Rethinking the Enterprise Perimeter | SnowFROC Presentation

How is your enterprise software company handling sensitive data? IronCore CEO Patrick Walsh's presentation, which you can watch here (https://www.youtube.com/watch?v=LNAC2R39HFA), challenges common assumptions about the traditional perimeter and proposes a new data privacy mindset and solution.

  1. Rethinking the Enterprise Perimeter. Patrick Walsh, March 5, 2020
  2. @zmre Patrick Walsh, CEO, IronCore Labs. 20 years in threat research, cryptography, software architecture, and enterprise cloud applications.
  3. Classic Security Spend vs. Modern Security Needs: 74% vs. 13%, roughly 5x more. Source: Gartner 2019 InfoSec Spending
  4. Total InfoSec product spend $53.22 billion (Source: Gartner 2019 InfoSec Spending): Infrastructure Protection 29%, Network Security 25%, Identity 20%, Integrated Risk Mgmt 9%, Data Security 7%, Application Security 6%, Cloud Security 0.9%, Other 4%. IAM + Infrastructure Protection + NetSec: $39.24 billion (74%). AppSec + CloudSec + DataSec: $6.99 billion (13%). Why?
  5. Open Web Application Security Project. Organizational firewall? Devs | Security Pros
  6. Who here works in the Security or IT organization in their company?
  7. Who here works in the Engineering or Product Dev organization in their company?
  8. Teams Invest Where They Have Control. IT responsibility: Infrastructure Security, Network Security, Risk Management, Identity Security. Engineering responsibility: App Security, Data Security, Cloud Security.
  9. Significant New Privacy Laws Since 2017: substantially new or expanded data privacy laws passed or put in effect in 2017, 2018, or 2019. Source: DLA Piper / dlapiperdataprotection.com
  10. Bad Behavior => Regulation. "By 2023, 65% of the world's population will have its personal information covered under modern privacy regulations, up from 10% today." (Gartner) PII is now toxic.
  11. How do we protect PII?
  12-17. Control Granularity Evolution: Perimeter → DMZ → VLANs → Endpoints → ? We keep shrinking our focus: net to subnet to VLAN to device. Next up: Data. It is flowing in and out of the perimeter, and it is not controlled the way devices are. Data →
  18. In a Cloud World, PII Proliferates. (Diagram: data leaves on prem for Partner 1 and Partner 2, and flows onward to their own downstream parties 1a, 1b, 1c.)
  19. Where is the data? (Same diagram, on prem highlighted.)
  20-21. PGP Web of Trust. (Diagram: Ingo (myself) has direct trust in friends Eva and Axel, and only indirect trust in strangers Manuel, Susi, and Manfred, reached through the friends' signatures.) By Kku - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=80652637
  22-25. Options for handling sensitive data: 1. Don't share: use that network security investment to best effect. 2. Hope for the best: wait and see how the new laws shake out. 3. Privacy preserving techniques: disassociate, deidentify, tokenize, etc. 4. Encryption patterns: use encryption to manage and track access.
  26. Rest of presentation: tactical approaches to PII. Privacy preserving techniques: 4 approaches. Encryption patterns: 4 approaches.
  27. Separate Out Names (1/4)
        Name          Account Balance
      1 John Smith    $5,000
      2 Pam Jones     $123,000
      3 Jeff Bezos    $126,000,000,000
      4 Alice Walker  $1,201,532
  28. Separate Out Names (1/4). The Name column is removed to an isolated lookup table, leaving only the balances ($5,000; $123,000; $126,000,000,000; $1,201,532). But can you guess which one is Bezos?
  29. Tokenize or Pseudonymize (2/4). Same problem, but now there is separate access control on the tokenized data.
        Name  Account Balance
      1 a1    $5,000
      2 b3    $123,000
      3 c8    $126,000,000,000
      4 d2    $1,201,532
  30. k-anonymize (3/4). Make sure at least k people have identical rows; typically done with bucketing. But be careful this doesn't join to other data. The original table (names and exact balances) becomes, with 2-anonymity:
        Name  Account Balance
      1 *     $0 - $150,000
      2 *     $0 - $150,000
      3 *     $1,000,000 - ∞
      4 *     $1,000,000 - ∞
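As an added example that is not code from the deck, here are slides 27-30 in Go: tokenization with the lookup table kept as a separate vault, then bucketing with an explicit k-anonymity check. Tokenization protects the Name column but leaves the outlier balance exactly as identifying as before (the slide's "can you guess which one is Bezos?"), which is why the check on the smallest equivalence class matters. The bucket boundaries ($150,000, $1,000,000, and a finer $10,000,000 split) and the 8-byte random tokens are assumptions for the example; the table data is the slide's.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Row is one line of the slide's account table (constructed from slide 27).
type Row struct {
	Name    string
	Balance int64
}

func sampleRows() []Row {
	return []Row{
		{"John Smith", 5_000},
		{"Pam Jones", 123_000},
		{"Jeff Bezos", 126_000_000_000},
		{"Alice Walker", 1_201_532},
	}
}

// Vault is the isolated lookup table (token -> real name). It belongs in a separate
// store with its own access control; the tokenized table stays unlinkable only as
// long as the vault is out of reach.
type Vault map[string]string

// Tokenize swaps every name for a random token. Random tokens (rather than a hash of
// the name) leak nothing on their own, even to someone who can guess the names.
func Tokenize(rows []Row) ([]Row, Vault, error) {
	vault := Vault{}
	out := make([]Row, len(rows))
	for i, r := range rows {
		b := make([]byte, 8) // token length is an assumption for the example
		if _, err := rand.Read(b); err != nil {
			return nil, nil, err
		}
		tok := hex.EncodeToString(b)
		vault[tok] = r.Name
		out[i] = Row{Name: tok, Balance: r.Balance}
	}
	return out, vault, nil
}

// AnonRow is a k-anonymized row: name suppressed, balance generalized to a range.
type AnonRow struct {
	Name  string
	Range string
}

// bucket generalizes a balance to a range label; bounds are the bucket upper edges.
func bucket(balance int64, bounds []int64) string {
	lo := int64(0)
	for _, hi := range bounds {
		if balance < hi {
			return fmt.Sprintf("$%d - $%d", lo, hi)
		}
		lo = hi
	}
	return fmt.Sprintf("$%d - inf", lo)
}

// KAnonymize suppresses the name and buckets the balance (the quasi-identifier).
func KAnonymize(rows []Row, bounds []int64) []AnonRow {
	out := make([]AnonRow, len(rows))
	for i, r := range rows {
		out[i] = AnonRow{Name: "*", Range: bucket(r.Balance, bounds)}
	}
	return out
}

// SmallestClass is the size of the smallest group of rows sharing the same range.
// k-anonymity holds exactly when this is at least k; a class of size 1 is a single
// person with a label on them.
func SmallestClass(rows []AnonRow) int {
	counts := map[string]int{}
	for _, r := range rows {
		counts[r.Range]++
	}
	smallest := 0
	for _, n := range counts {
		if smallest == 0 || n < smallest {
			smallest = n
		}
	}
	return smallest
}

func IsKAnonymous(rows []AnonRow, k int) bool {
	return len(rows) > 0 && SmallestClass(rows) >= k
}

func main() {
	rows := sampleRows()
	tok, vault, _ := Tokenize(rows)
	fmt.Println(tok[2], "->", vault[tok[2].Name]) // the token says nothing; the vault does
	coarse := KAnonymize(rows, []int64{150_000, 1_000_000})
	fine := KAnonymize(rows, []int64{150_000, 1_000_000, 10_000_000})
	fmt.Println("coarse buckets 2-anonymous:", IsKAnonymous(coarse, 2))
	fmt.Println("fine buckets 2-anonymous:", IsKAnonymous(fine, 2)) // one person above $10M
}
```

The finer bucketing looks more useful to analysts but fails the check: the top bucket holds one row, so the "anonymized" table still points at one person. Run the check after every change to the buckets, and remember that it says nothing about joins against outside data, which is the slide's second warning.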
  31. Differential Privacy (4/4). Random values mixed in. Aggregate values are approximately correct. Hard to say for sure if any one person has App2.
        App1  App2  App3
      1  1     1     0
      2  0     1     1
      3  0     0     0
      4  0     1     0
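The slide's "random values mixed in" is, in its simplest form, randomized response, which is the example added here (not code from the deck): each user answers "do you have App2?" truthfully with probability p and otherwise flips a fair coin. Any single 1 in the table may be the coin, so no individual row proves anything, yet the count of 1s has a known expectation (T·p + n·(1-p)/2) that can be inverted to an unbiased estimate of how many users really have the app. The population size, true fraction, p = 0.5, and the fixed seed are assumptions for the simulation.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Randomize is the randomized-response mechanism: with probability p the user
// reports the truth, otherwise a fair coin. Run on the user's side, it is a form of
// local differential privacy; the collector never sees the true bit.
func Randomize(truth bool, p float64, rng *rand.Rand) bool {
	if rng.Float64() < p {
		return truth
	}
	return rng.Intn(2) == 1
}

// Epsilon is the privacy loss: ln of the ratio between the probability of
// reporting 1 when the truth is 1 (p + (1-p)/2) and when it is 0 ((1-p)/2),
// which simplifies to ln((1+p)/(1-p)). p = 0.5 gives ln 3.
func Epsilon(p float64) float64 {
	return math.Log((1 + p) / (1 - p))
}

// EstimateFraction undoes the noise in aggregate. With T true users among n,
// E[#ones] = T*p + n*(1-p)/2, so T_hat = (#ones - n*(1-p)/2) / p.
// The estimate is unbiased but noisy; it can even fall outside [0, 1] for tiny n.
func EstimateFraction(reports []bool, p float64) float64 {
	n := float64(len(reports))
	ones := 0.0
	for _, r := range reports {
		if r {
			ones++
		}
	}
	return (ones - n*(1-p)/2) / p / n
}

// Simulate builds a constructed population in which trueFraction of the n users
// really have the app, collects their randomized reports, and returns the estimate.
func Simulate(n int, trueFraction, p float64, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	reports := make([]bool, n)
	for i := range reports {
		reports[i] = Randomize(rng.Float64() < trueFraction, p, rng)
	}
	return EstimateFraction(reports, p)
}

func main() {
	fmt.Printf("epsilon at p=0.5: %.3f (ln 3)\n", Epsilon(0.5))
	fmt.Printf("estimated share with App2: %.3f (true share 0.300)\n", Simulate(10_000, 0.3, 0.5, 1))
}
```

Lowering p strengthens privacy (smaller epsilon) and widens the error bars on the aggregate; the trade-off is the whole design decision, and the standard deviation of the estimate shrinks only as 1/sqrt(n), so this works for populations, not for a table of four rows.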
  32. Privacy Techniques: Massaging the Data. The Good: anonymizing or deidentifying data is expressly allowed by GDPR, and the changes needed to comply are relatively simple. The Bad: if the data is re-identifiable, you're still on the hook, and it probably is; deidentified data is a cryptogram puzzle, and more data points make it more likely to be solved.
  33. The Weather Channel collected your location data. It stripped your name but sold the location. Trivially reversed by reporters joining public data sets to it.
  34. Salesforce Shield (with Cache-only Keys) (1/4). 30% of net premium.
  35. Salesforce Shield (with Cache-only Keys) (1/4). Use your existing KMS, policies, SIEM, and monitoring; effectively extends the perimeter around the partner. Subpoena-resistant (unless a government can eventually compel code changes). But there is still server-side access and use by Salesforce.
  36. Shield-like Offerings (1/4). Others are doing similar (or have announced coming support for it).
  37. Encryption Proxy (2/4). CASB: Client → CASB → App → DB. In-house: Client → App → Proxy → DB. The CASB pattern puts the customer in control, but can be terrible for breaking functionality. The DB proxy pattern makes life slightly more annoying for hackers, if they somehow hacked the DB but not the app.
  38. Key Custodian (3/4). Client → App → DB, with the keys held by a separate Key Custodian. Split trust model using a trusted 3rd party: keys and encrypted data are separated between organizations and networks. Essentially end-to-end since the app has no access to data; similar to CASB that way.
  39. Zero-trust (4/4). Client → App → DB, with a Facilitator alongside. Encryption-backed access control. Identity aware. App can access data with its own keys. 3rd party never sees keys or data. Per-service, per-datatype access models. Full disclosure: my company offers a solution for this, and also for adding "shield" to existing SaaS products.
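Slides 34-39 all rest on the same primitive, keys kept by one party and ciphertext by another, with access decided at key-release time. The added example below (not code from the deck, and not IronCore's or Salesforce's implementation) shows the key-custodian split from slide 38 with the per-service, per-datatype policy from slide 39, in Go with standard-library AES-256-GCM: the app generates a fresh data-encryption key per record, has the custodian wrap it, and stores only ciphertext plus the wrapped key. The custodian checks policy and writes an audit entry on every unwrap, and binds the wrapped key to its data type as associated data so a record cannot be relabelled to a less sensitive type to slip past policy. The service names "billing" and "analytics", the data type "ssn", and the in-process custodian (in practice a separate organization and network) are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Policy: which service may unwrap keys for which data type (per-service, per-datatype).
type Policy map[string]map[string]bool

// Custodian holds the key-encryption key (KEK) and the policy. In the slide's model it
// lives in a separate organization and network from the app that stores the data.
type Custodian struct {
	kek    []byte
	policy Policy
	Audit  []string // every unwrap attempt, allowed or denied, lands here
}

func NewCustodian(p Policy) (*Custodian, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Custodian{kek: kek, policy: p}, nil
}

// aeadSeal / aeadOpen: AES-256-GCM, random 12-byte nonce prepended to the ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK binds the data-encryption key to its data type via the AAD.
func (c *Custodian) WrapDEK(dek []byte, dataType string) ([]byte, error) {
	return aeadSeal(c.kek, dek, []byte(dataType))
}

// UnwrapDEK is the identity-aware access check: no matching policy entry, no key.
func (c *Custodian) UnwrapDEK(service, dataType string, wrapped []byte) ([]byte, error) {
	if !c.policy[service][dataType] {
		c.Audit = append(c.Audit, fmt.Sprintf("DENY %s -> %s", service, dataType))
		return nil, fmt.Errorf("service %q may not read %q", service, dataType)
	}
	c.Audit = append(c.Audit, fmt.Sprintf("ALLOW %s -> %s", service, dataType))
	return aeadOpen(c.kek, wrapped, []byte(dataType))
}

// Record is what the app's database stores; neither field is useful without the custodian.
type Record struct {
	DataType   string
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt runs on the app side: fresh DEK per record, wrapped by the custodian, then dropped.
func Encrypt(c *Custodian, dataType string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(dataType))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := c.WrapDEK(dek, dataType)
	if err != nil {
		return Record{}, err
	}
	return Record{DataType: dataType, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt: the named service asks the custodian for the DEK, then opens the record locally.
func Decrypt(c *Custodian, service string, r Record) ([]byte, error) {
	dek, err := c.UnwrapDEK(service, r.DataType, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, r.Ciphertext, []byte(r.DataType))
}

func main() {
	cust, _ := NewCustodian(Policy{"billing": {"ssn": true}})
	rec, _ := Encrypt(cust, "ssn", []byte("123-45-6789"))
	pt, err := Decrypt(cust, "billing", rec)
	fmt.Println(string(pt), err)
	_, err = Decrypt(cust, "analytics", rec)
	fmt.Println(err, cust.Audit)
}
```

Two properties follow from the layout rather than from any one line: a dump of the app's database yields ciphertext and wrapped keys only, and the custodian's audit log is a complete record of which service touched which data type, which is the "manage and track access" the deck asks encryption to deliver. What the example does not show is the difference between slides 38 and 39: here the custodian sees the DEK when it unwraps, whereas the zero-trust variant keeps the third party from ever seeing keys or data.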
  40. "An ounce of prevention is worth a pound of cure." (Benjamin Franklin) Pick an approach and run with it. The sidelines will be a costly place to watch from.
  41. Q&A
  42. Thank You
