Other Data Protection Techniques

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
>> We've talked about some of
00:00
the main concerns with protecting data,
00:00
we've talked about the need for encryption of data,
00:00
we've talked about access control at a high level,
00:00
talked about data loss prevention systems
00:00
and protecting exfiltration of data.
00:00
There are a few other ideas that I want to mention,
00:00
and these are used in more specific circumstances.
00:00
In this next section,
00:00
we're going to talk about ideas of obfuscation.
00:00
We'll talk about masking, anonymization,
00:00
and tokenization as providing
00:00
ways of protecting our data.
00:00
Now, the first term, which is obfuscation.
00:00
Obfuscation means that we're
00:00
hiding sensitive information,
00:00
some way that we're disguising what the information is.
00:00
Encryption is one of the main means of obfuscation,
00:00
but also we can use what we refer to as masking.
00:00
Now, for instance, when I type out my password,
00:00
instead of using the letters I'm typing,
00:00
those are masked out with special characters.
00:00
Instead of seeing that my password is sunshine,
00:00
all you see are asterisks.
00:00
That's masking.
00:00
A lot of times you'll see all but
00:00
the last four digits of a credit card
00:00
or Social Security number masked out.
00:00
That's certainly a way to protect information.
00:00
As a matter of fact, that's protecting it from,
00:00
for instance, the customer service rep,
00:00
when you call in and they say,
00:00
''Can you verify the last four digits
00:00
of your Social Security number?''
00:00
When they're looking at the screen,
00:00
everything else is masked out so that
00:00
that customer service rep doesn't have
00:00
more access to your
00:00
personal information than they should.
00:00
Masking is very helpful.
00:00
Another idea is data anonymization.
00:00
Sometimes this is associated with scoping,
00:00
particularly with PCI, DSS,
00:00
and payment card regulations.
00:00
The idea is you only store what you need.
00:00
If you can discard it,
00:00
then you don't have to protect it.
00:00
If you don't store it, you don't have to protect it.
00:00
Let me give you an idea.
00:00
Let's say that I work for
00:00
a health insurance company and I'm
00:00
trying to figure out
00:00
what premiums should be in a certain zip code.
00:00
To decide how much I'm going to charge my customers,
00:00
what I'm going to do is I'm going to look at
00:00
how many people smoke in a certain zip code.
00:00
One of the ways I find this out is I go and purchase
00:00
these lists that grocery stores
00:00
keep of who purchases what.
00:00
When you sign up for those frequent shopper lists,
00:00
they're basically tracking what you purchase.
00:00
When I purchase that list,
00:00
I'm going to find out that John Smith
00:00
buys four cartons of cigarettes a month.
00:00
But along with that information,
00:00
I'm going to find that John Smith
00:00
>> has this phone number,
00:00
>> has this address, along with
00:00
all the other individuals
00:00
whose grocery list information I buy.
00:00
The thing is, for my needs,
00:00
I don't care that John Smith made
00:00
this purchase or what his
00:00
address or what his phone number is.
00:00
I'm just looking for a count of the number of
00:00
cartons of cigarettes smoked in
00:00
a certain zip code. That's all I need.
00:00
The idea is even though I may purchase a list
00:00
with all this personal information,
00:00
I'm going to anonymize or strip away
00:00
what's actually being stored
00:00
>> because it's not necessary.
00:00
>> If I have personally identifiable,
00:00
or financial, or healthcare information,
00:00
if I can strip away the sensitive piece and
00:00
still retrieve what I need to perform my functions,
00:00
then we refer to that as anonymization.
00:00
What I'm doing is taking
00:00
personally identifiable information in
00:00
the example I used and making it not identifiable.
00:00
Anonymization is very helpful for
00:00
an organization in limiting what has to be protected.
00:00
Like I said, with the payment card industry,
00:00
that can be referred to as scoping.
00:00
Another technique is the use of tokens.
00:00
For instance, let's say that I set
00:00
up an electronic wallet on my phone.
00:00
I type in my credit card information, expiration date,
00:00
CVV, code, all that stuff,
00:00
and I get that verified for my credit card company.
00:00
Now I have that credit card in my digital wallet.
00:00
But the thing is, is if really
00:00
my account number in all of
00:00
that information were being stored on my phone,
00:00
that would be very vulnerable information;
00:00
that's very desirable to an attacker.
00:00
But instead, what happens is when
00:00
I enroll my card in the digital wallet,
00:00
what I'm actually being issued is a token.
00:00
Now, the token can be publicly exchanged.
00:00
When I go to the grocery store and make a payment and
00:00
I use my phone to pay for my grocery bill,
00:00
it's actually the token that's
00:00
being transmitted to the vendor.
00:00
The vendor then force that
00:00
token to the credit card company and
00:00
essentially gets authorization for
00:00
certain amount that'll be paid.
00:00
But my account number isn't being transmitted.
00:00
The vendor doesn't get my count number.
00:00
It's all done through a token that's worthless if it's
00:00
not part of this particular designated transaction.
00:00
With the token, you have something
00:00
that's publicly exchangeable that
00:00
actually winds up pointing to
00:00
the back end of sensitive information that's
00:00
protected behind the credit card companies
00:00
firewall and well provided resources.
00:00
Tokenization can be very helpful
00:00
also in protecting our sensitive information.
00:00
This last piece was
00:00
just some additional strategies
00:00
in relation to protection of data,
00:00
primarily focusing on obfuscation through masking,
00:00
tokenization, and we talked about
00:00
anonymization and scoping of data also.
Up Next