1. We've secretly replaced your
sensitive information with
useless data.
Ken Smith
Enterprise Security Consultant
CISSP CISA GCIH QSA
Twitter: @ken5m1th
SOURCE Boston
20 April, 2011
2. What's so appealing about tokenization?
How it works
Tokenization types
Misconceptions and vendor FUD
How to screw it up
How to do it well
Implementation process
The future
The Holy Grail
3. Easy to implement
One size fits all
Your data security concerns go away
Compliance is easy once implemented
4. Easy to implement
One size fits all
Your data security concerns go away
Compliance is easy once implemented
*According to fairies and unicorns
5. It addresses the major issues with encryption
Source: xkcd.com
6. It addresses the major issues with encryption
Image source: www.jakeludington.com
7. It addresses the major issues with encryption
8. Manage access controls for data and keys
Encrypt whenever data is at rest
Encrypt whenever data is in transit
Secure key generation and distribution
Records retention and destruction
Manage all compliance requirements
◦ PCI DSS
◦ Mass 93H/201CMR17.00
◦ All other state notification laws
◦ HIPAA
9. Protect the tokenized data according to its
new data classification (not sensitive)
10. 1. Sensitive data gathered
2. Sensitive data encrypted and stored in highly
protected vault
3. Token value created and returned back to
original systems/databases
Sensitive Data
• Credit card #
• SSN
• Other
Tokenizing Process
• Encryption
• Key mgmt
• Token DB
Token
• Replacement value
• Not sensitive
11. Format preserving
Hosted shopping cart
Pay page
Tokenize during clearing
Tokenize at authorization
Offsite vault
Onsite vault
Tokenize after settlement
25. Tokenization is always better than encryption
Offload to a third-party and it's no longer your
problem
PCI DSS scope will always be reduced or
eliminated
It's always simple to implement
26. The apps that tokenize the data can also de-tokenize
Many users still need/use the sensitive data
Put everything on the same system/network
Co-mingling tokens with sensitive data
Implementing because it's a cool buzzword
27. The apps that call the tokenization process
should not have the ability to de-tokenize, access
decryption keys, or access stored sensitive data,
even in encrypted form
Encrypted data stored in a segmented and highly
secured 'vault'
Standard users should not have the ability to
de-tokenize data – the token value is good enough
Users that need to de-tokenize data should use
an out-of-band method
If using a third-party offsite solution, remove
yourself from the transaction
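One way to model the separation described on slides 10 and 27, as an added example that is not from the talk or any product: a vault that hands out random, format-preserving tokens and refuses de-tokenization to the key the application holds. The class, method names and the keep-the-last-four rule are assumptions, and encryption of the stored values is left out of this sketch.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Toy in-memory vault; a real one encrypts stored values and is segmented."""
    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}    # token -> sensitive value
        self._token_by_index = {}  # HMAC(value) -> token, so repeats reuse a token
        self._grants = {}          # API key -> operations that key may call

    def issue_key(self, *operations):
        key = secrets.token_hex(16)
        self._grants[key] = frozenset(operations)
        return key

    def _authorize(self, key, operation):
        if operation not in self._grants.get(key, frozenset()):
            raise PermissionError(f"key may not {operation}")

    def tokenize(self, key, pan):
        self._authorize(key, "tokenize")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # random body, real last four (assumption)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, key, token):
        self._authorize(key, "detokenize")
        return self._pan_by_token[token]

def demo(pan="4111111111111111"):  # constructed test card number
    vault = TokenVault()
    app_key, oob_key = vault.issue_key("tokenize"), vault.issue_key("detokenize")
    token = vault.tokenize(app_key, pan)
    try:
        vault.detokenize(app_key, token)  # the app's own key must be refused
    except PermissionError:
        return token, "refused", vault.detokenize(oob_key, token)
    return token, "allowed", pan
```

The application only ever holds `app_key`; the key granted `detokenize` stands in for the out-of-band path and would live on a separate system.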
28. Evaluate your requirements
Pick a product
Implement product
All of your information security challenges
have been solved!
* In rainbow and unicorn land
29. First, ask the following questions:
◦ 1. Do you really need to store the data?
◦ 2. Are you really really sure?
◦ 3. And the last time that happened was…?
◦ 4. I know, I know… but do you need the
whole number?
30. Define your requirements
Clearly define the scope
Investigate all potential solutions
Redefine your requirements
Redefine the scope
Evaluation/POC
Implement solution
Constantly monitor product effectiveness
Continue to assess risk as usual
31. Important component of data protection
Improvements to deployment models
Moving closer to the point of data capture
Cloud adoption will drive the need
Employed to protect other types of data
Fewer companies managing their own
encryption solutions
32. Encrypted data stored in highly secure 'vault'
Most of your business can function with only
the token value
Sensitive data checks in, doesn't check out
Access method is “out of band”
33. A step up from encrypting data
Get rid of data you don't really need
Removes the crown jewels
Can be used to protect different types of data
Multiple flavors to choose from
App should tokenize, not de-tokenize
The Holy Grail is possible (e-Commerce)
Thank you!
Ken Smith
◦ ken@ksm1th.com
◦ http://twitter.com/ken5m1th
◦ http://post.ksm1th.com
◦ http://www.linkedin.com/in/1ksmith