Practical advice for cloud data protection ulf mattsson - jun 2014

Transcript

  • 1. Practical Advice for Cloud Data Protection Ulf Mattsson CTO, Protegrity Ulf.Mattsson@protegrity.com
  • 2. Member of PCI Security Standards Council: • Tokenization Task Force • Encryption Task Force • Point to Point Encryption Task Force • Risk Assessment SIG • eCommerce SIG • Cloud SIG • Virtualization SIG • Pre-Authorization SIG • Scoping SIG Ulf Mattsson, Protegrity CTO 2
  • 3. Issues with Cloud Computing 3
  • 17. Who do You Trust? 17
  • 25. What is Cloud Computing? 25
  • 26. What Is Cloud Computing? Service Models? 26 Infrastructure as a Service (IaaS) delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking. Software as a Service (SaaS), sometimes referred to as "on-demand software," is a software delivery model in which software and its associated data are hosted centrally (typically in the Internet cloud). Platform as a Service (PaaS) is the delivery of a computing platform and solution stack as a service.
  • 33. Cloud Services 33
  • 34. Cloud Services – Service Orchestration 34 Software as a Service (SaaS), sometimes referred to as on-demand software. Platform as a Service (PaaS), the delivery of a computing platform and solution stack. Infrastructure as a Service (IaaS), delivers computer infrastructure along with raw storage and networking.
  • 37. PCI and Cloud Security 37
  • 39. Control shared across different service models 39
  • 43. External Validation of Tokenization 43
    Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium (where the Advanced Encryption Standard (AES) was invented): “The xxx tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.“
    C. Matthew Curtin, CISSP, Founder, Interhack Corporation, Ohio State University (who broke the U.S. Government's Data Encryption Standard (DES)): “Token is not mathematically derived from its input.“ and “None of the attacks that we have identified have a factor of work that is less than that of a brute-force attack.”
  • 44. Cloud Security Model 44
  • 54. Cloud Security Issues 54
  • 58. Threat Vector Inheritance - SAAS 58
    Additional threat inducers: multi-tenancy at the application level.
    Examples of threats: a different tenant using the same SaaS infrastructure gains access to another tenant's data through web-layer vulnerabilities (a privilege escalation).
    Traditional security testing categories still relevant.
    Additional testing categories: multi-tenancy testing (an extension of privilege escalation).
  • 59. Threat Vector Inheritance - PAAS 59
    Additional threat inducers: multi-tenancy at the platform level.
    Examples of threats: a different tenant using the same infrastructure gains access to another tenant's data through web-layer vulnerabilities (a privilege escalation).
    Traditional security testing categories still relevant.
    Additional testing categories: multi-tenancy testing (an extension of privilege escalation).
  • 60. Threat Vector Inheritance - IAAS 60
    Additional threat inducers: multi-tenancy at the infrastructure level.
    Examples of threats: deficiencies in virtualization security (improper implementation of VM zoning and segregation, leading to inter-VM attacks across multiple IaaS tenants).
    Traditional security testing categories still relevant: traditional infrastructure vulnerability assessment.
    Additional testing categories: inter-VM security / vulnerability testing.
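The cross-tenant escalation that slides 58 and 59 describe, and the "multi-tenancy testing" they ask for, as an added example (not code from the deck or from Protegrity). It uses an in-memory SQLite table with two constructed tenants; the handler names, tenant names and rows are assumptions for the illustration. The vulnerable handler looks a record up by id alone, so tenant "globex" can read tenant "acme"'s row; the hardened one binds the session's tenant into every predicate, and the test function walks every tenant against every row to catch the leak automatically.

```python
import sqlite3

# Constructed sample data for this example: two SaaS tenants sharing one
# database table, the multi-tenant situation slides 58-59 describe.
SEED = [
    (1, "acme", "ACME payroll export"),
    (2, "globex", "Globex customer list"),
]


def open_db():
    """In-memory SQLite standing in for the shared SaaS/PaaS data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SEED)
    return conn


def get_document_vulnerable(conn, session_tenant, doc_id):
    """Web-layer handler that trusts the id from the request and ignores the
    tenant bound to the session. Any tenant that guesses another tenant's id
    reads that tenant's row: the cross-tenant privilege escalation."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def get_document_hardened(conn, session_tenant, doc_id):
    """Same lookup with the tenant, taken from the authenticated session and
    never from the request, as part of every predicate. A foreign id simply
    yields no row, indistinguishable from a nonexistent one."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND tenant = ?",
        (doc_id, session_tenant),
    ).fetchone()
    return row[0] if row else None


def multi_tenancy_test(handler):
    """The 'multi-tenancy testing' category from the slides as an automated
    check: every tenant must read its own rows and none of any other tenant's.
    Returns True if the handler isolates tenants, False on the first leak."""
    conn = open_db()
    ids_by_tenant = {}
    for tenant, doc_id in conn.execute("SELECT tenant, id FROM documents"):
        ids_by_tenant.setdefault(tenant, []).append(doc_id)
    for actor, own_ids in ids_by_tenant.items():
        for owner, ids in ids_by_tenant.items():
            for doc_id in ids:
                body = handler(conn, actor, doc_id)
                if owner == actor and body is None:
                    return False  # legitimate access broken
                if owner != actor and body is not None:
                    return False  # cross-tenant read: escalation
    return True


if __name__ == "__main__":
    print("vulnerable isolates tenants:", multi_tenancy_test(get_document_vulnerable))
    print("hardened isolates tenants:  ", multi_tenancy_test(get_document_hardened))
```

The same walk works against a live application by replacing the handler with an HTTP call made under each tenant's session; the point is that the test enumerates ids across tenants rather than only checking that a tenant can reach its own data.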
  • 61. Encryption 61 Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud. Once data arrives in the cloud, it should remain protected both at rest and in use. Do not forget to protect files that are often overlooked but frequently include sensitive information: log files and metadata can be avenues for data leakage. Encrypt using sufficiently durable encryption strengths (such as AES-256). Use open, validated formats and avoid proprietary encryption formats wherever possible.
  • 62. Alternative Approaches to Encryption 62 Tokenization: a public cloud service is integrated or paired with a private cloud that stores the sensitive data; the data sent to the public cloud is altered so that it contains only a reference (the token) to the data residing in the private cloud. Data anonymization: Personally Identifiable Information (PII) and other sensitive data are stripped before processing. Utilizing access controls built into the database.
  • 63. Access Management 63
  • 64. VIRTUALIZATION 64 • Virtual machine guest hardening • Hypervisor security • Inter-VM attacks and blind spots • Performance concerns • Operational complexity from VM sprawl • Instant-on gaps • Virtual machine encryption • Data commingling • Virtual machine data destruction • Virtual machine image tampering • In-motion virtual machines
  • 65. VIRTUALIZATION – Hypervisor Architecture Concerns 65 (same list as slide 64)
  • 68. Cloud Security Solutions 68
  • 73. 73 Encryption in Cloud Computing
  • 74. 74 It’s 11 p.m. Do you know where your data is?
  • 75. Secure Web gateway Cloud Encryption Gateways Cloud Security Gateways Secure Email Gateways Cloud Access Security Brokers (CASBs) Cloud Services Brokerage (CSB) Gartner - Cloud & Gateways 75
  • 76. Cloud Gateway Benefits • Eliminates the threat of third parties exposing your sensitive information • Delivers a secure and uncompromised SaaS user experience • Ensures data integrity and availability • Eases cloud adoption process and acceptance • Eliminates data residency concerns and requirements • Product is transparent and has close to 0% overhead impact • Identifies malicious activity and proves compliance to third parties with detailed audit trails • Simplifies compliance requirements • Ability to outsource a portion of your IT security requirements
  • 79. Inline Gateway Deployment 79 (diagram: Client → http(s) → Gateway → Server; Enterprise Security Administrator and Security Officer shown managing the gateway)
  • 80. Inline Gateway Deployment – Use Case #1 80 (diagram: Client → http(s) → Gateway → Server, with zones labelled Corporate Network and CDE; Enterprise Security Administrator and Security Officer)
  • 81. Inline Gateway Deployment – Use Case #2 81 (diagram: Backend System → http(s) → Gateway → External Service, with zones labelled Corporate Network and CDE; Enterprise Security Administrator and Security Officer)
  • 82. TURNING THE TIDE 82 What new technologies and techniques can be used to prevent future attacks?
  • 83. Evolution of Data Security Methods 83 Coarse Grained Security: • Access Controls • Volume Encryption • File Encryption. Fine Grained Security: • Access Controls • Field Encryption • Masking • Tokenization • Vaultless Tokenization
  • 84. Evolution of Protection Techniques 84 (chart axis: Total Cost of Ownership, High to Low)
    Data stored in the clear:                          3872 3789 1620 3675
    Strong Encryption (e.g. AES, 3DES):                !@#$%a^.,mhu7///&*B()_+!@   (data length expands and type changes)
    Format/Type Preserving Encryption (e.g. DTP, FPE): 8278 2789 2990 2789         (format preserving)
    Vault-based Tokenization:                          8278 2789 2990 2789         (format preserving; greatly reduced key management)
    Vault-less Tokenization:                           8278 2789 2990 2789         (format preserving; greatly reduced key management; no vault)
  • 85. The New Fine Grained Data Security 85 (chart: Risk, Low to High, against Access Privilege Level, Low to High) Old: minimal access levels, least privilege, to avoid high risks. New: much greater flexibility and lower risk in data accessibility.
  • 86. Fine Grained (Field-Level) Sensitive Data Security allows for a Wider and Deeper Range of Authority Options 86
  • 87. Format Flexibility - PII 87
    Description                         Input                          Token
    SSN, numeric                        075672278                      287382567
    SSN, delimiters in input            075-67-2278                    287-38-2567
    SSN, last 4 digits exposed          075-67-2278                    591-20-2278
    Date, multiple date formats         10/30/1955                     12/25/2034
    Year part exposed                   10/30/1955                     04/02/1955
    Month part exposed                  10/30/1955                     10/17/3417
    Range as a differentiator           10/30/1955                     09/26/4741
    Datetime                            10/30/1955 07:32:59.243        12/25/2034 12:05:47.243
    Email, domain exposed               yuri.gagarin@protegrity.com    empo.snaugs@protegrity.com
    Name                                Yuri Gagarin                   A4kq nhHOwtG
    Telephone                           (203)550-9985                  (203)371-2076
  • 88. Format Flexibility – Credit Card 88
    Description                                            Input                 Token
    Numeric                                                3872 3789 1620 3675   8278 2789 2990 2789
    Numeric, last 4 digits exposed (12x4)                  3872 3789 1620 3675   1507 4402 1958 3675
    Numeric, first 6 and last 4 digits exposed (6x6x4)     3872 3789 1620 3675   3872 3789 2990 3675
    Alpha-numeric, digits exposed (4x8x4)                  3872 3789 1620 3675   3872 qN4e 5yPx 3675
    Luhn check will fail                                   3872 3789 1620 3675   7508 1538 4200 9532
    Alphabetic indication is a configurable position       3872 3789 1620 3675   9530 4800 323A 6871
    Invalid card type                                      3872 3789 1620 3675   2991 1350 6123 4837
    Different token for the same credit card number,       3872 3789 1620 3675   ID1: 8278 2789 2990 2789
      based on merchant, client or source identifier                             ID2: 9302 8999 2662 6345
    Including non-conflicting combinations of the above
  • 89. Format Flexibility - Other 89
    Description                                  Input                              Token
    Free text, non-length-preserved, up to 2k    the dog jumped over the lazy fox   Eem JqM A4ksIX nhuH OUG zEQT RxV
    Decimal                                      123.45                             9842.56
    Binary, up to 2k                             0x010203                           0x123296910112
    All printable characters                     ~`’;/!Üñ╗▓╟╚τ                      }╗æƺe2!⥿*&½
    Lower ASCII                                  abcdefghijklmnopqrstuvwxyz         F7}yGN6/5&kc!h1?eUt^EcriT-
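The tokenization model of slide 62 (random token in the public cloud, real value only in a private vault) together with the exposure options of slides 87 and 88 (last 4 exposed, 6x6x4, delimiters preserved, Luhn check failing, a different token per merchant or source identifier), as an added example written for this transcript; it is not Protegrity's implementation and does not attempt their vaultless random-table scheme. The class name, parameter names and the in-memory dictionaries standing in for the vault are assumptions; the PAN and SSN values are the slides' own sample strings, and 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
import secrets
import string

# Vault-based, format-preserving tokenization illustrating slides 62 and
# 87-89. A token is random digits with the same length and delimiters as
# the input; the only link between token and value is the mapping kept in
# the private vault, so the token is not mathematically derived from it.


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def digits_only(value: str) -> str:
    return "".join(c for c in value if c.isdigit())


def merge_digits(template: str, digits: str) -> str:
    """Write digits back into the non-digit skeleton of template, so
    delimiters such as '-' or ' ' stay exactly where the input had them."""
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in template)


class VaultTokenizer:
    def __init__(self):
        self._vault = {}    # (domain, token) -> value; lives in the private cloud
        self._reverse = {}  # (domain, value) -> token, so repeat calls are stable

    def tokenize(self, value, keep_prefix=0, keep_suffix=0, domain="", fail_luhn=False):
        """keep_prefix/keep_suffix expose leading/trailing digits (6x6x4 = 6, 4).
        domain gives a different token for the same value per merchant/source.
        fail_luhn rejects tokens that would pass as a real card number."""
        d = digits_only(value)
        if keep_prefix + keep_suffix >= len(d):
            raise ValueError("nothing left to tokenize")  # would loop forever below
        key = (domain, value)
        if key in self._reverse:
            return self._reverse[key]
        head = d[:keep_prefix]
        body = d[keep_prefix:len(d) - keep_suffix]
        tail = d[len(d) - keep_suffix:]
        while True:
            rnd = "".join(secrets.choice(string.digits) for _ in body)
            td = head + rnd + tail
            if td == d:                          # token must not equal the value
                continue
            if fail_luhn and luhn_valid(td):     # must not look like a valid PAN
                continue
            token = merge_digits(value, td)
            if (domain, token) in self._vault:   # collision: vault already maps it
                continue
            break
        self._vault[(domain, token)] = value
        self._reverse[key] = token
        return token

    def detokenize(self, token, domain=""):
        """Lookup in the private vault; unknown tokens return None."""
        return self._vault.get((domain, token))


if __name__ == "__main__":
    t = VaultTokenizer()
    pan = "3872 3789 1620 3675"                      # sample value from slide 88
    tok = t.tokenize(pan, keep_prefix=6, keep_suffix=4)
    print(pan, "->", tok, "->", t.detokenize(tok))
    print("075-67-2278 ->", t.tokenize("075-67-2278", keep_suffix=4))
```

The collision check is what makes this a vault design: uniqueness is only guaranteed because every issued token is recorded and compared, which is exactly the synchronization and replication burden that the vaultless approach on slide 90 claims to remove. The fail_luhn option is worth having in practice, since a token that passes Luhn can be mistaken for a live PAN by downstream systems and by anyone who steals it.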
  • 90. Protegrity Tokenization Differentiators 90
    Property                                  Protegrity Tokenization                                             Traditional Tokenization
    Footprint                                 Small, static                                                       Large, expanding
    High availability, disaster recovery      No replication required                                             Complex, expensive replication required
    Distribution                              Easy to deploy at different geographically distributed locations    Practically impossible to distribute geographically
    Reliability                               No collisions                                                       Prone to collisions
    Performance, latency and scalability      Little or no latency; fastest industry tokenization                 Will adversely impact performance and scalability
    Extendibility                             Unlimited tokenization capability                                   Practically impossible
  • 91. Fine Grained Data Security Methods 91 Tokenization and Encryption are Different. Encryption: approach is a cipher system; it uses cryptographic algorithms and cryptographic keys. Tokenization: approach is a code system; it uses code books and index tokens.
  • 92. Different Tokenization Approaches 92 (comparison table: Property against Dynamic, Pre-generated, Vaultless and Vault-based)
  • 93. Security of Fine Grained Protection Methods 93 (chart, Security Level from Low to High, comparing Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization)
  • 94. Speed of Fine Grained Protection Methods 94 (chart, Transactions per second* on a log scale from 100 to 10 000 000, comparing Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization) *: Speed will depend on the configuration
  • 95. Tokenization Research Tokenization Gets Traction Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data Tokenization users had 50% fewer security-related incidents than tokenization non-users 95 Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
  • 96. How Should I Secure Different Data? 96 (chart: Type of Data, Structured to Un-structured, against Use Case, Simple to Complex) PCI: Card Holder Data. PHI: Protected Health Information. PII: Personally Identifiable Information. Tokenization of Fields for structured data; Encryption of Files for unstructured data.
  • 97. Use Case: Protect PII Data Cross Border CHALLENGES The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
  • 98. Centralized Policy Management 98 (diagram: the Enterprise Security Administrator distributes one Policy to each Protector on Application, File Servers, RDBMS, Big Data, Gateway Servers, Protection Servers, MPP, HP NonStop Base24 and IBM Mainframe; each protector produces an Audit Log; Security Officer role shown)
  • 99. Enterprise Data Security Policy 99
    What: the sensitive data that needs to be protected (the data element).
    How: how you want to protect and present sensitive data; there are several methods (encryption, tokenization, monitoring, etc.).
    Who: who should have access to sensitive data and who should not (security access control: roles and members).
    When: when sensitive data access should be granted to those who have access (day of week, time of day).
    Where: where the sensitive data is stored; this is where the policy is enforced, at the protector.
    Audit: audit authorized or unauthorized access to sensitive data; optional audit of protect/unprotect operations.
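The What / Who / When / Where / How / Audit model of slide 99 as a small policy engine a protector could consult before unprotecting a field, added here as an illustration and not Protegrity's product code. The rule structure, first-match semantics, role names, data element names, hours and users are constructed for the example; the deck does not specify how its policies are evaluated.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy engine for the What / Who / When / Where / How / Audit
# model of slide 99. A protector (the "Where") calls Policy.decide() with
# the data element, the requesting user and roles, and the wall-clock time.

WEEKDAYS = frozenset(range(0, 5))   # Mon..Fri, as datetime.weekday() counts
ALL_DAYS = frozenset(range(0, 7))


@dataclass(frozen=True)
class Rule:
    data_element: str       # What
    roles: frozenset        # Who: any member of these roles
    days: frozenset         # When: permitted weekdays
    hours: tuple            # When: [start_hour, end_hour) local time
    presentation: str       # How: "clear", "masked" or "token"


@dataclass
class Policy:
    rules: list                          # evaluated in order; first match wins
    audit: list = field(default_factory=list)

    def decide(self, data_element, user, roles, when, protector):
        """Return how the protector may present the element to this user:
        the matching rule's presentation, or "deny" if nothing matches.
        Every decision, allowed or denied, is appended to the audit log."""
        decision = "deny"
        for r in self.rules:
            if (r.data_element == data_element
                    and frozenset(roles) & r.roles
                    and when.weekday() in r.days
                    and r.hours[0] <= when.hour < r.hours[1]):
                decision = r.presentation
                break
        self.audit.append({
            "what": data_element, "who": user, "roles": sorted(roles),
            "when": when.isoformat(), "where": protector,
            "how": decision, "authorized": decision != "deny",
        })
        return decision


def demo_policy():
    """Constructed rules: analysts see SSNs in the clear on weekday office
    hours only; support staff always see them masked; PANs are never shown
    in the clear, both roles get the token."""
    return Policy(rules=[
        Rule("ssn", frozenset({"fraud_analyst"}), WEEKDAYS, (8, 18), "clear"),
        Rule("ssn", frozenset({"support"}), ALL_DAYS, (0, 24), "masked"),
        Rule("pan", frozenset({"fraud_analyst", "support"}), ALL_DAYS, (0, 24), "token"),
    ])


if __name__ == "__main__":
    p = demo_policy()
    office_hours = datetime(2014, 6, 10, 10, 0)   # a Tuesday
    weekend = datetime(2014, 6, 14, 10, 0)        # a Saturday
    print(p.decide("ssn", "alice", {"fraud_analyst"}, office_hours, "rdbms-protector"))
    print(p.decide("ssn", "alice", {"fraud_analyst"}, weekend, "rdbms-protector"))
    for entry in p.audit:
        print(entry)
```

Denied requests are logged with the same fields as granted ones, which is what makes the audit trail useful for detecting probing: a user repeatedly hitting "deny" outside their window is visible without any other instrumentation.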
  • 100. Enterprise Data Security Platform 100
    Enterprise Security Administrator (ESA): • Central point of data security policy management • Deployed as soft appliance • Hardened, high availability, backup & restore
    Gateway & Protection Servers: • Deployed as soft appliance • Hardened, high availability, backup & restore
    Data Protectors: • Enforcing data security policy close to the data store • Heterogeneous coverage: AIX, HPUX, Linux, Solaris, Windows, z/OS; Teradata, Oracle, Netezza, Pivotal, DB2, UDB, SSQL; Hadoop (Cloudera, Hortonworks, Pivotal, BigInsights, mapR, etc.); Web Services, C/C++, Java, .NET, Cobol
    (diagram labels: Application, File Servers, RDBMS, Big Data, Gateway Servers, Protection Servers, Enterprise Security Administrator, MPP, HP NonStop Base24, IBM Mainframe, Protector)
  • 101. Enterprise Platform Versatility Policy Enforcement Point
  • 102. Thank you! Questions? Please contact us for more information www.protegrity.com Ulf.Mattsson@protegrity.com To Request A Copy of the Presentation Email: info@protegrity.com