Ken Smith - Tokenization
Upcoming SlideShare
Loading in...5

Ken Smith - Tokenization






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Ken Smith - Tokenization Ken Smith - Tokenization Presentation Transcript

  • We‟ve secretly replaced your sensitive information with useless data. Ken SmithSOURCE Boston Twitter: @ken5m1th20 April, 2011 Enterprise Security Consultant CISSP CISA GCIH QSA
  •  What‟s so appealing about tokenization? How it works Tokenization types Misconceptions and vendor FUD How to screw it up How to do it well Implementation process The future The Holy Grail 2
  •  Easy to implement One size fits all Your data security concerns go away Compliance is easy once implemented 3
  •  Easy to implement One size fits all Your data security concerns go away Compliance is easy once implemented*According to fairies and unicorns 4
  •  It addresses the major issues with encryption Source: 5
  •  It addresses the major issues with encryption Image source: 6
  •  It addresses the major issues with encryption 7
  •  Manage access controls for data and keys Encrypt whenever data is at rest Encrypt whenever data is in transit Secure key generation and distribution Records retention and destruction Manage all compliance requirements ◦ PCI DSS ◦ Mass 93H/201CMR17.00 ◦ All other state notification laws ◦ HIPAA 8
  •  Protect the tokenized data according to it‟s new data classification (not sensitive) 9
  • 1. Sensitive data gathered2. Sensitive data encrypted and stored in highly protected vault3. Token value created and returned back to original systems/databases Tokenizing • Credit card # Process • Replacement • SSN • Encryption value • Other • Key mgmt • Not sensitive • Token DB Sensitive Data Token 10
  • Format preserving Hosted shopping cart Pay page Tokenize during clearingTokenize at authorization Offsite vault Onsite vault Tokenize after settlement 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  •  Tokenization is always better than encryption Offload to a third-party and it‟s no longer your problem PCI DSS scope will always be reduced or eliminated It‟s always simple to implement 25
  •  The apps that tokenize the data can also de- tokenize Many users still need/use the sensitive data Put everything on the same system/network Co-mingling tokens with sensitive data Implementing because it‟s a cool buzzword 26
  •  The apps that call the tokenization process should not have ability to de-tokenize, access decryption keys, access stored sensitive data even in encrypted form Encrypted data stored in a segmented and highly secured „vault‟ Standard users should not have the ability to de- tokenize data – the token value is good enough Users that need to de-tokenize data should use an out-of-band method If using third-party offsite solution, remove yourself from the transaction 27
  •  Evaluate your requirements Pick a product Implement product All of your information security challenges have been solved!* In rainbow and unicorn land 28
  •  First, ask the following questions: ◦ 1. Do you really need to store the data? ◦ 2. Are you really really sure? ◦ 3. And the last time that happened was…...? ◦ 4. I know, I know…. but do you need the whole number? 29
  •  Define your requirements Clearly define the scope Investigate all potential solutions Redefine your requirements Redefine the scope Evaluation/POC Implement solution Constantly monitor product effectiveness Continue to assess risk as usual 30
  •  Important component of data protection Improvements to deployment models Moving closer to the point of data capture Cloud adoption will drive the need Employed to protect other types of data Fewer companies managing their own encryption solutions 31
  •  Encrypted data stored in highly secure „vault‟ Most of your business can function with only the token value Sensitive data checks in, doesn‟t check out Access method is “out of band” 32
  •  A step up from encrypting data Get rid of data you don‟t really need Removes the crown jewels Can be used to protect different types of data Multiple flavors to choose from App should tokenize, not de-tokenize The Holy Grail is possible (e-Commerce) Thank you! Ken Smith ◦ ◦ ◦ ◦ 33