Ulf Mattsson presented on new enterprise application and data security challenges and solutions. He discussed how 20% of organizations are expected to budget for quantum computing projects by 2023 compared to less than 1% currently. He also summarized that web application security is needed based on Verizon's 2018 breach report showing many breaches originate from applications. Finally, he emphasized the importance of integrating security into the application development process from the beginning using approaches like SecDevOps and DevSecOps.
2. 2
Ulf Mattsson, BIO
+ Mr. Mattsson is currently the Head of Innovation at TokenEx, a cloud-based data security
company, was previously Chief Technology Officer at Atlantic BT Security Solutions, and
earlier Chief Technology Officer at Compliance Engineering. He was the Chief Technology
Officer and a technology founder of Protegrity.
+ Prior to Protegrity, he worked 20 years at IBM's Research and Development organization, in
the areas of Application and Database Security. He also worked at companies providing
Data Discovery Services, Cloud Application Security Brokers, Web Application Firewalls,
Managed Security Service, Security Operation Center, and Cybersecurity consulting.
+ Mr. Mattsson is an Inventor of 73 Awarded and Issued US Patents.
+ He delivered joint Application and Data Protection products and development teams at
IBM, Microsoft, Hewlett-Packard, Oracle, Teradata, and RSA Security (Dell). Mr. Mattsson is
also advising companies in the area of AI, Machine Learning and Quantum Computing
technologies.
+ Mr. Mattsson also owns and manages the BrightTALK “Cybersecurity - The No Spin Zone”
and “The Blockchain Channel.”
3. 3
*: By 2023, 20% of organizations will be budgeting for quantum computing projects, compared to less than 1% in 2018, Gartner.
6. 6
Data Security Context
[Diagram: Data Security Context rated from High to Low, with Security Controls shown against these labels: External Network, Internal Network, Network, Application Server, Operating System, OS File System, Database, Application Framework, Application Source Code, Application, Data.]
8. 8
SecDevOps vs DevSecOps
SecDevOps (Securing DevOps)
1. Embed security into the DevOps style of operation
2. Ensure a "secure by design" discipline in the software delivery methodology, using techniques such as automated security review of code and automated application security testing
DevSecOps (Applying DevOps to Security Operations)
1. Develop and deploy a series of minimum viable products for security programs
2. When implementing security log monitoring, rather than having a very large, high-value program with a waterfall delivery plan to design, implement and test
3. Operating a SIEM that monitors a large number of log sources
4. Onboard small sets of sources onto a cloud-based platform and slowly evolve the monitoring capability
Source: Capgemini
18. 18
The API Product Manager Sits Between API
Consumers and API Producers
Source: Gartner
19. 19
Source: Gartner
Security for Microservices
Coding security directly into APIs has the following disadvantages:
■ Violates separation of duties.
■ Makes code more complex and fragile.
■ Adds extra maintenance burden.
■ Is unlikely to cover all aspects that are required in a full API security policy.
■ Not reusable.
■ Not visible to security teams.
21. 21
Source: Gartner
Products Delivering API Security
Apply policies to APIs (for example, using an API gateway) but avoid situations where each API has a unique security policy.
Instead, leverage a reusable set of policies that are applied to APIs based on their categorization. Abstract any specific API characteristics (such as URL path) from the policies themselves.
22. 22
AI-Driven Development
AI-driven development explores the evolution of tools, technologies and best practices for embedding
AI capabilities into applications. It also explores the use of AI to create AI-powered tools used in the
development process itself. This trend is evolving along three dimensions:
■ The tools used to build AI-powered solutions are expanding from tools targeting data scientists (AI
infrastructure, AI frameworks and AI platforms) to tools targeting the professional developer
community (AI platforms and AI services).
■ The tools used to build AI-powered solutions are themselves being empowered with AI-driven
capabilities that assist professional developers and automate tasks related to the development of AI-
enhanced solutions.
■ AI-enabled tools in particular are evolving from assisting and automating functions related to
application development (AD) to being enhanced with business-domain expertise and automating
activities higher on the AD process stack (from general development to business solution design).
Source: Gartner, 2018
24. 24
Positioning of some Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889, Privacy enhancing data de-identification terminology and classification of techniques
[Diagram positioning the models by category:]
Formal privacy measurement models (PMM): Differential Privacy (DP), in a Server model and a Local model.
■ Server model: responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator” (diagram boxes: Enc, Enc, Enc, App, Curator*, Dec; *: example, Apple).
■ Local model: the entity receiving the data is looking to reduce risk.
De-identification techniques (DT): K-anonymity model, which ensures that for each identifier there is a corresponding equivalence class containing at least K records.
Cryptographic tools (CT):
■ Format Preserving Encryption (FPE): data has the same format, including the length, as the original data.
■ Homomorphic Encryption (HE): two values encrypted with the same public key can be combined.
25. 25
Positioning of Encryption models
Source: INTERNATIONAL STANDARD ISO/IEC 20889:2018(E), First edition 2018-11
Format Preserving Encryption (FPE)
Format-preserving encryption is designed for data that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals, a method for format-preserving encryption transforms data that is formatted as a sequence of the symbols in such a way that the encrypted form of the data has the same format, including the length, as the original data.
Homomorphic Encryption (HE)
Homomorphic encryption is a form of randomized encryption. When employed as part of a de-identification technique, homomorphic encryption is able to be used to replace any identifying or sensitive attribute within a data record with an encrypted value. The property of homomorphic encryption that enables the usefulness of the de-identified data is that two values encrypted with the same public key can be combined with the homomorphic operator of the cryptographic scheme to produce a new ciphertext representing the result of the operation on the de-identified values.
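A worked example of the combination property just described, added here and not part of the standard or the presentation: a toy Paillier cryptosystem (additively homomorphic) built from two small constructed primes, so the product of two ciphertexts made under the same public key decrypts to the sum of the plaintexts.

```python
import math
import random

# Toy key material: two small hardcoded primes (constructed for illustration;
# real Paillier keys use ~1024-bit primes drawn at random).
P, Q = 104723, 104729


def keygen(p=P, q=Q):
    """Return (public_key, private_key) = ((n, g), (lambda, mu))."""
    n = p * q
    n_sq = n * n
    g = n + 1                                           # standard generator
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)       # L(g^lam)^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub, m, rng=random):
    """Randomized encryption: c = g^m * r^n mod n^2 with a fresh random r."""
    n, g = pub
    n_sq = n * n
    assert 0 <= m < n, "plaintext must lie in Z_n"
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    return ((pow(c, lam, n_sq) - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """The homomorphic operator: a ciphertext product decrypts to m1 + m2."""
    return (c1 * c2) % (pub[0] ** 2)


def total_of_column(values):
    """A de-identified record set keeps a numeric field only in encrypted form;
    whoever holds the public key can total the column without decrypting any
    single entry, and only the private-key holder learns the sum."""
    pub, priv = keygen()
    running = encrypt(pub, 0)                   # encrypted zero as accumulator
    for ct in (encrypt(pub, v) for v in values):
        running = add_encrypted(pub, running, ct)
    return decrypt(pub, priv, running)
```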
Server model
Mechanisms that follow the “server model” for differential privacy typically preserve data in unmodified form in a secure database. In order to preserve privacy, responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator”. The curator takes queries from system users, or from reporting software, and obtains the correct, noise-free answer from the database.
Local model
The local model is useful when the entity receiving the data is not necessarily trusted by the data principals, or if the entity receiving the data is looking to reduce risk and practice data minimization.
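An added illustration of both models (not from the standard or the presentation): a server-model curator that fetches the noise-free count from an unmodified table and releases it only with Laplace noise added, and a local-model randomized-response scheme in which each principal perturbs their own bit before the untrusted collector ever sees it. The table, epsilon and p_truth are constructed values.

```python
import math
import random

# Constructed toy table: one row per data principal, 1 = has the sensitive
# attribute. In the server model it stays unmodified and is reachable only
# through the curator.
RECORDS = [1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1]


def laplace(scale, rng):
    """Draw from Laplace(0, scale) by inverting its CDF on a uniform sample."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class Curator:
    """Server-model middleware: obtains the noise-free answer from the database
    and releases it only after adding Laplace noise scaled to the query's
    sensitivity divided by epsilon."""

    def __init__(self, records, epsilon, rng):
        self._records = records        # raw data never leaves this object
        self.epsilon = epsilon
        self._rng = rng

    def count(self, predicate, sensitivity=1):
        exact = sum(1 for r in self._records if predicate(r))   # noise-free
        return exact + laplace(sensitivity / self.epsilon, self._rng)


def randomized_response(bit, p_truth, rng):
    """Local model: the principal perturbs the value before sharing it, telling
    the truth with probability p_truth and the opposite otherwise."""
    return bit if rng.random() < p_truth else 1 - bit


def local_estimate(bits, p_truth, rng):
    """The (untrusted) collector only sees perturbed reports and unbiases the
    observed rate to estimate the true proportion."""
    reports = [randomized_response(b, p_truth, rng) for b in bits]
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p_truth)) / (2.0 * p_truth - 1.0)


def demo(seed=1):
    """Run both models with a seeded RNG and return (noisy_count, estimate)."""
    rng = random.Random(seed)
    noisy_count = Curator(RECORDS, epsilon=1.0, rng=rng).count(lambda r: r == 1)
    population = [1] * 3000 + [0] * 7000       # constructed: 30% flagged
    estimate = local_estimate(population, p_truth=0.75, rng=rng)
    return noisy_count, estimate
```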
L-diversity
L-diversity is an enhancement to K-anonymity for datasets with poor attribute variability. It is designed to protect against deterministic inference attempts by ensuring that each equivalence class has at least L well-represented values for each sensitive attribute. L-diversity is not a single model but a group of models (E.7). Each model has diversity defined slightly differently, e.g. by counting distinct values or by entropy.
T-closeness
T-closeness is an enhancement to L-diversity for datasets with attributes that are unevenly distributed, belong to a small range of values, or are categorical. It is designed to protect against statistical inference attempts, as it ensures that the distance between the distribution of a sensitive attribute in any equivalence class and the distribution of the attribute in the overall dataset is less than a threshold T. This technique is useful when it is important for the resulting dataset to remain as close as possible to the original one.
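An added checker (not from the standard or the presentation) that computes K, L (the distinct-values variant) and T (total variation distance, suited to categorical attributes) over a constructed toy table of already generalized quasi-identifiers with one sensitive attribute, and tests a release against all three thresholds at once.

```python
from collections import Counter

# Constructed toy release: quasi-identifiers already generalized (zip prefix,
# age band); "condition" is the sensitive attribute.
QUASI_IDS = ("zip", "age")
SENSITIVE = "condition"
RECORDS = [
    {"zip": "130**", "age": "20-29", "condition": "flu"},
    {"zip": "130**", "age": "20-29", "condition": "flu"},
    {"zip": "130**", "age": "20-29", "condition": "cancer"},
    {"zip": "148**", "age": "30-39", "condition": "flu"},
    {"zip": "148**", "age": "30-39", "condition": "cancer"},
    {"zip": "148**", "age": "30-39", "condition": "asthma"},
]


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records that share the same quasi-identifier values."""
    classes = {}
    for rec in records:
        key = tuple(rec[q] for q in quasi_ids)
        classes.setdefault(key, []).append(rec)
    return classes


def k_anonymity(records):
    """Largest K such that every equivalence class holds at least K records."""
    return min(len(c) for c in equivalence_classes(records).values())


def l_diversity(records, sensitive=SENSITIVE):
    """Distinct-values variant: fewest distinct sensitive values in any class."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records).values())


def t_closeness(records, sensitive=SENSITIVE):
    """Largest total-variation distance between a class's sensitive-value
    distribution and the distribution over the whole dataset."""
    overall = Counter(r[sensitive] for r in records)
    n = len(records)
    worst = 0.0
    for c in equivalence_classes(records).values():
        local = Counter(r[sensitive] for r in c)
        dist = 0.5 * sum(abs(local[v] / len(c) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


def satisfies(records, k, l, t):
    """True when the release meets K-anonymity, L-diversity and T-closeness."""
    return (k_anonymity(records) >= k and l_diversity(records) >= l
            and t_closeness(records) <= t)
```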
[Diagram legend, Privacy enhancing data de-identification terminology and classification of techniques: De-identification techniques (DT), including the K-anonymity model; Cryptographic tools (CT); Formal privacy measurement models (PMM), including Differential Privacy (DP).]
30. 30
Securing Big Data - Examples of Security Agents
[Diagram: Big Data stack (HDFS (Hadoop Distributed File System); Pig (Data Flow), Hive (SQL), Sqoop; MapReduce (Job Scheduling/Execution System); OS File System) with surrounding ETL Tools, BI Reporting and RDBMS. Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest), provide data protection at the database, application or file level, or in a staging area: de-identified data is imported, identifiable data is exported, and audit data is exported for reporting.]
SecDevOps
33. 33
Protect Sensitive Cloud Data
[Diagram: Public Cloud Examples reached through a Cloud Gateway from the Internal Network (Administrator, Internal User), with a Remote User and an Attacker outside. Each sensitive field is protected; each authorized field is in clear. Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest).]
SecDevOps
The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data.
38. 38
Example of Cross Border Data-centric Security
[Diagram: data sources feeding a Data Warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.]
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
40. 40
Total Cost and Risk of Tokenization in Cloud vs On-prem
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
42. 42
Security Concerns with Quantum Encryption
Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies.
Source: IBM and ZDNet
51. 51
#3 Self-Sovereign Identity (SSI)
[Diagram: YOU and a PEER linked by a CONNECTION over a DISTRIBUTED LEDGER (BLOCKCHAIN).]
Source: Sovrin.org
The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow every public key to have its own address, which is called a decentralized identifier (DID).
52. 52
#3 Self-Sovereign Identity (SSI)
[Diagram: a PEER with a DIGITAL WALLET, a CONNECTION over the DISTRIBUTED LEDGER (BLOCKCHAIN), and GET CREDENTIAL / SHOW CREDENTIAL flows, built on four layers: 1 DIDs, 2 DKMS, 3 DID AUTH, 4 Verifiable Credentials.]
Source: Sovrin.org
55. 55
Emerging De Jure Standards for SSI
Verifiable Credentials
DID Auth
DKMS (Decentralized Key Management System)
DID (Decentralized Identifier)
Source: Sovrin.org
56. 56
2018 ANSI X9 STANDARD FOR FORMAT PRESERVING ENCRYPTION
• Format-preserving encryption (FPE) is useful in situations where fixed-format data, such as primary account numbers or Social Security numbers, must be protected.
• FPE will limit changes to existing communication protocols, database schemata or application code.
Source: Accredited Standards Committee ANSI X9
60. 60
Thank You!
Ulf Mattsson, TokenEx
ullf@ulfmattsson.com
www.TokenEx.com
Webinar Title: New Enterprise Application and Data Security Challenges and Solutions
Webcast Live Date & Time: 10:00 am Apr 25 2019 United States - Los Angeles