Ken Smith - Tokenization

    Ken Smith - Tokenization Presentation Transcript

    • Slide 1: We've secretly replaced your sensitive information with useless data.
        ◦ Ken Smith, Enterprise Security Consultant, CISSP CISA GCIH QSA
        ◦ SOURCE Boston, 20 April, 2011
        ◦ Twitter: @ken5m1th
    • Slide 2:
        ◦ What's so appealing about tokenization?
        ◦ How it works
        ◦ Tokenization types
        ◦ Misconceptions and vendor FUD
        ◦ How to screw it up
        ◦ How to do it well
        ◦ Implementation process
        ◦ The future
        ◦ The Holy Grail
    • Slide 3:
        ◦ Easy to implement
        ◦ One size fits all
        ◦ Your data security concerns go away
        ◦ Compliance is easy once implemented
    • Slide 4:
        ◦ Easy to implement
        ◦ One size fits all
        ◦ Your data security concerns go away
        ◦ Compliance is easy once implemented
        ◦ *According to fairies and unicorns
    • Slide 5: It addresses the major issues with encryption (image source: xkcd.com)
    • Slide 6: It addresses the major issues with encryption (image source: www.jakeludington.com)
    • Slide 7: It addresses the major issues with encryption
    • Slide 8:
        ◦ Manage access controls for data and keys
        ◦ Encrypt whenever data is at rest
        ◦ Encrypt whenever data is in transit
        ◦ Secure key generation and distribution
        ◦ Records retention and destruction
        ◦ Manage all compliance requirements
            ◦ PCI DSS
            ◦ Mass 93H/201CMR17.00
            ◦ All other state notification laws
            ◦ HIPAA
    • Slide 9: Protect the tokenized data according to its new data classification (not sensitive)
    • Slide 10:
        ◦ 1. Sensitive data gathered
        ◦ 2. Sensitive data encrypted and stored in highly protected vault
        ◦ 3. Token value created and returned back to original systems/databases
        ◦ Diagram: Sensitive Data (Credit card #, SSN, Other); Tokenizing Process (Encryption, Key mgmt, Token DB); Token (Replacement value, Not sensitive)
    • Slide 11:
        ◦ Format preserving
        ◦ Hosted shopping cart
        ◦ Pay page
        ◦ Tokenize during clearing
        ◦ Tokenize at authorization
        ◦ Offsite vault
        ◦ Onsite vault
        ◦ Tokenize after settlement
    • Slide 25:
        ◦ Tokenization is always better than encryption
        ◦ Offload to a third-party and it's no longer your problem
        ◦ PCI DSS scope will always be reduced or eliminated
        ◦ It's always simple to implement
    • Slide 26:
        ◦ The apps that tokenize the data can also de-tokenize
        ◦ Many users still need/use the sensitive data
        ◦ Put everything on the same system/network
        ◦ Co-mingling tokens with sensitive data
        ◦ Implementing because it's a cool buzzword
    • Slide 27:
        ◦ The apps that call the tokenization process should not have the ability to de-tokenize, access decryption keys, or access stored sensitive data even in encrypted form
        ◦ Encrypted data stored in a segmented and highly secured 'vault'
        ◦ Standard users should not have the ability to de-tokenize data – the token value is good enough
        ◦ Users that need to de-tokenize data should use an out-of-band method
        ◦ If using third-party offsite solution, remove yourself from the transaction
    • Slide 28:
        ◦ Evaluate your requirements
        ◦ Pick a product
        ◦ Implement product
        ◦ All of your information security challenges have been solved!*
        ◦ *In rainbow and unicorn land
    • Slide 29: First, ask the following questions:
        ◦ 1. Do you really need to store the data?
        ◦ 2. Are you really really sure?
        ◦ 3. And the last time that happened was...?
        ◦ 4. I know, I know... but do you need the whole number?
    • Slide 30:
        ◦ Define your requirements
        ◦ Clearly define the scope
        ◦ Investigate all potential solutions
        ◦ Redefine your requirements
        ◦ Redefine the scope
        ◦ Evaluation/POC
        ◦ Implement solution
        ◦ Constantly monitor product effectiveness
        ◦ Continue to assess risk as usual
    • Slide 31:
        ◦ Important component of data protection
        ◦ Improvements to deployment models
        ◦ Moving closer to the point of data capture
        ◦ Cloud adoption will drive the need
        ◦ Employed to protect other types of data
        ◦ Fewer companies managing their own encryption solutions
    • Slide 32:
        ◦ Encrypted data stored in highly secure 'vault'
        ◦ Most of your business can function with only the token value
        ◦ Sensitive data checks in, doesn't check out
        ◦ Access method is "out of band"
    • Slide 33:
        ◦ A step up from encrypting data
        ◦ Get rid of data you don't really need
        ◦ Removes the crown jewels
        ◦ Can be used to protect different types of data
        ◦ Multiple flavors to choose from
        ◦ App should tokenize, not de-tokenize
        ◦ The Holy Grail is possible (e-Commerce)
        ◦ Thank you! Ken Smith
            ◦ ken@ksm1th.com
            ◦ http://twitter.com/ken5m1th
            ◦ http://post.ksm1th.com
            ◦ http://www.linkedin.com/in/1ksmith
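
The separation that slides 10 and 27 describe (an application can obtain a token but cannot reverse it, and de-tokenization goes through a separate out-of-band path) can be shown in code as follows. This is an added example, not code from the presentation. The `Vault` class, the shared-secret check, keeping the last four digits, and rejecting tokens that pass the Luhn check are assumptions made for illustration, and a plain dict stands in for the encrypted vault store.

```python
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """Hypothetical vault service. A dict stands in for the encrypted,
    segmented store the slides describe; encryption and key management
    are out of scope here."""

    def __init__(self, detokenize_secret: bytes):
        self._secret = detokenize_secret  # held only by the out-of-band path
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Interface given to applications: card number in, token out."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:  # same number always maps to one token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # format preserving: same length, last four kept
            # Reject collisions and tokens that would pass as a real card number.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, secret: bytes) -> str:
        """Out-of-band interface: requires a secret applications never hold."""
        if not hmac.compare_digest(secret, self._secret):
            raise PermissionError("de-tokenization not permitted")
        return self._pan_by_token[token]
```

Because the token is random rather than derived from the card number, a stolen token database reveals nothing beyond the last four digits unless the vault itself is compromised.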