Enterprise Data Protection: Understanding Your Options and Strategies

Ulf Mattsson
CTO Protegrity
Ulf.mattsson AT protegrity.com
Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents – Encryption and Intrusion Prevention
Co-founder of Protegrity (Data Security)
Research member of the International Federation for
Information Processing (IFIP) WG 11.3 Data and Application
Security
Member of
PCI Security Standards Council (PCI SSC)
American National Standards Institute (ANSI) X9
Information Systems Audit and Control Association (ISACA)
Cloud Security Alliance (CSA)
Information Systems Security Association (ISSA)
ISACA Articles – Data Security
Topics
Review the changing threat landscape
Present different options for data security for PCI DSS
Review a case study
Show how to protect the entire data flow
Discuss how to protect against advanced attacks
Show how to balance performance and security with different
approaches to tokenization and encryption
Review security enforcement at the application level,
database level, file level and storage level

The Changing Threat Landscape
Some issues have stayed constant:
Threat landscape continues to gain sophistication
Attackers will always be a step ahead of the defenders

We're fighting highly organized, well-funded crime syndicates and
nations

Move from detective to preventative controls needed:
Several layers of security to address more significant areas of risks

Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

2010 Data Breach Investigations Report
Six years, 900+ breaches, and over 900 million
compromised records
Over half of the breaches occurred outside of the U.S.
Online Data is Compromised Most Frequently (chart)

Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Threat Action Categories
90% of compromised records lost in highly sophisticated attacks

Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Payment Card Industry Data Security Standard
(PCI DSS)
The PCI Security Standards Council is an open global forum
American Express, Discover Financial Services, JCB
International, MasterCard Worldwide, and Visa Inc
The PCI standard consists of a set of 12 rules
Four ways to render the PAN (credit card number) unreadable
Two-way cryptography with associated key management processes
Truncation
One-way cryptographic hash functions
Index tokens and pads

Source: https://www.pcisecuritystandards.org/organization_info/index.php
PCI Encryption Rules (diagram)
Public Network: Attacker; SSL; Encrypted Data (PCI DSS)
Private Network: Application - Clear Text Data; Database - Clear Text Data
OS File System / Storage System: Encrypted Data (PCI DSS); Data At Rest (PCI DSS)
Not Enough to Encrypt Pipes & Files

Protecting the Data Flow - Example (diagram)
Legend: enforcement point; unprotected sensitive information; protected sensitive information

Current, Planned Use of Enabling Technologies
Strong interest in database encryption, data masking, tokenization
(Chart: Current Use, Planned Use <12 Months and Evaluating percentages for Access controls, Database activity monitoring, Database encryption, Backup / Archive encryption, Data masking, Application-level encryption, Tokenization)

Data Security Today is a Catch-22
We need to protect both data and the business processes that rely
on that data
Enterprises are currently on their own in deciding how to apply
emerging technologies for PCI data protection
Data Tokenization - an evolving technology
How to reduce PCI audit scope and exposure to data

Hiding Data in Plain Sight – Data Tokenization (diagram)
Data Entry → Tokenization Server → Data Token → Application Databases
Values shown: 400000 123456 7899 (data entry), Y&SFD%))S(, 400000 222222 7899 (data token)

Retail Scenario with Tokenization (diagram)
Components: Stores, Token Servers, Aggregating Hub for Store Channel, Authorization, Settlement, Loss Prevention, Analysis - EDW, ERP
Legend: integration point

Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
By segmenting cardholder data with tokenization, a regional
chain of 1,500 local convenience stores is reducing its PCI
audit from seven to three months
“We planned on 30 days to tokenize our 30 million card
numbers. With Protegrity Tokenization, the whole process
took about 90 minutes”

Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
Qualified Security Assessors had no issues with the effective
segmentation provided by Tokenization
“With encryption, implementations can spawn dozens of
questions”
“There were no such challenges with tokenization”

Case Study - Large Chain Store Uses
Tokenization to Simplify PCI Compliance
Faster PCI audit – half that time
Lower maintenance cost – don’t have to apply all 12
requirements of PCI DSS to every system
Better security – able to eliminate several business processes
such as generating daily reports for data requests and access
Strong performance – rapid processing rate for initial
tokenization, sub-second transaction SLA

Field Encryption & Tokenization – Data Formats
(Chart: intrusiveness to applications and databases, plotted against encoded data length, original vs. longer; sample values as shown on the slide)
Standard Encryption:
  Hashing: !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
  Strong Encryption: !@#$%a^.,mhu7/////&*B()_+!@
Tokenizing or Formatted Encryption:
  Alpha: aVdSaH 1F4hJ 1D3a
  Numeric: 666666 777777 8888
  Partial: 123456 777777 1234
Clear Text Data: 123456 123456 1234

Risk Management and PCI – Security Aspects
Different data security methods and algorithms
Policy enforcement implemented at different system layers
(Matrix rated Best to Worst on the slide: Data Security Method (Hashing, Formatted Encryption, Strong Encryption, Data Tokenization) against System Layer (Application, Database Column, Database File, Storage Device))

Risk Management and PCI – Security Aspects
Integration at different system layers
Different data security methods and algorithms
(Matrix rated Best to Worst on the slide, with N/A cells: Data Security Method (Hashing, Formatted Encryption, Strong Encryption, Data Tokenization) against System Layer (Application, Database Column, Database File, Storage Device))

A Distributed Tokenization Approach
Large companies may need to utilize the tokenization services
for locations throughout the world.
How do you deliver tokenization to many locations without the
impact of latency?
(Diagram: multiple Customer Applications and Token Servers)

Distributed Approach to Generate Random Tokens
(Diagram: Random Static Lookup Tables with 1,000,000 max entries, and several Applications)
Multi-Use Tokens
Random Static Lookup Tables
Remains the same size no matter the number of unique tokens
Example: 50 million = 2 million tokens
Performance: 200,000 tokens per second on a commodity standard dual core machine

Evaluating Encryption & Tokenization Approaches
(Matrix rated Best to Worst; the colour-coded ratings on the slide are not reproduced here)
Approaches compared: Database File Encryption, Database Column Encryption, Centralized Tokenization (old), Distributed Tokenization (new)
Evaluation criteria by area:
  Impact: Availability, Scalability, Latency, CPU Consumption, Data Flow Protection, Compliance Scoping
  Security: Key Management, Randomness, Separation of Duties

Evaluating Field Encryption & Distributed Tokenization
(Matrix rated Best to Worst; the colour-coded ratings on the slide are not reproduced here)
Approaches compared: Strong Field Encryption, Formatted Encryption, Distributed Tokenization
Evaluation criteria:
  Disconnected environments
  Distributed environments
  Performance impact when loading data
  Transparent to applications
  Expanded storage size
  Transparent to database schema
  Long life-cycle data
  Unix or Windows mixed with “big iron” (EBCDIC)
  Easy re-keying of data in a data flow
  High risk data
  Security - compliance to PCI, NIST

Best Practices for Tokenization
Token Generation (table; columns: Single Use Token, Multi Use Token)
  Algorithm and Key Reversible: Known strong algorithm
  One way Irreversible Function: Unique Sequence Number; Hash (secret per transaction, secret per merchant)
  Randomly generated value
Published July 14, 2010.

Comments on Visa’s Tokenization Best Practices
Visa recommendations should be simply to use a random number
If the output is not generated by a mathematical function applied
to the input, it cannot be reversed to regenerate the original PAN
data
The only way to discover PAN data from a real token is a (reverse)
lookup in the token server database
The odds are that if you are saddled with PCI-DSS responsibilities,
you will not write your own 'home-grown' token servers

What Makes a “Secure Tokenization” Algorithm?
Ask vendors what their token-generating algorithms are
Be sure to analyze anything other than strong random
number generators for security.
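The points made on the tokenization slides above (the “Partial” format that keeps the first six and last four digits, tokens drawn from a strong random number generator, and the token server database as the only way back to the PAN), as an added Python example that is not Protegrity's or Visa's code. The TokenVault class, its method names and the sample card numbers are constructed for this illustration.

```python
import secrets

DIGITS = "0123456789"


class TokenVault:
    """In-memory stand-in for a token server database (hypothetical class).

    The replaced digits come from a CSPRNG, not from any function of the PAN,
    so the only route from token back to PAN is the reverse lookup kept here.
    """

    def __init__(self, keep_prefix=6, keep_suffix=4):
        # "Partial" format: keep the BIN (6) and last 4, replace everything between
        self.keep_prefix = keep_prefix
        self.keep_suffix = keep_suffix
        self._pan_to_token = {}   # multi-use: a repeated PAN maps to the same token
        self._token_to_pan = {}   # reverse lookup table, the only path back to the PAN

    @staticmethod
    def _normalize(value):
        value = value.replace(" ", "")
        if not value.isdigit() or not 13 <= len(value) <= 19:
            raise ValueError("expected 13-19 digits")
        return value

    def tokenize(self, pan):
        pan = self._normalize(pan)
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        head, tail = pan[: self.keep_prefix], pan[-self.keep_suffix:]
        middle_len = len(pan) - self.keep_prefix - self.keep_suffix
        if middle_len < 1:
            raise ValueError("PAN too short for the configured format")
        while True:
            middle = "".join(secrets.choice(DIGITS) for _ in range(middle_len))
            token = head + middle + tail
            # Reject a token equal to the PAN itself or already issued for another PAN
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        token = self._normalize(token)
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]

    def __len__(self):
        return len(self._token_to_pan)


def format_grouped(value):
    """Render a 16-digit value as 'xxxxxx xxxxxx xxxx' like the slides."""
    return f"{value[:6]} {value[6:12]} {value[12:]}"


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4000001234567899"  # constructed sample, not a real card number
    token = vault.tokenize(sample_pan)
    print("PAN  :", format_grouped(sample_pan))
    print("Token:", format_grouped(token))
    print("Back :", format_grouped(vault.detokenize(token)))
    # An independent vault shares no function relating PAN to token, so its
    # token for the same PAN is (almost certainly) different.
    print("Other vault:", format_grouped(TokenVault().tokenize(sample_pan)))
```

Running the script twice, or against a second vault, shows the same PAN receiving unrelated tokens: nothing in the token can be inverted without the vault's table.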

Strong Cryptography - PCI DSS Glossary
Cryptography based on industry-tested and accepted
algorithms, along with strong key lengths and proper
key-management practices
See NIST (National Institute of Standards and
Technology, US) Special Publications

NIST Proposed Encryption Modes
Appearance of a mode in this list does not constitute
endorsement or approval by NIST
1. FCEM Format Controlling Encryption Mode
U. Mattsson
2. FFX Format-preserving Feistel-based Encryption Mode
M. Bellare, P. Rogaway, T. Spies
3. …

http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html

Data Protection Challenges
Actual protection is not the challenge
Management of solutions
Key management
Security policy
Auditing, Monitoring and reporting

Minimizing impact on business operations
Transparency
Performance vs. security

Minimizing the cost implications
Maintaining compliance
Implementation Time

Best Practices - Data Security Management (diagram)
Components: Enterprise Data Security Administrator, Policy, Audit Log, Secure Archive, File System Protector, Database Protector, Application Protector, Tokenization Server
Legend: enforcement point

Privacy - More lax in US than in the E.U.
European Union:
  European Union Data Privacy Directive 95/46/EC - protection and movement of personally identifiable information between E.U. member countries and to outside
  Firms are responsible for protecting PII data and also for managing its transfer to others by monitoring compliance of recipients
  Medical records are no different from other E.U. citizens’ personal information because a degree of data protection is already afforded.
United States:
  Rules are primarily state-by-state.
  Once the data has been yielded to a company, the company is largely free to use it as it wishes, subject to local state regulations.
  Concern over medical records privacy may increase with the push to reduce health care costs through greater automation.

Questions?
Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.

In the Case Study, Tokenization was
yielding some benefits for the retailer:
Please select ALL relevant options from below:
Faster PCI audit
Effective segmentation of cardholder data environments
Lower maintenance cost
Better security
Strong performance
ALL is the correct answer

What Makes a “Secure Tokenization”
Algorithm according to Gartner
research?
Please select ONE option from below:
Hashing algorithms
Encryption algorithms
Random values
Homegrown algorithms
“Random values“ is the correct answer

The PCI standard consists of how many
rules?
Please select ONE option from below:
6
8
12
16
12 is the correct answer

The PCI standard allows how many
different ways to render the PAN
(Credit Card Number) unreadable?
Please select ONE option from below:
2
3
4
5
6
4 is the correct answer
