ISACA eSymposium, The 2012 ISACA Webinar Series : Understanding Your Data Flow - Using Tokenization to Secure Data

  • Big change in this year's Verizon report: we are seeing more identity theft and less payment data theft.
  • The rules for PCI out-of-scope will save cost and reduce risk. The same can be applied to PII/PHI.

Presentation Transcript

  • Understanding Your Data Flow: Using Tokenization to Secure Data. Ulf Mattsson, CTO Protegrity. 2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
  • Welcome
    – Type in questions using the Ask A Question button
    – All audio is streamed over your computer. Having technical issues? Click the ? button
    – Click the Attachments button to find a printable copy of this presentation.
    – After viewing the webinar, ISACA Members may earn 1 CPE credit. Find a link to the CPE Quiz on the Attachments button. Once you pass the quiz, you will receive a printable CPE Certificate.
    – Question or suggestion? Email them to eLearning@isaca.org
  • Ulf Mattsson, CTO Protegrity
    – 20 years with IBM Research & Development and Global Services
    – Started Protegrity in 1994 (Data Security)
    – Inventor of 25 patents: Encryption and Tokenization
    – Member of: PCI Security Standards Council (PCI SSC); American National Standards Institute (ANSI) X9; International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security; ISACA, ISSA and Cloud Security Alliance (CSA)
  • Agenda
    – Trends in Data Breaches & Data Protection
    – Encryption Versus Tokenization
    – Cloud Environments
    – PCI DSS Trends
    – Case Studies
    – Risk Management
  • DATA IS UNDER ATTACK
  • A Growing Threat. Attacks by Anonymous include CIA, Interpol, Sony, Stratfor and HBGary Federal. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
  • “Hacktivism” is Dominating (chart: threat agents by percent of records): Activist group; Organized criminal group; Relative or acquaintance of employee; Former employee (no longer had access); Unaffiliated person(s); Unknown. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • What Data is Compromised? (chart: data types by percent of records): Personal information (Name, SS#, Addr, etc.); Unknown (specific type is not known); Medical records; Classified information; Trade secrets; Copyrighted/Trademarked material; System information (config, svcs, sw, etc.); Bank account numbers/data; Sensitive organizational data (reports, plans, etc.); Authentication credentials (usernames, pwds, etc.); Payment card numbers/data. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • LinkedIn: Class Action Suit. By John Fontana | June 19, 2012. A class action suit against LinkedIn claims that violation of its own privacy policies and user agreements allowed hackers to steal 6.46 million passwords.
  • Other Major Data Breaches (timeline chart, April 2011 to August 2011: time versus impact in $, by attack type). Source: IBM 2012 Security Breaches Trend and Risk Report
  • The Sony Breach
    – Lost 100 million passwords and personal details stored in clear
    – Spent $171 million related to the data breach
    – Sony's stock price has fallen 40 percent
    – For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
    – Attack via SQL Injection
  • What is SQL Injection? (diagram: a SQL command is injected through the application into the data store)
  • SQL Injection Increasing (chart: incidents per quarter, Q1 2011 to Q3 2011, scale up to 25,000). Source: IBM 2012 Security Breaches Trend and Risk Report
  • New Industries are Targets (chart: industries by percent of breaches): Accommodation and Food Services; Retail Trade; Finance and Insurance; Health Care and Social Assistance; Other; Information. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • The Changing Threat Landscape
    – Some issues have stayed constant: the threat landscape continues to gain sophistication, and attackers will always be a step ahead of the defenders
    – We are fighting highly organized, well-funded crime syndicates and nations
    – Move from detective to preventative controls needed
    Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
  • How are Breaches Discovered? (chart: discovery methods by percent of breaches): Notified by law enforcement; Third-party fraud detection (e.g., CPP); Reported by customer/partner affected; Brag or blackmail by perpetrator; Unknown; Witnessed and/or reported by employee; Other(s); Internal fraud detection mechanism; Financial audit and reconciliation process; Log analysis and/or review process; Unusual system behavior or performance. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • Assets Compromised (chart: assets by percent of records): Database server; Web/application server; Desktop/Workstation; Mail server; Call Center Staff (People); Remote Access server; Laptop/Netbook; File server; Pay at the Pump terminal (User devices); Cashier/Teller/Waiter (People); Payment card (credit, debit, etc.) (Offline…); Regular employee/end-user (People); Automated Teller Machine (ATM); POS terminal (User devices); POS server (store controller). Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • Hacking and Malware. Threat Action Categories (chart, by percent of records): Hacking; Malware; Social; Physical; Misuse; Error; Environmental. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • PCI DSS COMPLIANCE
  • Was PCI Data Protected? (chart: percent of relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews; Verizon Study). Requirements, in chart order: 9: Restrict physical access to cardholder data; 5: Use and regularly update anti-virus software; 4: Encrypt transmission of cardholder data; 2: Do not use vendor-supplied defaults for security parameters; 12: Maintain a policy that addresses information security; 1: Install and maintain a firewall configuration to protect data; 8: Assign a unique ID to each person with computer access; 6: Develop and maintain secure systems and applications; 10: Track and monitor all access to network resources and data; 11: Regularly test security systems and processes; 7: Restrict access to data by business need-to-know; 3: Protect Stored Data
  • Amazon's PCI Compliance
    – PCI-DSS 2.0 doesn't address multi-tenancy concerns
    – You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements. Amazon doesn't do this for you; it's something you need to implement yourself, including key management, rotation, logging, etc.
    – If you deploy a server instance in EC2 it still needs to be assessed by your QSA
    – Your organization's assessment scope isn't necessarily reduced. It might be when you move to something like a tokenization service where you reduce your handling of PAN data
    Source: securosis.com
  • WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
  • Use of Enabling Technologies (survey: Technology | Evaluating | In use)
    Access controls | 1% | 91%
    Database activity monitoring | 18% | 47%
    Database encryption | 30% | 35%
    Backup / Archive encryption | 21% | 39%
    Data masking | 28% | 28%
    Application-level encryption | 7% | 29%
    Tokenization | 22% | 23%
  • Tokenization vs. Encryption
    – Encryption: used approach is a cipher system, built on cryptographic algorithms and cryptographic keys
    – Tokenization: used approach is a code system, built on code books and index tokens
    Source: McGraw-Hill Encyclopedia of Science & Technology
  • How can we Secure The Data Flow? (diagram: data flow across the retail store, the bank, the payment systems and the corporate network)
  • What Has The Industry Done? (timeline of protection methods, input value 3872 3789 1620 3675; total cost of ownership falls from High to Low over time)
    – 1970: Strong Encryption (AES, 3DES); output !@#$%a^.,mhu7///&*B()_+!@; total cost of ownership High
    – 2000: Format Preserving Encryption (DTP, FPE); output 8278 2789 2990 2789
    – 2005: Format Preserving Vault-based Tokenization; output 8278 2789 2990 2789; greatly reduced key management
    – 2010: Vaultless Tokenization (no vault); output 8278 2789 2990 2789; total cost of ownership Low
  • WHAT IS THE DIFFERENCE BETWEEN VAULT-BASED AND VAULTLESS TOKENIZATION?
  • We Started with Vault-Based Tokenization …
  • Issues with Vault-based Tokenization
  • Goal: Miniaturization of the Tokenization Server (evolution from the vault-based tokenization server to the vault-less tokenization server)
  • Tokenization Differentiators (Vault-based Tokenization | Vaultless Tokenization)
    Footprint: Large, expanding | Small, static
    High Availability, Disaster Recovery: Complex, expensive replication required | No replication required
    Distribution: Practically impossible to distribute geographically | Easy to deploy at different geographically distributed locations
    Reliability: Prone to collisions | No collisions
    Performance, Latency, and Scalability: Will adversely impact performance & scalability | Little or no latency; fastest industry tokenization
    Extendibility: Practically impossible | Unlimited tokenization capability
  • External Validation of Vaultless Tokenization. “The Vaultless tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.“ Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium. * Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, president of the International Association for Cryptologic Research. * The Katholieke University Leuven in Belgium is where the Advanced Encryption Standard (AES) was invented.
  • SPEED & SECURITY
  • Speed of Different Protection Methods (chart: transactions per second on a logarithmic scale from 100 to 10,000,000, for Vault-based Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization). *: Speed will depend on the configuration
  • Security of Different Protection Methods (chart: security level from Low to High, for Vault-based Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization)
  • CASE STUDIES - VAULTLESS TOKENIZATION
  • Case Study: Large Chain Store. Why? Reduce compliance cost by 50%
    – 50 million credit cards, 700 million daily transactions
    – Performance challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
    – End-to-end tokens: started with the D/W and expanding to stores
    – Lower maintenance cost: don't have to apply all 12 requirements
    – Better security: able to eliminate several business and daily reports
    – Qualified Security Assessors had no issues: “With encryption, implementations can spawn dozens of questions”; “There were no such challenges with tokenization”
  • Case Studies: Retail
    – Customer 1: Why? Three major concerns solved: performance challenge (initial tokenization); vendor lock-in (what if we want to switch payment processor); extensive enterprise end-to-end credit card data protection
    – Customer 2: Why? Desired a single vendor to provide data protection: combined use of tokenization and encryption; looking to expand tokens beyond CCN to PII
    – Customer 3: Why? Remove compensating controls from the mainframe: tokens on the mainframe to avoid compensating controls
  • PCI DSS & OUT-OF-SCOPE
  • Tokenization and Encryption are Different
  • Tokenization and “PCI Out Of Scope” (decision tree; source: http://www.securosis.com)
    – Is de-tokenization available? Yes: no scope reduction. No: continue.
    – Are the tokens random numbers? No (FPE): scope reduction. Yes: continue.
    – Is the system isolated from the cardholder data environment? Yes: out of scope. No: scope reduction.
  • BEYOND PCI
  • How Should I Secure Different Data? (chart: type of data from un-structured to structured against use case from simple to complex; File Encryption on the unstructured side, Field Tokenization on the structured side; Card Holder Data (PCI), PII and PHI (Protected Health Information) plotted)
  • Flexibility in Token Format Controls (Type of Data | Input | Token | Comment)
    Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric
    Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, last 4 digits exposed
    Credit Card | 3872 3789 1620 3675 | 3872 qN4e 5yPx 3675 | Alpha-numeric, digits exposed
    Medical ID | 29M2009ID | 497HF390D | Alpha-numeric
    Date | 10/30/1955 | 12/25/2034 | Date, multiple date formats
    E-mail Address | yuri.gagarin@protegrity.com | empo.snaugs@svtiensnni.snk | Alpha-numeric
    SSN | 075672278 or 075-67-2278 | 287382567 or 287-38-2567 | Numeric, delimiters in input
    Invalid Luhn | 5105 1051 0510 5100 | 8278 2789 2990 2782 | Luhn check will fail
    Binary | 0x010203 | 0x123296910112 | Alphanumeric
    Alphanumeric Indicator | 5105 1051 0510 5100 | 8278 2789 299A 2781 | Position to place alpha is configurable
    Decimal | 123.45 | 9842.56 | Non length preserving
    Multi-Merchant | 3872 3789 1620 3675 | Merchant 1: 8278 2789 2990 2789; Merchant 2: 9302 8999 2662 6345 | Deliver a different token to different merchants based on the same credit card number
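The following is an added illustration, not code from the presentation or from Protegrity's product: a minimal vault-based tokenizer that exercises the format controls listed in the table above (numeric, length-preserving tokens with the last four digits exposed, tokens that deliberately fail the Luhn check) together with the collision handling and de-tokenization access that the vault-based versus vaultless and PCI-scope slides discuss. The class and method names are the author's own choices.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class VaultTokenizer:
    """Vault-based tokenization (simplified illustration, not a product).

    A random numeric token is drawn per PAN and the pair is kept in a lookup
    table, the 'vault'. The token is not derived from the PAN by any key, so
    there is nothing to brute-force; the vault itself is the asset to protect,
    which is why the slides describe it as needing replication and growing.
    """

    def __init__(self, expose_last: int = 4) -> None:
        self.expose_last = expose_last  # format control: last N digits exposed
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _draw_token(self, pan: str) -> str:
        head_len = len(pan) - self.expose_last
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(head_len))
            token = head + pan[-self.expose_last:]
            # Reject a collision with an existing token (the 'prone to collisions'
            # issue) and reject candidates that pass Luhn, so a leaked token is
            # recognisably not a live card number ('Luhn check will fail').
            if token not in self._token_to_pan and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or len(pan) <= self.expose_last:
            raise ValueError("PAN must be numeric and longer than the exposed tail")
        if pan not in self._pan_to_token:  # same PAN always yields the same token
            token = self._draw_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access can recover the PAN; a system that
        stores tokens but cannot call this is the 'isolated' case of the PCI
        scope decision tree."""
        return self._token_to_pan[token]
```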
  • RISK MANAGEMENT
  • Choose Your Defenses (chart: cost against protection option, from Data Monitoring to Lockdown; curves for Cost of Aversion, Expected Losses from the Risk and Total Cost, marking the Optimal Risk Protection)
  • Matching Data Protection with Risk Level (Data | Risk score | Risk level | Solution)
    Credit Card Number | 25 | High Risk (16-25) | Field level tokenization, strong encryption
    Social Security Number | 20 | High Risk (16-25) | Field level tokenization, strong encryption
    Email Address | 20 | High Risk (16-25) | Field level tokenization, strong encryption
    Customer Name | 12 | Medium Risk (6-15) | Monitoring, masking, format controlling encryption
    Secret Formula | 10 | Medium Risk (6-15) | Monitoring, masking, format controlling encryption
    Employee Name | 9 | Medium Risk (6-15) | Monitoring, masking, format controlling encryption
    Employee Health Record | 6 | Medium Risk (6-15) | Monitoring, masking, format controlling encryption
    Zip Code | 3 | Low Risk (1-5) | Monitoring
  • Summary
    – Optimal support of complex enterprise requirements: heterogeneous platform supports all operating systems and databases; flexible protectors (Database, Application, File); Risk Adjusted Data Protection offers the options for protecting data with the appropriate strength; built-in key management; consistent enterprise policy enforcement and audit logging
    – Innovative: pushing data protection with industry leading technology
    – Proven: proven platform currently protects the world's largest companies
    – Experienced: experienced staff will be there with support along the way to complete data protection
  • Questions?
  • Thank you! Ulf Mattsson, Protegrity CTO, ulf.mattsson AT protegrity.com