apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Detecting and Protecting PII at Runtime
Rob Dickinson, Co-Founder & CEO at Resurface Labs
4. API monitoring is the key to better APIs
Perimeter
Whack-a-Mole
Stronger API Services
…but this requires working with PII
5. New York (July)
Australia (September)
Singapore (April)
Helsinki & North (March)
Paris (December)
London (October)
Jakarta (February)
Hong Kong (August)
June
India (May)
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community
Want to talk at one of our conferences?
Apply to speak here
8. 💣 Challenges to detecting & securing PII
• Tightening regulations
• Rapid rate of change
• Expanding definitions of PII
• So many vendors/platforms
• Inability to change apps or databases in many cases
• Many different techniques for security and privacy protection
• No “easy button”
• High cost of compliance
• Security by default?
• Legit data sharing
• Implementing revocation
• Handling zero-day failures/attacks
• Getting developer attention 😬
9. 💥 Anti-patterns for PII security and user privacy
• “No PII here” strategy
• “All data is PII” strategy
• Impossible approval process
• “God mode” administrators
• Failing to get user consent
• Undisclosed 3rd party transfers
• The honeypot database
• Overly destructive transforms
• One-time masking (on write)
• Perimeter security will be enough
• Just encrypt at disk/volume level
• Production-only configurations (non-repeatable processes)
11. 🚀 Strategies for discovering/securing PII at runtime
FOR PEOPLE
• People are the weakest link
• Optimize for number of conspirators required
• Enforce narrowest group-level and user-level permissions at runtime
• Regularly audit databases and permissions
FOR TECH
• Data needs to be siloed, and microservices are great for this!
• Optimize for number of silos that must be breached
• Keep data close to source 😀
• Expire data automatically 😍
• Monitor PII transfer 🤩
• Virtualize access to master data records through query layer 🥳
13. Query data in place with Trino
What kinds of data sources?
Accumulo, BigQuery, Cassandra, ClickHouse, Druid, Elastic, Iceberg, Hive, Kafka, Kinesis, Kudu, Mongo, MySQL, Oracle, Phoenix, Pinot, PostgreSQL, Prometheus, Redis, SQL Server
…and of course Resurface
14. Virtualized data access with Trino and Resurface
• Trino for distributed queries
• Resurface for API system of record
• Column selection, row selection, tokenizing, masking, sampling and map/reduce through views
• User and group-level GRANTs
• Views can inherit from other views
• Views apply retroactively
• No changes to existing databases
15. 🚀 Separation between physical & virtual access
Physical schemas – CREATE TABLE
• Raw data records
• Persistent storage
• System specific
• Difficult to change
• Two-person rule for admins 🤩
Virtual schemas – CREATE VIEW
• Specific columns, rows
• In-memory computation
• Audience specific 🥳
• Easy to change (retroactively)
• Single-user access w/log
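As an added example, not from the talk or from Resurface's own schema: Trino SQL that sketches the physical/virtual separation of slides 14 and 15, with column selection, tokenizing, masking, row selection, sampling, view inheritance and group-level GRANTs. The table `raw.api_calls`, its columns, the schema names and the roles are assumptions, and sha256 tokenizing stands in for whatever Resurface actually uses.

```sql
-- Physical schema: raw API records, persistent, system specific and
-- hard to change; only admins under a two-person rule should touch it.
-- Table, column, schema and role names here are assumptions.
CREATE TABLE raw.api_calls (
  request_id  VARCHAR,
  ts          TIMESTAMP(3),
  user_email  VARCHAR,   -- PII
  client_ip   VARCHAR,   -- PII
  auth_header VARCHAR,   -- credential; must never leave this table
  method      VARCHAR,
  url         VARCHAR,
  status_code INTEGER
);

-- Virtual schema for the support audience, computed in memory on read:
--   column selection : auth_header is simply not selected
--   tokenizing       : user_email -> stable hash, so calls can still be
--                      grouped per user (a keyed hmac_sha256 resists
--                      dictionary guessing of common addresses better
--                      than plain sha256)
--   masking          : client_ip reduced to its /24, query tokens hidden
--   row selection    : last 30 days only
-- SECURITY DEFINER: readers of the view need no grant on raw.api_calls.
CREATE VIEW support.api_calls_recent SECURITY DEFINER AS
SELECT
  request_id,
  ts,
  to_hex(sha256(to_utf8(user_email)))             AS user_token,
  regexp_replace(client_ip, '\.\d+$', '.0')       AS client_net,
  method,
  regexp_replace(url, 'token=[^&]*', 'token=***') AS url,
  status_code
FROM raw.api_calls
WHERE ts >= date_add('day', -30, current_date);

-- Views inherit from views: analytics gets the support view further
-- reduced (no request_id, 10% Bernoulli sample) and aggregated. Editing
-- the parent view changes this child retroactively; the table is untouched.
CREATE VIEW analytics.error_rates SECURITY DEFINER AS
SELECT date_trunc('day', ts) AS day, method, status_code, count(*) AS calls
FROM support.api_calls_recent TABLESAMPLE BERNOULLI (10)
GROUP BY 1, 2, 3;

-- Group-level GRANTs: each audience can read only its own view, and
-- nobody but the admin role reads raw.api_calls directly.
GRANT SELECT ON support.api_calls_recent TO ROLE support_engineers;
GRANT SELECT ON analytics.error_rates TO ROLE analysts;
```

Because both views are SECURITY DEFINER, a reader who can SELECT from `analytics.error_rates` still cannot query `support.api_calls_recent` or the physical table, so each audience is confined to the columns and rows its own view exposes.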
17. Continuous API intelligence with Resurface
• Purpose built for API monitoring & OWASP top 10
• Security and quality checks for REST and GraphQL
• Capture API calls from network, gateway or microservice
• Native alerting for Slack and Teams
• Built on Trino