloud Separation of Duties • Encryption Key Management
56 Underlying Technology for RegTech Solutions Source: medium, fintechnews
57 Shared platforms are most useful when built with digital technologies - Examples Source: https://regtechassociation.org/wp-content/uploads/2019/11/Protiviti-IRTA-Urgent-Call-KYC-Optimization-Final-Report.pdf
58 Gartner Forecast: Blockchain Business Value, Worldwide How Does Blockchain Impact RegTech? • Blockchain, the software of virtual currencies on cryptocurrencies has a major impact on RegTech. • A lot of banks are exploring blockchain and crypto initiatives for startups, technology partners, and innovators. • The blockchain technology promises to reshape RegTech.
59 Emerging De Jure Standards for Self-Sovereign Identity (SSI) Source: sovrin PEER DISTRIBUTED LEDGER (BLOCKCHAIN) DIGITAL WALLET CONNECTION GET CREDENTIAL SHOW CREDENTIAL 1 DIDs 2 DKMS 1. Verifiable Credentials, (W3C) 2. DID Auth, (IETF) 3. DKMS (Decentralized Key Management System), (OASIS) 4. DID (Decentralized Identifier), (W3C) SSI Example:
60 A zero trust architecture (US NIST, ANSI X9) 1. All data sources and computing services are considered resources. 2. All communication is secured regardless of network location. 3. Access to individual enterprise resources is granted on a per-session basis. 4. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and other behavioral attributes. 5. The enterprise monitors assets to ensure that they remain in the most secure state possible. 6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. 7. The enterprise collects the current state of network infrastructure and communications.
61 References: 1. California Consumer Privacy Act, OCT 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what- you-need-to-know-to-be-compliant.html 2. CIS Controls V7.1 Mapping to NIST CSF, https://dataprivacylab.org/projects/identifiability/paper1.pdf 3. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx 4. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf 5. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation 6. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM- Z/03/2018/ibm-framework-gdpr 7. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI- k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE 8. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/ ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE 9. New Enterprise Application and Data Security Challenges and Solutions https://www.brighttalk.com/webinar/new-enterprise- application-and-data-security-challenges-and-solutions/ 10. Machine Learning and AI in a Brave New Cloud World https://www.brighttalk.com/webcast/14723/357660/machine-learning-and-ai- in-a-brave-new-cloud-world 11. Emerging Data Privacy and Security for Cloud https://www.brighttalk.com/webinar/emerging-data-privacy-and-security-for-cloud/ 12. New Application and Data Protection Strategies https://www.brighttalk.com/webinar/new-application-and-data-protection- strategies-2/ 13. The Day When 3rd Party Security Providers Disappear into Cloud https://www.brighttalk.com/webinar/the-day-when-3rd-party- security-providers-disappear-into-cloud/ 14. Advanced PII/PI Data Discovery https://www.brighttalk.com/webinar/advanced-pii-pi-data-discovery/ 15. Emerging Application and Data Protection for Cloud https://www.brighttalk.com/webinar/emerging-application-and-data-protection- for-cloud/ 16. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019, ulf@ulfmattsson.com 17. Webinars and slides, www.ulfmattsson.com
62 datafloq Ulf Mattsson ulf@ulfmattsson.com Thank You!

Recommended

ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
 
Privacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationPrivacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationUlf Mattsson
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
 
Isaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyIsaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyUlf Mattsson
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 

Recommended

ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
 
Privacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationPrivacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationUlf Mattsson
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
 
Isaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyIsaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyUlf Mattsson
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
Protecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningProtecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningUlf Mattsson
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloudUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019Ulf Mattsson
 
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10Ulf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protectionUlf Mattsson
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionUlf Mattsson
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloudUlf Mattsson
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonUlf Mattsson
 
How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...Ulf Mattsson
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougKey note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougUlf Mattsson
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudUlf Mattsson
 
Book
BookBook
BookUlf Mattsson
 
Future data security ‘will come from several sources’
Future data security ‘will come from several sources’Future data security ‘will come from several sources’
Future data security ‘will come from several sources’John Davis
 
ETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco securityETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco securityETIS - the Global IT Association for Telecommunications
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Ulf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
N-able webinar:Build recurring revenue in 45 days
N-able webinar:Build recurring revenue in 45 daysN-able webinar:Build recurring revenue in 45 days
N-able webinar:Build recurring revenue in 45 daysSolarwinds N-able
 
Securing data today and in the future - Oracle NYC
Securing data today and in the future - Oracle NYCSecuring data today and in the future - Oracle NYC
Securing data today and in the future - Oracle NYCUlf Mattsson
 
Isaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataIsaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataUlf Mattsson
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataUlf Mattsson
 

More Related Content

What's hot

Protecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningProtecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningUlf Mattsson
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloudUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019Ulf Mattsson
 
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10Ulf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protectionUlf Mattsson
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionUlf Mattsson
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloudUlf Mattsson
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonUlf Mattsson
 
How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...Ulf Mattsson
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougKey note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougUlf Mattsson
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudUlf Mattsson
 
Future data security ‘will come from several sources’
Future data security ‘will come from several sources’Future data security ‘will come from several sources’
Future data security ‘will come from several sources’John Davis
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Ulf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
N-able webinar:Build recurring revenue in 45 days
N-able webinar:Build recurring revenue in 45 daysN-able webinar:Build recurring revenue in 45 days
N-able webinar:Build recurring revenue in 45 daysSolarwinds N-able
 
Securing data today and in the future - Oracle NYC
Securing data today and in the future - Oracle NYCSecuring data today and in the future - Oracle NYC
Securing data today and in the future - Oracle NYCUlf Mattsson
 

What's hot (20)

Protecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningProtecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine Learning
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloud
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019
 
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloud
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattsson
 
How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougKey note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyoug
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the Cloud
 
Book
BookBook
Book
 
Future data security ‘will come from several sources’
Future data security ‘will come from several sources’Future data security ‘will come from several sources’
Future data security ‘will come from several sources’
 
ETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco securityETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco security
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
N-able webinar:Build recurring revenue in 45 days
N-able webinar:Build recurring revenue in 45 daysN-able webinar:Build recurring revenue in 45 days
N-able webinar:Build recurring revenue in 45 days
 
Securing data today and in the future - Oracle NYC
Securing data today and in the future - Oracle NYCSecuring data today and in the future - Oracle NYC
Securing data today and in the future - Oracle NYC
 

Similar to Jul 16 isaca london data protection, security and privacy risks - on premise and cloud

Isaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataIsaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataUlf Mattsson
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataUlf Mattsson
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataUlf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloudUlf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Ulf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAUlf Mattsson
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfamitkhanna2070
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
BigData and Privacy webinar at Brighttalk
BigData and Privacy webinar at BrighttalkBigData and Privacy webinar at Brighttalk
BigData and Privacy webinar at BrighttalkUlf Mattsson
 
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Ted Myerson
 
Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Ulf Mattsson
 
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...Ulf Mattsson
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRMatt Stubbs
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016Ulf Mattsson
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsUlf Mattsson
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
 

Similar to Jul 16 isaca london data protection, security and privacy risks - on premise and cloud (20)

Isaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataIsaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big data
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big data
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloud
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
I want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdfI want you to Read intensively papers and give me a summary for ever.pdf
I want you to Read intensively papers and give me a summary for ever.pdf
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
BigData and Privacy webinar at Brighttalk
BigData and Privacy webinar at BrighttalkBigData and Privacy webinar at Brighttalk
BigData and Privacy webinar at Brighttalk
 
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
 
Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...
 
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPR
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private clouds
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
 

More from Ulf Mattsson

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...Ulf Mattsson
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesUlf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeUlf Mattsson
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchainUlf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonUlf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bUlf Mattsson
 

More from Ulf Mattsson (12)

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 

Recently uploaded

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Product School
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 

Recently uploaded (20)

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 

Jul 16 isaca london data protection, security and privacy risks - on premise and cloud

  • 1. 1 datafloq Ulf Mattsson ulf@ulfmattsson.com Data Protection, Security and Privacy Risks – On-premise & Cloud
  • 2. 2 Payment Card Industry (PCI) Security Standards Council (SSC): 1. Tokenization Task Force 2. Encryption Task Force, Point to Point Encryption Task Force 3. Risk Assessment SIG 4. eCommerce SIG 5. Cloud SIG, Virtualization SIG 6. Pre-Authorization SIG, Scoping SIG Working Group • Previously Head of Innovation at TokenEx and Chief Technology Officer at Atlantic BT, Compliance Engineering, and Protegrity, and IT Architect at IBM Ulf Mattsson ULFMATTSSON.COM • Products and Services: • Data Encryption, Tokenization, Data Discovery, Cloud Application Security Brokers (CASB), Web Application Firewalls (WAF), Robotics, and Applications • Security Operation Center (SOC), Managed Security Services (MSSP), and Security Benchmarking/Gap-analysis for Financial Industry • Inventor of more than 70 issued US Patents and developed Industry Standards with ANSI X9 and PCI SSC Dec 2019 May 2020 May 2020 Dec 2019
  • 3. 3Verizon Data Breach Investigations Report (DBIR) 2020 Actors in breaches
  • 4. 4Verizon Data Breach Investigations Report (DBIR) 2020 Assets in breaches • On-premises assets are still 70% in our reported breaches dataset. • Cloud assets were involved in about 24% of breaches. • Email or web application server 73% of the time. Server
  • 5. 5Verizon Data Breach Investigations Report (DBIR) 2020 Action varieties in breaches
  • 6. 6 Security Compliance PrivacyControls Regulations Policies Hybrid Cloud DevOps. DataOps and DevSecOps GDPR CCPA Data Security PCI DSS v4 HIPAA Identity Management Application Security Risk Management Industry Standards Examples of Evolving Regulations & Industry Standards ISO/IEC, NIST, ANSI X9, FFIEC, COBIT, W3C, IETF, Oasis OWASP Data Privacy SSI Containers and Serverless How, What and Why Balance
  • 8. 8 Global Map Of Privacy Rights And Regulations
  • 9. 9https://iapp.org/media/pdf/resource_center/trustarc_survey_iapp.pdf How many privacy laws are you complying with? General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. California Consumer Privacy Act ( CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States.
  • 10. 10 TrustArc Legal and regulatory risks are exploding
  • 11. 11 Source: IBM Encryption and TokenizationDiscover Data Assets Security by Design GDPR Security Requirements – Encryption and Tokenization
  • 12. 12 Data flow mapping under GDPR • If there is not already a documented workflow in place in your organisation, it can be worthwhile for a team to be sent out to identify how the data is being gathered. • This will enable you to see how your data flow is different from reality and what needs to be done to amend this. If an organisation’s theory about how its data is flowing is different from the reality, you have a breach and could be fined. The organisation needs to look at how the data was captured, who is accountable for it, where it is located and who has access.
  • 14. 14 See security improvement and track sensitive data www.protegrity.com
  • 16. 16 PCI DSS Compliance Issues with breached organizations and PCI DSS v4 Source: Verizon 2019 Payment Security Report • PCI DSS Requirement 3 is addressing protecting cardholder data. • PCI DSS Requirement 10 is addressing network security and access. PCI DSS v4 adds a customized approach • Meeting the security intent of PCI DSS by using security approaches that may be different than traditional PCI DSS requirements. • Compensating controls will be removed
  • 17. 17 Data sources Data Warehouse In Italy Complete policy- enforced de- identification of sensitive data across all bank entities Example of Cross Border Data-centric Security • Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers • Compliance with EU Cross Border Data Protection Laws • Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
  • 18. 18 http://dataprotection.link/Zn1Uk#https://www.wsj.com/articles/coronavirus-paves-way-for-new-age-of-digital-surveillance-11586963028 American officials are drawing cellphone location data from mobile advertising firms to track the presence of crowds—but not individuals. Apple Inc. and Alphabet Inc.’s Google recently announced plans to launch a voluntary app that health officials can use to reverse-engineer sickened patients’ recent whereabouts—provided they agree to provide such information. European nations monitor citizen movement by tapping telecommunications data that they say conceals individuals’ identities. The extent of tracking hinges on a series of tough choices: Make it voluntary or mandatory? Collect personal or anonymized data? Disclose information publicly or privately? In Western Australia, lawmakers approved a bill last month to install surveillance gadgets in people’s homes to monitor those placed under quarantine. Authorities in Hong Kong and India are using geofencing that draws virtual fences around quarantine zones. They monitor digital signals from smartphone or wristbands to deter rule breakers and nab offenders, who can be sent to jail. Japan’s most popular messaging app beams health-status questions to its users on behalf of the government.
  • 19. 19 Example of disk level encryption Exposes all data on the disk volume Encrypts all data on the disk volume Volume Encryption
  • 20. 20 Example of file level encryption Exposes all data in the file at use Encrypts all data in the file at rest (and transit)
  • 21. 21 Example of what Role 2 can see Example of the data values that are stored in the file at rest Reduce risk by not exposing the full data value to applications and users that only need to operate on a limited representation of the data Reduce risk by field level protection
  • 22. 22 Shared responsibili ties across cloud service models Data Protection for Multi- cloud Payment Application Payment Network Payment Data Policy, tokenization, encryption and keys Gateway Call Center Application Format Preserving Encryption (FPE) PI* Data Tokenization Salesforce Analytics Application Differential Privacy (DP), K-anonymity model PI* Data Microsoft Election Guard development kit Election Data Homomorphic Encryption (HE) Data Warehouse PI* Data Vault-less tokenization (VLT) Use-cases of some de-identification techniques Voting Application *: PI Data (Personal information) means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household according to CCPA Dev/test Systems Masking PI* Data
  • 23. 23 IS: International Standard TR: Technical Report TS: Technical Specification Guidelines to help comply with ethical standards 20889 IS Privacy enhancing de-identification terminology and classification of techniques 27018 IS Code of practice for protection of PII in public clouds acting as PII processors 27701 IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines 29100 IS Privacy framework 29101 IS Privacy architecture framework 29134 IS Guidelines for Privacy impact assessment 29151 IS Code of Practice for PII Protection 29190 IS Privacy capability assessment model 29191 IS Requirements for partially anonymous, partially unlinkable authentication Cloud 11 Published International Privacy Standards (ISO) Framework Management Techniques Impact 19608 TS Guidance for developing security and privacy functional requirements based on 15408 Requirements 27550 TR Privacy engineering for system lifecycle processesProcess Privacy Standards
  • 24. 24 20547 IS Big data reference architecture - Part 4 - Security and privacy 23491 IS Security techniques - IoT security and privacy - Guidelines for IoT domotics 27006-2 (formerly 27558 IS) TS Information security, cybersecurity and privacy protection - Requirements audit and certification of privacy information management systems 27030 IS Security and Privacy for the Internet of Things 27045 IS Big data security and privacy - processes 27046 IS Big data security and privacy - Implementation guidelines 27402 IS IoT security and privacy - Device baseline requirements 27551 IS Requirements for attribute-based unlinkable entity authentication 27555 IS Guidelines on Personally Identifiable Information Deletion 27556 IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences 27557 IS Organizational privacy risk management 27559 IS Privacy-enhancing data de-identification framework 27560 TS Privacy technologies – Consent record information structure 27570 TS Privacy Guidelines for Smart Cities 29184 IS Online privacy notices and consent 31700 IS Consumer Protection - Privacy-by-design for consumer goods and services Privacy Standards Big Data Framework Risk Design Consent and Deletion Smart Cities IoT IS: International Standard TS: Technical Specification Authentication Audit 16 International Privacy Standards in development (ISO)
  • 25. 25 Data protection techniques: Deployment on-premises, and clouds Data Warehouse Centralized Distributed On- premises Public Cloud Private Cloud Vault-based tokenization y y Vault-less tokenization y y y y y y Format preserving encryption y y y y y Homomorphic encryption y y Masking y y y y y y Hashing y y y y y y Server model y y y y y y Local model y y y y y y L-diversity y y y y y y T-closeness y y y y y y Privacy enhancing data de-identification terminology and classification of techniques De- identification techniques Tokenization Cryptographic tools Suppression techniques Formal privacy measurement models Differential Privacy K-anonymity model
  • 26. 26 • Privacy enhancing data de-identification terminology and classification of techniques Source: INTERNATIONAL STANDARD ISO/IEC 20889 Encrypted data has the same format Server model Local model Differential Privacy (DP) Formal privacy measurement models (PMM) De-identification techniques (DT) Cryptographic tools (CT) Format Preserving Encryption (FPE) Homomorphic Encryption (HE) Two values encrypted can be combined* K-anonymity model Responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator** The entity receiving the data is looking to reduce risk Ensures that for each identifier there is a corresponding equivalence class containing at least K records *: Multi Party Computation (MPC) **: Example Apple and Google ISO Standard for Encryption and Privacy Models
  • 27. 27 Field Privacy Action (PA) PA Config Variant Twin Output Gender Pseudonymise AD-lks75HF9aLKSa Pseudonymization Generalization Field Privacy Action (PA) PA Config Variant Twin Output Age Integer Range Bin Step 10 + Pseud. Age_KXYC Age Integer Range Bin Custom Steps 18-25 Aggregation/Binning Field Privacy Action (PA) PA Config Variant Twin Output Balance Nearest Unit Value Thousand 94000 Rounding Generalization Source data: Output data: Last name Balance Age Gender Folds 93791 23 m … … … … Generalization Source data: Output data: Patient Age Gender Region Disease 173965429 57 Female Hamburg Gastric ulcer Patient Age Gender Region Disease 173965429 >50 Female Germany Gastric ulcer Generalization Examples of data de-identification Source: INTERNATIONAL STANDARD ISO/IEC 20889, Privitar, Anonos
  • 29. 29 Protected Curator* (Filter) Output Cleanser (Filter) Input Protected Database Privacy measurement models Differential Privacy Differential privacy is a model that provides mathematical guarantees that the probability distribution of the output of this analysis differs by a factor no greater than a specified parameter regardless of whether any data principal is included in the input dataset. Source: INTERNATIONAL STANDARD ISO/IEC 20889 *: Example: Apple
  • 30. 30 Differential privacy model Differential privacy is a formal privacy measurement model that, if incorporated in the design of a particular statistical analysis, provides mathematical guarantees that the probability distribution of the output of this analysis differs by a factor no greater than a specified parameter regardless of whether any particular data principal is included in the input dataset. — a mathematical definition of privacy which posits that, for the outcome of any statistical analysis distribution independent of whether any given data principal is added to or removed from the dataset; and — a measure of privacy that enables monitoring of cumulative privacy loss and setting of a “budget” for loss limit. When adequately implemented and used, provide a mathematically proven guarantee of privacy. The design and construction of a differentially private algorithm requires appropriate expertise in the field of probability and statistics, and of the theory of differential privacy. Differentially private algorithms are built by adding a certain amount of “random noise” that is generated from a carefully selected probability distribution, such that the desired usefulness of data is preserved. NOTE For detailed treatment of these and other relevant topics on the subject, see [9], [45] and [15]. And Annex E
  • 31. 31 Clear text data Cleanser Filter Database Privacy measurement models K-anonymity model The k-anonymity model that ensures that groups smaller than k individuals cannot be identified. • Queries will return at least k number of records. K- anonymity is a formal privacy measurement model that ensures that for each identifier there is a corresponding equivalence class containing at least K records. Source: INTERNATIONAL STANDARD ISO/IEC 20889 Anonymized text data Some of the de-identification techniques can be used either independently or in combination with each other to satisfy the K- anonymity model. Suppression techniques, generalization techniques, and microaggregation* can be applied to different types of attributes in a dataset to achieve the desired results. *: Microaggregation replaces all values of continuous attributes with their averages computed in a certain algorithmic way.
  • 32. 32 Privacy measurement models K-anonymity model The k-anonymity can thwart the ability to link field-structured databases Given person-specific field-structured data, produce a release of the data with scientific guarantees that the individuals who are the subjects of the data cannot be reidentified while the data remain practically useful. A release provides k-anonymity if the data for each person cannot be distinguished from at least k-1 individuals whose data also appears in the release Source: INTERNATIONAL STANDARD ISO/IEC 20889 Datashouldbeprotected
  • 33. 33 Risk reduction and truthfulness of standardized de-identification techniques and models Source: INTERNATIONAL STANDARD ISO/IEC 20889 Transit Use Storage Singling out Linking Inference Pseudonymization Tokenization Protects the data flow from attacks Yes Yes Yes Yes Direct identifiers No Partially No Deterministic encryption Protects the data when not used in processing operations Yes No Yes Yes All attributes No Partially No Order-preserving encryption Protects the data from attacks Partially Partially Partially Yes All attributes No Partially No Homomorphic encryption Protects the data also when used in processing operations Yes Yes Yes Yes All attributes No No No Masking Protects the data in dev/test and analytical applications Yes Yes Yes Yes Local identifiers Yes Partially No Local suppression Protects the data in analytical applications Yes Yes Yes Yes Identifying attributes Partially Partially Partially Record suppression Removes the data from the data set Yes Yes Yes Yes All attributes Yes Yes Yes Sampling Exposes only a subset of the data for analytical applications Partially Partially Partially Yes All attributes Partially Partially Partially Generalization Protects the data in dev/test and analytical applications Yes Yes Yes Yes Identifying attributes Partially Partially Partially Rounding Protects the data in dev/test and analytical applications Yes Yes Yes Yes Identifying attributes No Partially Partially Top/bottom coding Protects the data in dev/test and analytical applications Yes Yes Yes Yes Identifying attributes No Partially Partially Noise addition Protects the data in dev/test and analytical applications Yes Yes Yes No Identifying attributes Partially Partially Partially Permutation Protects the data in dev/test and analytical applications Yes Yes Yes No Identifying attributes Partially Partially Partially Micro aggregation Protects the data in dev/test and analytical applications Yes Yes Yes No All attributes No Partially Partially Differential privacy Protects the data in analytical applications No Yes Yes No Identifying attributes Yes Yes Partially K-anonymity Protects the data in analytical applications No Yes Yes Yes Quai identifiers Yes Partially No Privacy models Applicable to types of attributes Reduces the risk of Cryptographic tools Suppression Generalization Technique name Data truthfulness at record level Use Case / User Story Data protected in Randomization
  • 35. 35 Operation on encrypted data* HE Decryption HE Encryption HE Encryption Clear text data 12 Encrypted data Encrypted data “Untrusted Parties” Homomorphic Encryption (HE) Encrypted result Source: INTERNATIONAL STANDARD ISO/IEC 20889 *: Secure Multi Party Computation (SMPC) Clear text data D2 Clear text data D1 Database Operation on encrypted data* Data should be protected
  • 36. 36 Homomorphic Encryption (HE) Anonymous data processing with fully homomorphic encryption www.ntt-review.jp Anonymous data processing involves multiple users sending some sensitive data to a cloud server, where it is aggregated, stripped of identifying information, and analyzed, typically to extract some statistical information, which is then delivered to the final recipient. • The security requirement is that the cloud server must learn nothing about the content of users’ data, and the recipient must obtain only the anonymized results of the statistical analysis, and, no information on individual users.
  • 37. 37 Type of Data Use Case I Structured I Un-structured Simple - Complex - Payment Card Information PHI Personal Information (PI*) or Personally Identifiable Information (PII) Encryption of Files Tokenization of Fields Protected Health Information Personally Identifiable Information How to protect different types of data with encryption and tokenization Card Holder Data *: California CCPA
  • 38. 38 Access to Data Sources / FieldsLow High High - Low - I I Risk, productivity and access to more data fields User Productivity
  • 39. 39 Data sources Data Warehouse Complete policy- enforced de- identification of sensitive data across all bank entities Example of Cross Border Data-centric Security using Tokenization • Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers • Compliance with EU Cross Border Data Protection Laws • Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting Data should be protected
  • 40. 40 Local Data Security Gateways (DSG) Central Security Manager (ESA) Use Case - Compliance with cross-border and other privacy restrictions • 200 million users • 160 countries
  • 41. 41 A Data Security Gateway (DSG) can turn sensitive data to Ciphertext or Tokens DSG* *: Example of supported protocols include HTTP, HTTPS, SFTP, SMTP and API utilizing web services or REST
  • 44. 44Source: Gartner Source: Netskope Current use or plan to use: Spending by Deployment Model, Digital Commerce Platforms, Worldwide
  • 45. 45 Securing Cloud Workloads – Greatest Increase in Spending 451 Research
  • 46. 46 Security controls can be applied On-premises or Cloud • “Active Directory” • WAF • SIEM • Firewall • Encryption • Tokenization • Key Management • AV – Anti Virus • Network Sec Public Cloud / Multi- cloud
  • 47. 47 Shared responsibilities across cloud service models Source: Microsoft The Customer is Responsible for the Data across all Cloud Service Models
  • 48. 48 Legal Compliance and Nation-State Attacks • Many companies have information that is attractive to governments and intelligence services. • Others worry that litigation may result in a subpoena for all their data. Securosis, 2019 Multi-Cloud Key Management considerations Jurisdiction • Cloud service providers, especially IaaS vendors, offer services in multiple countries, often in more than one region, with redundant data centers. • This redundancy is great for resilience, but regulatory concerns arises when moving data across regions which may have different laws and jurisdictions. SecuPi
  • 49. 49Securosis, 2019 Consistency • Most firms are quite familiar with their on-premises encryption and key management systems, so they often prefer to leverage the same tool and skills across multiple clouds. • Firms often adopt a “best of breed” cloud approach. Multi-Cloud Key Management considerations Trust • Some customers simply do not trust their vendors. Vendor Lock-in and Migration • A common concern is vendor lock-in, and an inability to migrate to another cloud service provider. • Some native cloud encryption systems do not allow customer keys to move outside the system, and cloud encryption systems are based on proprietary interfaces. • The goal is to maintain protection regardless of where data resides, moving between cloud vendors. Cloud Gateway Google Cloud AWS Cloud Azure Cloud
  • 50. 50 • Amazon S3 encryption and decryption takes place in the EMRFS client on your cluster. • Objects are encrypted before being uploaded to Amazon S3 and decrypted after they are downloaded. • The EMR (Elastic MapReduce) File System (EMRFS) is an implementation of HDFS that all Amazon EMR clusters use for reading and writing regular files from Amazon EMR directly to Amazon S3. Amazon S3 client-side encryption
  • 51. 51 • Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources • Your virtual networking environment allows selection of your own IP address range, creation of subnets, and configuration AWS encryption key management
  • 52. 52 Risk Elasticity Out-sourcedIn-house On-premises On-premises Private Cloud Hosted Private Cloud Public Cloud Low - High - Computing Cost - High - Low • Encryption/decryption Point Protected data U U U • Encryption Key Management U U Multi-Cloud Key Management
  • 53. 53 A Cloud Security Gateway (CASB) can protect sensitive data in Cloud (SaaS) • Example of supported protocols include HTTP, HTTPS, SFTP, and SMTP • Based on configuration instead of programming • Secures existing web services or REST API calls • See and control where sensitive data travels 1. Install the Cloud Security Gateway in your trusted domain 2. Select the fields to be protected 3. Start using Salesforce with enhanced security • Policy Enforcement Point (PEP) Protected data fields U • Encryption Key Management Separation of Duties
  • 54. 54 Protect data before landing Enterprise Policies Apps using de-identified data Sensitive data streams Enterprise on- prem Data lifted to S3 is protected before use S3 • Applications can use de- identified data or data in the clear based on policies • Protection of data in AWS S3 before landing in a S3 bucket Protection of data in AWS S3 with Separation of Duties • Policy Enforcement Point (PEP) Separation of Duties • Encryption Key Management
  • 55. 55 Protection throughout the lifecycle of data in Hadoop Big Data Protector tokenizes or encrypts sensitive data fields Enterprise Policies Policies may be managed on-prem or Google Cloud Platform (GCP) • Policy Enforcement Point (PEP) Protected data fields U UU Big Data Protection with Granular Field Level Protection for Google Cloud Separation of Duties • Encryption Key Management
  • 56. 56 Underlying Technology for RegTech Solutions Source: medium, fintechnews
  • 57. 57 Shared platforms are most useful when built with digital technologies - Examples Source: https://regtechassociation.org/wp-content/uploads/2019/11/Protiviti-IRTA-Urgent-Call-KYC-Optimization-Final-Report.pdf
  • 58. 58 Gartner Forecast: Blockchain Business Value, Worldwide How Does Blockchain Impact RegTech? • Blockchain, the software of virtual currencies on cryptocurrencies has a major impact on RegTech. • A lot of banks are exploring blockchain and crypto initiatives for startups, technology partners, and innovators. • The blockchain technology promises to reshape RegTech.
  • 59. 59 Emerging De Jure Standards for Self-Sovereign Identity (SSI) Source: sovrin PEER DISTRIBUTED LEDGER (BLOCKCHAIN) DIGITAL WALLET CONNECTION GET CREDENTIAL SHOW CREDENTIAL 1 DIDs 2 DKMS 1. Verifiable Credentials, (W3C) 2. DID Auth, (IETF) 3. DKMS (Decentralized Key Management System), (OASIS) 4. DID (Decentralized Identifier), (W3C) SSI Example:
  • 60. 60 A zero trust architecture (US NIST, ANSI X9) 1. All data sources and computing services are considered resources. 2. All communication is secured regardless of network location. 3. Access to individual enterprise resources is granted on a per-session basis. 4. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and other behavioral attributes. 5. The enterprise monitors assets to ensure that they remain in the most secure state possible. 6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. 7. The enterprise collects the current state of network infrastructure and communications.
  • 61. 61 References: 1. California Consumer Privacy Act, OCT 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what- you-need-to-know-to-be-compliant.html 2. CIS Controls V7.1 Mapping to NIST CSF, https://dataprivacylab.org/projects/identifiability/paper1.pdf 3. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx 4. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf 5. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation 6. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM- Z/03/2018/ibm-framework-gdpr 7. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI- k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE 8. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/ ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE 9. New Enterprise Application and Data Security Challenges and Solutions https://www.brighttalk.com/webinar/new-enterprise- application-and-data-security-challenges-and-solutions/ 10. Machine Learning and AI in a Brave New Cloud World https://www.brighttalk.com/webcast/14723/357660/machine-learning-and-ai- in-a-brave-new-cloud-world 11. Emerging Data Privacy and Security for Cloud https://www.brighttalk.com/webinar/emerging-data-privacy-and-security-for-cloud/ 12. New Application and Data Protection Strategies https://www.brighttalk.com/webinar/new-application-and-data-protection- strategies-2/ 13. The Day When 3rd Party Security Providers Disappear into Cloud https://www.brighttalk.com/webinar/the-day-when-3rd-party- security-providers-disappear-into-cloud/ 14. Advanced PII/PI Data Discovery https://www.brighttalk.com/webinar/advanced-pii-pi-data-discovery/ 15. Emerging Application and Data Protection for Cloud https://www.brighttalk.com/webinar/emerging-application-and-data-protection- for-cloud/ 16. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019, ulf@ulfmattsson.com 17. Webinars and slides, www.ulfmattsson.com