This session will take a practical approach to IT risk management and discuss multi-cloud, the Verizon Data Breach Investigations Report (DBIR) and how enterprises are losing ground in the fight against persistent cyber-attacks. We simply cannot catch the bad guys until it is too late. This picture is not improving. Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools.
We will review the JP Morgan Chase data breach, where hackers were in the bank’s network for months undetected. Network configuration errors are inevitable, even at the largest banks, such as Capital One, which recently had a data breach where a hacker gained access to 100 million credit card applications and accounts.
Viewers will also learn about:
- Macro trends in Cloud security and Micro trends in Cloud security
- Risks from Quantum Computing and when we should move to alternate forms of encryption
- Review “Kill Chains” from Lockheed Martin in relation to APT and DDoS attacks
- Risk Management methods from ISACA and other organizations
Speaker: Ulf Mattsson, Head of Innovation, TokenEx
Slide 2: Ulf Mattsson
• Head of Innovation at TokenEx
• Chief Technology Officer at Protegrity
• Chief Technology Officer at Atlantic BT Security Solutions
• Chief Technology Officer at Compliance Engineering
• Developer at IBM Research and Development
• Inventor of 70+ issued US patents
• Providing products and services for Robotics, ERP, CRM, Data Encryption and Tokenization, Data Discovery, Cloud Application Security Broker, Web Application Firewall, Managed Security Services, Security Operation Center, and Benchmarking/Gap-analysis
Slide 4: Enterprises Losing Ground Against Cyber-attacks
• Verizon Data Breach Investigations Report
  • Enterprises are losing ground in the fight against persistent cyber-attacks
  • We simply cannot catch the bad guys until it is too late. This picture is not improving
  • Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
• JP Morgan Chase data breach
  • Hackers were in the bank’s network for months undetected
  • Network configuration errors are inevitable, even at the largest banks
• Capital One data breach
  • A hacker gained access to 100 million credit card applications and accounts
  • Amazon Web Services, the cloud hosting company that Capital One was using
Slide 23: Cloud Access Security Broker (CASB) (diagram)
Diagram: remote users and internal users reach the secure cloud through a Cloud Access Security Broker (CASB) / Cloud Encryption Gateway operated by an administrator. The gateway provides data security including encryption, tokenization or masking of fields or files (in transit and at rest), giving security separation between the enterprise and the cloud.
Source: Armor.com
Slide 25: Total Cost and Risk of Tokenization
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Example: 50% Lower Total Cost
Slide 26: Multi Party Computation (MPC) – Lower Risk
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Diagram of the ISO/IEC 20889 technique families:
• Cryptographic tools (CT)
  • Format Preserving Encryption (FPE): encrypted data has the same format
  • Homomorphic Encryption (HE): two values encrypted can be combined*
• Formal privacy measurement models (PMM)
  • Differential Privacy (DP), in a server model or a local model: responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator**”
  • K-anonymity model: ensures that for each identifier there is a corresponding equivalence class containing at least K records
• De-identification techniques (DT)
The entity receiving the data is looking to reduce risk.
*: Multi Party Computation (MPC)
**: Example Apple and Google
Slide 27: Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Diagram, Homomorphic Encryption (HE): clear values D1 and D2 (the diagram shows clear example values 12 and 123) are each encrypted with HE Enc under protected keys, giving Enc D1 and Enc D2. An “Untrusted Party*” applies Oper(Enc_D1, Enc_D2) directly on the ciphertexts, and HE Dec of the result yields the clear combined value.
*: Multi Party Computation (MPC)
Diagram, Format Preserving Encryption (FPE): clear D1 (shown as 123) is encrypted with FPE Enc under protected keys into a ciphertext of the same format (shown as 897); FPE Dec returns the clear 123.
Slide 28: Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Diagram, Differential Privacy (DP): clear data in the DB is only reachable through the Curator*, whose filter and cleanser stages turn clear responses into protected output.
Diagram, k-Anonymity Model: clear records pass through a filter and cleanser before being stored as protected records in the DB.
*: Example Apple and Google
• Differential Privacy (Google, Apple) and k-Anonymity Model
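To make the k-anonymity definition on slides 26 and 28 concrete, here is an added example (not from the deck or from ISO/IEC 20889) that measures the k of a constructed record set over its quasi-identifiers and coarsens ZIP and age until a target k is reached; the records, column names and generalization ladder are all assumptions.

```python
from collections import Counter

# Constructed sample records (not real people). "zip" and "age" are the
# quasi-identifiers an outsider could link to public data; "condition" is sensitive.
RECORDS = [
    {"zip": "94110", "age": 34, "condition": "flu"},
    {"zip": "94112", "age": 36, "condition": "asthma"},
    {"zip": "94110", "age": 38, "condition": "flu"},
    {"zip": "94112", "age": 31, "condition": "diabetes"},
    {"zip": "10001", "age": 52, "condition": "flu"},
    {"zip": "10002", "age": 57, "condition": "asthma"},
]

# Assumed generalization ladder: (ZIP digits kept, age bucket width), coarsest last.
STEPS = [(5, 1), (3, 10), (2, 20), (0, 100)]


def equivalence_classes(records, quasi_ids):
    """Count records per quasi-identifier tuple: each tuple is one equivalence class."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_of(records, quasi_ids):
    """The k-anonymity level is the size of the smallest equivalence class."""
    return min(equivalence_classes(records, quasi_ids).values())


def generalize(record, zip_digits, age_bucket):
    """Coarsen one record: mask trailing ZIP digits and replace age by a range label."""
    low = (record["age"] // age_bucket) * age_bucket
    masked_zip = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    return {**record, "zip": masked_zip, "age": f"{low}-{low + age_bucket - 1}"}


def anonymize_until(records, quasi_ids, k):
    """Apply successively coarser steps until every equivalence class has >= k records.

    Returns (generalized_records, achieved_k). Raises when even the coarsest step
    cannot reach k, i.e. when k exceeds the number of records.
    """
    for zip_digits, age_bucket in STEPS:
        coarse = [generalize(r, zip_digits, age_bucket) for r in records]
        achieved = k_of(coarse, quasi_ids)
        if achieved >= k:
            return coarse, achieved
    raise ValueError(f"cannot reach k={k} with {len(records)} records")
```

The raw records are only 1-anonymous (every ZIP/age pair is unique); one generalization step yields k=2, and pushing to k=3 forces the coarsest step, which is the usual trade-off between privacy and the utility of the released data.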
Slide 30: Examples of Tokenized Data Fields
Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | joe.smith@surferdude.org | eoe.nwuer@beusorpdqo.org
SSN | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | - | Encrypted
Photo | - | Encrypted
X-Ray | - | Encrypted
Use cases:
• Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.
• Financial Services: Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification.
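The table above shows tokens that keep each field’s layout and a stable fragment (the SSN’s first group, the card’s last four digits, the e-mail domain suffix). The following added example, written for this page rather than taken from TokenEx or the deck, implements that behaviour as a vault-based tokenizer: the real value is stored only in the vault map and the token is random but shaped like the original; the class name, the policy parameters and the sample values are assumptions.

```python
import secrets

DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def layout(text):
    """Describe a value's shape: 'd' per digit, 'a' per letter, separators kept as-is."""
    return "".join("d" if c.isdigit() else "a" if c.isalpha() else c for c in text)


class TokenVault:
    """Random, format-preserving tokens; real values are held only in the vault map.

    keep_prefix / keep_suffix: characters of the real value copied unchanged into
    the token (e.g. keep_prefix=3 keeps an SSN's area number, keep_suffix=4 keeps
    a card's last four digits). Everything in between is replaced class-for-class.
    """

    def __init__(self, keep_prefix=0, keep_suffix=0):
        self.keep_prefix = keep_prefix
        self.keep_suffix = keep_suffix
        self._real_by_token = {}  # the only place the real value is kept

    @staticmethod
    def _random_like(text):
        # Replace each digit with a random digit and each letter with a random
        # letter so the token passes the same format checks as the real value.
        return "".join(
            secrets.choice(DIGITS) if c.isdigit()
            else secrets.choice(LETTERS) if c.isalpha()
            else c
            for c in text
        )

    def tokenize(self, real):
        head = real[:self.keep_prefix]
        tail = real[len(real) - self.keep_suffix:] if self.keep_suffix else ""
        middle = real[self.keep_prefix:len(real) - self.keep_suffix]
        if not any(c.isalnum() for c in middle):
            raise ValueError("policy keeps the whole value; nothing left to randomize")
        for _ in range(1000):  # retry on the rare collision or identity token
            token = head + self._random_like(middle) + tail
            if token != real and token not in self._real_by_token:
                self._real_by_token[token] = real
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        """Only the vault holder can map a token back; KeyError means unknown token."""
        return self._real_by_token[token]
```

Because the token carries no key material, a system that holds only tokens is outside the data environment in the sense of the slide 25 comparison; only the vault (and whoever can query it) needs the stronger controls.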
Slides 31 and 32: Business Value from Data
• User Productivity, Creativity and Data Access
Chart: Access to Data (Low to High) plotted against User Productivity (Low to High). Clear data sits at the High Risk Exposure level; tokens sit at the Low Exposure level.
Slide 33: Summary of Risks from Quantum Computing
Guidelines for Immediate Steps that can be taken
• Upgrade to AES, preferably AES-256
• Use SHA-512 for hashing
• Use stateful hash-based signatures for signing, especially for protecting upgrades of firmware/cryptographic software
• Use hybrid cryptography to protect against both weaknesses in RSA/ECC and potential weaknesses in post-quantum algorithms
Protecting Data in Transit
• As of 2018, there were no large-scale quantum computers capable of cryptographic attacks.
• However, the lack of a quantum computer does not imply that bad actors cannot prepare to mount quantum-aided attacks.
• While the attacks themselves may not be possible to launch as of 2018, preparations can be made to more easily launch them when a large-scale quantum computer becomes available.
Source: ANSI X9
Slide 34: What to do about Risks from Quantum Computing
Arvind Krishna – Director of IBM Research
• “Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now,” said Arvind Krishna, Director of IBM Research…
• “Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers.
National Institute of Standards and Technology (NIST)
• “For public key cryptography, the damage from quantum computers will be catastrophic. We must look for quantum-resistant counterparts for these cryptosystems.”
• Dr. Lily Chen, head of the National Institute of Standards and Technology’s Cryptographic Technology Group.
Institute for Quantum Computing, University of Waterloo, CA
• Dr. Michele Mosca, cofounder of the Institute for Quantum Computing at the University of Waterloo.
• It isn’t too early [to act now] for companies handling data that remains valuable for many years, such as medical or financial records.
• Such companies need to consider the risk that an adversary could capture encrypted data and store it until the day a quantum computer can decrypt it, says Mosca.
• Mosca estimates a one in seven chance that by 2026 someone, likely a nation state, will have a quantum computer able to crack encryption used for critical data today.
• “The industry’s usual recipe of waiting for catastrophe and then fixing it is very risky,” he says.
Source: ANSI X9
Slide 41: PII Inventory Risk
• Locating sensitive PII is essential to protecting it.
• However, data maps alone can't provide a complete protection or privacy picture.
• New privacy protection regulations mandate an individual's right to access their own data, the right to be forgotten, the right to port their data and the right to be notified of a breach.
• All these require knowing what data belongs to whom.
• BigID’s data discovery technology determines which data belongs to which data subject and with what level of correlation.
Source: BigID (TokenEx partner)
Slide 42: Data Minimization
• Increasingly, organizations are adopting data minimization strategies for security and privacy reasons. By deleting or reducing inessential, duplicate or unused data, organizations can minimize potential attack vectors.
• Unlike prior discovery tools, BigID can not only quickly report on duplicate data but also provide residency and usage detail, so minimization strategies can be based on secondary factors like jurisdiction and activity history.
• BigID is transforming enterprise protection and privacy of personal data.
• Organizations are facing record breaches of personal information and proliferating global privacy regulations with fines reaching 10% of annual revenue.
Source: BigID (TokenEx partner)
Slide 43: The Board’s Perception of Cybersecurity Risks
Chart: survey responses grouped as Increased significantly, Increased, High, and No change.
Source: PWC
Slide 44: Questions the Board Will Ask
Source: PWC – The Global State of Information Security Survey
Slide 47: Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
Chart: number of vulnerabilities over time.
Source: SecurityScoreCard, CloudeAssurance
Slide 49: EU General Data Protection Regulation (GDPR)
• What is Personal Data according to GDPR?
Article 4 – Definitions
• (1) ‘personal data’ means any information relating to an identified or identifiable natural person
• (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject
Slide 50: GDPR Fines
• When French regulators cited Europe's fledgling General Data Protection Act in fining Google $57 million earlier this year for playing fast and loose with consumer data in personalizing ads, experts called what was then the biggest fine issued under the new law the "tip of the iceberg."
• The U.K.'s Information Commissioner's Office (ICO) on July 8 cited GDPR in announcing it would seek a $230 million fine against British Airways (equal to 1.5 percent of the company's annual revenue) for a September 2018 breach in which attackers accessed the protected data of nearly 500,000 customers through the airline's website and mobile applications.
• The ICO alleged that ineffective security practices were to blame.
• ICO added Marriott to the list, saying it intends to seek nearly $124 million from Marriott (or 3 percent of its annual revenue) for a breach that saw hackers maintain access to the Starwood guest reservation database between 2014 and 2018, compromising 383 million customer records.
Source: rsaconference.com
Slide 52: Example of Cross Border Data-centric Security
Diagram: data sources feed a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.
Slide 53: How Should I Secure Different Types of Data?
Matrix: Type of Data (Structured, Un-structured) against Use Case (Simple to Complex).
• Data categories: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information)
• Protection methods shown: Tokenization of Fields, Encryption of Files