The upcoming PCI DSS version 4.0 will include many new or revised requirements, and compensating controls will be removed. It will include support for a range of evolving payment environments, technologies, and methodologies for achieving security. PCI DSS v4.0 further supports the use of new technologies. The new validation option gives organizations the flexibility to take a customized approach to demonstrating how they meet the security intent of each PCI DSS requirement. This customized approach supports organizations whose security approaches differ from traditional PCI DSS requirements.
Through customized validation, entities can show how their specific implementation meets the intent and addresses the risk. Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based.
We will discuss how PCI DSS v4 may impact:
- Implementation of the new “Customized Controls”
- Cloud implementations
- Compliance cost
- Changes in liability
- Relation to the 49 new US State Laws
- PII and PI privacy
- Measure data re-identifiability for pseudonymization
- Apply data protection to discovered sensitive data
Jun 29 new privacy technologies for unicode and international data standards ... (Ulf Mattsson)
Protecting the increasing use of international Unicode characters is required by a growing number of privacy laws in many countries and by general privacy concerns about private data. Current approaches to protecting international Unicode characters increase the size of the data and change its format. This breaks many applications and slows down business operations. The current approach also randomly returns data in new and unexpected languages. A new approach with significantly higher performance and a customizable memory footprint can fit on small IoT devices.
We will discuss new approaches to achieve portability, security, performance, a small memory footprint and language preservation for privacy protection of Unicode data. These new approaches provide granular protection for all Unicode languages and customizable alphabets, and byte-length-preserving protection of privacy-protected characters.
Old Approaches
Major Issues
Protecting the increasing use of international Unicode characters is required by a growing number of privacy laws in many countries and by general privacy concerns about private data.
Old approaches to protecting international Unicode characters typically increase the size of the data and change its format.
This breaks many applications and slows down business operations. The example shown is an old approach that also randomly returns data in new and unexpected languages.
Book chapter topics (recovered from the book's table-of-contents graphic): I. Introduction and Vision; II. Data Confidentiality and Integrity; III. Users and Authorization; IV. Applications; V. Platforms; VI. Summary. Chapters cover Quantum Computing, Blockchain, Reversible Protection, Non-Reversible Protection, Privacy by Design, Applications and APIs, Privacy, Risks, and Threats, Machine Learning and Analytics, International Unicode, Secure Multi-party Computing, Computing on Encrypted Data, Internet of Things, Standards and Regulations, Governance, Guidance, and Frameworks, Access Control, Zero Trust Architecture, Trusted Execution Environments, Hybrid Cloud, CASB and SASE, Discovery and Search, Best Practices, Roadmap, and Vision, Trends, Innovation, and Evolution, a Glossary, and Appendices A to E.
qubit-conference-new-york-2021: https://nyc.qubitconference.com/
Cybersecurity: Get ready for the unpredictable
Create a sound cybersecurity strategy based on the right technology & budgetary insights, proven practices, and processes for SMEs.
This virtual event will equip CxOs and cybersecurity teams with the right intel to create a sound cybersecurity strategy based on the right technology & budgetary insights, proven practices, and processes specially tailored for SMEs.
Find out how to bring smart design to your cybersecurity architecture and processes, what to automate, and how to properly set up internal and external ownership.
A proven cybersecurity strategy that fits your environment can go a long way. Know what to do in-house and what to outsource, set up your budgets right, and get help from the right cybersecurity specialists.
Secure analytics and machine learning in cloud use cases (Ulf Mattsson)
Table of Contents:
- Secure Analytics and Machine Learning in Cloud
  - Use case #1 in Financial Industry
    - Data Flow
    - The approach can be used for other use cases
  - Homomorphic Encryption for Secure Machine Learning in Cloud
    - Evolving Homomorphic Encryption
    - Performance Examples – HE, RSA and AES
    - Performance Examples – FHE, NTRU, ECC, RSA and AES
    - Some popular HE schemes
    - Examples of HE Libraries used by IBM, Duality, and Microsoft
- Fast Homomorphic Encryption for Secure Analytics in Cloud
  - Use case #2 in Health Care
    - Provable security for untrusted environments
    - Comparison to multiparty computation and trusted execution environments
    - Time and memory requirements of HE
- Managing Data Security in Hybrid Cloud
  - Data Security Policy and Zero Trust Architecture
  - The future of encryption will change in the Post-Quantum Era
- Managing Data Security in a Hybrid World
- Evolving Privacy Regulations
  - New Ruling in GDPR under "Schrems II"
  - The new California Privacy Rights Act (CPRA)
Evolving international privacy regulations and cross border data transfer - g... (Ulf Mattsson)
We will discuss the evolving international privacy regulations. Cross-border data transfer under GDPR following Schrems II is now governed by an EU court ruling that defined what is required. This ruling can be far-reaching for many businesses.
Data encryption and tokenization for international unicode (Ulf Mattsson)
Unicode is an information technology standard for the consistent encoding, representation, and handling of text expressed in most of the world's writing systems. The standard is maintained by the Unicode Consortium, and as of March 2020, it has a total of 143,859 characters, with Unicode 13.0 (these characters consist of 143,696 graphic characters and 163 format characters) covering 154 modern and historic scripts, as well as multiple symbol sets and emoji. The character repertoire of the Unicode Standard is synchronized with ISO/IEC 10646, each being code-for-code identical with the other.
The Unicode Standard consists of a set of code charts for visual reference, an encoding method and set of standard character encodings, a set of reference data files, and a number of related items, such as character properties, rules for normalization, decomposition, collation, rendering, and bidirectional text display order (for the correct display of text containing both right-to-left scripts, such as Arabic and Hebrew, and left-to-right scripts). Unicode's success at unifying character sets has led to its widespread and predominant use in the internationalization and localization of computer software. The standard has been implemented in many recent technologies, including modern operating systems, XML, Java (and other programming languages), and the .NET Framework.
Unicode can be implemented by different character encodings. The Unicode standard defines the Unicode Transformation Formats (UTF) UTF-8, UTF-16, and UTF-32, and several other encodings. The most commonly used encodings are UTF-8, UTF-16, and UCS-2 (a precursor of UTF-16 without full support for Unicode).
The future of data security and blockchain (Ulf Mattsson)
Discussion of Post-Quantum Cryptography and other technologies:
Data Security Techniques
Secure Multi-Party Computation (SMPC)
Homomorphic encryption (HE)
Differential Privacy (DP) and K-Anonymity
Pseudonymization and Anonymization
Synthetic Data
Zero trust architecture (ZTA)
Zero-knowledge proofs (ZKP)
Private Set Intersection (PSI)
Trusted execution environments (TEE)
Post-Quantum Cryptography
Blockchain
Regulations and Standards in Data Privacy
GDPR and evolving international privacy regulations (Ulf Mattsson)
Convergence of data privacy principles, standards and regulations
General Data Protection Regulation (GDPR)
GDPR and California Consumer Privacy Act (CCPA)
What role do technologies play in compliance?
Use Cases
Privacy preserving computing and secure multi-party computation ISACA Atlanta (Ulf Mattsson)
A major challenge that many organizations face is how to address data privacy regulations such as CCPA, GDPR and other emerging regulations around the world, including data residency controls, while also enabling data sharing in a secure and private fashion. We will present solutions that can reduce or remove the legal, risk and compliance processes normally associated with data sharing projects by allowing organizations to collaborate across divisions, with other organizations, and across jurisdictions where data cannot be relocated or shared.
We will discuss secure multi-party computation where organizations want to securely share sensitive data without revealing their private inputs. We will review solutions that are driving faster time to insight by the use of different techniques for privacy-preserving computing including homomorphic encryption, k-anonymity and differential privacy. We will present best practices and how to control privacy and security throughout the data life cycle. We will also review industry standards, implementations, policy management and case studies for hybrid cloud and on-premises.
Safeguarding customer and financial data in analytics and machine learning (Ulf Mattsson)
Digital transformation and the opportunities to use data in analytics and machine learning are growing exponentially, but so too are the business and financial risks in data privacy. The increasing number of privacy incidents and data breaches is destroying brands and customer trust, and we will discuss how business prioritization can benefit from a finance-based data risk assessment (FinDRA).
More than 60 countries have introduced privacy laws, and by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations. We will discuss use cases in financial services that are finding a balance between new technology impact, regulatory compliance, and commercial business opportunity. Several privacy-preserving and privacy-enhancing techniques can provide practical security for data in use and data sharing, but none universally covers all use cases. We will discuss what tools we can use to mitigate business risks caused by security threats, data residency and privacy issues. We will discuss how technologies like pseudonymization, anonymization, tokenization, encryption, masking and privacy preservation are used in analytics, business intelligence and machine learning.
Organizations are increasingly concerned about data security when processing personal information in external environments such as the cloud, and when sharing information. Data is spreading across hybrid IT infrastructure, on-premises and multi-cloud services, and we will discuss how to enforce consistent and holistic data security and privacy policies. Increasing numbers of data security, privacy and identity access management products are in use, but they do not integrate and do not share common policies; we will discuss use cases in financial services of different techniques to protect and manage data security and privacy.
Protecting data privacy in analytics and machine learning ISACA London UK (Ulf Mattsson)
ISACA London Chapter webinar, Feb 16th 2021
Topic: “Protecting Data Privacy in Analytics and Machine Learning”
Abstract:
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy-preserving techniques. A retail company used secure multi-party computation to respect user privacy and specific regulations while allowing the retailer to gain insights and protect the organization’s IP. Secure data sharing is used by a healthcare organization to protect the privacy of individuals; it also stores and searches encrypted medical data in the cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
New opportunities and business risks with evolving privacy regulations (Ulf Mattsson)
In the shadow of the global pandemic and the associated economic downturn, organizations are focused on cost optimization, which often leads to impulsive decisions to deprioritize compliance with all nonrevenue programs.
Regulators have evolved to adapt with the notable increase in data subject complaints and are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine while Equifax agreed to pay a minimum of $575 million for its breach. The US Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories sued over the company’s failure to take “reasonable steps” to secure its sensitive personal data.
Privacy and data protection are enforced by a growing number of regulations around the world and people are actively demanding privacy protection — and legislators are reacting. More than 60 countries have introduced privacy laws in response to citizens’ cry for transparency and control. By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today, according to Gartner. There is a convergence of data privacy principles, standards and regulations on a common set of fundamental principles.
The opportunities to use data are growing exponentially, but so too are the business and financial risks as the number of data protection and privacy regulations grows internationally.
Join this webinar to learn more about:
- Trends in modern privacy regulations
- The impact on organizations to protect and use sensitive data
- Data privacy principles
- The impact of General Data Protection Regulation (GDPR) and data transfer between US and EU
- The evolving CCPA, the new PCI DSS version 4 and new international data privacy laws or regulations
- Data privacy best practices, use cases and how to control sensitive personal data throughout the data life cycle
What is tokenization in blockchain - BCS London (Ulf Mattsson)
BCS North London Branch in association with Central London Branch webinar (by GoToWebinar)
Date: 2nd December 2020
Time: 18.00 to 19.30
Event title: Blockchain tokenization “What is tokenization in Blockchain?”
Agenda
Blockchain
What is Blockchain?
Use cases, trends and risks
Vendors and platforms
Data protection techniques and scalability
Tokenization
Digital business
Convert a digital value into a digital token
Local and central models
Cloud
Tokenization in Hybrid cloud
Protecting data privacy in analytics and machine learning - ISACA (Ulf Mattsson)
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b (Ulf Mattsson)
Blockchain
- What is Blockchain?
- Blockchain trends
Emerging data protection techniques
- Secure multiparty computation
- Trusted execution environments
- Use cases for analytics
- Industry Standards
Tokenization
- Convert a digital value into a digital token
- Tokenization local or in a centralized model
- Tokenization and scalability
Cloud
- Analytics in Hybrid cloud
Unlock the potential of data security 2020 (Ulf Mattsson)
Explore the challenges of managing and protecting data. We'll share best practices on establishing the right balance between privacy, security, and compliance.
Tokenization on blockchain is a steady trend. It seems that everything is being tokenized on blockchain, from paintings, diamonds and company stocks to real estate. In each case an asset is tokenized and a digital representation of it is created that lives on the blockchain. The blockchain guarantees that the ownership information is immutable.
Unfortunately, some problems need to be solved before we can successfully tokenize real-world assets on blockchain. The main problem stems from the fact that, so far, no country has solid regulation for cryptocurrency. For example, what happens if a company that handles tokenization sells the property? Token holders have no legal rights to the property and thus are not protected by the law. Another problem is that this system brings back some degree of centralization, whereas the whole idea of blockchain, and especially smart contracts, is to create a trustless environment.
Tokenization is a method that converts a digital value into a digital token. Tokenization can be used as a method that converts rights to an asset into a digital token.
The tokenization system can be implemented local to the data that is tokenized or in a centralized model. We will discuss tokenization implementations that can provide scalability across hybrid cloud models. This session will position different data protection techniques, use cases for blockchain, and protecting blockchain.
Protecting Data Privacy in Analytics and Machine Learning (Ulf Mattsson)
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to use open source tools to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about. In this session, we will discuss technologies that help protect people, preserve privacy, and enable you to do machine learning confidentially.
This session discusses industry standards and emerging privacy-enhanced computation techniques, secure multiparty computation, and trusted execution environments. We will discuss how the Zero Trust philosophy fundamentally changes the way we approach security, since trust is a vulnerability that can be exploited, particularly when working remotely and increasingly using cloud models. We will also discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy-preserving techniques. A retail company used secure multi-party computation to respect user privacy and specific regulations while allowing the retailer to gain insights and protect the organization’s IP. Secure data sharing is used by a healthcare organization to protect the privacy of individuals; it also stores and searches encrypted medical data in the cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
Evolving regulations are changing the way we think about tools and technology (Ulf Mattsson)
Discover the latest in RegTech and stay up-to-date on compliance tools and best practices.
The move to digital has meant that many organizations have had to rethink legacy systems.
They need to put the customer first, focus on the Customer Experience and Digital Experience Platforms.
They also need to understand the latest in RegTech and solutions for hybrid cloud.
We will discuss Regtech for the financial industry and related technologies for compliance.
We will discuss new International Standards, tools and best practices for financial institutions including PCI v4, FFIEC, NACHA, NIST, GDPR and CCPA.
We will discuss related technologies for Data Security and Privacy, including data de-identification, encryption, tokenization and the new API Economy.
The future of data security and blockchain, by Ulf Mattsson
Discussion of Post-Quantum Cryptography and other technologies:
Data Security Techniques
- Secure Multi-Party Computation (SMPC)
- Homomorphic encryption (HE)
- Differential Privacy (DP) and K-Anonymity
- Pseudonymization and Anonymization
- Synthetic Data
- Zero trust architecture (ZTA)
- Zero-knowledge proofs (ZKP)
- Private Set Intersection (PSI)
- Trusted execution environments (TEE)
- Post-Quantum Cryptography
- Blockchain
Regulations and Standards in Data Privacy
GDPR and evolving international privacy regulations, by Ulf Mattsson
- Convergence of data privacy principles, standards and regulations
- General Data Protection Regulation (GDPR)
- GDPR and California Consumer Privacy Act (CCPA)
- What role do technologies play in compliance
- Use Cases
Privacy preserving computing and secure multi-party computation ISACA Atlanta, by Ulf Mattsson
A major challenge that many organizations face is how to address data privacy regulations such as CCPA, GDPR and other emerging regulations around the world, including data residency controls, while also enabling data sharing in a secure and private fashion. We will present solutions that can reduce and remove the legal, risk and compliance processes normally associated with data sharing projects by allowing organizations to collaborate across divisions, with other organizations and across jurisdictions where data cannot be relocated or shared.
We will discuss secure multi-party computation where organizations want to securely share sensitive data without revealing their private inputs. We will review solutions that are driving faster time to insight by the use of different techniques for privacy-preserving computing including homomorphic encryption, k-anonymity and differential privacy. We will present best practices and how to control privacy and security throughout the data life cycle. We will also review industry standards, implementations, policy management and case studies for hybrid cloud and on-premises.
Safeguarding customer and financial data in analytics and machine learning, by Ulf Mattsson
Digital Transformation and the opportunities to use data in Analytics and Machine Learning are growing exponentially, but so too are the business and financial risks in Data Privacy. The increasing number of privacy incidents and data breaches are destroying brands and customer trust, and we will discuss how business prioritization can benefit from a finance-based data risk assessment (FinDRA).
More than 60 countries have introduced privacy laws and by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations. We will discuss use cases in financial services that are finding a balance between new technology impact, regulatory compliance, and commercial business opportunity. Several privacy-preserving and privacy-enhanced techniques can provide practical security for data in use and data sharing, but none universally cover all use cases. We will discuss what tools we can use to mitigate business risks caused by security threats, data residency and privacy issues. We will discuss how technologies like pseudonymization, anonymization, tokenization, encryption, masking and privacy preservation in analytics and business intelligence are used in Analytics and Machine Learning.
Organizations are increasingly concerned about data security in processing personal information in external environments, such as the cloud; and information sharing. Data is spreading across hybrid IT infrastructure on-premises and multi-cloud services and we will discuss how to enforce consistent and holistic data security and privacy policies. Increasing numbers of data security, privacy and identity access management products are in use, but they do not integrate, do not share common policies, and we will discuss use cases in financial services of different techniques to protect and manage data security and privacy.
Protecting data privacy in analytics and machine learning ISACA London UK, by Ulf Mattsson
ISACA London Chapter webinar, Feb 16th 2021
Topic: “Protecting Data Privacy in Analytics and Machine Learning”
Abstract:
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals, and they also store and search on encrypted medical data in the cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
New opportunities and business risks with evolving privacy regulations, by Ulf Mattsson
In the shadow of the global pandemic and the associated economic downturn, organizations are focused on cost optimization, which often leads to impulsive decisions to deprioritize compliance with all nonrevenue programs.
Regulators have evolved to adapt with the notable increase in data subject complaints and are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine while Equifax agreed to pay a minimum of $575 million for its breach. The US Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories sued over the company’s failure to take “reasonable steps” to secure its sensitive personal data.
Privacy and data protection are enforced by a growing number of regulations around the world and people are actively demanding privacy protection — and legislators are reacting. More than 60 countries have introduced privacy laws in response to citizens’ cry for transparency and control. By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today, according to Gartner. There is a convergence of data privacy principles, standards and regulations on a common set of fundamental principles.
The opportunities to use data are growing exponentially, but so too are the business and financial risks as the number of data protection and privacy regulations grows internationally.
Join this webinar to learn more about:
- Trends in modern privacy regulations
- The impact on organizations to protect and use sensitive data
- Data privacy principles
- The impact of General Data Protection Regulation (GDPR) and data transfer between US and EU
- The evolving CCPA, the new PCI DSS version 4 and new international data privacy laws or regulations
- Data privacy best practices, use cases and how to control sensitive personal data throughout the data life cycle
What is tokenization in blockchain - BCS London, by Ulf Mattsson
BCS North London Branch in association with Central London Branch webinar (by GoToWebinar) Date: 2nd December 2020 Time: 18.00 to 19.30 Event title: Blockchain tokenization “What is tokenization in Blockchain?”
Agenda
Blockchain
- What is Blockchain?
- Use cases, trends and risks
- Vendors and platforms
- Data protection techniques and scalability
Tokenization
- Digital business
- Convert a digital value into a digital token
- Local and central models
Cloud
- Tokenization in Hybrid cloud
Protecting data privacy in analytics and machine learning - ISACA, by Ulf Mattsson
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals, and they also store and search on encrypted medical data in the cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b, by Ulf Mattsson
Blockchain
- What is Blockchain?
- Blockchain trends
Emerging data protection techniques
- Secure multiparty computation
- Trusted execution environments
- Use cases for analytics
- Industry Standards
Tokenization
- Convert a digital value into a digital token
- Tokenization local or in a centralized model
- Tokenization and scalability
Cloud
- Analytics in Hybrid cloud
Unlock the potential of data security 2020, by Ulf Mattsson
Explore challenges of managing and protecting data. We'll share best practices on establishing the right balance between privacy, security, and compliance.
Tokenization on Blockchain is a steady trend. It seems that everything is being tokenized on Blockchain from paintings, diamonds and company stocks to real estate. Thus, we took an asset, tokenized it and created its digital representation that lives on Blockchain. Blockchain guarantees that the ownership information is immutable.
Unfortunately, some problems need to be solved before we can successfully tokenize real-world assets on Blockchain. The main problem stems from the fact that so far, no country has a solid regulation for cryptocurrency. For example, what happens if a company that handles tokenization sells the property? They have no legal rights on the property and thus are not protected by the law. Another problem is that this system brings us back some sort of centralization. The whole idea of Blockchain and especially smart contracts is to create a trustless environment.
Tokenization is a method that converts a digital value into a digital token. Tokenization can be used as a method that converts rights to an asset into a digital token.
The tokenization system can be implemented local to the data that is tokenized or in a centralized model. We will discuss tokenization implementations that can provide scalability across hybrid cloud models. This session will position different data protection techniques, use cases for blockchain, and protecting blockchain.
Protecting Data Privacy in Analytics and Machine Learning, by Ulf Mattsson
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to use open source tools to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about. In this session, we will discuss technologies that help protect people, preserve privacy, and enable you to do machine learning confidentially.
This session discusses industry standards and emerging privacy-enhanced computation techniques, secure multiparty computation, and trusted execution environments. We will discuss how the Zero Trust philosophy fundamentally changes the way we approach security, since trust is a vulnerability that can be exploited, particularly when working remotely and increasingly using cloud models. We will also discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals, and they also store and search on encrypted medical data in the cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor..., by Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024, by Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview, by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf, by Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor..., by SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Climate Impact of Software Testing at Nordic Testing Days, by Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing the number of tests. Test automation can be used to speed up testing.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf, by 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Elevating Tactical DDD Patterns Through Object Calisthenics, by Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Slide 3
1. Head of Innovation at TokenEx
2. Chief Technology Officer at
   • Protegrity
   • Atlantic BT
   • Compliance Engineering
3. Developer at IBM Research and Development
4. Inventor of more than 70 issued/awarded US Patents
5. Products and Services
   • Contributed to the development of PCI DSS and ANSI X9
   • Security and Privacy Benchmarking/Gap-analysis for Financial Industry
   • Data Encryption, Tokenization, and Data Discovery
   • Robotics and Applications in Manufacturing
   • Cloud Application Security Brokers, and Web Application Firewalls
   • Managed Security Services, and Security Operation Centers
Ulf Mattsson
Slide 4
A first draft of PCI DSS v4.0
• The October RFC will include a first draft of PCI DSS v4.0 and a sample of the draft reporting template for a proposed new validation method to support customized implementations.
• A Summary of Changes document that outlines the key changes in the draft will be provided, as well as guidance for stakeholders to help focus their reviews and maximize the value of their feedback.
• The draft of PCI DSS v4.0 addresses feedback received during the 2017 RFC and reflects changes in payments environments and security technologies.
• The updates made to the standard focus on strengthening security and adding flexibility.
• While the 12 core PCI DSS requirements remain fundamentally the same, several new requirements are proposed to address evolving risks and threats to payment data and to reinforce security as a continuous process.
• Additionally, all requirements are redesigned to focus on security objectives, and there is a new validation option that gives more flexibility to organizations using different methodologies to meet the intent of PCI DSS requirements.
Source: pcisecuritystandards.org
Slide 5
How can you get involved in the RFC process?
There are two ways: The PCI SSC is opening up the RFC process only to Participating Organizations, QSAs, and ASVs. If you are not currently a Participating Organization, consider joining now, so that you can provide feedback on the PCI DSS and attend future PCI Community Meetings for no additional cost.
Simply contact your LBMC Information Security lead QSA to let us know of your interest in reviewing the draft of PCI DSS v.4.0.
Reference Links:
https://blog.pcisecuritystandards.org/5-questions-about-pci-dss-v4-0
https://blog.pcisecuritystandards.org/3-things-to-know-about-pci-dss-v4-0-development
https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
Source: https://www.lbmc.com
Slide 6
PCI DSS has always been technology neutral
• PCI DSS has always been technology neutral, in that requirements are intended to apply to all types of environments and support whatever technology is being used.
• The draft of PCI DSS v4.0 further supports the use of different technologies, such as cloud, by introducing more flexibility to the wording of requirements and adding intent statements.
• The standard is also supported by information supplements that provide guidance and considerations for applying PCI DSS to specific technologies, including cloud environments.
Source: pcisecuritystandards.org
Slide 7
4.0 Supporting a range of evolving payment environments, technologies, and methodologies
• With version 4.0, the Council is evolving the PCI DSS to support a range of evolving payment environments, technologies, and methodologies for achieving security.
• The requirements will be written as outcome-based statements focused on implementation of the security control as the end result.
• For many requirements, this is achieved by simply changing the language from stating what ‘must’ be implemented to what the resulting security outcome ‘is’.
• The draft of PCI DSS v4.0 also includes intent statements specifically linking each requirement to a security outcome.
• The intent statements directly support the new, customized validation approach by clearly identifying the security outcome that customized implementations are required to meet.
• This will clarify what needs to be achieved with more flexibility in ‘how’ the organization achieves the desired security outcome.
Source: pcisecuritystandards.org
Slide 8
Changes to PCI DSS’s layout and descriptions
The overall structure of the PCI DSS is retained in version 4.0, and will keep the same 12 high level requirements.
Changes to PCI DSS’s layout and descriptions v.4.0 will include:
1. More accurate requirement titles
2. Additional direction and guidance provided in the Overview section
3. Requirements organized into Security Objectives
4. Requirements refocused as objective or outcome-based statements
5. Clear identification of Intent (Objective) for each requirement
6. Expanded Guidance
As with previous iterations of the PCI DSS, LBMC expects that there will be a grace period for organizations to comply with the newly defined requirements, and PCI DSS version 3.2.1 will remain valid for a period of time to support organizations transitioning to the new version of the standard.
Source: https://www.lbmc.com
Slide 9
Examples of some of the proposed new requirements
• Examples of some of the proposed new requirements include requirements for organizations to verify their PCI DSS scope and some additional requirements for service providers.
• There are also proposed revisions to requirements on passwords to accommodate different authentication options, and an update to the risk assessment requirement to provide greater clarity and guidance for organizations on the risk management process.
• The PCI DSS version being provided for RFC is a draft only.
• There may be requirements added, removed, or changed before the standard is finalized sometime in 2020.
Source: pcisecuritystandards.org
Slide 10
The next major evolution of the 15-year-old PCI DSS
PCI DSS v.4.0 is the next major evolution of the 15-year-old PCI DSS framework since the last significant revision in 2013:
1. Scoping – Increased testing and documentation will be required for confirmation of the accuracy and completeness of scope of the cardholder data environment (CDE) and periodic scope validation processes.
2. CHD Protection – Card encryption requirements will be expanded to include all transmissions of CHD instead of only those across public networks.
3. Security awareness training – Requirements for training of end users will be enhanced to include more information regarding current threats and phishing, social engineering, etc.
4. Risk assessment – The Council recognizes that the current PCI DSS requirement that a risk assessment be conducted is not always resulting in useful risk analysis and risk management outcomes. This requirement will be modified to ensure that the risk assessment is not being treated as a “checkbox exercise” by organizations.
5. Authentication – The new version of the DSS will provide more flexibility for the use of authentication techniques and solutions within the CDE to align them with industry best practices.
6. Cloud environments – Version 4.0 will evolve all requirements to be more accommodating for the use of technologies such as cloud hosting services.
7. Sampling – Additional direction for assessors on sampling guidance will be included to verify that controls are in place consistently across the entire population.
Source: https://www.lbmc.com
Flexibility to take a customized approach
• The new validation option gives organizations the flexibility to take a customized
approach to demonstrate how they are meeting the security intent of each PCI DSS
requirement.
• This customized approach supports organizations using security approaches that may be
different than traditional PCI DSS requirements.
• Through customized validation, entities can show how their specific implementation
meets the intent and addresses the risk, providing an alternative way of meeting the
requirement as stated.
• By offering two approaches to PCI DSS validation, entities can identify which approach is
best suited to their security implementation for each PCI DSS requirement.
• Customized validation is a natural evolution of compensating controls, which were
designed as a mechanism for organizations to demonstrate how they meet the intent of
PCI DSS requirements in a different way.
• Unlike compensating controls, customized validation will not require a business or
technical justification for meeting the requirements using alternative methods, as the
requirements will now be outcome-based.
• Compensating controls will be removed.
Source: pcisecuritystandards.org
The “Defined Implementation” Approach
• The Defined Implementation Approach is based upon the current PCI methodology and
is how entities currently assess and report their compliance with PCI DSS.
• The Customized Implementation Approach provides additional levels of flexibility for
assessing and reporting compliance.
• In this approach, the entity is responsible for understanding the intent of each PCI DSS
requirement and demonstrating how its existing security controls achieve the
requirement (which may deviate from the PCI DSS control specifications).
• Organizations can choose to report their compliance via one of these two options or
choose a blended approach where some of the control requirements may be assessed
under the defined implementation and others using the customized implementation
approach.
Source: https://www.lbmc.com
PCI compliance using the Defined Approach
Entities choosing to validate their PCI compliance using the Defined Approach will continue
to assess and validate their compliance in the same manner that they have previously
done.
These entities will be responsible for implementing and validating all of the PCI DSS v.4.0
requirements as written, and entities using a QSA will find that the QSA firm continues to
execute the testing procedures as specified in the PCI DSS Report on Compliance. In this
approach:
The Entity:
Implements and operates control(s) that meets the PCI DSS requirement.
The Assessor:
Plans and conducts the assessment.
Follows PCI DSS testing procedures to assess implemented controls.
Documents results of testing in the RoC.
Source: https://www.lbmc.com
PA-DSS and the PCI Software Security Framework (PCI SSF)
The PCI SSF supports a broader array of payment software types, technologies, and development
methodologies. Ultimately PA-DSS and its validation program will be incorporated into the PCI SSF.
Source: PCI SSC
The PCI Software Security Framework (PCI SSF)
SSF series of documents:
1. The Secure Software Lifecycle (Secure SLC or SSLC) Requirements and Assessment Procedures, or the Secure Software
Lifecycle (SLC) Standard
2. The Secure Software Requirements and Assessment Procedures, or the Secure Software Standard
3. The Validation Program, a program for software vendors to validate how they can properly manage the security of
payment software throughout the entire software lifecycle
Example: the SD Elements tool helps with:
1. Minimizing the Attack Surface: confidentiality and integrity of all software
2. Software Protection Mechanisms
3. Secure Software Operations
4. Secure Software Lifecycle Management
5. Account Data Protection
Source: PCI SSC, securitycompass.com
The new API Economy - Security for Application Microservices
Source: Gartner
The new API Economy - Products Delivering API Security
Source: Gartner
Develop and Test Customized Implementation (Time/$)
The Entity:
Implements control(s) that meet the intent of the PCI DSS requirement.
At a detailed level, the entity will be required to provide documentation that describes the customized
implementation for each control objective to include:
1. The who, what, where, when, and how of the controls
2. Evidence to prove how the controls meet the stated intent
3. Evidence of how controls are maintained, and effectiveness is assured.
The documentation of customized controls must be supported by the entity’s risk assessment to show how the
controls provide equivalent levels of protection.
The Assessor:
1. Plans and conducts the assessment.
2. Reviews information provided by the entity.
3. Develops and derives testing procedures based on controls implemented by the entity and information provided.
4. Documents details of testing procedures and results of testing in the RoC.
5. Assessor firms conducting Customized Approach assessments will need to spend additional time during the RoC
assessment process understanding their clients’ customized control processes and then developing sufficient
testing procedures such that the assessor can confirm the effective implementation and operation of the
customized controls, as well as that those controls do indeed provide equivalent (or better) security as the defined
PCI DSS control.
Source: https://www.lbmc.com
Liability Aspects with Customized Approach?
Trustwave had been contracted to perform yearly checks of Heartland's compliance with the
Payment Card Industry Data Security Standards (PCI-DSS) requirements in 2005, moving on to
monthly security scans, network penetration testing and other security services for the
payments processor.
Despite this, Trustwave did not detect that hackers had installed malware in 2007 through a
structured query language (SQL) attack that allowed the attacker to issue commands to an
internet-exposed database, the insurers allege.
The insurers also claim Trustwave missed a May 2008 installation of malware on Heartland's
systems.
Lexington and Beazley say the security vendor certified Heartland as PCI-DSS compliant during
both 2007 and 2008.
As a result of the data breach, in 2009 Visa removed Heartland from its list of PCI-DSS
compliant payments processors and said Trustwave had incorrectly certified the company as
being compliant with the industry security standard.
Trustwave missed that Heartland did not use a firewall, used default passwords, generally
failed to secure systems and applications as well as protect user data, and had no network
access monitoring in place, Visa said in its list of PCI-DSS requirement breaches at the time.
Source: itnews.com
Understanding the Intent of the Requirements
Source: pcisecuritystandards.org, Verizon 2019 Payment Security Report
Emphasize Security and Risk Management to Attain and Maintain Compliance – Compliance does not equal security.
While PCI DSS provides a solid baseline of security controls, it should not be considered a single source for addressing
all security needs.
The focus should be on building a culture of security and protecting an organization’s information assets and IT
infrastructure, allowing compliance to be achieved as a consequence.
Best Practices for Maintaining PCI DSS Compliance
Source: Verizon 2019 Payment Security Report
Cloud Models and Risk Aspects
[Figure: “Risk Adjusted Computation”. Deployment models are placed along an elasticity axis running from in-house to out-sourced: on-premises system, on-premises private cloud, hosted private cloud, public cloud. The vertical axes are Risk (low to high) and Compute Cost (high to low).]
The Day When 3rd Party Security Providers Disappear into Cloud
[Figure: the following security functions shown moving from on-premises products into public cloud / multi-cloud platforms.]
• “Active Directory”
• WAF
• SIEM
• Firewall
• Encryption
• Tokenization
• Key Management
• AV – Anti Virus
• Network Sec
Example pricing: 10 % of on-premises alternatives.
Some Privacy Regulations
• 1970: Germany passed the first national data protection law, the first data protection law in the world.
• 1974: Sweden's Data Act, a national data protection law, went into effect.
• India is in the process of passing a comprehensive data protection bill that would include GDPR-like requirements.
• Japan is ready to implement changes to domestic legislation to strengthen privacy protection in the country.
• Brazil is passing a comprehensive data protection regulation similar to GDPR.
• The New York Privacy Act was introduced in 2019.
• CCPA's impact is expected to be global (12+ %), given California's status as the fifth largest global economy.
• 68% of American companies are expected to spend between $1 million and $10 million to meet the GDPR requirements, and 9% more than $10 million (PwC).
Source: Forrester, PwC
Fines for Privacy Violations
• In 2019, Facebook settled with the Federal Trade Commission in the United
States over privacy violations, a settlement that required the social network to
pay $5 billion
• British Airways was fined £183 million by the UK ICO for a series of data
breaches in 2018, followed by a £99 million fine against the Marriott
International hotel chain.
• French data protection regulator CNIL fined Google €50 million in 2019.
• Some companies narrowly avoided a GDPR-scale fine, as their data incident
occurred prior to GDPR's implementation date.
• Both Equifax and Facebook received the maximum fine possible - £500,000
- as per the previous Data Protection Act 1998.
Source: rsaconference.com
Enterprises Losing Ground Against Cyber-attacks
• Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not
improving
• Verizon reports concluded that less than 14% of breaches are detected by
internal monitoring tools
• JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the largest banks
• Capital One data breach
• A hacker gained access to 100 million credit card applications and accounts
• Amazon Web Services, the cloud hosting company that Capital One was
using
• Imperva breach
• A security breach which led to the compromise of customer data at
Imperva was caused by a stolen API key for one of its Amazon Web Services
(AWS) accounts, the firm has revealed.
• The firm was notified of the incident, which affected a subset of its Cloud
WAF customers, by a third party at the end of August.
PCI Vs. GDPR: What’s The Difference?
Source: securitymetrics.com
Pseudonymisation Under the GDPR
Within the text of the GDPR, there are multiple references to
pseudonymisation as an appropriate mechanism for protecting personal
data.
Pseudonymisation—replacing identifying or sensitive data with
pseudonyms—is synonymous with tokenization—replacing identifying or
sensitive data with tokens.
What is Personal Data according to EU GDPR?
Article 4 – Definitions
• (1) ‘personal data’ means any information relating to an identified
or identifiable natural person (‘data subject’); …such as a name, an
identification number, location data, an online identifier…
• (5) ‘pseudonymisation’ means the processing of personal data in such
a manner that the data can no longer be attributed to a specific
data subject without the use of additional information, provided that
such additional information is kept separately…
Tokenization for Cross Border Data-centric Security (EU GDPR)
[Figure: data sources feeding a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.]
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email,
policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and
reporting
Data Security and Privacy and On-premises and Clouds Models
Application of Data Security and Privacy techniques On-premises, in Public, and Private Clouds
Privacy enhancing data de-identification terminology and classification of techniques: Tokenization (T), Cryptographic tools (CT), De-identification techniques (DT), and Formal privacy measurement models (PMM), the last covering Differential Privacy (DP) and the K-anonymity model.
Tokenization (T)
• Vault-based tokenization (VBT): Suitable for cloud deployment and centralized token generation. CPU impact and latency are typically similar
to a database lookup query transaction.
• Vault-less tokenization (VLT): Suitable for on-premises deployment and distributed token generation. Suitable for high performance
requirements, including transaction switches and data warehouse databases. CPU impact is typically similar
to AES encryption.
Cryptographic tools (CT)
• Format Preserving Encryption (FPE): Suitable for any deployment model. CPU impact is typically 10 times that of AES encryption.
• Homomorphic Encryption (HE): Suitable for public cloud based computation where operations on encrypted data values are required. CPU
impact of the asymmetric crypto operations can be significant compared to AES and other symmetric crypto
algorithms.
De-identification techniques (DT)
• Masking: Since masking is a one-way process, not reversible, it may be less suitable in operational transaction
systems.
Formal privacy measurement models (PMM)
• Differential Privacy (DP), Server Model: Suitable for cloud deployment models. CPU impact for cleaning the database is similar to a database scan with
change transactions.
• Differential Privacy (DP), Local Model: Suitable for the client side of any deployment model. CPU impact for cleaning the database is similar to a
database scan with change transactions.
• K-anonymity model, L-diversity: Suitable for privacy in any deployment model. CPU impact for cleaning the database is similar to a database
scan with change transactions.
• K-anonymity model, T-closeness: Suitable for privacy in any deployment model. CPU impact for cleaning the database is similar to a database
scan with change transactions.
Use Cases in Different Systems
[Figure: which technique protects which system. Systems shown: a user-facing payment application with payment network and payment data; a CASB in front of Salesforce; a data warehouse holding PII data; an analytics application; a call center application; dev/test systems; and the Microsoft ElectionGuard development kit with election data. Techniques shown: tokenization (VBT) with encryption and keys for payment data; vault-based tokenization (VBT) for PII data; vault-less tokenization (VLT) for PII data in the data warehouse and dev/test systems, together with masking; format preserving encryption (FPE), differential privacy (DP) and the k-anonymity model alongside the analytics and call center applications; homomorphic encryption (HE) for the ElectionGuard election data.]
New York's Privacy Bill Is Even Bolder Than (CCPA) – Right to Sue,
Companies of All Sizes
The New York Privacy Act introduced in 2019, according to “New York's Privacy Bill Is
Even Bolder Than California's,” at [3], would “give residents there more control over
their data than in any other state.” It would also require businesses to put their
customers’ privacy before their own profits. The New York Privacy Act bears some
similarity to the California law. Like the CCPA, it would allow people to find out what
data companies are collecting on them, see who they’re sharing that data with, request
that it be corrected or deleted, and avoid having their data shared with or sold to third
parties altogether. But the New York bill, as it’s currently written, departs from the
California model in significant ways. While the California law leaves enforcement to the
state’s attorney general, the New York Privacy Act would give New Yorkers the right to
sue companies directly over privacy violations, possibly setting up a barrage of individual
lawsuits. Industry groups vehemently opposed a similar provision—also known as a
private right of action—in California, and they succeeded in driving it out of the bill
when it was finally signed into law last year. And while California’s law applies only to
businesses that make more than $25 million annual gross revenue, the New York bill
would apply to companies of any size.
Source: New York's Privacy Bill Is Even Bolder Than California's,
https://www.wired.com/story/new-york-privacy-act-bolder/
PII Inventory
• Locating sensitive PII is essential to protecting it.
• However data maps alone can't provide a complete protection or privacy
picture.
• New privacy protection regulations mandate an individual's right to
access their own data, the right to be forgotten, the right to port their
data and the right to be notified of a breach.
Source: BigID (TokenEx partner)
How Should I Secure Different Types of Data?
[Figure: type of data against use case, with use cases ranging from simple to complex.]
• Un-structured data (PCI, PHI, PII): Encryption of Files
• Structured data: Tokenization of Fields
• PCI: Card Holder Data
• PHI: Protected Health Information
• PII: Personally Identifiable Information
Source: PCI SSC, TokenEx
What is the threat model for a tokenization system?
• For a vaulted solution, the tokens are mathematically unrelated to the underlying value, so the most effective attack
vector is through our customers.
• The tokens themselves cannot successfully be attacked, but the ability to detokenize sensitive data is only as strong as
the customer’s environment and the controls put in place to protect the API credentials.
Best practices:
1. The tokenization product should implement monitoring to detect any malfunctions, anomalies, and suspicious
behavior.
2. Mechanisms should be in place to ensure the integrity of the token-generation process.
3. Critical functions (e.g., the API code) within the tokenization application must be protected by integrity-checking
mechanisms.
4. Only authenticated users and system components should be allowed access to the tokenization system and
tokenization/detokenization processes.
5. The tokenization product should have access and tokenization/de-tokenization logging functionality.
6. Tokenization and de-tokenization requests should be logged, and the logs should not contain PAN.
7. The tokenization product should support multi-factor authentication for all user access.
8. Where the vendor uses cryptographic primitives, those primitives should be based on published national or
international standards—e.g., AES or ECC.
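The sketch below is an added example, not code from TokenEx, the PCI SSC or this presentation. It implements the vaulted model the threat-model slide describes (tokens with no mathematical relation to the PAN, detokenization gated on a per-credential permission, an audit log that never carries a PAN) and at the same time the GDPR slide's point that pseudonymisation is tokenization: the token is the pseudonym, and the vault is the "additional information kept separately". The key ids, secrets and the Visa test number are constructed sample values; the class and function names are this example's own.

```python
"""Vault-based tokenization sketch (added example; not vendor or PCI SSC code).
Shows: random tokens unrelated to the PAN, per-credential authorisation for
tokenize vs. detokenize, and an audit log that never contains a PAN.
All credentials and the PAN below are constructed sample values."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed: API key id -> (SHA-256 of its secret, permitted operations).
# Least privilege: the point-of-sale app may tokenize but never detokenize.
SAMPLE_KEYS = {
    "pos-app": (_digest("pos-secret-CONSTRUCTED"), {"tokenize"}),
    "settlement": (_digest("settle-secret-CONSTRUCTED"), {"tokenize", "detokenize"}),
}
SAMPLE_PAN = "4111111111111111"  # the standard Visa test number, not a real card


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: validates input PANs and guarantees no token could pass as one."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    api_keys: dict
    index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _by_token: dict = field(default_factory=dict, init=False)  # token -> PAN (encrypted at rest in practice)
    _by_pan: dict = field(default_factory=dict, init=False)    # HMAC(PAN) -> token; keyed, so not a PAN lookup table
    audit_log: list = field(default_factory=list, init=False)

    def _authorize(self, key_id: str, secret: str, op: str) -> None:
        entry = self.api_keys.get(key_id)
        allowed = (entry is not None
                   and hmac.compare_digest(entry[0], _digest(secret))
                   and op in entry[1])
        # Every attempt is logged (best practices 5 and 6): key id and operation, never the PAN.
        self.audit_log.append({"ts": time.time(), "key_id": key_id, "op": op, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{key_id!r} is not permitted to {op}")

    def _new_token(self, pan: str) -> str:
        """Random digits plus the PAN's last four; Luhn-valid candidates are rejected
        so a token can never be mistaken for, or replayed as, a real PAN."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = body + pan[-4:]
            if candidate not in self._by_token and not luhn_ok(candidate):
                return candidate

    def tokenize(self, key_id: str, secret: str, pan: str) -> str:
        self._authorize(key_id, secret, "tokenize")
        if not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        fingerprint = hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._by_pan.get(fingerprint)
        if token is None:  # first sight of this PAN: mint a token
            token = self._new_token(pan)
            self._by_pan[fingerprint] = token
            self._by_token[token] = pan
        self.audit_log[-1]["token"] = token
        return token

    def detokenize(self, key_id: str, secret: str, token: str) -> str:
        self._authorize(key_id, secret, "detokenize")
        self.audit_log[-1]["token"] = token
        return self._by_token[token]  # KeyError for unknown tokens

    def log_mentions(self, value: str) -> bool:
        return any(value in str(entry) for entry in self.audit_log)


def demo() -> dict:
    """Exercise the vault with the constructed keys; returns the checks a reviewer would make."""
    vault = TokenVault(SAMPLE_KEYS)
    token = vault.tokenize("pos-app", "pos-secret-CONSTRUCTED", SAMPLE_PAN)
    try:
        vault.detokenize("pos-app", "pos-secret-CONSTRUCTED", token)
        refused = False
    except PermissionError:
        refused = True
    return {
        "token": token,
        "token_is_not_pan": token != SAMPLE_PAN and not luhn_ok(token),
        "idempotent": vault.tokenize("pos-app", "pos-secret-CONSTRUCTED", SAMPLE_PAN) == token,
        "pos_detokenize_refused": refused,
        "settlement_recovers_pan": vault.detokenize("settlement", "settle-secret-CONSTRUCTED", token) == SAMPLE_PAN,
        "pan_in_log": vault.log_mentions(SAMPLE_PAN),
        "log_entries": len(vault.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to carry over to a real deployment is the split of trust: compromising the application that holds only the `pos-app` credential yields tokens and nothing else, which is exactly why the slide says the effective attack surface is the customer's handling of the detokenize credential.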
International Standardized Encryption Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
[Figure: two encryption models from the standard.]
• Homomorphic Encryption (HE): clear values D1 and D2 are each encrypted under a protected key (HE Enc → Enc D1, Enc D2). An “Untrusted Party*” computes Oper(Enc_D1, Enc_D2) directly on the ciphertexts, and HE Dec with the protected key returns the clear result. (*: Multi Party Computation (MPC).)
• Format Preserving Encryption (FPE): clear D1 (“123”) is encrypted under protected keys (FPE Enc) into a ciphertext of the same format (“897”), and FPE Dec recovers “123”.
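The HE flow on the slide, as an added example that is not code from the presentation or from ISO/IEC 20889: it uses the Paillier scheme (additively homomorphic, an assumption of this example since the slide names no scheme), with the key holder encrypting D1 and D2, an untrusted party combining the ciphertexts without any key, and the key holder decrypting the sum. The primes are constructed 20-bit values chosen for readability and are far too small for real use.

```python
"""Additively homomorphic encryption (Paillier) in the pattern of the ISO/IEC 20889
HE model. Added example; not code from the presentation or the standard.
The primes are constructed toy values; a real deployment uses 1024-bit-plus primes."""
import math
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the 20-bit toy primes chosen below."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen(p: int, q: int):
    """Paillier key pair from two distinct primes, using the g = n + 1 simplification."""
    assert p != q and is_prime(p) and is_prime(q)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    assert math.gcd(lam, n) == 1
    mu = pow(lam, -1, n)  # with g = n+1, L(g^lam mod n^2) == lam, so mu = lam^-1 mod n
    return (n, n + 1), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with fresh random r: equal plaintexts give different ciphertexts."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    big_l = (pow(c, lam, n * n) - 1) // n  # L(x) = (x - 1) / n
    return (big_l * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """The untrusted party's Oper(Enc_D1, Enc_D2): ciphertext product = plaintext sum."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def multiply_by_constant(pub, c: int, k: int) -> int:
    """Ciphertext power = plaintext times a public constant; still no key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def demo() -> dict:
    """Run the slide's flow end to end and return what the key holder recovers."""
    p = next_prime(1 << 20)
    q = next_prime(p + 1)
    pub, priv = keygen(p, q)
    d1, d2 = 123, 12                                 # clear values as on the slide
    c1, c2 = encrypt(pub, d1), encrypt(pub, d2)      # key holder encrypts
    c_sum = add_encrypted(pub, c1, c2)               # untrusted party: ciphertexts only
    c_triple = multiply_by_constant(pub, c1, 3)
    return {
        "sum": decrypt(pub, priv, c_sum),            # 135
        "triple": decrypt(pub, priv, c_triple),      # 369
        "roundtrip": decrypt(pub, priv, c1) == d1,
        "randomized": encrypt(pub, d1) != c1,
    }


if __name__ == "__main__":
    print(demo())
```

The CPU-cost remark in the technique table is visible even here: every encryption is two modular exponentiations modulo n², which is why the slide contrasts HE with AES for bulk data.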
International Standardized Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
[Figure: two privacy models from the standard.]
• Differential Privacy (DP): clear records pass through a Curator* running a cleanser/filter before they reach the protected DB. (*: example Apple and Google.)
• k-Anonymity Model: clear records pass through a cleanser/filter and are stored in the protected DB.
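The k-anonymity "cleanser" from the figure, measured the way the technique table's formal privacy models describe it (k-anonymity and its L-diversity refinement), as an added example that is not code from the presentation or from ISO/IEC 20889. It generalises the quasi-identifiers of a constructed record set, reports the k and l a given generalisation actually achieves, finds the least-coarse setting that meets a target, and refuses a release that falls short. The records, function names and the age-band/ZIP-digit generalisation lattice are this example's own assumptions.

```python
"""k-anonymity and l-diversity measurement for a generalised data release.
Added example; not code from the presentation or from ISO/IEC 20889.
Plays the 'cleanser': generalise quasi-identifiers, then verify k and l
before the protected data set is released."""
from collections import defaultdict

# Constructed sample records: (age, ZIP, diagnosis). Diagnosis is the sensitive
# attribute; age and ZIP are quasi-identifiers an adversary could link on.
RECORDS = [
    (29, "10001", "flu"), (31, "10003", "flu"), (34, "10005", "covid"),
    (45, "20013", "cancer"), (47, "20010", "cancer"), (41, "20018", "flu"),
    (52, "30101", "covid"), (58, "30111", "flu"),
]


def generalise(age: int, zip_code: str, age_band: int, zip_digits: int) -> tuple:
    """Coarsen one record's quasi-identifiers: age -> band, ZIP -> leading digits."""
    lo = age - age % age_band
    zip_masked = zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits)
    return (f"{lo}-{lo + age_band - 1}", zip_masked)


def equivalence_classes(records, age_band: int, zip_digits: int) -> dict:
    """Group sensitive values by generalised quasi-identifier tuple."""
    classes = defaultdict(list)
    for age, zip_code, diagnosis in records:
        classes[generalise(age, zip_code, age_band, zip_digits)].append(diagnosis)
    return classes


def measure(records, age_band: int, zip_digits: int) -> tuple:
    """(k, l): k = smallest equivalence class, l = fewest distinct sensitive values in any class."""
    classes = equivalence_classes(records, age_band, zip_digits)
    k_val = min(len(values) for values in classes.values())
    l_val = min(len(set(values)) for values in classes.values())
    return k_val, l_val


def minimal_generalisation(records, k_required: int, l_required: int,
                           age_bands=(5, 10, 20, 50), zip_digit_options=(5, 4, 3, 2, 1, 0)):
    """Least-coarse setting (narrowest age band, most ZIP digits) that meets both targets."""
    for age_band in age_bands:
        for zip_digits in zip_digit_options:
            k_val, l_val = measure(records, age_band, zip_digits)
            if k_val >= k_required and l_val >= l_required:
                return age_band, zip_digits
    return None  # no setting in the lattice is safe enough; suppress instead


def release(records, age_band: int, zip_digits: int, k_required: int = 2, l_required: int = 2) -> list:
    """Cleanser output: generalised rows, or ValueError if the targets are not met."""
    k_val, l_val = measure(records, age_band, zip_digits)
    if k_val < k_required or l_val < l_required:
        raise ValueError(f"release refused: k={k_val}, l={l_val}")
    return [generalise(a, z, age_band, zip_digits) + (dx,) for a, z, dx in records]


if __name__ == "__main__":
    print("10-year bands, 2 ZIP digits:", measure(RECORDS, 10, 2))   # the 29-year-old is unique
    setting = minimal_generalisation(RECORDS, 2, 2)
    print("minimal setting for k=2, l=2:", setting)
    for row in release(RECORDS, *setting):
        print(row)
```

The l-diversity check is what catches the case k-anonymity alone misses: a class of two records that both carry "cancer" is 2-anonymous yet discloses the diagnosis of anyone known to be in it, which is why the table lists L-diversity (and T-closeness) as refinements of the K-anonymity model.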
Total Cost and Risk of Tokenization
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a
CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the
environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit,
maintenance
Example: 50% Lower Total Cost
Quantum computing risks
• It will take 3 years for NIST to complete its review of quantum-safe algorithms (started in November 2017).
• 4-6 years from now for NIST standards to be released.
• 3-5 years to produce new industry standards based on the NIST algorithms once the NIST standards are out.
• 5-7 years for the industry to fully implement the new industry standards.
• Full industry adoption could take 20 years from now.
• Guidelines for immediate steps that can be taken: upgrade to AES, preferably AES-256.
• Use SHA-512 for hashing. Use stateful hash-based signatures for signing, especially for protecting upgrades
of firmware/cryptographic software.
• Use hybrid cryptography to protect against both weaknesses in RSA/ECC and potential weaknesses in post-
quantum algorithms.
• Protecting data in transit: no large-scale quantum computers capable of cryptographic attacks exist today.
Source: ANSI X9
50 percent of businesses reported data theft in 2019, while 26 percent of them have become victims of financial
data theft.
The statistics show a significant increase in the number of IT security incidents among German companies during the last
two years. Back in 2015, 51 percent of companies were affected by IT security incidents. Two years later, in 2017, the
number of afflicted firms modestly increased to 53 percent. The 2019 survey indicates a significant increase, with 75
percent of companies claiming to be affected by IT security incidents.
During 2019, 32 percent of German companies became victims of theft of IT or communication devices, making it the
most common type of IT security incident. Another 16 percent of them were likely affected by such theft. Analog social
engineering was the second most common IT security incident in the German market, with 30 percent of companies
reporting this problem.
Digital Attacks Caused Total Damage of €205.7 Billion in Two Years
The 2019 statistics show that digital attacks caused damage to seven out of ten German companies. Most of them, or 25
percent, to be precise, were exposed to password attacks. Another 23 percent of companies reported malware infection.
Phishing took third place on the list, with 23 percent of German companies reporting this type of digital attack.
Compared to 2017 figures, all types of digital attacks marked an increase, except malware infection.
Nevertheless, data thieves were primarily interested in communication and financial data. Almost 50 percent of
businesses reported communication data theft in 2019, while 26 percent of them have become victims of financial
data theft. Digital attacks and IT security incidents in German companies have caused total damage of €205.7 billion
within the last two years.