IBM Share Conference 2010, Boston, Ulf Mattsson


  • Protegrity Questions
    • From a strict compliance standpoint, what is your view on the requirements regarding storage of tokens within the same RDBMS vs. storing the tokens in a separate and distinct system (e.g. an appliance)?
    • Can you compare and contrast the different ways of delivering tokenization; for example, as an add-on to payment processing services vs. as an in-house enterprise solution for the data center? (Even if you have it externally, you are still responsible for that data.)
    • What is your estimate of the size and growth rate of the token marketplace? How many inquiries are you getting about tokenization?
    • Who are the leaders in the token marketplace in your opinion? Is there a Forrester Wave for this?
  • Performance – impact on operations (end users, data processing windows)
  • Storage – impact on data storage requirements
  • Security – how secure is the data at rest; impact on data access (separation of duties)
  • Transparency – changes to application(s); impact on supporting utilities and processes
  • These are particular use cases where you should “watch out”. They do not capture ALL of the criteria and use cases.
  • Let's go back to our example of data with different risk levels. We can now pick a risk value and map it to the most cost-effective solution from a risk management perspective. The key thing to remember here is that one-size security solutions are never the best fit. The strongest protection for high-risk data will be strong encryption (or tokenization) of individual data fields. The risk levels here will depend on the value of the data, data volumes, the servers, connectivity, physical security, HR aspects, geography, compensating controls and other issues.
  • Source: 2009 PCI DSS Compliance Survey, Ponemon Institute. According to the report, only 18% considered database scanning and monitoring highly cost effective for PCI DSS compliance, ranking 15 out of 18 security technologies surveyed. In fact, almost half (49%) gave DAM a low rating for cost effectiveness in enabling PCI DSS compliance. Database activity monitoring had its roots in inspection of SQL traffic for indications of data loss. However, most database access is through an application path which has its own security mechanisms. The DAM market was hyped well ahead of actual customer requirements and well beyond the track record of early entrants to the space. Security technology needs to evolve into the infrastructure to be effective and efficient. New security concepts are often necessarily layered on existing infrastructures to lessen side-effects on applications while the security technology and administration procedures mature. However, over time selective capabilities such as database activity monitoring should be assimilated into database systems and application designs to improve performance and reduce overhead costs.
  • Protection of data from acquisition to deletion – defense in depth

    1. Beyond PCI – A Cost Effective Approach to Data Protection. Ulf Mattsson, CTO, Protegrity, [email_address]. August 5, 2010, Session 7192
    2. Ulf Mattsson
      • 20 years with IBM Software Development
        • Received US Green Card ‘EB 11 – Individual of Extraordinary Ability’ endorsed by IBM Research
      • Inventor of 21 Patents
        • Encryption Key Management, Policy Driven Data Encryption, Distributed Tokenization and Intrusion Prevention
      • Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
      • Created the Architecture of the Protegrity Database Security Technology
      • Received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Google, Cisco, Ingres and other leading companies
    3. (image only)
    4. September 23, 2009 (image only)
    5. Source of Information about PCI Research
    6. Agenda
      • Review trends in data security threats
      • Present case studies – protecting PCI and PII data
      • Position different data security options
      • Discuss how to protect the entire data flow
      • Present a risk adjusted approach to data security
      • Discuss data security in cloud and test environments
    7. Online Data Under Attack – Not Laptops or Backup
      • Breaches attributed to insiders are much larger than those caused by outsiders
      • The type of asset compromised most frequently is online data
      Slide source: Verizon Business 2008 Data Breach Investigations Report
    8. Top 15 Threat Action Types (chart: % of records and % of breaches per threat action type). Source: 2009 Data Breach Investigations Supplemental Report, Verizon
    9. The Gartner 2010 CyberThreat Landscape – the danger of advanced persistent threats (APTs) to enterprises
    10. Attacks at Different System Layers (diagram: Data Entry, Application, Database, File System, Storage, Backup and Network layers; attacks shown are malware/trojan, SQL injection, database attack, file attack, media attack and sniffer attack; actors shown are authorized/un-authorized users, HW service contractors, vendors, database admins and system admins). “The perimeter is gone – need for new security approaches”
    11. PCI DSS – Payment Card Industry Data Security Standard
      • Applies to all organizations that hold, process, or exchange cardholder information
      • A worldwide information security standard defined by the Payment Card Industry Security Standards Council (formed in 2004)
      • Began as five different programs:
        • Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program
      • 12 requirements for compliance, organized into six logically related groups, which are called "control objectives"
    12. PCI DSS # 3, 6, 7, 10 & 12
      • Build and maintain a secure network
        • Install and maintain a firewall configuration to protect data
        • Do not use vendor-supplied defaults for system passwords and other security parameters
      • Protect cardholder data
        • Protect stored data
        • Encrypt transmission of cardholder data and sensitive information across public networks
      • Maintain a vulnerability management program
        • Use and regularly update anti-virus software
        • Develop and maintain secure systems and applications
      • Implement strong access control measures
        • Restrict access to data by business need-to-know
        • Assign a unique ID to each person with computer access
        • Restrict physical access to cardholder data
      • Regularly monitor and test networks
        • Track and monitor all access to network resources and cardholder data
        • Regularly test security systems and processes
      • Maintain an information security policy
        • Maintain a policy that addresses information security
    13. PCI DSS #3 & 4 – Protect Cardholder Data
      • 3.4 Render PAN, at minimum, unreadable anywhere it is stored by using any of the following approaches:
        • One-way hashes based on strong cryptography
        • Truncation
        • Index tokens and pads (pads must be securely stored)
        • Strong cryptography with associated key-management processes and procedures
      • 4.1 Use strong cryptography to safeguard sensitive cardholder data during transmission over open, public networks
      • Comments – cost effective compliance
        • Encrypted PAN is always “in PCI scope”
        • Tokens can be “out of PCI scope”
    14. Case Studies – Retail Environments (diagram: data flows from Point of Sale, E-Commerce and Branch Office through Aggregation, Operations, Analysis and Archive stages, with encryption service points marked)
      • ‘Information in the wild’
        • Short lifecycle / high risk
        • Databases often found at collection points
      • Temporary information
        • Short lifecycle / high risk
        • Use the transition to re-key the locks
      • Operating information
        • Typically 1 or more year lifecycle
        • Broad and diverse computing and database environment
      • Decision making information
        • Typically multi-year lifecycle
        • High volume database analysis
        • Wide internal audience with privileges
      • Archive
        • Typically multi-year lifecycle
        • Preserving the ability to retrieve the data in the future is important
    15. Case Studies – PCI DSS Compliance
      • Case study #1: US Retailer
        • Transparent to existing applications
        • Protect the flow of sensitive credit card information
          • From thousands of stores, back office systems and data warehouse
        • Central key management
        • Ensuring performance on the mainframe
      • Case study #2: US Retailer
        • Protection against advanced attacks
        • Protect the flow of sensitive credit card information
          • From thousands of stores, back office systems and data warehouse
        • Central key management
    16. Case Study 1: Goal – PCI Compliance & Application Transparency (diagram: credit card entry in retail store applications; file encryption on Windows; FTP transfer to the central HQ location with file decryption; file encryption on Windows, UNIX, Linux and z/OS; database encryption for DB2 (z/OS, iSeries), Oracle and SQL Server; encryption service points marked)
    17. Case Study 2: Goal – Addressing Advanced Attacks & PCI DSS (diagram: credit card entry with application encryption in the retail store, end-to-end encryption (E2EE) to the central HQ location over FTP; file encryption on Windows, UNIX and z/OS; database encryption for DB2 and SQL Server; encryption service points marked)
    18. Encryption Topologies – Mainframe Example (diagram, z/OS DB2: local encryption through UDF/VIEW, EDITPROC or FIELDPROC using ICSF (Integrated Cryptographic Services Facility) and CPACF (CP Assist for Cryptographic Function), 1 microsecond per 20-byte operation; remote encryption over TCP/IP to a crypto server with a key server, 1000 microseconds per 20-byte operation)
    19. Column Encryption Performance – Different Topologies (chart: rows decrypted per second (100 bytes) on a log scale from 1 000 to 1 000 000, for data loading (batch) and queries (data warehouse & OLTP); topologies compared are network attached encryption (SW/HW), local encryption (SW/HW) and z/OS hardware crypto – CPACF (all operations))
    20. Evaluation of Encryption Options for DB2 on z/OS (rating table, best to worst, of the encryption interfaces API, UDF DB2 V8, UDF DB2 V9, Fieldproc and Editproc against performance, PCI DSS security and transparency; ratings were graphical)
    21. Choose Your Defenses – Newer Data Security Approaches (diagram: Data Tokenization – application, databases, key manager and token server, example token format 1234 1234 1234 4560; Format Controlling Encryption – application, databases and key manager, example encrypted format 111-22-1013; encryption service points marked)
    22. What Is Formatted Encryption?
      • Where did it come from?
        • Before 2000 – different approaches, some based on block ciphers (AES, 3DES …)
        • Before 2005 – used to protect data in transit within enterprises
      • What exactly is it?
        • Secret key encryption algorithm operating in a new mode
        • Cipher text output can be restricted to the same code page as the input – some only support numeric data
        • The new modes are not approved by NIST
    23. Formatted Encryption – Considerations
      • Unproven level of security – makes significant alterations to the standard AES algorithm
      • Encryption overhead – significant CPU consumption is required to execute the cipher
      • Key management – is not able to attach a key ID, making key rotation more complex (SSN)
      • Some implementations only support certain data (based on data size, type, etc.)
      • Support for “big iron” systems – is not portable across encodings (ASCII, EBCDIC)
      • Transparency – some applications need full clear text
    24. What Is Data Tokenization?
      • Where did it come from?
        • Found in Vatican archives dating from the 1300s
        • In 1988 IBM introduced the Application System/400 with shadow files to preserve data length
        • In 2005 vendors introduced tokenization of account numbers
      • What exactly is it?
        • It IS NOT an encryption algorithm or logarithm
        • It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)
        • Still requires strong encryption to protect the lookup table(s)
    25. Central Tokenization – Considerations
      • Transparency – not transparent to downstream systems that require the original data
      • Performance & availability
        • Imposes significant overhead from the initial tokenization operation and from subsequent lookups
        • Imposes significant overhead if the token server is remote or outsourced
      • Security
        • Vulnerabilities of the tokens themselves – randomness and possibility of collisions
        • Vulnerabilities typical in in-house developed systems – exposing patterns and attack surfaces
    26. New Tokenization Approach – Distributed Servers (diagram: several token servers, each serving local customer applications, under one security management)
    27. Different Tokenization Approaches – Performance (chart: PAN tokenizations per second on a log scale from 5 to 200 000; the old centralized approach (enterprise total), outsourced or on-site, versus the new distributed approach (per deployed on-site token server))
    28. Evaluating Different Tokenization Implementations (rating table, best to worst: columns are hosted/outsourced central (old) and distributed, and on-site/on-premises central (old), distributed and integrated; criteria are operational needs (availability, scalability, performance), pricing model (per server, per transaction), data types (identifiable – PII, cardholder – PCI) and security (separation, compliance scope); ratings were graphical)
    29. How Not to Break the Data Format – CCN / PAN: protection method, output and effect on data field length and type
      • Clear text: 123456 777777 1234
      • Partial encoding: 123456 123456 1234
      • Encoding (tokenizing or formatted encryption): 666666 777777 8888
      • Alpha encoding: aVdSaH gF4fJh sDla – type changed
      • Binary encryption: !@#$%a^&*B()_+!@ – type changed
      • Hashing: !@#$%a^&*B()_+!@4#$2%p^&* – length and type changed
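The lookup-based tokenization of slides 24 and 25 (random replacement value, vault lookup, collision handling) and the format comparison of slide 29, as an added Python example that is not from the deck or from Protegrity's products. The sample PAN is constructed and the TokenVault class is a hypothetical in-memory stand-in for a real token server.

```python
import hashlib
import secrets

# Constructed sample PAN (not a real card number): 16 digits, no spaces.
SAMPLE_PAN = "1234567777771234"


def hash_pan(pan: str) -> str:
    """One-way hash: the hex digest changes both length and type of the field."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def partial_encode(pan: str, keep_lead: int = 6, keep_trail: int = 4) -> str:
    """Partial encoding: keep leading six and trailing four digits, zero the middle."""
    middle = len(pan) - keep_lead - keep_trail
    return pan[:keep_lead] + "0" * middle + pan[len(pan) - keep_trail:]


def format_impact(original: str, protected: str) -> dict:
    """Does the protected value still fit the original column (length, digit-only)?"""
    return {
        "length_changed": len(protected) != len(original),
        "type_changed": protected.isdigit() != original.isdigit(),
    }


class TokenVault:
    """Hypothetical in-memory token vault. A real vault must keep the PAN side of
    the lookup table strongly encrypted and access-controlled (slide 24); this
    class only shows token minting, collision retry and lookup."""

    def __init__(self, rng=secrets.randbelow, max_attempts: int = 100):
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._rng = rng                  # injectable so tests can force collisions
        self._max_attempts = max_attempts

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN or mint a fresh random one of the
        same length and digit type. Random tokens can collide, so retry."""
        if not pan.isdigit():
            raise ValueError("PAN must be digits only")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        for _ in range(self._max_attempts):
            token = "".join(str(self._rng(10)) for _ in range(len(pan)))
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                self._pan_to_token[pan] = token
                return token
        raise RuntimeError("could not mint a unique token")

    def detokenize(self, token: str) -> str:
        """Vault lookup; an unknown token raises KeyError."""
        return self._token_to_pan[token]


def compare_methods(pan: str, vault: TokenVault) -> dict:
    """Slide-29 style comparison: which methods leave the data format intact."""
    return {name: format_impact(pan, value) for name, value in (
        ("hashing", hash_pan(pan)),
        ("partial encoding", partial_encode(pan)),
        ("tokenization", vault.tokenize(pan)),
    )}
```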
    30. Different Security Options for Data Fields (rating table, best to worst, of strong encryption, formatted encryption, new distributed tokenization and old central tokenization against: disconnected environments, distributed environments, performance impact – data loading, transparent to applications, expanded storage size, transparent to database schema, long life-cycle data, Unix or Windows & “big iron”, re-keying of data in a data flow, high risk data, compliance to PCI, NIST; ratings were graphical)
    31. Matching Data Protection Solutions with Risk Level
      • Low Risk (1-5): Monitor
      • At Risk (6-15): Monitor, mask, access control limits, format control encryption
      • High Risk (16-25): Tokenization, strong encryption
      Data field risk levels:
      • Credit Card Number: 25
      • Social Security Number: 20
      • CVV: 20
      • Customer Name: 12
      • Secret Formula: 10
      • Employee Name: 9
      • Employee Health Record: 6
      • Zip Code: 3
    32. Choose Your Defenses – A Balanced Approach (diagram: web application firewall in front of the applications; database activity monitoring / data loss prevention around the database server; protection applied to database columns, database files and database log files)
    33. Cost Effective Technology for PCI DSS (Source: 2009 PCI DSS Compliance Survey, Ponemon Institute)
      • Encryption: 74%
      • WAF: 55%
      • DLP: 43%
      • DAM: 18%
    34. Choose Your Defenses – Positioning of Alternatives (rating table, best to worst, of the database protection approaches monitoring/blocking/masking, column level formatted encryption, column level strong encryption, distributed tokenization, central tokenization and database file encryption against performance, storage, availability, transparency and security; ratings were graphical)
    35. Use Case – Data Protection in Cloud Environments (diagram: data held in the cloud environment as tokens or encrypted values, with the user and the security administrator, who controls encryption and token services, outside the cloud)
    36. Use Case – Data Protection in Test/Dev Environments (diagram: data moves from the production environment to the test environment as tokenized, formatted-encrypted, masked or encrypted values, under the control of the security administrator)
    37. Data Protection Challenges
      • Actual protection is not the challenge
      • Management of solutions
        • Key management
        • Security policy
        • Auditing and reporting
      • Minimizing impact on business operations
        • Transparency
        • Performance vs. security
      • Minimizing the cost implications
      • Maintaining compliance
      • Implementation time
    38. Single Point of Control for Data Encryption
      • Central Manager for:
        • Encryption keys
        • Security policy
        • Reporting
      (diagram: the encryption solution spanning mainframe z/OS (DB2, files, RACF, ICSF, hardware security), DB2 LUW, Informix, System i and other platforms through an API, with encryption service points marked)
    39. Summary
      • New threats to data & new regulations
      • New “best practices” for data protection
      • New approaches for data protection
      • Protect the data flow
      • Risk-adjusted approach to data security
      • Centralized key management, policy and reporting
    40. Protegrity Data Security Management (diagram: Enterprise Data Security Administrator with policy and audit log; Database Protector, File System Protector, Application Protector and Tokenization Server; secure collection, secure distribution and secure archive; broad platform support)
    41. Protegrity Corporate Overview
      • Enterprise Data Security Management
      • Founded 1996
      • 300+ customers
      • Market leader in PCI DSS & PII data security
      • 14 patents granted/issued
      • Global reach – 60% NA, 30% EMEA, 10% Asia
    42. Beyond PCI – A Cost Effective Approach to Data Protection. Ulf Mattsson, CTO, Protegrity, [email_address]. August 5, 2010, Session 7192