Apr
16
4:15 PM16:15

"A Smart Home is No Castle: Security and Privacy Challenges for the Smart Home" by Nick Feamster of Princeton University

Location: 18th Floor


As consumers continue to connect smart devices in their homes, the security of these devices and the data that they collect about consumers are receiving increased attention. From a security perspective, devices that consumers connect to their smart homes are often insecure and may participate in attacks both on other devices within the home as well as on services across the broader Internet. From a privacy perspective, many of the devices that users purchase collect data about their usage patterns - often without their knowledge. 

 In this talk, I will highlight the security and privacy challenges for the smart home with demonstrations of both attacks against smart home devices and visualizations of the types of data that smart-home devices collect about consumers. I will also describe possible paths forward, for both consumers and ISPs, showing how consumer-facing tools that run on both user devices and on the CPE can provide users with better visibility into smart home device activity.


View Event →
Apr
16
4:15 PM16:15

"Scaling Security Practices in a Microservice World" by Pankesh Contractor of Comcast

Location: 19th Floor


As we moved all of our back-office application at Xfinity Mobile from the monolith design to a microservice based architecture we have been forced to rethink all aspect of the platform security. From identity management & authorization to data security & security gates.

In this talk, I would like to share my team’s journey in this evolution and how we have had to scale the tooling & practices to work in the world of rapid deployment & cloud native application. I will talk about the challenges and trade-offs and the DevSecOps that helped us succeed.


View Event →
Apr
16
3:35 PM15:35

"NIST Privacy Framework - Status Updates and Next Steps" by Ellen Nadeau of the National Institute of Standards and Technology

Location: 18th Floor


Learn about the NIST Privacy Framework: A Tool for Enterprise Risk Management. Ellen Nadeau, Deputy Manager of the framework effort, will discuss development of the framework to date, tackling topics such as: the stakeholder engagement process since kick-off of this effort, the comments received on NIST’s Request for Information (issued 11/13/18), and the outline of the framework. Attendees will learn how this framework could support their privacy risk management efforts, and will have an opportunity to ask questions.


View Event →
Apr
16
3:35 PM15:35

"Opting-In: Designing Privacy Tracking for Consumer Confidentiality & Cryptographic Assurance for Enterprises" by Brian Scriber of CableLabs

Location: 19th Floor


With GDPR in the EU, PIPEDA in Canada and with CPA in California, there is an immediate need for technical solutions to efficiently running our businesses in this strong regulatory environment. What if you and your department could help enable a revenue opportunity in this space as opposed to just mitigating regulatory risk?

Join us to explore how self-sovereign identity and opt-in/opt-out tracking can work hand in hand using some of the nascent tools in cryptography and software development. We will explore transaction signing, distributed verification, collaborative acknowledgments, time synchronization, user-directed sharing of protected information, the Right to be Forgotten, and cryptographic key distribution systems enforced by smart contracts.


View Event →
Apr
16
2:50 PM14:50

"Practical Security: A Case Study of Product Security at the Speed of Development" by Pranav Patel of Dow Jones

Location: 19th Floor


Implementing DevSecOps practices in an environment with legacy technical debt is not widely discussed. DevSecOps practices are difficult to get off the ground in an environment of heavy technical debt because of the changes required in culture, technology and education. Without automation of security, there is no hope for security teams to keep alongside development velocity. We believe that providing security services to the organization, combined with defined, flexible processes and making security transparent to engineering ensures a high success rate. This talk will focus on areas of our success as we moved from a “scanning team” to a DevSecOps model.

Audience attending this session will take away some key principles that will help them build a robust Product Security Program:

  • Quick integration of security testing into CICD pipelines:  We developed a container-based plug n play solution that integrates basic security tools into the build process. The support structure built around this includes robust reporting, tracking, policies and governance. The advantage of this model was that we could quickly integrate with a development team and start giving them actionable results on the first day.

  •  Integration of Product Security and SecOps to build applications that can defend themselves: As the infrastructure fades into the background, all of a Product’s risk is concentrated in the application layer. Then it becomes important that applications are able to take quick actions themselves without waiting for a SecOps analyst to detect problems. We will present a few threat cases we have developed and automated to help applications defend itself.


View Event →
Apr
16
2:50 PM14:50

"Ensuring Privacy while Utilizing Potentially Sensitive Data for Machine Learning" by Sameer Wadkar and Dave Torok of Comcast

Location: 18th Floor


Our team at Comcast has developed a framework for operationalizing ML Models. It covers the full ML lifecycle from data ingestion, feature engineering, model training, and model deployment to model evaluation at runtime. We process roughly 3-5 billion predictions per day using this platform. The system support proactive (model inference based on event combinations on a stream) as well as reactive (model inference on demand).

ML Models are designed to look for signals via complex feature engineering on raw data, which may contain potentially sensitive information including PII. A solution such as ours must allow ML Model developers to access this information for feature engineering but still ensure that customer privacy is protected. We will describe how our framework manages this using a combination of methods such as encryption, removal, anonymization, and aggregations to protect privacy without losing model efficacy.

We will also describe how we support a consistent feature-engineering pipeline to process data at rest (for model training) and data on stream (for model inference). Consistent feature engineering coupled with appropriate governance processes is another process, which ensures privacy of the user.

We will describe how individual model predictions are persisted to database and can be protected from external access via traditional firewalling methods. Another model called the Decision Engine exposes an endpoint to an external user, which will securely retrieve and aggregate the predictions of the other models and use these to provide recommendations to the end-user. The DE endpoint only takes the account number of the user as the input thereby securing even individual model predictions and their engineered features even further.


View Event →
Apr
16
2:10 PM14:10

"The Advent of Privacy Engineering" by Debra Farber of BigID

Location: 19th Floor


With privacy regulations like GDPR, CCPA and NYDFS proliferating globally and putting unforgiving mandates on data privacy and governance processes, it’s critical that organizations hire talented individuals who can facilitate the technical implementation of privacy and data protection by design and default into products and services. Welcome to the advent of Privacy Engineering.

In this session, Debra Farber, senior director of privacy strategy at BigID, will explore how the field of privacy has traditionally been populated by lawyers and consultants who implement policies, handle contractual risk to data, and manage privacy risk in business processes. But in order to gain and maintain consumer trust, organizations are increasingly turning toward privacy engineers. Debra will offer actionable insight into how privacy engineers can help organizations better adopt privacy-by-design (PbD) principles; answer hard questions around whose data they have, where that data exists and who has access to it; understand critical privacy regulations and policies; and protect personal data. Debra offers that by making the right privacy engineering hires, organizations become more effective in investing in the right enterprise infrastructure, and privacy and data protection solutions – in turn, creating a culture that puts privacy first.


View Event →
Apr
16
2:10 PM14:10

"Emerging Data Security Laws: An Innovation Opportunity" by Philip Yannella of Ballard Spahr

Location: 18th Floor


Over the past decade, in the wake of a continuous string of high profile data breaches (Target, Home Depot, Sony, Yahoo, Equifax, Marriot, the list goes on), state legislatures and federal regulators have begun to pass laws and rules governing data security.  Eighteen states have now implemented data security laws requiring that companies implement reasonable data security.  The FTC also uses reasonableness as the standard for data security. Similarly, Europe's new privacy law, the General Data Protection Regulation (GDPR), requires that companies implement appropriate data security controls.  But what does this abstract concept or reasonableness mean in practice? Is MFA or encryption sufficient? Is a company obligated to conduct annual pen testing? Few laws provide clear guidelines or standards. This issue is of critical importance to companies because the California Consumer Privacy Act (CCPA) goes into effect in January 2020 and allows for statutory fines and a private right of action, where a company’s failure to maintain reasonable data security controls results in a data breach.  The GDPR allows for penalties up to $10 mm euros, or 2% of worldwide revenue for the same failure.  The reasonableness of a company's data security programs is also a central issue in data breach litigation, a growing and costly trend in the US.

For technology companies, like Comcast, the changing legal landscape presents an innovation opportunity.  How can companies develop cost-effective information security technology solutions that meet business needs and are legally compliant?   In this presentation, I will first address the issue of what reasonable data security means under U.S. state and federal law, exploring existing legal standards and projecting, based on my 20 years of litigation experience, how the issue of “reasonable” data security is likely to be addressed by U.S. courts.  Using the GDPR as a recent example, I will then explore the potential technology-focused solutions that Comcast and similar companies can use to meet these new legal standards and shape the security ecosystem.


View Event →
Apr
16
10:50 AM10:50

"Differential Privacy: Theory and Practice" by Aaron Roth of UPENN

Location: Comcast Lift Labs


In this talk, I will introduce differential privacy: what exactly it promises and does not promise, how to achieve it, and what kinds of data analyses can be carried out under its protections. I will also speak about my experiences advising the adoption of differential privacy in industrial settings, the challenges involved, and lessons learned.


View Event →