Ken Smith - Tokenization
Transcript

  • 1. We've secretly replaced your sensitive information with useless data. Ken Smith, Enterprise Security Consultant (CISSP, CISA, GCIH, QSA). SOURCE Boston, 20 April 2011. Twitter: @ken5m1th
  • 2.
    ◦ What's so appealing about tokenization?
    ◦ How it works
    ◦ Tokenization types
    ◦ Misconceptions and vendor FUD
    ◦ How to screw it up
    ◦ How to do it well
    ◦ Implementation process
    ◦ The future
    ◦ The Holy Grail
  • 3.
    ◦ Easy to implement
    ◦ One size fits all
    ◦ Your data security concerns go away
    ◦ Compliance is easy once implemented
  • 4.
    ◦ Easy to implement
    ◦ One size fits all
    ◦ Your data security concerns go away
    ◦ Compliance is easy once implemented*
    *According to fairies and unicorns
  • 5. It addresses the major issues with encryption (Source: xkcd.com)
  • 6. It addresses the major issues with encryption (Image source: www.jakeludington.com)
  • 7. It addresses the major issues with encryption
  • 8.
    ◦ Manage access controls for data and keys
    ◦ Encrypt whenever data is at rest
    ◦ Encrypt whenever data is in transit
    ◦ Secure key generation and distribution
    ◦ Records retention and destruction
    ◦ Manage all compliance requirements
      ◦ PCI DSS
      ◦ Mass 93H / 201 CMR 17.00
      ◦ All other state notification laws
      ◦ HIPAA
  • 9. Protect the tokenized data according to its new data classification (not sensitive)
  • 10.
    ◦ 1. Sensitive data gathered
    ◦ 2. Sensitive data encrypted and stored in highly protected vault
    ◦ 3. Token value created and returned back to original systems/databases
    ◦ Diagram: Sensitive Data (credit card #, SSN, other) → Tokenizing Process (encryption, key mgmt, token DB) → Token (replacement value, not sensitive)
  • 11.
    ◦ Format preserving
    ◦ Hosted shopping cart
    ◦ Pay page
    ◦ Tokenize at authorization
    ◦ Tokenize during clearing
    ◦ Tokenize after settlement
    ◦ Onsite vault
    ◦ Offsite vault
  • 12.–24. Image-only slides (no transcript text)
  • 25.
    ◦ Tokenization is always better than encryption
    ◦ Offload to a third party and it's no longer your problem
    ◦ PCI DSS scope will always be reduced or eliminated
    ◦ It's always simple to implement
  • 26.
    ◦ The apps that tokenize the data can also de-tokenize
    ◦ Many users still need/use the sensitive data
    ◦ Put everything on the same system/network
    ◦ Co-mingling tokens with sensitive data
    ◦ Implementing because it's a cool buzzword
  • 27.
    ◦ The apps that call the tokenization process should not have the ability to de-tokenize, access decryption keys, or access stored sensitive data, even in encrypted form
    ◦ Encrypted data stored in a segmented and highly secured 'vault'
    ◦ Standard users should not have the ability to de-tokenize data; the token value is good enough
    ◦ Users that need to de-tokenize data should use an out-of-band method
    ◦ If using a third-party offsite solution, remove yourself from the transaction
  • 28.
    ◦ Evaluate your requirements
    ◦ Pick a product
    ◦ Implement product
    ◦ All of your information security challenges have been solved!*
    *In rainbow and unicorn land
  • 29. First, ask the following questions:
    ◦ 1. Do you really need to store the data?
    ◦ 2. Are you really, really sure?
    ◦ 3. And the last time that happened was...?
    ◦ 4. I know, I know... but do you need the whole number?
  • 30.
    ◦ Define your requirements
    ◦ Clearly define the scope
    ◦ Investigate all potential solutions
    ◦ Redefine your requirements
    ◦ Redefine the scope
    ◦ Evaluation/POC
    ◦ Implement solution
    ◦ Constantly monitor product effectiveness
    ◦ Continue to assess risk as usual
  • 31.
    ◦ Important component of data protection
    ◦ Improvements to deployment models
    ◦ Moving closer to the point of data capture
    ◦ Cloud adoption will drive the need
    ◦ Employed to protect other types of data
    ◦ Fewer companies managing their own encryption solutions
  • 32.
    ◦ Encrypted data stored in highly secure 'vault'
    ◦ Most of your business can function with only the token value
    ◦ Sensitive data checks in, doesn't check out
    ◦ Access method is "out of band"
  • 33.
    ◦ A step up from encrypting data
    ◦ Get rid of data you don't really need
    ◦ Removes the crown jewels
    ◦ Can be used to protect different types of data
    ◦ Multiple flavors to choose from
    ◦ App should tokenize, not de-tokenize
    ◦ The Holy Grail is possible (e-Commerce)
    ◦ Thank you! Ken Smith
      ◦ ken@ksm1th.com
      ◦ http://twitter.com/ken5m1th
      ◦ http://post.ksm1th.com
      ◦ http://www.linkedin.com/in/1ksmith
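The three-step process on slide 10 and the "app tokenizes but cannot de-tokenize" rule on slides 27 and 32, as an added Python example (not code from the deck or any product it mentions). Assumptions: tokens are random, format-preserving digit strings that keep the last four digits but are rejected if they would pass the Luhn check, so a token can never be mistaken for a real PAN; two separate credentials stand in for the network segmentation between the app and the out-of-band de-tokenize role; encryption of the vault's stored PANs at rest is not shown.

```python
import hmac
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def denied(fn, *args) -> bool:
    """True if the call is refused with PermissionError (used in checks)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

class Vault:
    """Token -> PAN store; in a real deployment it is encrypted at rest and segmented."""
    def __init__(self):
        self._store = {}                              # token -> PAN (assumed store)
        self.tokenize_cred = secrets.token_hex(16)    # handed to the calling app
        self.detokenize_cred = secrets.token_hex(16)  # out-of-band role only
    def _new_token(self, pan: str) -> str:
        # Random digits of the same length, last four kept for receipts; never
        # derived from the PAN, and rejected if it would pass Luhn.
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            tok = head + pan[-4:]
            if tok not in self._store and not luhn_ok(tok):
                return tok

    def tokenize(self, cred: str, pan: str) -> str:
        if not hmac.compare_digest(cred, self.tokenize_cred):
            raise PermissionError("tokenize credential required")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        for tok, stored in self._store.items():     # same PAN -> same token
            if stored == pan:
                return tok
        tok = self._new_token(pan)
        self._store[tok] = pan
        return tok

    def detokenize(self, cred: str, token: str) -> str:
        if not hmac.compare_digest(cred, self.detokenize_cred):
            raise PermissionError("out-of-band de-tokenize credential required")
        return self._store[token]
```

The calling app only ever holds `tokenize_cred`, so a compromise of the app yields tokens that cannot be turned back into card numbers without the separately held de-tokenize credential.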