Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ... - Ulf Mattsson
Practical Advice for Cloud Data Security for Oracle
Learn about critical security issues in the Cloud in relation to databases
Learn about Cloud data security guidance and standards
Learn Cloud data security technologies, models and Cloud security in context to the enterprise
The rapid rise of cloud databases, storage and applications has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
In this session Protegrity CTO and data security thought leader Ulf Mattsson will focus on practical advice on what to look for in cloud service providers and a review of the technologies and architectures available to protect sensitive data in the cloud, both on- and off-site. Through real life use cases, Ulf will discuss solutions to some of the most common issues of usability, database indexing, database searches, separation of duties, key management, tokenization, compliance, privacy and security in the cloud environment.
IT infrastructure is changing and needs controls for mobile, cloud, and big data
Guardium is the leader in database and big data security
Heterogeneous support is a great asset to leverage across the infrastructure to reduce risk
Supports separation of duties
Integration with other security products
No additional training for multiple products
Study of the cyber security market (2011) - PwC France
The "Cyber Security M&A" study analyses merger and acquisition activity in the cyber security market, which comprises all companies that supply products and/or services for offensive as well as defensive applications in the industrial, IT and telecom sectors. The data used, drawn from Thomson Financial, covers transactions between 1 January 2008 and 30 June 2011.
Find all our publications: http://www.pwc.fr/publications
On World Backup Day 2014, the Data Loss Gremlins unleashed a dastardly attack on businesses worldwide! Intronis has published this Tech Guide, the 6 Ways to Fight the Data Loss Gremlins, to help IT solutions providers protect their clients from any data loss disaster.
MIST Effective Masquerade Attack Detection in the Cloud - Kumar Goud
Abstract: Cloud computing promises to significantly change the way we use computers and access and store our personal and business information. With these new computing and communications paradigms arise new data security challenges. Existing data protection mechanisms such as encryption have failed in preventing data theft attacks, especially those perpetrated by an insider to the cloud provider. We propose a different approach for securing data in the cloud using offensive decoy technology. We monitor data access in the cloud and detect abnormal data access patterns. When unauthorized access is suspected and then verified using challenge questions, we launch a disinformation attack by returning large amounts of decoy information to the attacker. This protects against the misuse of the user’s real data. Experiments conducted in a local file setting provide evidence that this approach may provide unprecedented levels of user data security in a Cloud environment.
Keywords: Mist, Insider data stealing, Bait information, Lure Files, Validating user
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Your Data Center Boundaries Don’t Exist Anymore! EMC
In the pre-cloud era, data centers were simpler to define and restrict. As organizations move to public, private, and hybrid clouds, they have to account for internal, industrial, and government compliance initiatives and oversight that impacts data center architecture and information flow. This session describes data center challenges in the Cloud Era and articulates real-life best practices to address those challenges.
BDT101 Big Data with Amazon Elastic MapReduce - AWS re: Invent 2012 - Amazon Web Services
Big data technologies let you work with any velocity, volume, or variety of data in a highly productive environment. This session seeks to answer questions such as "what is big data," "how can I use unstructured data," and "how can I integrate data collections from different sources" using Hadoop with Amazon Elastic MapReduce. Join general manager of EMR, Peter Sirota, on a journey through real-world use cases of data-driven discovery.
High Availability and Disaster Recovery with Novell Sentinel Log Manager - Novell
Novell Sentinel Log Manager can be implemented in a high availability cluster using the SUSE Linux Enterprise 11 High Availability Extension. This approach, combined with Sentinel Log Manager backup scripts can be used to provide a solution for disaster recovery.
This session will explain the architecture of the high availability and disaster recovery solution available with Sentinel Log Manager as well as implementation details.
Jun 29 new privacy technologies for unicode and international data standards ... - Ulf Mattsson
Protecting the increasing use of international Unicode characters is required by a growing number of privacy laws in many countries and by general privacy concerns about private data. Current approaches to protecting international Unicode characters increase the size and change the data formats. This will break many applications and slow down business operations. The current approach also randomly returns data in new and unexpected languages. A new approach with significantly higher performance and a small memory footprint is customizable and can fit on small IoT devices.
We will discuss new approaches to achieve portability, security, performance, small memory footprint and language preservation for privacy protection of Unicode data. These new approaches provide granular protection for all Unicode languages and customizable alphabets, and byte-length-preserving protection of privacy-protected characters.
Old Approaches
Major Issues
Protecting the increasing use of international Unicode characters is required by a growing number of privacy laws in many countries and by general privacy concerns about private data.
Old approaches to protect International Unicode characters will typically increase the size and change the data formats.
This will break many applications and slow down business operations. This is an example of an old approach that is also randomly returning data in new and unexpected languages.
Book about
[Figure: book table of contents, 18 chapters and appendices A to E. Sections: I. Introduction and Vision; II. Data Confidentiality and Integrity; III. Users and Authorization; IV. Applications; V. Platforms; VI. Summary. Topics listed: Quantum Computing; Blockchain; Reversible Protection; Privacy by Design, Applications and APIs; Privacy, Risks, and Threats; Machine Learning and Analytics; Non-Reversible Protection; International Unicode; Secure Multi-party Computing; Computing on Encrypted Data; Internet of Things; Standards and Regulations; Best Practices, Roadmap, and Vision; Trends, Innovation, and Evolution; Hybrid Cloud, CASB and SASE; Access Control; Zero Trust Architecture; Trusted Execution Environments; Governance, Guidance, and Frameworks; Discovery and Search; Glossary.]
qubit-conference-new-york-2021: https://nyc.qubitconference.com/
Cybersecurity: Get ready for the unpredictable
Create a sound cybersecurity strategy based on the right technology & budgetary insights, proven practices, and processes for SMEs.
This virtual event will equip CxOs and cybersecurity teams with the right intel to create a sound cybersecurity strategy based on the right technology & budgetary insights, proven practices, and processes specially tailored for SMEs.
Find out how to bring the smart design of cybersecurity architecture and processes, what to automate & how to properly set up internal and external ownership.
The proven cybersecurity strategy fit for your environment can go a long way. Know what to do in-house, what to outsource, set up your budgets right, and get help from the right cybersecurity specialists.
Secure analytics and machine learning in cloud use cases - Ulf Mattsson
Table of Contents:
Secure Analytics and Machine Learning in Cloud
Use case #1 in Financial Industry
Data Flow
The approach can be used for other Use-cases
Homomorphic Encryption for Secure Machine Learning in Cloud
Evolving Homomorphic Encryption
Performance Examples – HE, RSA and AES
Performance Examples – FHE, NTRU, ECC, RSA and AES
Some popular HE schemes
Examples of HE Libraries used by IBM, Duality, and Microsoft
Fast Homomorphic Encryption for Secure Analytics in Cloud
Use case #2 in Health Care
Provable security for untrusted environments
Comparison to multiparty computation and trusted execution environments
Time and memory requirements of HE
Managing Data Security in Hybrid Cloud
Data Security Policy and Zero Trust Architecture
The future of encryption will change in the Post-Quantum Era:
Managing Data Security in a Hybrid World
Evolving Privacy Regulations
New Ruling in GDPR under "Schrems II"
The new California Privacy Rights Act (CPRA)
Evolving international privacy regulations and cross border data transfer - g... - Ulf Mattsson
We will discuss the Evolving International Privacy Regulations. Cross Border Data Transfer for GDPR under Schrems II is now ruled by an EU court that defined what is required. This ruling can be far reaching for many businesses.
Data encryption and tokenization for international unicode - Ulf Mattsson
Unicode is an information technology standard for the consistent encoding, representation, and handling of text expressed in most of the world's writing systems. The standard is maintained by the Unicode Consortium, and as of March 2020, it has a total of 143,859 characters, with Unicode 13.0 (these characters consist of 143,696 graphic characters and 163 format characters) covering 154 modern and historic scripts, as well as multiple symbol sets and emoji. The character repertoire of the Unicode Standard is synchronized with ISO/IEC 10646, each being code-for-code identical with the other.
The Unicode Standard consists of a set of code charts for visual reference, an encoding method and set of standard character encodings, a set of reference data files, and a number of related items, such as character properties, rules for normalization, decomposition, collation, rendering, and bidirectional text display order (for the correct display of text containing both right-to-left scripts, such as Arabic and Hebrew, and left-to-right scripts). Unicode's success at unifying character sets has led to its widespread and predominant use in the internationalization and localization of computer software. The standard has been implemented in many recent technologies, including modern operating systems, XML, Java (and other programming languages), and the .NET Framework.
Unicode can be implemented by different character encodings. The Unicode standard defines Unicode Transformation Formats (UTF) UTF-8, UTF-16, and UTF-32, and several other encodings. The most commonly used encodings are UTF-8, UTF-16, and UCS-2 (a precursor of UTF-16 without full support for Unicode).
The future of data security and blockchain - Ulf Mattsson
Discussion of Post-Quantum Cryptography and other technologies:
Data Security Techniques
Secure Multi-Party Computation (SMPC)
Homomorphic encryption (HE)
Differential Privacy (DP) and K-Anonymity
Pseudonymization and Anonymization
Synthetic Data
Zero trust architecture (ZTA)
Zero-knowledge proofs (ZKP)
Private Set Intersection (PSI)
Trusted execution environments (TEE)
Post-Quantum Cryptography
Blockchain
Regulations and Standards in Data Privacy
GDPR and evolving international privacy regulations - Ulf Mattsson
Convergence of data privacy principles, standards and regulations
General Data Protection Regulation (GDPR)
GDPR and California Consumer Privacy Act (CCPA)
What role do technologies play in compliance
Use Cases
Privacy preserving computing and secure multi-party computation ISACA Atlanta - Ulf Mattsson
A major challenge that many organizations face is how to address data privacy regulations such as CCPA, GDPR and other emerging regulations around the world, including data residency controls, as well as enable data sharing in a secure and private fashion. We will present solutions that can reduce and remove the legal, risk and compliance processes normally associated with data sharing projects by allowing organizations to collaborate across divisions, with other organizations and across jurisdictions where data cannot be relocated or shared.
We will discuss secure multi-party computation where organizations want to securely share sensitive data without revealing their private inputs. We will review solutions that are driving faster time to insight by the use of different techniques for privacy-preserving computing including homomorphic encryption, k-anonymity and differential privacy. We will present best practices and how to control privacy and security throughout the data life cycle. We will also review industry standards, implementations, policy management and case studies for hybrid cloud and on-premises.
Safeguarding customer and financial data in analytics and machine learning - Ulf Mattsson
Digital Transformation and the opportunities to use data in Analytics and Machine Learning are growing exponentially, but so too are the business and financial risks in Data Privacy. The increasing number of privacy incidents and data breaches are destroying brands and customer trust, and we will discuss how business prioritization can benefit from a finance-based data risk assessment (FinDRA).
More than 60 countries have introduced privacy laws and by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations. We will discuss use cases in financial services that are finding a balance between new technology impact, regulatory compliance, and commercial business opportunity. Several privacy-preserving and privacy-enhanced techniques can provide practical security for data in use and data sharing, but none universally cover all use cases. We will discuss what tools we can use to mitigate business risks caused by security threats, data residency and privacy issues. We will discuss how technologies like pseudonymization, anonymization, tokenization, encryption, masking and privacy preservation in analytics and business intelligence are used in Analytics and Machine Learning.
Organizations are increasingly concerned about data security in processing personal information in external environments, such as the cloud; and information sharing. Data is spreading across hybrid IT infrastructure on-premises and multi-cloud services and we will discuss how to enforce consistent and holistic data security and privacy policies. Increasing numbers of data security, privacy and identity access management products are in use, but they do not integrate, do not share common policies, and we will discuss use cases in financial services of different techniques to protect and manage data security and privacy.
Protecting data privacy in analytics and machine learning ISACA London UK - Ulf Mattsson
ISACA London Chapter webinar, Feb 16th 2021
Topic: “Protecting Data Privacy in Analytics and Machine Learning”
Abstract:
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals and they also store and search on encrypted medical data in cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
New opportunities and business risks with evolving privacy regulations - Ulf Mattsson
In the shadow of the global pandemic and the associated economic downturn, organizations are focused on cost optimization, which often leads to impulsive decisions to deprioritize compliance with all nonrevenue programs.
Regulators have evolved to adapt with the notable increase in data subject complaints and are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine while Equifax agreed to pay a minimum of $575 million for its breach. The US Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories sued over the company’s failure to take “reasonable steps” to secure its sensitive personal data.
Privacy and data protection are enforced by a growing number of regulations around the world and people are actively demanding privacy protection — and legislators are reacting. More than 60 countries have introduced privacy laws in response to citizens’ cry for transparency and control. By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today, according to Gartner. There is a convergence of data privacy principles, standards and regulations on a common set of fundamental principles.
The opportunities to use data are growing exponentially, but so too are the business and financial risks as the number of data protection and privacy regulations grows internationally.
Join this webinar to learn more about:
- Trends in modern privacy regulations
- The impact on organizations to protect and use sensitive data
- Data privacy principles
- The impact of General Data Protection Regulation (GDPR) and data transfer between US and EU
- The evolving CCPA, the new PCI DSS version 4 and new international data privacy laws or regulations
- Data privacy best practices, use cases and how to control sensitive personal data throughout the data life cycle
What is tokenization in blockchain - BCS London - Ulf Mattsson
BCS North London Branch in association with Central London Branch webinar (by GoToWebinar) Date: 2nd December 2020 Time: 18.00 to 19.30 Event title: Blockchain tokenization “What is tokenization in Blockchain?”
Agenda
Blockchain
What is Blockchain?
Use cases, trends and risks
Vendors and platforms
Data protection techniques and scalability
Tokenization
Digital business
Convert a digital value into a digital token
Local and central models
Cloud
Tokenization in Hybrid cloud
Protecting data privacy in analytics and machine learning - ISACA - Ulf Mattsson
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there are many different activities that we need to think about.
This session also discusses international standards and emerging privacy-enhanced computation techniques, secure multiparty computation, zero trust, cloud and trusted execution environments. We will discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals and they also store and search on encrypted medical data in cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b - Ulf Mattsson
Blockchain
- What is Blockchain?
- Blockchain trends
Emerging data protection techniques
- Secure multiparty computation
- Trusted execution environments
- Use cases for analytics
- Industry Standards
Tokenization
- Convert a digital value into a digital token
- Tokenization local or in a centralized model
- Tokenization and scalability
Cloud
- Analytics in Hybrid cloud
Unlock the potential of data security 2020 - Ulf Mattsson
Explore challenges of managing and protecting data. We'll share best practices on establishing the right balance between privacy, security, and compliance
1. Myths & Realities of Data Security & Compliance
Ulf Mattsson, CTO, Protegrity
2. Ulf Mattsson
20 years with IBM Development, Manufacturing & Services
Inventor of 21 patents - Encryption Key Management, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention.
Received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies.
Co-founder of Protegrity (Data Security Management)
Received US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM Research in 2004.
Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
Member of
• American National Standards Institute (ANSI) X9
• Information Systems Audit and Control Association (ISACA)
• Information Systems Security Association (ISSA)
• Institute of Electrical and Electronics Engineers (IEEE)
7. Understand Your Enemy & Data Attacks
Breaches attributed to insiders are much larger than those caused by outsiders
The type of asset compromised most frequently is online data, not laptops or backups:
Source: Verizon Business Data Breach Investigations Report (2008 and 2009)
8. Top 15 Threat Action Types
Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
10. Understand Your Enemy – Probability of Attacks
What is the Probability of Different Attacks on Data?
[Chart: attack types placed by probability (axis label "Higher Probability") and complexity (axis label "Higher Complexity"), with a "RECENT ATTACKS" marker. Attack types listed:]
• Errors and Omissions
• Lost Backups, In Transit
• Application User (e.g. SQL Injection)
• SQL Users
• Network or Application/RAM Sniffer
• Valid User for the Server (e.g. Stack Overflow, data sets)
• Application Developer, Valid User for Data
• Administrator
Source: IBM Silicon Valley Lab (2009)
11.
12. Choose Your Defenses
Where is data exposed to attacks?
[Diagram: data layers, recent attacks, and attackers. Sample values shown: 990 - 23 - 1013 and 111 - 77 - 1013. Legend: unprotected sensitive information; protected sensitive information.]
Layers: Data Entry, Data System, Application, Database, File System, Storage (Disk), Backup (Tape)
Recent attacks: SNIFFER ATTACK, SQL INJECTION, MALWARE / TROJAN, DATABASE ATTACK, FILE ATTACK, MEDIA ATTACK
Attackers: Authorized/Un-authorized Users, Database Admin, System Admin, HW Service People, Contractors
15. Compliance – How to be Able to Produce Required Reports
[Diagram: User X (or DBA) reaches a Patient Health Record in the Database through an Application/Tool. Labels recovered from the diagram, grouped by log type:]
• 3rd Party Protected Log (Compliant). Columns: User, Access, Patient, Health Record. Entries: x, Read, a, xxx; DBA, Read, b, xxx; z, Write, c, xxx.
• DB Native Log (Not Compliant). Labels: Database Process 001; No Read; z, Write, c, xxx; Possible DBA manipulation; Performance?
• OS File / 3rd Party (Not Compliant). Columns: User, Access, Patient, Health Data Record, Health Data File. Entries: Database Process 0001, Read, ?, ?, PHI002; Database Process 0001, Read, ?, ?, PHI002; Database Process 0001, Write, ?, ?, PHI002. Label: No Information On User or Record.
16. Choose Your Defenses – New Methods
Format Controlling Encryption
Example of Encrypted format: 111-22-1013
[Diagram labels: Application, Databases, Key Manager]
Data Tokenization
Example of Token format: 1234 1234 1234 4560
[Diagram labels: Application, Token Server, Token, Databases, Key Manager]
17. A Distributed and Scalable Tokenization Approach
[Diagram: several Customer Application instances and several Token Server instances]
18. Deploy Defenses
Matching Data Protection Solutions with Risk Level
Data Field Risk Level
Credit Card Number 25
Social Security Number 20
CVV 20
Customer Name 12
Secret Formula 10
Employee Name 9
Employee Health Record 6
Zip Code 3
Risk Level and Solution
Low Risk (1-5): Monitor
At Risk (6-15): Monitor, mask, access control limits, format control encryption
High Risk (16-25): Replacement, strong encryption
19. Choose Your Defenses – Find the Balance
[Chart: Cost plotted against Risk Level, from Active Protection to Passive Protection. Labels: Expected Losses; Cost of Aversion – Protection of Data from the Risk; Total Cost; Optimal Risk.]
20. Practical Examples of using a Risk Based Approach to Data Security
Ulf Mattsson, CTO, Protegrity
21. Developing a Risk-adjusted Data Protection Plan
Know Your Data
Find Your Data
Understand Your Enemy
Understand the New Options in Data Protection
Deploy Defenses
Crunch the Numbers
22. Know Your Data – Identify High Risk Data
Begin by determining the risk profile of all relevant data collected and stored
• Data that is resalable for a profit
• Value of the information to your organization
• Anticipated cost of its exposure
Data Field Risk Level
Credit Card Number 25
Social Security Number 20
CVV 20
Customer Name 12
Secret Formula 10
Employee Name 9
Employee Health Record 6
Zip Code 3
24. Choose Your Defenses – Cost Effective PCI
Encryption 74%
WAF 55%
DLP 43%
DAM 18%
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute
25. Evaluation Criteria
Performance
• Impact on operations - end users, data processing
windows
Storage
• Impact on data storage requirements
Security & Separation of Duties
• How secure is the data at rest
• Impact on data access – separation of duties
Transparency
• Changes to application(s)
• Impact on supporting utilities and processes
26. Choose Your Defenses - Operational Impact
Passive Database Protection Approaches
[Table: each approach rated from Best to Worst on Performance, Storage, Security, Transparency and Separation of Duties; the rating symbols are not preserved.]
• Web Application Firewall
• Data Loss Prevention
• Database Activity Monitoring
• Database Log Mining
Source: 2009 Protegrity Survey
27. Choose Your Defenses - Operational Impact
Active Database Protection Approaches
[Table: each approach rated from Best to Worst on Performance, Storage, Security, Transparency and Separation of Duties; the rating symbols are not preserved.]
• Application Protection - API
• Column Level Encryption; FCE, AES, 3DES
• Column Level Replacement; Tokens
• Tablespace - Datafile Protection
Source: 2009 Protegrity Survey
28. Choose Your Defenses – New Methods
Format Controlling Encryption
• Example of Encrypted format: 111-22-1013
• [Diagram labels: Application, Databases, Key Manager]
Data Tokenization
• Example of Token format: 1234 1234 1234 4560
• [Diagram labels: Application, Token, Databases, Token Server, Key Manager]
30. What Is FCE?
Where did it come from?
• Before 2000 – Different approaches, some are based on
block ciphers (AES, 3DES)
• Before 2005 – Used to protect data in transit within
enterprises
What exactly is it?
• Secret key encryption algorithm operating in a new mode
• Ciphertext output can be restricted to the same code page as the
input – some implementations only support numeric data
• The new modes are not approved by NIST
31. FCE Selling Points
Ease of deployment -- limits the database schema changes that
are required.
Reduces changes to downstream systems
Applicability to data in transit – provides a strict/known data
format that can be used for interchange
Storage space – does not require expanded storage
Test data – partial protection
Outsourced environments & virtual servers
32. FCE Considerations
Unproven level of security – makes significant alterations to
the standard AES algorithm
Encryption overhead – significant CPU consumption is
required to execute the cipher
Key management – is not able to attach a key ID, making key
rotation more complex - SSN
Some implementations only support certain data (based on
data size, type, etc.)
Support for “big iron” systems – is not portable across
encodings (ASCII, EBCDIC)
Transparency – some applications need full clear text
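The format and key-ID points in the FCE slides above, as an added sketch that is not from the original deck and is not any vendor's FCE mode: a toy digit-preserving Feistel construction with HMAC-SHA256 as the round function. It is a teaching construction, not a vetted cipher; all function names and keys are constructed.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # even, so an odd-length split returns to its original shape


def _prf(key, rnd, half, width):
    # Round function: HMAC-SHA256 of the other half, reduced to `width` decimal digits.
    mac = hmac.new(key, f"{rnd}|{width}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width


def _split(text):
    digits = "".join(ch for ch in text if ch in DIGITS)
    if len(digits) < 2:
        raise ValueError("need at least two digits")
    return digits[: len(digits) // 2], digits[len(digits) // 2:]


def _merge(template, digits):
    # Put the digits back into the separator layout of the input (e.g. NNN-NN-NNNN).
    it = iter(digits)
    return "".join(next(it) if ch in DIGITS else ch for ch in template)


def fce_encrypt(key, text):
    a, b = _split(text)
    for rnd in range(ROUNDS):
        width = len(a)
        c = (int(a) + _prf(key, rnd, b, width)) % 10 ** width
        a, b = b, str(c).zfill(width)
    return _merge(text, a + b)


def fce_decrypt(key, text):
    a, b = _split(text)
    for rnd in reversed(range(ROUNDS)):
        width = len(b)
        p = (int(b) - _prf(key, rnd, a, width)) % 10 ** width
        a, b = str(p).zfill(width), a
    return _merge(text, a + b)


if __name__ == "__main__":
    old_key, new_key = b"constructed-key-A", b"constructed-key-B"
    ssn = "111-22-1013"  # sample value in the format shown on the slides
    ct = fce_encrypt(old_key, ssn)
    # Same length and layout as the input: no spare position to carry a key ID.
    print(ct, fce_decrypt(old_key, ct), fce_decrypt(new_key, ct))
```

Decrypting with the wrong key returns a well-formed but wrong number instead of an error, so which key protected a given field has to be tracked outside the field itself.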
33. FCE Use Cases
Suitable for lower risk data
Compliance to NIST standard not needed
Distributed environments
Protection of the data flow
Added performance overhead can be accepted
Key rollover not needed – transient data
Support available for data size, type, etc.
Point to point protection if “big iron” mixed with Unix or
Windows
Possible to modify applications that need full clear text – or
database plug-in available
35. What Is Data Tokenization?
Where did it come from?
• Found in Vatican archives dating from the 1300s
• In 1988 IBM introduced the Application System/400 with
shadow files to preserve data length
• In 2005 vendors introduced tokenization of account numbers
What exactly is it?
• It IS NOT an encryption algorithm or logarithm.
• It generates a random replacement value which can be used to
retrieve the actual data later (via a lookup)
• Still requires strong encryption to protect the lookup table(s)
36. Tokenization Selling Points
Provides an alternative to masking – in production, test and
outsourced environments
Limits schema changes that are required. Reduces impact on
downstream systems
Can be optimized to preserve pieces of the actual data in-place –
smart tokens
Greatly simplifies key management and key rotation tasks
Centrally managed, protected – reduced exposure
Enables strong separation of duties
Renders data out of scope for PCI
37. Tokenization Considerations
Transparency – not transparent to downstream systems that
require the original data
Performance & availability – imposes significant overhead
from the initial tokenization operation and from subsequent
lookups
Performance & availability – imposes significant overhead if
token server is remote or outsourced
Security vulnerabilities of the tokens themselves –
randomness and possibility of collisions
Security vulnerabilities typical in in-house developed systems
– exposing patterns and attack surfaces
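The lookup-based replacement described in slide 35 and the randomness and collision concern in slide 37, as an added example (not from the original deck or any product): a minimal in-memory token vault that issues random tokens keeping the last four digits in place. The class, its methods and the HMAC index are assumptions of this sketch; the plain dict stands in for the encrypted lookup table the slides call for.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Constructed in-memory stand-in for a token server's lookup tables."""

    MAX_TRIES = 100  # bound the retry loop instead of spinning on a full token space

    def __init__(self, index_key, keep_last=4):
        self._index_key = index_key
        self._keep_last = keep_last
        self._token_by_index = {}  # HMAC(value) -> token, so repeats get the same token
        self._value_by_token = {}  # token -> value; a real vault encrypts this table
        self.collisions = 0        # how often a random candidate had to be rejected

    def _index(self, value):
        # Keyed hash, so the forward index does not hold the clear value.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value):
        if not value.isdigit() or len(value) <= self._keep_last:
            raise ValueError("expected a digit string longer than the kept suffix")
        idx = self._index(value)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        head_len = len(value) - self._keep_last
        for _ in range(self.MAX_TRIES):
            head = "".join(secrets.choice("0123456789") for _ in range(head_len))
            token = head + value[head_len:]  # keep the trailing digits in place
            if token != value and token not in self._value_by_token:
                self._token_by_index[idx] = token
                self._value_by_token[token] = value
                return token
            self.collisions += 1  # candidate already issued, or equal to the input
        raise RuntimeError("token space exhausted for this suffix")

    def detokenize(self, token):
        # The only way back to the data is the lookup; no key derives it from the token.
        return self._value_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"  # constructed test number
    tok = vault.tokenize(pan)
    print(tok, vault.detokenize(tok) == pan, vault.collisions)
```

Keeping digits in place shrinks the random part of the token, so the collision check and the retry bound matter more as the kept portion grows.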
38. Tokenization Use Cases
Suitable for high risk data – payment card data
When compliance to NIST standard needed
Long life-cycle data
Key rollover – easy to manage
Centralized environments
Suitable data size, type, etc.
Support for “big iron” mixed with Unix or Windows
Possible to modify the few applications that need full clear text
– or database plug-in available
39. A Centralized Tokenization Approach
[Diagram: three Customer Applications connected to one Token Server.]
40. A Distributed and Scalable Tokenization Approach
[Diagram: several Customer Applications connected to multiple Token Servers.]
41. Evaluating Different Tokenization Implementations
[Table: each implementation rated from Best to Worst per criterion; the rating symbols are not preserved.]
Implementations compared:
• Hosted/Outsourced: Central (old), Distributed
• On-site/On-premises: Central (old), Distributed, Integrated
Evaluation areas and criteria:
• Operational Needs: Availability, Scalability, Performance
• Pricing Model: Per Server, Per Transaction
• Data Types: Identifiable - PII, Cardholder - PCI
• Security: Separation, Compliance Scope
42. Choose Your Defenses – Example
[Diagram: data lifecycle stages, with the labels Encryption and Data Token placed alongside the stages.]
Collection (Point of Sale, E-Commerce, Branch Office)
• ‘Information in the wild’
- Short lifecycle / High risk
Aggregation
• Temporary information
- Short lifecycle / High risk
Operations
• Operating information
- Typically 1 or more year lifecycle
- Broad and diverse computing and database environment
Analysis
• Decision making information
- Typically multi-year lifecycle
- Homogeneous environment
- High volume database analysis
Archive
• Archive
- Typically multi-year lifecycle
- Preserving the ability to retrieve the data in the future is important
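43. Choose Your Defenses – Strengths & Weakness
[Chart: protection options rated from Best to Worst; the option names and rating symbols are not preserved. Three entries are marked with *.]
* Compliant to PCI DSS 1.2 for making PAN unreadable
Source: 2009 Protegrity Survey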
44. An Enterprise View of Different Protection Options
[Table: Strong Encryption, Formatted Encryption and Token each rated from Best to Worst per criterion; the rating symbols are not preserved.]
Evaluation Criteria
• Disconnected environments
• Distributed environments
• Performance impact when loading data
• Transparent to applications
• Expanded storage size
• Transparent to databases schema
• Long life-cycle data
• Unix or Windows mixed with “big iron” (EBCDIC)
• Easy re-keying of data in a data flow
• High risk data
• Security - compliance to PCI, NIST
45. Deploy Defenses
Matching Data Protection Solutions with Risk Level
Data Field Risk Level
Credit Card Number 25
Social Security Number 20
CVV 20
Customer Name 12
Secret Formula 10
Employee Name 9
Employee Health Record 6
Zip Code 3
Risk Level Solution
• Low Risk (1-5): Monitor
• At Risk (6-15): Monitor, mask, access control limits, format control encryption
• High Risk (16-25): Replacement, strong encryption
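46. Data Protection Implementation Layers
[Tables: each row rated from Best to Worst; the rating symbols are not preserved.]
System Layer (rated on Performance, Transparency, Security)
• Application
• Database
• File System
Topology (rated on Performance, Scalability, Security)
• Local Service
• Remote Service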
47. Compliance – How to be Able to Produce Required Reports
[Diagram: three audit-log sources compared for reporting access by User X (or DBA) to Patient Health Records through an Application/Tool. Log columns: User, Access, Patient, Health Record.
• 3rd Party Protected Log – Compliant: x Read a xxx; DBA Read b xxx; z Write c xxx
• DB Native Log – Not Compliant: No Read Log; z Write c xxx; possible DBA manipulation; Performance?
• OS File Log (3rd Party) – Not Compliant: Database Process 0001 Read / Read / Write on Health Data File PHI002; No Information On User or Record]
48. Compliance - How to Control ALL Access to PHI Data
[Diagram (DBA Box): state of sensitive information across Database Administration, Database, File and Backup (Tape).
• Compliant: Database – Encrypted, Encrypted; File – Encrypted, Encrypted
• Not Compliant: Database – Clear Text, Clear Text; File – Encrypted, Clear Text
Legend: Unprotected sensitive information; Protected sensitive information]
49. Data Protection Challenges
Actual protection is not the challenge
Management of solutions
• Key management
• Security policy
• Auditing and reporting
Minimizing impact on business operations
• Transparency
• Performance vs. security
Minimizing the cost implications
Maintaining compliance
Implementation Time
50. Example - Centralized Data Protection Approach
[Diagram labels: Enterprise Data Security Administrator; Policy & Key Creation; Policy Usage; Audit Log; Auditing & Reporting; Secure Distribution; Secure Collection; Secure Archive; Secure Storage; Database Protector; File System Protector; Application Protector; Big Iron Protector.]
51. Protegrity Value Proposition
Protegrity delivers application, database and file
protectors across all major enterprise platforms.
Protegrity’s Risk Adjusted Data Security Platform
continuously secures data throughout its lifecycle.
Underlying foundation for the platform includes
comprehensive data security policy, key
management, and audit reporting.
Enables customers to achieve data security
compliance (PCI, HIPAA, PIPEDA, SOX and Federal &
State Privacy Laws)
52. Please contact us for more information
Ulf Mattsson
Phone – 203 570 6919
Email - ulf.mattsson@protegrity.com