Presented by:

Billy

Billy VanCannon

Baffle, Inc

Billy VanCannon has over 15 years of experience in cybersecurity. This includes network and software security, public-key infrastructure, and identity and access management. He is currently the Director of Product Management at Baffle, where we work to make encryption easy. Billy has an BS in electrical engineering, an MBA at Northwestern's Kellogg school of management and is CISSP certified.

No video of the event yet, sorry!
Download the Slides

Encryption is widely accepted as a very powerful access control mechanism and the only one directly applied to data. Despite this, it isn’t as widely used as it could be. Using the PCI-DSS security framework for payment card data, we will investigate what it says about encryption regarding audit scope and securing credit card information. We will show the role of encryption can be expanded to least privilege and customer data isolation. We will also discuss ways to overcome the common obstacles to implementing encryption.

All security and privacy frameworks depend on the concept of “least privilege”, where people should only get access to sensitive data that they need to do their job and no more. This concept is easy to understand and hard to implement, especially considering the DBA. Almost every auditor assumes the DBA must have access to all the information in the database to do their job, but is this true? Should the DBA have access to the company financials before earnings announcements? Should they have access to employee social security numbers or customer credit card numbers? Does the DBA even want this responsibility?

In this discussion, we will 1. Brief Introduction to PCI-DSS 2. Use PCI-DSS to discuss how encryption and tokenization can be used to define what is “in-scope” of an audit. 3. Discuss how encryption and masking can further be used to define least privilege for all employees, including the DBA. 4. How encryption can be used to isolate customer data in a multi-tenant environment 5. How database operations can be done on sensitive encrypted data without revealing that data (Privacy Enhanced Computing) using postgres user-defined functions.

Date:
2024 April 19 14:00 PDT
Duration:
50 min
Room:
Winchester
Conference:
Postgres Conference 2024
Language:
English
Track:
Ops
Difficulty:
Intermediate