ISACA New York Metro April 30 2012
  1. Choosing the Most Appropriate Data Security Solution for an Organization. Ulf Mattsson, CTO Protegrity
  3. Ulf Mattsson, CTO Protegrity
     • 20 years with IBM Research & Development and Global Services
     • Started Protegrity in 1994 (Data Security)
     • Inventor of 25 patents – Encryption and Tokenization
     • Member of
       – PCI Security Standards Council (PCI SSC)
       – American National Standards Institute (ANSI) X9
       – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
       – ISACA, ISSA and Cloud Security Alliance (CSA)
  4. WE KNOW THAT DATA IS UNDER ATTACK …
  5. Albert Gonzalez: 20 Years In US Federal Prison
     US Federal indictments: 1. Dave & Busters 2. TJ Maxx 3. Heartland HPS
     • Breach expenses $140M
     Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
  6. What about Breaches & PCI? Was Data Protected?
     (Bar chart: percentage of relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews; Verizon study. Requirements shown: 9: Restrict physical access to cardholder data; 5: Use and regularly update anti-virus software; 4: Encrypt transmission of cardholder data; 2: Do not use vendor-supplied defaults for security parameters; 12: Maintain a policy that addresses information security; 1: Install and maintain a firewall configuration to protect data; 8: Assign a unique ID to each person with computer access; 6: Develop and maintain secure systems and applications; 10: Track and monitor all access to network resources and data; 11: Regularly test security systems and processes; 7: Restrict access to data by business need-to-know; 3: Protect Stored Data.)
  7. WHAT TYPES OF DATA ARE UNDER ATTACK NOW?
  8. What Data is Compromised?
     (Bar chart, by percent of records: Personal information (Name, SS#, Addr, etc.); Payment card numbers/data; Unknown (specific type is not known); Medical records; Classified information; Trade secrets; Copyrighted/Trademarked material; System information (config, svcs, sw, etc.); Bank account numbers/data; Sensitive organizational data (reports, plans, etc.); Authentication credentials… Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/)
  9. Today “Hacktivism” is Dominating
     (Bar chart, by percent of records: Activist group; Organized criminal group; Relative or acquaintance of employee; Former employee (no longer had access); Unaffiliated person(s); Unknown. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/)
  10. Growing Threat of “hacktivism” by Groups such as Anonymous
      Attacks by Anonymous include
      • 2012: CIA and Interpol
      • 2011: Sony, Stratfor and HBGary Federal
      Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
  11. Let’s Review Some Major Recent Breaches
      (Timeline chart, April 2011 to Aug 2011: attack type, time and impact in $. Source: IBM 2012 Security Breaches Trend and Risk Report)
  12. The Sony Breach & Cloud
      • Lost 100 million passwords and personal details stored in clear
      • Spent $171 million related to the data breach
      • Sony's stock price has fallen 40 percent
      • For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
      • Attack via SQL Injection
  13. SQL Injection Attacks are Increasing
      (Bar chart, Q1 2011 to Q3 2011, scale 5,000 to 25,000. Source: IBM 2012 Security Breaches Trend and Risk Report)
  14. WHAT IS SQL INJECTION?
  15. What is an SQL Injection Attack?
      (Diagram: an SQL command injected into the Application, reaching the Data Store)
  16. New Industry Groups are Targets
      (Bar chart, by percent of breaches: Accommodation and Food Services; Retail Trade; Finance and Insurance; Health Care and Social Assistance; Other; Information. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/)
  17. The Changing Threat Landscape
      • Some issues have stayed constant:
      • Threat landscape continues to gain sophistication
      • Attackers will always be a step ahead of the defenders
      • We are fighting highly organized, well-funded crime syndicates and nations
      • Move from detective to preventative controls needed
      Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
  18. How are Breaches Discovered?
      (Bar chart, by percent of breaches: Notified by law enforcement; Third-party fraud detection (e.g., CPP); Reported by customer/partner affected; Brag or blackmail by perpetrator; Unknown; Witnessed and/or reported by employee; Other(s); Internal fraud detection mechanism; Financial audit and reconciliation process; Log analysis and/or review process; Unusual system behavior or performance. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/)
  19. WHERE IS DATA LOST?
  20. What Assets are Compromised?
      (Bar chart, by percent of records: Database server; Web/application server; Desktop/Workstation; Mail server; Call Center Staff (People); Remote Access server; Laptop/Netbook; File server; Pay at the Pump terminal (User devices); Cashier/Teller/Waiter (People); Payment card (credit, debit, etc.) (Offline data); Regular employee/end-user (People); Automated Teller Machine (ATM) (User devices); POS terminal (User devices); POS server (store controller). Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/)
  21. Hacking and Malware are Leading Threat Action Categories
      (Bar chart, by percent of records: Hacking; Social; Misuse; Environmental. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/)
  22. Thieves Are Attacking the Data Flow
      (Diagram: data flowing from application to application)
  23. THIS IS A CATCH 22!
  24. Securing The Data Flow with Tokenization
      (Diagram: Retail Store, Payment, Bank and Corporate Network Systems; tokenized values shown as 9999 9999)
  25. WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
  26. What Has The Industry Done?
      (Chart: Total Cost of Ownership, High to Low, against Time: 1970, 2000, 2005, 2010)
      • Strong Encryption (3DES, AES …): high TCO
      • Format Preserving Encryption (FPE, DTP …)
      • Basic Tokenization
      • Vaultless Tokenization: low TCO
      Total Cost of Ownership: 1. System Integration 2. Performance Impact 3. Key Management 4. Policy Management 5. Reporting 6. Paper Handling 7. Compliance Audit 8. …
  27. Case Study: Large Chain Store
      Why? Reduce compliance cost by 50%
      – 50 million Credit Cards, 700 million daily transactions
      – Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
      – End-to-End Tokens: Started with the D/W and expanding to stores
      – Lower maintenance cost – don’t have to apply all 12 requirements
      – Better security – able to eliminate several business and daily reports
      – Qualified Security Assessors had no issues
        • “With encryption, implementations can spawn dozens of questions”
        • “There were no such challenges with tokenization”
  28. Speed of Different Protection Methods
      (Chart: Transactions per second, scale 100 to 10 000 000, for Basic Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization. Speed will depend on the configuration.)
  29. Case Studies: Retail
      Customer 1: Why? Three major concerns solved
      – Performance Challenge; Initial tokenization
      – Vendor Lock-In: What if we want to switch payment processor
      – Extensive Enterprise End-to-End Credit Card Data Protection
      Customer 2: Why? Desired single vendor to provide data protection
      – Combined use of tokenization and encryption
      – Looking to expand tokens beyond CCN to PII
      Customer 3: Why? Remove compensating controls from the mainframe
      – Tokens on the mainframe to avoid compensating controls
  30. Impact of Different Protection Methods
      (Chart: Intrusiveness to Applications and Databases, by Data Type & Format and Data Length, against the original clear value 123456 123456 1234)
      • Encryption Standard / Hashing – !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
      • Strong Encryption – !@#$%a^.,mhu7///&*B()_+!@
      • Tokenizing or Encoding, Alpha – aVdSaH 1F4hJ 1D3a
      • Tokenizing or Encoding, Numeric – 666666 777777 8888
      • Formatted Encryption, Partial – 123456 777777 1234
      • Clear Text Data – 123456 123456 1234
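Added illustration, not code from the slides or from Protegrity: a toy vault-based tokenizer, a SHA-256 hash and a "partial" token applied to a constructed 16-digit card number, reporting the length and column type each output would need, which is the intrusiveness axis of slide 30. The vault implementation and the sample value are assumptions made for the demo.

```python
import hashlib
import secrets

# Constructed sample value for the demo, not a real card number.
SAMPLE_PAN = "1234561234561234"

def hash_value(pan: str) -> str:
    """Hashing: one-way; output is 64 hex chars whatever the input length."""
    return hashlib.sha256(pan.encode()).hexdigest()

class TokenVault:
    """Toy 'basic' (vault-based) tokenizer: random digit tokens held in a
    lookup table, so de-tokenization needs the vault. Illustration only."""

    def __init__(self) -> None:
        self._to_pan: dict[str, str] = {}
        self._to_token: dict[str, str] = {}

    def tokenize(self, pan: str, keep_last: int = 4) -> str:
        """Same-length, all-digit token; the last keep_last digits stay in clear."""
        if pan in self._to_token:           # same PAN always maps to the same token
            return self._to_token[pan]
        tail = pan[len(pan) - keep_last:]   # written so that keep_last=0 gives ""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - keep_last))
            token = body + tail
            if token != pan and token not in self._to_pan:  # no collision, not the PAN
                break
        self._to_pan[token], self._to_token[pan] = pan, token
        return token

    def detokenize(self, token: str) -> str:
        return self._to_pan[token]

def partial_protect(vault: TokenVault, pan: str) -> str:
    """'Partial' as on the slide (123456 777777 1234): first 6 and last 4 stay
    in clear, only the middle digits are swapped for a token."""
    return pan[:6] + vault.tokenize(pan[6:-4], keep_last=0) + pan[-4:]

def profile(value: str) -> tuple[int, str]:
    """Length and column type a database would need to store the value."""
    kind = "numeric" if value.isdigit() else "alphanumeric" if value.isalnum() else "symbols"
    return len(value), kind

if __name__ == "__main__":
    vault = TokenVault()
    for name, out in [("clear", SAMPLE_PAN), ("hash", hash_value(SAMPLE_PAN)),
                      ("token", vault.tokenize(SAMPLE_PAN)), ("partial", partial_protect(vault, SAMPLE_PAN))]:
        print(f"{name:8s} {out}  -> {profile(out)}")
```

Only the hash changes the column length and type; the token and the partial value fit the original numeric column unchanged, which is the point the slide makes about intrusiveness.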
  31. How Should I Secure Different Data?
      (Chart: Type of Data, Un-structured to Structured, against Use Case, Simple (PII) to Complex (PCI Card Holder Data, PHI Protected Health Information); methods placed on the chart: File Encryption, Field Encryption, Tokenization)
  32. ANY TOKENIZATION GUIDELINES?
  33. PCI DSS: Tokenization and Encryption are Different
  34. Tokenization and “PCI Out Of Scope”
      (Decision flowchart) De-tokenization available? No → Random number tokens? (No: FPE) Yes → Isolated from card holder data environment? Yes → Out of Scope. Every other branch ends in Scope Reduction. Source: http://www.securosis.com
  35. Case Study: Energy Industry
      Why? Reduce PCI Scope
      • Best way to handle legacy, we got most of it out of PCI
      • Get rid of unwanted paper copies
      • No need to rewrite/redevelop or restructure business applications
      • A VERY efficient way of PCI Reduction of Scope
      • Better understanding of your data flow
      • Better understanding of business flow
      • Opportunity to clean up a few business oddities
  36. RISK MANAGEMENT
  37. Choose Your Defenses
      (Chart: Cost against protection option, from Data Monitoring to Lockdown; curves for Cost of Aversion – Protection of Data, Expected Losses from the Risk, and Total Cost, with Optimal Risk Protection marked)
  38. Matching Data Protection with Risk Level
      • High Risk (16-25): Field level tokenization, strong encryption – Credit Card Number 25, Social Security Number 20, Email Address 20
      • Medium Risk (6-15): Monitoring, masking, format controlling encryption – Customer Name 12, Secret Formula 10, Employee Name 9, Employee Health Record 6
      • Low Risk (1-5): Monitoring – Zip Code 3
  39. Security of Different Protection Methods
      (Chart: Security Level, High to Low, for Basic Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization)
  40. Use of Enabling Technologies
      (Bar chart, two values per technology, one series labelled Evaluating: Access controls 1% / 91%; Database activity monitoring 18% / 47%; Database encryption 30% / 35%; Backup / Archive encryption 21% / 39%; Data masking 28% / 28%; Application-level encryption 7% / 29%; Tokenization 22% / 23%)
  41. Is Data Masking Secure?
      (Chart: Risk, High to Low, across System Type: Test/dev, Integration testing, Troubleshooting, Production. Data at rest: Masking; exposure: data in clear before masking. Data display: Masking; exposure: data is only obfuscated.)
  42. Data Tokens = Lower Risk
      (Chart: Risk, High to Low, across System Type: Test/dev, Integration testing, Troubleshooting, Production. Data at rest: Masking; exposure: data in clear before masking. Data display: Masking; exposure: data is only obfuscated. Data Tokens shown at the Low end of the risk axis.)
  43. CAN SECURITY HELP CREATIVITY?
  44. Old Security = Less Creativity
      (Chart: Risk, High to Low, against Access Right Level, Less to More; curve labelled Traditional Access Control. Source: InformationWeek Aug 15, 2011)
  45. New Data Security = More Creativity
      (Chart: Risk, High to Low, against Access Right Level, Less to More; curves labelled Traditional Access Control and Data Tokens, with the note “New: Creativity Happens At the edge”. Source: InformationWeek Aug 15, 2011)
  46. About Protegrity
      • Proven enterprise data security software and innovation leader
        – Sole focus on the protection of data
        – Patented Technology, Continuing to Drive Innovation
      • Growth driven by compliance and risk management
        – PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information)
        – US State and Foreign Privacy Laws, Breach Notification Laws
      • Cross-industry applicability
        – Retail, Hospitality, Travel and Transportation
        – Financial Services, Insurance, Banking
        – Healthcare, Telecommunications, Media and Entertainment
        – Manufacturing and Government
  47. Thank you! Q&A
      ulf.mattsson AT protegrity.com
      www.protegrity.com
      203-326-7200