Tokenization Webinar featuring Securosis - Intel

  • Title: Enterprise API Best Practices (John) – ~15 slides – Talk for 25-30 minutes
    I. API Evolution – Where did they come from? (6-8 slides)
      a. APIs evolved from SOA as services
      b. Now they are pervasive – REST/JSON is king
      c. 2011 API growth was huge – what will 2012 look like?
      d. API business model slides – which types of businesses benefit the most from APIs? (Blake to help with this)
      e. Comparison to website – APIs are the new “website”
    II. Categories: Open APIs versus Private APIs (4 slides)
      a. Open APIs focus on developer on-boarding and platform enablement – name examples
      b. Private APIs (Enterprise APIs) focus on security, scalability, and availability – name examples of these (if you have some)
      c. For Enterprise APIs, developer on-boarding is less of an issue
    III. Hosted vs On-Premise (1-2 slides)
      a. What are the pros and cons of hosting an API through an enabler service (Mashery/APIgee) versus doing it yourself.
      b. Hosted – Good for open APIs, as the developer community is more important
      c. On-Premise – Good for private/enterprise grade APIs, as security and scalability are paramount
    (Blake) – 8 to 10 slides – Talk for 10-15 minutes
    III. Enterprise Use cases – Types of things an Enterprise wants to do (1-2 slides)
    IV. The value of the gateway pattern – abstraction (consuming APIs) and security (protecting APIs) – (2 slides)
    V. Security overview – threats, trust, anti-malware, data loss prevention (1 slide)
    VI. Intel Expressway Product Pitch (2 slides)
    VII. Customer Examples (2 slides)
  • Embedded Secure Vault – Clustered, high performance secure vault with unlimited token capacity
    Horizontal Scalability – Additive, load scalability increases performance for each additional node
    High Availability – N-to-N/Active-Active HA Clustering
    Hitless Key Rotation – Change vault encryption keys with zero downtime
    Hardware Upgrade – 10G Ethernet, Dual Disks, 32GB Memory, Dual SSD drives (300GB)
    Log Privacy and Security – Redaction
    Custom Credit Card Support – User-defined credit card length support, including 19 digit cards
    Vault Back-Up & Restore – Supports manual back-up and restore for archival.
  • Resources on the PCI Solutions page of DP include the following: Eval Version of Tokenization Broker, Data Sheet, PCI DSS White Paper, Gateway Tokenization Webinar Playback, QSA Assessors Guide (New content’s being added on a regular basis - please keep posted!)

Transcript

  • 1. Choosing From 3 Core PCI-DSS Tokenization Models
    A. Tokenize 100%
    B. Modify Apps
    C. Proxy data in transit
    Adrian Lane – Securosis PCI-DSS Analyst
    Blake Dournaee, Intel Application Security & Identity Products
  • 2. Today’s Agenda
    • Basic tokenization flows - recap
    • Differing tokenization needs based on volume & merchant type
    • Pros/cons outsource vs on-prem
    • Proxy & encryption models
    • 3 core solution deployment patterns
    • Use cases
    (Slide graphic: Scope Reduction)
  • 3. Presents Tokenization Use Cases
    Adrian Lane, CTO
    alane@securosis.com
    Twitter: @AdrianLane
  • 4. About Securosis
  • 5. One key question: Why use tokenization?
  • 6. To make data security easier ...
    • Tokenization means:
      - Fewer controls
      - Less complexity
      - Reduced audit scope
      - Fewer systems to review
  • 7. To save time ...
  • 8. And to save money.
    • Fewer security products for fewer systems
    • Fewer reports
    • Auditors have less to do
  • 9. How does it work?
  • 10. Here’s how:
    • By removing confidential data
    • Replace with low value token
    • Reduce CC#/PAN access
    • Reducing system interdependence
    • Fewer checks, controls and reports
  • 11. 2 Minute Tokenization Primer:
    • Tokenization replaces sensitive data with a random value.
    • Sensitive data is kept encrypted in a data vault.
    • The real data is only exposed when absolutely necessary.
    • Applications function as normal as token preserves format and data type.
  • 12. The Tokens
    • Should be random or semi-random.
    • Same format as original value (e.g. 16 digits, passes LUHN check).
    • Some characteristics may carry-over (e.g. last 4 digits of a credit card number).
    • Single or multi-use.
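Added example, not code from the slides or from either vendor: a constructed Python stand-in for the token server and vault described on slides 11 and 12. It issues 16-digit tokens that pass the Luhn check and carry over the PAN's last four digits, keeps the token-to-PAN mapping in an in-memory vault (a real vault encrypts this at rest and replicates it), and supports both multi-use and single-use tokens. The PAN, class and function names are all constructed for this example.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn (mod-10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """16-digit token: 11 random digits, one adjustment digit so the whole token
    passes Luhn, and the PAN's last 4 digits carried over (slide 12)."""
    while True:
        head = "".join(str(secrets.randbelow(10)) for _ in range(11))
        # Exactly one adjustment digit makes head + adj + last4 pass Luhn.
        for adj in "0123456789":
            candidate = head + adj + pan[-4:]
            if luhn_valid(candidate):
                break
        if candidate != pan:  # never hand the real PAN back as its own token
            return candidate


class TokenVault:
    """Constructed in-memory stand-in for the token server/vault; a production vault
    keeps these mappings encrypted at rest inside the CDE."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}  # multi-use: same PAN -> same token

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        if multi_use and pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = make_token(pan)
        while token in self._token_to_pan:  # retry on the rare collision
            token = make_token(pan)
        self._token_to_pan[token] = pan
        if multi_use:
            self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the CDE, can map a token back to the real PAN."""
        return self._token_to_pan[token]
```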
  • 13. Basic Architecture
  • 14. Integration Options
    • Application API Calls
    • Proxy Agents
    • Database Queries
    • Back-office Systems
  • 15. Basic architecture (slide diagram): Non-CDE side – tokenized applications and tokenized databases, out of scope; Cardholder Data Environment – token server, token database and authorized systems, in scope; a de-tokenization request path runs between the two.
  • 16. Failover & Performance • Distributed • Replicated • Code books
  • 17. You can’t steal what’s not there!
  • 18. PCI Security Standards Council on Tokenization
  • 19. Is it right for me?
    • Answer: It depends
      • Your type of business
      • Your application environment
      • The size of your business
      • Your goals
  • 20. Deployment Models
    • In-house software/hardware
    • Edge tokenization
    • Tokenization-aaS
    • FPE
  • 21. Use Case #1: Big Box Retail Chain
    • Web and retail locations
    • Huge transaction volume
    • POS, Card-swipe and web payment options
    • Tightly integrated back office systems
    • Full PCI Audits
  • 22. In-house Tokenization
  • 23. Use Case #1: Buying Decision
    • Per-transaction cost overriding factor
    • Worried about modifying existing applications
    • Want to reduce audit costs
    • Want reduced complexity, and scope reduction through reduced card storage
  • 24. Use Case #2: Small Service Provider
    • Small transaction volume
    • Handful of retail locations
    • POS & Web site
    • Need to comply with self-assessment
    • No in-house security staff
  • 25. Tokenization-aaS
  • 26. Use Case #2: Buying Decision
    • Have no idea what PCI is but must comply as credit cards are key to their business
    • Accept higher per-transaction costs for removal of all PAN/Mag stripe data
    • Provider supports repayments/remediation
    • Minimal modification to existing applications
  • 27. Use Case #3: Giant Web Retailer
    • No physical stores
    • Huge transaction volume
    • Multiple payment providers, promotions
    • Web payment and shopping cart applications
    • Data and IT security expertise
    • COTS applications with customizations
  • 28. Edge/Proxy Tokenization
  • 29. Use Case #3: Buying Decision
    • Very minor software upgrade
    • Dramatically reduced audit scope
    • Far less chance of data breach
    • Supports multiple payment providers via single shopping cart application
    • Maintains customer relationship
  • 30. Use Case #4: Mid-sized merchant
    • All in-store sales, small web presence
    • Sizable POS investment
    • Highly cost-conscious
    • COTS applications, no in-house software
    • No in-house IT security
    • Worried about liability, CC# theft
  • 31. Tokenization with FPE
  • 32. Encryption vs. Tokenization (slide diagram): Encryption – Key + Algorithm; Tokenization – Tokenization Server
  • 33. Use Case #4: Buying Decision
    • Did not require application modifications
    • FPE built into existing infrastructure
    • Reduced scope through highly restricted key access and key management
    • Moderate per-transaction service fees
  • 34. Buying decisions ...
    • How much are transaction costs?
    • How costly to integrate into my apps?
    • Does it reduce PCI scope?
    • Does it work with my systems?
    • Is it reliable? Is it fast?
    • Have I reduced my risk?
  • 35. Selection Process
  • 36. Summary
    • Reduces security risks
    • Reduces complexity
    • Minimal IT systems impact
    • Reduces compliance costs
    • Securosis Whitepapers for more details
  • 37. Adrian Lane, Securosis, L.L.C.
    alane@securosis.com
    Twitter: AdrianLane
  • 38. Cloud Service Broker Capabilities: Reduce PCI Scope, Lower Costs & Protect Cardholder Data
    Blake Dournaee, Product Management, Application Security and Identity Products
  • 39. Tokenization Strategies
    Sample code from the slide:

        // Input data to be tokenized.
        String inputData = new String("1234 5678 9012 3456");
        // Get new instance of tokenization server
        TokenizationServer server = new TokenizationServer("192.167.1.1", "443");
        // Tokenize data, and catch exceptions
        try {
            String token = server.tokenize(inputData);
        } catch (Exception e) {
            // handle the tokenization failure
        }

    Three strategies compared on the slide:
    • Monolithic “Big Bang” Tokenization (Modify Everything) – costs reduced by rip and replace of entire architecture
    • API or SDK Tokenization (Modify Point Applications) – costs reduced by point application changes
    • Proxy Tokenization (Modify Data in Transit) – costs reduced by altering data online with minimal application changes
  • 40. Tokenization Strategies
    Monolithic Tokenization (Big Bang)
      Strategy: Strive to take the entire datacenter out of scope
      Key challenges: Time to value, requires POS retail upgrades, bank/payment processor lock-in; inflexible to change
      Key benefits: Eventually results in cost savings
      Example: RSA/FirstData, Verifone, Voltage (P2P Encryption+Tokenization)
    API or SDK Tokenization
      Strategy: Remove individual applications from scope through an SDK or agent
      Key challenges: Each application requires code changes, usually structured vault is difficult to scale; each application changed must be assessed
      Key benefits: Results in modest scope and risk reduction
      Example: Protegrity, nuBridges, Safenet, Voltage
    Modular or Proxy Tokenization
      Strategy: Remove data flows from scope using a proxy
      Key challenges: Applications must redirect data flows to a new IP address
      Key benefits: Faster time to value, requires fewer application changes; data is tokenized on the wire; massive scalability; assessment is centralized to a security gateway
      Example: Intel Expressway Tokenization Broker
  • 41. Typical Retail Architecture (slide diagram): Browser, E-Commerce Website Engine, Retail POS, Settlement Engine, AuthZ Engine, Syndication Channels (Amazon)
  • 42. Typical PCI DSS Scope (slide diagram with the same components; legend: Outside of Retailer / In PCI DSS Scope / Out of PCI DSS Scope)
  • 43. Scope with Expressway Tokenization Broker (slide diagram with the same components and legend)
  • 44. Product Details
  • 45. Intel® Expressway Tokenization Broker – V2 (1H, 2012)
    Hardware or Software Broker
    • Tamper resistant appliance with redundant, solid state storage
    • Software on Linux AS5-64
    Sample Tokenization Application
    • Token Exchange
    • Token Management
    • User-defined credit card lengths, including 19 digit cards
    Secure Token Vault
    • Clustered, high performance secure vault with unlimited token capacity
    • Base configuration supports 300M tokens
    Highly Scalable “NoSQL” Vault
    • Horizontal scalability increases performance for each additional node
    • High availability provided by N-to-N/Active-Active HA Clustering
    • Full back-up and restore capabilities
    Hitless Key Rotation
    • Change vault encryption keys with zero downtime
    • Addresses PCI-DSS 3.6.4 without stopping a single transaction
    Intel® Services Designer & Web Interface
    • Policy Design and Deployment
    • Token Exchange / Management Actions
    • Policy Deployment & Monitoring
    Quoted on the slide: “SQL databases are fundamentally non-scalable, and there is no magical pixie dust that we, or anyone, can sprinkle on them to suddenly make them scale.” - Adam Wiggins, Founder of Heroku (Cloud APaaS, Acquired by Salesforce.com)
  • 46. Goal: E-Commerce Order Processing / Manual Invoice Processing
    Problem: Exception cases require manual review, bringing additional systems into scope
    Solution: Internal tokenization
    (Slide diagram: Payment Processor; Merchant Data Center containing E-Commerce Website, Web Server, Invoice with Credit Card Number, Payment Application, BPM System, Supply Chain Apps, Order Exception Portal, Manual review of invoice and re-entry, Data Store, Additional Post-Payment Applications; PCI Scope boundary)
  • 47. Goal: E-Commerce Order Processing / Manual Invoice Processing (same problem, solution and diagram labels as slide 46)
  • 48. Goal: Bill Processing, Consolidation, Printing / Financial Statement Processor
    Problem: Non-payment processing applications contain PAN information, increasing scoping costs
    Solution: Internal tokenization
    (Slide diagram: Service Provider Data Center containing Large Data Feeds with PAN data, Billing Information and Documents with original PAN, Customized Bills and Statements, Data Connected App. Databases, Customer Portals, IBM WebSphere Middleware, Invoicing, Bill Payment, Bill Production and Printing, Bank Statement Customization and Consolidation; PCI Scope boundary)
  • 49. Goal: Bill Processing, Consolidation, Printing / Financial Statement Processor (same problem and solution as slide 48; the diagram adds Edge Security + Tokenization and a Data w/ Tokens label)
  • 50. For Additional Information, go to: www.intel.com/go/identity
    Download: Eval, Data Sheet, PCI White Paper, Assessors Guide
    E-mail: intelsoainfo@intel.com