APIsecure 2023 - What if privacy had an API?, Sean Falconer (Skyflow)

Transcript

1. © 2021 Skyflow Confidential What if privacy had an API?

   Sean Falconer Head of Developer Relations
2. None
3. None
4. None

5. Credit Card # Favorite Color Name DOB SSN Email Address

   Not All Data Is Created Equal Plain Text Masking/ Redaction Tokenization Blue Blue Catherine Garcia C***ne G***ia 1970-01-01 *REDACTED* 111-11-1111 XXX-XX-1111 [email protected] C***@gmail.com 4111 1111 1111 1111 sdbo32svd87b

6. A System With Problems Application Frontend API Gateway / Load

   Balancer Backend Database ETL Data Warehouse Analytics & Machine Learning

7. A System With Problems Application Frontend API Gateway / Load

   Balancer Backend Database ETL Data Warehouse Analytics & Machine Learning 555-1212

8. A System With Problems Application Frontend API Gateway / Load

   Balancer Backend Database ETL Data Warehouse Analytics & Machine Learning 555-1212 Logs 555-1212 Logs 555-1212 Logs Dashboards Reports Logs

9. A System With Problems Application Frontend API Gateway / Load

   Balancer Backend Database ETL Data Warehouse Analytics & Machine Learning 555-1212 Logs 555-1212 Logs 555-1212 Logs Dashboards Reports Sensitive Data Logs
10. None

11. Appendix How Do You Solve This Problem?

12. Leading Companies Built Zero-Trust Vaults They all built logically centralized

    vaults for sensitive customer data

13. What is a Data Privacy Vault? A Data Privacy Vault

    isolates, secures, stores, and tightly controls access to manage and use sensitive data.

14. What is a Data Privacy Vault? A Data Privacy Vault

    isolates, secures, stores, and tightly controls access to manage and use sensitive data. Lives in a segregated network with privileged access

15. What is a Data Privacy Vault? A Data Privacy Vault

    isolates, secures, stores, and tightly controls access to manage and use sensitive data. Encryption, tokenization, data masking, other privacy-preserving technologies built-in.

16. What is a Data Privacy Vault? A Data Privacy Vault

    isolates, secures, stores, and tightly controls access to manage and use sensitive data. High availability, throughput, support for structured & unstructured data

17. What is a Data Privacy Vault? A Data Privacy Vault

    isolates, secures, stores, and tightly controls access to manage and use sensitive data. Native data governance, ABAC/RBAC/PBAC; zero-trust architecture

18. What is a Data Privacy Vault? A Data Privacy Vault

    isolates, secures, stores, and tightly controls access to manage and use sensitive data. Privacy-preserving analytics, database-like access, workflows and secure cloud functions on sensitive data

19. A System With Problems Application Frontend API Gateway / Load

    Balancer Backend Database ETL Data Warehouse Analytics & Machine Learning 555-1212 Logs 555-1212 Logs 555-1212 Logs Dashboards Reports Sensitive Data Logs

20. Introducing the Vault Application Frontend API Gateway / Load Balancer

    Backend Database ETL Data Warehouse Analytics & Machine Learning Data Privacy Vault 555-1212 ABC123 ID Name Phone Number 1001 John Doe 333-1414 1002 Jane Anderson 444-1313 1003 Pat Smith 555-1212 curl -i -X POST '$VAULT_URL/v1/vaults/$VAULT_ID/persons' \ -H 'Authorization: Bearer $BEARER_TOKEN' \ -d '{ "tokenization": true, "records": [ { "fields": { "name": "Pat Smith", "phone_number": "555-1212" } } ] }'

21. Introducing the Vault Application Frontend API Gateway / Load Balancer

    Backend Database ETL Data Warehouse Analytics & Machine Learning Data Privacy Vault 555-1212 ABC123 ABC123 ABC123

22. Introducing the Vault Application Frontend API Gateway / Load Balancer

    Backend Database ETL Data Warehouse Analytics & Machine Learning Data Privacy Vault 555-1212 ABC123 Logs Logs Logs Dashboards Reports Logs

23. Introducing the Vault Application Frontend API Gateway / Load Balancer

    Backend Database ETL Data Warehouse Analytics & Machine Learning Data Privacy Vault 555-1212 ABC123 De-risked Surface Area

24. The Data Privacy Vault is what makes an API for

    privacy possible.

25. Appendix The Evolution of an API for Privacy

26. Tokenization Masking Polymorphic Encryption Secure Data De-identify Data Execute Custom

    Code Transform and Process Data Secure Workflows Creating an API for Privacy Infrastructure Multi-cloud | Private Network | Isolated | Global Distribution APIs and SDKs Authentication Service Governance Audit Service Secrets Management/KMS Third Party Services

27. Tokenization Masking Polymorphic Encryption Secure Data De-identify Data Execute Custom

    Code Transform and Process Data Secure Workflows Infrastructure Multi-cloud | Private Network | Isolated | Global Distribution APIs and SDKs Authentication Service Governance Audit Service Secrets Management/KMS Third Party Services

28. Appendix Controlling Access to Sensitive Data

29. How Can We Limit Access? curl -i -X POST '$VAULT_URL/v1/vaults/$VAULT_ID/detokenize'

    \ -H 'Authorization: Bearer $BEARER_TOKEN' \ -d '{ "detokenizationParameters": [ { "token": "[email protected]" }, { "token": "19292bd8-90aa-49f6-af05-64491bcf50ab" }, { "token": "[email protected]" }, { "token": "df7e401f-c5e2-45e9-8578-d82462a5b52c" } ] }'

30. Policy-based Access Control Model User Service Account Roles Policies Assigned

    to Group ALLOW READ ON persons.name WITH REDACTION = PLAIN_TEXT ALLOW READ ON persons.credit_card WITH REDACTION = MASKED

31. Quick Demo

32. Appendix Dynamic Access of Sensitive Data

33. Restricting Access Based on Dynamic Data ALLOW READ ON persons.*

    WHERE persons.state = ??? ID outside of the vault ALLOW READ ON persons.* WHERE persons.state = ‘California’

34. Restricting Access Based on Dynamic Data ALLOW READ ON persons.*

    WHERE persons.state = $ctx let response = await generateBearerTokenFromCreds( JSON.stringify({ clientID: 'da898d92788d4e71ab598ed55d2ab3c2', clientName: 'skyflow', tokenURI: 'https://manage.skyflowapis.tech/v1/auth/sa/oauth/token', keyID: 'e483c36c83af4c03a36e631c6325f209', privateKey: '-----BEGIN PRIVATE KEY-----5sX0S5\n-----END PRIVATE KEY-----' }), { context: state } ); let bearerToken = response.accessToken; // Get vault records using bearerToken const response = await axios.get(customersURI, { headers: { 'Authorization': 'Bearer ' + bearerToken, 'Content-Type': 'application/json' } });

35. Restricting Access Based on Dynamic Data ALLOW READ ON persons.*

    WHERE persons.person_id = $ctx Frontend with client SDK Backend with server SDK Application Storage Get Person ID Request Bearer Token Return Bearer Token Authenticate with Context Return Auth Confirmation Detokenize Data

36. Teaching Accessing Student Records Teacher A Teacher B Access Control

    Context: Teacher B Context: Teacher A Students Records Based Restricted by Context Access Control Students in Teacher A’s Class Students in Teacher B’s Class Student ID Name Teacher ID 1111 Bob Anderson A 1112 July Bird B 1113 Sally Smith B 1114 Henry Davis A Student ID Name Teacher ID 1111 Bob Anderson A 1112 July Bird B 1113 Sally Smith B 1114 Henry Davis A Student ID Name Teacher ID 1111 Bob Anderson A 1112 July Bird B 1113 Sally Smith B 1114 Henry Davis A ALLOW READ ON students.* WHERE students.teacher_id = $ctx

37. Data Privacy as an Architectural Decision PBAC RBAC ABAC Skyflow

    API const skyflow = Skyflow.init({ vaultID: VAULT_ID, vaultURL: VAULT_URL, getBearerToken: generateAccessToken }); let customer = skyflow.getById({ records: [{ ids: [ CUSTOMER_ID ], table: "customers" redaction: Skyflow.RedactionType.DEFAULT }] }); { "fields": { "full_name"::"John Doe", "ssn": "XXX-XX-6789", "dob": "XX-XX-2010", "email": "j*****@gmail.com", "cc": "REDACTED", "exp": "REDACTED", "line_1": "REDACTED", "zip": "REDACTED", "state": "California" } } Data Privacy Vault

38. T***k Y***u! Sean F*&j$@r, Head of Developer Relations s****r@skyflow.com **REDACTED**

    **REDACTED**

39. Thank You! Sean Falconer, Head of Developer Relations sean.falconer@skyflow.com https://skyflow.com/podcast

    https://skyflow.com/community