Uploaded bynmeyen
PPTX, PDF74 views

PyData Sri Lanka 2023 Presentation - Nuzhi Meyen-V2.pptx

The document discusses handling personally identifiable information (PII) in data engineering within the framework of various data protection laws, including Sri Lanka's Personal Data Protection Act and international standards like GDPR and CCPA. It emphasizes general principles for managing PII, such as data minimization, purpose limitation, and employs techniques like tokenization, encryption, and masking to protect sensitive data. Furthermore, it explores advanced tokenization methods and highlights the implications of privacy in the context of quantum encryption and AI technologies.

Embed presentation

Download to read offline
Techniques to Handle PII Data in Data Engineering Workflows to Ensure Compliance to Data Protection Laws Sri Lanka 2023 Nuzhi Meyen
Importance of Compliance Introduction • The Personal Data Protection Act No. 9 of 2022 (PDPA) in Sri Lanka. • Digital Personal Data Protection (DPDP) Act in India (2023) • GDPR in the EU (201 8) • CCPA in California, USA (201 8) • COPPA (1 998) • HIPPA (1 996) • PCI DSS (2004) Source - Data Privacy Vocabulary - W3C Data Privacy Vocabularies and Controls CG (DPVCG) Maximum of 2.5 Billion INR and Minimum of 500 Million INR DPDP Upto 1 0 Million Euros or 2% of preceding fiscal year turnover* GDPR Upto a maximum of 1 0 Million LKR PDPA Sri Lanka 2023
What is PII Data ? Sensitive Data Confidential Data PII stands for Personally Identifable Infformation. It is any data that could potentially identify a specific individual. Sometimes referred to as “Public” data, sensitive data is any information that can be found in public records like newspapers, telephone books, or social media sites Confidential (or “private”) Data is information that an individual would prefer not be made public. This can include information such as: • Physical home address • Telephone number (mobile, business, and personal numbers) • Date or location of their birth High-Risk Data Sometimes labeled “Restricted” data, high-risk data is the highly confidential information that supports cyber-crime activities and typically can’t be found through legal means of inquiry. This can include data such as: • Credit card information • Medical records • Social Security or TIN (Tax Identification Number) Sources - dataprivacymanager.net & digitalguardian.com Sri Lanka 2023
Data Minimization Purpose Limitation Storage Limitation General Principles for Handling PII The principle of data minimization encourages organizations to only collect the data that is absolutely necessary for the specific purpose it will serve. This principle states that data should only be used for the purpose for which it was initially collected. This principle advocates for the deletion of personal data once it is no longer necessary for the purpose it was collected for. Sri Lanka 2023
Data Engineering Techniques Tokenization Replace sensitive data with non-sensitive placeholders. There are several data engineering techniques which can be considered in the context of handling PII data. A few of them are given below. Encryption • At-rest: Encrypte data when it's stored • In- transit: Use SSL/TLS encryption during data transfer. Masking Conceal portions of the data to protect it. Role-Based Access Control (RBAC) Limit access to data based on roles within the organization Auditing & Monitoring Track who access what data, when and why. Sri Lanka 2023
What it is : This algorithm keeps the format of the input data. For example, if a 1 6-digit credit card number is tokenized, the token will also be a 1 6-digit number. Use Case: Useful in scenarios where the format of the tokenized data needs to be similar to the original data, such as in legacy systems. Format-Preserving Encryption (FPE) Tokenization Secure Hash Algorithm (SHA) Tokenization What it is : Uses a one-way hash function to create a hash of the original data. A random salt is then added to the hash. The salted hash is then stored as a token. Use Case: Suited for situations where you don't need to retrieve the original data but do need to verify the integrity of the data.. Random Tokenization What it is : Generates a completely random string as a token and maps it to the original data in a secure lookup table. Use Case: Good for general- purpose tokenization where format preservation is not necessary. Cipher-Based Tokenization What it is : Generates a completely random string as a token and maps it to the original data in a secure lookup table. Use Case: Good for general- purpose tokenization where format preservation is not necessary. Vault-Based Tokenization What it is : Stores the original data in a highly secure data vault. Each piece of stored data is mapped to a unique token. Use Case: Ideal for applications that require high levels of security but also need to detokenize data frequently. Sri Lanka 2023
# Install with: pip install pyffx (Format-preserving, Feistel based Encryption - FFX) import pyffx key = b'secret-key' credit_card = '1234567812345678' # Create an FPE cipher object e = pyffx.String(key, alphabet='0123456789', length=len(credit_card)) # Tokenize token = e.encrypt(credit_card) # Detokenize original = e.decrypt(token) print(f'Token: {token}, Original: {original}') Tokenization - FPE Sri Lanka 2023
import hashlib import os def sha_tokenization(data): salt = os.urandom(16) hash_obj = hashlib.sha256() hash_obj.update(data.encode('utf-8')) hash_obj.update(salt) return hash_obj.hexdigest() original_data = "sensitive_information" token = sha_tokenization(original_data) print(f'Token: {token}') ) Tokenization - SHA Sri Lanka 2023
import uuid def random_tokenization(data, token_map): token = str(uuid.uuid4()) token_map[token] = data return token token_map = {} original_data = "sensitive_data" token = random_tokenization(original_data, token_map) print(f'Token: {token}, Original: {token_map[token]}') ) Tokenization - Random Sri Lanka 2023
# Install with: pip install cryptography from cryptography.fernet import Fernet key = Fernet.generate_key() cipher_suite = Fernet(key) # Tokenize token = cipher_suite.encrypt(b"Sensitive Data") # Detokenize original = cipher_suite.decrypt(token) print(f'Token: {token}, Original: {original.decode()}') Tokenization - Cipher based Sri Lanka 2023
import hvac # Initialize Vault client client = hvac.Client() # Verify if Vault is initialized and unsealed assert client.is_initialized() is True assert client.sys.is_sealed() is False # Create a secret in the Vault (Tokenization) write_response = client.secrets.kv.v2.create_or_update_secret( path='my-secret', secret=dict(sensitive_data="This is very secret information"), ) # The returned `write_response` will contain metadata, not the token # In Vault, the token is usually the path ('my-secret' in this case) # Retrieve the secret from the Vault (Detokenization) read_response = client.secrets.kv.read_secret_version( path='my-secret', ) sensitive_data = read_response['data']['data']['sensitive_data'] print(f"Sensitive Data Retrieved: {sensitive_data}") Tokenization - Vault based Sri Lanka 2023
What it is : To completely hide the original data. Use Case: Useful for fields where the actual information is extremely sensitive and should not be exposed under any circumstances, such as Social Security numbers or passwords in a system log. Redaction Masking Partial Masking What it is : To conceal only part of the data, leaving some characters visible. Use Case: Commonly used for email addresses or phone numbers in customer interfaces, where the full visibility of the data is not necessary but some context is useful. For instance, showing only the last four digits of a credit card number. Shuffling What it is : To randomize the order of the characters in the data. Use Case: Suitable for textual data where the format needs to be preserved but the data should not be recognizable. It's not ideal for numerical data or data with a specific pattern Substitution What it is : To replace each character or substring with another character or substring based on a mapping. Use Case: Useful when you need a reversible masking process. For example, during software testing, you might want to mask sensitive data but will need to revert it back to its original form for verification Number Variance What it is : To add a random variance to numerical data. Use Case: Useful for datasets involving numbers where the exact number is sensitive but the general range is not. For instance, in a dataset used for salary analysis, you might add variance to the actual salaries to protect individual privacy while maintaining the overall distribution for analytical purposes. Sri Lanka 2023
Sri Lanka 2023 Real World Implications
1 0% Points to consider ... • What will privacy look like in a post quantum encryption timeline ? NIST has already developed standards for quantum-safe cryptographic algorithms. • How will Generative AI technology such as LLM in the form of ChatGPT etc. impact how developers in the middle develop secure code without privacy leaks in the context of code generation? eg: CodexLeaks: Privacy Leaks from Code Generation Language Models in GitHub Copilot Sri Lanka 2023

More Related Content

PPTX
PCI DSS Conference in London UK 2011
byUlf Mattsson
 
PPTX
New york oracle users group 2013 spring general meeting ulf mattsson
byUlf Mattsson
 
PDF
Enterprise Data Protection - Understanding Your Options and Strategies
byUlf Mattsson
 
PPT
IBM Share Conference 2010, Boston, Ulf Mattsson
byUlf Mattsson
 
PPT
Protecting Sensitive Data using Encryption and Key Management
byStuart Marsh
 
PPTX
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
byUlf Mattsson
 
PPTX
ISSA: Next Generation Tokenization for Compliance and Cloud Data Protection
byUlf Mattsson
 
PDF
Data security to protect pci data flow ulf mattsson - insecure-mag-40
byUlf Mattsson
 
PCI DSS Conference in London UK 2011
byUlf Mattsson
 
New york oracle users group 2013 spring general meeting ulf mattsson
byUlf Mattsson
 
Enterprise Data Protection - Understanding Your Options and Strategies
byUlf Mattsson
 
IBM Share Conference 2010, Boston, Ulf Mattsson
byUlf Mattsson
 
Protecting Sensitive Data using Encryption and Key Management
byStuart Marsh
 
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
byUlf Mattsson
 
ISSA: Next Generation Tokenization for Compliance and Cloud Data Protection
byUlf Mattsson
 
Data security to protect pci data flow ulf mattsson - insecure-mag-40
byUlf Mattsson
 

Similar to PyData Sri Lanka 2023 Presentation - Nuzhi Meyen-V2.pptx

PDF
Isaca global journal - choosing the most appropriate data security solution ...
byUlf Mattsson
 
PDF
Data security or technology what drives dlp implementation
bySatyanandan Atyam
 
PPTX
What I learned at the Infosecurity ISACA North America Conference 2019
byUlf Mattsson
 
PPTX
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
byUlf Mattsson
 
PDF
SIH20241668PII20240930095055.pdfidididiidididi
byragavananitham
 
PDF
Data Privacy with Apache Spark: Defensive and Offensive Approaches
byDatabricks
 
PPTX
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
PPT
Protecting Your Data in the Cloud - CSO - Conference 2011
byUlf Mattsson
 
PPTX
ISSA Atlanta - Emerging application and data protection for multi cloud
byUlf Mattsson
 
PPTX
Cacs na isaca session 414 ulf mattsson may 10 final
byUlf Mattsson
 
PPTX
Data protection on premises, and in public and private clouds
byUlf Mattsson
 
PPTX
Securing data today and in the future - Oracle NYC
byUlf Mattsson
 
PDF
Key Concepts for Protecting the Privacy of IBM i Data
byPrecisely
 
PDF
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
byIRJET Journal
 
PPTX
Isaca how innovation can bridge the gap between privacy and regulations
byUlf Mattsson
 
PDF
Privacy Management System: Protect Data or Perish
byRSIS International
 
PDF
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
byIRJET Journal
 
PPTX
Isaca atlanta - practical data security and privacy
byUlf Mattsson
 
PDF
A Survey On Data Leakage Detection
byIJERA Editor
 
PPTX
Tokenization on the Node - Data Protection for Security and Compliance
byUlf Mattsson
 
Isaca global journal - choosing the most appropriate data security solution ...
byUlf Mattsson
 
Data security or technology what drives dlp implementation
bySatyanandan Atyam
 
What I learned at the Infosecurity ISACA North America Conference 2019
byUlf Mattsson
 
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
byUlf Mattsson
 
SIH20241668PII20240930095055.pdfidididiidididi
byragavananitham
 
Data Privacy with Apache Spark: Defensive and Offensive Approaches
byDatabricks
 
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
Protecting Your Data in the Cloud - CSO - Conference 2011
byUlf Mattsson
 
ISSA Atlanta - Emerging application and data protection for multi cloud
byUlf Mattsson
 
Cacs na isaca session 414 ulf mattsson may 10 final
byUlf Mattsson
 
Data protection on premises, and in public and private clouds
byUlf Mattsson
 
Securing data today and in the future - Oracle NYC
byUlf Mattsson
 
Key Concepts for Protecting the Privacy of IBM i Data
byPrecisely
 
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
byIRJET Journal
 
Isaca how innovation can bridge the gap between privacy and regulations
byUlf Mattsson
 
Privacy Management System: Protect Data or Perish
byRSIS International
 
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
byIRJET Journal
 
Isaca atlanta - practical data security and privacy
byUlf Mattsson
 
A Survey On Data Leakage Detection
byIJERA Editor
 
Tokenization on the Node - Data Protection for Security and Compliance
byUlf Mattsson
 

Recently uploaded

PPTX
Image to Text converts images into editable text - AI Image to Text
byAI Image to Text
 
PPTX
Computing Adnans presentation OTHM level 3
bymashikhossain23
 
PDF
apidays Paris 2025 | AI and APIs - Ensuring Platform Migration Reliability wi...
byapidays
 
PDF
AI Concepts - MCP Neurons
byPhilip Schwarz
 
PDF
Common CRM Implementation Mistakes & How to Avoid Them.pdf
byCRMLeaf
 
PDF
Ready to go Zillow Clone Script from Zipprr
byZipprr Official
 
PPTX
The Best Open Source Analytics Platform Like ThoughtSpot.pptx
byVarsha Nayak
 
PDF
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
PDF
Achieving App Stability through mobile performance testing
byAvekshaa Technologies
 
PDF
Wormhole Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
PDF
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
PDF
AI Development Services: MVP to Production Guide
byShiv Technolabs Pvt. Ltd.
 
PDF
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
PDF
erp software for trading business in india.pdf
byZipERP
 
PDF
How ISO 27001 Automation Reduces Audit Effort and Improves Security Controls
bySoclyio
 
PPTX
Choosing Your Web3 Architecture: L1 vs L2 vs Appchain
bystorygamemarketing
 
PDF
The Hidden Cost of “Quick” Web App Development
byiProgrammer Solutions Private Limited
 
PDF
End-to-End Web & Mobile App Development Roadmap for Modern Businesses.pdf
byNaestinn
 
PDF
Python Services Power Smart Data-Driven Software
byShiv Technolabs Pvt. Ltd.
 
PDF
ment.tech-What Infrastructure as Code Means for Businesses.pdf
bysj2643598
 
Image to Text converts images into editable text - AI Image to Text
byAI Image to Text
 
Computing Adnans presentation OTHM level 3
bymashikhossain23
 
apidays Paris 2025 | AI and APIs - Ensuring Platform Migration Reliability wi...
byapidays
 
AI Concepts - MCP Neurons
byPhilip Schwarz
 
Common CRM Implementation Mistakes & How to Avoid Them.pdf
byCRMLeaf
 
Ready to go Zillow Clone Script from Zipprr
byZipprr Official
 
The Best Open Source Analytics Platform Like ThoughtSpot.pptx
byVarsha Nayak
 
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
Achieving App Stability through mobile performance testing
byAvekshaa Technologies
 
Wormhole Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
AI Development Services: MVP to Production Guide
byShiv Technolabs Pvt. Ltd.
 
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
erp software for trading business in india.pdf
byZipERP
 
How ISO 27001 Automation Reduces Audit Effort and Improves Security Controls
bySoclyio
 
Choosing Your Web3 Architecture: L1 vs L2 vs Appchain
bystorygamemarketing
 
The Hidden Cost of “Quick” Web App Development
byiProgrammer Solutions Private Limited
 
End-to-End Web & Mobile App Development Roadmap for Modern Businesses.pdf
byNaestinn
 
Python Services Power Smart Data-Driven Software
byShiv Technolabs Pvt. Ltd.
 
ment.tech-What Infrastructure as Code Means for Businesses.pdf
bysj2643598
 

PyData Sri Lanka 2023 Presentation - Nuzhi Meyen-V2.pptx

  • 1.
    Techniques to HandlePII Data in Data Engineering Workflows to Ensure Compliance to Data Protection Laws Sri Lanka 2023 Nuzhi Meyen
  • 2.
    Importance of Compliance Introduction •The Personal Data Protection Act No. 9 of 2022 (PDPA) in Sri Lanka. • Digital Personal Data Protection (DPDP) Act in India (2023) • GDPR in the EU (201 8) • CCPA in California, USA (201 8) • COPPA (1 998) • HIPPA (1 996) • PCI DSS (2004) Source - Data Privacy Vocabulary - W3C Data Privacy Vocabularies and Controls CG (DPVCG) Maximum of 2.5 Billion INR and Minimum of 500 Million INR DPDP Upto 1 0 Million Euros or 2% of preceding fiscal year turnover* GDPR Upto a maximum of 1 0 Million LKR PDPA Sri Lanka 2023
  • 3.
    What is PIIData ? Sensitive Data Confidential Data PII stands for Personally Identifable Infformation. It is any data that could potentially identify a specific individual. Sometimes referred to as “Public” data, sensitive data is any information that can be found in public records like newspapers, telephone books, or social media sites Confidential (or “private”) Data is information that an individual would prefer not be made public. This can include information such as: • Physical home address • Telephone number (mobile, business, and personal numbers) • Date or location of their birth High-Risk Data Sometimes labeled “Restricted” data, high-risk data is the highly confidential information that supports cyber-crime activities and typically can’t be found through legal means of inquiry. This can include data such as: • Credit card information • Medical records • Social Security or TIN (Tax Identification Number) Sources - dataprivacymanager.net & digitalguardian.com Sri Lanka 2023
  • 4.
    Data Minimization Purpose Limitation StorageLimitation General Principles for Handling PII The principle of data minimization encourages organizations to only collect the data that is absolutely necessary for the specific purpose it will serve. This principle states that data should only be used for the purpose for which it was initially collected. This principle advocates for the deletion of personal data once it is no longer necessary for the purpose it was collected for. Sri Lanka 2023
  • 5.
    Data Engineering Techniques Tokenization Replace sensitivedata with non-sensitive placeholders. There are several data engineering techniques which can be considered in the context of handling PII data. A few of them are given below. Encryption • At-rest: Encrypte data when it's stored • In- transit: Use SSL/TLS encryption during data transfer. Masking Conceal portions of the data to protect it. Role-Based Access Control (RBAC) Limit access to data based on roles within the organization Auditing & Monitoring Track who access what data, when and why. Sri Lanka 2023
  • 6.
    What it is: This algorithm keeps the format of the input data. For example, if a 1 6-digit credit card number is tokenized, the token will also be a 1 6-digit number. Use Case: Useful in scenarios where the format of the tokenized data needs to be similar to the original data, such as in legacy systems. Format-Preserving Encryption (FPE) Tokenization Secure Hash Algorithm (SHA) Tokenization What it is : Uses a one-way hash function to create a hash of the original data. A random salt is then added to the hash. The salted hash is then stored as a token. Use Case: Suited for situations where you don't need to retrieve the original data but do need to verify the integrity of the data.. Random Tokenization What it is : Generates a completely random string as a token and maps it to the original data in a secure lookup table. Use Case: Good for general- purpose tokenization where format preservation is not necessary. Cipher-Based Tokenization What it is : Generates a completely random string as a token and maps it to the original data in a secure lookup table. Use Case: Good for general- purpose tokenization where format preservation is not necessary. Vault-Based Tokenization What it is : Stores the original data in a highly secure data vault. Each piece of stored data is mapped to a unique token. Use Case: Ideal for applications that require high levels of security but also need to detokenize data frequently. Sri Lanka 2023
  • 7.
    # Install with:pip install pyffx (Format-preserving, Feistel based Encryption - FFX) import pyffx key = b'secret-key' credit_card = '1234567812345678' # Create an FPE cipher object e = pyffx.String(key, alphabet='0123456789', length=len(credit_card)) # Tokenize token = e.encrypt(credit_card) # Detokenize original = e.decrypt(token) print(f'Token: {token}, Original: {original}') Tokenization - FPE Sri Lanka 2023
  • 8.
    import hashlib import os defsha_tokenization(data): salt = os.urandom(16) hash_obj = hashlib.sha256() hash_obj.update(data.encode('utf-8')) hash_obj.update(salt) return hash_obj.hexdigest() original_data = "sensitive_information" token = sha_tokenization(original_data) print(f'Token: {token}') ) Tokenization - SHA Sri Lanka 2023
  • 9.
    import uuid def random_tokenization(data,token_map): token = str(uuid.uuid4()) token_map[token] = data return token token_map = {} original_data = "sensitive_data" token = random_tokenization(original_data, token_map) print(f'Token: {token}, Original: {token_map[token]}') ) Tokenization - Random Sri Lanka 2023
  • 10.
    # Install with:pip install cryptography from cryptography.fernet import Fernet key = Fernet.generate_key() cipher_suite = Fernet(key) # Tokenize token = cipher_suite.encrypt(b"Sensitive Data") # Detokenize original = cipher_suite.decrypt(token) print(f'Token: {token}, Original: {original.decode()}') Tokenization - Cipher based Sri Lanka 2023
  • 11.
    import hvac # InitializeVault client client = hvac.Client() # Verify if Vault is initialized and unsealed assert client.is_initialized() is True assert client.sys.is_sealed() is False # Create a secret in the Vault (Tokenization) write_response = client.secrets.kv.v2.create_or_update_secret( path='my-secret', secret=dict(sensitive_data="This is very secret information"), ) # The returned `write_response` will contain metadata, not the token # In Vault, the token is usually the path ('my-secret' in this case) # Retrieve the secret from the Vault (Detokenization) read_response = client.secrets.kv.read_secret_version( path='my-secret', ) sensitive_data = read_response['data']['data']['sensitive_data'] print(f"Sensitive Data Retrieved: {sensitive_data}") Tokenization - Vault based Sri Lanka 2023
  • 12.
    What it is: To completely hide the original data. Use Case: Useful for fields where the actual information is extremely sensitive and should not be exposed under any circumstances, such as Social Security numbers or passwords in a system log. Redaction Masking Partial Masking What it is : To conceal only part of the data, leaving some characters visible. Use Case: Commonly used for email addresses or phone numbers in customer interfaces, where the full visibility of the data is not necessary but some context is useful. For instance, showing only the last four digits of a credit card number. Shuffling What it is : To randomize the order of the characters in the data. Use Case: Suitable for textual data where the format needs to be preserved but the data should not be recognizable. It's not ideal for numerical data or data with a specific pattern Substitution What it is : To replace each character or substring with another character or substring based on a mapping. Use Case: Useful when you need a reversible masking process. For example, during software testing, you might want to mask sensitive data but will need to revert it back to its original form for verification Number Variance What it is : To add a random variance to numerical data. Use Case: Useful for datasets involving numbers where the exact number is sensitive but the general range is not. For instance, in a dataset used for salary analysis, you might add variance to the actual salaries to protect individual privacy while maintaining the overall distribution for analytical purposes. Sri Lanka 2023
  • 13.
  • 14.
    1 0% Points toconsider ... • What will privacy look like in a post quantum encryption timeline ? NIST has already developed standards for quantum-safe cryptographic algorithms. • How will Generative AI technology such as LLM in the form of ChatGPT etc. impact how developers in the middle develop secure code without privacy leaks in the context of code generation? eg: CodexLeaks: Privacy Leaks from Code Generation Language Models in GitHub Copilot Sri Lanka 2023

Editor's Notes