Hello everyone, and welcome to our next EDW session, titled "Securing Your Data Assets Against Hackers," which will be presented by Seth Nielsen, the founder and chief scientist of Crimson Business. All audience members are muted during these sessions, so please submit your questions in the Q&A window on the right of the screen, and our speaker will respond to as many questions as possible at the end of the talk. Please note that there's a link to a form at the bottom of the page titled "EDW Conference Session Survey." This is where you can submit session feedback, and we encourage you to do so. So let's begin our presentation now. Thank you, and welcome, Seth.

Thank you very much. I'm happy to be here today. Obviously, I'm sure you hear this from everyone, but we all wish we could meet in person. Truthfully, not my favorite kind of teaching style. I prefer to be with people and able to move around and engage with people. I teach classes at the university level where I have to teach using this method as well. So it's not that I don't use it. Just wish we had other options to meet in person.

With that said, let me tell you just a little bit about myself so you can kind of see where I'm coming from. I am a consultant. I work with people on matters of computer security. I have a bachelor's and master's degree from Brigham Young University and a PhD in computer science from Rice. On a more personal note, because I think that's useful, just kind of, we all know a little bit about each other.
I have five really great kids, I love Jane Austen novels and movies, and I've written but not published a fantasy novel. Just so you can kind of get a little bit of a view into my head.

Let me also say just a little bit about the type of computer security that I do, because this will also clue in to what I'm really going to focus on in the presentation. A lot of times when I interact with a client, one of their first questions is, well, okay, we'd like you to do some penetration testing. Penetration testing is not what I do. Penetration testing is a very, very narrow, specific part of computer security. I do a broader computer security effort that you could call cyber security engineering, which is: we start with the big picture, we figure out what our needs are, we figure out what our real issues are, what we need to protect, why and how. And that's going to figure in pretty prominently into today's conversations, and I think this will actually be really useful for you, as most of you are attending this conference focused on data and your interests are in data. And data, as we're going to see, should really be driving your organization's security planning. Data should be driving your organization's security planning.

Again, I said I'd tell you just a little bit about the type of projects I've worked on, to put this into reference. I have worked on a really wide range. I've worked on things from medical devices, medical devices that were being infiltrated from long distance. So you're at the hospital, you think the device is giving you one treatment, but maybe it's being interfered with. I have worked on systems related to banks, and by the way, at this bank I was working with, it was a data issue. They were not bringing me in to analyze how the intruders got in. There had been another team that did that; they'd already locked it down, they'd already secured the breach. My analysis was on the data. How important was the data? What could an attacker do with it?
I have worked on projects related to ransomware. I've worked on projects related to secret codes. I've worked on projects related to phishing attacks. And I emphasize this breadth again to emphasize that the way I think about security, and what I think is most important, is understanding these big picture issues, understanding motivations, understanding value, and understanding organizational goals.

So today we're really going to talk about how data drives important decisions and planning and understanding for computer security. So even if none of you are very familiar with computer security, my hope, my goal, is that you go back to your organizations, you find your security team, and you say, "You should be talking with me," if you're not already. If your security team is not integrated with you who are in charge of data, or involved in the collection of data or the management of data, there is already a problem. I don't know where it is, but it's already there. And today I'm going to try and talk with you about how you think about data in a security context, so you can go back to your group and insert yourself where it's appropriate.

Now, you may have noticed, if you've looked at the slides, if you pulled them down, I have 160 or so. We are obviously not going through all of those today. I've left these in from previous presentations where it was full day, because I think the slides are good and there may be information in there that you can read, and if you don't fully understand it, at least tell you where to Google. So we're going to actually skip to the end of my slide deck, which is where we hit the punch lines, but I've provided the whole slide deck to you because I believe it could be helpful. But with that in mind, we're going to jump all the way down to slide number 119, where we really get in to the punch line of all of the presentation.

I want to credit right from the start, if you're looking at my video camera: I am a big fan of Danette McGilvray's book
Executing Data Quality Projects. She now has a second edition out, which I need to get, and in the interest of full disclosure, I am related to her by marriage. But I read her book and it was eye-opening to me as a security individual. It changed how I think about computer security. So as you'll see here in my slides, I'm going to quote from her just a little bit, and I want to start by talking about data governance, which I do not claim to be an expert in. Some of you maybe know more about it than I do, but I'm going to introduce you to how I see it as a security person.

So here's a quote. That is: data governance is the organization and implementation of policies, procedures, structures, roles, and responsibilities that outline and enforce rules of engagement, decision rights, and accountabilities for the effective management of information assets.

I will admit to you that I was probably this guy leaning back in the chair at one point and thinking to myself, what does this have to do with security or privacy? Well, I had a really deep realization that you can't secure data you can't govern. Okay, I'm gonna repeat that, this is so important. I feel like I should make t-shirts or put it on mugs. You can't secure data you can't govern. And on the flip side, you can't govern data you can't secure. Okay, so this topic, super important.

So let's talk about access controls. I have slides about this earlier, but for now, let me just simplify it down to: it just enforces access. I mean, it's kind of a circular definition, but the idea is, anything you have that attempts to control access to data, whether it's physical like a locked room or digital like a password, is a type of access control. So with access controls, here's an example of a digital control: maybe a program that only lets user one here access sales data and not payroll data. That would be an access control. Or a locked room. You may have heard of role-based access controls.
These are very popular right now. The idea is, instead of giving one user a set of permissions, you give a role a set of permissions, and then you assign a user to one, but often multiple, roles. By the way, if you wonder why I'm using names like Alice and Bob for my characters here, it's actually a little joke from computer security. We usually talk about party A as Alice and party B as Bob. So, little inside humor for you.

Here we have Bob leaning back in his chair. Bob has a role as an administrator and analyst and in data entry. Okay, and then depending on which role Bob uses to log into the system, Bob gets access to different databases, different applications, etc. This slide is hinting at one of the problems that often shows up in role-based access control. If any of you have worked long enough in an organization, you have often found that you get role creep, meaning you started out in a role. Bob here started out in data entry, having very little to do with anything else. Bob gets promoted to analyst. But as many of you are probably aware, do they ever stop having Bob do some amount of data entry, or being involved in the data entry? Or at least, "Well, Bob, we know you've moved on, but somebody who's in your role now has a question. Can you come show them how to do it?" And because of problems like this, a lot of times people don't get the roles that they're out of removed. And this is a security problem, because they're only supposed to have access to the information and processes that are appropriate for their role. Are you seeing why data governance is important in this?
So here's my point. Governance is about the outline and enforcement of rules of engagement. If those are weak, it doesn't matter how good your security software is. It doesn't matter how strong the encryption is. It doesn't matter if they release a new security patch. You will have security issues, because the business rules about who can access data and how are weak. So one place for you to look to insert yourself in with the security team is: is the security team clear on who accesses data? If they're not, their security rules are wrong somewhere.

Okay, let's talk about privacy. And again, I have a series of slides on PII, or personally identifiable information. Sometimes it's a good policy to restrict PII to a single database, and you kind of mark it as a very critical database. But again, that's no good if you have no idea who can access the database.

All right, what about things like accountability, which is also part of data governance? I think most of you have probably either been a part of or been aware of an organization where accountability was not clearly defined. Audits, for example, are very valuable to computer security. Audits are very important for computer security. However, without accountability, what's going to happen to the audit? Suppose an audit reveals that PII was retained incorrectly. Yeah, okay, we need to follow the law. We have to disclose. We have to do this.
We have to do that. But no one was accountable. If there were no accountabilities for the allocation of the data, the access of the data, the responsibility for the use, then any of the audits won't actually have much of an impact on making sure it doesn't happen in the future.

Okay, I'm going to briefly talk to you about a technical concept. This may or may not be something you need to be super involved in, but because it's data related, I'm going to share it with you. One of the most important problems with secret codes, cryptography, or encryption is what you do with the keys. It turns out there is supposed to be an entire key life cycle. A key is the thing, if you're not familiar, and again, we couldn't go through all those details today, but a key is, like, it's usually a number. I mean, it's usually a small amount of data, maybe a hundred and twenty-eight bits, that's sixteen bytes, or thirty-two bytes. Certain keys are a little bit longer, maybe a few thousand bytes. But these keys control your ability to encrypt data, decrypt data, do digital signatures, some of these kind of things.

Keys have a life cycle. They have an amount of time for which they should be active. Then there should be a certain amount of time where they're suspended, not used further except for data that still requires them, and then eventually deactivated. There should be a process for if they are compromised. This is always the hardest part of cryptography. For those of you who are responsible for data in your organization, you might want to integrate with your security team to make sure that the data related to keys is properly accounted for and managed. If your organization does not have good management of keys, there is a security problem.
I don't know where, but it's there. Keys must be managed, and this is often a place of weakness, and this is another example of a place where data architects, data users, data managers should be involved. Okay, we're going to move on. This is kind of wrapping up what I was saying. A key is tied to decision rights. Often, if you don't know who should have a key, for how long, or for what purpose: no key management.

Okay. Now we're going to switch. We've been kind of focused on the people, right, or governance so far. I've kind of been focusing in on people. But now I want to talk about the data itself.

Okay, if you're talking about PII, suppose your organization is doing an audit to see if personally identifiable information is being adequately protected according to GDPR or the California privacy law or any of those. You probably need to be sure that you know that the PII is only coming in from authorized entry points. Okay, not every data entry point should be a place where PII can be admitted. But this relies on a very important assumption that most organizations think they know but often don't, and that is: do you know all of your data entry points? Do you know all of your data entry points? Do you know where the data is created and coming from? If you don't, then you can't be certain that your PII is only coming in from authorized entry points.

This, again, I drew quite a bit from Danette McGilvray's book. Do you know where the data is in your system? And I mean the entire business system. Do you know if you have duplication, the sources of a given piece of data, how it is shared, and how it is disposed of? You can't secure what you don't know.

Now, let me tell you a story of a company I've worked with. This company was responsible for handling some private data, and they said, we are handling all of our private data. It is encrypted.
It is this, it is that. Well, it turned out that a more deep and detailed audit found that they had what is called a caching server. If you're not familiar with a caching server, the idea is that you might have a big database that for whatever reason is somewhat slow on its accesses, maybe because of where it is in the cloud, or maybe because of certain characteristics it isn't highly performant. There are certain types of in-between devices that, as the data is coming out of the database and being routed to a client, a computer that is using it, data gets cached. And that way, if the user asks for the same piece of data again a few minutes later, you don't go all the way back to the database to get the answer. Well, it turned out they had a caching system that was caching data for 90 days, unencrypted, and there was a large amount of PII on this system that was unencrypted. The organization was largely unaware that that caching even existed. Didn't even know it was there.

This is what I'm driving at. Do you know where the data is in your system? Do you know if you have any duplication? Do you know all the sources of a given piece of data? Without this information,
You can't secure it, because you can't secure what you don't know.

Now this is another quote from McGilvray that I really like and believe is very important. Information quality: it is the degree to which information and data can be a trusted source for all required users. It is having the right set of correct information at the right time, in the right place, for the right people. And I bet even before you read what Alice says here at the bottom of my slide, you could see where I was going with this. An organization with low data quality will almost certainly have poor data security and privacy. Because if you don't have the right set of information, or it's not in the right time or in the right place, I promise you it isn't being secured correctly.

Now this is a quote that comes from one of my security books, but I actually think was meant to be married with this information. So I'm going to give you a little bit of an example of what I think is going to be the right set of data security. I think was meant to be married with this quote on information security. This is a book that I use in all of my classes when I teach, and I've taught classes at Johns Hopkins University, and currently I teach at the University of Texas at Austin, and I try and drive this concept into my students' heads: many systems fail because their designers protect the wrong things, or protect the right things but in the wrong way.

Now if you think about this, we can combine this with our information security quotes, so, I'm sorry, information quality quotes, and I give you my version: many systems fail because their designers protect the wrong data, or protect the right data but in the wrong way, at least in part because they don't know what data they have, how correct it is, where it came from, and what it's used for. So I'm quoting myself now, that's really exciting. I like that quote. Okay, so where do we go with this?
Well, I really like Danette's book. I think Danette McGilvray's book, the 10 Steps to Quality Data and Trusted Information, is a great place to start on the data quality end, because, and if I'm repeating myself, it's because I'm really, really into this concept, that you have to know your data in order to secure it. So Danette also has an acronym. Now, she uses this for information in general, for the information lifecycle, but I'm going to adapt this for security. That's called POSMAD. So she says in the information lifecycle there is planning for data, obtaining data, storing and sharing data, maintaining data, applying data, and disposing of data. I'm taking her formulation here, and we're going to adapt it just a little bit for security and privacy.

Okay, here we go. How does planning for data tie in to security and privacy? I hope these are all useful pieces of information that you can take back to your organization. Even if you're like, I don't know the first thing about cryptography, I don't know the first thing about data security, this is where you can absolutely make a massive difference in your organization. Start by helping your organization identify your data security and privacy requirements. You may know better than anybody in your organization exactly what those should be, and if you don't, you may be the most qualified person to help them figure it out. If anybody in the room, as you're doing this, says, "Oh, so what kind of encryption should we use?", stop them immediately. This is not what we're talking about. Rather, what we are really talking about are: what are the requirements? Who is allowed to view it? How, under what conditions, are they allowed to view it? What do we have to do for chain of custody? What are the disposal rules? Who will have access to the data? Is it going to require keys? How will the keys be managed? What are the regulatory and ethical obligations?
This is what needs to happen in order to plan for the security and privacy of your data.

Okay. Once we have a plan in place, then we need to talk about obtaining it. This is also important, because in security we often say that it is at the boundaries where things go wrong. So you might think about this in terms of a house. Most of your would-be burglars are not Harry Potter-like wizards that can apparate inside your house. Most of them will need to use a door or a window and not a wall. But there's another reason why boundaries are important, and that is the transition. There is usually some change in the state of the data involved in the transmission, and security is sometimes a part of that. So securely collecting data usually comes in one of two ways: either already secured, or it has to be secured as it's coming in. So the biggest problem, and this is what I was driving at earlier with this transition, is security context. Context is everything in security, and what might be secure in one context may not be secure in another. And so understanding how you obtain data, and how the security requirements may change from one boundary to another, is critical.

Let's do an example. Although I didn't have time to talk about PII today, there is a concept called linkable PII. Some data may not be considered personally identifiable information when it is by itself, but it becomes PII when it is with other data that can be linked, and through the linking you can identify the individual. So you can imagine that there is a piece of data that in our external secure boundary was secure. It was fine.
It was not PII. But it comes into our boundary, and all of a sudden, because we're collecting data from multiple sources, it becomes PII. My point is, what was sufficient for protecting it externally is not sufficient for protecting it internally. So as part of the obtaining process, you need to be aware of those changes from security requirements. Once again, you may be the most qualified person in your organization to help the security team figure out what those requirements are and where these kind of context changes happen.

Right. Once we obtain the data, then we get into what is kind of your classic security, I guess. You know, we need to store it safely in a file cabinet or something. So once you get data in the system, you have to control where it is and who has access to it. Ensure that all locations where the data is stored are known. Ensure that equivalent security controls are used in all locations. This is another example of where data governance and data quality are so important. One of the things that you all know from duplication, right? You can get mismatching information, or you can have various reasons why, if the same information is coming from multiple sources, that's a data quality problem. Well, same thing with security. If you have data that over in server A is protected with 2FA, two-factor authentication, but a copy of it is available over on server B without two-factor authentication, you're in trouble.

I'll tell you another true story that happened just a few months ago. I was working with an organization where somebody had intruded into their system and stolen a bunch of passwords. It turns out that 90-some percent of their users had 2FA, two-factor authentication, and there were a few that did. Well, who do the attackers attack, the strong or the weak? And I don't mean that the person was weak. I simply mean that the security control was weak. They always attack the weak. So the way to look at this is not to say, well, 95% of our users use 2FA.
So we're secure. No, it doesn't work that way. If 5% of your users are using weaker security, then 95% of your security, it all lowers down to the lowest common denominator. This is a mistake companies make all the time. "We're doing great. We have 95% of everybody using two-factor authentication." No, you're not done. Sorry, the attackers will get the 5% who don't have it. This is not random chance. It's not like there was some stray bullet. This is dedicated, determined; they wake up and do their nine-to-five job trying to get into your organization. They aren't going to use the 95% who have 2FA involved. They'll use the 5% without.

So again, data governance. Do you know all of your users? Do you know all of their security procedures? Are we keeping it uniform across the organization? Do we have some back doors? "Well, they're just a contractor, the contractor doesn't have to have 2FA." No, no, no, no, can't do that. For data that has to be secured, you have to make sure that all access has the same security level. Use role-based access controls like we talked about, but manage the roles and get rid of roles that are no longer in use.

Maintain data. This is kind of going back to making sure those roles are still in use. If you've heard of data decay, we're going to talk about security decay. Data decay, of course, is where, as the data sits, it might become less relevant, or it might be out of date, or for whatever reason it's no longer accurate. That same type of decay also happens with security. I'm not going to go through all of these, but the role change is an example, right?
Somebody is in role A, then they get promoted to role B, and they're left with their access to role A. That is a security vulnerability. Staff turnover: person comes in, they get a password, they get access, and they're fired three weeks later, and nobody remembers to disable their access. So we have to maintain the security of our data by watching for sources of decay. As a quick note, if you remember the Equifax breach, they didn't patch a server they knew was vulnerable. That's security decay.

All right, applying the data. We're not going to talk about too much here, as we're running short on time. I'm really just gonna say what I say here, which is, it's a microcosm of the other elements. As you go to use the data, there is its own kind of little mini internal POSMAD cycle. Within your own organization, you may have to have a plan for how it's used in case there are security rules. There may be changes in the security context, so that moving it from where it's stored to where it's actually applied requires a careful management, and when you're all done using it, you may need to dispose of it from that location. So POSMAD, you could kind of reduce it down to how that's being done when the data is actually being used in computing.

But finally, what we're going to talk about last here is dispose of data. Please dispose of your data. It is important for computer security. Now, some think of data disposal as, I took a hard drive and I had the hard drive shredded. That's one type of disposal. That's media disposal. More holistically, you need to account for security issues like, has all access been revoked? We need to destroy data. If you think about it, access information is data, right?
Somebody's access to a system is a piece of data. That data needs to be destroyed when they should no longer have access. Here's another one. Remember how I mentioned that caching server? Sometimes you'll find there are pieces of software or hardware that, even when you think you've destroyed a copy of the data, the data is still being used, a copy still exists. What about remote device usage? And of course the physical: we talked about destroying the hard drive. If it's data that needs to be deleted securely, you should use something called cryptographic shredding, or overwriting. If you don't know what that is, your security team should, but you as the data experts need to take the lead on which data should be securely deleted. Document the destruction if required by policy or regulation. Release keys, access controls, etc. associated with the data, and also look around for metadata. If you've got a secure piece of data and you delete it, there may be metadata that could be used to recreate all or part of the secure data that was supposed to be destroyed.

Okay. Lastly, just as my last kind of slide here or two: information quality is, I believe, critical, and I haven't even really addressed that at all. I really just talked about the POSMAD cycle for how you should think about securing your data. We obviously can't talk about it today, but there are a lot of great resources on it. Again, encourage your organizations to have good information quality so they can also have good data security and privacy.

Okay. That's kind of my pitch for this first part of the presentation. I guess we have about 10 minutes left. I'm happy to take Q&A for the 10 minutes. If you want to reference a slide in your question, feel free, and we can jump back to it. Or we can just talk about any questions you might have about security or data security and privacy.

So that's great.
We don't have any questions just yet, but we just have one come in from Mark. So keep an eye on it for now. In just one second. Sure, good question. So I haven't spent a lot of time investigating those other models for the access controls, so I can't give you a good answer right now. If you want to follow up with me afterwards, I could do a little more investigation and answer that.

Zero trust is a really interesting concept. Zero trust actually is kind of going in all kinds of directions right now, and it's probably going to be the way things go in the future, one way or another. I'm a little bit more familiar with zero trust from the perspective of, how do we create a network that is secure? Zero trust as it's used, for example, like with Google's BeyondCorp, where it doesn't matter if you are inside the building or connecting remotely, it is the same level of security. And they check both that it's you, right, they check that you have your username, password, two-factor authentication. They also make sure it's a machine that they trust, with a certificate. And then the machine also has to go through a certain kind of policy check to make sure that it's up on its patches.
Its operating system, whatever else. And then there's actually a database that only lets the machine talk to servers and processes for which that user and that machine are jointly authorized. There are a lot of reasons that we are switching to this kind of a model. A lot of people feel like perimeter security, if you're familiar with that for networks, is dead, and that it was never really good enough to begin with. The problem that people are finding in zero trust is the classic problem in security, usability trade-offs. Some people think that that type of BeyondCorp model for zero trust is too fragile. I know some people have really struggled to feel like it's useful. And then sometimes the quality of that security degrades because you just find workarounds. But it seems like there's a lot of consensus around the idea that zero trust models are the thing of the future and that perimeter models are not. I'm not sure if that answers your question on the zero trust side. Feel free to ask a follow-up, see if we're talking about the same part of that.

I've also not paid a lot of attention yet to this other authorization pattern, but again, if you want to sync up with me offline, I can look into it and give you some thoughts about it. Again, kind of the approach that I'll typically take with a client is to start at the high level and then work down to these kind of specificities.

For tools related to collecting the attributes and metadata, that is not actually my area of expertise. That would probably be more for the data people, which is kind of my point. Like, this is why I feel like a lot of organizations are really struggling with their security: I feel like there are a lot of walls that go up between the security people and the data people. So that would probably be a good conversation to have between the security team and the data team.
I feel bad because I'm not giving you answers to the specifics you're looking for on those topics directly, but again, if you'd like to discuss it further afterwards, we could dig in and go into some more detail together if you'd like.

And do you have your contact information on the last slide? Is that what the slide is? Yes, there you go. Let's go ahead and pop that up to the day you can see it. And then while we wait for maybe a couple other questions that come in: if you had to distill it down, what's the one main takeaway that you'd like for the audience to walk away with?

Information quality is necessary for data security, and if you are involved in data, you should be involved with the security team.

And then what do you think, and this may be sort of the reverse of the same answer, but what do you think is the main barrier or obstacle or pitfall that somebody might face as they tried to implement this or overhaul their security?

There are a couple. That's a really good question. The first question is, a lot of security, maybe like I was saying in answer to Mark's question, a lot of security has been very much focused on the perimeter, right? Like, how do you keep bad people from getting in? That's actually a very narrow-minded way to think about security. Our number one concern... of course, we don't want bad people getting in, but the number one concern is almost always the data. We don't want
We don't want We don't want the data being sent where it shouldn't used how it shouldn't accessed shared Applied in ways that it shouldn't and the data is kind of this critical thing But a lot of security is just focused on this perimeter concept And then like well security is only responsible for the perimeter and whatever happens inside is none of our business that is that is That is very broken and but there's a culture and a mindset So part of what's important is for data people to get executives on board with the idea that the data is the keys of the kingdom the data is the the the valuables the crown jewels and that the starting point is The starting point is How do we protect our data? And if we start with that starting point and we we ask our security teams to retool from that perspective With an emphasis on the importance of the quality of our data, which is not something most security folks are trained in That is where I think organizations can make Make a difference I see this other question. What would be your pitch statement for data security? Well, I kind of think I was already giving it data is probably what makes your organization its money and and Also data is also the place where we're coming up with big fines, you know those GDPR fines or lawsuits or You know all of these different things. It's it's the data is where we'll make our money and the data is where we'll lose our money So the starting point for our security It's it's you start with the goals in mind not the not the implementation The goal is to secure the data and not protect the border. It's a slight You know, it's it's not that they're not related, but you start with what matters most and you work out from there That's great. 
It's like we don't have any other questions and we're running up on time. So thank you so much for your presentation, and thank you to our attendees for tuning in. Please remember to complete your conference session survey at the bottom of this page, and the next sessions will start in about 10 minutes. Also, we encourage you to stop by the sponsor booth to get some great free resources, if you're able to find time in the remainder of the session or this conference day. Thank you so much again, Seth, and have a great day.

Thanks. Email if you have questions.