SlideShare a Scribd company logo

Cacs na isaca session 414 ulf mattsson may 10 final

Download as PPTX, PDF
Ulf Mattsson
Ulf Mattsson

Understanding Your Data Flow - ISACA USA

Technology
1 of 75
Understanding Your Data Flow Using Tokenization to Secure Data Ulf Mattsson CTO Protegrity 1
2
03
4 • 20 years with IBM Development & Global Services • Started Protegrity 1994 • Inventor of 22 patents – Encryption and Tokenization • Member of – PCI Security Standards Council (PCI SSC) – American National Standards Institute (ANSI) X9 – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security – ISACA (Information Systems Audit and Control Association) – Information Systems Security Association (ISSA) – Cloud Security Alliance (CSA) Ulf Mattsson, CTO Protegrity
Session topics • Discuss threats against data • Review solutions for securing data – Evaluate different options for data tokenization and encryption • Review case studies – Discuss how to stay out of scope for PCI DSS • Review data protection cost efficiency – Introduce a business risk approach • Discuss cloud and outsourced environments 5
THIEVES ARE STEALING OUR DATA! 6
Albert Gonzalez 20 Years In US Federal Prison 7 Source: http://www.youtube.com/user/ProtegrityUSA US Federal indictments: 1. Dave & Busters 2. TJ Maxx 3. Heartland HPS •Breach expenses $140M Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
8 What about Breaches & PCI? Was Data Protected? Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study % 0 10 20 30 40 50 60 70 80 90 100 3: Protect Stored Data 7: Restrict access to data by business need-to-know 11: Regularly test security systems and processes 10: Track and monitor all access to network resources and data 6: Develop and maintain secure systems and applications 8: Assign a unique ID to each person with computer access 1: Install and maintain a firewall configuration to protect data 12: Maintain a policy that addresses information security 2: Do not use vendor-supplied defaults for security parameters 4: Encrypt transmission of cardholder data 5: Use and regularly update anti-virus software 9: Restrict physical access to cardholder data
WHAT TYPES OF DATA ARE UNDER ATTACK NOW? 9
10 What Data is Compromised? By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ 0 20 40 60 80 100 120 Authentication credentials (usernames, pwds,… Sensitive organizational data (reports, plans, etc.) Bank account numbers/data System information (config, svcs, sw, etc.) Copyrighted/Trademarked material Trade secrets Classified information Medical records Medical Unknown (specific type is not known) Payment card numbers/data Personal information (Name, SS#, Addr, etc.) %
11 Today “Hacktivism” is Dominating 0 10 20 30 40 50 60 70 Unknown Unaffiliated person(s) Former employee (no longer had access) Relative or acquaintance of employee Organized criminal group Activist group By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ %
12 Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous Growing Threat of “hacktivism” by Groups such as Anonymous Attacks by Anonymous include • 2012: CIA and Interpol • 2011: Sony, Stratfor and HBGary Federal
April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011 13 Attack Type, Time and Impact $ Source: IBM 2012 Security Breaches Trend and Risk Report Let’s Review Some Major Recent Breaches
• Lost 100 million passwords and personal details stored in clear • Spent $171 million related to the data breach • Sony's stock price has fallen 40 percent • For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony • Attack via SQL Injection 14 The Sony Breach & Cloud
Q1 2011 Q2 2011 Q3 2011 15 SQL Injection Attacks are Increasing 25,000 20,000 15,000 10,000 5,000 Source: IBM 2012 Security Breaches Trend and Risk Report
WHAT IS SQL INJECTION? 16
What is an SQL Injection Attack? Application SQL Command Injected Data Store 17
WHO IS THE NEXT TARGET? 18
19 New Industry Groups are Targets 0 10 20 30 40 50 60 Information Other Health Care and Social Assistance Finance and Insurance Retail Trade Accommodation and Food Services By percent of breaches Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ %
The Changing Threat Landscape  Some issues have stayed constant:  Threat landscape continues to gain sophistication  Attackers will always be a step ahead of the defenders  We are fighting highly organized, well-funded crime syndicates and nations  Move from detective to preventative controls needed Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
21 How are Breaches Discovered? 0 10 20 30 40 50 60 70 Unusual system behavior or performance Log analysis and/or review process Financial audit and reconciliation process Internal fraud detection mechanism Other(s) Witnessed and/or reported by employee Unknown Brag or blackmail by perpetrator Reported by customer/partner affected Third-party fraud detection (e.g., CPP) Notified by law enforcement By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ %
WHERE IS DATA LOST? 22
23 What Assets are Compromised? By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ 0 20 40 60 80 100 120 POS server (store controller) POS terminal User devices Automated Teller Machine (ATM) Regular employee/end-user People Payment card (credit, debit, etc.) Offline data Cashier/Teller/Waiter People Pay at the Pump terminal User devices File server Laptop/Netbook Remote Access server Call Center Staff People Mail server Desktop/Workstation Web/application server Database server %
24 Threat Action Categories 0 50 100 150 Environmental Error Misuse Physical Social Malware Hacking By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ % Hacking and Malware are Leading
Thieves Are Attacking the Data Flow 025 Application Application
THIS IS A CATCH 22! 26
Thieves Can't Steal What's Not There: Fake Data Application Application ???-??-???? 27
HOW CAN WE SECURE THE DATA FLOW? 28
Securing The Data Flow with Tokenization Retail Store Bank Payment Network 9999 9999 Corporate Systems 29
WHAT HAS THE INDUSTRY DONE TO SECURE DATA? 30
Time Total Cost of Ownership Total Cost of Ownership 1. System Integration 2. Performance Impact 3. Key Management 4. Policy Management 5. Reporting 6. Paper Handling 7. Compliance Audit 8. … Strong Encryption: 3DES, AES … I 2010 I 1970 What Has The Industry Done? I 2005 I 2000 Format Preserving Encryption: FPE, DTP … Basic Tokenization Vaultless Tokenization High - Low - 31
Case Study: Large Chain Store Why? Reduce compliance cost by 50% – 50 million Credit Cards, 700 million daily transactions – Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization – End-to-End Tokens: Started with the D/W and expanding to stores – Lower maintenance cost – don’t have to apply all 12 requirements – Better security – able to eliminate several business and daily reports – Qualified Security Assessors had no issues • “With encryption, implementations can spawn dozens of questions” • “There were no such challenges with tokenization” 32
HOW CAN WE POSITION DIFFERENT SECURITY OPTIONS? 33
10 000 000 - 1 000 000 - 100 000 - 10 000 - 1 000 - 100 - Transactions per second I Format Preserving Encryption Speed of Different Protection Methods I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization Speed will depend on the configuration 34
WHAT IS VAULT-LESS DATA TOKENIZATION? 35
Different Tokenization Approaches Basic Tokenization Vault-less Tokenization* Footprint Large, Expanding. Small, Static. High Availability, Disaster Recovery Complex, expensive replication required. No replication required. Distribution Practically impossible to distribute geographically. Easy to deploy at different geographically distributed locations. Reliability Prone to collisions. No collisions. Performance, Latency, and Scalability Will adversely impact performance & scalability. Little or no latency. Fastest industry tokenization. Extendibility Practically impossible. Unlimited Tokenization Capability. *: Validated by 3rd party experts 36
HOW IMPORTANT IS COST? 37
123456 777777 1234 123456 123456 1234 aVdSaH 1F4hJ 1D3a !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*Hashing - Strong Encryption - Alpha - Numeric - Partial - Clear Text Data - Intrusiveness (to Applications and Databases) I Original !@#$%a^.,mhu7///&*B()_+!@ 666666 777777 8888 Tokenizing or Formatted Encryption Data Length Standard Encryption Encoding 38 DataType&Format Impact of Different Protection Methods
WHEN CAN I USE TOKENIZATION? 39
Type of Data Use Case I Structured How Should I Secure Different Data? I Un-structured Simple - Complex - PCI PHI PII File Encryption Card Holder Data Field Tokenization Protected Health Information 40
Tokenizing Different Types of Data Type of Data Input Token Comment Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric Medical ID 29M2009ID 497HF390D Alpha-Numeric Date 10/30/1955 12/25/2034 Date E-mail Address Ulf.mattsson@protegrit y.com empo.snaugs@svtiensnni .snk Alpha Numeric, delimiters in input preserved SSN delimiters 075-67-2278 287-38-2567 Numeric, delimiters in input Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed 41
ANY TOKENIZATION GUIDELINES? 42
43 Token Generation Token Types Single Use Token Multi Use Token Algorithm and Key Reversible Known strong algorithm One way Irreversible Function Unique Sequence Number Hash Randomly generated value      Secret per transaction Secret per merchant Tokenization Guidelines, Visa No
Tokenization vs. Encryption 44 Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys Code books Index tokens Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY TokenizationEncryption
HOW SECURE IS ENCRYPTION? 45
Many Broken Algorithms
KEYS EVERYWHERE! 47
PCI DSS : Tokenization and Encryption are Different 48 No Scope Reduction If the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key
TOKENS ARE RANDOM 49
50 Source: http://www.securosis.com Tokenization and “PCI Out Of Scope” De-tokenization Available? Random Number Tokens? Isolated from Card Holder Data Environment? Out of Scope Scope Reduction No Scope Reduction No No: FPE Yes Yes Yes No
Case Study: Energy Industry Why? Reduce PCI Scope • Best way to handle legacy, we got most of it out of PCI • Get rid of unwanted paper copies • No need to rewrite/redevelop or restructure business applications • A VERY efficient way of PCI Reduction of Scope • Better understanding of your data flow • Better understanding of business flow • Opportunity to clean up a few business oddities 51
Best Area Criteria Database File Encryption Database Column Encryption Basic Tokenization Vaultless Tokenization Scalability Availability Latency CPU Consumption Security Data Flow Protection Compliance Scoping Key Management Data Collisions Separation of Duties Evaluating Encryption & Tokenization
Case Studies: Retail Customer 1: Why? Three major concerns solved – Performance Challenge; Initial tokenization – Vendor Lock-In: What if we want to switch payment processor – Extensive Enterprise End-to-End Credit Card Data Protection Customer 2: Why? Desired single vendor to provide data protection – Combined use of tokenization and encryption – Looking to expand tokens beyond CCN to PII Customer 3: Why? Remove compensating controls from the mainframe – Tokens on the mainframe to avoid compensating controls 53
WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES? 54
Use of Enabling Technologies 1% 18% 30% 21% 28% 7% 22% 91% 47% 35% 39% 28% 29% 23% Access controls Database activity monitoring Database encryption Backup / Archive encryption Data masking Application-level encryption Tokenization Evaluating 55
System Type Risk Data display Masking I Production I Test / dev High – Low - Data at rest Masking I Integration testing I Trouble shooting Exposure: Data in clear before masking Exposure: Data is only obfuscated 56 Is Data Masking Secure?
System Type Risk Data Tokens I Production I Test / dev Data Tokens = Lower Risk High – Low - I Integration testing I Trouble shooting 57 Data display Masking Data at rest Masking Exposure: Data in clear before masking Exposure: Data is only obfuscated
CAN SECURITY HELP CREATIVITY? 58
Access Right Level Risk Traditional Access Control I More I Less High Low Source: InformationWeek Aug 15, 2011 Old Security = Less Creativity 59
Access Right Level Risk Traditional Access Control I More I Less High Low Source: InformationWeek Aug 15, 2011 New Data Security = More Creativity 60 Data Tokens New: Creativity Happens At the edge
WHAT IS THE IMPACT ON RISK MANAGEMENT? 61
Protection Option Cost Optimal Risk Expected Losses from the Risk Cost of Aversion – Protection of Data Total Cost I Monitoring I Data Lockdown Choose Your Defenses 62
DATA SECURITY ADVANCES ARE CHANGING THE BALANCE 63
Matching Data Protection with Risk Level Risk Level Solution Monitoring Monitoring, masking, format controlling encryption Tokenization, strong encryption Low Risk (1-5) Medium Risk (6-15) High Risk (16-25) Data Field Risk Level Credit Card Number 25 Social Security Number 20 Email Address 20 Customer Name 12 Secret Formula 10 Employee Name 9 Employee Health Record 6 Zip Code 3 64
SEPARATION OF DUTIES! 65
I Format Preserving Encryption Security of Different Protection Methods I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization 66 High Low Security Level
HOW CAN I SECURE DATA IN CLOUD? 67
Risks with Cloud Computing Source: The evolving role of IT managers and CIOs Findings from the 2010 IBM Global IT Risk Study 0 10 20 30 40 50 60 70 Inability to customize applications Financial strength of the cloud… Uptime/business continuity Weakening of corporate network… Threat of data breach or loss Handing over sensitive data to a third… % 68
PCI & Cloud • The PCI council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment – Bob Russo, general manager of the PCI Security Standards Council
Amazon’s PCI Compliance • PCI-DSS 2.0 doesn't address multi-tenancy concerns • You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements • Amazon doesn't do this for you -- it's something you need to implement yourself; including key management, rotation, logging, etc. • If you deploy a server instance in EC2 it still needs to be assessed by your QSA • Your organization's assessment scope isn't necessarily reduced • It might be when you move to something like a tokenization service where you reduce your handling of PAN data Source: securosis.com 070
Securing The Data Flow with Tokenization Retail Store Bank Payment Network 9999 9999 Corporate Systems 71
Why Tokenization? Why Tokenization 1. No Masking 2. No Encryption 3. No Key Management Why Vaultless Tokenization 1. Lower Cost / TCO 2. Better 3. Faster $ 72
Conclusion • Organizations need to understand their data flow and current security technologies – Determine most significant security exposures – Target budgets toward addressing the most critical issues – Strengthen security and compliance profiles • Achieve the right balance between business needs and security demands – I increasingly important as companies are changing their security strategies to better protect sensitive data – Following continuing attacks 73
About Protegrity • Proven enterprise data security software and innovation leader – Sole focus on the protection of data – Patented Technology, Continuing to Drive Innovation • Growth driven by compliance and risk management – PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information) – US State and Foreign Privacy Laws, Breach Notification Laws • Cross-industry applicability – Retail, Hospitality, Travel and Transportation – Financial Services, Insurance, Banking – Healthcare, Telecommunications, Media and Entertainment – Manufacturing and Government 74
Thank you! Q&A ulf.mattsson@protegrity.com www.protegrity.com 203-326-7200 75

Recommended

A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
PA-DSS
PA-DSSPA-DSS
PA-DSSChristian Heinrich
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 

Recommended

A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
PA-DSS
PA-DSSPA-DSS
PA-DSSChristian Heinrich
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityJessica Santamaria
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataUlf Mattsson
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacylgcdcpas
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
Enterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesEnterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesUlf Mattsson
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSKimberly Simon MBA
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualKimberly Simon MBA
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresNisum
 
PCI Security Standards on Big Data Platform (1)
PCI Security Standards on Big Data Platform (1)PCI Security Standards on Big Data Platform (1)
PCI Security Standards on Big Data Platform (1)Chris Cheng-Hsun Lin
 

More Related Content

What's hot

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityJessica Santamaria
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataUlf Mattsson
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacylgcdcpas
 
Enterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesEnterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesUlf Mattsson
 

What's hot (20)

Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder data
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big data
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacy
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
Enterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesEnterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and Strategies
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 

Viewers also liked

White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresNisum
 
PCI Security Standards on Big Data Platform (1)
PCI Security Standards on Big Data Platform (1)PCI Security Standards on Big Data Platform (1)
PCI Security Standards on Big Data Platform (1)Chris Cheng-Hsun Lin
 
CTI Tokenization Concepts 160408B
CTI Tokenization Concepts 160408BCTI Tokenization Concepts 160408B
CTI Tokenization Concepts 160408BPatrick Maroney
 
Isaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataIsaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataUlf Mattsson
 
Payments 2020: Banks & Payments
Payments 2020: Banks & PaymentsPayments 2020: Banks & Payments
Payments 2020: Banks & PaymentsMohit Kant
 
Banks can Implement NFC Payment Choosing between two Options - HCE platform &...
Banks can Implement NFC Payment Choosing between two Options - HCE platform &...Banks can Implement NFC Payment Choosing between two Options - HCE platform &...
Banks can Implement NFC Payment Choosing between two Options - HCE platform &...Mahindra Comviva
 
Thales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security
 
Samsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issuesSamsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issuesPriyanka Aash
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudAmazon Web Services
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 

Viewers also liked (15)

White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
 
PCI Security Standards on Big Data Platform (1)
PCI Security Standards on Big Data Platform (1)PCI Security Standards on Big Data Platform (1)
PCI Security Standards on Big Data Platform (1)
 
Cryptov2 v1
Cryptov2 v1Cryptov2 v1
Cryptov2 v1
 
CTI Tokenization Concepts 160408B
CTI Tokenization Concepts 160408BCTI Tokenization Concepts 160408B
CTI Tokenization Concepts 160408B
 
Isaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big dataIsaca new delhi india - privacy and big data
Isaca new delhi india - privacy and big data
 
Payments 2020: Banks & Payments
Payments 2020: Banks & PaymentsPayments 2020: Banks & Payments
Payments 2020: Banks & Payments
 
Banks can Implement NFC Payment Choosing between two Options - HCE platform &...
Banks can Implement NFC Payment Choosing between two Options - HCE platform &...Banks can Implement NFC Payment Choosing between two Options - HCE platform &...
Banks can Implement NFC Payment Choosing between two Options - HCE platform &...
 
Thales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security corporate presentation
Thales e-Security corporate presentation
 
Samsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issuesSamsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issues
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Mobile Payment Security Trends for the Future
Mobile Payment Security Trends for the FutureMobile Payment Security Trends for the Future
Mobile Payment Security Trends for the Future
 

Similar to Cacs na isaca session 414 ulf mattsson may 10 final

Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010joevest
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonUlf Mattsson
 
The good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breachThe good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breachUlf Mattsson
 
Ulf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf Mattsson
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUlf Mattsson
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsUlf Mattsson
 
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...Ulf Mattsson
 
CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017Joseph John
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityUlf Mattsson
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesUlf Mattsson
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloudUlf Mattsson
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Amazon Web Services
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Ulf Mattsson
 
Isaca how innovation can bridge the gap between privacy and regulations
Isaca how innovation can bridge the gap between privacy and regulationsIsaca how innovation can bridge the gap between privacy and regulations
Isaca how innovation can bridge the gap between privacy and regulationsUlf Mattsson
 
ISACA New York Metro April 30 2012
ISACA New York Metro April 30 2012ISACA New York Metro April 30 2012
ISACA New York Metro April 30 2012Ulf Mattsson
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudUlf Mattsson
 
Life After Compliance march 2010 v2
Life After Compliance march 2010 v2Life After Compliance march 2010 v2
Life After Compliance march 2010 v2SafeNet
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group
 

Similar to Cacs na isaca session 414 ulf mattsson may 10 final (20)

Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
 
The good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breachThe good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breach
 
Ulf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare version
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private clouds
 
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
 
CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data security
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloud
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...Where data security and value of data meet in the cloud brighttalk webinar ...
Where data security and value of data meet in the cloud brighttalk webinar ...
 
Isaca how innovation can bridge the gap between privacy and regulations
Isaca how innovation can bridge the gap between privacy and regulationsIsaca how innovation can bridge the gap between privacy and regulations
Isaca how innovation can bridge the gap between privacy and regulations
 
ISACA New York Metro April 30 2012
ISACA New York Metro April 30 2012ISACA New York Metro April 30 2012
ISACA New York Metro April 30 2012
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technology
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the Cloud
 
Life After Compliance march 2010 v2
Life After Compliance march 2010 v2Life After Compliance march 2010 v2
Life After Compliance march 2010 v2
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
 

More from Ulf Mattsson

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...Ulf Mattsson
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesUlf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeUlf Mattsson
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchainUlf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protectionUlf Mattsson
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonUlf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAUlf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 

More from Ulf Mattsson (20)

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
Book
BookBook
Book
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 

Recently uploaded

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Cacs na isaca session 414 ulf mattsson may 10 final

  • 1. Understanding Your Data Flow Using Tokenization to Secure Data Ulf Mattsson CTO Protegrity 1
  • 2. 2
  • 3. 03
  • 4. 4 • 20 years with IBM Development & Global Services • Started Protegrity 1994 • Inventor of 22 patents – Encryption and Tokenization • Member of – PCI Security Standards Council (PCI SSC) – American National Standards Institute (ANSI) X9 – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security – ISACA (Information Systems Audit and Control Association) – Information Systems Security Association (ISSA) – Cloud Security Alliance (CSA) Ulf Mattsson, CTO Protegrity
  • 5. Session topics • Discuss threats against data • Review solutions for securing data – Evaluate different options for data tokenization and encryption • Review case studies – Discuss how to stay out of scope for PCI DSS • Review data protection cost efficiency – Introduce a business risk approach • Discuss cloud and outsourced environments 5
  • 7. Albert Gonzalez 20 Years In US Federal Prison 7 Source: http://www.youtube.com/user/ProtegrityUSA US Federal indictments: 1. Dave & Busters 2. TJ Maxx 3. Heartland HPS •Breach expenses $140M Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
  • 8. 8 What about Breaches & PCI? Was Data Protected? Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study % 0 10 20 30 40 50 60 70 80 90 100 3: Protect Stored Data 7: Restrict access to data by business need-to-know 11: Regularly test security systems and processes 10: Track and monitor all access to network resources and data 6: Develop and maintain secure systems and applications 8: Assign a unique ID to each person with computer access 1: Install and maintain a firewall configuration to protect data 12: Maintain a policy that addresses information security 2: Do not use vendor-supplied defaults for security parameters 4: Encrypt transmission of cardholder data 5: Use and regularly update anti-virus software 9: Restrict physical access to cardholder data
  • 9. WHAT TYPES OF DATA ARE UNDER ATTACK NOW? 9
  • 10. 10 What Data is Compromised? By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ 0 20 40 60 80 100 120 Authentication credentials (usernames, pwds,… Sensitive organizational data (reports, plans, etc.) Bank account numbers/data System information (config, svcs, sw, etc.) Copyrighted/Trademarked material Trade secrets Classified information Medical records Medical Unknown (specific type is not known) Payment card numbers/data Personal information (Name, SS#, Addr, etc.) %
  • 11. 11 Today “Hacktivism” is Dominating 0 10 20 30 40 50 60 70 Unknown Unaffiliated person(s) Former employee (no longer had access) Relative or acquaintance of employee Organized criminal group Activist group By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ %
  • 12. 12 Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous Growing Threat of “hacktivism” by Groups such as Anonymous Attacks by Anonymous include • 2012: CIA and Interpol • 2011: Sony, Stratfor and HBGary Federal
  • 13. April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011 13 Attack Type, Time and Impact $ Source: IBM 2012 Security Breaches Trend and Risk Report Let’s Review Some Major Recent Breaches
  • 14. • Lost 100 million passwords and personal details stored in clear • Spent $171 million related to the data breach • Sony's stock price has fallen 40 percent • For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony • Attack via SQL Injection 14 The Sony Breach & Cloud
  • 15. Q1 2011 Q2 2011 Q3 2011 15 SQL Injection Attacks are Increasing 25,000 20,000 15,000 10,000 5,000 Source: IBM 2012 Security Breaches Trend and Risk Report
  • 17. What is an SQL Injection Attack? Application SQL Command Injected Data Store 17
  • 18. WHO IS THE NEXT TARGET? 18
  • 19. 19 New Industry Groups are Targets 0 10 20 30 40 50 60 Information Other Health Care and Social Assistance Finance and Insurance Retail Trade Accommodation and Food Services By percent of breaches Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ %
  • 20. The Changing Threat Landscape  Some issues have stayed constant:  Threat landscape continues to gain sophistication  Attackers will always be a step ahead of the defenders  We are fighting highly organized, well-funded crime syndicates and nations  Move from detective to preventative controls needed Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
  • 21. 21 How are Breaches Discovered? 0 10 20 30 40 50 60 70 Unusual system behavior or performance Log analysis and/or review process Financial audit and reconciliation process Internal fraud detection mechanism Other(s) Witnessed and/or reported by employee Unknown Brag or blackmail by perpetrator Reported by customer/partner affected Third-party fraud detection (e.g., CPP) Notified by law enforcement By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ %
  • 23. 23 What Assets are Compromised? By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ 0 20 40 60 80 100 120 POS server (store controller) POS terminal User devices Automated Teller Machine (ATM) Regular employee/end-user People Payment card (credit, debit, etc.) Offline data Cashier/Teller/Waiter People Pay at the Pump terminal User devices File server Laptop/Netbook Remote Access server Call Center Staff People Mail server Desktop/Workstation Web/application server Database server %
  • 24. 24 Threat Action Categories 0 50 100 150 Environmental Error Misuse Physical Social Malware Hacking By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/ % Hacking and Malware are Leading
  • 25. Thieves Are Attacking the Data Flow 025 Application Application
  • 26. THIS IS A CATCH 22! 26
  • 27. Thieves Can't Steal What's Not There: Fake Data Application Application ???-??-???? 27
  • 28. HOW CAN WE SECURE THE DATA FLOW? 28
  • 29. Securing The Data Flow with Tokenization Retail Store Bank Payment Network 9999 9999 Corporate Systems 29
  • 30. WHAT HAS THE INDUSTRY DONE TO SECURE DATA? 30
  • 31. Time Total Cost of Ownership Total Cost of Ownership 1. System Integration 2. Performance Impact 3. Key Management 4. Policy Management 5. Reporting 6. Paper Handling 7. Compliance Audit 8. … Strong Encryption: 3DES, AES … I 2010 I 1970 What Has The Industry Done? I 2005 I 2000 Format Preserving Encryption: FPE, DTP … Basic Tokenization Vaultless Tokenization High - Low - 31
  • 32. Case Study: Large Chain Store Why? Reduce compliance cost by 50% – 50 million Credit Cards, 700 million daily transactions – Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization – End-to-End Tokens: Started with the D/W and expanding to stores – Lower maintenance cost – don’t have to apply all 12 requirements – Better security – able to eliminate several business and daily reports – Qualified Security Assessors had no issues • “With encryption, implementations can spawn dozens of questions” • “There were no such challenges with tokenization” 32
  • 34. 10 000 000 - 1 000 000 - 100 000 - 10 000 - 1 000 - 100 - Transactions per second I Format Preserving Encryption Speed of Different Protection Methods I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization Speed will depend on the configuration 34
  • 36. Different Tokenization Approaches Basic Tokenization Vault-less Tokenization* Footprint Large, Expanding. Small, Static. High Availability, Disaster Recovery Complex, expensive replication required. No replication required. Distribution Practically impossible to distribute geographically. Easy to deploy at different geographically distributed locations. Reliability Prone to collisions. No collisions. Performance, Latency, and Scalability Will adversely impact performance & scalability. Little or no latency. Fastest industry tokenization. Extendibility Practically impossible. Unlimited Tokenization Capability. *: Validated by 3rd party experts 36
  • 38. 123456 777777 1234 123456 123456 1234 aVdSaH 1F4hJ 1D3a !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*Hashing - Strong Encryption - Alpha - Numeric - Partial - Clear Text Data - Intrusiveness (to Applications and Databases) I Original !@#$%a^.,mhu7///&*B()_+!@ 666666 777777 8888 Tokenizing or Formatted Encryption Data Length Standard Encryption Encoding 38 DataType&Format Impact of Different Protection Methods
  • 40. Type of Data Use Case I Structured How Should I Secure Different Data? I Un-structured Simple - Complex - PCI PHI PII File Encryption Card Holder Data Field Tokenization Protected Health Information 40
  • 41. Tokenizing Different Types of Data Type of Data Input Token Comment Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric Medical ID 29M2009ID 497HF390D Alpha-Numeric Date 10/30/1955 12/25/2034 Date E-mail Address Ulf.mattsson@protegrit y.com empo.snaugs@svtiensnni .snk Alpha Numeric, delimiters in input preserved SSN delimiters 075-67-2278 287-38-2567 Numeric, delimiters in input Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed 41
  • 43. 43 Token Generation Token Types Single Use Token Multi Use Token Algorithm and Key Reversible Known strong algorithm One way Irreversible Function Unique Sequence Number Hash Randomly generated value      Secret per transaction Secret per merchant Tokenization Guidelines, Visa No
  • 44. Tokenization vs. Encryption 44 Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys Code books Index tokens Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY TokenizationEncryption
  • 48. PCI DSS : Tokenization and Encryption are Different 48 No Scope Reduction If the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key
  • 50. 50 Source: http://www.securosis.com Tokenization and “PCI Out Of Scope” De-tokenization Available? Random Number Tokens? Isolated from Card Holder Data Environment? Out of Scope Scope Reduction No Scope Reduction No No: FPE Yes Yes Yes No
  • 51. Case Study: Energy Industry Why? Reduce PCI Scope • Best way to handle legacy, we got most of it out of PCI • Get rid of unwanted paper copies • No need to rewrite/redevelop or restructure business applications • A VERY efficient way of PCI Reduction of Scope • Better understanding of your data flow • Better understanding of business flow • Opportunity to clean up a few business oddities 51
  • 52. Best Area Criteria Database File Encryption Database Column Encryption Basic Tokenization Vaultless Tokenization Scalability Availability Latency CPU Consumption Security Data Flow Protection Compliance Scoping Key Management Data Collisions Separation of Duties Evaluating Encryption & Tokenization
  • 53. Case Studies: Retail Customer 1: Why? Three major concerns solved – Performance Challenge; Initial tokenization – Vendor Lock-In: What if we want to switch payment processor – Extensive Enterprise End-to-End Credit Card Data Protection Customer 2: Why? Desired single vendor to provide data protection – Combined use of tokenization and encryption – Looking to expand tokens beyond CCN to PII Customer 3: Why? Remove compensating controls from the mainframe – Tokens on the mainframe to avoid compensating controls 53
  • 54. WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES? 54
  • 55. Use of Enabling Technologies 1% 18% 30% 21% 28% 7% 22% 91% 47% 35% 39% 28% 29% 23% Access controls Database activity monitoring Database encryption Backup / Archive encryption Data masking Application-level encryption Tokenization Evaluating 55
  • 56. System Type Risk Data display Masking I Production I Test / dev High – Low - Data at rest Masking I Integration testing I Trouble shooting Exposure: Data in clear before masking Exposure: Data is only obfuscated 56 Is Data Masking Secure?
  • 57. System Type Risk Data Tokens I Production I Test / dev Data Tokens = Lower Risk High – Low - I Integration testing I Trouble shooting 57 Data display Masking Data at rest Masking Exposure: Data in clear before masking Exposure: Data is only obfuscated
  • 60. Access Right Level Risk Traditional Access Control I More I Less High Low Source: InformationWeek Aug 15, 2011 New Data Security = More Creativity 60 Data Tokens New: Creativity Happens At the edge
  • 61. WHAT IS THE IMPACT ON RISK MANAGEMENT? 61
  • 62. Protection Option Cost Optimal Risk Expected Losses from the Risk Cost of Aversion – Protection of Data Total Cost I Monitoring I Data Lockdown Choose Your Defenses 62
  • 64. Matching Data Protection with Risk Level Risk Level Solution Monitoring Monitoring, masking, format controlling encryption Tokenization, strong encryption Low Risk (1-5) Medium Risk (6-15) High Risk (16-25) Data Field Risk Level Credit Card Number 25 Social Security Number 20 Email Address 20 Customer Name 12 Secret Formula 10 Employee Name 9 Employee Health Record 6 Zip Code 3 64
  • 66. I Format Preserving Encryption Security of Different Protection Methods I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization 66 High Low Security Level
  • 67. HOW CAN I SECURE DATA IN CLOUD? 67
  • 68. Risks with Cloud Computing Source: The evolving role of IT managers and CIOs Findings from the 2010 IBM Global IT Risk Study 0 10 20 30 40 50 60 70 Inability to customize applications Financial strength of the cloud… Uptime/business continuity Weakening of corporate network… Threat of data breach or loss Handing over sensitive data to a third… % 68
  • 69. PCI & Cloud • The PCI council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment – Bob Russo, general manager of the PCI Security Standards Council
  • 70. Amazon’s PCI Compliance • PCI-DSS 2.0 doesn't address multi-tenancy concerns • You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements • Amazon doesn't do this for you -- it's something you need to implement yourself; including key management, rotation, logging, etc. • If you deploy a server instance in EC2 it still needs to be assessed by your QSA • Your organization's assessment scope isn't necessarily reduced • It might be when you move to something like a tokenization service where you reduce your handling of PAN data Source: securosis.com 070
  • 71. Securing The Data Flow with Tokenization Retail Store Bank Payment Network 9999 9999 Corporate Systems 71
  • 72. Why Tokenization? Why Tokenization 1. No Masking 2. No Encryption 3. No Key Management Why Vaultless Tokenization 1. Lower Cost / TCO 2. Better 3. Faster $ 72
  • 73. Conclusion • Organizations need to understand their data flow and current security technologies – Determine most significant security exposures – Target budgets toward addressing the most critical issues – Strengthen security and compliance profiles • Achieve the right balance between business needs and security demands – I increasingly important as companies are changing their security strategies to better protect sensitive data – Following continuing attacks 73
  • 74. About Protegrity • Proven enterprise data security software and innovation leader – Sole focus on the protection of data – Patented Technology, Continuing to Drive Innovation • Growth driven by compliance and risk management – PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information) – US State and Foreign Privacy Laws, Breach Notification Laws • Cross-industry applicability – Retail, Hospitality, Travel and Transportation – Financial Services, Insurance, Banking – Healthcare, Telecommunications, Media and Entertainment – Manufacturing and Government 74