Ulf mattsson webinar jun 7 2012 slideshare version

  • 271 views
Uploaded on

Webinar about "Choosing the Right Data Security Solution"

Webinar about "Choosing the Right Data Security Solution"

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
271
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
4
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Choosing the Right Data Security Solution Ulf Mattsson, CTO Protegrity June 7th, 2012
  • 2. Ulf Mattsson, CTO Protegrity 20 years with IBM Research & Development and Global Services Started Protegrity in 1994 (Data Security) Inventor of 25 patents – Encryption and Tokenization Member of • PCI Security Standards Council (PCI SSC) • American National Standards Institute (ANSI) X9 • International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security • ISACA , ISSA and Cloud Security Alliance (CSA)2
  • 3. Agenda Data Breaches Data Protection Trends Encryption versus Tokenization Vault-based Tokenization versus Vaultless Tokenization Case studies Summary03
  • 4. WE KNOW THAT DATA IS UNDER ATTACK4
  • 5. Albert Gonzalez: 20 Years In US Federal Prison US Federal indictments: 1. Dave & Busters 2. TJ Maxx 3. Heartland HPS • $140M in breach expenses Source: http://en.wikipedia.org/wiki/Albert_Gonzalez Source: http://www.youtube.com/user/ProtegrityUSA5
  • 6. What about Breaches & PCI? Was Data Protected? 9: Restrict physical access to cardholder data 5: Use and regularly update anti-virus software 4: Encrypt transmission of cardholder data 2: Do not use vendor-supplied defaults for security parameters 12: Maintain a policy that addresses information security 1: Install and maintain a firewall configuration to protect data 8: Assign a unique ID to each person with computer access 6: Develop and maintain secure systems and applications 10: Track and monitor all access to network resources and data 11: Regularly test security systems and processes 7: Restrict access to data by business need-to-know 3: Protect Stored Data % 0 10 20 30 40 50 60 70 80 90 100 Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study6
  • 7. WHAT TYPES OF DATA ARE UNDER ATTACK NOW?7
  • 8. What Data is Compromised? Personal information (Name, SS#, Addr, etc.) Payment card numbers/data Unknown (specific type is not known) Medical records Medical Classified information Trade secrets Copyrighted/Trademarked material System information (config, svcs, sw, etc.) Bank account numbers/data Authentication credentials… 0 20 40 60 80 100 %120 By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/8
  • 9. Today “Hacktivism” is Dominating Activist group Organized criminal group Relative or acquaintance of employee Former employee (no longer had access) Unaffiliated person(s) Unknown 0 10 20 30 40 50 60 70 % By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/9
  • 10. Growing Threat of “hacktivism” Attacks by Anonymous include • 2012: CIA and Interpol • 2011: Sony, Stratfor and HBGary Federal Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous10
  • 11. Some Major Data Breaches April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011 Time Impact $ Attack Type Source: IBM 2012 Security Breaches Trend and Risk Report11
  • 12. The Sony Breach & The Cloud Lost 100 million passwords and personal details stored in clear Spent $171 million related to the data breach Sonys stock price has fallen 40 percent For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony Attack via SQL Injection12
  • 13. SQL Injection Attacks are Increasing 25,000 20,000 15,000 10,000 5,000 Q1 2011 Q2 2011 Q3 2011 Source: IBM 2012 Security Breaches Trend and Risk Report13
  • 14. WHAT IS SQL INJECTION?14
  • 15. What is SQL Injection? SQL Command Injected Application Data Store15
  • 16. New Industry Groups are Targets Accommodation and Food Services Retail Trade Finance and Insurance Health Care and Social Assistance Other Information 0 10 20 30 40 50 60 % By percent of breaches Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/16
  • 17. The Changing Threat Landscape Some issues have stayed constant: • Threat landscape continues to gain sophistication • Attackers will always be a step ahead of the defenders We are fighting highly organized, well-funded crime syndicates and nations Move from detective to preventative controls needed Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=217
  • 18. How are Breaches Discovered? Notified by law enforcement Third-party fraud detection (e.g., CPP) Reported by customer/partner affected Brag or blackmail by perpetrator Unknown Witnessed and/or reported by employee Other(s) Internal fraud detection mechanism Financial audit and reconciliation process Log analysis and/or review process Unusual system behavior or performance 0 10 20 30 40 50 60 70 % By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/18
  • 19. WHERE IS DATA LOST?19
  • 20. What Assets are Compromised? Database server Web/application server Desktop/Workstation Mail server Call Center Staff People Remote Access server Laptop/Netbook File server Pay at the Pump terminal User devices Cashier/Teller/Waiter People Payment card (credit, debit, etc.) Offline… Regular employee/end-user People Automated Teller Machine (ATM) POS terminal User devices POS server (store controller) 0 20 40 60 80 100 % 120 By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/20
  • 21. Hacking and Malware are Leading Threat Action Categories Hacking Malware Social Physical Misuse Error Environmental 0 50 100 % 150 By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/21
  • 22. Thieves Are Attacking the Data Flow Application Application22
  • 23. THIS IS A CATCH 22!23
  • 24. How can we Secure The Data Flow? Retail Bank Store Payment 9999 9999 Corporate Network Systems24
  • 25. WHAT HAS THE INDUSTRY DONE TO SECURE DATA?25
  • 26. What Has The Industry Done? Input Value: 3872 3789 1620 3675 TCO Strong Encryption !@#$%a^.,mhu7///&*B()_+!@ High AES, 3DES Format Preserving Encryption 8278 2789 2990 2789 DTP, FPE Format Preserving Vault-based Tokenization 8278 2789 2990 2789 Greatly reduced Key Management Vaultless Tokenization 8278 2789 2990 2789 Low No Vault 1970 2000 2005 201026
  • 27. Use of Enabling Technologies Access controls 1% 91% Database activity monitoring 18% 47% Database encryption 30% 35% Backup / Archive encryption 21% 39% Data masking 28% 28% Application-level encryption 7% 29% Tokenization 22% 23% Evaluating27
  • 28. WHAT IS THE DIFFERENCE BETWEEN VAULT-BASED AND VAULTLESS TOKENIZATION?28
  • 29. We Started with Vault-Based Tokenization …29
  • 30. Issues with Vault-based Tokenization30
  • 31. Miniaturization of the Tokenization Server Evolution Vault-less Tokenization Server Vault-based Tokenization Server31
  • 32. Protegrity Tokenization Differentiators Vault-based Tokenization Vaultless Tokenization Footprint Large, Expanding. Small, Static. High Availability, Complex, expensive No replication required. Disaster Recovery replication required. Distribution Practically impossible to Easy to deploy at different distribute geographically. geographically distributed locations. Reliability Prone to collisions. No collisions. Performance, Will adversely impact Little or no latency. Fastest industry Latency, and performance & scalability. tokenization. Scalability Extendibility Practically impossible. Unlimited Tokenization Capability.32
  • 33. External Validation for Protegrity Vaultless Tokenization “The Protegrity tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.“ Prof. Dr. Ir. Bart Preneel Katholieke University Leuven, Belgium * Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, president of the International Association for Cryptologic Research * The Katholieke University Leuven in Belgium is where Advanced Encryption Standard (AES) was invented.33
  • 34. SPEED & SECURITY34
  • 35. Speed of Different Protection Methods Transactions per second 10 000 000 - 1 000 000 - 100 000 - 10 000 - 1 000 - 100 - I I I I Basic Format AES CBC Vaultless Data Preserving Encryption Data Speed will depend on Tokenization Encryption Standard Tokenization the configuration35
  • 36. Security of Different Protection Methods Security Level High Low I I I I Basic Format AES CBC Vaultless Data Preserving Encryption Data Tokenization Encryption Standard Tokenization36
  • 37. CASE STUDIES37
  • 38. Case Study: Large Chain Store Why? Reduce compliance cost by 50% • 50 million Credit Cards, 700 million daily transactions • Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization • End-to-End Tokens: Started with the D/W and expanding to stores • Lower maintenance cost – don’t have to apply all 12 requirements • Better security – able to eliminate several business and daily reports • Qualified Security Assessors had no issues • “With encryption, implementations can spawn dozens of questions” • “There were no such challenges with tokenization”38
  • 39. Case Study: Energy Industry Why? Reduce PCI Scope • Best way to handle legacy, we got most of it out of PCI – Get rid of unwanted paper copies – No need to rewrite/redevelop or restructure business applications – A VERY efficient way of PCI Reduction of Scope • Better understanding of your data flow – Better understanding of business flow – Opportunity to clean up a few business oddities39
  • 40. Case Studies: Retail Customer 1: Why? Three major concerns solved • Performance Challenge; Initial tokenization • Vendor Lock-In: What if we want to switch payment processor • Extensive Enterprise End-to-End Credit Card Data Protection Customer 2: Why? Desired single vendor to provide data protection • Combined use of tokenization and encryption • Looking to expand tokens beyond CCN to PII Customer 3: Why? Remove compensating controls from the mainframe • Tokens on the mainframe to avoid compensating controls40
  • 41. PCI DSS GUIDELINES41
  • 42. Tokenization and Encryption are Different42
  • 43. Tokenization and “PCI Out Of Scope” De-tokenization No Available? Yes Random Number Tokens? No: FPE Yes Isolated from Card Holder Data Yes Environment? No Out of Scope No Scope Scope Reduction Reduction Source: http://www.securosis.com43
  • 44. PII DATA44
  • 45. How Should I Secure Different Data? File Field Encryption Tokenization Use Case Card Simple - PII Holder PCI Data PHI Protected HealthComplex - Information Type of I I Data Un-structured Structured45
  • 46. Flexibility in Token Format ControlsType of Data Input Token CommentCredit Card 3872 3789 1620 3675 8278 2789 2990 2789 NumericCredit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposedCredit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposedMedical ID 29M2009ID 497HF390D Alpha-NumericDate 10/30/1955 12/25/2034 Date - multiple date formatsE-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snk Alpha NumericSSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in inputInvalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will failBinary 0x010203 0x123296910112Alphanumeric Position to place alpha is 5105 1051 0510 5100 8278 2789 299A 2781Indicator configurableDecimal 123.45 9842.56 Non length preserving Deliver a different token to different Merchant 1: 8278 2789 2990 2789Multi-Merchant 3872 3789 1620 3675 merchant based on the same credit Merchant 2: 9302 8999 2662 6345 card number.
  • 47. What are the benefits of Tokenization? Reduces complexity of key management. Reduces the number of hacker targets. What are the benefits of Tokenisation? Reduces the remediation for protecting systems. Reduces the cost of PCI Compliance. Additional benefits with Protegrity Vaultless Tokenization Infinitely Scalable Fastest tokenization method in the world Simplicity and Security: No replication, No collisions Flexible and easy to deploy and distribute Lower Total Cost of Ownership than Basic Tokenization
  • 48. ABOUT PROTEGRITY48
  • 49. About Protegrity Proven enterprise data security software and innovation leader • Sole focus on the protection of data • Patented Technology, Continuing to Drive Innovation Growth driven by compliance and risk management • PCI (Payment Card Industry) • PII (Personally Identifiable Information) • PHI (Protected Health Information) – HIPAA • State and Foreign Privacy Laws, Breach Notification Laws • Requirements to eliminate the threat of data breach and non-compliance Cross-industry applicability • Retail, Hospitality, Travel and Transportation • Financial Services, Insurance and Banking • Healthcare, Telecommunications, Media and Entertainment • Manufacturing and Government49
  • 50. What are Industry Analyst’s Saying? “Protegrity has a comprehensive approach to a range of data security problems, while most vendors only have one stovepipe solution with no coherent strategy.” - Scott Crawford, EMA “I’m really impressed that you’ve expanded your Tokenization solution to include PII and HIPAA. I haven’t seen this from other vendors. It’s really nice to see that vendors are driving innovation, before there’s a big demand from customers.” - Derek Brink, Aberdeen “Tokenizing payment data holds the promise of improving security while reducing auditing costs, generating great demand amongst the merchant community. Tokenization is a simple technology with a clear value proposition.” - Adrian Lane, Analyst and CTO, Securosis “Protegrity’s approach to tokenization is very elegant and it’s clear your solution is very fast and flexible.” – A leading Industry Analyst Firm50
  • 51. Summary Optimal support of complex enterprise requirements • Heterogeneous platform supports all operating systems and databases • Flexible protectors (Database, Application, File) • Risk Adjusted Data Protection offers the options for protection data with the appropriate strength. • Built-in Key Management • Consistent Enterprise policy enforcement and audit logging Innovative • Pushing data protection with industry leading Proven • Proven platform currently protects the worlds largest companies Experienced • Experienced staff will be there with support along the way to complete data protection51
  • 52. Questions and Answers Elaine Evans Protegrity Marketing elaine.evans@protegrity.com www.protegrity.com