How to evaluate data protection technologies - Mastercard conference

Ulf Mattsson, CTO, Protegrity Corporation How to Evaluate Data Protection Technologies

Protecting Data in the Enterprise Data FlowCollection • ‘Information in the wild’ - Short lifecycle / High risk POS e-commerce Branch • Temporary informationAggregation - Short lifecycle / High risk • Operating information - Typically 1 or more year lifecycle - Broad and diverse computing and databaseOperations environment • Decision making information - Typically multi-year lifecycle Analysis - Homogeneous computing environment - High volume database analysis • Archive -Typically multi-year lifecycle Archive -Preserving the ability to retrieve the data in the future is important Payment System Integrity

PCI Case Study – Large Retailer• Minimal impact to the legacy environment – Encrypting PAN in the POS application and decrypting in HQ server – Encrypting PAN in databases, transparent to applications – Software encryption – 10 million transactions per second• End-to-end encryption within the control of a single enterprise – Modifications of applications, files and databases – Definition of “Strong cryptography” - PCI DSS Glossary 1.2 – Central management of encryption keys, policy and reporting – Key Management - Industry Standards are missing (IEEE P1619.3, OASIS/KMIP …)Payment System Integrity 03

End-to-end Encryption - Challenges• End-to-end encryption in the financial environment – End-to-end encryption is a very difficult thing to accomplish in the financial environment – The people and devices at one end do not usually have any relationship (such as shared keys) with those at the other end - things are more point-to-point – Expanding the scope - flow through the existing payment networks and not break them – Or change all those networks (not easy!) or provide a separate path for messages using a new scheme – OASIS/KMIP Key Management is immature in the area of support for banking and finance requirements – Some vendors add proprietary encryption capability to the terminals themselves Payment System Integrity 4

Planned Proposal to X9 for New Standard • Current scope - client-end-terminal to acquirer – Its not quite clear what direction this will end up taking – Encryption/decryption to be done in software for performance reasons • X9 ANSI Standard may be published within 36-40 months – ASC X9 working group - one initial meeting so far – More time for people to actually implement it • Target audience for this guideline or standard – POS Device Implementers, ATM Implementers, Store Controller Implementers, Retail Host System Implementers, Processing System Implementers and Acquiring System Implementers Payment System Integrity 5

Protecting Data in the Enterprise Data Flow Passive Approaches and Active Approaches = End-To-End Protection Passive Approaches Active Approaches Web Application Database Firewall Columns Database Activity Applications Monitoring Database Activity Database Monitoring / Log Files Data Loss Prevention Tablespace Datafiles Database Server Payment System Integrity 6

Passive Data Protection Approaches• Web Application Firewall – Protects against malicious attacks by inspecting application traffic• Data Loss Prevention – Tags and monitors movement of sensitive assets – Protects against the unintentional outbound leakage of sensitive assets• Database Activity Monitoring – Inspects , monitors, and reports database traffic into and out of databases – Can block malicious activity; seldom used due to false positives• Database Log Mining – Mines log files that are created by databases for good or bad activityPayment System Integrity 7

Active Data Protection Approaches• Application Protection – Utilizes crypto APIs to protect sensitive assets in applications – This approach helps you protect data as it enters your business systems• Column Level Protection – Protects data inside the database at the column level – Can be deployed in a transparent approach to minimizes changes to your environment – Considered to be the most secure approach to protect sensitive assets• Database file protection – Protects the data by encrypting the entire database filePayment System Integrity 8

Passive Database Protection Approaches Operational Impact ProfileDatabase Protection Performance Storage Security Transparency SeparationApproach of DutiesWeb Application FirewallData Loss PreventionDatabase Activity MonitoringDatabase Log Mining Best Worst Payment System Integrity 9

Active Database Protection Approaches Operational Impact ProfileDatabase Protection Performance Storage Security Transparency SeparationApproach of DutiesApplication Protection - APIColumn Level Encryption;FCE, AES, 3DESColumn Level Replacement;TokensTablespace - DatafileProtection Best Worst Payment System Integrity 10

How about Native Database Encryption?• Advantages – Available from most database vendors – Enables you to get started quickly• Disadvantages – Mostly non-transparent solutions – Some vendors do not protect the Data Encryption Keys well enough – Lack of secure interoperability between instances of the same vendor – No secure interoperability with databases from other vendors – No centralization of policy, key management, and audit reportingPayment System Integrity 11

Security for the Sensitive Data Flow Points of collection Store Back Office Collectio Web Retail Store Apps Locales$%&# $%&# T-Logs, Back $%&# Store Journals $%&# Office DBBranches/ $%&# Applicati Stores ons HQ Polling Server Log $%&# Aggregation ` Poli Poli cy cy Manager $%^& *@K$ Operations Multiplex ERP Reports Log ing Log Platform Analytics Detailed Analytical 7ks##@ Tactical Focused / Summary Analytical Archive Partners (Financial Log Active Access / AlertingInstitutions) Payment System Integrity 12

Data Protection Options and Formats• Clear – actual value is readable – not for cardholder data• Hash – unreadable, not reversible – not for cardholder data• Encrypted – unreadable, reversible• Replacement value (tokens) – unreadable, reversible• Partial encryption/replacement – unreadable, reversiblePayment System Integrity 13

Data in the Clear• Description – Audit only – Masking – Access Control Limits• Advantages – Low impact on existing applications – Performance and time to deploy• Considerations – Underlying data exposedPayment System Integrity 14

Strong Encryption• Description – Industry standard (AES CBC …)• Advantages – Widely deployed – Compatibility – Performance• Considerations – Storage and type – Transparency to applications – Key rotationPayment System Integrity 15

Format Controlling Encryption• Description Maintains data type, length –• Advantages – Reduces changes to downstream systems – Storage – Partial encryption• Considerations – Performance – Security and key rotation – Transparency to applicationsPayment System Integrity 16

Replacement Value (i.e. tokens, alias)• Description – Proxy value created to replace original data – Centrally managed, protected• Advantages – No changes to most downstream systems – Out of scope for compliance – No local key rotation• Considerations – Transparency for applications needing original data – Availability and performance for applications needing original dataPayment System Integrity 17

“Strong cryptography” - PCI DSSGlossary 1.2• Examples - AES (128 bits and higher) and TDES – Payment Card Industry (PCI) Data Security Standard (DSS) – Payment Application Data Security Standard (PA-DSS)• NIST Special Publication 800-57 – Five confidentiality modes (ECB, CBC, OFB, CFB, and CTR) – One authentication mode (CMAC) – Two combined modes for confidentiality and authentication (CCM and GCM)• Some New Encryption Modes of operation that NIST is consideringPayment System Integrity – FFSEM, Feistel Finite Set Encryption Mode (Posted February,

Data Protection Capabilities Storage Performance Storage Security Transparency Clear Strong Encryption Format Controlling Encryption Token Hash Best WorstPayment System Integrity 19

Data Protection Implementation Choices• Data Protection Layers – Application – Database – File System• Data Protection Topologies – Remote or local service• Data Security Management – Central management of keys, policy and reportingPayment System Integrity 20

Data Protection Implementation Choices System Layer Performance Transparency Security Application Database File System Topology Performance Scalability Security Local Service Remote Service Best WorstPayment System Integrity 21

Data Protection Strategies• Where to start? – “Perimeter towards Database” Strategy – “Database towards Perimeter” Strategy – Combined Strategy• Use risk based methodology to determine how to protect sensitive assets – Value of your data X Exposure = Risk – Apply the appropriate approach based on risk• Choose a protection vendor with – Broad coverage of protection options – Central policy, key, and audit management – Ability to protect across a wide range of database platformsPayment System Integrity 22

How to evaluate data protection technologies - Mastercard conference

by Ulf Mattsson

Accessibility

Categories

Upload Details

Usage Rights

Statistics