1. Encryption and
Tokenization
1Source: The IBM GDRP framework
Discover
Data Assets
Security
by Design
A GDPR FRAMEWORK - 5 KEY ACTIVITIES TO ADDRESS GDPR

2. 2 2Source: Forrester 2017
BEST PRACTICE - FIND AND PROTECT YOUR SENSITIVE DATA

3. Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare / Financial
Services
Dr. visits, prescriptions, hospital stays and discharges, clinical,
billing, etc. Financial Services Consumer Products and activities
Protection methods can be equally applied to the actual data,
but not needed with de-identification
3Source: Customer Case Study
DATA DE-IDENTIFICATION / ANONYMIZATION

4. 4 4Source: Gartner
ENCRYPTION & TOKENIZATION LEVELS

5. 5 5Source: Gartner
Less Secure
More Secure
ENCRYPTION AND TOKENIZATION BEST PRACTICES

6. Tokens Tokens
PII
Tokens Tokens
• Protecting Personally Identifiable Information (PII), including
names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key
management, auditing, and reporting
6 6Source: International Customer Case Study
PROTECT PII DATA CROSS BORDER - BEST PRACTICES

7. *: Underlying sensitive value (USV)
Source: ANSI X9 7
ANSI X9 - CURRENT TOKENIZATION STANDARD

8. • Format-preserving encryption (FPE) is useful in situations where fixed-format data, such as
Primary account numbers Social Security numbers, must be protected.
• FPE will limit changes to existing communication protocols, database schemata or application
code.
8Source: Accredited Standards Committee ANSI X9
2018 ANSI X9 STANDARD FOR FORMAT PRESERVING ENCRYPTION

9. Quantum computers will be able to instantly break the encryption of sensitive
data protected by today's strongest security, warns the head of IBM Research.
This could happen in a little more than five years because of advances in quantum
computer technologies.
Encryption and Tokenization today are effective means to protect a data subject's PII per the GDPR
regulation, and that they will not be soon due to the enhancements in Quantum computing.
9Source: IBM and ZDNet
STANDARD ENCRYPTION AND TOKENIZATION ARE EFFECTIVE TO MEET GDPR

10. 10Source: THALES at RSA Conference 2018
Quantum Cryptanalysis is effectively “breaking cryptology with quantum computers”
THIS IS A BIG THREAT!
If our cryptography is broken, then everything breaks!
Glover’s algorithm
Given a functioning Universal Quantum Computer,
Glover’s algorithm weakens the currently assumed
strength of symmetric algorithms like AES
Shor’s algorithm
Given a functioning Universal Quantum Computer,
Shor’s algorithm weakens the currently assumed
strength of symmetric algorithms like RSA, ECC
QUANTUM CRYPTANALYSIS

11. Quantum cryptography
allows communication
that is guaranteed to be
secure, thanks to the
laws of physics.
And it is becoming
increasingly important.
Physicists have long known
that quantum computers will be
able to break almost all other
types of cryptography. Since
these devices are becoming
more capable, the writing is on
the wall for conventional
encryption.
11Source: MIT University
CHINESE SATELLITES USING QUANTUM ENCRYPTION

12. 12Source: Thales
Quantum Cryptography is effectively “doing cryptography with quantum computers”
There are several potential techniques
One thing that is well established is Quantum Key Distribution
• This has almost nothing to do with Quantum Computing
• Transmit keys from one place to another as quantum state in photons
• Relies on the quantum mechanical phenomenon that you cannot observe a
photon without disturbing its state
• Theoretically extremely secure, but suffers practical issues
Famously recently used by China in satellites
QUANTUM CRYPTOGRAPHY

13. 13Source: scmp.com/news/china/economy
The mission can provide
unbreakable secret
communications
channels, in principle,
using the laws of
quantum science.
Is China winning the race
with the US to develop
quantum computers?
Chinese funding to research the next generation in
computing may be dwarfing American efforts,
according to US experts.
IS CHINA WINNING THE RACE?

14. Quantum key distribution (QKD), which is the process of using quantum communication to establish a shared key
between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key,
even if Eve can eavesdrop on all communication between Alice and Bob.
If Eve tries to learn information about the key being established, key establishment will fail causing Alice and Bob
to notice.
Once the key is established, it is then typically used for encrypted communication using classical techniques.
1414Source: C. H. Bennett and G. Brassard: Quantum cryptography: Public key distribution
What is Quantum Key Distribution?
HOW IS QUANTUM KEY CRYPTOGRAPHY DIFFERENT?

15. 15
15Source: The RSAC 2018 Conference
Zulfikar Ramzan, Ph.D.
Chief Technology Officer, RSA
Moderator
Whitfield Diffie
Cryptographer and Security Expert,
Cryptomathic
Paul Kocher
Security Researcher,
Independent
Moxie Marlinspike
Founder,
Signal
Ronald Rivest
MIT Institute Professor,
MIT
Adi Shamir
Borman Professor of Computer Science,
The Weizmann Institute, Israel
The three inventors, which the RSA patent is named after, are Ronald Rivest, Adi Shamir, and Leonard Adleman.
*: Matthew Rosenfield, known as Moxie Marlinspike, is an American computer security researcher,
*
THE RSAC 2018 CRYPTOGRAPHERS PANEL

16. Lattice-based cryptography is the
generic term for constructions of
cryptographic primitives that involve
lattices, either in the construction itself
or in the security proof.
Lattice-based constructions are
currently important candidates for post-
quantum cryptography.
Unlike more widely used and known
public-key schemes such as the RSA,
Diffie-Hellman or Elliptic-Curve
cryptosystems.
16Source: RSAC 2018
Will Lattice-based cryptography to replace RSA, ECC and D-H?
LATTICE-BASED CRYPTOLOGY

17. 17
ISO/IEC 27002 Security Controls
ISO/IEC 27001
ISO/IEC 27005 Risk Management
ISO/IEC 29134 Privacy Impact
ISO/IEC 27018 PII in Cloud
ISO/IEC 29101 Privacy by Design
ISO/IEC 29100 Privacy for Cloud
ISO/IEC 17788 Definitions
ISO/IEC 27000 series –
ITSEC Management
A company that has implemented ISO 27001
has already done at least half the job of
achieving GDPR compliance
Source: itgovernance.co.uk
Information technology - Security techniques
- Code of practice for protection of
personally identifiable information (PII) in
public clouds acting as PII processors
International Organization for Standardization
ISO 27001 HALF THE JOB OF ACHIEVING GDPR COMPLIANCE

18. • Methods a quantum computer could use to break
encryption and how these attacks will specifically affect the
different cryptographic methods used today
• Updates on the work being done by NIST to identify
quantum safe algorithms
• Guidance for financial services organizations to mitigate
quantum computing risk
• Next steps that X9, as a standards body, needs to take over
the next few years to prepare for the post-quantum world
18Source: MIT University and ANXI X9
NIST and ANSI X9 Defining Quantum Safe Encryption Algorithms
PREPARE FOR THE POST QUANTUM WORLD

19. 19
GDPR and TokenEx
If you are a data controller who has a valid reason--other than consent from the data subject--for the processing of his or her
personal data “for a purpose other than that for which the personal data have been collected”, Article 6(4)(e) obligates you to
use “appropriate safeguards, which may include encryption or pseudonymization.
The TokenEx platform enables you to pseudonymize personal data within your environment, by replacing it with tokens, and
storing the personal data in an encrypted TokenEx cloud token vault.
The GDPR requires “data protection by design and by default.” Article 25(1) specifically obligates controllers to
“…implement appropriate technical and organizational measures, such as pseudonymization.”
The TokenEx platform enables you to pseudonymize personal data within your environment, replacing it with tokens, and
storing the data in an encrypted TokenEx cloud token vault. The pseudonymized data will likely present a lower risk, thus
possibly reducing the number of additional security measures required to meet this obligation. Using a cloud-based tokenization
provider like TokenEx to pseudonymize direct identifiers in the personal data your controls is a clear indication that you are
considering data protection by design and striving to implement technical measures appropriate to the risk.
Article 32(1) obligates controllers as well as processors to “implement appropriate technical and organizational
measures to ensure a level of security appropriate to the risk,” including pseudonymization of personal data.
The TokenEx platform enables you to pseudonymize personal data within your environment, replacing it with tokens, and
storing the data in an encrypted TokenEx cloud token vault. The pseudonymized data will likely present a lower risk, thus
possibly reducing the number of additional security measures required to meet this obligation.
TokenEx:
“Tokenization”
GDPR Article 6(4)e):
“Encryption”
TokenEx:
“Tokenization and
Encryption”
GDPR Article 25(1):
“Data Protection by
Design” Article 25(1):
“Encryption”
GDPR Article 32(1)
“Pseudonymization of
Personal Data”
TokenEx:
“Pseudonymize
Personal Data”
KEY ACTIVITIES TO ADDRESS GDPR
Source: https://tokenex.com/gdpr

20. 20 20
REQUIREMENTS SUPPORTED
Tokenization
Encryption
Pseudonymization
De-identification