Google Cloud Platform (GCP) claims to cut through the complexity and offers solutions for your storage, analytics, big data, machine learning, and application development needs.
Who better than an existing user to share the experience of using GCP? In this video, Mr. Roy Bryant of Scotiabank discusses Scotiabank's security journey and its cloud-native approach to ingesting PII into GCP.
Scotiabank: Brief Introduction
Bryant begins the session at 00:45 with a brief introduction to Scotiabank, which has been around for about 200 years.
It was founded in 1823 and has 25M customers, 97K employees, and assets of 998B as of Oct 31, 2018. It is the 1st international bank of Canada and its 3rd biggest bank. It is in the top 3 in a lot of Latin American and Caribbean countries, is moving a lot of things to the cloud, and its latest development is moving data to GCP.
Security Bar for PII in Cloud vs On-Premises
Describing the basic difference between cloud and on-premises at 01:35, he states that organized data needs more protection, and so they have raised the bar by using the cloud, which is much safer than on-premises.
Bryant goes on to describe at 03:24 some basics that everybody does to lock down an application: authentication, authorization, careful management of accounts, constraining the network, encrypting data, hardening and patching VM images, etc.
Change Management: Automated Control Enforcement
To reduce the risk of accidental changes, infrastructure must be managed as code. At 06:56 he says that the bank has done a good job of articulating its security controls, and there is a list of hundreds of controls that need to be enforced. They have built infrastructure pieces and run tasks to ensure it is compliant with all those controls.
At 07:13, he explains that the 1st part they implemented was simply that an application can be made safe. They have made sure that the platform, if used properly, ensures the application is safe, and that this can be demonstrated with a bunch of tasks. The next part, which they are enforcing now, is that while using the platform you cannot do anything unsafe.
PLATO’s Principles to keep PII Safe
Discussing PLATO's principles at 08:13, he tells us about tokenizing personally identifiable information and leaving these tokens intact for most operations so that re-identification is rare. The principles also include governing intent instead of managing artifacts.
Explaining the basics at 09:50, he tells us how PLATO tokenizes PII during ingestion to the cloud and transforms it to standardize it. Each individual sensitive data item is replaced with a joinable token, which can flow freely and is governed by access rules.
He goes on to say at 11:00 that the basic reason that encouraged them to use this was that it took less than 5 milliseconds to encrypt or decrypt, and that 100-byte strings cost only about 3 cents per million records.
PLATO manages intent to access PII
With an example at 13:30, he demonstrates how PLATO manages intent to access PII. Here he shows how the zero-trust policy makes it practically impossible for any hacker to defeat the system. At 18:30, he says that even if a hacker manages to reach a single system, he will not be able to see any PII because it is encrypted.
Moreover, even if someone manages to read some tokens, they cannot be re-identified. The system shows you all the clear intentions, allowing you to trace through the system which gave the certificate to pass through different levels of the stack.
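The joinable tokens described under PLATO's principles and the intent-gated re-identification described above, as an added example that is not from the talk or from Scotiabank's PLATO code. It assumes a vault-style design that swaps in HMAC-SHA256 tokens plus a lookup vault rather than the encryption the talk mentions; the class, function, caller and intent names, the key and all sample data are hypothetical.

```python
import hashlib
import hmac


class PiiTokenizer:
    """Deterministic (joinable) tokens plus intent-gated re-identification."""

    def __init__(self, key: bytes, allowed_intents: set):
        self._key = key                  # assumption: held in a key management service in practice
        self._allowed = allowed_intents  # hypothetical access rule: intents that may re-identify
        self._vault = {}                 # token -> standardized cleartext, kept apart from the data
        self.audit = []                  # every re-identification attempt is recorded

    def tokenize(self, field: str, value: str) -> str:
        standardized = value.strip().lower()  # standardize before tokenizing
        msg = f"{field}\x00{standardized}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field}_{digest[:32]}"
        self._vault[token] = standardized
        return token

    def reidentify(self, token: str, caller: str, intent: str) -> str:
        allowed = intent in self._allowed
        self.audit.append((caller, intent, token, allowed))
        if not allowed:
            raise PermissionError(f"intent {intent!r} may not re-identify PII")
        return self._vault[token]


def ingest(tokenizer, rows, pii_fields):
    """Replace each sensitive item with its token as the row enters the platform."""
    return [{k: tokenizer.tokenize(k, v) if k in pii_fields else v for k, v in row.items()}
            for row in rows]


def join_on(left, right, field):
    """Join two tokenized datasets on a token column without seeing cleartext."""
    index = {r[field]: r for r in right}
    return [{**l, **index[l[field]]} for l in left if l[field] in index]


# Constructed sample data and key; none of it comes from the talk.
TOKENIZER = PiiTokenizer(b"constructed-demo-key", {"fraud-investigation"})
ACCOUNTS = ingest(TOKENIZER, [{"email": "Alice@Example.com ", "balance": "120"},
                              {"email": "bob@example.com", "balance": "75"}], {"email"})
LOGINS = ingest(TOKENIZER, [{"email": "alice@example.com", "last_login": "2018-10-31"}], {"email"})
JOINED = join_on(ACCOUNTS, LOGINS, "email")
```

Because equal standardized values map to equal tokens, the two datasets join on the token column, while reading a cleartext value requires an allowed intent and leaves an audit record either way.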
GCP: An excellent Cloud platform for PII
Bryant tells us at 21:15 that their extremely satisfactory relationship with Google is due to the strength of its technology, foundational performance, security, and the good relationship with the engineering team. He also highlights Cloud Data Loss Prevention (DLP) and Cloud Key Management System (KMS).
Summary of PLATO’s PII Posture
Summarizing the session at 23:11, he highlights the main features which ensure that “No single hack of PLATO’s cloud data platform can expose PII.” These include authentication, authorization, network constraints, quick detection of hacking of even a single cloud system, and tracking of intent. All of these simplify PII management and implement the zero-trust policy.
Bryant concludes the session at 28:25 with his pitch for zero-trust PII management.