Choosing the Right Data Security Solution
Transcript of "Choosing the Right Data Security Solution"

  1. Choosing the Right Data Security Solution
     Ulf Mattsson, CTO Protegrity, ulf.mattsson AT protegrity.com

  2. Ulf Mattsson, CTO Protegrity
     - 20 years with IBM Research & Development and Global Services
     - Started Protegrity in 1994 (data security)
     - Inventor of 25 patents on encryption and tokenization
     - Member of the PCI Security Standards Council (PCI SSC), ANSI X9, IFIP WG 11.3 Data and Application Security, ISACA, ISSA and the Cloud Security Alliance (CSA)

  3. Agenda
     - Data breaches
     - Data protection trends
     - Encryption versus tokenization
     - Vault-based tokenization versus vaultless tokenization
     - Case studies
     - Summary
  5. A Growing Threat
     Attacks by Anonymous include the CIA, Interpol, Sony, Stratfor and HBGary Federal.
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

  6. Today "Hacktivism" is Dominating
     Chart: threat actors by percent of records breached. Categories: activist group (the largest share), organized criminal group, relative or acquaintance of employee, former employee (no longer had access), unaffiliated person(s), unknown.
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

  7. What Data is Compromised?
     Chart: compromised data types by percent of records. Categories: personal information (name, SSN, address, etc.), unknown (specific type not known), medical records, classified information, trade secrets, copyrighted/trademarked material, system information (config, services, software, etc.), bank account numbers/data, sensitive organizational data (reports, plans, etc.), authentication credentials (usernames, passwords, etc.), payment card numbers/data.
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

  8. LinkedIn Hit with $5 Million Class Action Suit
     By John Fontana, June 19, 2012. A class action suit against LinkedIn claims that violations of its own privacy policies and user agreements allowed hackers to steal 6.46 million password hashes (stored as unsalted SHA-1).

  9. Some Major Data Breaches
     Timeline chart, April 2011 to August 2011, plotting each breach by time, impact in dollars and attack type.
     Source: IBM 2012 Security Breaches Trend and Risk Report

 10. The Sony Breach
     - Lost 100 million passwords and personal details that were stored in the clear
     - Spent $171 million related to the data breach
     - Sony's stock price fell 40 percent
     - For three pennies an hour, hackers can rent Amazon.com's cloud servers to wage cyber attacks such as the one that crippled Sony
     - Attack via SQL injection

 11. SQL Injection Attacks are Increasing
     Chart: SQL injection attacks per quarter, Q1 2011 to Q3 2011, rising across the period (y-axis 5,000 to 25,000).
     Source: IBM 2012 Security Breaches Trend and Risk Report

 12. New Industry Groups are Targets
     Chart: breaches by industry, percent of breaches. Categories: accommodation and food services, retail trade, finance and insurance, health care and social assistance, other, information.
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

 13. The Changing Threat Landscape
     Some issues have stayed constant:
     - The threat landscape continues to gain sophistication
     - Attackers will always be a step ahead of the defenders
     We are fighting highly organized, well-funded crime syndicates and nation states. A move from detective to preventative controls is needed.
     Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

 14. How are Breaches Discovered?
     Chart: discovery method by percent of breaches. Categories: notified by law enforcement; third-party fraud detection (e.g., CPP); reported by affected customer/partner; brag or blackmail by perpetrator; unknown; witnessed and/or reported by employee; other(s); internal fraud detection mechanism; financial audit and reconciliation process; log analysis and/or review process; unusual system behavior or performance. External notification dominates; internal detection methods make up the smallest shares.
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

 15. What Assets are Compromised?
     Chart: compromised assets by percent of records. Servers: database server, web/application server, mail server, remote access server, file server, POS server (store controller). User devices: desktop/workstation, laptop/netbook, pay-at-the-pump terminal, ATM, POS terminal. People: call center staff, cashier/teller/waiter, regular employee/end-user. Offline: payment card (credit, debit, etc.).
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

 16. Hacking and Malware are Leading Threat Action Categories
     Chart: threat action categories by percent of records: hacking, malware, social, physical, misuse, error, environmental. Hacking and malware lead.
     Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
 18. Use of Enabling Technologies
     Survey chart with two series per technology; the legend identifies one series as "Evaluating", the label of the other did not survive extraction.

     Technology                     Series 1   Series 2
     Access controls                  1%         91%
     Database activity monitoring    18%         47%
     Database encryption             30%         35%
     Backup / archive encryption     21%         39%
     Data masking                    28%         28%
     Application-level encryption     7%         29%
     Tokenization                    22%         23%

 19. How can we Secure The Data Flow?
     Diagram: card data (shown as 9999 9999) flowing from the retail store through the corporate network systems to the bank's payment systems.

 20. What Has The Industry Done?
     Input value: 3872 3789 1620 3675. Methods are listed in order of introduction (time axis: 1970, 2000, 2005, 2010).

     Method                                     Example output              Total cost of ownership
     Strong encryption (AES, 3DES)              !@#$%a^.,mhu7///&*B()_+!@   High
     Format preserving encryption (DTP, FPE)    8278 2789 2990 2789
     Vault-based tokenization                   8278 2789 2990 2789         Greatly reduced key management
     Vaultless tokenization                     8278 2789 2990 2789         Low; no vault
 22. We Started with Vault-Based Tokenization ...

 23. Issues with Vault-based Tokenization

 24. Goal: Miniaturization of the Tokenization Server
     Diagram: evolution from the vault-based tokenization server to the vaultless tokenization server.

 25. Tokenization Differentiators

     Criterion                    Vault-based tokenization                          Vaultless tokenization
     Footprint                    Large, expanding                                  Small, static
     High availability and        Complex, expensive replication required           No replication required
       disaster recovery
     Distribution                 Practically impossible to distribute              Easy to deploy at different geographically
                                  geographically                                    distributed locations
     Reliability                  Prone to collisions                               No collisions
     Performance, latency         Will adversely impact performance and             Little or no latency; fastest industry
       and scalability            scalability                                       tokenization
     Extendibility                Practically impossible                            Unlimited tokenization capability
 27. Speed of Different Protection Methods
     Chart: transactions per second on a logarithmic scale (100 to 10,000,000) for vault-based data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization; the bar heights are not recoverable from the transcript. (*) Speed will depend on the configuration.

 28. Security of Different Protection Methods
     Chart: security level (low to high) for the same four methods: vault-based data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization. The bar heights are not recoverable from the transcript. Note that a table-based tokenization scheme is only as strong as the secrecy of its tables, just as a cipher is only as strong as the secrecy of its keys; the tables need the same protection and access control as key material.

 29. External Validation of Vaultless Tokenization
     "The Vaultless tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions."
     Prof. Dr. Ir. Bart Preneel, Katholieke Universiteit Leuven, Belgium
     * Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven and president of the International Association for Cryptologic Research.
     * Rijndael, the cipher selected as the Advanced Encryption Standard (AES), was co-designed by Vincent Rijmen of the COSIC group at Katholieke Universiteit Leuven (together with Joan Daemen).
 31. Case Study: Large Chain Store
     Why? Reduce compliance cost by 50%.
     - 50 million credit cards, 700 million daily transactions
     - Performance challenge: initial tokenization went from 30 days with the basic approach to 90 minutes with vaultless tokenization
     - End-to-end tokens: started with the data warehouse and expanding to the stores
     - Lower maintenance cost: no longer have to apply all 12 PCI DSS requirements to tokenized systems
     - Better security: able to eliminate several business and daily reports that carried card data
     - Qualified Security Assessors had no issues: "With encryption, implementations can spawn dozens of questions"; "There were no such challenges with tokenization"

 32. Case Studies: Retail
     Customer 1: Why? Three major concerns solved
     - Performance challenge: initial tokenization
     - Vendor lock-in: what if we want to switch payment processor?
     - Extensive enterprise end-to-end credit card data protection
     Customer 2: Why? Desired a single vendor to provide data protection
     - Combined use of tokenization and encryption
     - Looking to expand tokens beyond card numbers to PII
     Customer 3: Why? Remove compensating controls from the mainframe
     - Tokens on the mainframe to avoid compensating controls

 33. What about Breaches & PCI? Was Data Protected?
     Chart: share of breached organizations found in compliance with each PCI DSS requirement, based on post-breach reviews (Verizon study), listed in the order shown on the slide, with requirement 3 (protect stored data) at the bottom:
     - 9: Restrict physical access to cardholder data
     - 5: Use and regularly update anti-virus software
     - 4: Encrypt transmission of cardholder data
     - 2: Do not use vendor-supplied defaults for security parameters
     - 12: Maintain a policy that addresses information security
     - 1: Install and maintain a firewall configuration to protect data
     - 8: Assign a unique ID to each person with computer access
     - 6: Develop and maintain secure systems and applications
     - 10: Track and monitor all access to network resources and data
     - 11: Regularly test security systems and processes
     - 7: Restrict access to data by business need-to-know
     - 3: Protect stored data

 34. How Should I Secure Different Data?
     Matrix: type of data (unstructured to structured) against use case (simple to complex). File encryption fits unstructured data; field-level encryption and tokenization fit structured data such as PCI cardholder data, PII and PHI (Protected Health Information).

 35. Flexibility in Token Format Controls

     Type of data      Input                          Token                                 Comment
     Credit card       3872 3789 1620 3675            8278 2789 2990 2789                   Numeric
     Credit card       3872 3789 1620 3675            8278 2789 2990 3675                   Numeric, last 4 digits exposed
     Credit card       3872 3789 1620 3675            3872 qN4e 5yPx 3675                   Alpha-numeric, first and last 4 digits exposed
     Medical ID        29M2009ID                      497HF390D                             Alpha-numeric
     Date              10/30/1955                     12/25/2034                            Date; multiple date formats supported
     E-mail address    yuri.gagarin@protegrity.com    empo.snaugs@svtiensnni.snk            Alpha-numeric
     SSN               075672278 or 075-67-2278       287382567 or 287-38-2567              Numeric; delimiters in the input are preserved
     Invalid Luhn      5105 1051 0510 5100            8278 2789 2990 2782                   Token deliberately fails the Luhn check
     Binary            0x010203                       0x123296910112                        Alpha-numeric
     Alpha indicator   5105 1051 0510 5100            8278 2789 299A 2781                   Position of the alpha indicator is configurable
     Decimal           123.45                         9842.56                               Non length preserving
     Multi-merchant    3872 3789 1620 3675            Merchant 1: 8278 2789 2990 2789       A different token is delivered to each merchant
                                                      Merchant 2: 9302 8999 2662 6345       for the same credit card number
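     The following is an added example, not code from the deck or from Protegrity, illustrating the differentiators of slide 25, the "fully randomized tables, no synchronization, no collisions" property quoted on slide 29, and the last-4-exposed, delimiter-preserving, Luhn-failing and multi-merchant token formats of slide 35. The vault-based tokenizer keeps a growing lookup table and must check every new random token against it; the vaultless tokenizer derives static per-position digit permutations from a secret and chains them on the previous token digit, so each step is a bijection and the mapping cannot collide, while any node with the same tables produces the same token. The chained-permutation construction, the per-merchant secrets 1001 and 2002, the use of random.Random as a stand-in for one-time CSPRNG table generation, and the sample numbers (5105 1051 0510 5100 is a well-known test PAN) are assumptions of this example.

```python
"""Toy vault-based vs. vaultless (table-based) tokenizers.  Constructed example,
not Protegrity's product code; table construction and secrets are assumptions."""
import random
from typing import Dict, List

DIGITS = "0123456789"


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit that makes payload + digit a valid number."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # digit left of the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    digits = "".join(c for c in number if c.isdigit())
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


class VaultTokenizer:
    """Vault-based: a random token per value, stored in a lookup table (the vault)
    that grows with every new value and must be shared by every issuing node,
    otherwise two nodes can hand out the same token for different values."""

    def __init__(self, seed: int) -> None:
        self.rng = random.Random(seed)     # stand-in for a CSPRNG
        self.vault: Dict[str, str] = {}    # value -> token
        self.reverse: Dict[str, str] = {}  # token -> value

    def tokenize(self, value: str) -> str:
        if value in self.vault:
            return self.vault[value]
        while True:
            token = "".join(self.rng.choice(DIGITS) for _ in value)
            if token not in self.reverse:  # collision check needs the whole vault
                break
        self.vault[value] = token
        self.reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self.reverse[token]


class VaultlessTokenizer:
    """Vaultless: static randomized substitution tables derived once from a secret.
    tables[pos][prev] is a permutation of the ten digits selected by the digit
    position and the previous *token* digit, which both directions can see, so
    each step is a bijection and the whole mapping is collision-free.  The tables
    are the secret and must be protected like a key."""

    def __init__(self, secret: int, max_len: int = 19) -> None:
        rng = random.Random(secret)        # stand-in for one-time CSPRNG generation
        self.tables: List[List[str]] = [
            ["".join(rng.sample(DIGITS, 10)) for _ in range(10)] for _ in range(max_len)
        ]

    def _map(self, digits: str, forward: bool) -> str:
        out, prev = [], 0
        for pos, ch in enumerate(digits):
            table = self.tables[pos][prev]
            o = table[int(ch)] if forward else DIGITS[table.index(ch)]
            out.append(o)
            prev = int(o if forward else ch)   # always chain on the token digit
        return "".join(out)

    @staticmethod
    def _relayout(template: str, digits: str) -> str:
        """Re-insert the template's delimiters (spaces, dashes) around digits."""
        it = iter(digits)
        return "".join(next(it) if c.isdigit() else c for c in template)

    def tokenize(self, value: str, expose_last: int = 0, fail_luhn: bool = False) -> str:
        digits = "".join(c for c in value if c.isdigit())
        if fail_luhn:
            # Tokenize the payload and append a deliberately wrong check digit, so the
            # token can never pass as a real PAN; reversible because a genuine PAN's
            # check digit is recomputable from its payload.
            if not luhn_valid(digits):
                raise ValueError("fail_luhn mode requires a Luhn-valid input")
            body = self._map(digits[:-1], True)
            token = body + str((luhn_check_digit(body) + 1) % 10)
        else:
            cut = len(digits) - expose_last
            token = self._map(digits[:cut], True) + digits[cut:]
        return self._relayout(value, token)

    def detokenize(self, token: str, expose_last: int = 0, fail_luhn: bool = False) -> str:
        digits = "".join(c for c in token if c.isdigit())
        if fail_luhn:
            payload = self._map(digits[:-1], False)
            plain = payload + str(luhn_check_digit(payload))
        else:
            cut = len(digits) - expose_last
            plain = self._map(digits[:cut], False) + digits[cut:]
        return self._relayout(token, plain)


if __name__ == "__main__":
    pan = "5105 1051 0510 5100"                    # constructed test PAN (Luhn-valid)
    merchant_1 = VaultlessTokenizer(secret=1001)   # assumed per-merchant secrets
    merchant_2 = VaultlessTokenizer(secret=2002)
    print(merchant_1.tokenize(pan, expose_last=4))  # last 4 digits exposed
    print(merchant_2.tokenize(pan, expose_last=4))  # different token, same PAN
    print(merchant_1.tokenize(pan, fail_luhn=True)) # never passes a Luhn check
```

     Two merchants get different tokens for the same card because they hold different tables, exactly as the multi-merchant row above describes, and a second node constructed from the same secret produces identical tokens with nothing replicated. The vault variant, by contrast, can only rule out collisions by consulting the entire mapping, which is the replication and footprint cost of slide 25.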
 36. What are the benefits of Tokenization?
     - Reduces the complexity of key management
     - Reduces the number of hacker targets
     - Reduces the remediation needed for protecting systems
     - Reduces the cost of PCI compliance
     Additional benefits with Protegrity Vaultless Tokenization:
     - Infinitely scalable; fastest tokenization method in the world
     - Simplicity and security: no replication, no collisions
     - Flexible and easy to deploy and distribute
     - Lower total cost of ownership than vault-based tokenization

 37. About Protegrity
     Proven enterprise data security software and innovation leader
     - Sole focus on the protection of data
     - Patented technology, continuing to drive innovation
     Growth driven by compliance and risk management
     - PCI (Payment Card Industry)
     - PII (Personally Identifiable Information)
     - PHI (Protected Health Information), HIPAA
     - State and foreign privacy laws, breach notification laws
     Cross-industry applicability
     - Retail, hospitality, travel and transportation
     - Financial services, insurance and banking
     - Healthcare, telecommunications, media and entertainment
     - Manufacturing and government

 38. Summary
     Optimal support of complex enterprise requirements
     - Heterogeneous platform supports all operating systems and databases
     - Flexible protectors (database, application, file)
     - Risk-adjusted data protection offers options for protecting data with the appropriate strength
     - Built-in key management
     - Consistent enterprise policy enforcement and audit logging
     Innovative
     - Pushing data protection with industry leading
     Proven
     - Proven platform currently protects the world's largest companies
     Experienced
     - Experienced staff will be there with support along the way to complete data protection

 39. Questions and Answers
     Ulf Mattsson, Protegrity CTO, ulf.mattsson AT protegrity.com
     Elaine Evans, Protegrity Marketing, elaine.evans AT protegrity.com
     www.protegrity.com