Ken Smith - Tokenization
Slide 1: We've secretly replaced your sensitive information with useless data.
Ken Smith, SOURCE Boston, 20 April 2011
Enterprise Security Consultant, CISSP CISA GCIH QSA
Twitter: @ken5m1th
Slide 2: Agenda
- What's so appealing about tokenization?
- How it works
- Tokenization types
- Misconceptions and vendor FUD
- How to screw it up
- How to do it well
- Implementation process
- The future
- The Holy Grail
Slide 3: What's so appealing about tokenization?
- Easy to implement
- One size fits all
- Your data security concerns go away
- Compliance is easy once implemented
Slide 4: What's so appealing about tokenization? (the honest version)
- Easy to implement*
- One size fits all*
- Your data security concerns go away*
- Compliance is easy once implemented*
*According to fairies and unicorns
Slides 5 to 7: It addresses the major issues with encryption
(image-only slides; image sources: xkcd.com and www.jakeludington.com)
Slide 8: It addresses the major issues with encryption. With encryption you have to:
- Manage access controls for data and keys
- Encrypt whenever data is at rest
- Encrypt whenever data is in transit
- Secure key generation and distribution
- Handle records retention and destruction
- Manage all compliance requirements:
  ◦ PCI DSS
  ◦ Mass. 93H / 201 CMR 17.00
  ◦ All other state breach notification laws
  ◦ HIPAA
Slide 9: With tokenization you instead protect the tokenized data according to its new data classification (not sensitive).
Slide 10: How it works
1. Sensitive data gathered
2. Sensitive data encrypted and stored in a highly protected vault
3. Token value created and returned to the original systems/databases

Diagram: Sensitive data (credit card #, SSN, other) -> Tokenizing process (replacement value, encryption, key management, token DB) -> Token (not sensitive)
Slide 11: Tokenization types
- Format preserving
- Hosted shopping cart / pay page
- Tokenize at authorization
- Tokenize during clearing
- Tokenize after settlement
- Offsite vault
- Onsite vault
Slides 12 to 24: diagrams of the tokenization types above (image-only slides, no text extracted)
Slide 25: Misconceptions and vendor FUD
- Tokenization is always better than encryption
- Offload to a third party and it's no longer your problem
- PCI DSS scope will always be reduced or eliminated
- It's always simple to implement
Slide 26: How to screw it up
- The apps that tokenize the data can also de-tokenize
- Many users still need/use the sensitive data
- Put everything on the same system/network
- Co-mingling tokens with sensitive data
- Implementing because it's a cool buzzword
Slide 27: How to do it well
- The apps that call the tokenization process should not have the ability to de-tokenize, access decryption keys, or access stored sensitive data, even in encrypted form
- Encrypted data is stored in a segmented and highly secured "vault"
- Standard users should not have the ability to de-tokenize data; the token value is good enough
- Users who need to de-tokenize data should use an out-of-band method
- If using a third-party offsite solution, remove yourself from the transaction
Slide 28: Implementation process (the unicorn version)
- Evaluate your requirements
- Pick a product
- Implement product
- All of your information security challenges have been solved!*
*In rainbow and unicorn land
Slide 29: First, ask the following questions:
◦ 1. Do you really need to store the data?
◦ 2. Are you really, really sure?
◦ 3. And the last time that happened was...?
◦ 4. I know, I know... but do you need the whole number?
Slide 30: Implementation process
- Define your requirements
- Clearly define the scope
- Investigate all potential solutions
- Redefine your requirements
- Redefine the scope
- Evaluation / POC
- Implement solution
- Constantly monitor product effectiveness
- Continue to assess risk as usual
Slide 31: The future
- Important component of data protection
- Improvements to deployment models
- Moving closer to the point of data capture
- Cloud adoption will drive the need
- Employed to protect other types of data
- Fewer companies managing their own encryption solutions
Slide 32: The Holy Grail
- Encrypted data stored in a highly secure "vault"
- Most of your business can function with only the token value
- Sensitive data checks in, doesn't check out
- Access method is "out of band"
Slide 33: Summary
- A step up from encrypting data
- Get rid of data you don't really need
- Removes the crown jewels
- Can be used to protect different types of data
- Multiple flavors to choose from
- App should tokenize, not de-tokenize
- The Holy Grail is possible (e-Commerce)

Thank you!
Ken Smith
◦ ken@ksm1th.com
◦ http://twitter.com/ken5m1th
◦ http://post.ksm1th.com
◦ http://www.linkedin.com/in/1ksmith