With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Learn how enterprise security organizations can take a data-centric approach to their security posture with Identity and Data Protection solutions.
Learn about the new trends in data masking, tokenization and encryption.
Learn about the guidance and standards from FFIEC, PCI DSS, ISO and NIST.
Learn about the new API economy and eCommerce trends, and how to control sensitive data both on-premises and in public and private clouds.
This session is for worldwide directors and managers in financial services, healthcare, energy, government and more.
My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
Data Centric Security and PCI DSS
[Timeline figure over the years 2000, 2004, 2014 and 2016 with the labels: Cardholder Information Security Program (CISP) by Visa USA; Protect stored cardholder data; Data Security; PCI DSS 3.2; Data Centric Audit and Protection; and the related standards FFIEC, NIST, ANSI X9, ISO/IEC and GDPR.]
Protect Sensitive Cloud Data - Example
[Diagram: an Administrator, an Attacker, a Remote User and an Internal User reach the Public Cloud through a Transparent Gateway. Sensitive data enters the gateway; in the cloud each sensitive field is protected, and each authorized field is in clear.]
Reduction of Pain with Different Protection Techniques
[Chart: pain and TCO, from High to Low, plotted against the years 1970, 2000, 2005 and 2010 for the techniques below.]
Input value: 3872 3789 1620 3675
• Strong encryption (AES, 3DES): output !@#$%a^.,mhu7///&*B()_+!@
• Format preserving encryption (DTP, FPE): output 8278 2789 2990 2789; format preserving
• Vault-based tokenization: output 8278 2789 2990 2789; greatly reduced key management
• Vaultless tokenization: output 8278 2789 2990 2789; no vault
Example of Cross Border Data-centric Security
[Diagram: data sources feeding a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.]
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU cross border data protection laws
• Utilizing data tokenization, and centralized policy, key management, auditing, and reporting
How Should I Secure Different Types of Data?
[Matrix: type of data (structured, unstructured) against use case (simple, complex), covering PCI (Card Holder Data), PHI (Protected Health Information) and PII (Personally Identifiable Information), with two protection methods: tokenization of fields and encryption of files.]
Encryption vs Tokenization
What is the difference?
• Encryption - A data security measure using mathematical algorithms to generate rule-based values in place of original data
• Tokenization - A data security measure using mathematical algorithms to generate randomized values in place of original data
Encryption alone is not a full solution
• With encryption, sensitive data remains in business systems. With tokenization, sensitive data is removed completely from business systems and securely vaulted.
Tokens are versatile
• Format-preserving tokens can be utilized where masked information is required
Examples of Protected Data
Field             Real Data                            Tokenized / Pseudonymized
Name              Joe Smith                            csu wusoj
Address           100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth     12/25/1966                           01/02/1966
Telephone         760-278-3389                         760-389-2289
E-Mail Address    joe.smith@surferdude.org             eoe.nwuer@beusorpdqo.org
SSN               076-39-2778                          076-28-3390
CC Number         3678 2289 3907 3378                  3846 2290 3371 3378
Business URL      www.surferdude.com                   www.sheyinctao.com
Fingerprint       -                                    Encrypted
Photo             -                                    Encrypted
X-Ray             -                                    Encrypted
Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.
Financial Services: consumer products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
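As an added example (not code from the original deck or from any vendor), here is a minimal vault-based tokenizer that produces tokens shaped like the ones in the table: digits stay digits, letters stay letters, separators are copied, and a chosen head or tail (area code, last four, TLD) stays in clear, while the real value lives only in the vault behind a gated detokenize call. The class and method names are assumptions.

```python
import secrets
import string


class TokenVault:
    """Vault-based, format-preserving tokenization (constructed illustration, not
    any vendor's product). Business systems keep only the token; the real value
    is stored in the vault, and detokenize() is the one place it can come back."""

    def __init__(self):
        self._by_token = {}   # token -> real value (the vault)
        self._by_value = {}   # real value -> token, so repeats get the same token

    @staticmethod
    def _shape_token(value, keep_head, keep_tail):
        """Random token with the same shape as value: digits stay digits, letters
        stay letters, separators are copied, and the first keep_head / last
        keep_tail alphanumerics are left in clear (area code, last four, TLD)."""
        alnum = [i for i, ch in enumerate(value) if ch.isalnum()]
        tail = alnum[-keep_tail:] if keep_tail else []
        clear = set(alnum[:keep_head]) | set(tail)
        if len(clear) >= len(alnum):
            raise ValueError("nothing left to randomize")
        out = []
        for i, ch in enumerate(value):
            if i in clear or not ch.isalnum():
                out.append(ch)
            elif ch.isdigit():
                out.append(secrets.choice(string.digits))
            else:
                out.append(secrets.choice(string.ascii_lowercase))
        return "".join(out)

    def tokenize(self, value, keep_head=0, keep_tail=0):
        if value in self._by_value:
            return self._by_value[value]
        while True:  # retry on the rare collision with an existing token or the value itself
            token = self._shape_token(value, keep_head, keep_tail)
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token, caller_authorized):
        """Only an authorized caller may map a token back to the real value."""
        if not caller_authorized:
            raise PermissionError("detokenization denied")
        return self._by_token[token]
```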
Total Cost and Risk of Tokenization
On-premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk - sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk - sensitive data removed from the environment
• Platform-focused security
• Lower associated costs - cyber insurance, PCI audit, maintenance
Minimize Cost of PCI Tokenization
Descoping an eCommerce Solution
A PCI SAQ A contains 22 controls compared to more than 300 for the full PCI DSS
• Use a hosted iFrame or payments page provided by a validated service provider to capture and tokenize CHD
• Do not transmit, process or store CHD via any other acceptance channel, and utilize payment services of the tokenization provider to process transactions
Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies.
Source: IBM and ZDNet
#3 Self-Sovereign Identity (SSI)
[Diagram: You, a Connection, a Peer and the Distributed Ledger (Blockchain). Source: Sovrin.org]
The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow every public key to have its own address, which is called a decentralized identifier (DID).
#3 Self-Sovereign Identity (SSI)
[Diagram: a Peer, the Distributed Ledger (Blockchain), a Digital Wallet, a Connection, and the Get Credential and Show Credential flows, built on four layers: 1 DIDs, 2 DKMS, 3 DID Auth, 4 Verifiable Credentials. Source: Sovrin.org]
2018 ANSI X9 Standard for Format Preserving Encryption
• Format-preserving encryption (FPE) is useful in situations where fixed-format data, such as primary account numbers or Social Security numbers, must be protected.
• FPE will limit changes to existing communication protocols, database schemata or application code.
Source: Accredited Standards Committee ANSI X9
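To make the "same format" property concrete, an added illustration (not the deck's code, and not the ANSI X9 / NIST FF1 algorithm): a small keyed Feistel cipher over decimal digits, built from HMAC-SHA256, that maps a 16-digit PAN or a 9-digit SSN to another string of the same length and leaves separators in place, so an existing column width or message layout is untouched. The function names and round count are assumptions, and the construction makes no security claim.

```python
import hashlib
import hmac

# Constructed teaching example: a digit-domain Feistel cipher keyed with HMAC-SHA256.
# It is NOT the ANSI X9 / NIST FF1 algorithm and makes no security claim; it only
# models the property on the slide: the ciphertext has the same length and digit set.
ROUNDS = 8  # assumption chosen for the illustration

def _prf(key, rnd, other_half, width):
    """Keyed round function: HMAC(key, round || other half) reduced to `width` digits."""
    mac = hmac.new(key, bytes([rnd]) + other_half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def _feistel(key, digits, decrypt):
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    u = len(digits) // 2                       # odd lengths give an unbalanced split
    left, right = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1                # decryption subtracts what encryption added
    for rnd in order:
        if rnd % 2 == 0:                       # even rounds: left += F(right)
            w = len(left)
            left = str((int(left) + sign * _prf(key, rnd, right, w)) % 10 ** w).zfill(w)
        else:                                  # odd rounds: right += F(left)
            w = len(right)
            right = str((int(right) + sign * _prf(key, rnd, left, w)) % 10 ** w).zfill(w)
    return left + right

def fpe_encrypt_digits(key, digits):
    return _feistel(key, digits, decrypt=False)

def fpe_decrypt_digits(key, digits):
    return _feistel(key, digits, decrypt=True)

def _map_formatted(key, value, decrypt):
    """Leave separators (spaces, dashes) in place and transform only the digits,
    so the stored column or message field keeps its exact layout."""
    transformed = iter(_feistel(key, "".join(c for c in value if c.isdigit()), decrypt))
    return "".join(next(transformed) if c.isdigit() else c for c in value)

def fpe_encrypt_formatted(key, value):
    return _map_formatted(key, value, decrypt=False)

def fpe_decrypt_formatted(key, value):
    return _map_formatted(key, value, decrypt=True)
```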
FFIEC Cybersecurity Assessment Tool - FAIR International Standard
Factor Analysis of Information Risk (FAIR)
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
FFIEC is a Formal U.S. Government Interagency Body
It includes five banking regulators:
1. Federal Reserve Board of Governors (FRB),
2. Federal Deposit Insurance Corporation (FDIC),
3. National Credit Union Administration (NCUA),
4. Office of the Comptroller of the Currency (OCC), and
5. Consumer Financial Protection Bureau (CFPB).
It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".
Source: Wikipedia
FFIEC Cybersecurity Assessment Tool
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
To complete the Assessment, management first assesses the institution's inherent risk profile based on five categories:
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
Management then evaluates the institution's Cybersecurity Maturity level for each of five domains:
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool - Maturity Levels
Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.
[Figure: definitions for each of the maturity levels.]
The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool - Excel Template
The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment.
The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
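An added example (not the Excel template's formulas, which the deck does not reproduce) of the rollup a summary sheet performs over the maturity slides above: declarative statements are scored per domain and level, the achieved level is the highest level that is fully met together with every level below it, and a percentage toward the chosen target is computed alongside the unmet statements. The sample data, statement ids and the rollup rule are constructed assumptions.

```python
# Constructed illustration of a CAT summary rollup. The five level names are the
# FFIEC CAT maturity levels; the rollup rule (a level counts only when every
# statement at it and at all lower levels is met) and the percentage figure are
# this example's assumptions, not a transcription of the template's formulas.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample: (domain, level, statement id, met?). Ids are invented.
STATEMENTS = [
    ("Cybersecurity Controls", "Baseline", "CC-B1", True),
    ("Cybersecurity Controls", "Baseline", "CC-B2", True),
    ("Cybersecurity Controls", "Evolving", "CC-E1", True),
    ("Cybersecurity Controls", "Evolving", "CC-E2", True),
    ("Cybersecurity Controls", "Intermediate", "CC-I1", True),
    ("Cybersecurity Controls", "Intermediate", "CC-I2", False),
    ("Cybersecurity Controls", "Advanced", "CC-A1", True),
    ("Cyber Incident Management and Resilience", "Baseline", "IM-B1", True),
    ("Cyber Incident Management and Resilience", "Baseline", "IM-B2", False),
    ("Cyber Incident Management and Resilience", "Evolving", "IM-E1", True),
]
TARGETS = {"Cybersecurity Controls": "Intermediate", "Cyber Incident Management and Resilience": "Evolving"}

def _rows(statements, domain, level):
    return [met for d, lvl, _, met in statements if d == domain and lvl == level]

def achieved_level(statements, domain):
    """Highest level for which this level and every lower level are fully met.
    Returns None when Baseline itself is not fully met."""
    achieved = None
    for level in LEVELS:
        rows = _rows(statements, domain, level)
        if not rows or not all(rows):
            break
        achieved = level
    return achieved

def percent_toward_target(statements, domain, target):
    """Share of statements met among all statements at levels up to the target."""
    wanted = LEVELS[: LEVELS.index(target) + 1]
    rows = [m for lvl in wanted for m in _rows(statements, domain, lvl)]
    return round(100.0 * sum(rows) / len(rows), 1) if rows else 0.0

def gaps(statements, domain, target):
    """Statement ids still unmet at or below the target: the remediation list."""
    wanted = LEVELS[: LEVELS.index(target) + 1]
    return [sid for d, lvl, sid, met in statements if d == domain and lvl in wanted and not met]

def summary(statements, targets):
    return {d: {"achieved": achieved_level(statements, d), "target": t,
                "percent_toward_target": percent_toward_target(statements, d, t),
                "gaps": gaps(statements, d, t)} for d, t in targets.items()}
```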
Mapping FFIEC to NIST Cybersecurity Framework - Some Examples
The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Verizon: Worry Only About the Major Breach Patterns
[Chart: percentage (blue bar) and count of breaches per pattern, including Application Attacks. The gray line represents the percentage of breaches from]
Source: Verizon Data Breach Investigations Report
Security for Microservices
Coding security directly into APIs has the following disadvantages:
■ Violates separation of duties.
■ Makes code more complex and fragile.
■ Adds extra maintenance burden.
■ Is unlikely to cover all aspects that are required in a full API security policy.
■ Not reusable.
■ Not visible to security teams.
Source: Gartner
Products Delivering API Security
Apply policies to APIs (for example, using an API gateway) but avoid situations where each API has a unique security policy. Instead, leverage a reusable set of policies that are applied to APIs based on their categorization. Abstract any specific API characteristics (such as URL path) from the policies themselves.
Source: Gartner
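An added example (not Gartner's or any product's code) of that guidance in working form: APIs are registered with a category only, the gateway resolves one reusable policy set per category and enforces it, and a lint flags any policy that embeds an API-specific characteristic such as a URL path. All names, categories and policy keys are invented for the illustration.

```python
# Constructed illustration of the Gartner guidance above: the gateway resolves a
# policy from the API's category, never from a per-API rule, and a lint catches
# policies that leak API specifics such as a URL path. Every name, category and
# policy key below is invented for the example.
POLICY_SETS = {
    "public":     {"auth": "api_key", "rate_limit_per_min": 60, "mtls": False},
    "partner":    {"auth": "oauth2_client", "rate_limit_per_min": 600, "mtls": True},
    "cardholder": {"auth": "oauth2_client", "rate_limit_per_min": 300, "mtls": True,
                   "tokenize_fields": ["pan"]},
    # anti-pattern: a policy that names a specific path instead of a category
    "legacy-orders": {"auth": "api_key", "mtls": False, "allow_path": "/orders/v1"},
}

# Each API is registered with a category only; it carries no policy of its own.
API_CATALOG = {"payments-v2": "cardholder", "catalog-v1": "public", "shipping-v3": "partner"}

def resolve_policy(api_name, catalog=API_CATALOG, policy_sets=POLICY_SETS):
    """Category lookup; an uncategorized API gets no policy and is not exposed."""
    category = catalog.get(api_name)
    if category is None:
        raise LookupError(f"{api_name!r} is not categorized; refusing to expose it")
    return policy_sets[category]

def check_request(api_name, request):
    """Gateway enforcement of the resolved policy. `request` holds what the gateway
    already verified: auth_scheme, client_cert_verified and the parsed body."""
    policy = resolve_policy(api_name)
    if policy["mtls"] and not request.get("client_cert_verified"):
        return False, "mTLS client certificate required"
    if request.get("auth_scheme") != policy["auth"]:
        return False, f"{policy['auth']} credentials required"
    raw = [f for f in policy.get("tokenize_fields", []) if f in request.get("body", {})]
    if raw:  # sensitive fields must arrive already tokenized, never in clear
        return False, f"fields must be tokenized before reaching the API: {raw}"
    return True, "allowed"

def lint_policies(policy_sets):
    """Flag policy entries that embed API-specific characteristics (a URL path)."""
    return [(cat, key, val) for cat, pol in policy_sets.items()
            for key, val in pol.items() if isinstance(val, str) and val.startswith("/")]
```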
A Data Security API Platform Example
[Diagram: a Data Security Platform with 3rd-party ingress and egress, batch, mobile, web services, eCommerce payment support, token formats, vaulting, token lifecycle, P2PE encryption and cost structure.]