Understanding Data Flow: Using Tokenization to Secure Information

Understanding Your Data Flow:
Using Tokenization to Secure
Data

Ulf Mattsson, CTO Protegrity

2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

Welcome
• Type in questions using the Ask A Question button

• All audio is streamed over your computer
– Having technical issues? Click the ? button

• Click the Attachments button to find a printable copy of this
presentation.

• After viewing the webinar, ISACA Members may earn 1 CPE credit.
– Find a link to the CPE Quiz on the Attachments button.
– Once you pass the quiz, you will receive a printable CPE
Certificate.

• Question or suggestion? Email them to eLearning@isaca.org

2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved. 2

Ulf Mattsson, CTO Protegrity

• 20 years with IBM Research & Development and
Global Services
• Started Protegrity in 1994 (Data Security)
• Inventor of 25 patents – Encryption and Tokenization
• Member of
– PCI Security Standards Council (PCI SSC)
– American National Standards Institute (ANSI) X9
– International Federation for Information Processing
(IFIP) WG 11.3 Data and Application Security
– ISACA , ISSA and Cloud Security Alliance (CSA)


Agenda

• Trends in Data Breaches & Data Protection
• Encryption Versus Tokenization
• Cloud Environments
• PCI DSS Trends
• Case Studies
• Risk Management


DATA
IS
UNDER ATTACK


A Growing Threat

Attacks by Anonymous include
• CIA, Interpol, Sony, Stratfor and
HBGary Federal

Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous


“Hacktivism” is Dominating

Activist group

Organized criminal group

Relative or acquaintance of employee

Former employee (no longer had access)

Unaffiliated person(s)

Unknown

0 10 20 30 40 50 60 70
%

By percent of records
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/


What Data is Compromised?
Personal information (Name, SS#, Addr, etc.)

Unknown (specific type is not known)

Medical records

Classified information

Trade secrets

Copyrighted/Trademarked material

System information (config, svcs, sw, etc.)

Bank account numbers/data

Sensitive organizational data (reports, plans, etc.)

Authentication credentials (usernames, pwds, etc.)

Payment card numbers/data

0 20 40 60 80 100 %120
By percent of records.


LinkedIn: Class Action Suit

By John Fontana | June 19, 2012

A class action suit against LinkedIn claiming that
violation of its own privacy policies and user agreements
allowed hackers to steal 6.46 million passwords.


Other Major Data Breaches
April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011
Time

Impact $

Attack
Type

Source: IBM 2012 Security Breaches Trend and Risk Report


The Sony Breach
• Lost 100 million passwords and personal
details stored in clear
• Spent $171 million related to the data
breach
• Sony's stock price has fallen 40 percent
• For three pennies an hour, hackers can rent
Amazon.com to wage cyber attacks such as
the one that crippled Sony
• Attack via SQL Injection


What is SQL Injection?

SQL Command Injected

Application

Data
Store


SQL Injection Increasing

25,000

20,000

15,000

10,000

5,000

Q1 2011 Q2 2011 Q3 2011

Source: IBM 2012 Security Breaches Trend and Risk Report


New Industries are Targets

Accommodation and Food Services

Retail Trade

Finance and Insurance

Health Care and Social Assistance

Other

Information

0 10 20 30 40 50 60

By percent of breaches


The Changing Threat Landscape

• Some issues have stayed constant:
– Threat landscape continues to gain
sophistication
– Attackers will always be a step ahead of the
defenders
• We are fighting highly organized, well-funded crime
syndicates and nations
• Move from detective to preventative controls
needed
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2


How are Breaches Discovered?
Notified by law enforcement
Third-party fraud detection (e.g., CPP)
Reported by customer/partner affected
Brag or blackmail by perpetrator
Unknown
Witnessed and/or reported by employee
Other(s)
Internal fraud detection mechanism
Financial audit and reconciliation process
Log analysis and/or review process
Unusual system behavior or performance

0 10 20 30 40 50 60 70 %

By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

16 2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved. 16

Assets Compromised
Database server
Web/application server
Desktop/Workstation
Mail server
Call Center Staff People
Remote Access server
Laptop/Netbook
File server
Pay at the Pump terminal User devices
Cashier/Teller/Waiter People
Payment card (credit, debit, etc.) Offline…
Regular employee/end-user People
Automated Teller Machine (ATM)
POS terminal User devices
POS server (store controller)

0 20 40 60 80 100 % 120


Hacking and Malware
Threat Action Categories
Hacking
Malware
Social
Physical
Misuse
Error
Environmental

0 50 100 % 150



PCI DSS
COMPLIANCE


Was PCI Data Protected?

9: Restrict physical access to cardholder data

5: Use and regularly update anti-virus software

4: Encrypt transmission of cardholder data
2: Do not use vendor-supplied defaults for security
parameters
12: Maintain a policy that addresses information security
1: Install and maintain a firewall configuration to protect
data
8: Assign a unique ID to each person with computer
access
6: Develop and maintain secure systems and
applications
10: Track and monitor all access to network resources
and data
11: Regularly test security systems and processes

7: Restrict access to data by business need-to-know

3: Protect Stored Data
%

0 10 20 30 40 50 60 70 80 90 100
Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study


Amazon’s PCI Compliance

• PCI-DSS 2.0 doesn't address multi-tenancy concerns

• You can store PAN data on S3, but it still needs to be
encrypted in accordance with PCI-DSS requirements
• Amazon doesn't do this for you -- it's something you need to
implement yourself; including key
management, rotation, logging, etc.
• If you deploy a server instance in EC2 it still needs to be assessed
by your QSA

• Your organization's assessment scope isn't necessarily
reduced
• It might be when you move to something like a tokenization service
where you reduce your handling of PAN data
Source: securosis.com

WHAT HAS
THE INDUSTRY
DONE TO
SECURE DATA?


Use of Enabling Technologies

Access controls 1% 91%

Database activity monitoring 18% 47%

Database encryption 30% 35%

Backup / Archive encryption 21% 39%

Data masking 28% 28%

Application-level encryption 7% 29%

Tokenization 22% 23%

Evaluating


Tokenization vs. Encryption

Encryption Tokenization
Used Approach Cipher System Code System

Cryptographic algorithms
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY


How can we Secure The Data
Flow?

Retail Bank
Store

Payment Corporate
Network Systems


What Has The Industry Done?
Total Cost Input Value: 3872 3789 1620 3675
Of
Ownership
Strong Encryption !@#$%a^.,mhu7///&*B()_+!@
High AES, 3DES

Format Preserving Encryption 8278 2789 2990 2789
DTP, FPE
Format Preserving

Vault-based Tokenization 8278 2789 2990 2789
Greatly reduced Key
Management

Vaultless Tokenization
Low
No Vault
8278 2789 2990 2789

1970 2000 2005 2010


WHAT IS THE
DIFFERENCE
BETWEEN
VAULT-BASED AND
VAULTLESS
TOKENIZATION?

We Started with Vault-Based Tokenization …


Issues with Vault-based
Tokenization


Goal: Miniaturization of the
Tokenization Server

Evolution

Vault-less
Tokenization
Server

Vault-based Tokenization Server


Tokenization Differentiators

Vault-based Tokenization Vaultless Tokenization
Footprint Large, Expanding. Small, Static.

High Availability, Complex, expensive No replication required.
Disaster Recovery replication required.

Distribution Practically impossible to Easy to deploy at different
distribute geographically. geographically distributed
locations.
Reliability Prone to collisions. No collisions.

Performance, Will adversely impact Little or no latency. Fastest industry
Latency, and performance & scalability. tokenization.
Scalability
Extendibility Practically impossible. Unlimited Tokenization Capability.


External Validation of Vaultless
Tokenization
“The Vaultless tokenization scheme offers excellent security, since it is
based on fully randomized tables. This is a fully distributed tokenization
approach with no need for synchronization and there is no risk for
collisions.“

Prof. Dr. Ir. Bart Preneel
Katholieke University Leuven, Belgium *

Bart Preneel is a Belgian cryptographer and cryptanalyst.
He is a professor at Katholieke Universiteit Leuven, president
of the International Association for Cryptologic Research
* The Katholieke University Leuven in Belgium is where Advanced Encryption Standard (AES) was invented.


SPEED
&
SECURITY


Speed of Different Protection
Methods
Transactions per second*
10 000 000 -

1 000 000 -

100 000 -

10 000 -

1 000 -

100 -
I I I I
Vault-based Format AES CBC Vaultless
Data Preserving Encryption Data
Tokenization Encryption Standard Tokenization
*: Speed will depend on the configuration


Security of Different Protection
Methods
Security Level

High

Low

I I I I
Vault-based Format AES CBC Vaultless
Data Preserving Encryption Data
Tokenization Encryption Standard Tokenization


CASE STUDIES
-
VAULTLESS
TOKENIZATION

Case Study: Large Chain Store

Why? Reduce compliance cost by 50%
– 50 million Credit Cards, 700 million daily transactions
– Performance Challenge: 30 days with Basic to 90 minutes with
Vaultless Tokenization
– End-to-End Tokens: Started with the D/W and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Qualified Security Assessors had no issues
• “With encryption, implementations can spawn dozens of questions”
• “There were no such challenges with tokenization”


Case Studies: Retail
Customer 1: Why? Three major concerns solved
– Performance Challenge; Initial tokenization
– Vendor Lock-In: What if we want to switch payment processor
– Extensive Enterprise End-to-End Credit Card Data Protection
Customer 2: Why? Desired single vendor to provide data
protection
– Combined use of tokenization and encryption
– Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the
mainframe
– Tokens on the mainframe to avoid compensating controls


PCI DSS
&
OUT-OF-SCOPE


Tokenization and Encryption are
Different


Tokenization and “PCI Out Of
Scope”
De-tokenization
No Available?

Yes
Random Number
Tokens?
No:
Yes FPE

Isolated from Card
Holder Data
Yes Environment? No

Out of Scope No Scope
Scope Reduction Reduction
Source: http://www.securosis.com


BEYOND
PCI


How Should I Secure Different
Data?
File Field
Encryption Tokenization
Use
Case
Card
Simple - PII Holder PCI
Data

PHI
Protected
Health
Complex - Information
Type of
I I
Data
Un-structured Structured

Flexibility in Token Format
Controls
Type of Data Input Token Comment

Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric

Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed

Credit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposed

Medical ID 29M2009ID 497HF390D Alpha-Numeric

Date 10/30/1955 12/25/2034 Date - multiple date formats

E-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snk Alpha Numeric

SSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in input

Invalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will fail

Binary 0x010203 0x123296910112

Alphanumeric Position to place alpha is
5105 1051 0510 5100 8278 2789 299A 2781
Indicator configurable

Decimal 123.45 9842.56 Non length preserving

Deliver a different token to different
Merchant 1: 8278 2789 2990 2789
Multi-Merchant 3872 3789 1620 3675 merchant based on the same credit
Merchant 2: 9302 8999 2662 6345
card number.


RISK
MANAGEMENT


Choose Your Defenses
Cost
Cost of Aversion – Expected Losses
Protection of Data from the Risk

Total Cost

Optimal
Risk

Protection
I I Option
Data Monitoring
Lockdown


Matching Data Protection with Risk
Level

Risk Level Solution
Data Risk
Field Level Tokenization, s
High Risk
Credit Card Number 25 trong
(16-25)
encryption
Social Security Number 20
Email Address 20 Monitoring,
Customer Name 12 Medium Risk masking, format
Secret Formula 10 (6-15) controlling
Employee Name 9 encryption
Employee Health Record 6
Zip Code 3 Low Risk Monitoring
(1-5)


Summary
• Optimal support of complex enterprise requirements
– Heterogeneous platform supports all operating systems and databases
– Flexible protectors (Database, Application, File)
– Risk Adjusted Data Protection offers the options for protection data with
the appropriate strength.
– Built-in Key Management
– Consistent Enterprise policy enforcement and audit logging
• Innovative
– Pushing data protection with industry leading
• Proven
– Proven platform currently protects the worlds largest companies
• Experienced
– Experienced staff will be there with support along the way to complete data protection


Questions?


Thank you!

Ulf Mattsson
Protegrity CTO
ulf.mattsson AT protegrity.com


Understanding Data Flow: Using Tokenization to Secure Information

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Understanding Data Flow: Using Tokenization to Secure Information

Similar to Understanding Data Flow: Using Tokenization to Secure Information (20)

More from Ulf Mattsson

More from Ulf Mattsson (20)

Recently uploaded

Recently uploaded (20)

Understanding Data Flow: Using Tokenization to Secure Information

Editor's Notes