ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson

Transcript of "ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson":

Slide 1: Understanding Your Data Flow: Using Tokenization to Secure Data. Ulf Mattsson, CTO, Protegrity

Slide 4: Ulf Mattsson, CTO Protegrity
  • 20 years with IBM Development & Global Services
  • Started Protegrity 1994
  • Inventor of 22 patents: encryption and tokenization
  • Member of:
    – PCI Security Standards Council (PCI SSC)
    – American National Standards Institute (ANSI) X9
    – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
    – ISACA (Information Systems Audit and Control Association)
    – Information Systems Security Association (ISSA)
    – Cloud Security Alliance (CSA)

Slide 5: Session topics
  • Discuss threats against data
  • Review solutions for securing data
    – Evaluate different options for data tokenization and encryption
  • Review case studies
    – Discuss how to stay out of scope for PCI DSS
  • Review data protection cost efficiency
    – Introduce a business risk approach
  • Discuss cloud and outsourced environments

Slide 6: THIEVES ARE STEALING OUR DATA!

Slide 7: Albert Gonzalez, 20 years in US federal prison
  US federal indictments:
  1. Dave & Buster's
  2. TJ Maxx
  3. Heartland (HPS); breach expenses $140M
  Sources: http://en.wikipedia.org/wiki/Albert_Gonzalez, http://www.youtube.com/user/ProtegrityUSA
Slide 8: What about Breaches & PCI? Was Data Protected?
  Bar chart (Verizon study, based on post-breach reviews): percentage of breached organizations found in compliance with each PCI DSS requirement, listed in the order shown on the slide:
  9: Restrict physical access to cardholder data
  5: Use and regularly update anti-virus software
  4: Encrypt transmission of cardholder data
  2: Do not use vendor-supplied defaults for security parameters
  12: Maintain a policy that addresses information security
  1: Install and maintain a firewall configuration to protect data
  8: Assign a unique ID to each person with computer access
  6: Develop and maintain secure systems and applications
  10: Track and monitor all access to network resources and data
  11: Regularly test security systems and processes
  7: Restrict access to data by business need-to-know
  3: Protect stored data
Slide 9: WHAT TYPES OF DATA ARE UNDER ATTACK NOW?

Slide 10: What Data is Compromised? (bar chart by percent of records; source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/)
  Categories, in the order shown: personal information (name, SSN, address, etc.); payment card numbers/data; unknown (specific type is not known); medical records; classified information; trade secrets; copyrighted/trademarked material; system information (config, services, software, etc.); bank account numbers/data; sensitive organizational data (reports, plans, etc.); authentication credentials

Slide 11: Today "Hacktivism" is Dominating (bar chart by percent of records; source: 2012 Verizon DBIR)
  Threat agents, in the order shown: activist group; organized criminal group; relative or acquaintance of employee; former employee (no longer had access); unaffiliated person(s); unknown

Slide 12: Growing Threat of "Hacktivism" by Groups such as Anonymous
  Attacks by Anonymous include:
  • 2012: CIA and Interpol
  • 2011: Sony, Stratfor and HBGary Federal
  Sources: 2012 Verizon DBIR (http://www.verizonbusiness.com/Products/security/dbir/), http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
Slide 13: Let's Review Some Major Recent Breaches
  Chart: attack type, time and impact ($) for breaches from April 2011 to August 2011. Source: IBM 2012 Security Breaches Trend and Risk Report

Slide 14: The Sony Breach & Cloud
  • Lost 100 million passwords and personal details stored in clear
  • Spent $171 million related to the data breach
  • Sony's stock price has fallen 40 percent
  • For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
  • Attack via SQL injection

Slide 15: SQL Injection Attacks are Increasing
  Chart: SQL injection attack counts per quarter, Q1 to Q3 2011 (scale 5,000 to 25,000). Source: IBM 2012 Security Breaches Trend and Risk Report

Slide 16: WHAT IS SQL INJECTION?

Slide 17: What is an SQL Injection Attack?
  Diagram: an SQL command injected through the application reaches the data store. The data store executes attacker-chosen SQL because the application built its query from untrusted input.
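As an added example (not code from the presentation), the following Python shows the mechanism slide 17 diagrams: a lookup that concatenates user input into the SQL text beside the same lookup with parameter binding, run against a constructed in-memory SQLite table. The table, rows and probe value are made up for the example.

```python
"""Added example (not from the presentation): the difference between a query
built by string concatenation and a parameterised query, run against a
constructed in-memory SQLite table of cardholder records."""
import sqlite3

# Constructed sample rows; the PANs are well-known test card numbers.
ROWS = [
    (1, "alice", "4111 1111 1111 1111"),
    (2, "bob", "5500 0000 0000 0004"),
]

# A classic probe value: closes the string literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, pan TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con, name):
    # The untrusted value becomes part of the SQL text, so a quote in the
    # input changes the statement's grammar instead of being compared as data.
    sql = "SELECT name, pan FROM customers WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    # Parameter binding: the driver hands the value to the engine separately
    # from the statement text, so it can only ever be compared as data.
    sql = "SELECT name, pan FROM customers WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row, PANs included
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no rows
```

The vulnerable lookup returns every row for the probe value, card numbers included; the bound lookup returns nothing, because no customer is literally named `x' OR '1'='1`. This is also the link to slide 27: if the `pan` column held tokens rather than card numbers, the same injection would still succeed but would only leak tokens.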
Slide 18: WHO IS THE NEXT TARGET?

Slide 19: New Industry Groups are Targets (bar chart by percent of breaches; source: 2012 Verizon DBIR)
  Industries, in the order shown: accommodation and food services; retail trade; finance and insurance; health care and social assistance; other; information

Slide 20: The Changing Threat Landscape
  Some issues have stayed constant:
  • The threat landscape continues to gain sophistication
  • Attackers will always be a step ahead of the defenders
  • We are fighting highly organized, well-funded crime syndicates and nations
  • A move from detective to preventative controls is needed
  Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

Slide 21: How are Breaches Discovered? (bar chart by percent of breaches; source: 2012 Verizon DBIR)
  Discovery methods, in the order shown: notified by law enforcement; third-party fraud detection (e.g., CPP); reported by customer/partner affected; brag or blackmail by perpetrator; unknown; witnessed and/or reported by employee; other(s); internal fraud detection mechanism; financial audit and reconciliation process; log analysis and/or review process; unusual system behavior or performance

Slide 22: WHERE IS DATA LOST?

Slide 23: What Assets are Compromised? (bar chart by percent of records; source: 2012 Verizon DBIR)
  Assets, in the order shown, with the asset class in parentheses: database server; web/application server; desktop/workstation; mail server; call center staff (people); remote access server; laptop/netbook; file server; pay-at-the-pump terminal (user devices); cashier/teller/waiter (people); payment card, credit/debit, etc. (offline data); regular employee/end-user (people); automated teller machine (ATM); POS terminal (user devices); POS server (store controller)

Slide 24: Hacking and Malware are Leading Threat Action Categories (bar chart by percent of records; source: 2012 Verizon DBIR)
  Categories labelled on the slide: hacking; social; misuse; environmental
Slide 25: Thieves Are Attacking the Data Flow
  Diagram: sensitive data flowing from application to application is the target.

Slide 26: THIS IS A CATCH 22!

Slide 27: Thieves Can't Steal What's Not There: Fake Data
  Diagram: the same application-to-application flow, now carrying a token (shown as ???-??-????) in place of the real value.

Slide 28: HOW CAN WE SECURE THE DATA FLOW?

Slide 29: Securing The Data Flow with Tokenization
  Diagram: retail store, corporate network systems and payment bank; the corporate network systems carry tokens (shown as 9999 9999) rather than the card number.

Slide 30: WHAT HAS THE INDUSTRY DONE TO SECURE DATA?

Slide 31: What Has The Industry Done?
  Chart: total cost of ownership (low to high) against time (1970, 2000, 2005, 2010), falling through the sequence strong encryption (3DES, AES, ...), format preserving encryption (FPE, DTP, ...), basic tokenization and vaultless tokenization.
  Components of total cost of ownership:
  1. System integration
  2. Performance impact
  3. Key management
  4. Policy management
  5. Reporting
  6. Paper handling
  7. Compliance audit
  8. ...

Slide 32: Case Study: Large Chain Store
  Why? Reduce compliance cost by 50%
  – 50 million credit cards, 700 million daily transactions
  – Performance challenge: 30 days with basic tokenization down to 90 minutes with vaultless tokenization
  – End-to-end tokens: started with the data warehouse (D/W) and expanding to stores
  – Lower maintenance cost: don't have to apply all 12 requirements
  – Better security: able to eliminate several business and daily reports
  – Qualified Security Assessors had no issues
    • "With encryption, implementations can spawn dozens of questions"
    • "There were no such challenges with tokenization"
Slide 33: HOW CAN WE POSITION DIFFERENT SECURITY OPTIONS?

Slide 34: Speed of Different Protection Methods
  Chart: transactions per second (log scale, 100 to 10,000,000) for basic data tokenization, format preserving encryption, AES CBC (Encryption Standard) and vaultless data tokenization. Speed will depend on the configuration.

Slide 35: WHAT IS VAULT-LESS DATA TOKENIZATION?

Slide 36: Different Tokenization Approaches
  Criterion                              | Basic Tokenization                                       | Vault-less Tokenization*
  Footprint                              | Large, expanding                                         | Small, static
  High availability, disaster recovery   | Complex, expensive replication required                  | No replication required
  Distribution                           | Practically impossible to distribute geographically      | Easy to deploy at different geographically distributed locations
  Reliability                            | Prone to collisions                                      | No collisions
  Performance, latency and scalability   | Will adversely impact performance and scalability        | Little or no latency; fastest industry tokenization
  Extendibility                          | Practically impossible                                   | Unlimited tokenization capability
  *: Validated by 3rd party experts
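To make the structural claims in slide 36 concrete (small static footprint, nothing to replicate, no collisions), here is an added, purely illustrative Python construction of a vault-less tokeniser for digit strings. It is not Protegrity's algorithm and no security claim is made for it; ROUNDS, MAX_LEN, the seed and the chaining rule are this example's own choices. The point it demonstrates is that a fixed random table can replace a growing vault, and that a bijective mapping cannot collide.

```python
"""Added example (illustrative only; not Protegrity's vault-less algorithm and
no security claim is made for it): a table-driven tokeniser for digit strings
that needs no vault. A fixed set of random digit permutations is generated
once from a seed (standing in for a secret) and can be copied to every node;
each round is a bijection, so two inputs can never share a token."""
import random

ROUNDS = 4      # assumed parameter
MAX_LEN = 16    # assumed parameter: longest digit string supported


def build_table(seed, length=MAX_LEN):
    """One random permutation of the digits 0-9 per (round, position).
    This static table is the whole state; nothing grows as data is tokenised."""
    rng = random.Random(seed)
    table = []
    for _ in range(ROUNDS):
        row = []
        for _ in range(length):
            perm = list(range(10))
            rng.shuffle(perm)
            row.append(perm)
        table.append(row)
    return table


def _order(rnd, n):
    # Alternate the chaining direction per round so that after two rounds
    # every output digit depends on every input digit.
    idx = list(range(n))
    return idx if rnd % 2 == 0 else idx[::-1]


def tokenize(digits, table):
    if not digits.isdigit() or len(digits) > len(table[0]):
        raise ValueError("expected a digit string of at most %d characters" % len(table[0]))
    d = [int(c) for c in digits]
    for rnd in range(ROUNDS):
        prev = 0
        for i in _order(rnd, len(d)):
            # Substitute through this position's permutation, chained to the
            # output digit produced just before it in this round.
            d[i] = table[rnd][i][(d[i] + prev) % 10]
            prev = d[i]
    return "".join(map(str, d))


def detokenize(token, table):
    """Exact inverse of tokenize: undo the rounds in reverse order."""
    d = [int(c) for c in token]
    for rnd in reversed(range(ROUNDS)):
        outputs = d[:]              # the digits this round produced
        prev = 0
        for i in _order(rnd, len(d)):
            d[i] = (table[rnd][i].index(outputs[i]) - prev) % 10
            prev = outputs[i]
    return "".join(map(str, d))


if __name__ == "__main__":
    t = build_table(seed=2012)
    tok = tokenize("387237891620", t)
    print(tok, detokenize(tok, t))
```

Two caveats a practitioner should keep in mind. First, because the table fully determines the mapping, this is a keyed, reversible transformation; under the PCI DSS language on slide 48, whether a given vault-less product counts as tokenization or as encryption of the PAN is a question for the assessor, not something the code settles. Second, "no collisions" here follows only from the mapping being a bijection on fixed-length digit strings; a vault-based design has to check for collisions explicitly instead.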
Slide 37: HOW IMPORTANT IS COST?

Slide 38: Impact of Different Protection Methods
  Chart: intrusiveness to applications and databases, rising with the change in data type, format and length. Example outputs for the input 123456 123456 1234, from least to most intrusive:
  Clear text data: 123456 123456 1234 (original length and type)
  Partial, via tokenizing/encoding or formatted encryption: 123456 777777 1234
  Numeric: 666666 777777 8888
  Alpha: aVdSaH 1F4hJ 1D3a
  Strong encryption: !@#$%a^.,mhu7///&*B()_+!@
  Hashing (Encryption Standard): !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*

Slide 39: WHEN CAN I USE TOKENIZATION?

Slide 40: How Should I Secure Different Data?
  Chart: use case (simple to complex) against type of data (unstructured to structured). File encryption is placed at the unstructured end; field tokenization at the structured end, covering PCI cardholder data (simple), PII and PHI (protected health information; complex).

Slide 41: Tokenizing Different Types of Data
  Type of data        | Input                        | Token                        | Comment
  Credit card         | 3872 3789 1620 3675          | 8278 2789 2990 2789          | Numeric
  Medical ID          | 29M2009ID                    | 497HF390D                    | Alpha-numeric
  Date                | 10/30/1955                   | 12/25/2034                   | Date
  E-mail address      | Ulf.mattsson@protegrity.com  | empo.snaugs@svtiensnni.snk   | Alpha-numeric, delimiters in input preserved
  SSN with delimiters | 075-67-2278                  | 287-38-2567                  | Numeric, delimiters in input preserved
  Credit card         | 3872 3789 1620 3675          | 8278 2789 2990 3675          | Numeric, last 4 digits exposed

Slide 42: ANY TOKENIZATION GUIDELINES?

Slide 43: Tokenization Guidelines, Visa
  Token generation approaches listed, each classified by token type (single-use token or multi-use token):
  • Known strong reversible algorithm and key (marked "No" on the slide)
  • Unique sequence number
  • One-way irreversible hash function: secret per transaction for single-use tokens, secret per merchant for multi-use tokens
  • Randomly generated value
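The following added example (not code from the presentation) ties slides 41 and 43 together: a vault-backed tokeniser whose tokens are randomly generated values, never derived from the input, that keeps length, character classes and delimiters as in the slide 41 table, and that issues either single-use tokens (fresh on every call) or multi-use tokens (one token per merchant and value), the distinction Visa draws on slide 43. The class name, the `merchant` and `keep_last` parameters and the sample inputs are this example's own choices.

```python
"""Added example (not from the presentation): a vault-backed tokeniser that
issues random tokens (nothing is derived from the input), keeps the input's
length, character classes and delimiters, and supports both single-use and
multi-use tokens in the sense of the Visa guidance. The 'merchant' argument
and the class name are this example's own choices."""
import secrets

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


class TokenVault:
    def __init__(self):
        self._value_by_token = {}   # token -> original value (the vault)
        self._multi_use = {}        # (merchant, value) -> token

    @staticmethod
    def _random_like(value, keep_last):
        """Random replacement for every digit/letter except the last
        keep_last characters; other characters (spaces, '-', '@', '.', '/')
        stay where they are, so the token has the input's shape."""
        out = list(value)
        for i in range(len(out) - keep_last):
            c = out[i]
            if c.isdigit():
                out[i] = secrets.choice(DIGITS)
            elif c.islower():
                out[i] = secrets.choice(LOWER)
            elif c.isupper():
                out[i] = secrets.choice(UPPER)
        return "".join(out)

    def tokenize(self, value, merchant=None, keep_last=0):
        """merchant=None: single-use, a fresh token on every call.
        merchant given: multi-use, the same token for (merchant, value)."""
        if not any(c.isalnum() for c in value[:len(value) - keep_last]):
            raise ValueError("nothing left to tokenize")
        key = (merchant, value)
        if merchant is not None and key in self._multi_use:
            return self._multi_use[key]
        while True:
            token = self._random_like(value, keep_last)
            # Collision handling: never reuse a token, never return the input.
            # (Terminates quickly for any realistic value space.)
            if token != value and token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        if merchant is not None:
            self._multi_use[key] = token
        return token

    def detokenize(self, token):
        # The only way back is the vault, which is why the vault itself stays
        # inside the cardholder data environment.
        return self._value_by_token[token]


if __name__ == "__main__":
    v = TokenVault()
    pan = "3872 3789 1620 3675"
    print(v.tokenize(pan, merchant="store-1"))   # multi-use, e.g. 8278 2789 2990 2789
    print(v.tokenize(pan, keep_last=4))          # single-use, last four digits kept
    print(v.tokenize("075-67-2278"))             # dashes preserved
```

Because the vault is the only route from token to value, it is the part that must stay in the cardholder data environment, be replicated for high availability and be checked for collisions on every insert; those are exactly the costs slide 36 attributes to basic tokenization. One gap to note: the date row of slide 41 shows a token that is itself a valid date, which this character-class replacement does not guarantee (it would happily produce a month of 19), so a date-typed token needs a range constraint on top of what is shown here.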
Slide 44: Tokenization vs. Encryption
                   | Encryption                                  | Tokenization
  Approach used    | Cipher system                               | Code system
  Built on         | Cryptographic algorithms, cryptographic keys | Code books, index tokens
  Source: McGraw-Hill Encyclopedia of Science & Technology

Slide 45: HOW SECURE IS ENCRYPTION?

Slide 46: Many Broken Algorithms

Slide 47: KEYS EVERYWHERE!

Slide 48: PCI DSS: Tokenization and Encryption are Different
  If the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key, there is no scope reduction.

Slide 49: TOKENS ARE RANDOM

Slide 50: Tokenization and "PCI Out Of Scope"
  Decision flow (source: http://www.securosis.com), as read from the slide: is de-tokenization available? Are the tokens random numbers, or derived (FPE)? Is the system isolated from the cardholder data environment? Derived (FPE) tokens give no scope reduction, consistent with slide 48; random tokens in a system isolated from the cardholder data environment are out of scope, and otherwise the result is a scope reduction rather than removal from scope.

Slide 51: Case Study: Energy Industry
  Why? Reduce PCI scope
  • Best way to handle legacy; we got most of it out of PCI
  • Get rid of unwanted paper copies
  • No need to rewrite/redevelop or restructure business applications
  • A VERY efficient way of PCI reduction of scope
  • Better understanding of your data flow
  • Better understanding of business flow
  • Opportunity to clean up a few business oddities

Slide 52: Evaluating Encryption & Tokenization
  Matrix comparing database file encryption, database column encryption, basic tokenization and vaultless tokenization on the criteria availability, scalability, latency, CPU consumption, data flow protection, compliance scoping, key management, data collisions and separation of duties; the slide marks the best option for each criterion.
Slide 53: Case Studies: Retail
  Customer 1: Why? Three major concerns solved
  – Performance challenge: initial tokenization
  – Vendor lock-in: what if we want to switch payment processor
  – Extensive enterprise end-to-end credit card data protection
  Customer 2: Why? Desired a single vendor to provide data protection
  – Combined use of tokenization and encryption
  – Looking to expand tokens beyond CCN to PII
  Customer 3: Why? Remove compensating controls from the mainframe
  – Tokens on the mainframe to avoid compensating controls

Slide 54: WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES?

Slide 55: Use of Enabling Technologies (two figures per technology; the first series is labelled "Evaluating" on the slide, the second series is the in-use figure)
  Technology                    | Evaluating | Second series
  Access controls               | 1%         | 91%
  Database activity monitoring  | 18%        | 47%
  Database encryption           | 30%        | 35%
  Backup / archive encryption   | 21%        | 39%
  Data masking                  | 28%        | 28%
  Application-level encryption  | 7%         | 29%
  Tokenization                  | 22%        | 23%

Slide 56: Is Data Masking Secure?
  Chart: risk (low to high) by system type (test/dev, integration testing, troubleshooting, production) for data at rest and data display. Masking exposure: data is only obfuscated, and before masking the data is in clear.

Slide 57: Data Tokens = Lower Risk
  The slide 56 chart with data tokens plotted at low risk across all system types.

Slide 58: CAN SECURITY HELP CREATIVITY?

Slide 59: Old Security = Less Creativity
  Chart: risk (low to high) against access right level (less to more) for traditional access control. Source: InformationWeek, Aug 15, 2011

Slide 60: New Data Security = More Creativity
  The slide 59 chart with data tokens keeping risk low as access rights grow; "creativity happens at the edge". Source: InformationWeek, Aug 15, 2011

Slide 61: WHAT IS THE IMPACT ON RISK MANAGEMENT?

Slide 62: Choose Your Defenses
  Chart: cost against protection option (from data monitoring to lockdown). The cost of aversion (protection of data) rises, the expected losses from the risk fall, and their sum (total cost) has a minimum at the optimal risk protection.

Slide 63: DATA SECURITY ADVANCES ARE CHANGING THE BALANCE

Slide 64: Matching Data Protection with Risk Level
  Data                    | Risk score
  Credit card number      | 25
  Social Security number  | 20
  Email address           | 20
  Customer name           | 12
  Secret formula          | 10
  Employee name           | 9
  Employee health record  | 6
  Zip code                | 3
  Risk level        | Solution
  High risk (16–25) | Field-level tokenization, strong encryption
  Medium risk (6–15) | Monitoring, masking, format-controlling encryption
  Low risk (1–5)    | Monitoring
Slide 65: SEPARATION OF DUTIES!

Slide 66: Security of Different Protection Methods
  Chart: security level (low to high) for basic data tokenization, format preserving encryption, AES CBC (Encryption Standard) and vaultless data tokenization.

Slide 67: HOW CAN I SECURE DATA IN CLOUD?

Slide 68: Risks with Cloud Computing (bar chart, percent of respondents; source: The evolving role of IT managers and CIOs, findings from the 2010 IBM Global IT Risk Study)
  Concerns, in the order shown: handing over sensitive data to a third…; threat of data breach or loss; weakening of corporate network…; uptime/business continuity; financial strength of the cloud…; inability to customize applications

Slide 69: PCI & Cloud
  "The PCI Council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment." Bob Russo, general manager of the PCI Security Standards Council

Slide 70: Amazon's PCI Compliance
  • PCI DSS 2.0 doesn't address multi-tenancy concerns
  • You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI DSS requirements
  • Amazon doesn't do this for you; it's something you need to implement yourself, including key management, rotation, logging, etc.
  • If you deploy a server instance in EC2 it still needs to be assessed by your QSA
  • Your organization's assessment scope isn't necessarily reduced
  • It might be when you move to something like a tokenization service where you reduce your handling of PAN data
  Source: securosis.com

Slide 71: Securing The Data Flow with Tokenization
  The slide 29 diagram repeated: retail store, corporate network systems and payment bank, with tokens (9999 9999) in the corporate network systems.

Slide 72: Why Tokenization?
  Why tokenization:
  1. No masking
  2. No encryption
  3. No key management
  Why vaultless tokenization:
  1. Lower cost / TCO
  2. Better
  3. Faster

Slide 73: Conclusion
  • Organizations need to understand their data flow and current security technologies
    – Determine the most significant security exposures
    – Target budgets toward addressing the most critical issues
    – Strengthen security and compliance profiles
  • Achieve the right balance between business needs and security demands
    – Increasingly important as companies change their security strategies to better protect sensitive data following continuing attacks

Slide 74: About Protegrity
  • Proven enterprise data security software and innovation leader
    – Sole focus on the protection of data
    – Patented technology, continuing to drive innovation
  • Growth driven by compliance and risk management
    – PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information)
    – US state and foreign privacy laws, breach notification laws
  • Cross-industry applicability
    – Retail, hospitality, travel and transportation
    – Financial services, insurance, banking
    – Healthcare, telecommunications, media and entertainment
    – Manufacturing and government

Slide 75: Thank you! Q&A
  ulf.mattsson@protegrity.com, www.protegrity.com, 203-326-7200