
APIsecure 2023 - What if privacy had an API?, Sean Falconer (Skyflow)

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

What if privacy had an API?
Sean Falconer, Head of Marketing at Skyflow

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023

Transcript

  1. What if privacy had an API?

    Sean Falconer, Head of Developer Relations
    © 2021 Skyflow Confidential
  2. Not All Data Is Created Equal

    Field            Plain Text             Masking/Redaction   Tokenization
    Favorite Color   Blue                   Blue
    Name             Catherine Garcia       C***ne G***ia
    DOB              1970-01-01             *REDACTED*
    SSN              111-11-1111            XXX-XX-1111
    Email Address    [email protected]      C***@gmail.com
    Credit Card #    4111 1111 1111 1111                        sdbo32svd87b
  3. A System With Problems

    (diagram) Application Frontend -> API Gateway / Load Balancer -> Backend -> Database -> ETL -> Data Warehouse -> Analytics & Machine Learning
  4. A System With Problems

    (same diagram) A phone number, 555-1212, enters through the Application Frontend.
  5. A System With Problems

    (same diagram) 555-1212 is copied into three sets of Logs along the pipeline and surfaces in Dashboards and Reports, which are logged again.
  6. A System With Problems

    (same diagram) The copies of 555-1212 are now labelled Sensitive Data Logs: every system that touched the value has retained it.
  7. What is a Data Privacy Vault?

    A Data Privacy Vault isolates, secures, stores, and tightly controls access to manage and use sensitive data.
  8. What is a Data Privacy Vault?

    (same definition) Lives in a segregated network with privileged access.
  9. What is a Data Privacy Vault?

    (same definition) Encryption, tokenization, data masking, and other privacy-preserving technologies are built in.
  10. What is a Data Privacy Vault?

    (same definition) High availability, throughput, and support for structured & unstructured data.
  11. What is a Data Privacy Vault?

    (same definition) Native data governance, ABAC/RBAC/PBAC; zero-trust architecture.
  12. What is a Data Privacy Vault?

    (same definition) Privacy-preserving analytics, database-like access, workflows and secure cloud functions on sensitive data.
  13. A System With Problems

    (diagram repeated from slide 6: Application Frontend -> API Gateway / Load Balancer -> Backend -> Database -> ETL -> Data Warehouse -> Analytics & Machine Learning, with 555-1212 in the Sensitive Data Logs, Dashboards and Reports)
  14. Introducing the Vault

    (diagram) The same pipeline, with a Data Privacy Vault alongside it. The frontend's 555-1212 goes into the vault and is replaced by the token ABC123 everywhere else.

    Vault table:
      ID    Name           Phone Number
      1001  John Doe       333-1414
      1002  Jane Anderson  444-1313
      1003  Pat Smith      555-1212

    curl -i -X POST "$VAULT_URL/v1/vaults/$VAULT_ID/persons" \
      -H "Authorization: Bearer $BEARER_TOKEN" \
      -d '{
        "tokenization": true,
        "records": [
          { "fields": { "name": "Pat Smith", "phone_number": "555-1212" } }
        ]
      }'
  15. Introducing the Vault

    (same diagram) Only the token ABC123 travels through the Backend, Database and the rest of the pipeline; 555-1212 stays in the vault.
  16. Introducing the Vault

    (same diagram) The Logs, Dashboards and Reports now carry ABC123, not the phone number.
  17. Introducing the Vault

    (same diagram) Everything downstream of the vault is labelled De-risked Surface Area.
  18. Creating an API for Privacy

    Capabilities: Tokenization, Masking, Polymorphic Encryption; Secure Data; De-identify Data; Execute Custom Code; Transform and Process Data; Secure Workflows
    Infrastructure: Multi-cloud | Private Network | Isolated | Global Distribution
    Components: APIs and SDKs, Authentication Service, Governance, Audit Service, Secrets Management/KMS, Third Party Services
  19. (same diagram as slide 18, without the title)
  20. How Can We Limit Access?

    curl -i -X POST "$VAULT_URL/v1/vaults/$VAULT_ID/detokenize" \
      -H "Authorization: Bearer $BEARER_TOKEN" \
      -d '{
        "detokenizationParameters": [
          { "token": "[email protected]" },
          { "token": "19292bd8-90aa-49f6-af05-64491bcf50ab" },
          { "token": "[email protected]" },
          { "token": "df7e401f-c5e2-45e9-8578-d82462a5b52c" }
        ]
      }'
  21. Policy-based Access Control Model

    Entities: User, Service Account, Roles, Policies (assigned to Group)

    ALLOW READ ON persons.name WITH REDACTION = PLAIN_TEXT
    ALLOW READ ON persons.credit_card WITH REDACTION = MASKED
  22. Restricting Access Based on Dynamic Data

    ALLOW READ ON persons.* WHERE persons.state = ???
    The ID the policy needs lives outside of the vault.
    ALLOW READ ON persons.* WHERE persons.state = 'California'
  23. Restricting Access Based on Dynamic Data

    ALLOW READ ON persons.* WHERE persons.state = $ctx

    const { generateBearerTokenFromCreds } = require('skyflow-node');
    const axios = require('axios');

    // Request a bearer token that carries the caller's state as its context;
    // `state` is supplied by the application.
    let tokenResponse = await generateBearerTokenFromCreds(
      JSON.stringify({
        clientID: 'da898d92788d4e71ab598ed55d2ab3c2',
        clientName: 'skyflow',
        tokenURI: 'https://manage.skyflowapis.tech/v1/auth/sa/oauth/token',
        keyID: 'e483c36c83af4c03a36e631c6325f209',
        privateKey: '-----BEGIN PRIVATE KEY-----5sX0S5\n-----END PRIVATE KEY-----'
      }),
      { context: state }
    );
    let bearerToken = tokenResponse.accessToken;

    // Get vault records using bearerToken; $ctx in the policy is bound to the
    // token's context, so the caller cannot choose it per request.
    const response = await axios.get(customersURI, {
      headers: {
        'Authorization': 'Bearer ' + bearerToken,
        'Content-Type': 'application/json'
      }
    });
  24. Restricting Access Based on Dynamic Data

    ALLOW READ ON persons.* WHERE persons.person_id = $ctx

    Sequence between the Frontend (client SDK), Backend (server SDK) and Application Storage:
    Get Person ID -> Request Bearer Token -> Return Bearer Token -> Authenticate with Context -> Return Auth Confirmation -> Detokenize Data
  25. Teaching: Accessing Student Records

    Teacher A and Teacher B each authenticate with their own context (Context: Teacher A, Context: Teacher B). Access Control: Students Records, Restricted by Context.

    ALLOW READ ON students.* WHERE students.teacher_id = $ctx

    Student records:
      Student ID  Name          Teacher ID
      1111        Bob Anderson  A
      1112        July Bird     B
      1113        Sally Smith   B
      1114        Henry Davis   A

    Students in Teacher A's Class: 1111 Bob Anderson, 1114 Henry Davis
    Students in Teacher B's Class: 1112 July Bird, 1113 Sally Smith
  26. Data Privacy as an Architectural Decision

    PBAC / RBAC / ABAC -> Skyflow API -> Data Privacy Vault

    const skyflow = Skyflow.init({
      vaultID: VAULT_ID,
      vaultURL: VAULT_URL,
      getBearerToken: generateAccessToken
    });

    // Read one customer; getById returns a Promise that resolves to the record
    // with the caller's policy-defined redaction applied to each column.
    let customer = skyflow.getById({
      records: [{
        ids: [CUSTOMER_ID],
        table: "customers",
        redaction: Skyflow.RedactionType.DEFAULT
      }]
    });

    Response:
    {
      "fields": {
        "full_name": "John Doe",
        "ssn": "XXX-XX-6789",
        "dob": "XX-XX-2010",
        "email": "j*****@gmail.com",
        "cc": "REDACTED",
        "exp": "REDACTED",
        "line_1": "REDACTED",
        "zip": "REDACTED",
        "state": "California"
      }
    }