Controlling Privacy and the Use of Data Assets - Volume 1 - Who Owns the New Oil?

Read more

"Ulf Mattsson leverages his decades of experience as a CTO and security expert to show how companies can achieve data compliance without sacrificing operability."

• Jim Ambrosini, CISSP, CRISC, Cybersecurity Consultant and Virtual CISO

"Ulf Mattsson lays out not just the rationale for accountable data governance, he provides clear strategies and tactics that every business leader should know and put into practice. As individuals, citizens and employees, we should all take heart that following his sound thinking can provide us all with a better future."

• Richard Purcell, CEO Corporate Privacy Group and former Microsoft Chief Privacy Officer

Many security experts excel at working with traditional technologies but fall apart in utilizing newer data privacy techniques to balance compliance requirements and the business utility of data. This book will help readers grow out of a siloed mentality and into an enterprise risk management approach to regulatory compliance and technical roles, including technical data privacy and security issues.
The book uses practical lessons learned in applying real-life concepts and tools to help security leaders and their teams craft and implement strategies. These projects deal with a variety of use cases and data types. A common goal is to find the right balance between compliance, privacy requirements, and the business utility of data.
This book reviews how new and old privacy-preserving techniques can provide practical protection for data in transit, use, and rest. It positions techniques like pseudonymization, anonymization, tokenization, homomorphic encryption, dynamic masking, and more. Topics include

• Trends and Evolution



• Best Practices, Roadmap, and Vision



• Zero Trust Architecture



• Applications, Privacy by Design, and APIs



• Machine Learning and Analytics



• Secure Multiparty Computing



• Blockchain and Data Lineage



• Hybrid Cloud, CASB, and SASE



• HSM, TPM, and Trusted Execution Environments



• Internet of Things



• Quantum Computing



• And much more!

List of contents

Introduction, Acknowledgments. About the Author. SECTION I Introduction and Vision. Chapter 1 Privacy, Risks, and Threats. Chapter 2 Trends and Evolution. Chapter 3 Best Practices, Roadmap, and Vision. SECTION II Data Confidentiality and Integrity. Chapter 4 Computing on Encrypted Data. Chapter 5 Reversible Data Protection Techniques. Chapter 6 Non-Reversible Data Protection Techniques. SECTION III Users and Authorization. Chapter 7 Access Control. Chapter 8 Zero Trust Architecture. SECTION IV Applications. Chapter 9 Applications, APIs, and Privacy by Design. Chapter 10 Machine Learning and Analytics. Chapter 11 Secure Multiparty Computing. Chapter 12 Encryption and Tokenization of International Unicode Data. Chapter 13 Blockchain and Data Lineage. SECTION V Platforms. Chapter 14 Hybrid Cloud, CASB, and SASE. Chapter 15 HSM, TPM, and Trusted Execution Environments. Chapter 16 Internet of Things. Chapter 17 Quantum Computing. Chapter 18 Summary. Appendix A Standards and Regulations. Appendix B Governance, Guidance, and Frameworks. Appendix C Data Discovery and Search. Appendix D Digital Commerce, Gamification, and AI. Appendix E Innovation and Products. Appendix F Glossary. Index.

About the author

Ulf Mattsson is a recognized information security and data privacy expert with a strong track record of more than two decades implementing cost-effective data security and privacy controls for global Fortune 500 institutions, including Citigroup, Goldman Sachs, GE Capital, BNY Mellon, AIG, Visa USA, Mastercard Worldwide, American Express, The Coca Cola Company, Wal-Mart, BestBuy, KOHL’s, Microsoft, IBM, Informix, Sybase, Teradata, and RSA Security. He is currently the Chief Security Strategist and earlier the Chief Technology Officer at Protegrity, a data security company he co-founded after working 20 years at IBM in software development. Ulf is an inventor of more than 70 issued US patents in data privacy and security. Ulf is active in the information security industry as a contributor to the development of data privacy and security standards in the Payment Card Industry Data Security Standard (PCI DSS) and American National Standards Institute (ANSI) X9 for financial industry. He is on the advisory board of directors at PACE University, NY, in the area of cloud security and a frequent speaker at various international events and conferences, including the RSA Conference, and the author of more than 100 in-depth professional articles and papers on data privacy and security, including IBM Journals, IEEE Xplore, ISSA Journal and ISACA Journal. Ulf also holds a master’s in physics in Engineering from Chalmers University of Technology in Sweden and is Co-Author of Defending the database (Elsevier Ltd, 2007) and Real security for virtual machines (Elsevier Ltd, 2009)

Summary

This book uses practical lessons learned in applying real-life concepts and tools to help security leaders and their teams craft and implement strategies. These projects deal with a variety of use cases and data types.

Report

Praise for the Book

"Ulf Mattsson's book is a very comprehensive guidebook that sheds light on the often mystical intersection of Cyber security and privacy. This book is a must have, must read and must keep for Cyber security and privacy practitioners and also C-level executives that need to demonstrate both visible and vocal support for their organization's Cyber security and privacy executives."
- Taiye Lambo, Founder, Holistic Information Security Practitioner Institute (HISPI), eFortresses, CloudeAssurance and Pioneer vCISO
"Ulf Mattsson, whose security insights I have cherished for years, has written the book that C-levels need to read. Data's value to an enterprise is well known, but Ulf explores how it's also a danger. It's a danger to the business in the hands of a cyberthief, it's a danger to the business if it disappears (accidentally or maliciously), it's a danger to business operations if it can't be effectively managed, analyzed, stored and retrieved and it's absolutely a danger to an enterprise when it hurts customers, which is what new data privacy laws are all about. Is data friend or foe? Frustratingly, it's both. Read this book to know how to control data and stop it from controlling you."

- Evan Schuman, Computerworld columnist, cybersecurity writer for McKinsey and founding editor-in-chief of StorefrontBacktalk

"This book navigates the complex intersection of privacy and data security while addressing the challenges of emerging risks posed by Artificial Intelligence, Machine Learning, Quantum Computing. The illustrations are extremely powerful because they describe the technologies being reviewed and how they fit into the overall ecosystem. Practitioners will benefit from the insights and practical advice being offered."

- Renee Guttmann, former CISO at The Coca-Cola Company and VP Information Security and Privacy at Time Warner Inc.

"Rather than a simple walkthrough through how different privacy exploits work, Ulf Mattson goes into fine detail about the importance of privacy regulations, adhering to GDPR, and building a privacy risk management framework. Ulf discusses several instances that took place over the years in cybersecurity and provides a deep understanding of data security and the know-how to build a security framework amid the emerging trends. Another interesting aspect is how it stands out from general academic texts. The book provides practical general advice, strategy outlines, and serves more like a handbook to privacy and data security. I highly recommend the book for any security professional looking to add a privacy and data security guide to their reading list. "
- Apu Pavithran, CEO Hexnode
"Privacy has become an ever-evolving landscape of regulation and controls. Ulf Mattsson leverages his decades of experience as a CTO and security expert to show how companies can achieve data compliance without sacrificing operability. "

- Jim Ambrosini, CISSP, CRISC, Cybersecurity Consultant and Virtual CISO

"Privacy is not just a something that means help protect individuals and companies. It is the last line of defense for companies to protect customer and companies Crown Jewels. Where algorithms serve as insights and intelligence to growth and manage companies. Not to mention that regulation in this space is becoming ever more complicated. Ulf's book on privacy provides a commonsense approach to establish understand and proactively techniques this protect your organization data."

- Brian Albertson, Director of Programs at ISACA Atlanta Chapter / Technology Manager at State Farm

"In the last five years, the privacy conversation grew in volume and frequency. New standards and requirements certainly drove this conversation as did the increasing complexity of how applications are developed and deployed. Ulf captured the challenges privacy regulations create from the most basic challenges, to working with bleeding edge technologies such as Homomorphic Encryption and Quantum Computing. Any privacy professional should have this book as their reference during daily work."

- Branden Williams, Vice President Ping Identity and former VP/CTO, Security & Fraud Solutions at First Data Corporation

"Controlling Privacy and the Use of Data Assets" clearly demonstrates that commercial success is tied to protecting data responsibly through collaborative efforts among those heading up privacy, security, technical, business, A Table of Contents and Introduction and legal governance measures. Ulf Mattsson lays out not just the rationale for accountable data governance, he provides clear strategies and tactics that every business leader should know and put into practice. As individuals, citizens and employees, we should all take heart that following his sound thinking can provide us all with a better future."

- Richard Purcell, CEO Corporate Privacy Group & former Microsoft Chief Privacy Officer

"Privacy is an increasingly important topic, but many companies either do not understand the importance, or do not understand how to solve the problems. A focus on profits over customer data privacy is particularly problematic. However, both customers and regulatory agencies are increasingly demanding improvements to privacy protection, and this book describes both the issues themselves and the various methods that exist to address them - which is good for everyone."

- Todd Arnold, retired Senior Technical Staff Member and Master Inventor in cryptographic technology product development at IBM

"With the number of cyber startups going into DLP aka data protection, this book is great to understand what data protection is and where it fits in your cyber program. Got a question on how to secure a data? This book outlines every option you can have. Very pictorial book which is great for visual centric folks. you will not be able to put the book down. For all new CISO/CSO, this will help you to navigate the subject with legal, management, I.T. and the business. For season cyber leaders, this is a great refresher and eye opener to what other industries are doing."

- Alex Tan, Chief Security Officer at Paya & former I.T. Risk & Cybersecurity Audit Director at Global Payments Inc.

"It is important to capture concepts of privacy over time. Those issues of the past still are relevant, but we also have new challenges to address. We need to understand that when it comes to privacy, no concepts ever really go away, we just keep adding to them. Reading Ulf's Table of Contents, he is covering a wide swath of important privacy topics that are currently relevant and that must be addressed now, and far into the foreseeable future. It looks like a book that those who want to learn more about privacy, and to continue to build upon their knowledge and understanding, will want to read, as well as add to their privacy book collection."

- Rebecca Herold, CEO, The Privacy Professor consultancy / CEO, Privacy & Security Brainiacs SaaS Services

"Privacy, risk, compliance and security must be understood in context. Without a strong privacy program the company is exposed to billions of dollars of financial exposure, penalties and fines. Without privacy protection we run the risk of falling prey not just to cybercrime but fascism and other autocratic regimes. Ulf's book is timely and allows companies to understand privacy in context."
- Professor Ariel Evans, Chairperson of Cybersecurity Certification at Pace and CEO of Cyber Innovative Technologies
"Around 6 million years ago, water rushing off the Rockies formed the Colorado River, which eventually morphed into the Grand Canyon. The power of a few drops of water can subsequently create massive things. Privacy leaks are like those drops of water that created the Grand Canyon. They may not seem like much at first, but wait a while, and their effects can be devastating. Firms need to build privacy deep into their information technology and security DNA to avoid devastating data breaches. This is far from a trivial task. For those that are truly serious about dealing with privacy, Ulf's book provides the foundation for doing that. Privacy truly takes a village, and that village needs a detailed plan a program. Those who don't implement Ulf's details will have no one but themselves to blame when they become victims of a privacy breach."

- Ben Rothke CISSP, CISM, Senior Information Security Manager, Tapad, Inc.

"Data must be protected regardless of where it resides. Know where your High Value Information Assets Reside and now that includes not only trade secrets and operational Achille's heals, it includes people data - anonymized or deanonymized. Build awareness, alignment and consensus within the business by effectively marketing, communicating and answering the "Why must we do this?"

- Joseph Davis is Chief Security Advisor at Microsoft and former CISO

"I really love the approach for your book. The information is grouped together for easy reference, especially for CISOs and DPOs."

- Wei Tschang, Head of Information Security at Cadwallader, Wickersham & Taft LLP

"Data protection has become a matter of survival in recent years, as executives are caught between a rock (increasing regulations, such as GDPR) and a hard place (data breaches, ransomware, and their dire consequences). Ulf's book, with its depth and breadth, equips enterprises with an understanding of the methods and technologies they need to master in order to face those challenges."

- Claude Baudoin, c-chair of Data Governance W.G. and Cloud W.G. at Object Management Group (OMG) and the Industrial Internet Consortium (IIC)

"Ulf Mattsson, who I have been lucky enough to hear speak in person and be mentored by, more than delivers with this book, so aptly titled, Controlling Privacy and the Use of Data Assets! Whether you are grappling to understand the current technologies and emerging trends, are an expert in the field, or just entering the field you won't want to miss all he shares. With this book, he manages to untangle much confusion and uncertainty about the way forward for so many of us in the field. Take charge of your data privacy solution and have a defensible security program and read this book!"

- Kelly Yamaguchi, IT/SEC Professor, NVCC and Strayer University

"As the text notes, data is the new oil---but increasingly aware of the risks, users and customers are seeking out "privacy" as a desirable quality in their choices. This handbook provides a valuable guide for many classes of stakeholders to navigate these important issues."

- Sean Smith, Professor at Dartmouth College

"We can't have privacy without security, and the teams charged with designing, building and maintaining secure systems have to have a solid understanding of old and new technologies to be successful. With this book, Ulf Mattsson has written a must-read guidebook for serious ITsec teams, as well as for the management and boards who oversee them. If you want to learn something new about this subject, read this book."

- Bill Montgomery, CEO - VIBE Cybersecurity
"Privacy is the goal, security is the way. This is a must read for anyone in the industry. The book is structured in such a way as to make it immediately useful based on your needs. I'll be buying copies for my team!"

- Bil Harmer, Chief Evangelist & CISO at SecureAuth Corporation

"With the growing number of regulations around privacy and consumers' growing awareness of and demand for privacy, it's clear that privacy needs to be a priority for every organization. Controlling Privacy and the Use of Data Assets by Ulf Mattsson provides a holistic perspective on data protection and the technology that can support privacy. This book is a must-read for anyone responsible for privacy or curious about privacy-preserving applications and platforms."

- Safia Kazi, Privacy Professional Practices Associate at ISACA

"The outline looks interesting, and I particularly like the mapping of readers to content. That is unique and valuable. The topics are timely. We have seen security, privacy and confidentiality grow into perhaps the most challenging part of contracting with a buyer to license our platform. Security audits and legal wrangling about the DPA addendum to a technology license has slowed deal progression by months. Most buyers and nearly all lawyers do not understand any of these topics, and in the ignorance lies fear, so the go in circles negotiating and writing legal terms to allocate liability that they don't understand. We need to educate the masses, and we need to get to a point where the rules are understood by all. I hope your book can help."

- Gordon Rapkin, Chief Executive Officer, Zift Solutions

"As a security professional on the business side, I find my clients are invariably challenged to manage the myriad of requirements and functions around data privacy due to its complexity and broad scope. Ulf's book is a terrific resource for organizations trying to move forward with this fundamental privacy challenge."

- Sean McCloskey, CISSP -Cyber Security Sales Executive
"In data we trust, but can the data subjects, trust you, to protect their data? It is becoming more and more clear to people that their information is valuable, information on who they are, what they do, who they know, their believes, what they purchase, and other relevant information is assets - their assets, worth to protect. We as companies get to loan this information - and by that our customers and partners put trust in how we protect is. Can and should they?"
- Jonas Halldin, Partner, Nordic Cyber Security Market Leader at EY, CISSP, CISA, CISM, CRISC, CDPSE
"The book looks very comprehensive and presents current real-world issues and technological mitigation strategies. Your inclusions of the risks to both owners and custodians provide a strong case for why people should care"

- Chuck Viator, former Responsible for U.S. Government relations at Protegrity

"Thanks to Ulf Mattson for his work with 'Controlling Privacy and the Use of Data Assets.' Privacy! This one single word is such an important concept and has been under steady attack since 9-11. People think we must compromise privacy in order to have security. Nonsense! Our privacy has never been more important than it is today, with an all-out assault on it from corporations, nation states, law enforcement, politicians, and criminals. Our own democracy needs privacy in order to allow journalists and activists to do their jobs to help protect our government and speak the truth. I have heard many boast, "I have nothing to be ashamed of..." or "...afraid of becoming public." Tell that to those who have been victims of abuse, sexual assault, or political rivals. Only with strong encryption, with no back doors for law enforcement, can our privacy be protected."

- Richard Greenberg, President of ISSA Los Angeles and CEO of Security Advisors LLC
"Controlling Privacy and the Use of Data Assets" will prove to be a valuable contribution to our security and privacy industry. Ulf's comprehensive and insightful expertise covers the spectrum of today's ever increasing and important challenges."
- Tamara Thompson, Vice President Emerita, ISSA San Francisco, CA
"Companies are under increasing pressure from regulators, customers and business partners to demonstrate the basis for why they should be trusted with the personal information that is essential for their business operations. "Controlling Privacy and the Use of Data Assets" provides both the technical fundamentals and global business context companies need to navigate this complex topic and earn this trust. On the basis of my experience assisting a wide variety of companies across the globe develop effective risk management strategies, this book will be helpful to a broad audience."
- Thomas Parenty, Former NSA analyst and author of the Harvard Business Review Press books "A Leader's Guide to Cybersecurity" and "Digital Defense."

"The foundation of any security program is knowing what sensitive data you have, and building layers of defense around it to keep it secure and private. Ulf's book is a great treatise to the important topic privacy in the modern age. I highly recommend it."
- Aleksandr Yampolskiy, CEO SecurityScorecard
"Ulf Mattsson has written a timely cyber-awareness treatise of prophetic importance. To wit, organizations must mature their "discrete data" security, privacy and trust framework today if there is to be any hope of protection against pattern- and AI-based "behavioral data" and "propensity data" attacks on customers and users tomorrow.
Filled with practical advice, "Controlling Privacy and the Use of Data Assets" introduces the idea of Trust as the common ground between competing (and often myopic) interests of business, regulatory and technical stakeholders. Ulf's approach to crafting such a security, privacy and trust framework is both holistic and balanced. A must-read for business leaders, practitioners, and regulatory agencies alike, offering a powerful look at what's truly possible."

- Jeannine A. Bartlett, CEO & Chief Digital Strategist, Perfa, Inc.

 
 

Foreword:
"Perhaps one of the most intriguing issues of our time, data privacy has assumed an ever present and ever pressing role in our society. Individuals, corporations, and governments all have an interest in using and protecting data. It can be difficult to get a sense of the various factors that make up the data privacy ecosystem considering the variety of legal, technological, and economic issues at play. As we try to educate ourselves and others on these topics, the staggering breadth and depth of information we must consider quickly becomes apparent.
In the past few years, we have seen a global rise, not only in the implementation of data privacy laws, but in consumer interest in how their data is stored, managed, and sold. We have seen how data, once thought superfluous, has very real value with the growth of predictive modeling and analytics. We have seen burgeoning technology and sophisticated software disrupt this space time and time again, yet many of the core tenets of data privacy (outlined in this book) have not changed.
The costs of neglecting these principles are real. Year over year we have seen data privacy breaches cripple organizations large and small, and these incidents have affected billions of people. Mistakes in security are costly, and for professionals the margin of error can feel unbearably slim. To stay ahead, security experts continuously must harden their environments to all known angles of attacks, GRC teams must consider all laws applicable to their organization, and individuals must educate themselves on the risks of being online.
Those who don't see the urgency in protecting their data are either not paying attention or have not yet had their eyes opened. To demonstrate this to my students each semester, I have my class pair up and spend 15 minutes searching for their partner on the internet. Armed with only a first and last name, these college students are able to find shockingly sensitive data points on their classmates. Their current phone numbers, their current addresses, their parent's addresses, where they went to high school, their pet's names, their birthdays, their sports statistics, and many more equally comedic and unsettling facts. After the laughter and commotion settles, I try to impart on them the implication of this exercise. If this is what a couple of amateurs can scrounge up in a handful of minutes, what could someone with skill find or do over time?
While this may seem like a somber and disheartening conclusion, we know that educating ourselves is the key to understanding and mitigating the risks of having our data online. In this work, Ulf serves not only as author, but also as cartographer, laying out a comprehensive map of the current data privacy landscape for us to survey. With various routes to follow, Ulf distills the nuanced intersections of these concepts, highlights the most important lessons learned in his decades of experience in the industry, and wastes no time getting you to your destination. Regardless of where you are starting, this work will inform and prepare you not only for the risks that are on the horizon, but for the risks that are here today."

- Stephen Fitzgerald, Instructor in-Residence at University of Connecticut.