An important part of RSAC 2020 focused on Business-Critical Application Security, and we're seeing a transformational shift in technology. The enterprise architecture we used to know is changing. Cloud application development is accelerating and diversifying: many organizations now run virtual machines, containers, and serverless applications in the cloud, transforming code into infrastructure. Microservices make a lot of sense for scale and development agility, but if everything is talking to everything else via APIs, it’s likely that there are many (and I mean many) application vulnerabilities. Additionally, API security is new, so processes are likely immature, and API security sits somewhere between application developers, DevOps, and cybersecurity, leading to organizational and skills challenges. We will organize this chaos from RSAC and discuss Security in The API Ecosystem.
Security is morphing to a hybrid model for distributed policy enforcement across cloud-based environments. At the same time, organizations want central policy management for the whole environment.
You will learn more about what I found interesting at RSAC:
1. “Emerging Privacy Issues”
2. “The Human Factor”
3. “Cloud Security”
4. “Advancements in Machine Learning”
5. “Security in App Development”
6. “Trends from the Innovation Sandbox”
7. “New Standards and Regulations”
8. “Security for The API Economy”
3. Ulf Mattsson
• Head of Innovation at TokenEx
• Chief Technology Officer at Protegrity
• Chief Technology Officer at Atlantic BT Security Solutions
• Chief Technology Officer at Compliance Engineering
• Developer at IBM Research and Development
• Inventor of 70+ issued US patents
• Provided products and services for
• Application Development,
• Robotics, ERP, CRM and Web Apps,
• Data Encryption and Tokenization,
• Data Discovery,
• Cloud Application Security Broker (CASB),
• Web Application Firewall (WAF),
• Managed Security Services,
• Security Operation Center (SOC),
• Benchmarking/Gap-analysis
4. RSAC USA 2020:
1. An important part of RSAC 2020 focused on Business-Critical Application Security, and we're seeing a transformational shift in technology.
2. The enterprise architecture we used to know is changing.
3. Cloud application development is accelerating and diversifying: many organizations now run virtual machines, containers, and serverless applications in the cloud, transforming code into infrastructure.
4. Microservices make a lot of sense for scale and development agility, but if everything is talking to everything else via APIs, it’s likely that there are many (and I mean many) application vulnerabilities.
5. API security is new, so processes are likely immature, and API security sits somewhere between application developers, DevOps, and cybersecurity, leading to organizational and skills challenges.
6. We will organize this chaos from RSAC and discuss Security in The API Ecosystem.
7. Security is morphing to a hybrid model for distributed policy enforcement across cloud-based environments.
www.TokenEx.com
5. Interesting at RSAC USA 2020:
1. Emerging Privacy Issues
2. The Human Factor
3. Advancements in Machine Learning
4. Security in App Development
5. Trends from the Innovation Sandbox
6. New Standards and Regulations
7. Security for The API Economy
8. CSA Summit at RSA Conference 2020
9. Voting Security at RSA Conference 2020
12. The Difference Between Artificial Intelligence and Machine Learning
• Artificial Intelligence describes the ability of machines to perform tasks that are typically associated with human activity and intelligence: reasoning, learning, natural language processing, perception, etc. Any “smart” activity performed by a machine falls under AI.
• Artificial Intelligence is the capability of a machine to imitate intelligent human behavior.
• Machine Learning is a subset of AI.
• ML is a set of algorithms that are built to achieve AI: those algorithms require the ability to learn from data, modify themselves when exposed to more data, and are able to achieve a goal without being explicitly programmed.
Source: BigID and Groundlabs
16. DevOps & Security Day:
Last year was a turning point for DevSecOps Days at RSA Conference, with over 800 practitioners engaging in the day-long Monday event.
This year, the focus will be on how practitioners are handling the transformation to DevSecOps within their company, the types of problems they are surfacing which impede their progress, and how they are getting buy-in from all levels of the company.
18. Security Tools for DevOps
• Static Application Security Testing (SAST) examines all code, or runtime binaries (less effective for microservices).
• Fuzz testing is essentially throwing lots of random garbage at applications and seeing whether any particular (type of) garbage causes errors.
• Vulnerability analysis, including platform configuration, patch levels or application composition, to detect known vulnerabilities.
• Runtime Application Self-Protection (RASP) provides execution path scanning, monitoring and embedded application whitelisting (effective for microservices).
• Interactive Application Security Testing (IAST) instruments the running application while functional tests exercise it, observing execution paths and data flows from the inside and reporting vulnerabilities with code-level context (emerging).
Source: Securosis, Webomates
Regression testing enhances the visibility on your build quality before putting it in production.
Examples: full regressions, overnight targeted checks and smoke checks, executed with manual testing, automation, crowdsourcing and artificial intelligence, allow a software development team to quickly validate their UI and API as well as load test it.
19. DevOps - Security for APIs and Microservices
Source: Securosis
Old: larger monolithic apps that contain more context. SAST works well.
Trend: test/scan API flows, context, parameter input/output. DAST works better. Shift right.
Trend: IAST is emerging.
21. Trends from the Innovation Sandbox:
- 6 vendors addressing app sec
26. #3 Self-Sovereign Identity (SSI)
[Figure: YOU, CONNECTION, PEER, on top of a DISTRIBUTED LEDGER (BLOCKCHAIN)]
Source: Sovrin.org
The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow every public key to have its own address, which is called a decentralized identifier (DID).
27. Emerging De Jure Standards for SSI
• Verifiable Credentials
• DID Auth
• DKMS (Decentralized Key Management System)
• DID (Decentralized Identifier)
Source: Sovrin.org
28. • Privacy enhancing data de-identification terminology and classification of techniques
Source: INTERNATIONAL STANDARD ISO/IEC 20889
ISO Standard for Encryption and Privacy Models
• Cryptographic tools (CT)
  • Format Preserving Encryption (FPE): encrypted data has the same format.
  • Homomorphic Encryption (HE): two values encrypted can be combined*.
• Formal privacy measurement models (PMM)
  • Differential Privacy (DP), in a server model or a local model. Server model: responses to queries are only able to be obtained through a software component or “middleware”, known as the “curator”**. Local model: the entity receiving the data is looking to reduce risk.
  • K-anonymity model: ensures that for each identifier there is a corresponding equivalence class containing at least K records.
• De-identification techniques (DT)
*: Multi Party Computation (MPC)
**: Example Apple and Google
30. Example of mapping of data security and privacy techniques (ISO) to different deployment models
Privacy enhancing data de-identification terminology and classification of techniques
Deployment models (the table's columns): Data Warehouse (Centralized, Distributed), On-premises, Public Cloud, Private Cloud
De-identification techniques
• Tokenization: Vault-based tokenization (marked for two of the deployment models), Vault-less tokenization (marked for all)
• Cryptographic tools: Format preserving encryption (marked for all but one), Homomorphic encryption (marked for two)
• Suppression techniques: Masking (marked for all), Hashing (marked for all)
Formal privacy measurement models
• Differential Privacy: Server model (marked for all), Local model (marked for all)
• K-anonymity model: L-diversity (marked for all), T-closeness (marked for all)
32. Security for Microservices
Source: Gartner
Coding security directly into APIs has the following disadvantages:
■ Violates separation of duties.
■ Makes code more complex and fragile.
■ Adds extra maintenance burden.
■ Is unlikely to cover all aspects that are required in a full API security policy.
■ Not reusable.
■ Not visible to security teams.
33. Products Delivering API Security
Source: Gartner
Apply policies to APIs (for example, using an API gateway) but avoid situations where each API has a unique security policy. Instead, leverage a reusable set of policies that are applied to APIs based on their categorization. Abstract any specific API characteristics (such as URL path) from the policies themselves.
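The Gartner guidance on the two slides above (enforce at a gateway, reuse a small policy set keyed by API category, keep URL paths out of the policies), as an added example that is neither Gartner's nor the presenter's code: a minimal gateway decision function in Node.js. The policy table, the route catalog, the scope names and the requests are constructed for illustration, and the gateway's authentication filter is assumed to have already validated the caller's credential and populated `request.principal` with its type (`jwt` or `mtls`), an id and its scopes. Path matching lives only in the catalog; the policies never mention a path, which is exactly what lets one policy serve every API in a category.

```javascript
// Added example (not Gartner's or the presenter's code): category-based API
// policy enforcement at a gateway. Policies, catalog and requests are constructed.

// Reusable policies, one per API category. No URL path appears here.
const POLICIES = {
  public:   { auth: 'none', methods: ['GET'],                         rateLimitPerMin: 60 },
  partner:  { auth: 'jwt',  methods: ['GET', 'POST'],                 rateLimitPerMin: 600, scopes: ['orders:read'] },
  internal: { auth: 'mtls', methods: ['GET', 'POST', 'PUT', 'DELETE'], rateLimitPerMin: 6000 },
};

// The catalog is the only place that knows about paths: it maps each route to a category.
const CATALOG = [
  { pattern: /^\/v1\/catalog(\/|$)/, category: 'public' },
  { pattern: /^\/v1\/orders(\/|$)/,  category: 'partner' },
  { pattern: /^\/internal\//,        category: 'internal' },
];

function classify(path) {
  const hit = CATALOG.find(e => e.pattern.test(path));
  return hit ? hit.category : null; // uncatalogued routes are denied below
}

// Fixed-window counter per (client, category). `now` is injected so windows are testable.
function makeRateLimiter() {
  const counters = new Map();
  return (clientId, category, limit, now) => {
    const key = `${clientId}|${category}|${Math.floor(now / 60000)}`;
    const n = (counters.get(key) || 0) + 1;
    counters.set(key, n);
    return n <= limit;
  };
}

// Returns a decide(request, now) function. request: { method, path, clientIp, principal? }
// where principal (set by the assumed upstream auth filter) is { type, id, scopes }.
function makeGateway() {
  const withinLimit = makeRateLimiter();
  return function decide(req, now = Date.now()) {
    const category = classify(req.path);
    if (!category) return { allow: false, reason: 'uncatalogued route' }; // default deny
    const policy = POLICIES[category];
    if (!policy.methods.includes(req.method)) return { allow: false, reason: 'method not allowed' };
    const principal = req.principal || { type: 'none', scopes: [] };
    if (policy.auth !== 'none' && principal.type !== policy.auth) {
      return { allow: false, reason: `requires ${policy.auth}` };
    }
    const missing = (policy.scopes || []).filter(s => !(principal.scopes || []).includes(s));
    if (missing.length) return { allow: false, reason: `missing scope ${missing.join(',')}` };
    const clientId = principal.id || req.clientIp; // anonymous clients are keyed by address
    if (!withinLimit(clientId, category, policy.rateLimitPerMin, now)) {
      return { allow: false, reason: 'rate limited' };
    }
    return { allow: true, category };
  };
}
```

Adding a new order-related endpoint means one catalog line, not a new policy, and tightening the partner policy (say, adding a scope) changes every partner API at once and is visible to the security team in one table, which is the reuse and visibility argument from the slide.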
34. Total Cost and Risk of Tokenization in Cloud vs On-prem
On-premises tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in the environment
• Associated personnel and hardware costs
Cloud-based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance