PII is a PITA

Transcript

1. PII Is a PITA September 2023 Managing Personally Identifiable Information

   in your Production Application

2. z 10 years Cyber Security Tenable Phantom Splunk Pangea Michael

   Weinberger BD & Partners 20 years APIs, Security, Antics Twilio Okta ngrok Pangea Keith Casey Product Manager

3. PII is a PITA • Why it’s a Problem •

   Size of the Problem • Steps to Fix the Problem Agenda

4. There are two constants in software development: every app will

   eventually read email and our security team will not like our next idea and off by one errors Software Development 101 2 Constants

5. The Problem 80% OF DEVELOPERS SUBMIT INSECURE OR NONCOMPLIANT CODE

   Problem With Development

6. Why it Matters • Customer Impact • Reputational Loss •

   Financial Loss • Legal Consequences Problem The Consequences

7. Breaches are more and more common with bigger consequences every

   day… Problem Consequences

8. Where did they fail? Problem Panera Breach Panera made key

   mistakes: • Full profile data • Used sequential user IDs • Unsecured endpoint • No monitoring, rate limiting, or emergency stops Ref: https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/

9. Where did they fail? Problem BA Breach BA made key

   mistakes: • Full credit card details • Minimal tracking & controls over web assets Ref: https://www.wired.com/story/british-airways-hack-details/

10. Where did they fail? Problem Equifax Breach Equifax made key

    mistakes: • Full profile data • Used sequential user IDs • Minimally endpoint • No monitoring, rate limiting, or emergency stops Ref: https://www.nytimes.com/2019/07/22/business/equifax-settlement.html

11. Becoming compliant is hard and takes a lot of time,

    especially when you build an application from scratch! • GDPR • SOC2 • PCI • HIPAA • ISO27001 Problem Regulatory

12. How Do we Fix it?

13. 1. Identify 2. Policy 3. Practice 4. Monitor Solution Steps

    to solve it

14. Identify Risk Areas

15. None
16. None

17. Create Policy

18. 1. Limit Collection 2. Limit Sharing 3. Limit Access Practices

    Steps at Every Stage

19. Practices Steps at Every Stage But often you still need

    to collect, store, and use the data

20. PII in Practice

21. Dealing with Credit Card Numbers - 4111 1111 1111 1111

    - 4111111111111111 Practice Limit Collection

22. Dealing with Phone Numbers - (512) 555-1212 - 5125551212 -

    15125551212 - +15125551212 Practice Limit Collection

23. Practice Limit Collection Dealing with Email Addresses - [email protected] -

    [email protected] - [email protected] - [email protected]

24. Log & Monitor Activity

25. 1. Log sensitive activity 2. Understand what is normal 3.

    Adapt with new apps and systems Logging Safely & Securely

26. Facebook’s mistakes: • Logged all data • Unencrypted Bad Logging

    Problem Panera Breach Ref: https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/

27. T-Mobile’s mistakes • Centralized Logging • Actionable Good Logging Problem

    Panera Breach Ref: https://techcrunch.com/2018/08/24/t-mobile-says-hackers-stole-customer-data-in-data-breach/

28. T-Mobile’s mistakes • Centralized Logging • Actionable Good Logging Problem

    Panera Breach Ref: https://techcrunch.com/2018/08/24/t-mobile-says-hackers-stole-customer-data-in-data-breach/

29. Demo How to Redact PII in a production environment using

    Pangea

30. PII is a PITA • Huge Problem - Size, Scope,

    Consequences • Huge Costs - Financial, Legal, Reputation • (Technically) Simple Fixes Recap

31. https://pangea.cloud