Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr

Do You Have a Roadmap for
EU GDPR Compliance?
Ulf Mattsson
umattsson@tokenex.com
ulf@ulfmattsson.com

ULF MATTSSON
INVENTOR OF MORE THAN 55 ISSUED US
PATENTS
INDUSTRY INVOLVEMENT:
• GDPR INSTITUTE
• PCI DSS - PCI SECURITY STANDARDS
COUNCIL
ENCRYPTION, TOKENIZATION, CLOUD &
VIRTUALIZATION
• CSA - CLOUD SECURITY ALLIANCE
• ANSI X9 - AMERICAN NATIONAL STANDARDS
INSTITUTE
• NIST - NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY
• USER GROUPS
SECURITY: ISACA & ISSA
DATABASES: IBM & ORACLE
IFIP - INTERNATIONAL FEDERATION FOR
INFORMATION PROCESSING
UMATTSSON@TOKENEX.COM
ULF@ULFMATTSSON.COM 2

1. GDPR
• Roadmap
• How to measure Cybersecurity Preparedness
• Oversight of Third Parties
• Related International Standards
• Killing Cloud Quickly?
2. Technology
• International/EU PII Customer Case Studies
• Available Data Protection Options
• How to Integrate Security into Application Development
• Security Metrics
3
AGENDA

1. GDPR
• Roadmap
2. Technology
4
AGENDA

Compliance
Gap
Analysis
Security
Reviews
Use Case
Management
Consent
Management
Technology
Assessments
Business
Process
Management
THE GDPR ROADMAP
Privacy
Impact
Assessment
Legal
Advice
Detailed
Readiness
Assessment
© 2018 - The GDPR Institute - All Rights Reserved
Educate
&
Train
Data
Subject Access
Management
Threat
Detection
GDPR
Testing
GDPR
Defensible
Position
Annual
GDPR
Audits
Breach Case
Management
5

1. GDPR
• Roadmap
2. Technology
6
AGENDA

7
Source: https://info.skyhighnetworks.com, “GDPR – An Action Guide for IT”
1. Do you know where your data is today?
2. Do you have a process to provide data to individuals who ask?
3. Do you have a process to delete data if demanded?
4. Do you understand the consent rules?
5. Do you know which outsourcers have access to the data?
6. Are you sure you can detect data breaches?
7. Do you follow privacy by design and privacy by default principles when designing new
systems?
8. Have all processes and data flows been documented?
How to Measure Cybersecurity Preparedness?

1. GDPR
• Roadmap
2. Technology
8
AGENDA

Discover and thwart third party vulnerabilities and security
gaps in real-time to better control the impact of breaches.
Source: SecurityScoreCard
# Vulnerabilities
Time
9
Visibility Into Third Party Risk - Example

10
Source: Optiv
Oversight of third parties
• Organizations can have hundreds to thousands of relevant third parties in scope for GDPR.
• There are three priorities for third-party management:
• Understanding the different roles defined in GDPR;
• Key contract elements to consider for GDPR processors; and
• Assessing the applicable processors for compliance.
• The controller is responsible for all actions taken by the processor.
• The GDPR also states that processors are not permitted to subcontract their services without
approval from the controller.
• Contract Agreements
• Under GDPR, controllers need to understand that they are largely responsible for anything that
processors do
• Assessing Your Relevant Third Parties
• Because of the extensive use of outsourcing and SAAS, IAAS and PAAS services, one of the most
onerous tasks in GDPR preparation is the assessment of relevant third parties.

1. GDPR
• Roadmap
2. Technology
11
AGENDA

12+ GDPR RELATED INTERNATIONAL STANDARDS & CLOUD
12
ISO/IEC 27018 PII in Cloud (Basic Requirements)
ISO/IEC 27002 Security Controls
ISO/IEC 27001 PII OnPrem
ISO/IEC 27005 Risk Management
ISO/IEC 29134 Privacy Impact
ISO/IEC 17789 Cloud Architecture
ISO/IEC 29101 Privacy by Design
ISO/IEC 29100 Privacy for Cloud
ISO/IEC 17788 Definitions
ISO/IEC 27000 series –
ITSEC Management
+
PII Processor
(Enforcement)
PII Controller
(Privacy Rules)
GDPR
(Adding Requirements)
+

13
ISO/IEC 27018
PII in Cloud
ISO/IEC 27002 Security Controls
ISO/IEC 27001 PII OnPrem
ISO/IEC 27005 Risk Management
ISO/IEC 29134 Privacy Impact
ISO/IEC 17789 Cloud Architecture
ISO/IEC 29101 Privacy by Design
ISO/IEC 29100 Privacy for Cloud
ISO/IEC 17788 Definitions
ISO/IEC 27000 series –
ITSEC Management
ISO/IEC 27002
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and
maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business
continuity management
18 Compliance
GDPR
12+ GDPR RELATED INTERNATIONAL STANDARDS & CLOUD

1. GDPR
• Roadmap
2. Technology
14
AGENDA

16
THREAT VECTOR INHERITANCE
16

• Rather than making the protection platform based, the security
is applied directly to the data
• Protecting the data wherever it goes, in any environment
• Cloud environments by nature have more access points and
cannot be disconnected
• Data-centric protection reduces the reliance on controlling the
high number of access points
DATA-CENTRIC PROTECTION INCREASES SECURITY IN
CLOUD COMPUTING
17

Safe Integration – Enterprise & Public Cloud
Safe Integration
18

PROTECT SENSITIVE CLOUD DATA
Internal Network
Administrator
Attacker
Remote
User
Internal User
Public Cloud Examples
Each sensitive
field is protected
Each
authorized
field is in
clear
Cloud Gateway
19
Data Security Agents, including encryption, tokenization or
masking of fields or files (at transit and rest)
SecDevOps

Trust
RISK ADJUSTED COMPUTATION – LOCATION AWARENESS
Elasticity
Out-sourcedIn-house
Corporate
Network
Private Cloud
Private Cloud
Public Cloud
H
L
ProcessingCost
H
L
20

VIRTUAL MACHINES & CONTAINERS
Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and
rest)
Source: GiacomoVacca/docker-from-scratch
SecDevOps
SecDevOps
21

22
GDPR: Killing cloud quickly?
• “It will be harder to use cloud computing to process personal
data compliantly with the proposed General Data Protection
Regulation”
• “With contracts expiring after the GDPR takes effect, change
control or change of law clauses will need to be included
now, so that they can be amended to comply”
Source: IAPP, The International Association of Privacy Professionals

23
The main problem
• Infrastructure cloud providers are treated as processors; equipment
manufacturers, vendors and lessors are not. Individuals and organizations
use infrastructure services for computing, storage and networking purposes
instead of buying their own equipment.
• Under the GDPR, if controller-customers process any personal data in-
cloud, the providers of these services (i.e., IaaS/PaaS and pure storage
SaaS) are considered “processors”.
• This approach may deter cloud use despite its cost and flexibility
benefits.

24
The main problem – Example
• For example, organizations buying or renting equipment for
self-processing of personal data needn’t specify in the
contract the processing’s subject-matter, duration, nature,
purpose or types of personal data, etc.
• But if organizations use infrastructure cloud for the same
processing, Article 26(2) of the GDPR would force them to
include this information in their contracts or face fines up
to €10m or 2 percent of total annual turnover if higher.

1. GDPR
• Roadmap
2. Technology
25
AGENDA

CASE STUDY - INTERNATIONAL DATA PROTECTION
26

27
EU Customer Case Study
A major international bank performed a consolidation of all European operational
data from various European bank entities:
• Protecting Personally Identifiable Information (PII), including names, addresses,
phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and
reporting
• The bank achieved end-to-end data security with complete, fine-grained de-
identification of sensitive data

OS File
System
Encryption
User / Client
Database
Native
Encryption
User Access Patient Health Record
x Read a xxx
DBA Read b xxx
z Write c xxx
User Access Patient Health Record
z Write c xxx
User
Acces
s
Patient
Health
Data
Record
Health
Data
File
Database
Process
0001
Read ? ? PHI002
Database
Process
0001
Read ? ? PHI002
Database
Process
0001
Write ? ? PHI002
Possible DBA manipulation
Complete
Log
No Read
Log
No
Information
On User
or Record
3rd Party
Database
Encryption
PII/PHI/HIPAA Case Study: Granularity of Reporting and Separation
of Duties
Possible DBA manipulation
: Security controls, Encryption services, 28

1. GDPR
• Roadmap
2. Technology
29
AGENDA

Time
Total Cost of
Ownership
Total Cost of Ownership
1. System Integration
2. Performance Impact
3. Key Management
4. Policy Management
5. Reporting
6. Paper Handling
7. Compliance Audit
8. …
Strong Encryption:
3DES, AES …
I
2010
I
1970
Cost Of Encryption / Tokenization
I
2005
I
2000
Format Preserving Encryption:
FPE, DTP …
Basic Tokenization
Vaultless Tokenization
High -
Low -
30

CLOUD GATEWAY - REQUIREMENTS ADJUSTED
PROTECTION
Data Protection Methods Scalability Storage Security Transparency
System without data protection
Weak Encryption (1:1 mapping)
Searchable Gateway Index (IV)
Vaultless Tokenization
Partial Encryption
Data Type Preservation Encryption
Strong Encryption (AES CBC, IV)
Best Worst
32

DE-IDENTIFICATION / ANONYMIZATION
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail
Address
joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial
Services
Dr. visits, prescriptions, hospital
stays and discharges, clinical,
billing, etc.
Financial Services Consumer
Products and activities
Protection methods can be equally
applied to the actual data, but not
needed with de-identification
33

Type of
Data
Use
Case
I
Structured
How Should I Secure Different Data?
I
Un-structured
Simple –
Complex –
PCI
PHI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Protected
Health
Information
34
Personally Identifiable
Information

TOKENIZATION VS. ENCRYPTION
Used Approach Cipher System Code
System
Cryptographic algorithms
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
TokenizationEncryption
35

POSITIONING DIFFERENT PROTECTION
OPTIONS
Evaluation Criteria Strong
Encryption
Formatted
Encryption
Tokens
Security & Compliance
Total Cost of Ownership
Use of Encoded Data
Best Worst
36

TOKENIZATION SERVER LOCATION -
EXAMPLE
Best Worst
Tokenization Server Location
Evaluation Aspects Mainframe Remote
Area Criteria DB2 Work
Load
Manager
Separate
Address Space
In-house Out-sourced
Operational
Availability
Latency
Performance
Security
Separation
Compliance
37

1. GDPR
• Roadmap
2. Technology
38
AGENDA

WORRY ONLY ABOUT THE MAJOR BREACH PATTERNS
Source: Verizon Data Breach Investigations Report
39
Application
Attacks

DATA SECURITY CONTEXT
Operating System
Security Controls & Agents
OS File System
Database
Application Framework
Application Source Code
Application
Data
Network
External Network
Internal Network
Application Server
40
High -
Low -
Data Security Context

A SECDEVOPS FLOW
Static
Application
Security
Testing
(SAST)
Dynamic Application Security Testing
(DAST)
Fuzz testing
is
essentially
throwing lots
of random
garbage
Vulnerabilit
y Analysis
Runtime
Application
Self
Protection
(RASP)
Interactive
Application
Self-Testing
(IAST)
41

1. GDPR
• Roadmap
2. Technology
42
AGENDA

SECURITY METRICS FROM SECDEVOPS
43
# Vulnerabilities
Time

THE BOARD’S PERCEPTION OF CYBERSECURITY RISKS
Source: PWC – The Global State of Information Security Survey
Increased+
Increased ++
High
No change
44

TRENDS IN BOARD INVOLVEMENT IN CYBER SECURITY
45

QUESTIONS THE BOARD WILL ASK
46

CEOS, CFOS, BUSINESS RISK OWNERS & CISOS
QUESTIONS
1."How much cyber risk do we have in dollars and cents?"
2."How much cyber insurance do we need?"
3."Why am I investing in this cyber security tool?"
4."How well are our crown jewel assets protected?"
5."How do I know that we’ve actually lowered our risk
exposure?"
6. "As my business changes through M&A, adding new business
applications and new cyber risks , how can I get the quickest
view of the impact on my overall business risk?"
47

NIST Cybersecurity
Framework
A Common Language to
Communicate with Executives
Source: https://www.ftc.gov

GENERATING KEY SECURITY METRICS
49
# Vulnerabilities
Time

AUDIENCE FOCUSED DASHBOARDS
CISO CEO and Board
of Directors
Senior
Management
How compliant
are we?
How much risk
do we have?
What work do we
need to prioritize?
50
50
Source: Innosec

SECURITY CONTROLS & RISK MANAGEMENT
Are your security
controls covering all
sensitive data?
Are your deployed
security controls
failing?
Source: Innosec
Are you prioritizing
business asset risk?
51

OUR BRIGHTTALK.COM GDPR WEBINARS
52
25-May-18 GDPR: Deadline Day Special
23-May-18 GDPR: Responding to a Breach
22-May-18 GDPR: Protecting Your Data
13-Apr-18 GDPR and its impact on the Financial Services Sector
23-Mar-18 GDPR: Brace for Impact or Not?
22-Jan-18
EU/GDPR Compliance - How do you test for
Compliance?
17-Aug-17 Do You Have a Roadmap for EU GDPR Compliance?
Source: https://www.brighttalk.com/

53
Source: https://www.brighttalk.com/
OUR MAR 23 BRIGHTTALK.COM GDPR WEBINAR

THANK YOU!
QUESTIONS?
UMATTSSON@TOKENEX.COM
ULF@ULFMATTSSON.COM

Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr

Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr

Similar to Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr (20)

More from Ulf Mattsson

More from Ulf Mattsson (20)

Recently uploaded

Recently uploaded (20)

Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr