ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
Presentation Transcript

  • Understanding Your Data Flow: Using Tokenization to Secure Data. Ulf Mattsson, CTO, Protegrity
  • Ulf Mattsson, CTO Protegrity
    – 20 years with IBM Development & Global Services
    – Started Protegrity 1994
    – Inventor of 22 patents: encryption and tokenization
    – Member of: PCI Security Standards Council (PCI SSC); American National Standards Institute (ANSI) X9; International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security; ISACA (Information Systems Audit and Control Association); Information Systems Security Association (ISSA); Cloud Security Alliance (CSA)
  • Session topics
    – Discuss threats against data
    – Review solutions for securing data: evaluate different options for data tokenization and encryption
    – Review case studies: discuss how to stay out of scope for PCI DSS
    – Review data protection cost efficiency: introduce a business risk approach
    – Discuss cloud and outsourced environments
  • THIEVES ARE STEALING OUR DATA!
  • Albert Gonzalez: 20 years in US federal prison. US federal indictments: 1. Dave & Buster's, 2. TJ Maxx, 3. Heartland (HPS). Breach expenses: $140M. Sources: http://en.wikipedia.org/wiki/Albert_Gonzalez, http://www.youtube.com/user/ProtegrityUSA
  • What about Breaches & PCI? Was Data Protected? Chart (0 to 100%) of the share of breached organizations found in compliance with each PCI DSS requirement, based on post-breach reviews (Verizon study). Requirements in the chart's order: 9 Restrict physical access to cardholder data; 5 Use and regularly update anti-virus software; 4 Encrypt transmission of cardholder data; 2 Do not use vendor-supplied defaults for security parameters; 12 Maintain a policy that addresses information security; 1 Install and maintain a firewall configuration to protect data; 8 Assign a unique ID to each person with computer access; 6 Develop and maintain secure systems and applications; 10 Track and monitor all access to network resources and data; 11 Regularly test security systems and processes; 7 Restrict access to data by business need-to-know; 3 Protect stored data.
  • WHAT TYPES OF DATA ARE UNDER ATTACK NOW?
  • What Data is Compromised? Chart, by percent of records: personal information (name, SSN, address, etc.); payment card numbers/data; unknown (specific type is not known); medical records; classified information; trade secrets; copyrighted/trademarked material; system information (config, services, software, etc.); bank account numbers/data; sensitive organizational data (reports, plans, etc.); authentication credentials. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • Today “Hacktivism” is Dominating. Chart of threat agents, by percent of records: activist group; organized criminal group; relative or acquaintance of employee; former employee (no longer had access); unaffiliated person(s); unknown. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • Growing Threat of “Hacktivism” by Groups such as Anonymous. Attacks by Anonymous include: 2012: CIA and Interpol; 2011: Sony, Stratfor and HBGary Federal. Sources: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
  • Let’s Review Some Major Recent Breaches. Timeline chart, April 2011 to August 2011, of attack type, time and impact ($). Source: IBM 2012 Security Breaches Trend and Risk Report
  • The Sony Breach & Cloud
    – Lost 100 million passwords and personal details stored in clear
    – Spent $171 million related to the data breach
    – Sony’s stock price has fallen 40 percent
    – For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
    – Attack via SQL injection
  • SQL Injection Attacks are Increasing. Chart of attack counts per quarter (Q1 2011, Q2 2011, Q3 2011; scale 5,000 to 25,000). Source: IBM 2012 Security Breaches Trend and Risk Report
  • WHAT IS SQL INJECTION?
  • What is an SQL Injection Attack? Diagram: an SQL command injected through the application reaches the data store.
  • WHO IS THE NEXT TARGET?
  • New Industry Groups are Targets. Chart, by percent of breaches: accommodation and food services; retail trade; finance and insurance; health care and social assistance; information; other. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • The Changing Threat Landscape. Some issues have stayed constant: the threat landscape continues to gain sophistication; attackers will always be a step ahead of the defenders; we are fighting highly organized, well-funded crime syndicates and nations; a move from detective to preventative controls is needed. Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
  • How are Breaches Discovered? Chart, by percent of breaches: notified by law enforcement; third-party fraud detection (e.g., CPP); reported by customer/partner affected; brag or blackmail by perpetrator; unknown; witnessed and/or reported by employee; other(s); internal fraud detection mechanism; financial audit and reconciliation process; log analysis and/or review process; unusual system behavior or performance. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • WHERE IS DATA LOST?
  • What Assets are Compromised? Chart, by percent of records: database server; web/application server; desktop/workstation; mail server; call center staff (people); remote access server; laptop/netbook; file server; pay-at-the-pump terminal (user devices); cashier/teller/waiter (people); payment card (credit, debit, etc.) (offline data); regular employee/end-user (people); Automated Teller Machine (ATM); POS terminal (user devices); POS server (store controller). Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • Hacking and Malware are Leading Threat Action Categories. Chart, by percent of records: hacking; social; misuse; environmental. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
  • Thieves Are Attacking the Data Flow. Diagram: sensitive data passing from application to application.
  • THIS IS A CATCH 22!
  • Thieves Can’t Steal What’s Not There: Fake Data. Diagram: the same application-to-application flow carrying a token (???-??-????) instead of the real value.
  • HOW CAN WE SECURE THE DATA FLOW?
  • Securing the Data Flow with Tokenization. Diagram: retail store, corporate network systems and bank/payment systems exchanging a token (9999 9999) in place of the card number.
  • WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
  • What Has the Industry Done? Chart of total cost of ownership (high to low) against time (1970, 2000, 2005, 2010): strong encryption (3DES, AES …) at the high end, then format preserving encryption (FPE, DTP …), then basic tokenization, then vaultless tokenization at the low end. Total cost of ownership components: 1. System integration 2. Performance impact 3. Key management 4. Policy management 5. Reporting 6. Paper handling 7. Compliance audit 8. …
  • Case Study: Large Chain Store. Why? Reduce compliance cost by 50%.
    – 50 million credit cards, 700 million daily transactions
    – Performance challenge: 30 days with basic tokenization to 90 minutes with vaultless tokenization
    – End-to-end tokens: started with the data warehouse (D/W) and expanding to stores
    – Lower maintenance cost: don’t have to apply all 12 requirements
    – Better security: able to eliminate several business and daily reports
    – Qualified Security Assessors had no issues: “With encryption, implementations can spawn dozens of questions”; “There were no such challenges with tokenization”
  • HOW CAN WE POSITION DIFFERENT SECURITY OPTIONS?
  • Speed of Different Protection Methods. Chart of transactions per second (100 to 10,000,000) for basic data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization. Speed will depend on the configuration.
  • WHAT IS VAULT-LESS DATA TOKENIZATION?
  • Different Tokenization Approaches: Basic Tokenization vs. Vault-less Tokenization*
    – Footprint: large, expanding vs. small, static
    – High availability, disaster recovery: complex, expensive replication required vs. no replication required
    – Distribution: practically impossible to distribute geographically vs. easy to deploy at different geographically distributed locations
    – Reliability: prone to collisions vs. no collisions
    – Performance, latency and scalability: will adversely impact performance & scalability vs. little or no latency, fastest industry tokenization
    – Extendibility: practically impossible vs. unlimited tokenization capability
    *: Validated by 3rd party experts
  • HOW IMPORTANT IS COST?
  • Impact of Different Protection Methods. Chart of intrusiveness (to applications and databases) against data type & format, with example outputs for the clear text value 123456 123456 1234 (original data length):
    – Encryption standard, hashing: !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
    – Strong encryption: !@#$%a^.,mhu7///&*B()_+!@
    – Tokenizing or encoding, alpha: aVdSaH 1F4hJ 1D3a
    – Tokenizing or encoding, numeric: 666666 777777 8888
    – Formatted encryption, partial: 123456 777777 1234
    – Clear text data: 123456 123456 1234
  • WHEN CAN I USE TOKENIZATION?
  • How Should I Secure Different Data? Chart placing file encryption, field encryption and tokenization against use case (simple: card holder PCI data, PII; complex: PHI, Protected Health Information) and type of data (un-structured to structured).
  • Tokenizing Different Types of Data (type of data: input, token, comment)
    – Credit card: 3872 3789 1620 3675, token 8278 2789 2990 2789 (numeric)
    – Medical ID: 29M2009ID, token 497HF390D (alpha-numeric)
    – Date: 10/30/1955, token 12/25/2034 (date)
    – E-mail address: Ulf.mattsson@protegrity.com, token empo.snaugs@svtiensnni.snk (alpha numeric, delimiters in input preserved)
    – SSN: 075-67-2278, token 287-38-2567 (numeric, delimiters in input preserved)
    – Credit card: 3872 3789 1620 3675, token 8278 2789 2990 3675 (numeric, last 4 digits exposed)
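The token shapes in the table above, as an added example that is not part of the presentation or Protegrity's product: a small vault-based tokenizer in Python that replaces each digit or letter with a random character of the same class, keeps delimiters in place, can expose the last four characters, and recovers the original only through the vault (the "random token, not derived from the PAN with a key" property the PCI scoping slides later rely on). The class, its helpers and the same-class replacement rule are assumptions of this example; a date-aware generator for the date row is not shown.

```python
import secrets
import string

# Character classes: a member is replaced by a random member of the same
# class; anything else (delimiters such as ' ', '-', '@', '.') stays in place.
CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase)


def _class_of(ch):
    """Return the character class containing ch, or None for a delimiter."""
    return next((cls for cls in CLASSES if ch in cls), None)


class VaultTokenizer:
    """Hypothetical vault-based tokenizer: tokens are random values with no
    mathematical relation to the input, so the real value can only be
    recovered through the vault, never with a key."""

    def __init__(self):
        self._to_token = {}   # sensitive value -> token
        self._to_value = {}   # token -> sensitive value

    def tokenize(self, value, expose_last=0):
        """Return the existing token for value (multi-use token) or mint a
        new one; expose_last keeps that many trailing characters in clear,
        e.g. the last four digits of a card number."""
        if value in self._to_token:
            return self._to_token[value]
        if expose_last < 0 or expose_last >= len(value):
            raise ValueError("expose_last must be smaller than the value length")
        head = value[:len(value) - expose_last]
        tail = value[len(value) - expose_last:]
        if not any(_class_of(c) for c in head):
            raise ValueError("nothing to tokenize: head is all delimiters")
        while True:
            token = "".join(
                secrets.choice(_class_of(c)) if _class_of(c) else c for c in head
            ) + tail
            # Reject a collision with an existing token, and the identity token.
            if token not in self._to_value and token != value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Look the real value up in the vault; raises KeyError if unknown."""
        return self._to_value[token]


def same_shape(original, token):
    """True when token keeps original's length, delimiter positions and
    character classes (digit, upper, lower) position by position."""
    return len(original) == len(token) and all(
        (_class_of(o) is None and o == t) or (_class_of(o) is not None and t in _class_of(o))
        for o, t in zip(original, token)
    )
```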
  • ANY TOKENIZATION GUIDELINES?
  • Tokenization Guidelines, Visa. Token generation, by token algorithm and token type (single use token / multi use token):
    – Known strong reversible algorithm and key: multi use token: No
    – Unique sequence number
    – One way irreversible hash function: secret per transaction (single use) / secret per merchant (multi use)
    – Randomly generated value
  • Tokenization vs. Encryption. Encryption uses a cipher system: cryptographic algorithms and cryptographic keys. Tokenization uses a code system: code books and index tokens. Source: McGraw-Hill Encyclopedia of Science & Technology
  • HOW SECURE IS ENCRYPTION?
  • Many Broken Algorithms
  • KEYS EVERYWHERE!
  • PCI DSS: Tokenization and Encryption are Different. If the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key, there is no scope reduction.
  • TOKENS ARE RANDOM
  • Tokenization and “PCI Out Of Scope”. Decision flow: Is de-tokenization available? No: out of scope. Yes: are the tokens random numbers? No (FPE): no scope reduction. Yes: is the tokenization isolated from the card holder data environment? Yes: scope reduction. No: no scope reduction. Source: http://www.securosis.com
  • Case Study: Energy Industry. Why? Reduce PCI scope.
    – Best way to handle legacy; we got most of it out of PCI
    – Get rid of unwanted paper copies
    – No need to rewrite/redevelop or restructure business applications
    – A VERY efficient way of PCI reduction of scope
    – Better understanding of your data flow
    – Better understanding of business flow
    – Opportunity to clean up a few business oddities
  • Evaluating Encryption & Tokenization. Matrix rating database file encryption, database column encryption, basic tokenization and vaultless tokenization (best to worst) on: availability, scalability, latency, CPU consumption, data flow protection, compliance scoping, security, key management, data collisions, separation of duties.
  • Case Studies: Retail
    – Customer 1: Why? Three major concerns solved: performance challenge (initial tokenization); vendor lock-in (what if we want to switch payment processor); extensive enterprise end-to-end credit card data protection
    – Customer 2: Why? Desired a single vendor to provide data protection: combined use of tokenization and encryption; looking to expand tokens beyond CCN to PII
    – Customer 3: Why? Remove compensating controls from the mainframe: tokens on the mainframe to avoid compensating controls
  • WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES?
  • Use of Enabling Technologies. Chart with two figures per technology, one series labelled Evaluating: access controls 1% / 91%; database activity monitoring 18% / 47%; database encryption 30% / 35%; backup / archive encryption 21% / 39%; data masking 28% / 28%; application-level encryption 7% / 29%; tokenization 22% / 23%.
  • Is Data Masking Secure? Chart of risk (low to high) by system type (test / dev, integration testing, trouble shooting, production) for masked data at rest and masked data display. Exposure with masking: data is only obfuscated, and data is in clear before masking.
  • Data Tokens = Lower Risk. The same chart with data tokens added: risk stays low across test / dev, integration testing, trouble shooting and production.
  • CAN SECURITY HELP CREATIVITY?
  • Old Security = Less Creativity. Chart: under traditional access control, risk (low to high) rises as the access right level grows (less to more). Source: InformationWeek, Aug 15, 2011
  • New Data Security = More Creativity. The same chart with data tokens keeping risk low as the access right level grows; new: creativity happens at the edge. Source: InformationWeek, Aug 15, 2011
  • WHAT IS THE IMPACT ON RISK MANAGEMENT?
  • Choose Your Defenses. Chart of cost against protection option (from data monitoring to data lockdown): the cost of aversion (protection of data from the risk) rises, expected losses fall, and the total cost curve has an optimal risk protection point between them.
  • DATA SECURITY ADVANCES ARE CHANGING THE BALANCE
  • Matching Data Protection with Risk Level
    – High risk (16-25): field level tokenization, strong encryption
    – Medium risk (6-15): monitoring, masking, format controlling encryption
    – Low risk (1-5): monitoring
    Data risk scores: credit card number 25; Social Security Number 20; email address 20; customer name 12; secret formula 10; employee name 9; employee health record 6; zip code 3
  • SEPARATION OF DUTIES!
  • Security of Different Protection Methods. Chart of security level (low to high) for basic data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization.
  • HOW CAN I SECURE DATA IN CLOUD?
  • Risks with Cloud Computing. Chart (0 to 70%): handing over sensitive data to a third…; threat of data breach or loss; weakening of corporate network…; uptime/business continuity; financial strength of the cloud…; inability to customize applications. Source: The evolving role of IT managers and CIOs, findings from the 2010 IBM Global IT Risk Study
  • PCI & Cloud. “The PCI council’s security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment.” Bob Russo, general manager of the PCI Security Standards Council
  • Amazon’s PCI Compliance
    – PCI-DSS 2.0 doesn’t address multi-tenancy concerns
    – You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
    – Amazon doesn’t do this for you; it’s something you need to implement yourself, including key management, rotation, logging, etc.
    – If you deploy a server instance in EC2 it still needs to be assessed by your QSA
    – Your organization’s assessment scope isn’t necessarily reduced
    – It might be when you move to something like a tokenization service where you reduce your handling of PAN data
    Source: securosis.com
  • Securing the Data Flow with Tokenization. Diagram: retail store, corporate network systems and bank/payment systems exchanging a token (9999 9999) in place of the card number.
  • Why Tokenization? 1. No masking 2. No encryption 3. No key management. Why Vaultless Tokenization? 1. Lower cost / TCO 2. Better 3. Faster
  • Conclusion
    – Organizations need to understand their data flow and current security technologies: determine the most significant security exposures; target budgets toward addressing the most critical issues; strengthen security and compliance profiles
    – Achieve the right balance between business needs and security demands: increasingly important as companies are changing their security strategies to better protect sensitive data following continuing attacks
  • About Protegrity
    – Proven enterprise data security software and innovation leader: sole focus on the protection of data; patented technology, continuing to drive innovation
    – Growth driven by compliance and risk management: PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information); US state and foreign privacy laws, breach notification laws
    – Cross-industry applicability: retail, hospitality, travel and transportation; financial services, insurance, banking; healthcare, telecommunications, media and entertainment; manufacturing and government
  • Thank you! Q&A. ulf.mattsson@protegrity.com, www.protegrity.com, 203-326-7200