Profile

Ulf Mattsson
Works at Protegrity
Attended Chalmers University of Technology
Lives in Connecticut, USA

Stream

Ulf Mattsson

Shared publicly

Third Circuit Holds FTC Has Authority to Regulate Cybersecurity under Unfairness Prong of 15 U.S.C. § 45(a)

Source: http://www.natlawreview.com/article/third-circuit-holds-ftc-has-authority-to-regulate-cybersecurity-under-unfairness#sthash.jxnTrGsO.dpuf

I think it is concerning that Wyndham "Allowed its hotels to store payment card information in clear, readable text."

Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

I recently read an interesting report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. The name of the study is “Tokenization Gets Traction”.

Ulf Mattsson, CTO Protegrity

Ulf Mattsson

Shared publicly

I agree that “They’re rushing forward into federated environments with multiple partners, into mobility and into big data,” and “without questioning how to use them securely.” The increased use of cloud is adding to these security issues.

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization.”

I recently read the Gartner Report "Big Data Needs a Data-Centric Security Focus" concluding "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach."

Big Data distributions, like Hortonworks, recently started to include the type of advanced security features that Gartner is recommending, including masking, fine grained encryption, and data tokenization.

Ulf Mattsson, CTO Protegrity
LAS VEGAS – On any list of what is keeping chief security officers (CSOs) up at night, avoiding presiding over the next

Ulf Mattsson

Shared publicly

It is concerning that “The lack of security and ability to check for malware could potentially lead to serious data breaches; however, this doesn't seem to be a concern to many SMBs, with only 18% believing their data was worth stealing.”
 
Cloud services often offer dramatically reduced overheads and increased flexibility over traditional solutions for stretched medium-sized enterprises. However, corporate risk management policies, privacy standards and compliance concerns create numerous data security challenges for businesses that are increasingly relying on cloud services that are holding more of their sensitive data.
 
Cloud data protection gateways easily leverage tokenization and encryption to transparently isolate and protect sensitive data before it gets to the cloud, and offer activity monitoring, including for cloud-based big data, databases, or applications, giving businesses the freedom to use any type of private or public cloud service without the risk of exposure.

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files.”
 
Ulf Mattsson, CTO Protegrity
Latest reports from McAfee, Blue Coat Systems and Trend Micro highlight worrying trends.

Ulf Mattsson

Shared publicly

I agree that “Privacy is at the heart of democratic modernity, and it must be preserved. The manipulation of the information we share with organisations online, increasingly extensive and sensitive in nature, makes digital processes a question of life (private life, certainly) and, potentially, death.”

Big data is rapidly becoming a big target for attackers. I think a big data security crisis is likely to occur very soon and few organizations have the ability to deal with it.

There is an industry-wide shortage in data security personnel, so many organizations don’t even know they are doing anything wrong from a security perspective.

The good news is that some organizations are proactive and successfully using the new security approaches that are required, since big data is based on a new and different architecture.

To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible. Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing nonidentifying information to remain in the clear.
 
Anonymizing privacy data completely may not be feasible in a monetizing scenario, but deidentifying the most sensitive information, e.g., names, social security numbers, birth dates, is vital to protecting the privacy of individuals.

Using data protection methods such as tokenization can also allow businesses to preserve the type and length of the data, as well as deidentifying only part of the data fields, while leaving the relevant parts in the clear, such as exposing a birth year rather than the entire date.

Ulf Mattsson, CTO Protegrity
Enticed by the promise of “discreet indiscretions”, millions of people sign up to a global website offering extramarital encounters. Last month, legions of those same people found their names, personal preferences and other intimate details sprayed

Ulf Mattsson

Shared publicly

I agree that “By layering encryption and tokenization with EMV and POS compatible systems, merchants can minimize security weaknesses and address authorization vulnerabilities.”

Cloud services often offer dramatically reduced overheads and increased flexibility over traditional solutions for stretched medium-sized enterprises. However, corporate risk management policies, privacy standards and compliance concerns create numerous data security challenges for businesses that are increasingly relying on cloud services that are holding more of their sensitive data.

Cloud data protection gateways easily leverage tokenization and encryption to transparently isolate and protect sensitive data before it gets to the cloud, and offer activity monitoring, including for cloud-based big data, databases, or applications, giving businesses the freedom to use any type of private or public cloud service without the risk of exposure.

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files.”
 
Ulf Mattsson, CTO Protegrity
With the increased frequency and sophistication of modern cyber attacks, it is more important than ever for business owners to educate themselves and their staff about the dramatic effects of a data breach. With so many big businesses making the headlines for failed security over the past year (Target, Sony, Anthem, just to name [...]

Ulf Mattsson

Shared publicly

"Be proactive, not reactive, in protecting healthcare data."

Source: http://www.healthcarefinancenews.com/blog/be-proactive-not-reactive-protecting-healthcare-data

I agree that "healthcare information is more vulnerable than financial information because the industry is often 10-15 years behind in its IT practices."

I think that healthcare is also unique in that there are a greater number of people who come in contact with sensitive information during the course of normal business operations than in other industries.

The attraction of PHI is that its value does not degrade as rapidly as credit card data, which can be changed or updated quickly.

I recently read a study from Aberdeen Group that revealed “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data” and that half of the organizations are using data tokenization for PII and PHI data. The name of the study is “Tokenization Gets Traction”.

This is a short list of effective measures that I suggest organizations should take:

1. Fine-grained de-identification of both PII (Personally Identifiable Information) and PHI.

2. Fine-grained tokenization of PHI, to alleviate the need for plain-text data and exposure in-memory across the entire data flow.

3. Strong credentials, including password improvement and rotation, plus separation of duties to prevent privileged users, such as database administrators or system administrators, from accessing sensitive data.
    
Secure the data to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization.

Ulf Mattsson, CTO Protegrity
This form of identity theft is extremely costly to the victim as well the company that gets hacked.

Ulf Mattsson

Shared publicly

I agree that “The security industry is messy and complicated, and we spend the bulk of our dollars on products that don't really solve the problem. It simply isn't working.”
 
Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks.
 
According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.
 
Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

I also found great guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance, and the title of the report is "Market Guide for Data-Centric Audit and Protection.”

The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."
 
Ulf Mattsson, CTO Protegrity
While the idea of network virtualization has been around a while, it has not been adopted in the enterprise as quickly as virtualization for servers. Now, VMware, one of the biggest proponents of virtualizing the entire data center, is touting one tangible benefit to the virtual network: better security.

Ulf Mattsson

Shared publicly

I agree that "We need to get out there and talk to our users." I think that healthcare is unique in that there are a greater number of people who come in contact with sensitive information during the course of normal business operations than in other industries.

The healthcare industry is also a valuable target for cyber thieves and an easier target to attack due to less cyber security than some other industries, including financial services.

So, when you combine the number of people involved with handling multiple forms of PHI records, along with the immaturity of the data security systems and practices that are in place, there are so many opportunities for mistakes or intentional breaches to take place.

The attraction of PHI is that its value does not degrade as rapidly as credit card data, which can be changed or updated quickly. I recently read a study from Aberdeen Group that revealed “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data” and that half of the organizations are using data tokenization for PII and PHI data. The name of the study is “Tokenization Gets Traction”.

Secure the data to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization.

Ulf Mattsson, CTO Protegrity
Information technology and data security isn't what it used to be. Today, the stereotypical introverted, somewhat reclusive, more-into-computers-than people techie isn't going to cut it as CISO. And there are plenty of people who will tell you why.

Ulf Mattsson

Shared publicly

It is concerning that “small businesses are being increasingly targeted by cybercriminals precisely because they are soft targets, and a successful infiltration could result in some juicy leads to help crack into a bigger organization,” and “only 18 per cent of those surveyed believed their business data was worth stealing.”

Cloud services often offer dramatically reduced overheads and increased flexibility over traditional solutions for stretched medium-sized enterprises. However, corporate risk management policies, privacy standards and compliance concerns create numerous data security challenges for businesses that are increasingly relying on cloud services that are holding more of their sensitive data.

Cloud data protection gateways easily leverage tokenization and encryption to transparently isolate and protect sensitive data before it gets to the cloud, and offer activity monitoring, including for cloud-based big data, databases, or applications, giving businesses the freedom to use any type of private or public cloud service without the risk of exposure.

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files.”

Ulf Mattsson, CTO Protegrity
The state of security is pretty woeful in the small to medium business world, at least if the latest research from Trend Micro is anything to go by.

Ulf Mattsson

Shared publicly

How to Combat 3 of the Biggest Cloud Storage Security Threats
 
Source: http://www.informationsecuritybuzz.com/how-to-combat-3-of-the-biggest-cloud-storage-security-threats/comment-page-1/#comment-9602

I am concerned that “devices will send information back to the cloud,” and that “This could lead to an ongoing threat of attacks for sensitive patient information and malicious tampering.”

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files.”
 
Ulf Mattsson, CTO Protegrity

Ulf Mattsson

Shared publicly

I agree that “Eventually hackers may push those numbers to even more unbelievable heights and discover big data analytics as the quickest tool in their box,” but big data is also rapidly becoming a big target for attackers.

There is an industry-wide shortage in data security personnel, so many organizations don’t even know they are doing anything wrong from a security perspective. I think a big data security crisis is likely to occur very soon and few organizations have the ability to deal with it.

The good news is that some organizations are proactive and successfully using the new security approaches that are required, since big data is based on a new and different architecture.
 
To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible. Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing nonidentifying information to remain in the clear. 

Anonymizing privacy data completely may not be feasible in a monetizing scenario, but deidentifying the most sensitive information, e.g., names, social security numbers, birth dates, is vital to protecting the privacy of individuals.

Using data protection methods such as tokenization can also allow businesses to preserve the type and length of the data, as well as deidentifying only part of the data fields, while leaving the relevant parts in the clear, such as exposing a birth year rather than the entire date.

Ulf Mattsson, CTO Protegrity
Do the data records stolen in a pair of recent hacks signal the start of something more sinister?
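
The two big-data posts above describe protecting data field by field so that tokens keep the type and length of the original, only part of a field is de-identified (a birth year exposed instead of the full date) while non-identifying fields stay in the clear, and the healthcare post adds separation of duties so that database and system administrators never see sensitive values. The Python below is an added illustration written for this page; it is not Protegrity's code and not the vault-less tokenization algorithm Ulf Mattsson describes. It assumes, as its own choices, a keyed unbalanced Feistel permutation over each field's character alphabet (HMAC-SHA256 as the round function, eight rounds; this is not the NIST FF1/FF3 standard) as the tokenization primitive, a constructed demo key, and hypothetical field names, roles and a constructed sample record.

```python
import hashlib
import hmac

DIGITS = "0123456789"
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROUNDS = 8  # illustrative; not a NIST FF1/FF3 implementation
# Constructed demo key: a deployment keeps this in a KMS/HSM, never in source.
DEMO_KEY = b"demo-tokenization-key-do-not-use-in-production"


def _to_int(symbols, radix):
    value = 0
    for s in symbols:
        value = value * radix + s
    return value


def _to_symbols(value, length, radix):
    out = []
    for _ in range(length):
        out.append(value % radix)
        value //= radix
    return out[::-1]


def _round_fn(key, tweak, rnd, half, out_len, radix):
    # Keyed round function: HMAC-SHA256 over (tweak, round, half), reduced to out_len symbols.
    msg = f"{tweak}|{rnd}|{radix}|{','.join(map(str, half))}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % radix ** out_len


def _feistel(key, tweak, symbols, radix, decrypt=False):
    # Unbalanced Feistel network: a deterministic, length-preserving permutation keyed by
    # `key` and tweaked by the field name, so equal inputs give equal tokens with no vault.
    n = len(symbols)
    if n < 2:
        raise ValueError("need at least two symbols to form a token")
    a, b = symbols[: n // 2], symbols[n // 2:]
    for rnd in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:
            f = _round_fn(key, tweak, rnd, a, len(b), radix)
            a, b = _to_symbols((_to_int(b, radix) - f) % radix ** len(b), len(b), radix), a
        else:
            f = _round_fn(key, tweak, rnd, b, len(a), radix)
            a, b = b, _to_symbols((_to_int(a, radix) + f) % radix ** len(a), len(a), radix)
    return a + b


def fp_tokenize(key, tweak, value, alphabet, keep_tail=0, decrypt=False):
    # Format-preserving (de)tokenization: only characters in `alphabet` are replaced, so
    # length, separators and case pattern survive; the last `keep_tail` stay in the clear.
    positions = [i for i, ch in enumerate(value) if ch.upper() in alphabet]
    if keep_tail:
        positions = positions[:-keep_tail]
    out = _feistel(key, tweak, [alphabet.index(value[i].upper()) for i in positions], len(alphabet), decrypt)
    chars = list(value)
    for i, s in zip(positions, out):
        chars[i] = alphabet[s].lower() if value[i].islower() else alphabet[s]
    return "".join(chars)


# Per-field policy applied before a record leaves the trusted zone (the job of a cloud
# data protection gateway). Fields not listed stay in the clear.
FIELD_POLICY = {
    "name": ("tokenize", LETTERS, 0),
    "ssn": ("tokenize", DIGITS, 0),
    "card": ("tokenize", DIGITS, 4),       # last four digits left readable
    "birth_date": ("year_only", None, 0),  # YYYY-MM-DD generalized to YYYY (one-way)
}
# Which roles may detokenize which fields; privileged infrastructure roles get none.
ROLE_REVEAL = {"dba": set(), "claims_app": {"name", "ssn"}, "billing_app": {"card"}}
# Constructed sample patient record (not real data).
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "123-45-6789", "card": "4111 1111 1111 1111",
                 "birth_date": "1979-06-15", "diagnosis_code": "E11.9"}  # diagnosis stays clear


def protect_record(key, record):
    out = dict(record)
    for field, (action, alphabet, keep) in FIELD_POLICY.items():
        if field in out:
            out[field] = (fp_tokenize(key, field, out[field], alphabet, keep_tail=keep)
                          if action == "tokenize" else out[field][:4])
    return out


def reveal(key, protected, role):
    # Policy-driven detokenization: roles outside ROLE_REVEAL see tokens only, and the
    # generalized birth year cannot be restored by anyone, including the application.
    out = dict(protected)
    for field in ROLE_REVEAL.get(role, set()):
        action, alphabet, keep = FIELD_POLICY[field]
        if action == "tokenize" and field in out:
            out[field] = fp_tokenize(key, field, out[field], alphabet, keep_tail=keep, decrypt=True)
    return out


if __name__ == "__main__":
    protected = protect_record(DEMO_KEY, SAMPLE_RECORD)
    for role in ("dba", "claims_app", "billing_app"):
        print(role, reveal(DEMO_KEY, protected, role))
```

Because the permutation is deterministic under the key and the field name, the same SSN always yields the same token, so joins, counts and de-duplication on tokenized columns still work, which is the "usability for analytics" point in the posts. What has to be guarded and audited is the key and the detokenization policy rather than a token vault, which is exactly the Gartner question quoted above about where keys are stored and who can use them. The year-only generalization is lossy by design: no role, not even the application, can turn "1979" back into the full birth date.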

Ulf Mattsson

Shared publicly

I agree that “Given current high levels of threats, many security leaders are becoming more concerned when protecting sensitive data. Not only must these leaders protect data, they are also faced with the urging of moving things into the cloud.”
 
Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 and recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”
 
Ulf Mattsson, CTO Protegrity
People
100 people have him in circles
Education
  • Chalmers University of Technology
  • IBM Management School
  • Stockholm University
  • Polhem Institute of Technology
  • Kungsladugardsskolan
  • Skytteskolan
Basic Information
Gender
Male
Story
Introduction
I created vault-less data tokenization and the architecture of Protegrity's data centric security technology. Prior to joining Protegrity, I worked 20 years at IBM in software development and as a consulting resource to IBM's Research organization, specialized in the areas of IT Architecture and IT Security. I received my US Green Card of class 'EB 11 - Individual of Extraordinary Ability' after endorsement by IBM Research in 2004.
I am the inventor of more than 20 patents in the areas of Encryption Key Management, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of my research during the last 15 years is in the area of managing and enforcing policies (security, encryption, audit) for databases, including more than 10 joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.
I am a research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security, ANSI X9 and IEEE. Leading journals and professional magazines, including IEEE Xplore and IBM Journals, have published more than 100 of my in-depth professional articles and papers.
I received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. I have given a series of presentations at leading security and database conferences in the US, Europe and Asia, and frequent tutorials at the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association (ISACA). I received a master's degree in physics in 1979 from Chalmers University of Technology in Sweden, and degrees in electrical engineering and finance.
Bragging rights
Invented vault-less data tokenization
Work
Occupation
Chief Technology Officer
Employment
  • Protegrity
    Chief Technology Officer, present
  • IBM
Places
Currently
Connecticut, USA
Previously
Sweden - Stockholm, Gothenburg