Encryption and Masking of Sensitive Data for Spark Analytics (CCPA Compliance & Governance)

Les McMonagle, Chief Security Strategist – SecuPi

Alon Rosenthal, CEO – SecuPi

Les McMonagle - Speaker Bio

Chief Security Strategist

Les has 25 years’ experience in information security consulting and advisory services. He has held the position of CISO for a credit card company and ILC bank, founded a computer training & IT outsourcing company, directed the security and network technology practice for Cambridge Technology Partners across Europe, and helped several security technology firms develop their initial product strategy.

Les founded and managed Teradata’s InfoSec COE, was Chief Security Strategist at Protegrity, Vice President of Security Strategy at BlueTalon and is now Chief Security Strategist at SecuPi.

Les holds a BS in MIS, CISSP, CISA, ITIL and other relevant industry certifications.

Alon Rosenthal - Speaker Bio

SecuPi CEO

Alon has more than 15 years of technology leadership experience.

Prior to establishing SecuPi in 2014, Alon was the founder of ActiveBase where he invented dynamic data masking. ActiveBase won the 2010 Gartner Cool Vendor prize and the 2011 SC Magazine Innovation Award. Alon sold ActiveBase to Informatica, where it later became Informatica’s DDM solution.

Alon has an MBA degree in Business from Tel Aviv University and dual Bachelors in Industrial Engineering and Economics, both summa cum laude, from Technion Israel Institute of Technology. He is a 3rd DAN Okinawan Goju-ryu black belt.

Agenda

Les McMonagle

Balancing Data Protection with Analytics Value

Satisfying CCPA Privacy Compliance Mandates

Why HYOK Eclipses BYOK

Alon Rosenthal

Demonstrating practical methods to achieve appropriate balance between data protection and data usability on Spark and Kafka

Plethora of Data Privacy Regulations

California Consumer Privacy Act (CCPA)

New York State NYDFS 23 NYCRR 500

South Carolina Insurance Data Security Act

EU’s General Data Protection Regulation (GDPR)

Dubai DIFC Data Protection Law

Japan Act on the Protection of Personal Information

Chicago Personal Data Collection & Protection Ordinance (Introduced)

India Personal Data Protection Bill (PDPB)

Colorado House Bill 18-1128

Brazil General Data Protection Regulation

Russia Data Protection Law

San Francisco “Privacy First Policy”: Nov 2018 Ballot

Thailand Personal Data Protection Act (PDPA)

S. Africa Data Protection Act (POPI)

Canada Digital Privacy Act & PIPEDA

Australia Data Privacy Regulations

Family Education Rights and Privacy Act (FERPA)

Common Use Cases

Real-time User Behavior Activity (UBA) Monitoring & Auditing
Immediately detect, alert, report or even block any anomalous or abnormal data access

Cross Border / LOB / Business Partner Access Restrictions
Geographic “Fencing” of access within Country / State / Legal Entity

Staff/VIP/Celebrity Patient Customers/Unmask Feature
Block unauthorized employee access to other staff, neighbors, family member or VIP customer

Consent & Preference Management (Opt-In / Opt-Out), RTBF
Enforce Near Real Time (NRT) “Soft Delete” (RTBF), other Opt-In / Opt-Out preferences in one place

Balancing Two Opposing Forces

Data Protection and Privacy Compliance

▪ Personally Identifiable Information (PII) must be protected and access strictly controlled on a “Need-to-Know” basis

▪ California Consumer Privacy Act (CCPA) introduces strict new data privacy requirements that must always be satisfied

▪ RTBF, Consent and Preference Management (Opt-In/Opt-Out) must be managed

Advanced Data Analytics & Monetization of Data

▪ Unlimited access to all possible data

▪ Data hosted and processed in a plethora of data repositories On-Prem and in the Cloud

▪ Data Mobility and Hosting Flexibility

▪ Freedom to leverage Any or All Analytics Tools or Applications from anywhere

Essential Data Protection & Compliance Capabilities

Data Loss Prevention (DLP)
Prevent abuse / malicious insiders / credential theft
• Fine-grained access control, auditing and activity monitoring including sensitive columns tokenized or encrypted at rest or not
• Monitor end-user/role/Geo-location

Data Governance
Compliance with GDPR / CCPA / Geo-Fencing
• Row-level security
• Dynamic Data Masking
• VIP Client filtering
• “Right of Erasure”

Column-Level Encryption
Column-encryption & decryption without API / code changes
• Support Key per column
• 3rd Party HSM or KMS encryption integration

SECURITY

BYOK (Bring your Own Key) versus HYOK (Hold Your Own Key)

BYOK – Key Shared
Decryption Key resides on Cloud Data Platform!

Encrypted name: SGDA GBBQA, SSN: 731 433 663

BYOK Decryption: John Smith, SSN: 123 456 789 available on the Cloud Data Platform for ALL incoming requests!

Business Users, Analysts & Data Scientists, Application Admins, Developers & DBAs: All can see John Smith, SSN: 123 456 789

All users can access decrypted data

HYOK – Key NOT Shared
Key Segregated from Cloud Data Platform!

Encrypted name: SGDA GBBQA, SSN: 731 433 663

HYOK Decryption: Decryption applied only on apps/tools for users/roles on a “need-to-know” basis

Business Users, Analysts & Data Scientists, Application Admins, Developers & DBAs: Authorized users see: John Smith | Unauthorized see: SGDA GBBQA
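The BYOK/HYOK difference on this slide, as an added illustration that is not SecuPi's code or API: a toy HMAC-based Feistel cipher stands in for format-preserving encryption (it is not NIST FF1 and not meant for production), and the key, tweak, role names and sample SSN are constructed assumptions.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end up back in their original positions

def _prf(key: bytes, tweak: str, rnd: int, half: str) -> int:
    """Keyed round function: HMAC-SHA256 over tweak, round number and one half."""
    msg = f"{tweak}|{rnd}|{half}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def fpe_encrypt(key: bytes, tweak: str, digits: str) -> str:
    """Toy format-preserving encryption: N digits in (N >= 2), N digits out."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = len(a)
        c = (int(a) + _prf(key, tweak, rnd, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b

def fpe_decrypt(key: bytes, tweak: str, digits: str) -> str:
    """Inverse of fpe_encrypt: undo the Feistel rounds in reverse order."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        prev_a = (int(b) - _prf(key, tweak, rnd, a)) % 10 ** m
        a, b = str(prev_a).zfill(m), a
    return a + b

# Constructed sample data and hypothetical names; nothing below is a vendor API.
ON_PREM_KEY = b"constructed-demo-key-held-on-prem"
AUTHORIZED_ROLES = {"fraud_analyst"}  # hypothetical need-to-know policy
TWEAK = "customers.ssn"               # binds ciphertext to one column

def ingest(ssn: str) -> dict:
    """Encrypt the column before the row leaves for the cloud platform."""
    return {"ssn": fpe_encrypt(ON_PREM_KEY, TWEAK, ssn)}

def read_byok(row: dict, platform_key: bytes, role: str) -> str:
    """BYOK: the platform holds the key, so role is ignored and all get plaintext."""
    return fpe_decrypt(platform_key, TWEAK, row["ssn"])

def read_hyok(row: dict, role: str) -> str:
    """HYOK: decryption runs client-side, only for roles the policy allows."""
    if role in AUTHORIZED_ROLES:
        return fpe_decrypt(ON_PREM_KEY, TWEAK, row["ssn"])
    return row["ssn"]  # everyone else sees the stored ciphertext

CLOUD_ROW = ingest("123456789")  # what the cloud platform actually stores
```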

Data-Centric Security & Privacy Example for all AWS Data Services

Apply Column-level Encryption (at rest & in transit), Fine-Grained Access Control to ALL sensitive data with Dynamic Masking, Anonymization, Accountability, Audit Trail and UBA across ALL AWS Workloads

[Diagram labels: Sense, PowerBI, DBeaver, Dashboards, Native-Cloud Applications, Applications, KSQL Client, KSQL Cluster, SageMaker, Lambda Functions, DynamoDB, RDS, Aurora, EMR, Redshift, On-prem Data Sources, Cloud KMS, HSM, SecuPi Policy Management (Docker Container, K8s Cluster): Policy Management, Orchestration, Audit Trail]

1> Column-level Encrypted HYOK while holding keys on-prem

2> Sensitive Columns Remain Encrypted On All AWS Compute Layer

3> Decrypt per user/role/location on “Need-to-know”/legal basis…

Information Security Level 2 – Sensitive © 2019 – Proprietary & Confidential Information of SecuPi

BCBS (Healthcare) – Case Study

BCBS Requirements
• Encrypted Patient ID
• Data Discovery & Data Flow Mapping
• HYOK

Support for: Spark, Hive, LLAP, Kafka, Storm, R, Jupyter

SecuPi Management Server: Policy Definition, Distribution, Orchestration, …

[Diagram labels: Discovery & Classification, Data Discovery & Inventory, Data Inventory, Data Flow Classification, Real Time Activity Monitoring, Sensitive Data User Activity Monitoring, Enforcement & Remediation, Encryption at Rest, Encryption in Use, Dynamic Masking, Logical Deletion, Physical Deletion, Consent]

Integrations
• Active Directory/LDAP
• Send log data and alerts to SIEM
• KMS/HSM Integration

SecuPi Application Overlays
(1) SecuPi Application-Server Instrumentation Overlays
(2) SecuPi ODBC/JDBC Driver Wrappers
(3) SecuPi Gateways

[Diagram: Azure Cloud, Ingestion → Consumption. Column-level FPE Encryption During Ingestion; Original Data Decrypted on a need-to-know basis & ABAC. John Smith 123 456 789 → SGDA GBBQA 731 433 663 → John Smith 123 456 789. Labels: PowerBI; Java, .Net, NodeJS, Python, Custom Apps; Snowflake Web Tools, CLI; SnowSQL, Python connector; LLAP]


Demo

Poll

How important is it for your organization to apply column-level encryption (HYOK) prior to data being hosted in the cloud?

Essential for any Cloud migration involving sensitive or regulated PII

Nice to have the option for data sets involving PII

Not required – No plans to host sensitive or regulated data on Cloud

Cloud Hosting provider file-level encryption and key management is good enough


Elmar Grasser, CTO at Sunrise Switzerland

“At Sunrise, customers’ data protection has the highest priority. Security and data protection is a complex global issue. SecuPi were able to fulfil our requirements, ensuring peace of mind for our enterprise clients and their customers.”

Q & A

Feedback

Your feedback is important to us.

Don’t forget to rate and review the sessions.