We've secretly replaced your sensitive information with useless data.

Ken Smith
SOURCE Boston, 20 April, 2011
Enterprise Security Consultant
CISSP CISA GCIH QSA
Twitter: @ken5m1th
   What's so appealing about tokenization?
   How it works
   Tokenization types
   Misconceptions and vendor FUD
   How to screw it up
   How to do it well
   Implementation process
   The future
   The Holy Grail


                                              2
   Easy to implement
   One size fits all
   Your data security concerns go away
   Compliance is easy once implemented




                                          3
   Easy to implement
   One size fits all
   Your data security concerns go away
   Compliance is easy once implemented
*According to fairies and unicorns




                                          4
   It addresses the major issues with encryption




                    Source: xkcd.com

                                                    5
   It addresses the major issues with encryption




                 Image source: www.jakeludington.com
                                                       6
   It addresses the major issues with encryption




                                                    7
   Manage access controls for data and keys
   Encrypt whenever data is at rest
   Encrypt whenever data is in transit
   Secure key generation and distribution
   Records retention and destruction
   Manage all compliance requirements
    ◦   PCI DSS
     ◦   Mass. 93H / 201 CMR 17.00
    ◦   All other state notification laws
    ◦   HIPAA


                                               8
   Protect the tokenized data according to its
    new data classification (not sensitive)




                                                   9
1.   Sensitive data gathered
2.   Sensitive data encrypted and stored in a highly
     protected vault
3.   Token value created and returned to the
     original systems/databases

     Sensitive data (credit card #, SSN, other)
       -> Tokenizing process (encryption, key mgmt, token DB)
       -> Token (replacement value, not sensitive)

                                                                      10
   Format preserving
   Pay page
   Hosted shopping cart
   Tokenize at authorization
   Tokenize during clearing
   Tokenize after settlement
   Onsite vault
   Offsite vault

                                                   11
   [Slides 12 to 24 are image-only; no text was extracted]
   Tokenization is always better than encryption
   Offload to a third-party and it's no longer your
    problem
   PCI DSS scope will always be reduced or
    eliminated
   It's always simple to implement




                                                       25
   The apps that tokenize the data can also
    de-tokenize
   Many users still need/use the sensitive data
   Put everything on the same system/network
   Co-mingling tokens with sensitive data
   Implementing because it‟s a cool buzzword




                                                   26
   The apps that call the tokenization process
    should not have the ability to de-tokenize, to
    access decryption keys, or to access stored
    sensitive data, even in encrypted form
   Encrypted data stored in a segmented and highly
    secured 'vault'
   Standard users should not have the ability to
    de-tokenize data; the token value is good enough
   Users that need to de-tokenize data should use
    an out-of-band method
   If using a third-party offsite solution, remove
    yourself from the transaction: the card data should
    flow from the customer straight to the provider and
    never touch your systems

                                                        27
   Evaluate your requirements
   Pick a product
   Implement product
   All of your information security challenges
    have been solved!
* In rainbow and unicorn land




                                                  28
   First, ask the following questions:
    ◦ 1. Do you really need to store the data?
    ◦ 2. Are you really really sure?
     ◦ 3. And the last time that happened was...?
    ◦ 4. I know, I know…. but do you need the
      whole number?




                                                29
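As an added example (not part of the talk, and not any vendor's product), the Python sketch below wires together the flow on slide 10 (data in, token out, sensitive value kept in the vault), the rules from slides 26 and 27 (the app that tokenizes must not be able to de-tokenize; tokens and real PANs must not be commingled), and the "do you need the whole number?" question above (truncation). Assumptions: standard library only; the vault's at-rest encryption and key management (an HSM or KMS in practice) are omitted so the control flow stays visible; the capability model (`VaultClient` with a `frozenset` of rights) and the names `TokenVault`, `make_token`, `find_commingled` and `mask_pan` are illustrative; the PAN `4111111111111111` is the widely used Visa test number, not a real card.

```python
import hashlib
import hmac
import secrets

def luhn_valid(number: str) -> bool:
    """Mod-10 check that every real card number passes."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number)):
        if i % 2:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def make_token(pan: str) -> str:
    """Format-preserving token: same length, digits only, last four kept.
    Luhn-valid candidates are rejected so a token can never pass as a PAN."""
    while True:
        middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        candidate = middle + pan[-4:]
        if not luhn_valid(candidate):
            return candidate

def mask_pan(pan: str) -> str:
    """Truncation (first six, last four): a process that only needs this
    never needs the PAN, or even a token."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_commingled(token_column):
    """Anything Luhn-valid in a tokens-only column is probably a leaked PAN."""
    return [v for v in token_column if luhn_valid(v)]

class TokenVault:
    """PAN <-> token mapping; assumed encrypted at rest (HSM/KMS) in production."""
    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._token_by_fingerprint = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}           # token -> PAN

    def _fingerprint(self, pan: str) -> str:
        # keyed hash: same PAN -> same token on reuse, with no plaintext PAN index
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("input is not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = make_token(pan)
        while token in self._pan_by_token:    # collision check
            token = make_token(pan)
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

class VaultClient:
    """Capability-scoped handle: apps get {"tokenize"}; only the out-of-band job gets {"detokenize"}."""
    def __init__(self, vault: TokenVault, capabilities: frozenset):
        self._vault = vault
        self._caps = capabilities

    def tokenize(self, pan: str) -> str:
        if "tokenize" not in self._caps:
            raise PermissionError("client lacks tokenize capability")
        return self._vault.tokenize(pan)

    def detokenize(self, token: str) -> str:
        if "detokenize" not in self._caps:
            raise PermissionError("client lacks detokenize capability")
        return self._vault.detokenize(token)

def demo() -> dict:
    """Constructed walk-through with a well-known test PAN (not a real card)."""
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    order_app = VaultClient(vault, frozenset({"tokenize"}))
    settlement_job = VaultClient(vault, frozenset({"detokenize"}))
    pan = "4111111111111111"
    token = order_app.tokenize(pan)
    try:
        order_app.detokenize(token)
        app_could_detokenize = True
    except PermissionError:
        app_could_detokenize = False
    return {
        "token": token,
        "same_token_on_repeat": order_app.tokenize(pan) == token,
        "app_could_detokenize": app_could_detokenize,
        "settlement_recovers_pan": settlement_job.detokenize(token) == pan,
        "masked": mask_pan(pan),
        "commingled": find_commingled([token, pan]),
    }
```

The order system holds only a tokenize-capable handle, so a compromise of that application yields tokens, not card numbers; de-tokenization lives in a separately credentialed job, which is the "out-of-band" access the slides call for. Tokens keep the same length and last four digits (the format-preserving flavour from slide 11) but are forced to fail the Luhn check, so a PAN that leaks into a token column, or a token that is mistaken for a PAN, is cheap to detect with `find_commingled`. The HMAC fingerprint lets a returning card map to its existing token without the vault keeping a searchable plaintext index.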
   Define your requirements
   Clearly define the scope
   Investigate all potential solutions
   Redefine your requirements
   Redefine the scope
   Evaluation/POC
   Implement solution
   Constantly monitor product effectiveness
   Continue to assess risk as usual


                                               30
   Important component of data protection
   Improvements to deployment models
   Moving closer to the point of data capture
   Cloud adoption will drive the need
   Employed to protect other types of data
   Fewer companies managing their own
    encryption solutions




                                                 31
   Encrypted data stored in a highly secure 'vault'
   Most of your business can function with only
    the token value
   Sensitive data checks in, doesn't check out
   Access method is “out of band”




                                                     32
   A step up from encrypting data
   Get rid of data you don't really need
   Removes the crown jewels
   Can be used to protect different types of data
   Multiple flavors to choose from
   App should tokenize, not de-tokenize
   The Holy Grail is possible (e-Commerce)
   Thank you!

   Ken Smith
    ◦   ken@ksm1th.com
    ◦   http://twitter.com/ken5m1th
    ◦   http://post.ksm1th.com
    ◦   http://www.linkedin.com/in/1ksmith


                                                     33
