
Page 1: API’s, Data and You · Its all about the Data! • 2.5 Quintillion bytes of data created each day • 90 percent of the data in the world was generated in the last 2 years! •

API’s, Data and You

Wesley Dunnington, Field CTO

Copyright ©2019 Ping Identity Corporation. All rights reserved.

Page 2

WHO AM I?

Name: Wesley Dunnington
Location: Boston
Email: [email protected]

Wesley has been in the identity and security space for over 25 years. He is currently Field CTO for Ping Identity; in this role he helps customers understand both the business value and the implications of new technologies, and helps Ping maintain its thought leadership position via blogs, whitepapers, conference presentations, and standards body work. As director of engineering for CA Technologies SiteMinder he led the teams building CA’s federation, web service, and secure proxy products. Transitioning into an architectural VP position, Wesley became chief architect for CA’s Secure Cloud IDaaS offering. More recently Wesley was lead platform architect for Sophos Central, an AWS-based SaaS platform for Sophos’ cloud cybersecurity offerings that protect 100 million people and 100,000 businesses in 150 countries. Wesley is on the OpenID Foundation board of directors, is actively participating in the FastFed working group, and was a member of Kantara’s Interoperability Review Board.

Page 3

It’s all about the Data!

• 2.5 quintillion bytes of data created each day
• 90 percent of the data in the world was generated in the last 2 years!
• DevOps
  • CI/CD systems (Jenkins, etc.)
  • Configuration as code
• AI/ML
  • Training is only as good as the training set data
• UEBA/Adaptive Authentication
  • Gather inputs from a variety of data sources to learn what is “normal”
  • More sensors = more precision
• IoT/IIoT
  • Dynamic system updates
  • Proactive issue determination

Page 4

A Minute on Access Control

• Q: What are we good at?
  • A: Protecting web pages
    • PingAccess, SiteMinder, etc. protect the most critical resources, and have not been broken yet – trust me, many have tried
• Q: What are we OK at?
  • A: Protecting API’s
    • North-South – OAuth, OpenID Connect
    • East-West – pretty new (Istio) or ad hoc (API keys in S3 buckets, etc.)
    • Timely breach detection is still a big issue
    • Good audit trails are an issue

[Charts: API Average Time to Breach; API Average Time to Detect First Breach]

Page 5

• Q: What are we terrible at?
  • A: Protecting data!
    • How many data breaches do you want me to name?...
• Q: Why are we so bad?
  • A1: Because it’s hard!
  • A2: Because the consequences were pretty minimal
    • Customers keep going back to sites that exposed their data
    • Until recently the total cost of breaches was not well understood
• Q: What’s changed?
  • A: Lots!
    • Regulations
    • Recognition of the full cost of breaches
    • Changing customer expectations

[Charts: Data Breaches Per Year, 2014–2018 (0–8000); Records Exposed Per Year, in millions, 2014–2018 (0–10000)]

Page 6

Current/Upcoming Privacy Regulations

▪ GDPR
▪ HIPAA
▪ CCPA (California Consumer Privacy Act)
▪ UK Data Protection Act 2018
▪ Vermont Data Privacy Law
▪ NJ S2834
▪ US Data Care Act
▪ PIPEDA
▪ Australian Consumer Data Right/CDS
▪ Ecuador Protection of Personal Information
▪ South Carolina Insurance Data Security Act
▪ ……..

▪ We are asking development teams to become compliance experts

Page 7

Cost of Breaches – from 2019 IBM Report

• Avg cost of breach – $3.92 million
• Avg cost of breach in US – $8.19m
• Cost per lost record – $150
• Mega breach (>1m records) – $42m
  • Up 8% over 2018
• Mega mega breach (>50m records)
  • Up 11% over 2018
• Some notable fines:
  • Equifax $575m, British Airways $230m, Uber $148m

Cost of Breach breakdown (the four components sum to the $3.92m average):
  Lost Business – $1.42m
  Detection and Escalation – $1.22m
  Post Breach Response and Fines – $1.07m
  Notification – $0.21m

Page 8

Data Breaches = Loss of Customer Trust

• 33% report being the victim of a data breach
• Consumers blame companies above everyone else – even the hackers!
• 58% would consider divesting
• 75% now limit the amount of personal information they share
• 72% are concerned about identity theft
• 42% of Gen Z are concerned about blackmail

Page 9

Why is Protecting Data Hard?

• Because we still think of the data as a side effect of an application
  • …or safely stored for eternity in a database
• What about the breakup of applications into microservices?
  • Starting to get more single-responsibility
  • But until recently mostly worried about just securing north-south and east-west traffic
• Compliance and audit still hard

Page 10

API’s and Protecting Data

• Q: What do most API’s do?
  • A:
    • Ingest data
    • Export data
    • Transform data
• Think about the data as much as the functionality
  • Well-defined API contracts
  • End-to-end data flow diagram
• Moving to a Data Governance Mindset…

Page 11

Adopting a Data Governance Mindset

▪ Data Inventory
  – What data does each API collect or use?
  – Where is the data stored?
  – Is the data subject to any privacy initiative?
▪ Data Security and retention policy
  – Is the data encrypted at rest?
  – Is there a defined retention period for the data?
  – Can all sensitive data be removed upon request?
▪ Privacy and compliance
  – Are there documented policies which define who can read/write the data?
  – Can these policies be enforced in a consistent manner across all applications and data sources?
  – Is user consent driving data collection and sharing?

Page 12

Consent is Critical!

▪ GDPR – Article 4(11)
  – “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, …”
▪ Open Banking Customer Experience Guidelines
  – The AISP must provide the PSU sufficient information to enable the PSU to make an informed decision, …
▪ CCPA
  – Consumers have the right to opt out of the selling of their personal information.
▪ Blanket consent is rarely acceptable these days
▪ Capture the subject’s consent
▪ Use this consent to drive policy!

Page 13

What is the Solution? – Look at the Data!

• Move from application-by-application data policies to centrally managed policies
• Provide a control plane at the API layer
• Visibility and control for security pros and business analysts
• Privacy, consent, compliance even if the API is in error

[Diagram labelled “Evolves to”]

Page 14

PingDataGovernance – A control plane for data

Page 15

Powerful Dynamic Policies

• Build policies based on:
  • Request URL
  • Request body
  • Request headers
  • User directory records
  • External data via REST API’s
• Policies managed by admins, security pros, business analysts
• Policies can act on request or response
• Conditional policy branching and chaining
• Centralize policy and audit

Page 16

Securing Customer Data APIs – Body of an API Call

[Diagram: the Request and the Response each pass through PingDataGovernance, which inspects the JSON body]

Page 17

Defense in Depth

• Services should also participate and enforce authorizations!
• Global compliance layered on local business policy
• Services can also call the PDP via REST API and get decisions
• The right team for the right task!

Page 18

Policy Creation via GUI

• Stakeholders collaborate with development teams
• Policy Sets – grouped and deployed to ensure compliance with specific regulations
• This is an example of the Open Banking compliance policy set
• Development team builds lower level widgets and adds them to the toolbox
• Business/compliance/security teams use these to build higher level security and compliance policies

Page 19

UI Demo

Page 20

UI Demo Policy

Page 21

Consent in action demo

Page 22

How PDG Helps

Use Case Example: Protected Health Information (PHI) – Enforce patient consent to share PHI with only trusted recipients

Policy Requirement:
  HIPAA: PHI Privacy Rule – need to enforce access controls to Protected Health Information.
  In a data store, track Y/N:
  – Is this PHI?
  – Did the patient give consent?
  – Is this a trusted recipient?

PingDataGovernance:
  1. Use the trust framework to connect to these three criteria as data attributes for policies
  2. Use policies to create rules that check all three of these criteria are yes before allowing PHI to be shared
  3. Deploy PDG across all customer data access points and channels

Benefits:
  – Enforces that PHI isn’t shared without consent
  – Enforces that PHI is only shared with trusted recipients
  – Automatically allows PHI to be shared with trusted recipients when the patient has given consent

Page 23

How PDG Helps

Use Case Example: Cross-border data transfers – Sensitive data can’t leave the EU region, unless the partner is qualified

Policy Requirement:
  One GDPR example: determine which GDPR use case you’re trying to enforce.
  In a data source, store qualified partners and not-qualified partners.
  Geolocate the partner’s requests for data.

PingDataGovernance:
  1. Use the trust framework to connect to the qualified/non-qualified partner attribute and geolocation as data attributes for policies
  2. Use policies to create rules that check these criteria
  3. Deploy PDG across all customer data access points and channels

Benefits:
  – Enforces fine-grained access controls on data
  – Sensitive data is filtered so that it’s not sent outside the allowed EU geolocation, UNLESS the partner is qualified
  – Sensitive data is permitted to partners inside the EU
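The two use-case slides above, together with the “Powerful Dynamic Policies”, “Consent is Critical” and “Defense in Depth” slides, all describe one mechanism: a policy decision point (PDP) that evaluates attributes of the request (caller, data subject, geolocation), captured consent and partner classifications, and then acts on the JSON response body. The Python below is an added illustration of that mechanism written for this page; it is not PingDataGovernance code and does not use its policy format or trust framework. The consent records, trusted-recipient and qualified-partner lists, EU country set, field classifications and the sample patient record are all constructed for the example, and the deny-overrides combining rule is an assumption the slides do not specify.

```python
"""Added example: a tiny attribute-based policy decision point (PDP) that
filters an API response body. Not PingDataGovernance code; all data below is
constructed for illustration and the policy format is an assumption."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# ---- Constructed sample data (assumed, not taken from the slides) ----
# Consent captured from each data subject: the purposes they agreed to.
CONSENTS: Dict[str, Set[str]] = {
    "patient-42": {"share_phi"},
    "patient-7": set(),                       # no consent on file
}
TRUSTED_PHI_RECIPIENTS = {"clinic-north"}     # HIPAA slide: trusted recipients
QUALIFIED_PARTNERS = {"partner-ch"}           # GDPR slide: qualified partners
KNOWN_CLIENTS = TRUSTED_PHI_RECIPIENTS | QUALIFIED_PARTNERS | {"partner-us"}
EU_COUNTRIES = {"DE", "FR", "IE", "NL", "ES", "IT"}

# Data inventory: field-level classification of the record the API returns.
PHI_FIELDS = {"diagnosis", "medications"}
SENSITIVE_FIELDS = PHI_FIELDS | {"email", "national_id"}

SAMPLE_RECORD = {                             # constructed response body
    "id": "patient-42", "name": "A. Example", "email": "a@example.invalid",
    "national_id": "X-000-000", "diagnosis": "J45", "medications": ["salbutamol"],
}


@dataclass
class Request:
    client_id: str   # caller as authenticated by the API gateway (OAuth client / partner id)
    subject: str     # data subject whose record is being read
    country: str     # geolocation of the caller (ISO 3166-1 alpha-2)
    path: str        # request URL path


@dataclass
class Decision:
    effect: str                                       # "permit" or "deny"
    redact: Set[str] = field(default_factory=set)     # fields to strip from the response
    reasons: List[str] = field(default_factory=list)  # audit trail for the decision


Policy = Callable[[Request], Decision]


def known_client_policy(req: Request) -> Decision:
    """Local business rule: unregistered callers get nothing at all."""
    if req.client_id in KNOWN_CLIENTS:
        return Decision("permit")
    return Decision("deny", reasons=["unknown client"])


def phi_consent_policy(req: Request) -> Decision:
    """HIPAA use case: PHI leaves only when consent AND trusted recipient are both yes."""
    consented = "share_phi" in CONSENTS.get(req.subject, set())
    trusted = req.client_id in TRUSTED_PHI_RECIPIENTS
    if consented and trusted:
        return Decision("permit", reasons=["phi: consent on file, trusted recipient"])
    return Decision("permit", redact=set(PHI_FIELDS),
                    reasons=[f"phi redacted: consent={consented} trusted={trusted}"])


def cross_border_policy(req: Request) -> Decision:
    """GDPR use case: sensitive data stays in the EU unless the partner is qualified."""
    if req.country in EU_COUNTRIES or req.client_id in QUALIFIED_PARTNERS:
        return Decision("permit", reasons=["geo: inside EU or qualified partner"])
    return Decision("permit", redact=set(SENSITIVE_FIELDS),
                    reasons=["geo: outside EU and partner not qualified"])


# A "policy set" in the slides' sense: the compliance rules deployed together.
COMPLIANCE_POLICY_SET: List[Policy] = [known_client_policy, phi_consent_policy, cross_border_policy]


def evaluate(req: Request, policies: List[Policy] = COMPLIANCE_POLICY_SET) -> Decision:
    """PDP: deny-overrides combining (assumed); permits union their redactions.
    This is what a service would get back from a PDP decision endpoint."""
    combined = Decision("permit")
    for policy in policies:
        d = policy(req)
        combined.reasons.extend(d.reasons)
        if d.effect == "deny":
            return Decision("deny", reasons=combined.reasons)
        combined.redact |= d.redact
    return combined


def enforce_on_response(body: Dict, decision: Decision) -> Dict:
    """PEP on the response leg: strip redacted fields from the JSON body before it leaves."""
    if decision.effect == "deny":
        return {}
    return {k: v for k, v in body.items() if k not in decision.redact}


def serve(req: Request, record: Dict = SAMPLE_RECORD) -> Dict:
    """Gateway flow: decide on the request, then apply the decision to the response."""
    return enforce_on_response(record, evaluate(req))


if __name__ == "__main__":
    for client, subject, country in [("clinic-north", "patient-42", "DE"),
                                     ("clinic-north", "patient-7", "DE"),
                                     ("partner-us", "patient-42", "US"),
                                     ("bogus", "patient-42", "DE")]:
        req = Request(client, subject, country, f"/customers/{subject}")
        print(f"{client:12} {subject:10} {country} -> {sorted(serve(req))}")
```

Running the file prints which fields of the constructed record survive for four callers: the trusted clinic reading a consenting patient gets everything, the same clinic reading a patient without consent loses the PHI fields but keeps the rest because it is inside the EU, a non-qualified partner outside the EU is left with only non-sensitive fields, and an unregistered caller is denied outright. A service that enforces locally, as the Defense in Depth slide suggests, would call `evaluate` (in practice the PDP’s REST decision endpoint) and apply `enforce_on_response` itself, so the global compliance rules hold even if the API in front of it is misconfigured.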

Page 24

Key Takeaways

• A company-wide Data Governance Policy is critical
  • Inventory
  • Retention
  • Security
  • Access Policies
• Transparency
  • Everyone must know what data is being collected
  • And how it is used
• Consent
  • Capture consent
  • Use consent to drive access policy
• Compliance
  • Make an affirmative statement about compliance!
  • And enforce it!

Instead of: [image]

Page 25

Questions?

Page 26

Backup