Do you have a GDPR Roadmap?
- How to measure Cybersecurity Preparedness
- Oversight of Third Parties
- Related International Standards
- Killing Cloud Quickly?
Technology aspects:
- International/EU PII Customer Case Studies
- Available Data Protection Options
- How to Integrate Security into Application Development
- Security Metrics
ISACA Atlanta, Ulf Mattsson - Do You Have a Roadmap for EU GDPR
1. Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson
umattsson@tokenex.com
ulf@ulfmattsson.com
2. ULF MATTSSON
Inventor of more than 55 issued US patents
Industry involvement:
• GDPR Institute
• PCI DSS - PCI Security Standards Council
  Encryption, tokenization, cloud & virtualization
• CSA - Cloud Security Alliance
• ANSI X9 - American National Standards Institute
• NIST - National Institute of Standards and Technology
• User groups: Security: ISACA & ISSA; Databases: IBM & Oracle
• IFIP - International Federation for Information Processing
umattsson@tokenex.com
ulf@ulfmattsson.com
3. AGENDA
1. GDPR
• Roadmap
• How to measure Cybersecurity Preparedness
• Oversight of Third Parties
• Related International Standards
• Killing Cloud Quickly?
2. Technology
• International/EU PII Customer Case Studies
• Available Data Protection Options
• How to Integrate Security into Application Development
• Security Metrics
7. How to Measure Cybersecurity Preparedness?
1. Do you know where your data is today?
2. Do you have a process to provide data to individuals who ask?
3. Do you have a process to delete data if demanded?
4. Do you understand the consent rules?
5. Do you know which outsourcers have access to the data?
6. Are you sure you can detect data breaches?
7. Do you follow privacy by design and privacy by default principles when designing new systems?
8. Have all processes and data flows been documented?
Source: https://info.skyhighnetworks.com, “GDPR – An Action Guide for IT”
9. Visibility Into Third Party Risk - Example
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
[Chart: number of vulnerabilities over time]
Source: SecurityScoreCard
10. Oversight of third parties
• Organizations can have hundreds to thousands of relevant third parties in scope for GDPR.
• There are three priorities for third-party management:
  • Understanding the different roles defined in GDPR;
  • Key contract elements to consider for GDPR processors; and
  • Assessing the applicable processors for compliance.
• The controller is responsible for all actions taken by the processor.
• The GDPR also states that processors are not permitted to subcontract their services without approval from the controller.
• Contract Agreements: under GDPR, controllers need to understand that they are largely responsible for anything that processors do.
• Assessing Your Relevant Third Parties: because of the extensive use of outsourcing and SaaS, IaaS and PaaS services, one of the most onerous tasks in GDPR preparation is the assessment of relevant third parties.
Source: Optiv
13. 12+ GDPR RELATED INTERNATIONAL STANDARDS & CLOUD
[Diagram: standards mapped to GDPR]
• ISO/IEC 27000 series: ITSEC Management
• ISO/IEC 27001: PII OnPrem
• ISO/IEC 27002: Security Controls
• ISO/IEC 27005: Risk Management
• ISO/IEC 27018: PII in Cloud
• ISO/IEC 17788: Definitions
• ISO/IEC 17789: Cloud Architecture
• ISO/IEC 29100: Privacy for Cloud
• ISO/IEC 29101: Privacy by Design
• ISO/IEC 29134: Privacy Impact
ISO/IEC 27002 control domains:
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
17. DATA-CENTRIC PROTECTION INCREASES SECURITY IN CLOUD COMPUTING
• Rather than making the protection platform based, the security is applied directly to the data
• Protecting the data wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points
19. PROTECT SENSITIVE CLOUD DATA
[Diagram: internal network (internal user, administrator, attacker) and remote user reaching public cloud examples through a Cloud Gateway; each sensitive field is protected, each authorized field is in clear]
Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)
SecDevOps
20. RISK ADJUSTED COMPUTATION – LOCATION AWARENESS
[Diagram: trust, elasticity and processing cost (high to low) plotted across corporate network, private cloud and public cloud, from in-house to out-sourced]
21. VIRTUAL MACHINES & CONTAINERS
[Diagram: SecDevOps with Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)]
Source: GiacomoVacca/docker-from-scratch
22. GDPR: Killing cloud quickly?
• “It will be harder to use cloud computing to process personal data compliantly with the proposed General Data Protection Regulation”
• “With contracts expiring after the GDPR takes effect, change control or change of law clauses will need to be included now, so that they can be amended to comply”
Source: IAPP, The International Association of Privacy Professionals
23. GDPR: Killing cloud quickly?
The main problem
• Infrastructure cloud providers are treated as processors; equipment manufacturers, vendors and lessors are not. Individuals and organizations use infrastructure services for computing, storage and networking purposes instead of buying their own equipment.
• Under the GDPR, if controller-customers process any personal data in-cloud, the providers of these services (i.e., IaaS/PaaS and pure storage SaaS) are considered “processors”.
• This approach may deter cloud use despite its cost and flexibility benefits.
Source: IAPP, The International Association of Privacy Professionals
24. GDPR: Killing cloud quickly?
The main problem – Example
• For example, organizations buying or renting equipment for self-processing of personal data needn’t specify in the contract the processing’s subject-matter, duration, nature, purpose or types of personal data, etc.
• But if organizations use infrastructure cloud for the same processing, Article 26(2) of the GDPR would force them to include this information in their contracts or face fines up to €10m or 2 percent of total annual turnover if higher.
Source: IAPP, The International Association of Privacy Professionals
27. EU Customer Case Study
A major international bank performed a consolidation of all European operational data from various European bank entities:
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
• The bank achieved end-to-end data security with complete, fine-grained de-identification of sensitive data
28. PII/PHI/HIPAA Case Study: Granularity of Reporting and Separation of Duties
[Diagram: what each encryption layer records in its audit log when a user or client accesses a patient health record]
• OS File System Encryption: no information on user or record; the log shows only the database process, e.g. "Database Process 0001 Read ? ? PHI002"
• Database Native Encryption: no read log; only writes appear, e.g. "z Write c xxx"
• 3rd Party Database Encryption: complete log of user, access and record, e.g. "x Read a xxx", "DBA Read b xxx", "z Write c xxx"
The slide flags "Possible DBA manipulation" as the separation-of-duties concern.
30. Cost Of Encryption / Tokenization
[Chart: total cost of ownership (high to low) over time, with axis ticks at 1970, 2000, 2005 and 2010, for strong encryption (3DES, AES …), format preserving encryption (FPE, DTP …), basic tokenization and vaultless tokenization]
Total Cost of Ownership:
1. System Integration
2. Performance Impact
3. Key Management
4. Policy Management
5. Reporting
6. Paper Handling
7. Compliance Audit
8. …
32. CLOUD GATEWAY - REQUIREMENTS ADJUSTED PROTECTION
[Table: data protection methods rated from best to worst on scalability, storage, security and transparency; the ratings were shown graphically]
• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)
33. DE-IDENTIFICATION / ANONYMIZATION
Field           Real Data                               Tokenized / Pseudonymized
Name            Joe Smith                               csu wusoj
Address         100 Main Street, Pleasantville, CA      476 srta coetse, cysieondusbak, CA
Date of Birth   12/25/1966                              01/02/1966
Telephone       760-278-3389                            760-389-2289
E-Mail Address  joe.smith@surferdude.org                eoe.nwuer@beusorpdqo.org
SSN             076-39-2778                             076-28-3390
CC Number       3678 2289 3907 3378                     3846 2290 3371 3378
Business URL    www.surferdude.com                      www.sheyinctao.com
Fingerprint                                             Encrypted
Photo                                                   Encrypted
X-Ray                                                   Encrypted
Use cases: Healthcare / Financial Services (Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.); Financial Services Consumer (products and activities)
Protection methods can be equally applied to the actual data, but not needed with de-identification
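As an added illustration (not code from the presentation or from any product it mentions), the following Python script implements the kind of vaultless, format-preserving pseudonymization the table shows: a keyed HMAC derives each token deterministically, so equal inputs yield equal tokens and records still join, while letters stay letters, digits stay digits and separators survive. The key, the field rules and the sample values are constructed for the demo, and the note in `tokenize` points to NIST FF1 as the standardized alternative.

```python
import hashlib
import hmac
import string

# Constructed demo key: a real deployment pulls this from a key manager (HSM/KMS).
KEY = b"constructed-demo-key-do-not-reuse"

def _keystream(key: bytes, value: str, n: int) -> bytes:
    """Deterministic keyed byte stream (HMAC-SHA256 in counter mode), length >= n."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, f"{counter}|{value}".encode(), hashlib.sha256).digest()
        counter += 1
    return out

def shape(value: str) -> str:
    """'A' for a letter, '9' for a digit, other characters kept: the format to preserve."""
    return "".join("A" if c.isalpha() else "9" if c.isdigit() else c for c in value)

def tokenize(value: str, key: bytes = KEY) -> str:
    """Vaultless, format-preserving pseudonym: letters map to letters (case kept), digits
    to digits, separators pass through, so shape(token) == shape(value). Same key and
    input always give the same token, so records still join without a token vault.
    The '% 26' / '% 10' reductions are slightly biased; production code should use a
    standardized FPE mode such as NIST FF1 rather than this keystream construction."""
    out = []
    for ch, b in zip(value, _keystream(key, value, len(value))):
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isalpha():
            letters = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(letters[b % 26])
        else:
            out.append(ch)
    return "".join(out)

def tokenize_field(field: str, value: str, key: bytes = KEY) -> str:
    """Field-aware rules mirroring the table: an e-mail keeps '@' and its TLD, a date
    of birth (MM/DD/YYYY) keeps the year and gets a valid pseudo-random month and day."""
    if field == "email":
        local, domain = value.rsplit("@", 1)
        name, tld = domain.rsplit(".", 1)
        return f"{tokenize(local, key)}@{tokenize(name, key)}.{tld}"
    if field == "dob":
        year = value.split("/")[2]
        ks = _keystream(key, value, 2)
        return f"{1 + ks[0] % 12:02d}/{1 + ks[1] % 28:02d}/{year}"
    return tokenize(value, key)
```

Calling `tokenize_field("email", "joe.smith@surferdude.org")` returns a token of the same shape ending in `.org`, and `shape(tokenize("760-278-3389"))` is `999-999-9999`, the property downstream systems depend on.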
34. How Should I Secure Different Data?
[Diagram: type of data (structured vs. un-structured) plotted against use case (simple to complex) for PCI card holder data, PHI protected health information and PII personally identifiable information; the protection methods shown are tokenization of fields and encryption of files]
35. TOKENIZATION VS. ENCRYPTION
Used Approach    Encryption                 Tokenization
                 Cipher System              Code System
                 Cryptographic algorithms   Code books
                 Cryptographic keys         Index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
37. TOKENIZATION SERVER LOCATION - EXAMPLE
[Table: tokenization server locations rated from best to worst per criterion; the ratings were shown graphically]
Locations: Mainframe (DB2 Work Load Manager; Separate Address Space), Remote (In-house; Out-sourced)
Evaluation criteria:
• Operational: Availability, Latency, Performance
• Security: Separation, Compliance
39. WORRY ONLY ABOUT THE MAJOR BREACH PATTERNS
[Chart: breach patterns, with Application Attacks called out]
Source: Verizon Data Breach Investigations Report
40. DATA SECURITY CONTEXT
[Diagram: layers from external network and internal network down to the application server (operating system, OS file system, database, application framework, application source code, application data), with security controls & agents at each layer; data security context rated high to low]
41. A SECDEVOPS FLOW
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST); fuzz testing is essentially throwing lots of random garbage
• Vulnerability Analysis
• Interactive Application Self-Testing (IAST)
• Runtime Application Self Protection (RASP)
44. THE BOARD’S PERCEPTION OF CYBERSECURITY RISKS
[Chart: responses ranging from no change to increased and high]
Source: PWC – The Global State of Information Security Survey
45. TRENDS IN BOARD INVOLVEMENT IN CYBER SECURITY
Source: PWC – The Global State of Information Security Survey
46. QUESTIONS THE BOARD WILL ASK
Source: PWC – The Global State of Information Security Survey
47. CEOS, CFOS, BUSINESS RISK OWNERS & CISOS QUESTIONS
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
Source: PWC – The Global State of Information Security Survey
50. AUDIENCE FOCUSED DASHBOARDS
• CISO: How compliant are we?
• CEO and Board of Directors: How much risk do we have?
• Senior Management: What work do we need to prioritize?
Source: Innosec
51. SECURITY CONTROLS & RISK MANAGEMENT
• Are your security controls covering all sensitive data?
• Are your deployed security controls failing?
• Are you prioritizing business asset risk?
Source: Innosec
52. OUR BRIGHTTALK.COM GDPR WEBINARS
25-May-18 GDPR: Deadline Day Special
23-May-18 GDPR: Responding to a Breach
22-May-18 GDPR: Protecting Your Data
13-Apr-18 GDPR and its impact on the Financial Services Sector
23-Mar-18 GDPR: Brace for Impact or Not?
22-Jan-18 EU/GDPR Compliance - How do you test for Compliance?
17-Aug-17 Do You Have a Roadmap for EU GDPR Compliance?
Source: https://www.brighttalk.com/