Ken Smith - Tokenization

We‟ve secretly replaced your sensitive information with useless data. Ken SmithSOURCE Boston Twitter: @ken5m1th20 April, 2011 Enterprise Security Consultant CISSP CISA GCIH QSA

 What‟s so appealing about tokenization? How it works Tokenization types Misconceptions and vendor FUD How to screw it up How to do it well Implementation process The future The Holy Grail 2

 Easy to implement One size fits all Your data security concerns go away Compliance is easy once implemented 3

 Easy to implement One size fits all Your data security concerns go away Compliance is easy once implemented*According to fairies and unicorns 4

 It addresses the major issues with encryption Source: xkcd.com 5

 It addresses the major issues with encryption Image source: www.jakeludington.com 6

 It addresses the major issues with encryption 7

 Manage access controls for data and keys Encrypt whenever data is at rest Encrypt whenever data is in transit Secure key generation and distribution Records retention and destruction Manage all compliance requirements ◦ PCI DSS ◦ Mass 93H/201CMR17.00 ◦ All other state notification laws ◦ HIPAA 8

 Protect the tokenized data according to it‟s new data classification (not sensitive) 9

1. Sensitive data gathered2. Sensitive data encrypted and stored in highly protected vault3. Token value created and returned back to original systems/databases Tokenizing • Credit card # Process • Replacement • SSN • Encryption value • Other • Key mgmt • Not sensitive • Token DB Sensitive Data Token 10

Format preserving Hosted shopping cart Pay page Tokenize during clearingTokenize at authorization Offsite vault Onsite vault Tokenize after settlement 11

 Tokenization is always better than encryption Offload to a third-party and it‟s no longer your problem PCI DSS scope will always be reduced or eliminated It‟s always simple to implement 25

 The apps that tokenize the data can also de- tokenize Many users still need/use the sensitive data Put everything on the same system/network Co-mingling tokens with sensitive data Implementing because it‟s a cool buzzword 26

 The apps that call the tokenization process should not have ability to de-tokenize, access decryption keys, access stored sensitive data even in encrypted form Encrypted data stored in a segmented and highly secured „vault‟ Standard users should not have the ability to de- tokenize data – the token value is good enough Users that need to de-tokenize data should use an out-of-band method If using third-party offsite solution, remove yourself from the transaction 27

 Evaluate your requirements Pick a product Implement product All of your information security challenges have been solved!* In rainbow and unicorn land 28

 First, ask the following questions: ◦ 1. Do you really need to store the data? ◦ 2. Are you really really sure? ◦ 3. And the last time that happened was…...? ◦ 4. I know, I know…. but do you need the whole number? 29

 Define your requirements Clearly define the scope Investigate all potential solutions Redefine your requirements Redefine the scope Evaluation/POC Implement solution Constantly monitor product effectiveness Continue to assess risk as usual 30

 Important component of data protection Improvements to deployment models Moving closer to the point of data capture Cloud adoption will drive the need Employed to protect other types of data Fewer companies managing their own encryption solutions 31

 Encrypted data stored in highly secure „vault‟ Most of your business can function with only the token value Sensitive data checks in, doesn‟t check out Access method is “out of band” 32

 A step up from encrypting data Get rid of data you don‟t really need Removes the crown jewels Can be used to protect different types of data Multiple flavors to choose from App should tokenize, not de-tokenize The Holy Grail is possible (e-Commerce) Thank you! Ken Smith ◦ ken@ksm1th.com ◦ http://twitter.com/ken5m1th ◦ http://post.ksm1th.com ◦ http://www.linkedin.com/in/1ksmith 33

Ken Smith - Tokenization

by SOURCE Conference

Accessibility

Upload Details

Usage Rights

Statistics