Jon-Michael C. Brook, CISSP, CCSK

Yesterday's legislated "private" data comes from a handful of common sources. The price on the black market isn't nearly what you'd think. The real treasure are today's privacy "diamonds in the rough". With further cloud adoption and new technologies, the advancement/proliferation of these diamonds will continue. Knowing who wants the information, how they may be combated and what advancements will be necessary to continue privacy protections will be key in the future.

"The Treacherous 12 – Cloud Computing Top Threats in 2016” plays a crucial role in the CSA research ecosystem. The report provides organizations with up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in CSA community about the most significant security issues in the cloud.

Explore enterprise architectures of yesterday and today to help avoid common mistakes

If analyzing a move to a public cloud service provider has you scared, hold onto your pants. In this presentation, we’ll review brokerage tricks and traps uncovered working with customers in the most regulated environments, including examples from government, healthcare and finance.

Box.net, DropBox, iCloud, SkyDrive, Amazon Cloud Drive... the list goes on for convenient cloud storage options. Some have had a security incident; the rest will. All implement some form of protection against accidental exposure with varying degrees of protection. Are these sufficient and, in the ones claiming cryptographic isolation, truly implemented in a manner enough for more than sharing pictures of the kids with Aunt Betty? We’ll examine the technologies, architectures, risks and… Show more

Box.net, DropBox, iCloud, SkyDrive, Amazon Cloud Drive... the list goes on for convenient cloud storage options. Some have had a security incident; the rest will. All implement some form of protection against accidental exposure with varying degrees of protection. Are these sufficient and, in the ones claiming cryptographic isolation, truly implemented in a manner enough for more than sharing pictures of the kids with Aunt Betty? We’ll examine the technologies, architectures, risks and mitigations associated with cloud storage and the cryptographic techniques employed. Show less

Let's be honest: how many of you have tried logging in to one of your former employer’s accounts? Maybe you had a CRM solution and you wanted to get the name of that guy who suggested he had the next hot idea. You didn't set your out-of-office message with your new/personal contact information in the hosted email service. The travel site for the previous company was just plain better than anything else you can access. As security professionals, we know the risks: the lag time for deprovisioning… Show more

Let's be honest: how many of you have tried logging in to one of your former employer’s accounts? Maybe you had a CRM solution and you wanted to get the name of that guy who suggested he had the next hot idea. You didn't set your out-of-office message with your new/personal contact information in the hosted email service. The travel site for the previous company was just plain better than anything else you can access. As security professionals, we know the risks: the lag time for deprovisioning varies, but best practices suggest when an employee walks out the door, all of his administrative access shuts down as it closes. That has been harder to do in the cloud. Even with SAML tokens and a smathering of open standards for authentication, inconsistent support by SaaS providers and spotty enterprise directory integration leave opportunities for exploitation that simply don't exist in the on-premise IT world. Show less

Cloud computing represents a significant market opportunity for communications service providers (CSPs). CSPs are in an excellent position to add cloud services to existing enterprise connectivity and hosting portfolios, and many have advanced plans for doing so.

CSPs that can provide cloud services with the highest levels of trust and availability at the lowest cost will profit most from the cloud. Such CSPs will persuade a critical mass of enterprises to migrate to the cloud and… Show more

Cloud computing represents a significant market opportunity for communications service providers (CSPs). CSPs are in an excellent position to add cloud services to existing enterprise connectivity and hosting portfolios, and many have advanced plans for doing so.

CSPs that can provide cloud services with the highest levels of trust and availability at the lowest cost will profit most from the cloud. Such CSPs will persuade a critical mass of enterprises to migrate to the cloud and benefit from the increased revenues this will bring.
Show less

Personally Identifiable Information (PII) collection occurs daily, when a doctor’s office asks for a social security number, or a bank confirms your name and date of birth prior to accepting a check deposit. Laws govern day-to-day PII collection within the banking (FACT Act ), medical (HIPPA ), and telephone (TCPA ) industries. Within the law enforcement and intelligence arenas, similar laws apply. The 1968 Wiretap Act and FISA require warrants prior to surveillance.
During the… Show more

Personally Identifiable Information (PII) collection occurs daily, when a doctor’s office asks for a social security number, or a bank confirms your name and date of birth prior to accepting a check deposit. Laws govern day-to-day PII collection within the banking (FACT Act ), medical (HIPPA ), and telephone (TCPA ) industries. Within the law enforcement and intelligence arenas, similar laws apply. The 1968 Wiretap Act and FISA require warrants prior to surveillance.
During the course of a legal investigation, PII collection opens a host of liability issues and questions regarding probable cause and stirs enormous controversy within the privacy arena, especially with regards to PII storage and sharing. The problems with sensitive disclosures are well reported with 1 out of 4 US citizens experiencing a PII disclosure , and numerous agencies, the VA and NSA notwithstanding, receive black eyes for misappropriate data handling. Ignoring the storage problems, once collected, how can evidence be shared between departments or agencies without violating someone’s civil liberties? May data mining be done in those circumstances, where a possible match is not even known to exist?
Anonymization is one step in mitigating disclosure risks within an organization. Generically, anonymization replaces sensitive identifying data elements with a non-sensitive identifier. The sensitive data, such as a social security number, may thereby be separated from the non-sensitive data. How the split occurs controls what other actions may be performed later and what residual risks remain. Show less

Think of four facts that can separate you from the rest of the general populous: name, address, date of birth, or Social Security Number perhaps. They are all likely what's currently referred to as Personally Identifiable Information (PII). In the data privacy realm, PII disclosure is the CSI trace evidence that corporations are increasingly finding themselves as silhouettes within blood splatter patterns on the wall. These PII disclosures may be avoided through the use of anonymization, or… Show more

Think of four facts that can separate you from the rest of the general populous: name, address, date of birth, or Social Security Number perhaps. They are all likely what's currently referred to as Personally Identifiable Information (PII). In the data privacy realm, PII disclosure is the CSI trace evidence that corporations are increasingly finding themselves as silhouettes within blood splatter patterns on the wall. These PII disclosures may be avoided through the use of anonymization, or more importantly, pseudonymization. This talk will focus on the history, methodology, benefits, risks and mitigations, and current players, as well as provide a demonstration of the technology. Show less

An information sharing problem exists, sometimes referred to as an electronic tearline. In essence, it is a computer version of a perforated document, where information inappropriate for a user is simply torn off. Executive Order 13356 describes a system:
“(b) requiring records and reports related to terrorism information to be produced with multiple versions at an unclassified level and at varying levels of classification, for multiple versions at an unclassified level and at varying… Show more

An information sharing problem exists, sometimes referred to as an electronic tearline. In essence, it is a computer version of a perforated document, where information inappropriate for a user is simply torn off. Executive Order 13356 describes a system:
“(b) requiring records and reports related to terrorism information to be produced with multiple versions at an unclassified level and at varying levels of classification, for multiple versions at an unclassified level and at varying levels of classification, for example on an electronic tearline basis, allowing varying degrees of access by other agencies and personnel commensurate with their particular security clearance levels and special access approvals;”
Currently, no solution can send a single document which effectively presents information appropriate to a recipient’s classification level and need-to-know. Congressional legislation, IT plans and industry effort descriptions similar to Executive Order 13356 specifically name eXtensible Markup Language (XML) data tagging as a possible solution.
Existing Technology Solutions
Current tearline solutions miss for various reasons, including complexity, excessive risk of compromise, or exorbitant resource/monetary costs. Rights management solutions adopted products like XrML (XrightsML) from Content Guard & Entertrust, but have not been applied to tearline like problems for similar reasons.
Show less