API’s, Data and You
Wesley Dunnington, Field CTO
Copyright ©2019 Ping Identity Corporation. All rights reserved.
WHO AM I?
Name: Wesley Dunnington
Location: Boston
Email: [email protected]
Wesley has been in the identity and security space for over 25 years. Wesley Dunnington is currently Field CTO for Ping Identity. In this role he helps customers understand both the business value and implications of new technologies, and helps Ping maintain its thought leadership position via blogs, whitepapers, conference presentations, and standards body work. As director of engineering with CA Technologies SiteMinder he led the teams building CA’s federation, web service, and secure proxy products. Transitioning into an architectural VP position, Wesley became chief architect for CA’s Secure Cloud IDaaS offering. More recently Wesley was lead platform architect for Sophos Central, an AWS-based SaaS platform for Sophos’ cloud cybersecurity offerings that protect 100 million people and 100,000 businesses in 150 countries. Wesley is on the OpenID Foundation board of directors, is actively participating in the FastFed working group, and was a member of Kantara’s Interoperability Review Board.
It’s all about the Data!
• 2.5 Quintillion bytes of data created each day
• 90 percent of the data in the world was generated in the last 2 years!
• DevOps
  • CI/CD systems (Jenkins, etc.)
  • Configuration as code
• AI/ML
  • Training is only as good as the training set data
• UEBA/Adaptive Authentication
  • Gather inputs from a variety of data sources to learn what is “normal”
  • More sensors = more precision
• IoT/IIoT
  • Dynamic system updates
  • Proactive issue determination
A Minute on Access Control
• Q: What are we good at?
• A: Protecting web pages
  • PingAccess, SiteMinder, etc. protect the most critical resources, and have not been broken yet – Trust me, many have tried
• Q: What are we ok at?
• A: Protecting APIs
  • North-South – OAuth, OpenID Connect
  • East-West – pretty new (Istio) or ad-hoc (API Keys in S3 buckets, etc.)
  • Timely breach detection still a big issue
  • Good audit trails an issue
[Charts: API Average Time to Breach; API Average Time to Detect First Breach]
• Q: What are we terrible at?
• A: Protecting data!
  • How many data breaches do you want me to name?...
• Q: Why are we so bad?
• A1: Because it’s hard!
• A2: Because the consequences were pretty minimal
  • Customers keep going back to sites that exposed their data
  • Until recently the total cost of breaches was not well understood
• Q: What’s changed?
• A: Lots!
  • Regulations
  • Recognition of full cost of breaches
  • Changing customer expectations
[Chart: Data Breaches Per Year, 2014 to 2018 (y-axis 0 to 8000)]
[Chart: Records Exposed Per Year, In Millions, 2014 to 2018 (y-axis 0 to 10000)]
Current/Upcoming Privacy Regulations
▪ GDPR
▪ HIPAA
▪ CCPA (California Consumer Privacy Act)
▪ UK Data Protection Act 2018
▪ Vermont Data Privacy Law
▪ NJ S2834
▪ US Data Care Act
▪ PIPEDA
▪ Australian Consumer Data Right/CDS
▪ Ecuador Protection of Personal Information
▪ South Carolina Insurance Data Security Act
▪ …
▪ We are asking development teams to become compliance experts
Cost of Breaches – from 2019 IBM Report
• Avg Cost of Breach - $3.92 million
• Avg Cost of Breach in US - $8.19m
• Cost per lost record - $150
• Mega Breach (>1m records) - $42m
  • Up 8% over 2018
• Mega Mega Breach (>50m records)
  • Up 11% over 2018
• Some notable fines:
  • Equifax $575m, British Airways $230m, Uber $148m
[Chart: Cost of Breach breakdown: Lost Business $1.42m; Detection and Escalation $1.22m; Post Breach Response and Fines $1.07m; Notification $0.21m]
Data Breaches = Loss of Customer Trust
• 33% report being victim of a data breach
• Consumers blame companies above everyone else – even the hackers!
• 58% would consider divesting
• 75% now limit amount of personal information they share
• 72% concerned about identity theft
• 42% GenZ concerned about blackmail
Why is Protecting Data Hard?
• Because we still think of the data as a side effect of an application
• …or safely stored for eternity in a database
• What about the breakup of applications into Microservices?
• Starting to get more single-responsibility
• But until recently mostly worried about just securing north-south and east-west traffic
• Compliance and audit still hard
APIs and Protecting Data
• Q: What do most APIs do?
• A:
  • Ingest Data
  • Export Data
  • Transform Data
• Think about the data as much as the functionality
  • Well defined API contracts
  • End to end Data flow diagram
• Moving to a Data Governance Mindset…
Adopting a Data Governance Mindset
▪ Data Inventory
  – What data does each API collect or use?
  – Where is the data stored?
  – Is the data subject to any privacy initiative?
▪ Data Security and retention policy
  – Is the data encrypted at rest?
  – Is there a defined retention period for the data?
  – Can all sensitive data be removed upon request?
▪ Privacy and compliance
  – Are there documented policies which define who can read/write the data?
  – Can these policies be enforced in a consistent manner across all applications and data sources?
  – Is user consent driving data collection and sharing?
Consent is Critical!
▪ GDPR – Article 4(11)
  – “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, ..
▪ Open Banking Customer Experience Guidelines
  – The AISP must provide the PSU sufficient information to enable the PSU to make an informed decision, …
▪ CCPA
  – Consumers have the right to opt out from the selling of their personal information.
▪ Blanket consent is rarely acceptable these days
▪ Capture subjects’ consent
▪ Use this consent to drive policy!
What is the Solution? – Look at the Data!
• Move from application by application data policies to centrally managed policies
• Provide control plane at the API layer
• Visibility and control for security pros and business analysts
• Privacy, consent, compliance even if API is in error
PingDataGovernance – A control plane for data
Powerful Dynamic Policies
• Build policies based on:
  • Request URL
  • Request body
  • Request headers
  • User directory records
  • External data via REST APIs
• Policies managed by admins, security pros, business analysts
• Policies can act on request or response
• Conditional policy branching and chaining
• Centralize Policy and Audit
[Diagram: Securing Customer Data APIs; PingDataGovernance on the Request and Response path; JSON Body of an API Call]
Defense in Depth
• Services should also participate and enforce authorizations!
• Global compliance layered on local business policy
• Services can also call the PDP via REST API and get decisions
• The right team for the right task!
Policy Creation via GUI
• Stakeholders collaborate with development teams
• Policy Sets are grouped and deployed to ensure compliance with specific regulations
• This is an example of the Open Banking compliance policy set
• Development team builds lower-level widgets and adds them to the toolbox
• Business/compliance/security teams use these to build higher-level security and compliance policies
UI Demo
UI Demo Policy
Consent in action demo
Use Case Example: Protected Health Information (PHI)
Enforce patient consent to share PHI with only trusted recipients
Policy Requirement
– HIPAA: PHI Privacy Rule
– Need to enforce access controls to Protected Health Information
– In a data store, track Y/N:
  – Is this PHI?
  – Did patient give consent?
  – Is this a trusted recipient?
How PDG Helps
1. Use trust framework to connect to these three criteria as data attributes for policies
2. Use policies to create rules that check all three of these criteria are yes before allowing PHI to be shared
3. Deploy PDG across all customer data access points and channels
PingDataGovernance Benefits
– Enforces that PHI isn’t shared without consent
– Enforces that PHI is only shared with trusted recipients
– Automatically allows PHI to be shared with trusted recipients when patient has given consent
Use Case Example: Cross-border data transfers
Sensitive data can’t leave EU region, unless the partner is qualified
Policy Requirement
– One GDPR example: determine which GDPR use case you’re trying to enforce
– In a data source, store qualified partners and not-qualified partners
– Geolocate partner’s requests for data
How PDG Helps
1. Use trust framework to connect to qualified/non-qualified partner attribute and geolocation as data attributes for policies
2. Use policies to create rules that check these criteria
3. Deploy PDG across all customer data access points and channels
PingDataGovernance Benefits
– Enforces fine-grained access controls on data
– Sensitive data is filtered so that it’s not sent outside the allowed EU geolocation, UNLESS the partner is qualified
– Sensitive data is permitted to partners inside the EU
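As an added example (not PingDataGovernance’s own code; every id, field name and country set below is constructed), a small Python policy decision point that implements both use cases on these slides: the HIPAA three-criteria rule evaluated on the request, and the GDPR cross-border rule applied as a filter on the JSON response body, each returning the failed criteria or removed fields so an audit trail can record them.

```python
from dataclasses import dataclass

# Constructed trust-framework attributes. A real PDP would resolve these at
# decision time from user directory records or external REST APIs.
PATIENT_CONSENT = {"p-100": True, "p-200": False}  # constructed patient ids
TRUSTED_RECIPIENTS = {"clinic-a"}                   # constructed client ids
QUALIFIED_PARTNERS = {"partner-q"}                  # constructed partner ids
EU_COUNTRIES = {"DE", "FR", "IE", "NL"}             # the allowed geolocation
SENSITIVE_FIELDS = {"iban", "national_id"}          # fields the GDPR rule filters

@dataclass
class Decision:
    permit: bool
    failed: list  # criteria that were not "yes"; this is what the audit trail records

def hipaa_phi_decision(is_phi, patient_id, client_id):
    """Request-side HIPAA rule: PHI is shared only when all three criteria are
    yes (it is PHI, the patient consented, the recipient is trusted)."""
    if not is_phi:
        return Decision(True, [])  # the rule does not apply to non-PHI data
    criteria = {
        "patient_consent": PATIENT_CONSENT.get(patient_id, False),
        "trusted_recipient": client_id in TRUSTED_RECIPIENTS,
    }
    failed = sorted(name for name, ok in criteria.items() if not ok)
    return Decision(not failed, failed)

def gdpr_filter_response(body, partner_id, country):
    """Response-side GDPR rule: strip sensitive fields at any nesting depth unless
    the request is inside the EU or the partner is qualified; returns (body, removed)."""
    if country in EU_COUNTRIES or partner_id in QUALIFIED_PARTNERS:
        return body, []
    removed = set()
    def strip(value):
        if isinstance(value, dict):
            out = {}
            for key, inner in value.items():
                if key in SENSITIVE_FIELDS:
                    removed.add(key)
                else:
                    out[key] = strip(inner)
            return out
        if isinstance(value, list):
            return [strip(item) for item in value]
        return value
    return strip(body), sorted(removed)

if __name__ == "__main__":  # constructed sample calls
    print(hipaa_phi_decision(True, "p-200", "clinic-a"))  # consent missing: deny
    print(gdpr_filter_response({"iban": "DE00-x", "plan": "gold"}, "partner-x", "US"))
```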
Key Takeaways
• Company-wide Data Governance Policy Critical
  • Inventory
  • Retention
  • Security
  • Access Policies
• Transparency
  • Everyone must know what data is being collected
  • And how it is used
• Consent
  • Capture Consent
  • Use consent to drive access policy
• Compliance
  • Make affirmative statement about compliance!
  • And enforce it!
Questions?