Profile

Ulf Mattsson
Works at Protegrity
Attended Chalmers University of Technology
Lives in Connecticut, USA
97 followers | 6,179 views

Ulf Mattsson

I agree that “Ultimately, the problem will still require businesses, and individuals, to stop the thefts from happening in the first place.”

My concern is that EMV Chip and PIN cards do not protect against malware attacks like those we have been reading about in the news, nor do they prevent card-not-present attacks, and hackers attacked more than just payment data in recent breaches.

We know that the payment industry is already implementing a very promising tokenization technology that is effective in protecting the entire data flow of sensitive payment data. The payment industry is addressing the kinds of new threats used in recent data breaches by creating standards that will offer critical guidance in protecting sensitive data across the entire data flow.

This type of technology is now in use for protecting payment data and can also be used to mitigate the risks associated with other sensitive information, including personal information, IP and national security information.

Ulf Mattsson, CTO Protegrity
It can easily feel as if no one’s bank account or credit card is safe. But for consumers, the effect is quite different from what the headlines suggest.

Ulf Mattsson

I agree that “Ultimately, it is your responsibility to secure everything that you put onto an AWS environment.”

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files stored in SaaS applications”.

Ulf Mattsson, CTO Protegrity
Professor Avishai Wool, CTO of security policy management provider AlgoSec, examines some of the key security features of Amazon Web Services, giving a best practice guide to using AWS securely.

Ulf Mattsson

I agree that “enterprises are grappling with the challenge of managing risks and data privacy in the cloud,” and that "One way to emulate leading-edge organizations is to implement cloud security intermediaries, such as Cloud Access Security Brokers.”

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files stored in SaaS applications”.

Source: http://www.bankinfosecurity.com/interviews/cloud-security-lessons-learned-i-2813#disqus_thread
With enterprises now taking to the cloud in the APAC region, it's important to learn security lessons from western counterparts, says Cloud Security Alliance CEO

Ulf Mattsson

I agree that some security tools are “watching the perimeter doors.” I think that this is a general problem with many IT Security deployments. The perimeter is gone and Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks.

According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

Ulf Mattsson, CTO Protegrity
Your corporate assets are at risk and every day that you avoid taking action shortens the time until your IP will be leaked. Here are six steps toward better data security.

Ulf Mattsson

I agree that analyzing "abnormal activity" can be effective to minimize fraud with tokens. We also know that the EMV specification combines a static token with a dynamic component (the uniquely generated cryptogram) for additional security, and because the value of a static token does not change, it can be multi-use, allowing merchants greater ability to connect the cardholder with transaction history.

I think that we urgently need to neutralize sensitive data to reduce its value to hackers, including PII data. Aberdeen Group reported in a very interesting study with the title "Tokenization Gets Traction" that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

Ulf Mattsson, CTO Protegrity

Ulf Mattsson

I like the idea that “Google does not retain your keys, and only holds them transiently in order to fulfill your request,” but the keys and the clear text data are still exposed in the cloud infrastructure.

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Ulf Mattsson, CTO Protegrity
Users of Google Compute Engine can now provide their own keys to secure data, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

Ulf Mattsson

We have seen a concerning pattern in the recent data breaches, including the breach at the Internal Revenue Service (IRS) and other US government agencies, in that the primary target was Social Security Numbers (SSN) and other Personally Identifiable Information (PII). Criminals typically started by stealing data from smaller, less protected organizations and then used that data to attack larger but better protected organizations.

Organizations handling SSN and other PII should secure all sensitive data across all data silos, but medium-sized enterprises in particular face the following challenges.

Ulf Mattsson

I agree that "data thieves only have to find a single exploitable opening," and "We need to change the way we think about security if we want a better prognosis about the realities of today’s threat landscape."

Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

We are seeing a number of common issues across recent data breaches, stealing our most sensitive data, and I think it is time to re-think our security approach and be more data-centric. 
 
Ulf Mattsson, CTO Protegrity
Learning more about your attackers helps to improve your security profile and reduce the possibility of a breach.

Ulf Mattsson

I agree that “Winning at data management means extracting the most use and value from the information available" and "Today, we need databases that are polymorphic, a trait that allows efficient, economic and distinctly different storage for both structured (business) data and unstructured (content) data.”

Big data systems gain utility as more data is brought in and the result is a slow brew of gathering risk without sufficient safeguards.

To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible.

Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing nonidentifying information to remain in the clear.

Anonymizing privacy data completely may not be feasible in a monetizing scenario, but deidentifying the most sensitive information, e.g., names, social security numbers, birth dates, is vital to protecting the privacy of individuals.

Using data protection methods such as tokenization can also allow businesses to preserve the type and length of the data, as well as deidentifying only part of the data fields, while leaving the relevant parts in the clear, such as exposing a birth year rather than the entire date. This will keep the data usable for third parties to analyze, while helping to protect the privacy of the individuals who make up the data.

Ulf Mattsson, CTO Protegrity
Everything we do in the digital world creates multiple data points about us as consumers.
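The post above describes tokenization that preserves a field's type and length and deidentifies only part of a field, leaving a birth year in the clear while the rest of the date is replaced. The Python below is added here to illustrate that idea; it is not Protegrity's technology and not the author's code. It derives replacement digits deterministically from HMAC-SHA256 under a constructed demo key, which is an assumption made for illustration only, and the sample record is constructed.

```python
import hmac
import hashlib
import re
from datetime import date

# Constructed demo key. In a deployment the key lives in a key manager and is
# never stored beside the tokenized data.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def keyed_digits(value: str, n: int, key: bytes = DEMO_KEY) -> str:
    """Derive n decimal digits deterministically from HMAC-SHA256(key, value).

    Deterministic derivation is what makes the token multi-use: the same input
    always maps to the same token, so records can still be joined on it.
    Bytes >= 250 are discarded so that `b % 10` is unbiased.
    """
    digits = []
    counter = 0
    while len(digits) < n:
        msg = value.encode() + counter.to_bytes(4, "big")
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < 250:
                digits.append(str(b % 10))
                if len(digits) == n:
                    break
        counter += 1
    return "".join(digits)


SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def tokenize_ssn(ssn: str, keep_last: int = 4, key: bytes = DEMO_KEY) -> str:
    """Replace all but the last `keep_last` digits of an SSN with keyed digits.

    The output keeps the ddd-dd-dddd shape, so schemas and validators that
    expect an SSN-shaped string keep working on the protected value.
    """
    if not SSN_RE.match(ssn):
        raise ValueError("expected SSN in ddd-dd-dddd form")
    raw = ssn.replace("-", "")
    n_tok = len(raw) - keep_last
    tok = keyed_digits("ssn:" + raw, n_tok, key) + raw[n_tok:]
    return f"{tok[:3]}-{tok[3:5]}-{tok[5:]}"


def deidentify_birth_date(iso_date: str, key: bytes = DEMO_KEY) -> str:
    """Keep the birth year in the clear; replace month and day with derived values.

    The result is still a valid calendar date (month 1-12, day 1-28), so the
    column keeps its date type and age-band analytics remain possible.
    """
    d = date.fromisoformat(iso_date)
    digits = keyed_digits("dob:" + iso_date, 4, key)
    month = int(digits[:2]) % 12 + 1
    day = int(digits[2:]) % 28 + 1
    return date(d.year, month, day).isoformat()


def deidentify_record(record: dict) -> dict:
    """Field-level protection: tokenize the identifying fields, leave the rest clear."""
    out = dict(record)
    out["ssn"] = tokenize_ssn(record["ssn"])
    out["birth_date"] = deidentify_birth_date(record["birth_date"])
    return out


if __name__ == "__main__":
    # Constructed sample record, not real personal data.
    sample = {"customer_id": "C-1001", "ssn": "123-45-6789",
              "birth_date": "1979-03-14", "zip3": "068"}
    print(deidentify_record(sample))
```

The non-identifying fields (`customer_id`, `zip3`) pass through untouched, the SSN keeps its length and separator positions, and the date column still parses as a date. The modulo step in `deidentify_birth_date` is slightly biased toward low months and days; a production scheme would use a proper format-preserving construction rather than this shortcut.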

Ulf Mattsson

I agree that "customers need to be focused on the what of IoT—namely the data," and "your corporate data handling and data retention policies may need to be aligned to the new reality of this type of data, because it is a whole new world in IoT and the data old rules may not cleanly apply."
 
Many organizations are not aware of the amount of very sensitive IoT data that is collected and stored on the company’s servers, being used for analytics in Big Data environments, or shared with cloud-based services. There is also an industry-wide shortage in data security personnel, so many organizations don't even know they are doing anything wrong from a security or regulatory compliance perspective.
 
I recently read the Gartner Report "Big Data Needs a Data-Centric Security Focus" concluding "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach." The report suggests that new data-centric audit and protection solutions and management approaches are required.
 
Gartner also released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”
 
The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”
 
Ulf Mattsson, CTO Protegrity
Companies today are grappling with the Internet of Things (IoT), a large network of physical devices that extends beyond the typical computer networks, encompassing devices, industrial equipment, sensors, and extended products. For some manufacturers everything they build could feed into IoT, from cars to buildings or even consumer products. While [...]

Ulf Mattsson

I agree that “we have to do behavioral monitoring, we have to move towards higher levels of encryption, and we have to act proactively and strategically, going forward.”

We need to detect when sensitive data is accessed in a pattern that is not normal, and we need to be able to block that access before all data is stolen. External and internal people can misuse data and our current monitoring and reporting features are not adequate since less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report from Verizon. We need to apply a security monitoring approach that is data-centric.

We need to lock down the sensitive data itself with modern granular data security approaches. I found great advice in a Gartner report, covering enterprise and cloud, that analyzed solutions for Data Protection and Data Access Governance; the title of the report is "Market Guide for Data-Centric Audit and Protection.” I recently read another interesting Gartner report, "Big Data Needs a Data-Centric Security Focus," concluding, "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach."

Aberdeen Group reported in a very interesting study with the title “Tokenization Gets Traction” that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data. Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

Ulf Mattsson, CTO Protegrity
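The post above calls for detecting access to sensitive data in patterns that are not normal and for monitoring that is data-centric rather than perimeter-centric. The Python below is added here, not taken from the post or from any product, to show one such check over constructed audit-log lines: each user's daily read volume from sensitive tables is compared against that user's own median over earlier days, and any sensitive read outside business hours is flagged. The log format, table names, thresholds and business-hours window are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, time

# Constructed log format for the example; real database audit logs differ per product.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)
SENSITIVE_TABLES = {"customers_pii", "payment_cards"}   # assumed classification
BUSINESS_HOURS = (time(7, 0), time(19, 0))              # assumed window


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "action": m["action"], "table": m["table"], "rows": int(m["rows"])}


def sensitive_reads(lines):
    """Keep only read events against tables classified as sensitive."""
    events = (parse_line(l) for l in lines)
    return [e for e in events
            if e and e["action"] == "read" and e["table"] in SENSITIVE_TABLES]


def daily_volume(events):
    """{user: {date: total sensitive rows read that day}}"""
    per_user = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user[e["user"]][e["ts"].date()] += e["rows"]
    return per_user


def detect_anomalies(lines, factor=5.0, min_rows=500):
    """Return (user, alert_type, detail) tuples.

    A user's latest day is a volume spike when it exceeds `factor` times that
    user's own median over earlier days and is at least `min_rows` rows (so a
    baseline of a handful of rows does not make 30 rows an alert). Any sensitive
    read outside BUSINESS_HOURS is reported separately.
    """
    events = sensitive_reads(lines)
    alerts = []
    for user, per_day in daily_volume(events).items():
        days = sorted(per_day)
        if len(days) >= 2:
            baseline = statistics.median(per_day[d] for d in days[:-1])
            latest = per_day[days[-1]]
            if latest >= min_rows and latest > factor * baseline:
                alerts.append((user, "volume_spike",
                               f"{latest} rows vs median {baseline:g}"))
    for e in events:
        if not (BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]):
            alerts.append((e["user"], "off_hours_access", e["ts"].isoformat()))
    return alerts


# Constructed sample log: alice reads a few rows a day, then pulls the whole
# table at 02:30; bob is steady; carol reads a non-sensitive table in bulk.
SAMPLE_LOG = [
    "2015-07-01T10:15:00 user=alice action=read table=customers_pii rows=12",
    "2015-07-02T10:20:00 user=alice action=read table=customers_pii rows=9",
    "2015-07-03T10:05:00 user=alice action=read table=customers_pii rows=15",
    "2015-07-04T10:30:00 user=alice action=read table=customers_pii rows=11",
    "2015-07-05T10:10:00 user=alice action=read table=customers_pii rows=14",
    "2015-07-06T02:30:00 user=alice action=read table=customers_pii rows=4000",
    "2015-07-01T11:00:00 user=bob action=read table=payment_cards rows=20",
    "2015-07-02T11:00:00 user=bob action=read table=payment_cards rows=20",
    "2015-07-03T11:00:00 user=bob action=read table=payment_cards rows=20",
    "2015-07-04T11:00:00 user=bob action=read table=payment_cards rows=20",
    "2015-07-05T11:00:00 user=bob action=read table=payment_cards rows=20",
    "2015-07-06T11:00:00 user=bob action=read table=payment_cards rows=20",
    "2015-07-06T14:00:00 user=carol action=read table=products rows=50000",
    "2015-07-06T03:00:00 health-check ok",   # different format, skipped by the parser
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the block reports two alerts, both for alice: the volume spike (4000 rows against a median of 12) and the 02:30 access. Carol's large read is not reported because the table is not classified as sensitive, which is the point of the data-centric view: the classification of the data, not the size of the query, decides what is monitored.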

Ulf Mattsson

I can understand that "the Cisco 2014 Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings, even as cyber attacks and data breaches increase each year," and that "security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%)."

Ponemon Institute recently presented the report “The State of Data Security Intelligence.” Ponemon asked “How prepared are organizations to detect a data breach?” Only 21 percent of respondents say their organizations would be able to detect a data breach all the time.

70 percent of respondents believe it could have been avoided if certain processes and intelligence technologies were in place.

Fifty-nine percent of these respondents believe the breach would have been avoided if they had more skilled personnel with data security responsibilities.

Data that is outsourced to cloud is the bigger concern according to this study.  

I agree that "Automated security solutions from the vendor community shows promise for helping to reduce the cyber staffing dilemma."

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provide a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files stored in SaaS applications”.
 
Ulf Mattsson, CTO Protegrity
Cybersecurity workforce shortage to reach 1.5 million by 2019.
Education
  • Chalmers University of Technology
  • IBM Management School
  • Stockholm University
  • Polhem Institute of Technology
  • Kungsladugardsskolan
  • Skytteskolan
Basic Information
Gender
Male
Story
Introduction
I created vault-less data tokenization and the architecture of Protegrity's data centric security technology. Prior to joining Protegrity, I worked 20 years at IBM in software development and as a consulting resource to IBM's Research organization, specialized in the areas of IT Architecture and IT Security. I received my US Green Card of class 'EB 11 - Individual of Extraordinary Ability' after endorsement by IBM Research in 2004.
I am the inventor of more than 20 patents in the areas of Encryption Key Management, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of my research during the last 15 years is in the area of managing and enforcing policies (security, encryption, audit) for databases, including more than 10 joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.
I am a research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security, ANSI X9 and IEEE. Leading journals and professional magazines, including IEEE Xplore and IBM Journals, have published more than 100 of my in-depth professional articles and papers.
I received the industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. I have given a series of presentations at leading security and database conferences in the US, Europe and Asia, and frequent tutorials at the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association (ISACA). I received a master's degree in physics in 1979 from Chalmers University of Technology in Sweden, and degrees in electrical engineering and finance.
Bragging rights
Invented vault-less data tokenization
Work
Occupation
Chief Technology Officer
Employment
  • Protegrity
    Chief Technology Officer, present
  • IBM
Places
Currently
Connecticut, USA
Previously
Sweden - Stockholm, Gothenburg