With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced data privacy and security solutions has become even more critical. French regulators cited GDPR in fining Google $57 million and the U.K.'s Information Commissioner's Office is seeking a $230 million fine against British Airways and seeking $124 million from Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by US regulators.
This session takes a practical approach to guidance and standards from the Federal Financial Institutions Examination Council (FFIEC), the EU GDPR, the California CCPA, the NIST Risk Management Framework, COBIT and the ISO 31000 Risk Management Principles and Guidelines.
Learn how new data privacy and security techniques can help with compliance and data breaches, on-premises, and in public and private clouds.
Slide 3
Ulf Mattsson
• Head of Innovation at TokenEx
• Chief Technology Officer at Protegrity
• Chief Technology Officer at Atlantic BT Security Solutions
• Chief Technology Officer at Compliance Engineering
• Developer at IBM Research and Development
• Inventor of 70+ issued US patents
• Provided products and services for:
  • Benchmarking/Gap-analysis
  • Data Discovery
  • Data Encryption and Tokenization
  • Robotics, ERP, CRM in Manufacturing
  • Cloud Application Security Broker (CASB)
  • Web Application Firewall (WAF)
  • Managed Security Services
  • Security Operation Center (SOC)
Slide 4
Agenda
1. The Breach Epidemic – Financial Industry
• Verizon Data Breach Investigations Report (DBIR) and Ponemon Institute
2. EU General Data Protection Regulation (GDPR)
• GDPR Security Framework
3. California Consumer Privacy Act (CCPA)
• CCPA Redefines Personal Data
4. International Organization for Standardization (ISO)
• ISO Risk Management Principles and Guidelines
• ISO Data Privacy and Security Standard
5. US National Institute of Standards and Technology (NIST)
• NIST Cybersecurity Framework (CSF)
• NIST Security Controls Requirements
6. Information Systems Audit and Control Association (ISACA)
• Control Objectives for Information and Related Technology (COBIT)
• COBIT, ValIT and Risk IT
7. Federal Financial Institutions Examination Council (FFIEC)
• FFIEC Information Technology Examination Handbook (IT Handbook)
8. Payment Card Industry Data Security Standard (PCI DSS)
• PCI DSS version 4.0
9. Deployments on-premises and cloud
Slide 6
The privacy breach trend is alarming
The US Federal Trade Commission (FTC) reported that credit card fraud tops the list of identity theft reports in 2018. The FTC received nearly three million complaints from consumers in 2018. The FTC received more than 167,000 reports from people who said their information was misused on an existing account or to open a new credit card account.
Source: Redhat / IBM
Slide 7
Source: Bitglass, Ponemon, 2019
The cost per breached record within financial services exceeds that of all other industries except healthcare (which was $429). Technology came in third place at $183, while the public sector came in last at $78.
Slide 8
Source: Bitglass, 2019
With global cloud adoption reaching 86% and bring your own device (BYOD) policies finding their way into 85% of organizations, it can be challenging to maintain proper visibility and control over data—particularly when the appropriate cloud and mobile security solutions are not put in place.
Slide 10
Privacy Fines
• British Airways was fined £183 million by the UK ICO for a series of data breaches in 2018, followed by a £99 million fine against the Marriott International hotel chain.
• French data protection regulator CNIL fined Google €50 million in 2019.
• Some companies narrowly avoided a GDPR-scale fine, as their data incident occurred prior to GDPR's implementation date.
• Both Equifax and Facebook received the maximum fine possible - £500,000 - as per the previous Data Protection Act 1998.
• In 2019, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion.
Slide 14
Example of Cross Border Data-centric Security
[Diagram: data sources; data warehouse in Italy; complete policy-enforced de-identification of sensitive data across all bank entities]
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
Slide 16
CCPA Redefines Personal Data
• According to “PI Vs PII: How CCPA Redefines What Is Personal Data”, the CCPA definition “creates the potential for extremely broad legal interpretation around what constitutes personal information, holding that personal information is any data that could be linked with a California individual or household.”
• CCPA states that “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
• This goes well beyond data that is obviously associated with an identity, such as name, birth date, or social security number, which is traditionally regarded as PII.
• It is ultimately this “indirect” information, such as product preference or geolocation data, that is material, since it is much more difficult to identify it and connect it with a person than well-structured personally identifiable information.
Slide 18
GDPR Related to ISO International Standards
• ISO/IEC 27018 – PII in Cloud (Basic Requirements)
• ISO/IEC 27002 – Security Controls
• ISO/IEC 27001 – PII OnPrem
• ISO/IEC 27005 – Risk Management
• ISO/IEC 29134 – Privacy Impact
• ISO/IEC 17789 – Cloud Architecture
• ISO/IEC 29101 – Privacy by Design
• ISO/IEC 29100 – Privacy for Cloud
• ISO/IEC 17788 – Definitions
[Diagram: ISO/IEC 27000 series (ITSEC Management) + PII Processor (Enforcement) + PII Controller (Privacy Rules) + GDPR (Adding Requirements)]
Slide 19
ISO/IEC 27002: Information technology — Security techniques — Code of practice for information security controls
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
Slide 20
ISO/IEC 27001 - PII OnPrem
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
Slide 28
Example – Risk Management Tool
Are your security controls covering all sensitive data?
Are your deployed security controls failing?
Source: innosec.com
Slide 29
NIST SP 800-39 Risk Management
Source: https://csrc.nist.gov/csrc/media/publications/nistir/8170/draft/documents/nistir8170-draft.pdf
NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce. NIST promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
Slide 30
NIST 800-137 Cybersecurity Framework (CSF)
• The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• It is unrecognized outside the USA. It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."
• It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management.
• A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.
• It includes guidance on relevant protections for privacy and civil liberties.
Slide 32
NIST 800-171 Family of Requirements
Source: Corserva
NIST Requirements Family:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
Slide 34
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is a formal U.S. government interagency body that includes five banking regulators: the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".
Source: Wikipedia
Slide 35
Mapping FFIEC to NIST Cybersecurity Framework – Some Examples
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Slide 38
PCI Vs. GDPR: What’s The Difference?
Source: securitymetrics.com
PCI DSS 12 Requirements
Slide 39
Best Practices for Maintaining PCI DSS Compliance
Source: Verizon 2019 Payment Security Report
Slide 40
Compliance Program Performance Evaluation Framework
Source: Verizon 2019 Payment Security Report
• There are no significant concerns about capacity, capability, competence, commitment or communication
• The competence control risk does not exist
• There is uncertainty whether the needed competence exists internally
Slide 42
Defining your data via data discovery and classification
Source: Forrester
Data Security And Control Framework:
1) defining the data
2) dissecting and analyzing the data
3) defending the data
Anonymization is: “A method of de-identification that removes all personally identifiable information from a data set to the extent that makes the possibility of re-identification of the data negligible”
Slide 43
De-identification of data
Source: Forrester
Examples of de-identification techniques
• Interest in technical capabilities for anonymizing data expanded as the GDPR came into force
• With truly anonymized data, data protection authorities no longer consider it personally identifiable information and it falls outside of scope for the regulation
Slide 44
ISO Standard for Encryption and Privacy Models
• Privacy enhancing data de-identification terminology and classification of techniques
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Formal privacy measurement models (PMM):
• Differential Privacy (DP) – server model and local model. Responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator”**. The entity receiving the data is looking to reduce risk.
• K-anonymity model – ensures that for each identifier there is a corresponding equivalence class containing at least K records.
De-identification techniques (DT) – Cryptographic tools (CT):
• Format Preserving Encryption (FPE) – encrypted data has the same format.
• Homomorphic Encryption (HE) – two values encrypted can be combined*.
*: Multi Party Computation (MPC)
**: Example Apple and Google
Slide 45
Positioning of some Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
[Diagram with four panels: Differential Privacy (DP) – clear data passes a cleanser and filter to the curator** and on to a protected DB; Format Preserving Encryption (FPE) – FPE Enc turns clear 123 into protected 897 and FPE Dec restores 123, using a protected key; Homomorphic Encryption (HE) – HE Enc of Clear_D1 and Clear_D2 gives Enc_D1 and Enc_D2, Op(Enc_D1, Enc_D2) runs at an “Untrusted Party*”, HE Dec yields Clear12, with protected keys; k-Anonymity Model – clear data passes a cleanser and filter into a DB]
*: Multi Party Computation (MPC)
**: Example Apple
Slide 46
Example of mapping of data security and privacy techniques (ISO) to different deployment models
Privacy enhancing data de-identification terminology and classification of techniques
Deployment columns: Data Warehouse | Centralized | Distributed | On-premises | Public Cloud | Private Cloud (the column position of each mark was lost in extraction; "y" marks are listed as extracted)
De-identification techniques
• Tokenization: Vault-based tokenization – y y; Vault-less tokenization – y y y y y y
• Cryptographic tools: Format preserving encryption – y y y y y; Homomorphic encryption – y y
• Suppression techniques: Masking – y y y y y y; Hashing – y y y y y y
Formal privacy measurement models
• Differential Privacy: Server model – y y y y y y; Local model – y y y y y y
• K-anonymity model: L-diversity – y y y y y y; T-closeness – y y y y y y
Slide 47
Risk reduction and truthfulness of some de-identification techniques and models
Source: INTERNATIONAL STANDARD ISO/IEC 20889

| Technique name | Data truthfulness at record level | Applicable to types of attributes | Reduces the risk of: Singling out | Reduces the risk of: Linking | Reduces the risk of: Inference |
|---|---|---|---|---|---|
| Cryptographic tools: Deterministic encryption | Yes | All attributes | No | Partially | No |
| Cryptographic tools: Order-preserving encryption | Yes | All attributes | No | Partially | No |
| Cryptographic tools: Homomorphic encryption | Yes | All attributes | No | No | No |
| Suppression: Masking | Yes | Local identifiers | Yes | Partially | No |
| Suppression: Local suppression | Yes | Identifying attributes | Partially | Partially | Partially |
| Suppression: Record suppression | Yes | | | | |
| Suppression: Sampling | Yes | N/A | Partially | Partially | Partially |
| Pseudonymization | Yes | Direct identifiers | No | Partially | No |
| Generalization: Generalization | Yes | Identifying attributes | | | |
| Generalization: Rounding | Yes | Identifying attributes | No | Partially | Partially |
| Generalization: Top/bottom coding | Yes | Identifying attributes | No | Partially | Partially |
| Noise addition | No | Identifying attributes | Partially | Partially | Partially |
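An added example (not from the presentation or from ISO/IEC 20889) showing the k-anonymity model of slides 44 and 47 in Python: records are grouped into equivalence classes on their quasi-identifiers, and generalization (ZIP truncation and age bucketing, which the table above lists as truthful at record level) is applied step by step until every class holds at least K records. The data set, the choice of quasi-identifiers and the generalization hierarchy are constructed for illustration.

```python
from collections import Counter

# Constructed sample records; the quasi-identifiers are the attributes an
# outside data set could be joined on (the "linking" risk in the table above).
QUASI_IDENTIFIERS = ("zip", "age", "sex")
RECORDS = [
    {"zip": "30301", "age": 34, "sex": "F", "diagnosis": "flu"},
    {"zip": "30302", "age": 36, "sex": "F", "diagnosis": "asthma"},
    {"zip": "30305", "age": 31, "sex": "F", "diagnosis": "flu"},
    {"zip": "30311", "age": 52, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "30312", "age": 58, "sex": "M", "diagnosis": "flu"},
    {"zip": "30319", "age": 55, "sex": "M", "diagnosis": "asthma"},
]


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count the records that share identical quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_of(records, quasi_ids=QUASI_IDENTIFIERS):
    """The k for which the data set is k-anonymous: the size of the smallest
    equivalence class, since every class must hold at least k records."""
    return min(equivalence_classes(records, quasi_ids).values())


def generalize(record, zip_digits=3, age_bucket=10):
    """Generalization keeps values truthful but coarser: the ZIP code is
    truncated to zip_digits and the age is replaced by its bucket, so more
    records collapse into the same equivalence class."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    lo = (record["age"] // age_bucket) * age_bucket
    out["age"] = f"{lo}-{lo + age_bucket - 1}"
    return out


def make_k_anonymous(records, k, zip_steps=(5, 4, 3, 2, 1, 0), age_bucket=10):
    """Coarsen ZIP codes one digit at a time until every class has >= k
    records. Returns (generalized records, ZIP digits kept). Raises when the
    hierarchy is exhausted, i.e. these quasi-identifiers cannot reach k
    without further generalization or record suppression."""
    for digits in zip_steps:
        generalized = [generalize(r, digits, age_bucket) for r in records]
        if k_of(generalized) >= k:
            return generalized, digits
    raise ValueError(f"cannot reach k={k} with this generalization hierarchy")


if __name__ == "__main__":
    print("raw k:", k_of(RECORDS))
    anon, digits = make_k_anonymous(RECORDS, 3)
    print(f"k=3 reached keeping {digits} ZIP digits:", anon[0])
```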
Slide 48
Example of 29 Vendors Providing Different Data Protection Options
Source: Forrester
[Table: vendors grouped by number of employees (72000 to 350000, 600 to 5600, 14000 to 15000, 3 to 15, 20 to 30, 50 to 93, 104 to 500) against De-identification, Data in-use protection, Application-level encryption, Data at-rest encryption and Data masking; cell values not recoverable]
Slide 49
Example of 21 Smaller Vendors Innovating in Data Protection (Patent Applications)
Source: Forrester, USPTO
[Table: vendors grouped by number of employees (3 to 25, 30 to 95, 104 to 180) against Data in-use protection, De-identification, App level encryption, Data at rest encryption, Data masking, Format Preserving Encryption, # Patent Applications and Innovative Patent Applications; per-vendor counts not attributable to rows]
Slide 51
Example of a Payment Application
[Diagram: User, Payment Application, Payment Network, Tokens; User, Call Center Application; Tokenization (VBT), encryption and keys]
A Gateway can work in the background, enabling an organization to keep existing business operations with few modifications.
Tokenization is turning sensitive data into non-sensitive data called "tokens" that can be used in a database or internal system without bringing it into scope.
BROWSER: Browser-Based Encryption with iFrames
MOBILE: Native Applications or Web-Based Applications
Private Cloud (example - Armor.com) can provide security and compliance benefits by mapping security controls to PCI compliance mandates, which reduces regulatory scope, simplifying the auditing process and lowering management costs.
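An added example, not TokenEx's or the presentation's code, of the vault-based tokenization (VBT) described on this slide in Python: a PAN is replaced by a random token of the same length that keeps the last four digits, so it fits the existing database fields, and only the vault can map the token back. The in-memory vault, the PAN length check and the keep-last-four format rule are assumptions made for the example.

```python
import secrets


class TokenVault:
    """Vault-based tokenization: the only place a token can be mapped back to
    the card number. An in-memory dict stands in for the vault here."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, reusing it on repeat so the token can
        still serve as a join key in systems that never see the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = random_token(pan)
            # Retry on the unlikely collision with an issued token, and never
            # let the random digits reproduce the real card number.
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Vault lookup: this path stays in PCI DSS scope, so only card-handling
        callers (the gateway on the slide) should be allowed to reach it."""
        return self._token_to_pan[token]


def random_token(pan: str) -> str:
    """Format-preserving token: digits only, same length as the PAN, last four
    digits kept (assumed rule) so a call-center agent can confirm a card."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
    return body + pan[-4:]


def token_has_pan_format(token: str, pan: str) -> bool:
    """The property downstream databases rely on: the token fits wherever the
    PAN did, without schema changes."""
    return token.isdigit() and len(token) == len(pan) and token[-4:] == pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")  # constructed test PAN
    print(tok, vault.detokenize(tok))
```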
Slide 52
Cloud transformations are accelerating
[Chart: Risk Adjusted Computation. Axes: Risk (Low – High), Elasticity, In-house – Out-sourced, Compute Cost (High – Low). Points: On-premises system, On-premises Private Cloud, Hosted Private Cloud, Public Cloud]
Slide 54
How Should I Secure Different Types of Data?
[Diagram: Type of Data (Structured / Un-structured) against Use Case (Simple – Complex). Data types: PCI – Card Holder Data; PHI – Protected Health Information; PII – Personally Identifiable Information. Controls: Tokenization of Fields; Encryption of Files]
Slide 55
Total Cost and Risk of Tokenization in Cloud vs On-prem
On Premise tokenization
• Limited PCI DSS scope reduction – must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Source: TokenEx
Slide 56
Which of the following most closely describes what ‘hybrid cloud’ means in your organization?
Source: Forrester
Slide 57
For each of the following data center and IT infrastructure components, how much outsourcing and managed services does your firm use for IT operation? (excluding systems integrators for project implementation)
Source: Forrester
Slide 59
References:
1. California Consumer Privacy Act, OCT 4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
2. CIS Controls V7.1 Mapping to NIST CSF, https://dataprivacylab.org/projects/identifiability/paper1.pdf
3. GDPR and Tokenizing Data, https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx
4. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf
5. General Data Protection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
6. IBM Framework Helps Clients Prepare for the EU's General Data Protection Regulation, https://ibmsystemsmag.com/IBM-Z/03/2018/ibm-framework-gdpr
7. INTERNATIONAL STANDARD ISO/IEC 20889, https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI-k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE
8. INTERNATIONAL STANDARD ISO/IEC 27018, https://webstore.ansi.org/Standards/ISO/ISOIEC270182019?gclid=EAIaIQobChMIleWM6MLd5gIVFKSzCh3k2AxKEAAYASAAEgKbHvD_BwE
9. ISO/TS 25237:2008(E), Health Informatics—Pseudonymization, https://www.sis.se/api/document/preview/911119/
10. NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT, https://www.nist.gov/system/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf
11. NIST Releases Evaluation of Cloud Computing Services Based on NIST SP 800-145 (NIST SP 500-322), February 23, 2018, https://www.nist.gov/news-events/news/2018/02/nist-releases-evaluation-cloud-computing-services-based-nist-sp-800-145
12. NIST Special Publication 800-53, https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
13. NISTIR 8053, De-Identification of Personal Information, https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
14. Tokenization Product Security Guidelines, Version 1.0, April 2015, PCI Security Standards Council, https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf?agreement=true&time=1570880509645
15. Trust the IAPP for actionable information on the California Consumer Privacy Act, https://iapp.org/l/ccpaga/?gclid=EAIaIQobChMI-cnYtffG5QIVIueGCh09Cw56EAAYBCAAEgIEp_D_BwE
16. Data Security: On Premise or in the Cloud, ISSA Journal, December 2019