Enterprise Data Protection Understanding Your Options
and Strategies

Ulf Mattsson
CTO Protegrity
Ulf.mattsson AT protegrity.com
Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents – Encryption and Intrusion Prevention
Co-founder of Protegrity (Data Security)
Research member of the International Federation for
Information Processing (IFIP) WG 11.3 Data and Application
Security
Member of
PCI Security Standards Council (PCI SSC)
American National Standards Institute (ANSI) X9
Information Systems Audit and Control Association (ISACA)
Cloud Security Alliance (CSA)
Information Systems Security Association (ISSA)
ISACA Articles – Data Security
Topics
Review the changing threat landscape
Present different options for data security for PCI DSS
Review a case study
Show how to protect the entire data flow
Discuss how to protect against advanced attacks
Show how to balance performance and security with different
approaches to tokenization and encryption
Review security enforcement at the application level,
database level, file level and storage level

The Changing Threat Landscape
Some issues have stayed constant:
Threat landscape continues to gain sophistication
Attackers will always be a step ahead of the defenders

We're fighting highly organized, well-funded crime syndicates and
nations

A move from detective to preventive controls is needed:
Several layers of security to address more significant areas of risks

Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

2010 Data Breach Investigations Report
Six years, 900+ breaches, and over 900 million
compromised records
Over half of the breaches occurred outside of the U.S.
Online data is compromised most frequently (chart of compromised records by data type)
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Threat Action Categories
90% of compromised records were lost in highly sophisticated attacks

Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Payment Card Industry Data Security Standard
(PCI DSS)
The PCI Security Standards Council is an open global forum founded by
American Express, Discover Financial Services, JCB
International, MasterCard Worldwide, and Visa Inc
The PCI DSS consists of a set of 12 requirements
Four ways to render the PAN (credit card number) unreadable:
Strong cryptography with associated key-management processes and procedures
Truncation
One-way hash functions based on strong cryptography
Index tokens and pads (pads must be securely stored)

Source: https://www.pcisecuritystandards.org/organization_info/index.php
PCI Encryption Rules
Diagram: an attacker on the public network sees only SSL-protected, PCI DSS-encrypted data in transit; inside the private network the application and the database still handle clear-text data; the OS file system and storage system hold PCI DSS-encrypted data at rest.
Not Enough to Encrypt Pipes & Files

Protecting the Data Flow - Example
Diagram: enforcement points placed along the data flow, distinguishing where sensitive information is unprotected from where it is protected.

Current, Planned Use of Enabling Technologies
Strong interest in database encryption, data masking, tokenization
Chart (survey results per technology: Current Use / Planned Use <12 Months / Evaluating):
Access controls
Database activity monitoring
Database encryption
Backup / Archive encryption
Data masking
Application-level encryption
Tokenization

Data Security Today is a Catch-22
We need to protect both data and the business processes that rely
on that data
Enterprises are currently on their own in deciding how to apply
emerging technologies for PCI data protection
Data Tokenization - an evolving technology
How to reduce PCI audit scope and exposure to data

Hiding Data in Plain Sight – Data Tokenization
Diagram: Data Entry (PAN 400000 123456 7899) -> Tokenization Server (holds the PAN only in protected form, shown as Y&SFD%))S() -> Data Token (400000 222222 7899) -> Application Databases
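The flow on this slide, written out as a small vault-style token server. This is an added example for this page, not code from the talk or from Protegrity's product. It follows the slide's convention of keeping the first six and last four digits of the PAN and replacing the middle with random digits; the class name TokenVault, the in-memory dictionaries standing in for the vault database, and the rule that an issued token must fail the Luhn check (so it can never be mistaken for a live card number) are assumptions of the example, not something the slides specify.

```python
import secrets
import string


def luhn_valid(digits):
    """Luhn check-digit test, the checksum real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-style tokenization server (illustration only, not a vendor product).

    A token is a random value with no mathematical relationship to the PAN; the
    PAN is recoverable only through the vault's reverse lookup. The vault is the
    asset to isolate: here it is a plain in-memory dict, a real deployment keeps
    it encrypted at rest behind strict access control and separation of duties.
    """

    def __init__(self):
        self._pan_to_token = {}   # same PAN -> same token (multi-use tokens)
        self._token_to_pan = {}

    def tokenize(self, pan, keep_first=6, keep_last=4):
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("input is not PAN-shaped")
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        middle = len(digits) - keep_first - keep_last
        for _ in range(1000):
            # partial format: BIN and last four survive, the rest is random digits
            body = "".join(secrets.choice(string.digits) for _ in range(middle))
            token = digits[:keep_first] + body + digits[-keep_last:]
            # reject a token that collides with an issued token, repeats the PAN,
            # or passes Luhn (a Luhn-failing token cannot be confused with a card)
            if token in self._token_to_pan or token == digits or luhn_valid(token):
                continue
            self._pan_to_token[digits] = token
            self._token_to_pan[token] = digits
            return token
        raise RuntimeError("could not find an unused token")

    def detokenize(self, token):
        """Reverse lookup; only callers entitled to see PANs should reach this."""
        return self._token_to_pan[token]
```

Because the token carries no information about the hidden digits, an attacker who steals the application databases gets nothing back without also compromising the vault; that is the property the slide relies on for taking those databases out of PCI scope.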

Retail Scenario with Tokenization
Diagram: stores send card data through an aggregating hub for the store channel to the token servers; the tokenized data then flows on to authorization, settlement, loss prevention, analysis (EDW) and ERP, with the integration points marked.

Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
By segmenting cardholder data with tokenization, a regional
chain of 1,500 local convenience stores is reducing its PCI
audit from seven to three months
“ We planned on 30 days to tokenize our 30 million card
numbers. With Protegrity Tokenization, the whole process
took about 90 minutes”

Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
Qualified Security Assessors had no issues with the effective
segmentation provided by Tokenization
“With encryption, implementations can spawn dozens of
questions”
“There were no such challenges with tokenization”

Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
Faster PCI audit – half that time
Lower maintenance cost – don’t have to apply all 12
requirements of PCI DSS to every system
Better security – able to eliminate several business processes
such as generating daily reports for data requests and access
Strong performance – rapid processing rate for initial
tokenization, sub-second transaction SLA

Field Encryption & Tokenization – Data Formats
Output formats for the clear-text value 123456 123456 1234, ordered from most to least intrusive to applications and databases:
Hashing: !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* (longer than the original)
Standard (strong) encryption: !@#$%a^.,mhu7/////&*B()_+!@ (longer than the original)
Tokenizing or formatted encryption, alpha: aVdSaH 1F4hJ 1D3a (original length)
Tokenizing or formatted encryption, numeric: 666666 777777 8888 (original length)
Tokenizing or formatted encryption, partial: 123456 777777 1234 (original length, first six and last four digits preserved)
Clear text data: 123456 123456 1234
Risk Management and PCI – Security Aspects
Different data security methods and algorithms
Policy enforcement implemented at different system layers
Integration at different system layers
Two rating matrices (cells rated from Best to Worst, N/A where a combination does not apply): data security method (Hashing, Formatted Encryption, Strong Encryption, Data Tokenization) against system layer (Application, Database Column, Database File, Storage Device)

A Distributed Tokenization Approach
Large companies may need to utilize tokenization services for locations throughout the world.
How do you deliver tokenization to many locations without the impact of latency?
Diagram: several customer applications, each served by a local token server instead of one central server.

Distributed Approach to Generate Random Tokens
Random Static Lookup Tables
Diagram: every application tokenizes locally with the same random static lookup tables (1,000,000 max entries each); a digit string such as 288910 is processed through overlapping windows (288910, 28891 0, 2 88910, 288910) rather than stored per value.
Multi-Use Tokens
Random Static Lookup Tables
Remains the same size no matter the number of unique tokens
Example: 50 million = 2 million tokens
Performance: 200,000 tokens per second on a commodity standard dual core machine
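An added example, written for this page rather than taken from the talk, of what "random static lookup tables" buy you. It is an illustration of the idea only, not Protegrity's patented algorithm: a single random permutation of all one million six-digit values is generated once with a CSPRNG, and tokenization slides a six-digit window across the hidden part of the PAN and pushes each window through the table. Nothing is stored per PAN, so the table is the same size for ten card numbers or fifty million, and any site that holds a copy tokenizes and detokenizes identically with no round trip to a central server. The class name, the sliding-window rule and the six-digit width are assumptions of the example.

```python
import secrets


class StaticTableTokenizer:
    """Stateless, table-driven tokenization (illustration of the concept only).

    The table is the whole secret: it must come from a CSPRNG, be distributed
    over a protected channel and be guarded like a key, because anyone holding
    it can detokenize. Equal inputs give equal tokens (multi-use tokens).
    """

    def __init__(self, width=6, table=None):
        self.width = width
        size = 10 ** width
        if table is None:
            table = list(range(size))
            secrets.SystemRandom().shuffle(table)      # CSPRNG-backed permutation
        if (len(table) != size or len(set(table)) != size
                or min(table) < 0 or max(table) >= size):
            raise ValueError("table must be a permutation of 0..10**width-1")
        self.table = table
        self.inverse = [0] * size                      # reverse lookup table
        for src, dst in enumerate(table):
            self.inverse[dst] = src

    def _substitute(self, digits, table, positions):
        # replace each `width`-digit window at the given positions through `table`;
        # because windows overlap, every output digit depends on earlier input digits
        w = self.width
        out = list(digits)
        for i in positions:
            window = int("".join(out[i:i + w]))
            out[i:i + w] = str(table[window]).zfill(w)
        return "".join(out)

    def tokenize_digits(self, digits):
        if not digits.isdigit() or len(digits) < self.width:
            raise ValueError("need at least %d decimal digits" % self.width)
        return self._substitute(digits, self.table,
                                range(len(digits) - self.width + 1))

    def detokenize_digits(self, digits):
        if not digits.isdigit() or len(digits) < self.width:
            raise ValueError("need at least %d decimal digits" % self.width)
        # undo the windows in reverse order through the inverse table
        return self._substitute(digits, self.inverse,
                                reversed(range(len(digits) - self.width + 1)))

    def tokenize_pan(self, pan, keep_first=6, keep_last=4):
        """Partial format: BIN and last four stay in clear, the middle is tokenized."""
        pan = pan.replace(" ", "")
        cut = len(pan) - keep_last
        return pan[:keep_first] + self.tokenize_digits(pan[keep_first:cut]) + pan[cut:]

    def detokenize_pan(self, token, keep_first=6, keep_last=4):
        token = token.replace(" ", "")
        cut = len(token) - keep_last
        return token[:keep_first] + self.detokenize_digits(token[keep_first:cut]) + token[cut:]
```

Two things to check before trusting a scheme like this: the table must be a true permutation (otherwise two PANs can map to one token and detokenization is ambiguous), and the hidden portion of a 16-digit PAN is only six digits, so the table, not the token format, is what stands between an attacker and the card number.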

Evaluating Encryption & Tokenization Approaches
Rating matrix (Best to Worst) comparing Database File Encryption, Database Column Encryption, Centralized Tokenization (old) and Distributed Tokenization (new) on:
Impact: Availability, Scalability, Latency, CPU Consumption, Data Flow Protection, Compliance Scoping
Security: Key Management, Randomness, Separation of Duties

Evaluating Field Encryption & Distributed Tokenization
Rating matrix (Best to Worst) comparing Strong Field Encryption, Formatted Encryption and Distributed Tokenization on:
Disconnected environments
Distributed environments
Performance impact when loading data
Transparent to applications
Expanded storage size
Transparent to database schema
Long life-cycle data
Unix or Windows mixed with “big iron” (EBCDIC)
Easy re-keying of data in a data flow
High risk data
Security - compliance to PCI, NIST
Best Practices for Tokenization
Visa's token generation guidance (published July 14, 2010):
Token types: single use token, multi use token
Token generation methods:
Algorithm and key reversible – known strong algorithm
One-way irreversible function – hash with a secret per transaction or a secret per merchant
Unique sequence number
Randomly generated value

Comments on Visa’s Tokenization Best Practices
Visa's recommendation should simply be to use a random number
If the output is not generated by a mathematical function applied
to the input, it cannot be reversed to regenerate the original PAN
data
The only way to discover PAN data from a real token is a (reverse)
lookup in the token server database
The odds are that if you are saddled with PCI-DSS responsibilities,
you will not write your own 'home-grown' token servers

What Makes a “Secure Tokenization” Algorithm?
Ask vendors what their token-generating algorithms are
Be sure to analyze anything other than strong random
number generators for security.

Strong Cryptography - PCI DSS Glossary
Cryptography based on industry-tested and accepted
algorithms, along with strong key lengths and proper
key-management practices
See NIST (National Institute of Standards and
Technology, US) Special Publications

NIST Proposed Encryption Modes
Appearance of a mode in this list does not constitute
endorsement or approval by NIST
1. FCEM Format Controlling Encryption Mode
U. Mattsson
2. FFX Format-preserving Feistel-based Encryption Mode
M. Bellare, P. Rogaway, T. Spies
3. …

http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html
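To make the "formatted encryption" used throughout this deck concrete, here is a toy Feistel-based format-preserving cipher over decimal strings. It is an added example for this page, not the FFX, FF1 or FCEM mode and not code from the talk: it only shows the mechanism those modes build on, an alternating (unbalanced) Feistel network whose round function is a keyed PRF (HMAC-SHA256 here) reduced modulo a power of ten, so ciphertext has the same length and alphabet as plaintext and the same key decrypts it. The function names, the round count and the use of the preserved BIN and last four digits as a tweak are assumptions of the example, and the key is a constructed test value.

```python
import hashlib
import hmac

ROUNDS = 10   # round count chosen for the example; not a security analysis


def _prf(key, tweak, round_no, half, out_len):
    """Keyed round function: HMAC-SHA256 reduced to an out_len-digit integer."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_len)


def _check(digits):
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")


def fpe_encrypt(key, digits, tweak=b""):
    """Feistel network over digit strings; output keeps length and alphabet."""
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v            # length of the half modified this round
        c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)             # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key, digits, tweak=b""):
    """Runs the rounds backwards; subtraction undoes each round's addition."""
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def encrypt_pan(key, pan, keep_first=6, keep_last=4):
    """Partial format: BIN and last four stay in clear and bind the ciphertext as tweak."""
    pan = pan.replace(" ", "")
    cut = len(pan) - keep_last
    head, middle, tail = pan[:keep_first], pan[keep_first:cut], pan[cut:]
    return head + fpe_encrypt(key, middle, tweak=(head + tail).encode()) + tail


def decrypt_pan(key, token, keep_first=6, keep_last=4):
    token = token.replace(" ", "")
    cut = len(token) - keep_last
    head, middle, tail = token[:keep_first], token[keep_first:cut], token[cut:]
    return head + fpe_decrypt(key, middle, tweak=(head + tail).encode()) + tail
```

Unlike the token schemes earlier in the deck, the output here is a function of the input and a key, so it is reversible by anyone with the key; that is exactly why the PCI DSS glossary definition above ties "strong cryptography" to key management, and why a production deployment should use a NIST-approved mode rather than a construction like this one.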

Data Protection Challenges
Actual protection is not the challenge
Management of solutions
Key management
Security policy
Auditing, Monitoring and reporting

Minimizing impact on business operations
Transparency
Performance vs. security

Minimizing the cost implications
Maintaining compliance
Implementation Time

Best Practices - Data Security Management
Diagram: an Enterprise Data Security Administrator defines policy centrally; the enforcement points (File System Protector, Database Protector, Application Protector, Tokenization Server, Secure Archive) apply it and report to a central audit log.

Privacy - More lax in US than in the E.U.
European Union:
European Union Data Privacy Directive 95/46/EC - protection and movement of personally identifiable information between E.U. member countries and to outside
Firms are responsible for protecting PII data and also for managing its transfer to others by monitoring compliance of recipients
Medical records are no different from other E.U. citizens' personal information because a degree of data protection is already afforded.
United States:
Rules are primarily state-by-state.
Once the data has been yielded to a company, the company is largely free to use it as it wishes, subject to local state regulations.
Concern over medical records privacy may increase with the push to reduce health care costs through greater automation.

Questions?
Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.

In the Case Study, Tokenization was
yielding some benefits for the retailer:
Please select ALL relevant options from below:
Faster PCI audit
Effective segmentation of cardholder data environments
Lower maintenance cost
Better security
Strong performance
ALL is the correct answer

What Makes a “Secure Tokenization”
Algorithm according to Gartner
research?
Please select ONE option from below:
Hashing algorithms
Encryption algorithms
Random values
Homegrown algorithms
“Random values“ is the correct answer

The PCI DSS consists of how many
requirements?
Please select ONE option from below:
6
8
12
16
12 is the correct answer

The PCI standard allows how many
different ways to render the PAN
(Credit Card Number) unreadable?
Please select ONE option from below:
2
3
4
5
6
4 is the correct answer
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
