SlideShare a Scribd company logo

New york oracle users group 2013 spring general meeting ulf mattsson

Ulf Mattsson, profile picture
Ulf Mattsson

The document outlines a five-point methodology for data protection aimed at balancing security and data insight, emphasizing the need to classify, discover, protect, enforce, and monitor sensitive data. It discusses the importance of compliance with regulations like PCI DSS and HIPAA in protecting sensitive information, and mentions strategies such as tokenization and encryption to mitigate risks. It also highlights the need for continuous monitoring and the proactive approach of integrating granular protection techniques to counteract insider threats and ensure data privacy.

Technology
1 of 46
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Bridging the Gap Between Privacy and Data Insight Ulf Mattsson CTO, Protegrity ulf . mattsson [at] protegrity . com
2 Security Analysis Customer Support Customer Profiles Sales & Marketing Social Media Business Improvement Big Data Regulations & Breaches Increased profits Increased profits Increased profits Increased profits Increased profits Balancing security and data insight
Balancing security and data insight Tug of war between security and data insight Big Data is designed for access, not security Privacy regulations require de-identification which creates problems with privileged users in an access control security model Only way to truly protect data is to provide data- level protection Traditional means of security don’t offer granular protection that allows for seamless data use 3
4 1. Classify 2. Discovery 3. Protect 4. Enforce 5. Monitor Five Point Data Protection Methodology
5 1 Classify Determine what data is sensitive to your organization.
1. Classify 6 Data is classified as sensitive and must be protected in response to Laws and regulations such as PCI DSS, HIPAA, State Privacy Laws and others. Companies may also have Intellectual Property and other Company Secrets that must be secured against the competition. All companies have sensitive data about their Customers and about their Employees.
1. Classify: Examples of Sensitive Data 7 Sensitive Information Compliance Regulation / Laws Credit Card Numbers PCI DSS Names HIPAA, State Privacy Laws Address HIPAA, State Privacy Laws Dates HIPAA, State Privacy Laws Phone Numbers HIPAA, State Privacy Laws Personal ID Numbers HIPAA, State Privacy Laws Personally owned property numbers HIPAA, State Privacy Laws Personal Characteristics HIPAA, State Privacy Laws Asset Information HIPAA, State Privacy Laws Breach notification laws are often the catalyst for a deep audit in companies resulting in large fines.
HIPAA PHI: List of 18 Identifiers 1. Names 2. All geographical subdivisions smaller than a State 3. All elements of dates (except year) related to individual 4. Phone numbers 5. Fax numbers 6. Electronic mail addresses 7. Social Security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 8 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers 13. Device identifiers and serial numbers 14. Web Universal Resource Locators (URLs) 15. Internet Protocol (IP) address numbers 16. Biometric identifiers, including finger prints 17. Full face photographic images 18. Any other unique identifying number
PCI DSS (Payment Card Industry Data Security Standard) Build and maintain a secure network. 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data. 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a vulnerability management program. 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement strong access control measures. 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks. 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy. 12. Maintain a policy that addresses information security 9
10 2 Discovery Discover where the sensitive data is located, how it flows, who can access it, the performance requirements and other requirements for protection.
The Discovery process peers into the enterprise to find sensitive data in preparation for delivering an optimal protection solution. • Existing Sensitive Data • New Sensitive Data • Archived Data 2. Discovery 11
2. Discovery in a large enterprise with many systems 012 System System Corporate Firewall System System System System System 012 System System System System System System Focus on systems that contain sensitive data
2. Discovery: Determine the context to the Business 013 System System Corporate Firewall System System 013 System System System Retail Employees Corporate IP Healthcare
2. Discover: Context to the Business and to Security 014 Stores & Ecommerce Corporate Firewall Applications Processing Retail Transactions Research Databases Customer Data Protection Solution Requirements File Server containing IP File Server landing zone for store and e- commerce transactions Sensitive data in columns in databases Sensitive data in Hadoop Stores and e-commerce collecting transactions
15 3 Protect Protect the sensitive data at rest and in transit.
Big Data and The Insider Threat 16
Privacy Laws (See Appendix) 54 International Privacy Laws 30 United States Privacy Laws 17
Financial Services - Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SARBOX), USA PATRIOT ACT, PCI Data Security Standard, and the Basel II Accord (EU) Healthcare and Pharmaceuticals - HIPAA (Health Insurance Portability and Accountability Act of 1996) and FDA 21 CFR Part 11 Infrastructure and Energy - Guidelines for FERC and NERC Cybersecurity Standards, the Chemical Sector Cyber Security Program and Customs-Trade Partnership Against Terrorism (C-TPAT) Federal Government - Compliance with FISMA and related NSA Guidelines and NIST Standards Select US Regulations for Security and Privacy 18
Oracle’s Big Data Platform 019 Source: http://www.oracle.com/us/technologies/big-data/index.html
Software on Oracle Big Data Appliance 20 Source: http://www.oracle.com/us/products/database/big-data-for-enterprise-519135.pdf
Software Layout - Oracle Big Data Appliance 21 Source: 04_Oracle_Big_Data_Appliance_Deep_Dive.pdf
Hadoop - Protection Beyond Kerberos Data Access Framework Pig Hive Sqoop Avro Data Storage Framework (HDFS) Data Processing Framework (MapReduce) BI Applications 22 Volume Encryption with Policy based access control of Files and Monitoring. Field level data protection with Policy based access control and Monitoring; existing and new data. API enabled Field level data protection with Policy based access control and Monitoring. API enabled Field level data protection with Policy based access control and Monitoring.
Many Ways to Hack Big Data Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase 23 HDFS (Hadoop Distributed File System) MapReduce (Job Scheduling/Execution System) Hbase (Column DB) Pig (Data Flow) Hive (SQL) Sqoop ETL Tools BI Reporting RDBMS Avro(Serialization) Zookeeper(Coordination) Hackers Privileged Users Unvetted Applications Or Ad Hoc Processes
Table scans Encryption • Data Size • Data type • Performance (SLA) Analytics Inter-node data movement What’s the Problem with Securing Data? 24
Reduction of Pain with New Protection Techniques 25 1970 2000 2005 2010 High Low Pain & TCO Strong Encryption AES, 3DES Format Preserving Encryption DTP, FPE Vault-based Tokenization Vaultless Tokenization Input Value: 3872 3789 1620 3675 !@#$%a^.,mhu7///&*B()_+!@ 8278 2789 2990 2789 8278 2789 2990 2789 Format Preserving Greatly reduced Key Management No Vault 8278 2789 2990 2789
Protection Granularity: Field Protection 26 Production Systems Non-Production Systems Encryption • Reversible • Policy Control (authorized / Unauthorized Access) • Lacks Integration Transparency • Complex Key Management • Example Masking • Not reversible • No Policy, Everyone can access the data • Integrates Transparently • No Complex Key Management • Example 0389 3778 3652 0038 Vaultless Tokenization / Pseudonymization • Reversible • Policy Control (Authorized / Unauthorized Access) • Not Reversible • Integrates Transparently • No Complex Key Management • Business Intelligence Credit Card: 0389 3778 3652 0038 !@#$%a^.,mhu7///&*B()_+!@
Research Brief “Tokenization Gets Traction” Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non- users 28 Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
Enterprise Flexibility in Token Format Controls Type of Data Input Token Comment Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric Credit Card 3872 3789 1620 3675 3872 3789 2990 3675 Numeric, First 6, Last 4 digits exposed Credit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposed Account Num 29M2009ID 497HF390D Alpha-Numeric Date 10/30/1955 12/25/2034 Date - multiple date formats E-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snk Alpha Numeric, delimiters in input preserved SSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in input Binary 0x010203 0x123296910112 Decimal 123.45 9842.56 Non length preserving Alphanumeric Indicator 5105 1051 0510 5100 8278 2789 299A 2781 Position to place alpha is configurable Invalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will fail Multi-Merchant or Multi-Client ID 3872 3789 1620 3675 ID 1: 8278 2789 2990 2789 ID 2: 9302 8999 2662 6345 This supports delivery of a different token to different merchant or clients based on the same credit card number. 29
Protection Beyond Kerberos Data Access Framework Pig Hive Sqoop Avro Data Storage Framework (HDFS) Data Processing Framework (MapReduce) BI Applications 30 Volume Encryption with Policy based access control of Files and Monitoring. Field level data protection with Policy based access control and Monitoring; existing and new data. API enabled Field level data protection with Policy based access control and Monitoring. API enabled Field level data protection with Policy based access control and Monitoring.
Volume Encryption 31 HDFS MapReduce Protected with Volume Encryption Entire file is in the clear when analyzed
Volume Encryption + Gateway Field Protection 32 HDFS MapReduce Kerberos Access Control Granular Field Level Protection Protected with Volume Encryption Data Protection File Gateway
Volume Encryption + Internal MapReduce Field Protection 33 HDFS MapReduce Kerberos Access Control Granular Field Level Protection Protected with Volume Encryption Hadoop Staging MapReduce
34 4 Enforce Policies are used to enforce rules about how sensitive data should be treated in the enterprise.
4. Enforce 35 The goal of policy enforcement is to; 1. Hide sensitive data from un-authorized users but disclose sensitive data to authorized users. 2. Deliver the minimum information to an individual or a process who needs the information to accomplish a task. Least Privilege by NIST. 3. Collect information about who is attempting to access sensitive data – both authorized and unauthorized.
A Data Security Policy 36 What is the sensitive data that needs to be protected. Data Element. How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc. Who should have access to sensitive data and who should not. Security access control. Roles & Members. When should sensitive data access be granted to those who have access. Day of week, time of day. Where is the sensitive data stored? This will be where the policy is enforced. At the protector. Audit authorized or un-authorized access to sensitive data. Optional audit of protect/unprotect. What Who When Where How Audit
4. Enforce Enterprise Data Warehouse Big Data Clusters 37 Privileged Users Corporate Firewall Access Control External User & ProcessesBusiness Application Users Bad Guys Data Protection Policy
Volume Encryption + Field Protection + Policy Enforcement 38 HDFS Protected with Volume Encryption MapReduce Data Protection Policy
4. Authorized User Example 39 Presentation to requestor Name: Joe Smith Address: 100 Main Street, Pleasantville, CA Protection at rest Name: csu wusoj Address: 476 srta coetse, cysieondusbak, CA Data Scientist, Business Analyst Policy Enforcement Does the requestor have the authority to access the protected data? AuthorizedRequest Response
4. Un-Authorized User Example 40 Request Response Presentation to requestor Name: csu wusoj Address: 476 srta coetse, cysieondusbak, CA Protection at rest Name: csu wusoj Address: 476 srta coetse, cysieondusbak, CA Privileged Used, DBA, Syste m Administrators Policy Enforcement Does the requestor have the authority to access the protected data? Not Authorized
41 5 Monitor A critically important part of a security solution is the ongoing monitoring of any activity on sensitive data.
5. Monitor 42 Policy enforcement collects information in the form of audit logs about any activity on sensitive data. Monitoring enables security personnel to gain insights on what’s going on with your sensitive data. It enables the understanding of what’s normal and what’s not normal activity on sensitive data.
De-Identified Sensitive Data Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare Data – Primary Care Data Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Protection methods can be equally applied to the actual healthcare data, but not needed with de-identification 43
Best Practices for Protecting Big Data Start Early – Don’ wait until you have terabytes of sensitive data in Hadoop before starting your Big Data protection program. Granular protection in addition to access control and volume protection. Future proof your protection. Select the optimal protection for today and for the future. Enterprise coverage to ensure nothing is left vulnerable. Protection against insider threat is more important today than ever before. Can only achieve this through granular data protection techniques. You can protect highly sensitive data while in a way that is mostly transparent to the analysis process. Policy based protection provides a shield to your sensitive data while recording all events on that data. 44
Proven enterprise data security software and innovation leader • Sole focus on the protection of data Growth driven by risk management and compliance • PCI (Payment Card Industry) • PII (Personally Identifiable Information) • PHI (Protected Health Information) – HIPAA • State and Foreign Privacy Laws, Breach Notification Laws Successful across many key industries Introduction to Protegrity 45
How Protegrity Can Help 46 1 2 3 4 5 We can help you Classify the sensitive data that needs to be secured in your enterprise. We can help you Discover where the sensitive data sits in your environment and design the optimal security solution. We can help you Protect your sensitive data with a flexible set of protectors and protection methods. We can help you Enforce policies that will enable business functions while preventing sensitive data from getting in the wrong hands. We can help you Monitor activity on sensitive data to gain insights on abnormal behaviors.
Please contact me for more information Ulf . Mattsson [at] protegrity . Com Info@protegrity.com www.protegrity.com

More Related Content

PDF
Key note in nyc the next breach target and how oracle can help - nyoug
Ulf Mattsson
 
PDF
Isaca new delhi india privacy and big data
Ulf Mattsson
 
PDF
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
 
PPTX
Securing data today and in the future - Oracle NYC
Ulf Mattsson
 
PDF
Where Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
 
PPTX
Jul 16 isaca london data protection, security and privacy risks - on premis...
Ulf Mattsson
 
PPTX
ISSA Atlanta - Emerging application and data protection for multi cloud
Ulf Mattsson
 
PPTX
Privacy preserving computing and secure multi party computation
Ulf Mattsson
 
Key note in nyc the next breach target and how oracle can help - nyoug
Ulf Mattsson
 
Isaca new delhi india privacy and big data
Ulf Mattsson
 
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
 
Securing data today and in the future - Oracle NYC
Ulf Mattsson
 
Where Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Ulf Mattsson
 
ISSA Atlanta - Emerging application and data protection for multi cloud
Ulf Mattsson
 
Privacy preserving computing and secure multi party computation
Ulf Mattsson
 

What's hot (20)

PDF
Where data security and value of data meet in the cloud brighttalk webinar ...
Ulf Mattsson
 
PPTX
Evolving regulations are changing the way we think about tools and technology
Ulf Mattsson
 
PDF
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Ulf Mattsson
 
PPTX
New technologies for data protection
Ulf Mattsson
 
PPTX
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Ulf Mattsson
 
PDF
The past, present, and future of big data security
Ulf Mattsson
 
PPTX
Emerging application and data protection for multi cloud
Ulf Mattsson
 
PPTX
Data protection on premises, and in public and private clouds
Ulf Mattsson
 
PPTX
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
Ulf Mattsson
 
PPTX
A practical data privacy and security approach to ffiec, gdpr and ccpa
Ulf Mattsson
 
PPTX
New regulations and the evolving cybersecurity technology landscape
Ulf Mattsson
 
PPT
Protecting Your Data in the Cloud - CSO - Conference 2011
Ulf Mattsson
 
PPTX
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
PPTX
Risk Management Practices for PCI DSS 2.0
Ulf Mattsson
 
PPTX
Isaca atlanta - practical data security and privacy
Ulf Mattsson
 
PPTX
ISACA Houston - How to de-classify data and rethink transfer of data between ...
Ulf Mattsson
 
PPTX
Unlock the potential of data security 2020
Ulf Mattsson
 
PPT
Future data security ‘will come from several sources’
John Davis
 
PPTX
ISACA Houston - Practical data privacy and de-identification techniques
Ulf Mattsson
 
PPTX
Protecting Data Privacy in Analytics and Machine Learning
Ulf Mattsson
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Ulf Mattsson
 
Evolving regulations are changing the way we think about tools and technology
Ulf Mattsson
 
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Ulf Mattsson
 
New technologies for data protection
Ulf Mattsson
 
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10
Ulf Mattsson
 
The past, present, and future of big data security
Ulf Mattsson
 
Emerging application and data protection for multi cloud
Ulf Mattsson
 
Data protection on premises, and in public and private clouds
Ulf Mattsson
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
Ulf Mattsson
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
Ulf Mattsson
 
New regulations and the evolving cybersecurity technology landscape
Ulf Mattsson
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
Risk Management Practices for PCI DSS 2.0
Ulf Mattsson
 
Isaca atlanta - practical data security and privacy
Ulf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
Ulf Mattsson
 
Unlock the potential of data security 2020
Ulf Mattsson
 
Future data security ‘will come from several sources’
John Davis
 
ISACA Houston - Practical data privacy and de-identification techniques
Ulf Mattsson
 
Protecting Data Privacy in Analytics and Machine Learning
Ulf Mattsson
 
Ad

Similar to New york oracle users group 2013 spring general meeting ulf mattsson (20)

PPT
BigData and Privacy webinar at Brighttalk
Ulf Mattsson
 
PDF
Five steps to secure big data
Ulf Mattsson
 
PDF
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
PDF
Key Concepts for Protecting the Privacy of IBM i Data
Precisely
 
PDF
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
PPTX
PCI DSS Conference in London UK 2011
Ulf Mattsson
 
PDF
Is it time for an IT Assessment?
Raffa Learning Community
 
PPTX
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Precisely
 
PDF
Dataguise hortonworks insurance_feb25
Hortonworks
 
PPTX
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
Ulf Mattsson
 
PDF
Closing the Governance Gap - Enabling Governed Self-Service Analytics
Privacera
 
PPT
IBM Share Conference 2010, Boston, Ulf Mattsson
Ulf Mattsson
 
PDF
Maturing Your Organization's Information Risk Management Strategy
Privacera
 
PPTX
L2 - Protecting Security of Assets_.pptx
RebeccaMunasheChimhe
 
PDF
Big Data Everywhere Chicago: The Big Data Imperative -- Discovering & Protect...
BigDataEverywhere
 
PDF
Isaca journal - bridging the gap between access and security in big data...
Ulf Mattsson
 
PPT
Life After Compliance march 2010 v2
SafeNet
 
PDF
Protecting your data against cyber attacks in big data environments
at MicroFocus Italy ❖✔
 
PDF
Protecting your data against cyber attacks in big data environments
at MicroFocus Italy ❖✔
 
PPTX
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Ulf Mattsson
 
BigData and Privacy webinar at Brighttalk
Ulf Mattsson
 
Five steps to secure big data
Ulf Mattsson
 
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
Key Concepts for Protecting the Privacy of IBM i Data
Precisely
 
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
PCI DSS Conference in London UK 2011
Ulf Mattsson
 
Is it time for an IT Assessment?
Raffa Learning Community
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Precisely
 
Dataguise hortonworks insurance_feb25
Hortonworks
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
Ulf Mattsson
 
Closing the Governance Gap - Enabling Governed Self-Service Analytics
Privacera
 
IBM Share Conference 2010, Boston, Ulf Mattsson
Ulf Mattsson
 
Maturing Your Organization's Information Risk Management Strategy
Privacera
 
L2 - Protecting Security of Assets_.pptx
RebeccaMunasheChimhe
 
Big Data Everywhere Chicago: The Big Data Imperative -- Discovering & Protect...
BigDataEverywhere
 
Isaca journal - bridging the gap between access and security in big data...
Ulf Mattsson
 
Life After Compliance march 2010 v2
SafeNet
 
Protecting your data against cyber attacks in big data environments
at MicroFocus Italy ❖✔
 
Protecting your data against cyber attacks in big data environments
at MicroFocus Italy ❖✔
 
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Ulf Mattsson
 
Ad

More from Ulf Mattsson (18)

PPTX
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
PPTX
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
PPTX
Book
Ulf Mattsson
 
PPTX
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
PPTX
Qubit conference-new-york-2021
Ulf Mattsson
 
PDF
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
PPTX
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
PDF
Data encryption and tokenization for international unicode
Ulf Mattsson
 
PPTX
The future of data security and blockchain
Ulf Mattsson
 
PPTX
GDPR and evolving international privacy regulations
Ulf Mattsson
 
PPTX
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
PPTX
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
PPTX
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
PPTX
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
PPTX
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
PPTX
What is tokenization in blockchain?
Ulf Mattsson
 
PPTX
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
PPTX
What is tokenization in blockchain?
Ulf Mattsson
 
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
Book
Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
Qubit conference-new-york-2021
Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
Data encryption and tokenization for international unicode
Ulf Mattsson
 
The future of data security and blockchain
Ulf Mattsson
 
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
What is tokenization in blockchain?
Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
What is tokenization in blockchain?
Ulf Mattsson
 

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
A Presentation on Artificial Intelligence
memembruh336
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Teaching material agriculture food technology
LiaRayya
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

New york oracle users group 2013 spring general meeting ulf mattsson

  • 1. Bridging the Gap Between Privacy and Data Insight Ulf Mattsson CTO, Protegrity ulf . mattsson [at] protegrity . com
  • 2. 2 Security Analysis Customer Support Customer Profiles Sales & Marketing Social Media Business Improvement Big Data Regulations & Breaches Increased profits Increased profits Increased profits Increased profits Increased profits Balancing security and data insight
  • 3. Balancing security and data insight Tug of war between security and data insight Big Data is designed for access, not security Privacy regulations require de-identification which creates problems with privileged users in an access control security model Only way to truly protect data is to provide data- level protection Traditional means of security don’t offer granular protection that allows for seamless data use 3
  • 4. 4 1. Classify 2. Discovery 3. Protect 4. Enforce 5. Monitor Five Point Data Protection Methodology
  • 5. 5 1 Classify Determine what data is sensitive to your organization.
  • 6. 1. Classify 6 Data is classified as sensitive and must be protected in response to Laws and regulations such as PCI DSS, HIPAA, State Privacy Laws and others. Companies may also have Intellectual Property and other Company Secrets that must be secured against the competition. All companies have sensitive data about their Customers and about their Employees.
  • 7. 1. Classify: Examples of Sensitive Data 7 Sensitive Information Compliance Regulation / Laws Credit Card Numbers PCI DSS Names HIPAA, State Privacy Laws Address HIPAA, State Privacy Laws Dates HIPAA, State Privacy Laws Phone Numbers HIPAA, State Privacy Laws Personal ID Numbers HIPAA, State Privacy Laws Personally owned property numbers HIPAA, State Privacy Laws Personal Characteristics HIPAA, State Privacy Laws Asset Information HIPAA, State Privacy Laws Breach notification laws are often the catalyst for a deep audit in companies resulting in large fines.
  • 8. HIPAA PHI: List of 18 Identifiers 1. Names 2. All geographical subdivisions smaller than a State 3. All elements of dates (except year) related to individual 4. Phone numbers 5. Fax numbers 6. Electronic mail addresses 7. Social Security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 8 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers 13. Device identifiers and serial numbers 14. Web Universal Resource Locators (URLs) 15. Internet Protocol (IP) address numbers 16. Biometric identifiers, including finger prints 17. Full face photographic images 18. Any other unique identifying number
  • 9. PCI DSS (Payment Card Industry Data Security Standard) Build and maintain a secure network. 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data. 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a vulnerability management program. 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement strong access control measures. 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks. 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy. 12. Maintain a policy that addresses information security 9
  • 10. 10 2 Discovery Discover where the sensitive data is located, how it flows, who can access it, the performance requirements and other requirements for protection.
  • 11. The Discovery process peers into the enterprise to find sensitive data in preparation for delivering an optimal protection solution. • Existing Sensitive Data • New Sensitive Data • Archived Data 2. Discovery 11
  • 12. 2. Discovery in a large enterprise with many systems 012 System System Corporate Firewall System System System System System 012 System System System System System System Focus on systems that contain sensitive data
  • 13. 2. Discovery: Determine the context to the Business 013 System System Corporate Firewall System System 013 System System System Retail Employees Corporate IP Healthcare
  • 14. 2. Discover: Context to the Business and to Security 014 Stores & Ecommerce Corporate Firewall Applications Processing Retail Transactions Research Databases Customer Data Protection Solution Requirements File Server containing IP File Server landing zone for store and e- commerce transactions Sensitive data in columns in databases Sensitive data in Hadoop Stores and e-commerce collecting transactions
  • 15. 15 3 Protect Protect the sensitive data at rest and in transit.
  • 16. Big Data and The Insider Threat 16
  • 17. Privacy Laws (See Appendix) 54 International Privacy Laws 30 United States Privacy Laws 17
  • 18. Financial Services - Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SARBOX), USA PATRIOT ACT, PCI Data Security Standard, and the Basel II Accord (EU) Healthcare and Pharmaceuticals - HIPAA (Health Insurance Portability and Accountability Act of 1996) and FDA 21 CFR Part 11 Infrastructure and Energy - Guidelines for FERC and NERC Cybersecurity Standards, the Chemical Sector Cyber Security Program and Customs-Trade Partnership Against Terrorism (C-TPAT) Federal Government - Compliance with FISMA and related NSA Guidelines and NIST Standards Select US Regulations for Security and Privacy 18
  • 19. Oracle’s Big Data Platform 019 Source: http://www.oracle.com/us/technologies/big-data/index.html
  • 20. Software on Oracle Big Data Appliance 20 Source: http://www.oracle.com/us/products/database/big-data-for-enterprise-519135.pdf
  • 21. Software Layout - Oracle Big Data Appliance 21 Source: 04_Oracle_Big_Data_Appliance_Deep_Dive.pdf
  • 22. Hadoop - Protection Beyond Kerberos Data Access Framework Pig Hive Sqoop Avro Data Storage Framework (HDFS) Data Processing Framework (MapReduce) BI Applications 22 Volume Encryption with Policy based access control of Files and Monitoring. Field level data protection with Policy based access control and Monitoring; existing and new data. API enabled Field level data protection with Policy based access control and Monitoring. API enabled Field level data protection with Policy based access control and Monitoring.
  • 23. Many Ways to Hack Big Data Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase 23 HDFS (Hadoop Distributed File System) MapReduce (Job Scheduling/Execution System) Hbase (Column DB) Pig (Data Flow) Hive (SQL) Sqoop ETL Tools BI Reporting RDBMS Avro(Serialization) Zookeeper(Coordination) Hackers Privileged Users Unvetted Applications Or Ad Hoc Processes
  • 24. Table scans Encryption • Data Size • Data type • Performance (SLA) Analytics Inter-node data movement What’s the Problem with Securing Data? 24
  • 25. Reduction of Pain with New Protection Techniques 25 1970 2000 2005 2010 High Low Pain & TCO Strong Encryption AES, 3DES Format Preserving Encryption DTP, FPE Vault-based Tokenization Vaultless Tokenization Input Value: 3872 3789 1620 3675 !@#$%a^.,mhu7///&*B()_+!@ 8278 2789 2990 2789 8278 2789 2990 2789 Format Preserving Greatly reduced Key Management No Vault 8278 2789 2990 2789
  • 26. Protection Granularity: Field Protection 26 Production Systems Non-Production Systems Encryption • Reversible • Policy Control (authorized / Unauthorized Access) • Lacks Integration Transparency • Complex Key Management • Example Masking • Not reversible • No Policy, Everyone can access the data • Integrates Transparently • No Complex Key Management • Example 0389 3778 3652 0038 Vaultless Tokenization / Pseudonymization • Reversible • Policy Control (Authorized / Unauthorized Access) • Not Reversible • Integrates Transparently • No Complex Key Management • Business Intelligence Credit Card: 0389 3778 3652 0038 !@#$%a^.,mhu7///&*B()_+!@
  • 27. Research Brief “Tokenization Gets Traction” Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non- users 28 Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
  • 28. Enterprise Flexibility in Token Format Controls Type of Data Input Token Comment Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric Credit Card 3872 3789 1620 3675 3872 3789 2990 3675 Numeric, First 6, Last 4 digits exposed Credit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposed Account Num 29M2009ID 497HF390D Alpha-Numeric Date 10/30/1955 12/25/2034 Date - multiple date formats E-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snk Alpha Numeric, delimiters in input preserved SSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in input Binary 0x010203 0x123296910112 Decimal 123.45 9842.56 Non length preserving Alphanumeric Indicator 5105 1051 0510 5100 8278 2789 299A 2781 Position to place alpha is configurable Invalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will fail Multi-Merchant or Multi-Client ID 3872 3789 1620 3675 ID 1: 8278 2789 2990 2789 ID 2: 9302 8999 2662 6345 This supports delivery of a different token to different merchant or clients based on the same credit card number. 29
  • 29. Protection Beyond Kerberos Data Access Framework Pig Hive Sqoop Avro Data Storage Framework (HDFS) Data Processing Framework (MapReduce) BI Applications 30 Volume Encryption with Policy based access control of Files and Monitoring. Field level data protection with Policy based access control and Monitoring; existing and new data. API enabled Field level data protection with Policy based access control and Monitoring. API enabled Field level data protection with Policy based access control and Monitoring.
  • 30. Volume Encryption 31 HDFS MapReduce Protected with Volume Encryption Entire file is in the clear when analyzed
  • 31. Volume Encryption + Gateway Field Protection 32 HDFS MapReduce Kerberos Access Control Granular Field Level Protection Protected with Volume Encryption Data Protection File Gateway
  • 32. Volume Encryption + Internal MapReduce Field Protection 33 HDFS MapReduce Kerberos Access Control Granular Field Level Protection Protected with Volume Encryption Hadoop Staging MapReduce
  • 33. 34 4 Enforce Policies are used to enforce rules about how sensitive data should be treated in the enterprise.
  • 34. 4. Enforce 35 The goal of policy enforcement is to; 1. Hide sensitive data from un-authorized users but disclose sensitive data to authorized users. 2. Deliver the minimum information to an individual or a process who needs the information to accomplish a task. Least Privilege by NIST. 3. Collect information about who is attempting to access sensitive data – both authorized and unauthorized.
  • 35. A Data Security Policy 36 What is the sensitive data that needs to be protected. Data Element. How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc. Who should have access to sensitive data and who should not. Security access control. Roles & Members. When should sensitive data access be granted to those who have access. Day of week, time of day. Where is the sensitive data stored? This will be where the policy is enforced. At the protector. Audit authorized or un-authorized access to sensitive data. Optional audit of protect/unprotect. What Who When Where How Audit
  • 36. 4. Enforce Enterprise Data Warehouse Big Data Clusters 37 Privileged Users Corporate Firewall Access Control External User & ProcessesBusiness Application Users Bad Guys Data Protection Policy
  • 37. Volume Encryption + Field Protection + Policy Enforcement 38 HDFS Protected with Volume Encryption MapReduce Data Protection Policy
  • 38. 4. Authorized User Example 39 Presentation to requestor Name: Joe Smith Address: 100 Main Street, Pleasantville, CA Protection at rest Name: csu wusoj Address: 476 srta coetse, cysieondusbak, CA Data Scientist, Business Analyst Policy Enforcement Does the requestor have the authority to access the protected data? AuthorizedRequest Response
  • 39. 4. Un-Authorized User Example 40 Request Response Presentation to requestor Name: csu wusoj Address: 476 srta coetse, cysieondusbak, CA Protection at rest Name: csu wusoj Address: 476 srta coetse, cysieondusbak, CA Privileged Used, DBA, Syste m Administrators Policy Enforcement Does the requestor have the authority to access the protected data? Not Authorized
  • 40. 41 5 Monitor A critically important part of a security solution is the ongoing monitoring of any activity on sensitive data.
  • 41. 5. Monitor 42 Policy enforcement collects information in the form of audit logs about any activity on sensitive data. Monitoring enables security personnel to gain insights on what’s going on with your sensitive data. It enables the understanding of what’s normal and what’s not normal activity on sensitive data.
  • 42. De-Identified Sensitive Data Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare Data – Primary Care Data Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Protection methods can be equally applied to the actual healthcare data, but not needed with de-identification 43
  • 43. Best Practices for Protecting Big Data Start Early – Don’ wait until you have terabytes of sensitive data in Hadoop before starting your Big Data protection program. Granular protection in addition to access control and volume protection. Future proof your protection. Select the optimal protection for today and for the future. Enterprise coverage to ensure nothing is left vulnerable. Protection against insider threat is more important today than ever before. Can only achieve this through granular data protection techniques. You can protect highly sensitive data while in a way that is mostly transparent to the analysis process. Policy based protection provides a shield to your sensitive data while recording all events on that data. 44
  • 44. Proven enterprise data security software and innovation leader • Sole focus on the protection of data Growth driven by risk management and compliance • PCI (Payment Card Industry) • PII (Personally Identifiable Information) • PHI (Protected Health Information) – HIPAA • State and Foreign Privacy Laws, Breach Notification Laws Successful across many key industries Introduction to Protegrity 45
  • 45. How Protegrity Can Help 46 1 2 3 4 5 We can help you Classify the sensitive data that needs to be secured in your enterprise. We can help you Discover where the sensitive data sits in your environment and design the optimal security solution. We can help you Protect your sensitive data with a flexible set of protectors and protection methods. We can help you Enforce policies that will enable business functions while preventing sensitive data from getting in the wrong hands. We can help you Monitor activity on sensitive data to gain insights on abnormal behaviors.
  • 46. Please contact me for more information Ulf . Mattsson [at] protegrity . Com Info@protegrity.com www.protegrity.com

Editor's Notes

  • #28: Risk Adjusted Data Protection simply means that you should protect data based on the risk of the sensitive data.You can determine your risk by deciding what is the value of the data to the bad guys and what is its exposure. For valuable data with wide exposure, such as a credit card number or SSN, you can protect with strong encryption like AES or by tokenizing. For your data that might have little or no value, but is still widely exposed, you can protect with monitoring or Data Type Preserving Encryption.This chart shows several approaches to protect sensitive data along with a set of criteria that we have found useful when comparing the merits of each method.- Performance and security are self explanatory Storage refers to the impact that a method has on storage. For example, strong encryption will require adding padding to the crypto text so that the final data will be larger than the original. When a data store is billions of records this can have an impact on the cost of the solution. Transparency refers to the degree to which a protection method effects business processes, applications, databases and any architecture. A protection method that is not transparent will require remediation to systems that are being protected. This could translate to higher protection costs. Tokenization has been gaining popularity due to it’s high transparent characteristics that are seen to reduce protection costs.For example, a system that has no data protection will have optimal performance because you’re not protecting anything and there’s no increased storage. It will require no system remediation, but it will have no security. This is basically the status quo.By contrast, using tokenization, you are not going to have any performance impact, or any increased storage because we are creating a unique token of the same type and length as the original data. With regard to security, tokenization gives you optimum security, and we’ll get into this later. From a transparency perspective, while it is not as transparent as using no protection, among other things, you are not introducing changes to your database schema.The message here really is that, as you change your security profile, there are a number of other factors that you’ll need to take into account.
  • #32: Joel – what do you do with the nodes - elastic
  • #33: Joel – what do you do with the nodes - elastic
  • #34: Joel – what do you do with the nodes - elastic
  • #37: Everything we do depends on the policy. The security policy is the foundation for protecting data. It is usually managed by the Security Officer. Think of it as the glue that binds distributed data protection throughout the enterprise. You can have one policy or many policies , but every policy includes the following core components:What: First you need to identify what you need to protect, i.e. credit card data, social security number and user names and passwords . This is the data element. And you can think of a data element as simply a label, such as CCN. It simply says I’m protecting credit card data.Who: This is your access control. Once you know what you want to protect, the “Who” determines who has access to the data and who doesn’t. We do this through Roles and we associate Members with Roles. We can take members from a number of sources, such as LDAP or Active Directory, a database or a flat file.When: We have a time parameter in our policy that enables us to control the day and the time of day when sensitive data can and cannot be accessed. It is completely customizable by role.Where: Where does the data exist? This is an important property that sets up apart. We need to know this to be able to deploy policy to our agent that enforces policy on the protection point. You might have many, many protection points, so we need to know where the policy needs to be deployed. It also enables us to pinpoint where unauthorized attempts at accessing sensitive data are taking place. And, when we talk about key management, we are the only platform that tracks where keys have been deployed.How: This is what everyone focuses on – how data is protected. This is another differentiator for us. We are not just a strong encryption vendor. We expanded our capabilities and we have a whole host of methods for protecting sensitive data. We do something that we call Risk Adjusted Data Protection that allows you to scale up or scale down your data protection based on the sensitivity of the data you’re trying to protect. We will discuss this later.Audit: Lastly, we have an auditing function. In the policy, the security officer sets up audit requirements that are carried out by the policy enforcement process. You can audit authorized or unauthorized users in addition to controlling operations such as insert, update and delete in a database scenario. You can make the Policy is as customized as you want it to be.This is policy based data security.
  • #39: Joel – what do you do with the nodes - elastic