apidays LIVE London 2021 - Reaching Maximum Potential in Banking & Insurance with API Mindset October 27 & 28, 2021 API Security Managing API privacy and compliance at the source: Securing PII at runtime Rob Dickinson, CTO & Co-founder of Resurface Labs Inc

1. Managing API privacy and
compliance at the source
Securing PII
at Runtime

2. 2
Hello!
I am Rob Dickinson
CTO at Resurface Labs
@robfromboulder rob@resurface.io

3. The challenge
Anti-patterns
Strategies
Data Architecture
Agenda

4. API monitoring is the key to better APIs
4
Perimeter
Whack-a-Mole
Stronger API
Services
…but this requires working with PII

5. New York
JULY
Australia
SEPTEMBER
Singapore
APRIL
Helsinki & North
MARCH
Paris
DECEMBER
London
OCTOBER
Jakarta
FEBRUARY
Hong Kong
AUGUST
JUNE
India
MAY
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees,
300k+ online community
Want to talk at one of our conferences?
Apply to speak here

6. Common emotions and attitudes regarding PII
5

7. Breaches by the numbers
• Breaches due to malicious attack: 52%
• Breaches due to system/human failures: 48%
• Breaches with customer PII: 80%
• Average time to identify and contain a breach: 280 days
• Average time to detect and contain a breach caused by a malicious attack: 315 days
• Average savings of containing a breach in less than 200 days: $1.12 million
-- 2020 Cost of Data Breach Report, the Ponemon Institute
6

8. Insecure handling of PII is getting expensive
7

9. 💣 Challenges to securing PII at runtime
• Tightening regulations
• Rapid rate of change
• Expanding definitions of PII
• So many vendors/platforms
• Inability to change apps or
databases in many cases
• Many different techniques for
security and privacy protection
8
• No “easy button”
• High cost of compliance
• Security by default?
• Legit data sharing
• Implementing revocation
• Handling zero-day failures/attacks
• Getting developer attention 😬

10. 9

11. 💥 Anti-patterns for PII security and user privacy
• “No PII here” strategy
• “All data is PII” strategy
• Impossible approval process
• “God mode” administrators
• Failing to get user consent
• Undisclosed 3rd party transfers
10
• The honeypot database
• Overly destructive transforms
• One-time masking (on write)
• Perimeter security will be enough
• Just encrypt at disk/volume level
• Production-only configurations

12. 11

13. 🚀 Strategies for securing PII at runtime
• People are the weakest link
• Optimize for number of
conspirators required
• Enforce narrowest group-level and
user-level permissions at runtime
• Regularly audit permissions
12
• Data needs to be siloed, and
microservices are great for this!
• Optimize for number of silos that
must be breached
• Keep data close to source 😀
• Expire data automatically 😍
• Monitor PII transfer 🤩
• Virtualize access to master data
records through query layer 🤩
FOR PEOPLE FOR TECH

14. Virtualized data access with Trino and Resurface
13
• Trino for distributed queries
• Resurface for API system of record
• Column selection, row selection,
tokenizing, masking, sampling and
map/reduce through views
• User and group-level GRANTs
• Views can inherit from other views
• Views apply retroactively
• No changes to existing databases

15. Monitoring PII leaks with Resurface
14

16. Security is necessary for new & creative uses of PII
15

17. 16
Thank you!
Any Questions?
You can reach me after this talk:
@robfromboulder rob@resurface.io

18. New York
JULY
Australia
SEPTEMBER
Singapore
APRIL
Helsinki & North
MARCH
Paris
DECEMBER
London
OCTOBER
Jakarta
FEBRUARY
Hong Kong
AUGUST
JUNE
India
MAY
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees,
300k+ online community
Want to talk at one of our conferences?
Apply to speak here