Slide 1: SIGNIFICANTLY DIFFERENT TOKENIZATION APPROACHES
Comparison table (cell contents not preserved). Columns: Property | Dynamic | Pre-generated | Vault-based | Vaultless.
Slide 2: TOKENIZATION VS. ENCRYPTION
Table contrasting the approach each method uses (source: McGraw-Hill Encyclopedia of Science & Technology). Columns: Cipher System (Encryption) | Code System (Tokenization). Rows: Cryptographic algorithms; Cryptographic keys; Code books; Index tokens. Read as: encryption is a cipher system built on cryptographic algorithms and keys; tokenization is a code system built on code books and index tokens.
Slide 3: POSITIONING DIFFERENT PROTECTION OPTIONS
Rating table on a Best ... Worst colour scale (ratings not preserved). Columns: Strong Encryption | Formatted Encryption | Tokens. Evaluation criteria (rows): Security & Compliance; Total Cost of Ownership; Use of Encoded Data.
Slide 4: TOKENIZATION SERVER LOCATION
Rating table on a Best ... Worst scale (ratings not preserved). Columns, by tokenization server location: Mainframe (DB2 | Work Load Manager | Separate Address Space) and Remote (In-house | Out-sourced). Rows, by area and criteria: Operational (Availability; Latency; Performance); Security (Separation; PCI DSS Scope).
Slide 5: RISK ADJUSTED DATA PROTECTION
Rating table on a Best ... Worst scale (ratings not preserved). Columns: Performance | Storage | Security | Transparency. Rows (data protection methods): System without data protection; Monitoring + Blocking + Masking; Format Controlling Encryption; Downstream Masking; Strong Encryption; Tokenization; Hashing.
Protection Method Extensibility: data protection methods must evolve with changes in the security industry and with compliance requirements. The Protegrity Data Security Platform can be easily extended to meet security and compliance requirements.
Slide 6: Making Data Unreadable – Protection Methods (Pro’s & Con’s) / Evaluating Different Tokenization Implementations
Rating table on a Best ... Worse scale (ratings not preserved). Rows, by system layer and IO interface granularity: Application (Column/Field; Record); Database (Column; Table; Table Space); OS File (IO Block); Storage System (IO Block). Columns (protection method): AES/CBC, AES/CTR, … | Formatted Encryption | Data Tokenization | Hashing | Data Masking.
Slide 7: Evaluating Column Encryption & Tokenization
Rating table on a Best ... Worst scale (ratings not preserved). Columns: Database Column Encryption (Formatted Encryption | Strong Encryption) and Tokenization (Dynamic Tokenization (old) | Static Tokenization (new)). Rows, by area: Impact (Scalability; Availability; Latency; CPU Consumption); Security (Data Flow Protection; Compliance Scoping; Key Management; Randomness; Separation of Duties).
Slide 8: POSITIONING DIFFERENT PROTECTION OPTIONS
Rating table on a Best ... Worst scale (ratings not preserved). Columns: Strong Field Encryption | Formatted Encryption | Distributed Token. Rows, by area: Security (High risk data; Compliance to PCI, NIST); Initial Cost (Transparent to applications; Expanded storage size; Transparent to database schema); Operational Cost (Performance impact when loading data; Long life-cycle data; Unix or Windows mixed with “big iron” (EBCDIC); Easy re-keying of data in a data flow; Disconnected environments; Distributed environments).
Slide 9: DE-IDENTIFICATION / ANONYMIZATION
Field                          | Real Data                                                                        | Tokenized / Pseudonymized
Name                           | Joe Smith                                                                        | csu wusoj
Address                        | 100 Main Street, Pleasantville, CA                                               | 476 srta coetse, cysieondusbak, CA
Date of Birth                  | 12/25/1966                                                                       | 01/02/1966
Telephone                      | 760-278-3389                                                                     | 760-389-2289
E-Mail Address                 | joe.smith@surferdude.org                                                         | eoe.nwuer@beusorpdqo.org
SSN                            | 076-39-2778                                                                      | 076-28-3390
CC Number                      | 3678 2289 3907 3378                                                              | 3846 2290 3371 3378
Business URL                   | www.surferdude.com                                                               | www.sheyinctao.com
Fingerprint                    |                                                                                  | Encrypted
Photo                          |                                                                                  | Encrypted
X-Ray                          |                                                                                  | Encrypted
Healthcare / Financial Services | Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. |
Financial Services             | Consumer products and activities                                                 |
Protection methods can be equally applied to the actual data, but are not needed with de-identification.
Slide 10: Evaluating Field Encryption & Tokenization
Chart (image not preserved). Vertical axis: Intrusiveness (to Applications and Databases). Horizontal axis: Data Length, from Original to Longer. Plotted methods: Clear Text Data; Partial; Alpha; Strong Encryption; Hashing. Group labels: Tokenizing or Formatted Encryption; Standard Encryption; Encoding. Sample values on the slide: clear text 123456 123456 1234; length-preserving partial token 123456 777777 1234; length-preserving alpha token 123456 aBcdeF 1234; longer outputs !@#$%a^.,mhu7/////&*B()_+!@ and !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* for standard encryption and hashing.
Slide 11: Security of Different Protection Methods
Bar chart (image not preserved). Vertical axis: Security Level, Low to High. Methods compared: Format Preserving Encryption; Modern Data Tokenization; AES CBC Encryption Standard; Basic Data Tokenization.
Slide 12: Speed of Different Protection Methods
Bar chart (image not preserved). Vertical axis: Transactions per second, logarithmic scale from 100 to 10 000 000. Methods compared: Format Preserving Encryption; Vaultless Data Tokenization; AES CBC Encryption Standard; Basic Data Tokenization. Speed will depend on the configuration.
Slide 13: What Has The Industry Done?
Chart (image not preserved). Horizontal axis: Time, with marks at 1970, 2000, 2005 and 2010. Vertical axis: Total Cost of Ownership, Low to High. Series: Strong Encryption (3DES, AES, …); Format Preserving Encryption (FPE, DTP, …); Basic Tokenization; Vaultless Tokenization.
Total Cost of Ownership components:
1. System Integration
2. Performance Impact
3. Key Management
4. Policy Management
5. Reporting
6. Paper Handling
7. Compliance Audit
8. …
Slide 14: FINE GRAINED SECURITY: ENCRYPTION OF FIELDS
Encryption of fields (positioned across Production Systems and Non-Production Systems)
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@
Slide 15: FINE GRAINED SECURITY: MASKING OF FIELDS
Masking of fields (positioned across Non-Production Systems and Production Systems)
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038
Slide 16: FINE GRAINED SECURITY: TOKENIZATION OF FIELDS
Tokenization (Pseudonymization)
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
Production Systems
• Reversible
• Policy Control (Authorized / Unauthorized Access)
Non-Production Systems
• Not Reversible
• Integrates Transparently
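The three field-level methods on slides 14 to 16, and the format-preserving samples on slide 9, are easier to compare with code in hand. The following is an added example, not code from the deck or from Protegrity's products: a vault-based (dynamic) tokenizer that keeps each field's length and format, beside a masking function and a plain hash. The field names, the per-field "keep these positions" rules and the role-based detokenize policy are assumptions chosen to mirror the slide's samples.

```python
"""Added example (not from the Protegrity deck): vault-based, format-preserving
tokenization beside masking and hashing, to make the pro/con lists concrete."""
import hashlib
import secrets
import string

# Constructed sample record, in the shape of the de-identification slide.
SAMPLE = {
    "name": "Joe Smith",
    "telephone": "760-278-3389",
    "email": "joe.smith@surferdude.org",
    "ssn": "076-39-2778",
    "cc_number": "3678 2289 3907 3378",
}


def _kept_positions(field, value):
    """Per-field format rules (an assumption mirroring the slide's samples):
    phone and SSN keep the leading group, card numbers keep the last four,
    e-mail keeps everything from the final dot on (the top-level domain)."""
    n = len(value)
    if field in ("telephone", "ssn"):
        return frozenset(range(3))
    if field == "cc_number":
        return frozenset(range(n - 4, n))
    if field == "email":
        return frozenset(range(value.rfind("."), n))
    return frozenset()


def _random_like(value, keep):
    """Random token with the same length and format as `value`: letters become
    random letters (case kept), digits random digits; separators and the
    positions in `keep` stay as they are."""
    out = []
    for i, ch in enumerate(value):
        if i in keep or not ch.isalnum():
            out.append(ch)
        elif ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        else:
            out.append(secrets.choice(string.ascii_lowercase))
    return "".join(out)


class TokenVault:
    """Dynamic, vault-based tokenization: tokens are random, so the mapping
    kept here is the only way back to the real value. There is no
    cryptographic key to manage, but the vault itself becomes the asset to
    replicate, back up and protect (the availability and latency rows of the
    server-location slide)."""

    def __init__(self, authorized_roles):
        self._to_value = {}      # (field, token) -> real value
        self._to_token = {}      # (field, value) -> token, so repeats reuse it
        self._authorized = set(authorized_roles)

    def tokenize(self, field, value):
        if (field, value) in self._to_token:
            return self._to_token[(field, value)]
        keep = _kept_positions(field, value)
        if all(i in keep or not ch.isalnum() for i, ch in enumerate(value)):
            raise ValueError(f"{field}: no position left to tokenize")
        while True:  # draw again on the (rare) collision with an existing token
            token = _random_like(value, keep)
            if token != value and (field, token) not in self._to_value:
                break
        self._to_value[(field, token)] = value
        self._to_token[(field, value)] = token
        return token

    def detokenize(self, field, token, role):
        """Reversible, but only under policy: an unauthorized role gets an
        error, not the clear value."""
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not detokenize {field}")
        return self._to_value[(field, token)]


def mask(value, visible_last=4, fill="X"):
    """Masking for non-production copies: not reversible, no policy, no vault;
    only the last `visible_last` characters survive."""
    cut = len(value) - visible_last
    return "".join(ch if (i >= cut or not ch.isalnum()) else fill
                   for i, ch in enumerate(value))


def hash_field(value):
    """Hashing: one-way and fixed-length, so it preserves neither format nor
    length (64 hex characters for SHA-256). An unsalted hash of a low-entropy
    field such as an SSN is guessable by enumeration, so this is here to
    compare properties, not as a recommended protection for such fields."""
    return hashlib.sha256(value.encode()).hexdigest()


def protect_record(record, vault):
    """Apply all three methods to each field; returns {field: (clear, token,
    masked, hashed)} so the length and format differences can be compared."""
    return {f: (v, vault.tokenize(f, v), mask(v), hash_field(v))
            for f, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault(authorized_roles={"fraud_analyst"})
    for field, (clear, token, masked, hashed) in protect_record(SAMPLE, vault).items():
        print(f"{field:10} {clear:26} {token:26} {masked:22} {hashed[:16]}...")
```

Running it prints one row per field: the token column has exactly the shape of the clear column (area code, last four card digits and ".org" kept, as on slide 9), the masked column is the non-reversible test/dev form, and the hash column is the only one that changes length, which is the storage-expansion point of slides 5 and 10.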
Slide 17: Safe Integration – Enterprise & Public Cloud
(section divider)
Slide 18: SECURITY GATEWAY DEPLOYMENT – APPLICATION EXAMPLE
Diagram (image not preserved). Components: Corporate Network containing the Backend System and the Cloud Gateway; an External Service outside it; Enterprise Security Administrator, operated by the Security Officer.
Slide 19: SECURITY GATEWAY DEPLOYMENT – DATABASE EXAMPLE
Diagram (image not preserved). Components: Corporate Network containing the Backend System and the Cloud Gateway; an RDBMS outside it; Enterprise Security Administrator, operated by the Security Officer.
Slide 20: SECURITY GATEWAY DEPLOYMENT – INDEXING
Diagram (image not preserved). Components: Corporate Network containing the Backend System and the Cloud Gateway; an RDBMS with an Index outside it; Query re-write performed at the gateway; Enterprise Security Administrator, operated by the Security Officer.
Slide 21: SECURITY GATEWAY DEPLOYMENT – SEARCH
Diagram (image not preserved). Components: Corporate Network containing the Backend System and the Cloud Gateway; an RDBMS outside it; Query re-write and Order preserving encryption at the gateway; Enterprise Security Administrator, operated by the Security Officer.
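Slides 18 to 21 and the speaker note on how the gateway works describe the same mechanism: an in-line gateway protects the identified form fields before they leave the trusted domain, restores them on the way back, and rewrites queries so the external RDBMS can still answer lookups from an index over the protected values. The following is an added example, not the deck's or Protegrity's code. It assumes a fixed set of protected fields and uses a keyed, deterministic, per-position substitution as a stand-in for vaultless tokenization; that substitution is a teaching toy, not a standardized format-preserving encryption mode, and the key in the usage block is a constructed demo value.

```python
"""Added example (not Protegrity's code): a minimal in-line gateway that
tokenizes configured payload fields before they leave the trusted domain and
rewrites equality lookups so they can be answered from a token index."""
import hashlib
import hmac

# Constructed policy (an assumption): payload fields / columns the gateway
# must protect before they leave the trusted domain.
PROTECTED_FIELDS = {"ssn", "email"}


class VaultlessTokenizer:
    """Keyed, deterministic, format-preserving substitution. A teaching toy,
    not a standardized format-preserving encryption mode: every character
    position gets its own secret permutation derived from the key, so the same
    input always maps to the same token and the mapping can be inverted. With
    no vault to replicate, independent gateways that hold the same key produce
    identical tokens, which is what lets a remote database index them."""

    DIGITS = "0123456789"
    LOWER = "abcdefghijklmnopqrstuvwxyz"

    def __init__(self, key: bytes):
        self._key = key

    def _perm(self, field, pos, alphabet):
        # Pseudo-random permutation of `alphabet` for this (field, position),
        # derived from the key via HMAC so it cannot be rebuilt without it.
        seed = hmac.new(self._key, f"{field}:{pos}".encode(), hashlib.sha256).digest()
        order = sorted(range(len(alphabet)),
                       key=lambda i: hashlib.sha256(seed + bytes([i])).digest())
        return [alphabet[i] for i in order]

    def _map(self, field, text, inverse):
        out = []
        for pos, ch in enumerate(text):
            if ch in self.DIGITS:
                alphabet = self.DIGITS
            elif ch in self.LOWER:
                alphabet = self.LOWER
            else:                      # separators, '@', '.', upper case: kept
                out.append(ch)
                continue
            perm = self._perm(field, pos, alphabet)
            out.append(alphabet[perm.index(ch)] if inverse else perm[alphabet.index(ch)])
        return "".join(out)

    def tokenize(self, field, value):
        return self._map(field, value, inverse=False)

    def detokenize(self, field, token):
        return self._map(field, token, inverse=True)


class CloudGateway:
    """In-line gateway between the corporate network and an external service:
    protects outbound payloads, restores inbound ones, and rewrites predicates
    so equality lookups can be answered from an index over the tokens."""

    def __init__(self, tokenizer):
        self._tok = tokenizer

    def outbound(self, payload):
        return {k: self._tok.tokenize(k, v) if k in PROTECTED_FIELDS else v
                for k, v in payload.items()}

    def inbound(self, payload):
        return {k: self._tok.detokenize(k, v) if k in PROTECTED_FIELDS else v
                for k, v in payload.items()}

    def rewrite_predicate(self, column, operator, literal):
        """Equality on a protected column: the literal is tokenized so the
        remote RDBMS matches it against the stored tokens. Range and LIKE
        predicates are refused, because tokens keep neither order nor
        substrings; closing that gap is what order-preserving encryption
        does, at the price of leaking the ordering of the protected values."""
        if column not in PROTECTED_FIELDS:
            return column, operator, literal
        if operator != "=":
            raise ValueError(f"{operator!r} on protected column {column!r} is not supported")
        return column, operator, self._tok.tokenize(column, literal)


if __name__ == "__main__":
    gw = CloudGateway(VaultlessTokenizer(b"constructed-demo-key"))  # demo key only
    form = {"name": "Joe Smith", "ssn": "076-39-2778",
            "email": "joe.smith@surferdude.org"}
    sent = gw.outbound(form)
    print("leaves the trusted domain:", sent)
    print("restored on the way back: ", gw.inbound(sent))
    print("rewritten lookup:", gw.rewrite_predicate("ssn", "=", "076-39-2778"))
```

The design point is the one the slides make about vaultless tokenization: because the token depends only on the key, field and value, a second gateway instance with the same key produces the same token, so the external RDBMS can index the column and equality searches keep working without any mapping being replicated; anything beyond equality needs a different primitive, which slide 21 names.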
Slide 22: RISK ADJUSTED COMPUTATION – LOCATION AWARENESS
Diagram (image not preserved). Axes: Trust (H to L); Elasticity (In-house to Out-sourced); Processing Cost (H to L). Zones along the axes: Corporate Network; Private Cloud; Private Cloud; Public Cloud.
Slide 23: BALANCING RISK & OPERATIONAL REQUIREMENTS
Diagram (image not preserved). Axes: Trust (H to L); Elasticity (In-house to Out-sourced). Zones: Private Cloud; Private Cloud; Public Cloud. Data classes placed on the diagram: Clear Data; Index Data; Encryption Keys & Token Mappings; Protected Data.
Slide 24: How Should I Secure Different Data?
Matrix (image not preserved). Axes: Type of Data (Structured / Un-structured) and Use Case (Simple / Complex). Data categories: PCI (Card Holder Data); PHI (Protected Health Information); PII (Personally Identifiable Information). Protection options: Encryption of Files; Tokenization of Fields.

Tokenization vs encryption vs masking


Editor's Notes

  • #2 Compare Vaultless tokenization to other tokenization approaches: no data replication/collision issues (guarantees data integrity, no data corruption, allows parallel computing across many servers and locations); high scalability and performance.
  • #3 CACS 2012 NYM 2012
  • #4 These are particular use cases where you should “watch out”. It does not capture ALL of the criteria and use cases.
  • #6 Risk Adjusted Data Protection means that you should protect data based on the risk of the sensitive data. Risk can be assessed by acknowledging the value of the data (is the data valuable to the bad guys?) and its exposure. So, valuable data that is widely exposed should be protected with strong protection like strong encryption or tokenization, while data that may have little or no value to the bad guys but is also widely exposed can be protected with a reduced protection approach like monitoring without encryption or Format Controlling Encryption. This chart shows several approaches to protect sensitive data along with a set of criteria that we have found useful when comparing the merits of each method. Performance is self-describing; storage refers to the impact that a method has on storage. For example, strong encryption will require adding padding to the crypto text so that the final data will be larger than the original. When a data store is billions of records this can have an impact on the cost of the solution. Some methods are considered more secure than others. Format Controlling Encryption and Strong Encryption are both encryption approaches, but FCE is not NIST approved and so its security properties are less secure than strong encryption. Some compliance requirements may require a method that is NIST approved. Finally, transparency refers to the degree to which a protection method affects systems and processes. A protection method that is not transparent will require remediation to systems that are being protected. This could translate to higher protection costs. Tokenization has been gaining popularity due to its highly transparent characteristics, which are seen to reduce protection costs. I then select one or two protection methods and mention something about them: strong encryption and tokenization provide extreme protection, while FCE, due to its non-NIST approval and its performance issues, may have limited use.
(this is a landmine for Voltage that can be mentioned explicitly or implicitly – depending on the audience and the prospect)
  • #9 These are particular use cases where you should “watch out”. It does not capture ALL of the criteria and use cases.
  • #10 De-identification or Anonymization can be a cost effective approach to protect data.
  • #12 CACS 2012 NYM 2012
  • #13 CACS 2012 abstract NYM 2012
  • #14 CACS 2012 abstract NYM 2012
  • #15 What are the key characteristics of encryption, tokenization and masking, and how can they be used in production and test/dev? Encryption of fields: reversible; policy control (authorized / unauthorized access); lacks integration transparency; complex key management. Example: !@#$%a^.,mhu7///&*B()_+!@
  • #16 What are the key characteristics of masking? Masking of fields: not reversible; no policy, everyone can access the data; integrates transparently; no complex key management. Example: 0389 3778 3652 0038
  • #17 What are the key characteristics of tokenization? No complex key management; business intelligence. Production systems: reversible; policy control (authorized / unauthorized access). Test/dev: not reversible; integrates transparently.
  • #18 The reason for high interest is based on the Cloud Gateway benefits, for example: eliminates the threat of third parties exposing your sensitive information; delivers a secure and uncompromised SaaS user experience; identifies malicious activity and proves compliance to third parties with detailed audit trails; eases the cloud adoption process and acceptance; the product is transparent and has close to 0% overhead impact; simplifies compliance requirements; ability to outsource a portion of your IT security requirements; eliminates data residency concerns and requirements; greatly reduces cloud application security risk; enables partner access to your sensitive data; controls cloud security from the enterprise; protects your business from third party access.
  • #19 Important use case. Example - How it works: the enterprise wants to protect their sensitive data before it leaves their Trusted Domain and enters the SaaS. The enterprise users (and their Security/IT personnel) will likely not possess detailed knowledge of the contents of the web services protocols running between their client devices and the SaaS servers. However, as part of their work flows, they know the business-intelligence data they are entering in a web form (e.g. in HTML). Further, they are able to identify the individual fields in various web forms that need to be protected. The goal then is to determine how to map web form fields to the web services protocol / payload data elements such that an in-line security gateway can protect those fields. This protects data on a Server (or Service) located outside of their trust domain; the Server may also be located inside your enterprise or in a private cloud environment such as those provided by Cloud Service Providers (CSPs). Cloud Gateway can be installed on a physical server or virtual machine behind your corporate firewall, or deployed in a virtual private cloud. Talk about the Enterprise Security Administration – a single point of control for data security.
  • #23 Cloud is only one of the platforms in an Enterprise. The flow of sensitive data needs to be secured across all platforms, including Cloud. Important goals: GWs & Agents enforce Enterprise Policy across Cloud & On-premises Data & Applications. Goals: automated protection of the entire data flow, including legacy systems, Cloud and Big Data; single point of control for policy and audit. Your security posture depends on the policy and the enforcement. The security policy is the foundation for protecting data. It is usually managed by the Security Officer. Think of it as the glue that binds distributed data protection throughout the enterprise. This is policy based data security, protecting the entire data flow against threats and minimizing audit and compliance requirements. This is also an illustration of the Protegrity Software. You can find more information in the attached material.