* Posts by UlfMattsson

6 posts • joined 10 Apr 2013

How do you anonymize personal databases and protect people's privacy – over to you, NIST

UlfMattsson

Urgent need

I agree that "Given the growing interest in de-identification, there is a clear need for standards and assessment techniques that can measurably address the breadth of data and risks," but standards may take an additional 10 years to agree on and enforcing regulations is always difficult.

We know that NIST is concluding that "Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory." It may take many years to fix this issue.

We know that "the risk depends upon the availability of data in the future that may not be available now." So we need a policy driven approach that can be easily adjusted over time as more data is available.

I like to consider employing "a combination of several approaches to mitigate re-identification risk. These include technical controls." I've seen two interesting technical approaches that can provide a balanced combined solution to address the growing issue of privacy and access to data. The first approach is based on service-oriented privacy-preserving data publishing. This service-oriented approach can provide policy-driven control over how combinations of different data are accessed and the accumulated volume of data that is accessed. The second approach, based on data tokenization and dynamic masking, can secure the data itself against misuse and theft.

I think that a balance between the first and second approach can provide an attractive data centric solution for different sensitivity levels.

I agree that we need a "balance between providing privacy and useful data," and we are running out of time to fix this growing issue.

Ulf Mattsson, CTO Protegrity

Experian-T-Mobile US hack: 'We trusted them, now that trust is broken'

UlfMattsson

How could Experian allow decryption of 15 million Social Security Numbers?

How could Experian allow decryption of 15 million Social Security Numbers? We know that most banks limit the amount you can withdraw from an ATM on a daily basis to limit fraud.

Encryption and decryption is only a way to enforce a security policy. A security policy can be applied to encryption or tokenization services. The PCI DSS Tokenization Guidelines, released in 2011, suggest that tokenization systems can be configured to throttle or reject abnormal requests, reducing the potential exposure of unauthorized activity.

Also the Visa Tokenization Best Practices guide for tokenization, released in 2010, suggests that tokenization systems can be configured to throttle or reject abnormal requests, reducing the potential exposure of unauthorized activity.

I suggest that all encryption/decryption services should also apply similar rate limiting rules to prevent or limit theft of sensitive information from databases.

Ulf Mattsson, CTO Protegrity
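
An added illustration of the throttling idea in the comment above (not part of the original post, and not code from PCI, Visa or any vendor): a toy in-memory token vault that caps how many values each caller may detokenize per time window and records rejected requests. The class names, caller name, limits and sample values are all constructed for this example.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict, deque

class QuotaExceeded(Exception):
    """Caller used up its detokenization budget for the window."""

class TokenVault:
    def __init__(self, max_reveals, window_seconds, clock=time.monotonic):
        self._key = secrets.token_bytes(32)
        self._by_token = {}    # token -> original value
        self._by_digest = {}   # HMAC(value) -> token, so repeats reuse one token
        self._reveals = defaultdict(deque)  # caller -> timestamps of recent reveals
        self.max_reveals, self.window, self._clock = max_reveals, window_seconds, clock
        self.audit = []        # (timestamp, caller, outcome) for later review

    def tokenize(self, value):
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).digest()
        if digest not in self._by_digest:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._by_digest[digest], self._by_token[token] = token, value
        return self._by_digest[digest]

    def detokenize(self, caller, token):
        now, recent = self._clock(), self._reveals[caller]
        while recent and now - recent[0] >= self.window:
            recent.popleft()   # forget reveals older than the window
        if len(recent) >= self.max_reveals:
            self.audit.append((now, caller, "rejected"))
            raise QuotaExceeded(f"{caller}: over {self.max_reveals} reveals per window")
        recent.append(now)     # charge the budget before the lookup, so misses count too
        value = self._by_token[token]
        self.audit.append((now, caller, "revealed"))
        return value

def bulk_read_demo():
    # Constructed scenario: one caller tries to reveal 10 values with a budget of 3 per day.
    fake_now = [0.0]
    vault = TokenVault(3, 86400, clock=lambda: fake_now[0])
    tokens = [vault.tokenize(f"000-00-{n:04d}") for n in range(10)]  # constructed values
    revealed = 0
    for tok in tokens:
        try:
            vault.detokenize("batch-job", tok)
            revealed += 1
        except QuotaExceeded:
            pass
    rejected = sum(1 for _, _, outcome in vault.audit if outcome == "rejected")
    fake_now[0] = 86400.0   # a day later the budget has refilled
    next_day_ok = vault.detokenize("batch-job", tokens[0]) == "000-00-0000"
    return revealed, rejected, next_day_ok
```

The rejected entries in `audit` are the signal worth alerting on: a caller that repeatedly hits its ceiling is behaving abnormally for its role.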

UlfMattsson

Encryption?

I find it very concerning that “Experian has determined that this encryption may have been compromised.”

Aberdeen Group reported in a very interesting study with the title “Tokenization Gets Traction” that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

Visa, Amex, MasterCard and ApplePay are now switching to tokenization for the same reasons.

We can “reduce the amount of data that is sensitive” by using data tokenization.

Ulf Mattsson, CTO Protegrity

Make sure big data doesn't land you in big trouble

UlfMattsson

New practical security approaches are required

I agree that “they probably have no idea of the security burden it will bring” and will end up with a lot of sensitive data that will lead to a security crisis:

1. I think a big data security crisis is likely to occur very soon and few organizations have the ability to deal with it.

2. We have little knowledge about data loss or theft in big data environments.

3. I imagine it is happening today but has not been disclosed to the public.

There is unfortunately a shortage in Big Data skills and an industry-wide shortage in data security personnel, so many organizations don’t even know they are doing anything wrong from a security and compliance perspective.

So we need to take a data-centric approach to Big Data security and I agree to encrypt “data to help protect it from attack.”

But unfortunately Hadoop only offers file layer encryption. This approach with coarse-grained encryption is old school security and will not provide the needed balance between security, regulatory compliance and data insights, since the whole data file is either encrypted or decrypted and wide open to attackers.

We also know that “homomorphic encryption” is a very interesting research area but unfortunately not a viable solution any time soon.

I agree with CSA, which “advises wrapping NoSQL databases in a secure middleware layer to shield direct access to the data,” since most Big Data platforms are lacking the security that we find in traditional database environments.

I think that new practical security approaches that provide fine-grained encryption or data tokenization are required. Today, vendors such as Teradata, Hortonworks, and Cloudera have partnered with data security vendors to help fill the security gap. What they’re seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and “big answers”.

Ulf Mattsson, CTO Protegrity

Amazon cloud gobbles Microsoft data

UlfMattsson

How can my data be protected and compliant

I really like that "You can use the Storage Gateway to marry your existing on-premises storage systems with the AWS cloud for backup, departmental file share storage, or disaster recovery."

How can my data be protected and compliant with US State laws, PCI DSS and HIPAA / HITECH?

Ulf Mattsson, CTO Protegrity

Your consent 'almost always' needed when firms use your data to profile you

UlfMattsson

I agree that strong enforcement is critical

I agree that strong enforcement is critical. I like the statements that "those firms would still require to insure that the information is kept confidential and secure" and "EU's Charter of Fundamental Rights indicates a hardening of attitude." I also like the statement "Expect to spend time looking at your purposes and consents much more closely before you embark on your next big data project," since I believe that the big data security crisis is just around the corner:

1. I think a big data security crisis is likely to occur very soon and few organizations have the ability to deal with it.

2. We have little knowledge about data loss or theft in big data environments.

3. I imagine it is happening today but has not been disclosed to the public.

What do you think?

Ulf Mattsson, CTO Protegrity


Biting the hand that feeds IT © 1998–2021