Ulf mattsson webinar jun 7 2012 slideshare version


Published on

Webinar about "Choosing the Right Data Security Solution"

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Ulf mattsson webinar jun 7 2012 slideshare version

  1. 1. Choosing the Right Data Security Solution Ulf Mattsson, CTO Protegrity June 7th, 2012
  2. 2. Ulf Mattsson, CTO Protegrity 20 years with IBM Research & Development and Global Services Started Protegrity in 1994 (Data Security) Inventor of 25 patents – Encryption and Tokenization Member of • PCI Security Standards Council (PCI SSC) • American National Standards Institute (ANSI) X9 • International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security • ISACA , ISSA and Cloud Security Alliance (CSA)2
  3. 3. Agenda Data Breaches Data Protection Trends Encryption versus Tokenization Vault-based Tokenization versus Vaultless Tokenization Case studies Summary03
  5. 5. Albert Gonzalez: 20 Years In US Federal Prison US Federal indictments: 1. Dave & Busters 2. TJ Maxx 3. Heartland HPS • $140M in breach expenses Source: http://en.wikipedia.org/wiki/Albert_Gonzalez Source: http://www.youtube.com/user/ProtegrityUSA5
  6. 6. What about Breaches & PCI? Was Data Protected? 9: Restrict physical access to cardholder data 5: Use and regularly update anti-virus software 4: Encrypt transmission of cardholder data 2: Do not use vendor-supplied defaults for security parameters 12: Maintain a policy that addresses information security 1: Install and maintain a firewall configuration to protect data 8: Assign a unique ID to each person with computer access 6: Develop and maintain secure systems and applications 10: Track and monitor all access to network resources and data 11: Regularly test security systems and processes 7: Restrict access to data by business need-to-know 3: Protect Stored Data % 0 10 20 30 40 50 60 70 80 90 100 Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study6
  8. 8. What Data is Compromised? Personal information (Name, SS#, Addr, etc.) Payment card numbers/data Unknown (specific type is not known) Medical records Medical Classified information Trade secrets Copyrighted/Trademarked material System information (config, svcs, sw, etc.) Bank account numbers/data Authentication credentials… 0 20 40 60 80 100 %120 By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/8
  9. 9. Today “Hacktivism” is Dominating Activist group Organized criminal group Relative or acquaintance of employee Former employee (no longer had access) Unaffiliated person(s) Unknown 0 10 20 30 40 50 60 70 % By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/9
  10. 10. Growing Threat of “hacktivism” Attacks by Anonymous include • 2012: CIA and Interpol • 2011: Sony, Stratfor and HBGary Federal Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous10
  11. 11. Some Major Data Breaches April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011 Time Impact $ Attack Type Source: IBM 2012 Security Breaches Trend and Risk Report11
  12. 12. The Sony Breach & The Cloud Lost 100 million passwords and personal details stored in clear Spent $171 million related to the data breach Sonys stock price has fallen 40 percent For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony Attack via SQL Injection12
  13. 13. SQL Injection Attacks are Increasing 25,000 20,000 15,000 10,000 5,000 Q1 2011 Q2 2011 Q3 2011 Source: IBM 2012 Security Breaches Trend and Risk Report13
  15. 15. What is SQL Injection? SQL Command Injected Application Data Store15
  16. 16. New Industry Groups are Targets Accommodation and Food Services Retail Trade Finance and Insurance Health Care and Social Assistance Other Information 0 10 20 30 40 50 60 % By percent of breaches Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/16
  17. 17. The Changing Threat Landscape Some issues have stayed constant: • Threat landscape continues to gain sophistication • Attackers will always be a step ahead of the defenders We are fighting highly organized, well-funded crime syndicates and nations Move from detective to preventative controls needed Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=217
  18. 18. How are Breaches Discovered? Notified by law enforcement Third-party fraud detection (e.g., CPP) Reported by customer/partner affected Brag or blackmail by perpetrator Unknown Witnessed and/or reported by employee Other(s) Internal fraud detection mechanism Financial audit and reconciliation process Log analysis and/or review process Unusual system behavior or performance 0 10 20 30 40 50 60 70 % By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/18
  19. 19. WHERE IS DATA LOST?19
  20. 20. What Assets are Compromised? Database server Web/application server Desktop/Workstation Mail server Call Center Staff People Remote Access server Laptop/Netbook File server Pay at the Pump terminal User devices Cashier/Teller/Waiter People Payment card (credit, debit, etc.) Offline… Regular employee/end-user People Automated Teller Machine (ATM) POS terminal User devices POS server (store controller) 0 20 40 60 80 100 % 120 By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/20
  21. 21. Hacking and Malware are Leading Threat Action Categories Hacking Malware Social Physical Misuse Error Environmental 0 50 100 % 150 By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/21
  22. 22. Thieves Are Attacking the Data Flow Application Application22
  23. 23. THIS IS A CATCH 22!23
  24. 24. How can we Secure The Data Flow? Retail Bank Store Payment 9999 9999 Corporate Network Systems24
  26. 26. What Has The Industry Done? Input Value: 3872 3789 1620 3675 TCO Strong Encryption !@#$%a^.,mhu7///&*B()_+!@ High AES, 3DES Format Preserving Encryption 8278 2789 2990 2789 DTP, FPE Format Preserving Vault-based Tokenization 8278 2789 2990 2789 Greatly reduced Key Management Vaultless Tokenization 8278 2789 2990 2789 Low No Vault 1970 2000 2005 201026
  27. 27. Use of Enabling Technologies Access controls 1% 91% Database activity monitoring 18% 47% Database encryption 30% 35% Backup / Archive encryption 21% 39% Data masking 28% 28% Application-level encryption 7% 29% Tokenization 22% 23% Evaluating27
  29. 29. We Started with Vault-Based Tokenization …29
  30. 30. Issues with Vault-based Tokenization30
  31. 31. Miniaturization of the Tokenization Server Evolution Vault-less Tokenization Server Vault-based Tokenization Server31
  32. 32. Protegrity Tokenization Differentiators Vault-based Tokenization Vaultless Tokenization Footprint Large, Expanding. Small, Static. High Availability, Complex, expensive No replication required. Disaster Recovery replication required. Distribution Practically impossible to Easy to deploy at different distribute geographically. geographically distributed locations. Reliability Prone to collisions. No collisions. Performance, Will adversely impact Little or no latency. Fastest industry Latency, and performance & scalability. tokenization. Scalability Extendibility Practically impossible. Unlimited Tokenization Capability.32
  33. 33. External Validation for Protegrity Vaultless Tokenization “The Protegrity tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.“ Prof. Dr. Ir. Bart Preneel Katholieke University Leuven, Belgium * Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, president of the International Association for Cryptologic Research * The Katholieke University Leuven in Belgium is where Advanced Encryption Standard (AES) was invented.33
  34. 34. SPEED & SECURITY34
  35. 35. Speed of Different Protection Methods Transactions per second 10 000 000 - 1 000 000 - 100 000 - 10 000 - 1 000 - 100 - I I I I Basic Format AES CBC Vaultless Data Preserving Encryption Data Speed will depend on Tokenization Encryption Standard Tokenization the configuration35
  36. 36. Security of Different Protection Methods Security Level High Low I I I I Basic Format AES CBC Vaultless Data Preserving Encryption Data Tokenization Encryption Standard Tokenization36
  37. 37. CASE STUDIES37
  38. 38. Case Study: Large Chain Store Why? Reduce compliance cost by 50% • 50 million Credit Cards, 700 million daily transactions • Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization • End-to-End Tokens: Started with the D/W and expanding to stores • Lower maintenance cost – don’t have to apply all 12 requirements • Better security – able to eliminate several business and daily reports • Qualified Security Assessors had no issues • “With encryption, implementations can spawn dozens of questions” • “There were no such challenges with tokenization”38
  39. 39. Case Study: Energy Industry Why? Reduce PCI Scope • Best way to handle legacy, we got most of it out of PCI – Get rid of unwanted paper copies – No need to rewrite/redevelop or restructure business applications – A VERY efficient way of PCI Reduction of Scope • Better understanding of your data flow – Better understanding of business flow – Opportunity to clean up a few business oddities39
  40. 40. Case Studies: Retail Customer 1: Why? Three major concerns solved • Performance Challenge; Initial tokenization • Vendor Lock-In: What if we want to switch payment processor • Extensive Enterprise End-to-End Credit Card Data Protection Customer 2: Why? Desired single vendor to provide data protection • Combined use of tokenization and encryption • Looking to expand tokens beyond CCN to PII Customer 3: Why? Remove compensating controls from the mainframe • Tokens on the mainframe to avoid compensating controls40
  42. 42. Tokenization and Encryption are Different42
  43. 43. Tokenization and “PCI Out Of Scope” De-tokenization No Available? Yes Random Number Tokens? No: FPE Yes Isolated from Card Holder Data Yes Environment? No Out of Scope No Scope Scope Reduction Reduction Source: http://www.securosis.com43
  44. 44. PII DATA44
  45. 45. How Should I Secure Different Data? File Field Encryption Tokenization Use Case Card Simple - PII Holder PCI Data PHI Protected HealthComplex - Information Type of I I Data Un-structured Structured45
  46. 46. Flexibility in Token Format ControlsType of Data Input Token CommentCredit Card 3872 3789 1620 3675 8278 2789 2990 2789 NumericCredit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposedCredit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposedMedical ID 29M2009ID 497HF390D Alpha-NumericDate 10/30/1955 12/25/2034 Date - multiple date formatsE-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snk Alpha NumericSSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in inputInvalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will failBinary 0x010203 0x123296910112Alphanumeric Position to place alpha is 5105 1051 0510 5100 8278 2789 299A 2781Indicator configurableDecimal 123.45 9842.56 Non length preserving Deliver a different token to different Merchant 1: 8278 2789 2990 2789Multi-Merchant 3872 3789 1620 3675 merchant based on the same credit Merchant 2: 9302 8999 2662 6345 card number.
  47. 47. What are the benefits of Tokenization? Reduces complexity of key management. Reduces the number of hacker targets. What are the benefits of Tokenisation? Reduces the remediation for protecting systems. Reduces the cost of PCI Compliance. Additional benefits with Protegrity Vaultless Tokenization Infinitely Scalable Fastest tokenization method in the world Simplicity and Security: No replication, No collisions Flexible and easy to deploy and distribute Lower Total Cost of Ownership than Basic Tokenization
  49. 49. About Protegrity Proven enterprise data security software and innovation leader • Sole focus on the protection of data • Patented Technology, Continuing to Drive Innovation Growth driven by compliance and risk management • PCI (Payment Card Industry) • PII (Personally Identifiable Information) • PHI (Protected Health Information) – HIPAA • State and Foreign Privacy Laws, Breach Notification Laws • Requirements to eliminate the threat of data breach and non-compliance Cross-industry applicability • Retail, Hospitality, Travel and Transportation • Financial Services, Insurance and Banking • Healthcare, Telecommunications, Media and Entertainment • Manufacturing and Government49
  50. 50. What are Industry Analyst’s Saying? “Protegrity has a comprehensive approach to a range of data security problems, while most vendors only have one stovepipe solution with no coherent strategy.” - Scott Crawford, EMA “I’m really impressed that you’ve expanded your Tokenization solution to include PII and HIPAA. I haven’t seen this from other vendors. It’s really nice to see that vendors are driving innovation, before there’s a big demand from customers.” - Derek Brink, Aberdeen “Tokenizing payment data holds the promise of improving security while reducing auditing costs, generating great demand amongst the merchant community. Tokenization is a simple technology with a clear value proposition.” - Adrian Lane, Analyst and CTO, Securosis “Protegrity’s approach to tokenization is very elegant and it’s clear your solution is very fast and flexible.” – A leading Industry Analyst Firm50
  51. 51. Summary Optimal support of complex enterprise requirements • Heterogeneous platform supports all operating systems and databases • Flexible protectors (Database, Application, File) • Risk Adjusted Data Protection offers the options for protection data with the appropriate strength. • Built-in Key Management • Consistent Enterprise policy enforcement and audit logging Innovative • Pushing data protection with industry leading Proven • Proven platform currently protects the worlds largest companies Experienced • Experienced staff will be there with support along the way to complete data protection51
  52. 52. Questions and Answers Elaine Evans Protegrity Marketing elaine.evans@protegrity.com www.protegrity.com