Ulf Mattsson
Chief Technology Officer
Protegrity Corporation
Ulf . mattsson at protegrity . com

Source of Information about PCI Research
http://www.knowpci.com

PCI Requirements and Data Protection Options
- Advanced Attacks on Cardholder Data
- PCI Requirements
- Data Protection Options
- Data Protection Use Cases
- A Risk Adjusted Data Protection Approach
- Appendix: PCI Research and Resources

Enterprise Data Flow – Cardholder Data
- Collection (POS, Branch, e-commerce): ‘Information in the wild’
  - Short lifecycle / High risk
- Aggregation: Temporary information
  - Short lifecycle / High risk
- Operations: Operating information
  - Typically 1 or more year lifecycle
  - Broad and diverse computing and database environment
- Analysis: Decision making information
  - Typically multi-year lifecycle
  - Homogeneous computing environment
  - High volume database analysis
- Archive
  - Typically multi-year lifecycle
  - Preserving the ability to retrieve the data in the future is important

Data Level Attacks on the Enterprise Data Flow
[Diagram: attack points along the data flow. Zones and components: Internet, DMZ (proxy/firewall, load balancing, web apps), trusted segment (enterprise apps, DB server, SAN/NAS/tape), endpoints, internal users, wireless and network devices, IDS/IPS. Attacks shown: malware/trojan, sniffer attack, SQL injection, OS admin file attack, DBA attack, media attack.]

Data Protection Challenges
- Actual protection is not the challenge
- Management of solutions
  - Key management
  - Reporting
  - Policy
- Minimizing impact on business operations
  - Performance v. security
- Minimizing impact (and costs)
  - Changes to applications
  - Impact on downstream systems
  - Time

Addressing Data Protection Challenges
- Full mapping of sensitive data flow
  - Where is the data
  - Where does it need to be
- Identify what data is needed for processing in which applications
- What are the performance SLAs
- Understand the impact of changing/removing data
  - Will it break legacy systems
- Address PCI, strategize for the larger security issue

The Goal: Good, Cost Effective Security
- The goal is to deliver a solution that is a balance between security, cost, and impact on the current business processes and user community
- Security plan - short term, long term, ongoing
- How much is ‘good enough’
- Security versus compliance
  - Good Security = Compliance
  - Compliance ≠ Good Security

PCI DSS 1.2 Applicability Information & PII Aspects

Discussion of Data Protection for PCI DSS

PCI – Compensating Controls

Data Protection Layers
- Data Protection - Wrapping: how sensitive data is rendered unreadable
- Data Access Control - Path: how the data is presented to the end user and/or application

Data Protection Options
Data Stored As
- Clear – actual value is readable
- Hash – unreadable, not reversible
- Encrypted – unreadable, reversible, binary/text
- Replacement value (tokens) – unreadable, reversible
- Partial encryption/replacement – unreadable, reversible

Data in the Clear
- Control the Access Path
  - Reporting and alerting
  - Display masking
  - Data usage control
- Advantages
  - Low impact on existing applications
  - Performance
  - Time to deploy
- Considerations
  - Underlying data exposed
  - Discover breach after the fact
  - PCI aspects

Hash
- Non-reversible
- Strong protection only if keyed (HMAC) or salted
- Advantages
  - None really for PCI and PII data
- Considerations
  - Size and type
  - Transparency
  - Key rotation for keyed hash

Traditional Strong Encryption
- Industry Standard
  - Algorithms & modes - AES CBC, 3DES CBC …
  - Approved by NIST (National Institute of Standards and Technology)
- Advantages
  - Widely deployed
  - Compatibility
  - Performance
- Considerations
  - Storage and type
  - Transparency to applications
  - Key rotation

Newer Data Protection Options: Format Controlling Encryption (FCE)

FCE Security Model
[Diagram: Example of Formatted Encryption. The original credit card number 1234 1234 1234 4560 is encrypted under a key from the Key Manager into a value of the same format, which is stored in the application databases (e.g. Marketing, Loss Prevention, POS).]

What Is FCE?
- Where did it come from?
  - Before 2000 – different approaches, some based on block ciphers (AES, 3DES …)
  - Before 2005 – used to protect data in transit within enterprises
- What exactly is it?
  - Secret key encryption algorithm operating in a new mode
  - Cipher text output can be restricted to the same code page as the input – some implementations only support numeric data
  - The new modes are not approved by NIST

FCE Selling Points
- Ease of deployment – limits the database schema changes that are required
- Reduces changes to downstream systems
- Applicability to data in transit – provides a strict/known data format that can be used for interchange
- Storage space – does not require expanded storage
- Test data – partial protection
- Outsourced environments & virtual servers

FCE Considerations
- Unproven level of security – makes significant alterations to the standard AES algorithm
- Encryption overhead – significant CPU consumption is required to execute the cipher
- Key management – not able to attach a key ID, making key rotation more complex – SSN
- Some implementations only support certain data (based on data size, type, etc.)
- Support for “big iron” systems – not portable across encodings (ASCII, EBCDIC)
- Transparency – some applications need full clear text

FCE Use Cases
- Suitable for lower risk data
- Compliance to NIST standard not needed
- Distributed environments
- Protection of the data flow
- Added performance overhead can be accepted
- Key rollover not needed – transient data
- Support available for data size, type, etc.
- Point to point protection if “big iron” mixed with Unix or Windows
- Possible to modify applications that need full clear text – or database plug-in available
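To make the FCE property concrete, here is an added example that is not from the slides and is not Protegrity's algorithm: a toy Feistel construction over decimal digits with an HMAC-SHA256 round function, so the ciphertext keeps the input's length and code page. It is not FF1/FF3 or any NIST-approved mode, which is exactly the "unproven level of security" consideration above. It goes one step beyond the slide by also implementing the partial-encryption pattern shown later in the deck (first six and last four digits left readable, middle digits encrypted). The key, the round count and the sample numbers are constructed.

```python
"""Toy format-controlling encryption (FCE) over numeric strings.

Added example; not from the slides and not Protegrity's algorithm. It shows
the property the slides describe: ciphertext stays in the input's code page
(decimal digits, same length). The construction is a Feistel network with an
HMAC-SHA256 round function; it is NOT FF1/FF3 or any NIST-approved mode and
exists only to make the mechanics and the trade-offs concrete.
"""
import hashlib
import hmac

ROUNDS = 10  # constructed; must stay even so the halves line up on decrypt
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _round_fn(key: bytes, rnd: int, tweak: bytes, half: str, width: int) -> int:
    """Keyed pseudo-random function: digit string -> integer below 10**width."""
    msg = bytes([rnd]) + tweak + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _check(digits: str) -> None:
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a numeric string of length >= 2")


def fce_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string into a digit string of the same length."""
    _check(digits)
    mid = len(digits) // 2
    left, right = digits[:mid], digits[mid:]
    for rnd in range(ROUNDS):
        # Feistel step: (L, R) -> (R, (L + F(R)) mod 10**len(L))
        w = len(left)
        mixed = (int(left) + _round_fn(key, rnd, tweak, right, w)) % (10 ** w)
        left, right = right, str(mixed).zfill(w)
    return left + right


def fce_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fce_encrypt by running the rounds backwards."""
    _check(digits)
    mid = len(digits) // 2
    left, right = digits[:mid], digits[mid:]
    for rnd in reversed(range(ROUNDS)):
        # undo one step: old L = (R - F(old R)) mod 10**len(R), old R = L
        w = len(right)
        prev_left = (int(right) - _round_fn(key, rnd, tweak, left, w)) % (10 ** w)
        left, right = str(prev_left).zfill(w), left
    return left + right


def protect_partial(key: bytes, pan: str, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Partial encryption as in the slides' '123456 777777 1234' example: the
    first keep_head and last keep_tail digits stay readable for applications
    that need them; only the middle digits are encrypted. The readable parts
    are fed in as a tweak (constructed design choice) so identical middles
    under different heads/tails do not produce identical ciphertext."""
    digits = pan.replace(" ", "")
    cut = len(digits) - keep_tail
    head, middle, tail = digits[:keep_head], digits[keep_head:cut], digits[cut:]
    return head + fce_encrypt(key, middle, tweak=(head + tail).encode("ascii")) + tail


def unprotect_partial(key: bytes, protected: str, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Reverse protect_partial for the few applications that need full clear text."""
    cut = len(protected) - keep_tail
    head, middle, tail = protected[:keep_head], protected[keep_head:cut], protected[cut:]
    return head + fce_decrypt(key, middle, tweak=(head + tail).encode("ascii")) + tail


if __name__ == "__main__":
    pan = "1234123412344560"
    ct = fce_encrypt(DEMO_KEY, pan)
    print(pan, "->", ct, "->", fce_decrypt(DEMO_KEY, ct))
    print(protect_partial(DEMO_KEY, "1234 1234 1234 4560"))
```

The output has no spare characters to carry a key identifier, which is the key-rotation consideration on the slide: with FCE the key version has to be tracked outside the value, whereas a traditional binary ciphertext can simply be prefixed with one.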
Applications are Sensitive to the Data Format
[Chart: data type (Binary (Hash), Binary (Encryption), Alphanum (FCE, Token), Numeric (FCE, Token), Numeric (Clear Text)) against how many applications can consume it (No Applications, Few Applications, Many Applications, Most Applications, All Applications) and field length (Original vs. Longer). Binary data fits no or few applications; text data fits many to all. This is a generalized example.]
Increased intrusiveness:
- Application changes
- Limitations in functionality
- Limitations in data search
- Performance issues

Newer Data Protection Options: Tokenization

Tokenization Data Security Model
[Diagram: Example of Token format. The original credit card number 1234 1234 1234 4560 goes to the Token Server, which stores it as cipher text ($%.>/$&#) under a key from the Key Manager and returns a token that is stored in the application databases (e.g. Marketing, Loss Prevention, POS).]

What Is Data Tokenization?
- Where did it come from?
  - Found in Vatican archives dating from the 1300s
  - In 1988 IBM introduced the Application System/400 with shadow files to preserve data length
  - In 2005 vendors introduced tokenization of account numbers
- What exactly is it?
  - It IS NOT an encryption algorithm or logarithm.
  - It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)
  - Still requires strong encryption to protect the lookup table(s)

Tokenization Selling Points
- Provides an alternative to masking – in production, test and outsourced environments
- Limits the schema changes that are required; reduces impact on downstream systems
- Can be optimized to preserve pieces of the actual data in-place – smart tokens
- Greatly simplifies key management and key rotation tasks
- Centrally managed, protected – reduced exposure
- Enables strong separation of duties
- Renders data out of scope for PCI

Tokenization Considerations
- Transparency – not transparent to downstream systems that require the original data
- Performance & availability – imposes significant overhead from the initial tokenization operation and from subsequent lookups
- Performance & availability – imposes significant overhead if the token server is remote or outsourced
- Security vulnerabilities of the tokens themselves – randomness and possibility of collisions
- Security vulnerabilities typical of in-house developed systems – exposing patterns and attack surfaces

Tokenization Use Cases
- Suitable for high risk data – payment card data
- When compliance to NIST standard needed
- Long life-cycle data
- Key rollover – easy to manage
- Centralized environments
- Suitable data size, type, etc.
- Support for “big iron” mixed with Unix or Windows
- Possible to modify the few applications that need full clear text – or database plug-in available
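The token-server model from the tokenization slides, together with the keyed-hash point from the Hash slide, as an added example in Python. This is not Protegrity's product code; it assumes an in-memory vault (the strong encryption of the vault at rest, which the slides require, is outside the example), and the index key, card numbers and token bodies are constructed. It shows random format-preserving tokens, "smart tokens" that keep the last four digits, collision handling, and an HMAC index so repeated tokenization of the same card yields the same token without the clear card number being used as a lookup key.

```python
"""Token-server model from the slides, as an added example (not Protegrity's
product or code). A token is a random replacement value; the mapping back to
the real card number lives only in the token vault, which must itself be
protected with strong encryption (the at-rest encryption of the vault is
outside this example). Shown here:
  - random, format-preserving numeric tokens
  - 'smart tokens' that keep the last 4 digits in place
  - collision handling, which the slides list as a token risk
  - an HMAC lookup index so the same card always maps to the same token
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

DIGITS = "0123456789"


def _secure_digits(n: int) -> str:
    """Default token body source: n digits from the OS CSPRNG."""
    return "".join(secrets.choice(DIGITS) for _ in range(n))


class TokenServer:
    def __init__(self, index_key: bytes, keep_tail: int = 4, max_tries: int = 100,
                 body_source: Callable[[int], str] = _secure_digits):
        self._index_key = index_key
        self._keep_tail = keep_tail
        self._max_tries = max_tries
        self._body_source = body_source
        self._vault: Dict[str, str] = {}   # token -> PAN; encrypt at rest in a real deployment
        self._index: Dict[str, str] = {}   # HMAC(PAN) -> token
        self.collisions = 0                 # how often a generated token was rejected

    def _index_of(self, pan: str) -> str:
        # Keyed hash, not a plain hash: the PAN space (known BIN prefixes,
        # Luhn check digit) is small enough that an unkeyed hash index would be
        # exhaustible, which is the slides' point about HMAC or salt.
        return hmac.new(self._index_key, pan.encode("ascii"), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not pan.isdigit() or len(pan) <= self._keep_tail:
            raise ValueError("PAN must be numeric and longer than the preserved tail")
        idx = self._index_of(pan)
        existing = self._index.get(idx)
        if existing is not None:
            return existing                      # same card -> same token
        tail = pan[-self._keep_tail:]
        for _ in range(self._max_tries):
            token = self._body_source(len(pan) - self._keep_tail) + tail
            if token in self._vault or token == pan:
                self.collisions += 1             # reject and draw again
                continue
            self._vault[token] = pan
            self._index[idx] = token
            return token
        raise RuntimeError("no free token found; the token space for this tail is too full")

    def detokenize(self, token: str) -> str:
        """Only the token server, behind separation of duties, can do this."""
        if token not in self._vault:
            raise KeyError("unknown token")
        return self._vault[token]

    def __len__(self) -> int:
        return len(self._vault)


if __name__ == "__main__":
    srv = TokenServer(b"constructed-index-key")
    tok = srv.tokenize("1234 1234 1234 4560")
    print(tok, "->", srv.detokenize(tok))
```

The `body_source` hook exists so a deterministic generator can be substituted in tests to exercise the collision path; in production the CSPRNG default stays.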
Evaluation Criteria
- Performance: impact on operations - end users, data processing windows
- Storage: impact on data storage requirements
- Security: how secure is the data at rest; impact on data access – separation of duties
- Transparency: changes to application(s); impact on supporting utilities and processes

Evaluating Data Protection Options
[Comparison table rated from Worst to Best; cell contents not in the transcript]

Enterprise View of Different Protection Options
[Diagram only]

Application Transparency – Encryption, Tokens & Hashing
[Chart: transparency level (High to Low) of Database Encryption, Smart Tokens and Hashing across database operations: Look-up, Range Search, Process Clear-values]

Data Protection Options - Use Cases
[Table only]

Data Protection Options in the Enterprise
[Diagram: application databases (CCN, SSN …) holding the same card number in three forms: Strong Encryption (Kjh3409)(*&@$%^&, key from the Key Manager), Formatted Encryption (1234 1234 1234 4560) and Token (1234 1234 1234 4560, issued by the Token Server, which holds the cipher text $%.>/$&#)]

Partial Encryption/Tokenizing - Example
[Diagram: many applications/tools only move data around; some applications need partial clear data (123456 777777 1234); few applications need full clear data and decrypt]

Data Protection Options – 3 Use Cases
- Application 1 can use the stored protected value: 1234 1234 1234 4560 or Kjh3409)(*&@$%^&
- Application 2 needs partial information in clear: 1234 1234 1234 4560
- Application 3 needs full information in clear: 55 49 9437 0789 4560

How will different Protection Options Impact Applications?
[Diagram combining the two previous slides: Application 1 (stored protected value) with strong encryption via the Key Manager, Application 2 (partial clear) with formatted encryption, Application 3 (full clear) with tokens from the Token Server, which holds the cipher text]

Application Impact with Different Protection Options
[Comparison table: Transparency, Security]

Application Impact with Different Protection Options
[Comparison table: Performance and scalability, Availability]

Data Protection in the Enterprise – Implementation Example
[Diagram along the data flow: Collection (POS, Branch, e-commerce) needs partial information in clear (1234 1234 1234 4560) via the Key Manager; Aggregation and Operations need full information in clear (55 49 9437 0789 4560); Analysis and Archive can use the stored protected value (token, with cipher text $%.>/$&# held by the Token Server)]

Data Protection Implementation Layers
- Data Protection Options are not mutually exclusive
- Data Protection Layers: Application, Database, File System
- Data Protection Topologies: Remote services, Local service
- Data Security Management: central management of keys, policy and reporting

Data Protection Implementation - Enforcement Points
[Diagram: the path Data Entry -> Network -> Application -> Database -> File System -> Storage (Disk) -> Backup (Tape), marking where sensitive information is unprotected (123456 123456 1234) and where it is protected (@$%$^D&^YTOIUO*^)]

Generalization: Encryption at Different System Layers
[Chart: Ease of Deployment (Transparency) and Separation of Duties (Security Level), each from High to Low, by encryption layer: Storage Layer (SAN/NAS …), File System Layer, Database Layer, Application Layer]

Data Protection Implementation Layers
[Comparison table rated Best to Worst; cell contents not in the transcript]

Column Encryption Performance - Different Topologies
[Chart: rows per second (1 000 to 10 000 000) for Data Loading (Batch) and Queries (Data Warehouse & OLTP) on Data Warehouse, Mainframe, Unix and Windows platforms, by encryption topology: Network Attached Encryption (SW/HW) versus Local Encryption (SW/HW)]

A Few Comments on PCI Compliance
- Formatted encryption is NOT for PCI
  - When PCI refers to encryption, it must be “strong”
  - PCI provides high-level examples of what constitutes strong encryption, then refers to NIST for more details
  - NIST publishes a list of acceptable ciphers and operating modes
  - NIST has been considering new operating modes related to formatted encryption since 2000
- Tokenization
  - PCI refers to this as an “index pad”
  - The pad needs to be protected with strong encryption

Main Takeaways
- Formatted encryption and tokenization are two very different techniques
- They are good solutions for particular use cases
- Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance

Data Protection and Encryption in the Enterprise
[Diagram: mainframe z/OS with RACF, ICSF, applications, DB2 and files, a Hardware Security Module and an Encryption Solution; distributed platforms (DB2 UDB, Informix, Oracle, System i, …) with their own Hardware Security Module; all tied to a Central Key Manager. RACF = Resource Access Control Facility; ICSF = Integrated Cryptographic Service Facility]

CPACF - CP Assist for Cryptographic Functions
CP = Central Processor

Vendors Providing Encryption on IBM Mainframe
[Comparison table rated Worst to Best; cell contents not in the transcript]

Data Protection and Encryption on z/OS – PCI DSS
[Diagram: on mainframe z/OS, applications reach the Encryption Solution through an API; DB2 reaches it through Fieldproc, Editproc and UDF exits; a utility covers files; RACF and ICSF with a Hardware Security Module underneath]

Evaluation of Encryption Options for DB2 on z/OS
[Comparison table rated Best to Worst; cell contents not in the transcript]

Field Encryption – Protecting the Data Flow
[Diagram: on Windows, Unix, Linux, iSeries … an application encrypts fields through the Crypto Solution before writing a file; the file is transferred to mainframe z/OS, where an application decrypts the fields through the Crypto Solution into DB2; keys come from the Central Key Manager]

Transparent Encryption – No Application Changes
[Diagram: the same flow, but fields are encrypted in the database and in the file by the Crypto Solution and decrypted by a utility, with no changes to the applications; keys come from the Central Key Manager]

Main Takeaways
- DB2 for z/OS has good data protection options.
- Often data and use cases may require additional protection options, including better protection granularity
- Data protection approaches – transparency vs. security
- Different topologies for data protection solutions – performance, scalability and availability
- Enterprise management – keys, policy and reporting
- Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance

Vendors Providing Data Protection
[Comparison table rated Worst to Best; cell contents not in the transcript]

Protecting Data in the Enterprise Data Flow
Passive Approaches + Active Approaches = End-To-End Protection
Protecting Data in the Enterprise Data Flow
- Passive Approaches
- Active Approaches
- Passive Approaches and Act...

Passive Data Protection Approaches
- Web Application Firewall: protects against malicious attacks by inspecting app...

Active Data Protection Approaches
- Application Protection: utilizes crypto APIs to protect sensitive assets in app...

Passive Database Protection Approaches
[Comparison table: Operational Impact Profile, rated Best to Worst; cell contents not in the transcript]

Active Database Protection Approaches
[Comparison table: Operational Impact Profile, rated Best to Worst; cell contents not in the transcript]

Risk Adjusted Data Protection
- Assign value to your data
- Assess exposure
- Determine risk
- Unders...

Assign Value to Your Data
- Identify sensitive data
- If available, utilize data classification project ...

Assess Exposure and Probability
- Locate the sensitive data
  - Applications, databases, files, data transfers across ...

Determine “Risk” – A Simplified Model
- Data Security Risk = Data Value * Exposure
- Enables prioritization ...

Matching Data Protection Solutions with Risk Level
[Table: Risk level against Solutions. Low Risk (1-5): Monito...]

Estimate Costs
- Cost = Solution Cost + Operations Cost
- Solution Cost = cost to license or develop, install and ma...
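The risk-adjusted procedure on the preceding slides (assign value, assess exposure, compute Risk = Data Value * Exposure, match a protection band, estimate Cost = Solution Cost + Operations Cost) carried through in code, as an added example that is not from the slides. The data stores, the 1-5 scales, the band thresholds above the slides' "Low Risk (1-5)" and the planning horizon are constructed assumptions.

```python
"""Risk-adjusted prioritization using the slides' simplified model
    Data Security Risk = Data Value * Exposure
and the cost model
    Cost = Solution Cost + Operations Cost.
Added example, not from the slides. The data stores, the 1-5 scales, the
band thresholds above "Low Risk (1-5)" and the planning horizon are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DataStore:
    name: str
    data_value: int   # assumed scale: 1 (low) .. 5 (high)
    exposure: int     # assumed scale: 1 (low) .. 5 (high)

    @property
    def risk(self) -> int:
        """The slides' simplified model: Data Value * Exposure."""
        return self.data_value * self.exposure


# Upper bound of each band. Only "Low Risk (1-5)" comes from the slides;
# the medium and high cut-offs are constructed.
BANDS = [(5, "low"), (15, "medium"), (25, "high")]


def band(risk: int) -> str:
    """Map a risk score to the band that drives solution selection."""
    for upper, name in BANDS:
        if risk <= upper:
            return name
    raise ValueError("risk must lie in 1..25 on the assumed scales")


def prioritize(stores: List[DataStore]) -> List[DataStore]:
    """Highest risk first: the prioritization the model is meant to enable."""
    return sorted(stores, key=lambda s: s.risk, reverse=True)


def total_cost(solution_cost: float, yearly_operations_cost: float, years: int) -> float:
    """Cost = Solution Cost + Operations Cost, with operations accumulated
    over a planning horizon (the horizon is an assumption, not on the slides)."""
    return solution_cost + yearly_operations_cost * years


# Constructed sample stages of a cardholder data flow.
SAMPLE = [
    DataStore("POS collection", data_value=5, exposure=4),
    DataStore("Aggregation staging", data_value=5, exposure=3),
    DataStore("Analysis warehouse", data_value=4, exposure=2),
    DataStore("Archive tape", data_value=3, exposure=1),
]

if __name__ == "__main__":
    for store in prioritize(SAMPLE):
        print(f"{store.name:22} risk={store.risk:2} band={band(store.risk)}")
    print("3-year cost of a 100/20 solution:", total_cost(100, 20, 3))
```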
Operation Cost Factors
- Performance: impact on operations - end users, data processing windows
- Storage: i...

Operation Cost Factors
- Solution should be able to change with the environment
- Progress from less to more secure ...

How to Protect the Weak Links in your Data Flow
- Review Risk & Determine Protection Approach
  - Ana...
  - Identify Assets and Assign Business Value to each
  - Identify Vulnerabilities for each Asset
  - Identify potential Attack Vectors & Attackers
  - Assess the Risk
  - Compliance Aspects
  - Select Data Protection Points & Protection Methods
- Assess Total Impact
  - Functionality Limitations
  - Performance & Scalability
  - Application Transparency
  - Platform Support & Development Life Cycle Support
  - Key Management, Administration & Reporting
  - Deployment Cost, Time & Risk
- Adjust

Cost Effective Data Protection
- Uses Risk as an adjusting factor for determining a Data Protection strategy
- Risk=...

Use of production data in a test system
- Production data is in many cases needed to ensure quality in system testing ...

Data Masking – One-way vs. Two-way
[Chart: Data Quality & Exposed Details against use cases such as 3rd Party Interface Testing ...]

Business Value vs. Ease of Compliance
[Chart: Ease of Compliance (High/Low) against Business Value, positioning Encryption ...]

Data Security Management
- An integral part of technical and business process
- Security Policy: centralized con...

Managing Data Security in the Enterprise
- Central Management of Security Policy, Reporting, Encryption Keys, ...

How about Native Database Encryption?
- Advantages
  - Available from most database vendors
  - Enables you to get s...

http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf

Protecting the Data Flow: Case Studies

Data Protection in the Enterprise Data Flow
[Diagram: Partners (Financial Institutions), points of collection ...]

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1144290
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1051481

Case Studies
- One of the most widely recognized credit and debit card brands in the world
  - Their volume o...

Case 1: Goal – PCI Compliance & Application Transparency
[Diagram: Credit Card Entry, Application ...]

Case 1: File Encryption & FTP
[Diagram: Credit Card Entry, attacker positions, Network, POS ...]

Case 1: From Encrypted File to Encrypted Database
[Diagram: attacker positions, Application, Network ...]

Case 2a: Goal – Addressing Advanced Attacks & PCI
[Diagram: Credit Card Entry; Continuously encrypted computing: ...]

Case 2a: Application Encryption to Encrypted Database
[Diagram: Point Of Data Acquisition, Network ...]

Case 2b: Goal – Addressing Advanced Attacks & PCI
[Diagram: Credit Card Entry; Continuously encrypted computing: ...]

Case 2b: From Encrypted Database to File & FTP
[Diagram: Point Of Data Acquisition, encrypted value aVdSaH 1F4hJ5 1D3a ...]

Case 2b: From Selectively Encrypted File to Encrypted Database
[Diagram: Network, 123456 123456 1234, Applicat...]

Case 3: Goal – Addressing Advanced Attacks & PCI
[Diagram: Credit Card Entry; Continuously encrypted computing: ...]

Case 3: Gateway Encryption
[Diagram: attacker positions, Network, 123456 123456 1234 ...]

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=940287

Different ‘Tokenizing’ Approaches & Topologies
[Diagram: Algorithmic Tokenizer; CCN 123456 123456 1234 -> ABCDE...]

How to Protect the Data Flow Against Advanced Attacks
[Diagram: Point Of Data Acquisition, 123456 123456 1234 ...]

How to Protect the Data Flow Against Advanced Attacks
[Diagram: Point Of Data Acquisition, 123456 123456 1234 ...]

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466
http://www.quest-pipelines.com/newsletter-v7/0706_C.htm

Protegrity Solutions
- Protecting data
- Protecting web applications
- Managing data security

Data Security Management
- An integral part of technical and business process
- Security Policy: centralized con...

The Protegrity Defiance© Suite
- Data Protection System (DPS): encryption, monitoring, masking; database, file ...

Questions?
If you would like a copy of the slides, please email ulf.mattsson@protegrity.com

APPENDIX

Current Discussion of Data Protection for PCI DSS
- https://www.pcisecuritystandards.org
- Protegrity: ...

PCI Security Standards Council about Data in Transit
- The PCI Security Standards Council (https://www.pcisecuritystand...

The PCI Knowledge Base (www.KnowPCI.com) – Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey

The Major Features of the PCI Knowledge Base (www.KnowPCI.com)
- IT IS FREE TO REGISTER
- INTERACT WITH OUR PANEL OF...

Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey
- Interviews with retailers focus on best practices...

Why is Tokenization Such a Hot Issue for PCI Compliance?
- Lowers Security Cost – Tokenization reduces or eliminates “s...

Why is Tokenization Such a Hot Issue for PCI Compliance?
Source: PCI Knowledge Base, July 2009

Multi-Channel Issues: Is One Tokenization Solution Possible?
[Diagram: BUYER 1, BUYER 2, BUYER 3 (Virtual), PO...]

Proving Tokenization Works: Is it Being Used Beyond Pilots / Trials?
- Since June 2008, our interview data has shown a...

Cost: How to Compare Tokenization Costs vs PCI Compliance Costs?
- ISSUE: The cost savings due to tokenization vs the...

Token Options: How and When Can Tokens be Generated & Managed?
- OPTION #1 – Example: Homegrown tokenization; C...

[Diagram: PED / POS Vendors (Encrypt from Swipe to Acquirer); Corporations with Homegrown tokens (e.g., Hashes); V...]

Getting the Most Value from Tokenization Solutions
- Scalability: The more data repositories and systems that store, p...

Integrating Tokenization: How to Make it “Part of” Applications?
- ISSUE: The debit & credit settlement process often ...

Why Keep Card Data at All? When to Outsource Payment Processing
- One of the biggest changes we have seen in the last ...

Adopt “Secure Tokenization” to Remove Card Data But Retain Analytics
- Current vs Potential Use of Secure Tokenization ...

The Bottom Line: Tokenization is an Enterprise Strategy
- Tokenization is a strategy when it is applied as a way to ce...

PCI Research
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection

PCI and Beyond: A Cost Effective Approach to Data Protection, ISSA New England Chapter, Ulf Mattsson, Oct 20, 2009.

ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection

  1. 1. 01<br />Ulf Mattsson<br />Chief Technology Officer<br />Protegrity Corporation<br />Ulf . mattsson at protegrity . com <br />
  2. 2. 02<br />
  3. 3. Source of Information about PCI Research<br />http://www.knowpci.com<br />
  4. 4. PCI Requirements and Data Protection Options<br />Advanced Attacks on Cardholder Data<br />PCI Requirements<br />Data Protection Options <br />Data Protection Use Cases<br />A Risks Adjusted Data Protection Approach<br />Appendix: PCI Research and Resources <br />
  5. 5. Enterprise Data Flow – Cardholder Data<br /><ul><li> ‘Information in the wild’</li></ul>- Short lifecycle / High risk<br />Collection<br />POS<br />Branch<br />e-commerce<br /><ul><li> Temporary information </li></ul>- Short lifecycle / High risk<br />Aggregation<br /><ul><li> Operating information</li></ul>- Typically 1 or more year lifecycle<br />- Broad and diverse computing and database environment<br />Operations<br /><ul><li> Decision making information</li></ul>- Typically multi-year lifecycle<br />- Homogeneous computing environment<br />- High volume database analysis<br />Analysis<br /><ul><li> Archive</li></ul> -Typically multi-year lifecycle<br /> -Preserving the ability to retrieve the data in the future is important<br />Archive<br />
  6. 6. 06<br />
  7. 7. Data Level Attacks on the Enterprise Data Flow<br />MALWARE /<br />TROJAN<br />DBA <br />ATTACK<br />TRUSTED<br /> SEGMENT<br />DMZ <br />TRANSACTIONS<br />End-<br />point<br />Internal<br />Users<br />Enterprise<br />Apps<br />DB Server<br />Server<br />Load<br />Balancing<br />SAN,<br />NAS,<br />Tape<br />Internet<br />NW<br />Proxy<br />FW<br />Proxy<br />FW<br />Proxy<br />FW<br />IDS/<br />IPS<br />Wire-<br />less<br />Network<br />Devices<br />Server<br />Web Apps<br />OS ADMIN<br />FILE ATTACK<br />SQL<br /> INJECTION<br />SNIFFER <br />ATTACK<br />MEDIA <br />ATTACK<br />07<br />
  8. 8. Data Protection Challenges <br />Actual protection is not the challenge<br />Management of solutions<br />Key management<br />Reporting<br />Policy<br />Minimizing impact on business operations<br />Performance v. security<br />Minimizing impact (and costs)<br />Changes to applications<br />Impact on downstream systems<br />Time<br />8<br />
  9. 9. Addressing Data Protection Challenges<br />Full mapping of sensitive data flow<br />Where is the data<br />Where does it need to be<br />Identify what data is needed for processing in which applications<br />What are the performance SLAs<br />Understand the impact of changing/removing data<br />Will it break legacy systems<br />Address PCI, strategize for the larger security issue<br />
  10. 10. The Goal: Good, Cost Effective Security<br />The goal is to deliver a solution that is a balance between security, cost, and impact on the current business processes and user community<br />Security plan - short term, long term, ongoing<br />How much is ‘good enough’<br />Security versus compliance<br />Good Security = Compliance<br />Compliance ≠ Good Security<br />010<br />
  11. 11. PCI DSS 1.2 Applicability Information & PII Aspects<br />11<br />
  12. 12. Discussion of Data Protection for PCI DSS<br />12<br />
  13. 13. PCI – Compensating Controls<br />13<br />
  14. 14. Data Protection Layers<br />Data Protection - Wrapping<br />How sensitive data is rendered unreadable<br />Data Access Control - Path<br />How the data is presented to the end user and/or application<br />014<br />
  15. 15. Data Protection Options<br />Data Stored As<br />Clear – actual value is readable<br />Hash – unreadable, not reversible<br />Encrypted – unreadable, reversible, binary/text<br />Replacement value (tokens) – unreadable, reversible<br />Partial encryption/replacement – unreadable, reversible<br />015<br />
  16. 16. Data in the Clear<br />Control the Access Path<br />Reporting and alerting<br />Display masking<br />Data usage control<br />Advantages<br />Low impact on existing applications<br />Performance<br />Time to deploy<br />Considerations<br />Underlying data exposed<br />Discover breach after the fact<br />PCI aspects<br />016<br />
  17. 17. Hash<br />Non – reversible<br />Strong protection if …<br />Keyed hash (HMAC) or salt<br />Advantages<br />None really for PCI and PII data<br />Considerations<br />Size and type<br />Transparency<br />Key rotation for keyed hash<br />017<br />
  18. 18. Traditional Strong Encryption<br />Industry Standard <br />Algorithms & modes - AES CBC, 3DES CBC …<br />Approved by NIST (National Institute of Standards and Technology) <br />Advantages<br />Widely deployed<br />Compatibility<br />Performance<br />Considerations<br />Storage and type<br />Transparency to applications<br />Key rotation<br />018<br />
  19. 19. Newer Data Protection Options<br />Format Controlling Encryption (FCE)<br />
  20. 20. FCE Security Model<br />Example of Formatted Encryption<br />1234 1234 1234 4560<br />Application Databases<br />(e.g. Marketing, Loss Prevention, POS)<br />Original Credit Card Number<br />Key Manager<br />
  21. 21. What Is FCE?<br />Where did it come from?<br />Before 2000 – Different approaches, some are based on block ciphers (AES, 3DES …)<br />Before 2005 – Used to protect data in transit within enterprises <br />What exactly is it?<br />Secret key encryption algorithm operating in a new mode<br />Cipher text output can be restricted to same as input code page – some only supports numeric data<br />The new modes are not approved by NIST<br />
  22. 22. FCE Selling Points<br />Ease of deployment -- limits the database schema changes that are required. <br />Reduces changes to downstream systems<br />Applicability to data in transit – provides a strict/known data format that can be used for interchange<br />Storage space – does not require expanded storage<br />Test data – partial protection<br />Outsourced environments & virtual servers<br />
  23. 23. FCE Considerations<br />Unproven level of security – makes significant alterations to the standard AES algorithm<br />Encryption overhead – significant CPU consumption is required to execute the cipher<br />Key management – is not able to attach a key ID, making key rotation more complex - SSN<br />Some implementations only support certain data (based on data size, type, etc.)<br />Support for “big iron” systems – is not portable across encodings (ASCII, EBCDIC)<br />Transparency – some applications need full clear text<br />
  24. 24. FCE Use Cases<br />Suitable for lower risk data<br />Compliance to NIST standard not needed<br />Distributed environments<br />Protection of the data flow<br />Added performance overhead can be accepted<br />Key rollover not needed – transient data<br />Support available for data size, type, etc.<br />Point to point protection if “big iron” mixed with Unix or Windows<br />Possible to modify applications that need full clear text – or database plug-in available<br />
  25. 25. 025<br />Applications are Sensitive to the Data Format <br />Data Type<br />Binary (Hash) -<br />Binary (Encryption) -<br />Alphanum (FCE, Token) -<br />Numeric (FCE, Token) -<br />Numeric (Clear Text) -<br />No Applications<br />Bin<br />Data<br />Few Applications<br />Increased intrusiveness:<br /><ul><li>Application changes
  26. 26. Limitations in functionality
  27. 27. Limitations in data search
  28. 28. Performance issues</li></ul>Many Applications<br />Most Applications<br />Text <br />Data<br />All Applications<br />Data<br />Field<br />Length<br />I<br />Original<br />I<br />Longer<br />This is a generalized example<br />
  29. 29. Newer Data Protection Options<br />Tokenization<br />
  30. 30. Original Credit Card Number<br />Example of Token format:<br />1234 1234 1234 4560<br />$%.&gt;/$&#<br />Cipher <br />Text<br />Application<br />Databases<br />(e.g. Marketing, <br />Loss Prevention, POS)<br />Token<br />Key Manager<br />Token Server<br />Tokenization Data Security Model<br />
  31. 31. What Is Data Tokenization?<br />Where did it come from?<br />Found in Vatican archives dating from the 1300s<br />In 1988 IBM introduced the Application System/400 with shadow files to preserve data length <br />In 2005 vendors introduced tokenization of account numbers<br />What exactly is it?<br />It IS NOT an encryption algorithm or logarithm. <br />It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)<br />Still requires strong encryption to protect the lookup table(s)<br />
  32. 32. Tokenization Selling Points<br />Provides an alternative to masking – in production, test and outsourced environments<br />Limits schema changes that are required. Reduces impact on downstream systems<br />Can be optimized to preserve pieces of the actual data in-place – smart tokens <br />Greatly simplifies key management and key rotation tasks<br />Centrally managed, protected – reduced exposure<br />Enables strong separation of duties<br />Renders data out of scope for PCI<br />
  33. 33. Tokenization Considerations<br />Transparency – not transparent to downstream systems that require the original data<br />Performance & availability – imposes significant overhead from the initial tokenization operation and from subsequent lookups<br />Performance & availability – imposes significant overhead if token server is remote or outsourced <br />Security vulnerabilities of the tokens themselves – randomness and possibility of collisions<br />Security vulnerabilities typical in in-house developed systems – exposing patterns and attack surfaces<br />
  34. 34. Tokenization Use Cases<br />Suitable for high risk data – payment card data<br />When compliance to NIST standard needed<br />Long life-cycle data<br />Key rollover – easy to manage<br />Centralized environments<br />Suitable data size, type, etc.<br />Support for “big iron” mixed with Unix or Windows<br />Possible to modify the few applications that need full clear text – or database plug-in available<br />
  35. 35. Evaluation Criteria<br />Performance<br />Impact on operations - end users, data processing windows<br />Storage<br />Impact on data storage requirements<br />Security<br />How secure Is the data at rest<br />Impact on data access – separation of duties<br />Transparency<br />Changes to application(s)<br />Impact on supporting utilities and processes <br />032<br />
  36. 36. Evaluating Data Protection Options<br />033<br />Worst<br />Best<br />
  37. 37. Enterprise View of Different Protection Options<br />034<br />
  38. 38. Application Transparency – Encryption, Tokens & Hashing<br />Transparency level<br />High<br />Low<br />Database Encryption<br />Smart Tokens<br />Hashing<br />Database<br />Operation<br />I<br />Look-up<br />I<br />Range<br />Search<br />I<br />Process<br />Clear-values<br />
  39. 39. Data Protection Options-Use Cases<br />036<br />
  40. 40. Data Protection Options in the Enterprise<br />Application Databases<br />(CCN, SSN …)<br />Strong Encryption<br />Kjh3409)(*&@$%^&<br />Key Manager<br />Formatted Encryption<br />1234 1234 1234 4560<br />Token<br />1234 1234 1234 4560<br />Token <br />Server<br />$%.&gt;/$&#<br />Cipher <br />Text<br />Token<br />037<br />
  41. 41. Partial Encryption/Tokenizing - Example<br />Many applications/tools <br /><ul><li>Moving data around</li></ul>Some applications <br /><ul><li>Partial clear data</li></ul>Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />Application<br />123456 777777 1234<br />Application<br />Application<br />Few applications<br /><ul><li>Full clear data </li></ul>Decryption<br />Application<br />
  42. 42. Data Protection Options – 3 Use Cases<br />Can use stored protected value:<br />1234 1234 1234 4560<br />Or<br />Kjh3409)(*&@$%^&<br />Application 1<br />Need partial Information<br />in clear:<br />1234 1234 1234 4560<br />Application 2<br />Need full Information<br />in clear:<br />55 49 9437 0789 4560<br />Application 3<br />039<br />
  43. 43. How will different Protection Options Impact Applications?<br />Application<br />Databases<br />(CCN, SSN …)<br />Can use stored <br />protected value:<br />1234 1234 1234 4560<br />Or<br />Kjh3409)(*&@$%^&<br />Application 1<br />Key Manager<br />Strong Encryption<br />Kjh3409)(*&@$%^&<br />Need partial Information<br />in clear:<br />1234 1234 1234 4560<br />Application 2<br />Formatted Encryption<br />1234 1234 1234 4560<br />Need full Information<br />in clear:<br />55 49 9437 0789 4560<br />Application 3<br />$%.&gt;/$&#<br />Cipher <br />Text<br />Token<br />1234 1234 1234 4560<br />Token<br />Token Server<br />Token<br />Cipher <br />040<br />
  44. 44. Application Impact with Different Protection Options<br />Transparency<br />Security<br />041<br />
  45. 45. Application Impact with Different Protection Options<br />Performance and scalability<br />Availability<br />042<br />
  46. 46. Data Protection in the Enterprise – Implementation Example<br />Collection<br />Need partial Information<br />in clear:<br />1234 1234 1234 4560<br />Key Manager<br />POS<br />Branch<br />e-commerce<br />Aggregation<br />Need full Information<br />in clear:<br />55 49 9437 0789 4560<br />Operations<br />Analysis<br />$%.&gt;/$&#<br />Can use stored <br />protected value:<br />1234 1234 1234 4560<br />Cipher <br />Text<br />Token<br />Token Server<br />Archive<br />Token<br />Cipher <br />043<br />
  47. 47. Data Protection Implementation Layers<br />Data Protection Options are not mutually exclusive<br />Data Protection Layers<br />Application <br />Database<br />File System<br />Data Protection Topologies<br />Remote services<br />Local service<br />Data Security Management<br />Central management of keys, policy and reporting<br />044<br />
  48. 48. 045<br />Data Protection Implementation - Enforcement Points<br />Data<br />Entry<br />Network<br />123456 123456 1234<br />123456 123456 1234<br />@$%$^D&^YTOIUO*^<br />Application <br />Application <br />Application <br />Application <br />Database<br />Database<br />File <br />System<br />File <br />System<br />Storage (Disk)<br />Storage (Disk)<br />Backup (Tape)<br />Backup (Tape)<br />Protected sensitive information<br />Unprotected sensitive information:<br />
  49. 49. Generalization: Encryption at Different System Layers<br />High<br />Ease of Deployment<br />(Transparency)<br />Separation of Duties<br />(Security Level)<br />Low<br />Encryption<br />Layer<br />I<br />File System<br /> Layer<br />I<br />Database <br />Layer<br />I<br />Storage Layer<br />SAN/NAS…<br />I<br />Application <br />Layer<br />
  50. 50. 047<br />Data Protection Implementation Layers<br />Best<br />Worst<br />
  51. 51. Column Encryption Performance - Different Topologies<br />Rows Per Second<br />10 000 000 –<br />1 000 000 –<br />100 000 –<br />10 000 –<br />1 000 –<br />Data Warehouse<br />Platforms<br />Mainframe<br />Platforms <br />Unix Platforms<br />Windows Platforms<br />Data Loading (Batch)<br />Queries (Data Warehouse & OLTP)<br />Encryption<br />Topology<br />I<br />Network Attached<br />Encryption (SW/HW)<br />I<br />Local<br />Encryption (SW/HW)<br />
  52. 52. A Few Comments on PCI Compliance<br />Formatted encryption is NOT for PCI<br /><ul><li>When PCI refers to encryption, it must be “strong”
  53. 53. PCI provides high-level examples of what constitutes strong encryption, then refers to NIST for more details
  54. 54. NIST publishes a list of acceptable ciphers and operating modes
  55. 55. NIST has been considering new operating modes related to formatted encryption since 2000</li></ul>Tokenization<br /><ul><li>PCI refers to this as an “index pad”
  56. 56. The pad needs to be protected with strong encryption</li></li></ul><li>Main Takeaways<br />Formatted encryption and tokenization are two very different techniques<br />They are good solutions for particular use cases<br />Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance<br />050<br />
  57. 57. Data Protection and Encryption in the Enterprise<br />RACF<br />Applications<br />ICSF<br />Mainframe <br />z/OS<br />Encryption<br />Solution<br />DB2<br />Hardware<br />Security <br />Module<br />Files<br />DB2 UDB<br />Central Key <br />Manager<br />Informix<br />Hardware<br />Security <br />Module<br />System i<br />Oracle<br />…<br />Resource Access Control Facility (RACF) <br />Integrated Cryptographic Service Facility (ISCF) <br />
58. CPACF - CP Assist for Cryptographic Functions
CP = Central Processor
59. Vendors Providing Encryption on IBM Mainframe
[Vendor comparison table rated from Best to Worst; only the Best/Worst labels survive]
60. Data Protection and Encryption on z/OS – PCI DSS
[Diagram: an Encryption Solution on Mainframe z/OS integrated with Applications through an API, with DB2 through Fieldproc, Editproc and UDF, with Files through a Utility, and with RACF, ICSF and a Hardware Security Module]
61. Evaluation of Encryption Options for DB2 on z/OS
[Evaluation table rated from Best to Worst; only the Best/Worst labels survive]
62. Field Encryption – Protecting the Data Flow
[Diagram: an Application on Windows, Unix, Linux, iSeries ... encrypts fields through a Crypto Solution before writing the File; the File is transferred to Mainframe z/OS, where an Application decrypts the fields through its Crypto Solution and loads DB2; both Crypto Solutions use a Central Key Manager]
63. Transparent Encryption – No Application Changes
[Diagram: the same flow as the previous slide, but the fields are encrypted and decrypted by the Database and by a Utility rather than by the Applications, on Windows, Unix, Linux, iSeries ... and on Mainframe z/OS (DB2), with a Central Key Manager]
64. Main Takeaways
- DB2 for z/OS has good data protection options.
- Often data and use cases may require additional protection options, including better protection granularity
- Data protection approaches – transparency vs. security
- Different topologies for data protection solutions – performance, scalability and availability
- Enterprise management – keys, policy and reporting
- Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance
65. Vendors Providing Data Protection
[Vendor comparison table rated from Best to Worst; only the Best/Worst labels survive]
66. Protecting Data in the Enterprise Data Flow
Passive Approaches + Active Approaches = End-To-End Protection
67. Protecting Data in the Enterprise Data Flow
Passive Approaches and Active Approaches = End-To-End Protection
[Diagram: passive controls (a Web Application Firewall in front of the Applications; Database Activity Monitoring / Data Loss Prevention on the Database Server and its Database Log Files) and active controls (protection of Database Columns, Tablespace and Datafiles)]
68. Passive Data Protection Approaches
Web Application Firewall
- Protects against malicious attacks by inspecting application traffic
Data Loss Prevention
- Tags and monitors movement of sensitive assets
- Protects against the unintentional outbound leakage of sensitive assets
Database Activity Monitoring
- Inspects, monitors, and reports database traffic into and out of databases
- Can block malicious activity; seldom used due to false positives
Database Log Mining
- Mines log files that are created by databases for good or bad activity
69. Active Data Protection Approaches
Application Protection
- Utilizes crypto APIs to protect sensitive assets in applications
- This approach helps you protect data as it enters your business systems
Column Level Protection
- Protects data inside the database at the column level
- Can be deployed in a transparent approach to minimize changes to your environment
- Considered to be the most secure approach to protect sensitive assets
Database File Protection
- Protects the data by encrypting the entire database file
70. Passive Database Protection Approaches
[Operational Impact Profile table rated from Best to Worst; only the labels survive]
71. Active Database Protection Approaches
[Operational Impact Profile table rated from Best to Worst; only the labels survive]
72. Risk Adjusted Data Protection
- Assign value to your data
- Assess exposure
- Determine risk
- Understand which Data Protection solutions are available to you
- Estimate costs
- Choose most cost effective method
73. Assign Value to Your Data
- Identify sensitive data
  - If available, utilize data classification project
  - Rank what is sensitive on its own (think PCI)
  - Consider what is sensitive in combination (think Privacy)
- How valuable is the data to (1) your company and (2) to a thief
  - Corporate IP, Credit Card numbers, Personally Identifiable Information
- Assign a numeric value: high=5, low=1
74. Assess Exposure and Probability
- Locate the sensitive data
  - Applications, databases, files, data transfers across internal and external networks
- Location on network
  - Segmented
  - External or partner facing application
- Access
  - How many users have access to the sensitive data?
  - Who is accessing sensitive data?
  - How much and how frequently is data being accessed?
- Assign a numeric value: high=5, low=1
75. Determine “Risk” – A Simplified Model
Data Security Risk = Data Value * Exposure
- Enables prioritization
- Groups data for potential solutions
76. Matching Data Protection Solutions with Risk Level
Risk level: Solutions
- Low Risk (1-5): Monitor
- At Risk (6-15): Monitor, mask, access control limits, format control encryption
- High Risk (16-25): Replacement, strong encryption
Select risk-adjusted solutions for costing
77. Estimate Costs
Cost = Solution Cost + Operations Cost
- Solution Cost = cost to license or develop, install and maintain
- Operations Cost = cost to change applications, impact on downstream systems, meeting SLAs, user experience
78. Operation Cost Factors
Performance
- Impact on operations - end users, data processing windows
Storage
- Impact on data storage requirements
Security
- How secure is the data at rest
- Impact on data access – separation of duties
Transparency
- Changes to application(s)
- Impact on supporting utilities and processes
79. Operation Cost Factors
- Solution should be able to change with the environment
- Progress from less to more secure solution, or the reverse
- Add new defenses for future threats
- Plug into existing infrastructure, integrate with other systems
80. How to Protect the Weak Links in your Data Flow
Review Risk & Determine Protection Approach
- Analyze the Data Flow
- Identify Assets and Assign Business Value to each
- Identify Vulnerabilities for each Asset
- Identify potential Attack Vectors & Attackers
- Assess the Risk
- Compliance Aspects
- Select Data Protection Points & Protection Methods
Assess Total Impact
- Functionality Limitations
- Performance & Scalability
- Application Transparency
- Platform Support & Development Life Cycle Support
- Key Management, Administration & Reporting
- Deployment Cost, Time & Risk
Adjust
92. Cost Effective Data Protection
- Uses Risk as an adjusting factor for determining a Data Protection strategy
- Risk = Data Value * Exposure
- Determines solutions that fit the risk level, then determines cost
- Cost = Solution Cost + Operational Cost
- Prepare for the future
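The risk-adjusted model of the preceding slides worked through in code, as an added example that is not part of the presentation: value and exposure scored 1 to 5, Risk = Data Value * Exposure, the three risk bands with the candidate solutions from the matching slide, and Cost = Solution Cost + Operations Cost. The cost table and the sample assets are constructed values for illustration.

```python
"""Risk-adjusted data protection: Risk = Data Value * Exposure, banded to solutions.

Added example, not from the presentation. Scores follow the slides (high = 5,
low = 1); the cost figures and assets below are constructed sample values.
"""
from dataclasses import dataclass

# Risk bands from the "Matching Data Protection Solutions with Risk Level" slide:
# (inclusive upper bound of Data Value * Exposure, band name, candidate solutions)
RISK_BANDS = [
    (5, "Low Risk", ["monitor"]),
    (15, "At Risk", ["monitor", "mask", "access control limits",
                     "format controlling encryption"]),
    (25, "High Risk", ["replacement (tokenization)", "strong encryption"]),
]

# Constructed cost table in arbitrary units:
# solution -> (solution cost: license/develop, install, maintain;
#              operations cost: application changes, downstream impact, SLAs, UX)
COSTS = {
    "monitor": (1, 1),
    "mask": (2, 2),
    "access control limits": (2, 3),
    "format controlling encryption": (4, 2),
    "strong encryption": (5, 6),
    "replacement (tokenization)": (6, 4),
}


def check_score(score: int, what: str) -> int:
    """Data value and exposure are scored 1 (low) .. 5 (high)."""
    if not 1 <= score <= 5:
        raise ValueError(f"{what} must be scored 1..5, got {score}")
    return score


@dataclass(frozen=True)
class DataAsset:
    name: str
    data_value: int   # 1..5: worth to the company and to a thief
    exposure: int     # 1..5: location, segmentation, number of users, access frequency

    def risk(self) -> int:
        """Data Security Risk = Data Value * Exposure (1..25)."""
        return (check_score(self.data_value, "data_value")
                * check_score(self.exposure, "exposure"))


def risk_band(risk: int):
    """Map a risk score to its band name and the candidate solutions for costing."""
    for upper, name, solutions in RISK_BANDS:
        if risk <= upper:
            return name, list(solutions)
    raise ValueError(f"risk {risk} outside 1..25")


def total_cost(solution: str) -> int:
    """Cost = Solution Cost + Operations Cost."""
    solution_cost, operations_cost = COSTS[solution]
    return solution_cost + operations_cost


def cheapest_fitting_solution(risk: int) -> str:
    """Among the solutions that fit the risk band, pick the most cost effective."""
    _, candidates = risk_band(risk)
    return min(candidates, key=total_cost)


def protection_plan(assets):
    """Prioritise assets by risk (highest first) and cost the fitting solution for each."""
    plan = []
    for asset in assets:
        risk = asset.risk()
        band, _ = risk_band(risk)
        solution = cheapest_fitting_solution(risk)
        plan.append({"asset": asset.name, "risk": risk, "band": band,
                     "solution": solution, "cost": total_cost(solution)})
    plan.sort(key=lambda row: row["risk"], reverse=True)
    return plan


# Constructed sample assets
SAMPLE_ASSETS = [
    DataAsset("PAN column in the data warehouse", data_value=5, exposure=4),
    DataAsset("Customer e-mail addresses in CRM", data_value=3, exposure=3),
    DataAsset("Product catalogue in the web tier", data_value=1, exposure=2),
]

if __name__ == "__main__":
    for row in protection_plan(SAMPLE_ASSETS):
        print(f"{row['risk']:>2} {row['band']:<9} {row['asset']:<36} "
              f"-> {row['solution']} (cost {row['cost']})")
```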
93. Use of production data in a test system
- Production data is in many cases needed to ensure quality in system testing
- Key data fields that can be used to identify an individual or corporation need to be cleansed to depersonalize the information
- Cleansed data needs to be easily restored (for downstream systems and feeding systems), at least in the early stages of implementation
- This requires two-way processing.
- The restoration process should be limited to situations for which there is no alternative to using production data (interface testing with a third party or for firefighting situations, for example).
- Authorization to use this process must be limited and controlled. In some situations, business rules must be maintained during any cleansing operation (addresses for processing, dates of birth for age processing, names for gender distinction).
- There should also be the ability to set parameters, or to select or identify fields to be scrambled, based on a combination of business rules.
- A solution must be based on secure encryption, robust key management, separation of duties, and auditing.
94. Data Masking – One-way vs. Two-way
[Chart: Data Quality & Exposed Details (High to Low) across the Information Life Cycle (Development, Testing, Staging, Production, Operational, Analytics, Archive); Two-Way Masking is shown for 3rd Party Interface Testing, Data Entry, Partner Interface and Fire Fighting, One-Way Masking for the other uses. Legend: Protected sensitive information / Unprotected sensitive information]
95. Business Value vs. Ease of Compliance
[Chart: Business Value (Low to High) against Ease of Compliance, from Deleting Data (Lost Data) through Masking One-way and Masking Two-way to Clear Data (Reusable Data); Encryption, Tokenizing, Hashing and Simple Masking are plotted in between]
96. Data Security Management
An integral part of technical and business process
Security Policy
- Centralized control of security policy
- Consistent enforcement of protection
- Separation of duties
Reporting and Auditing
- Compliance reports
- Organization wide security event reporting
- Alerting
- Integration with SIM/SEM
Key Management
97. Managing Data Security in the Enterprise
[Diagram: Central Management of Security Policy, Reporting, Encryption Keys and Data Tokens across Mainframe z/OS, DB2 UDB, Informix, iSeries, Oracle, SQL Server, ...]
98. How about Native Database Encryption?
Advantages
- Available from most database vendors
- Enables you to get started quickly
Disadvantages
- Mostly non-transparent solutions
- Some vendors do not protect the Data Encryption Keys well enough
- Lack of secure interoperability between instances of the same vendor
- No secure interoperability with databases from other vendors
- No centralization of policy, key management, and audit reporting
99. http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf
100. Protecting the Data Flow: Case Studies
101. Data Protection in the Enterprise Data Flow
[Diagram: points of collection in Branches/Stores (Retail Locales, Web Apps, Store Back Office Applications, Store DB, T-Logs, Journals) feed a Polling Server and Aggregation Log at HQ; a Policy Manager distributes Policy to every system; downstream are ERP, Operations Reports, a Multiplexing Platform, Detailed Analytical and Focused / Summary Analytical stores, Archive, Tactical Active Access / Alerting, and Partners (Financial Institutions); protected values are drawn as $%&# placeholders throughout]
102. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1144290
103. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1051481
104. Case Studies
One of the most widely recognized credit and debit card brands in the world
- Their volume of data is in the multiple billions of rows, and they needed a solution that would not degrade performance.
Major financial institution
- Protecting high-worth clients' financial information.
- Central key management and separation of duties were of the utmost importance.
One of the world's largest retailers
- Protecting the flow of sensitive credit card information from the store, through to back office systems and into the data warehouse and storage.
- The central key management and the ability to support thousands of stores were critical for this success.
- Transparent to existing applications.
- Protect sensitive information in their Teradata data warehouse, iSeries (AS/400), zSeries (mainframe), Oracle and MS SQL Server, and protect files that reside across platforms including Unix and z/Series.
105. Case 1: Goal – PCI Compliance & Application Transparency
[Diagram: Credit Card Entry at the Local Store Location (Branch), Application, File Encryption, FTP to the Central HQ Location, Application, Settlement Batch with File Encryption, on to the Financial Institution; File Encryption on Windows, UNIX, Linux, zOS; Database Encryption for DB2 (zOS, iSeries), Oracle, SQL Server]
106. Case 1: File Encryption & FTP
[Diagram of the Case 1 flow: Credit Card Entry, POS Application, FTP Application, Network, File System (Memory), Storage (Disk), Backup (Tape), with attacker positions marked; the card number is drawn as clear (123456 123456 1234) or encrypted (@$%$^D&^YTOIUO*^) at each stage. Legend: Protected sensitive information / Unprotected sensitive information]
107. Case 1: From Encrypted File to Encrypted Database
[Diagram: FTP Application, Application, Database and Files, with the Network and attacker positions marked; the card number is drawn as clear (123456 123456 1234) or encrypted (@$%$^D&^YTOIUO*^) at each stage. Legend: Protected sensitive information / Unprotected sensitive information]
108. Case 2a: Goal – Addressing Advanced Attacks & PCI
Continuously encrypted computing: protection of sensitive data fields
[Diagram: Credit Card Entry at the Local Store Location (Branch), Application Encryption, Application, FTP to the Central HQ Location, Decryption, Settlement, FTP to the Financial Institution; File Encryption on Windows, UNIX, Linux, zOS; Database Encryption for DB2, Oracle, SQL Server]
109. Case 2a: Application Encryption to Encrypted Database
[Diagram: Point Of Data Acquisition (POS Application), Network, Application, Database, File System, Storage (Disk), Backup (Tape); the card number is clear (123456 123456 1234) at the point of acquisition and field-encrypted (123456 777777 1234) from the application onwards. Legend: Protected sensitive information / Unprotected sensitive information]
110. Case 2b: Goal – Addressing Advanced Attacks & PCI
Continuously encrypted computing: protection of sensitive data fields
[Diagram: Credit Card Entry at the Local Store Location, Application, Database Encryption (SQL Server), Application, FTP to the Central HQ Location, Database Encryption (DB2 zOS)]
111. Case 2b: From Encrypted Database to File & FTP
[Diagram: Point Of Data Acquisition, Order Application, Database, Extraction Application, File, FTP Application, with Storage (Disk) and Backup (Tape); the card number is clear (123456 123456 1234) at acquisition and stored as alphanumeric ciphertext (aVdSaH 1F4hJ5 1D3a) in the database, the extracted file and the FTP transfer. Legend: Protected sensitive information / Unprotected sensitive information]
112. Case 2b: From Selectively Encrypted File to Encrypted Database
[Diagram: Network, FTP Application, File, Application, Database, Storage (Disk), Backup (Tape); the field is drawn as alphanumeric ciphertext (aVdSaH 1F4hJ5 1D3a) or clear (123456 123456 1234) at each stage. Legend: Protected sensitive information / Unprotected sensitive information]
113. Case 3: Goal – Addressing Advanced Attacks & PCI
Continuously encrypted computing: protection of sensitive data fields
[Diagram: Credit Card Entry at the Local Store Location (Branch), Encrypting Gateway, Applications, Files and Databases at the Central HQ Location, Decrypting Gateway, Online Authorization Transaction to the Financial Institution]
114. Case 3: Gateway Encryption
[Diagram: the card number is clear (123456 123456 1234) before the Encrypting Gateway and after the Decrypting Gateway, and field-encrypted (123456 777777 1234) in the Applications, Database, File System, Storage (Disk) and Backup (Tape) in between; attacker positions are marked on the Network and at the applications. Legend: Protected sensitive information / Unprotected sensitive information]
115. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=940287
116. Different ‘Tokenizing’ Approaches & Topologies
[Diagram of four topologies: an Algorithmic Tokenizer inside the Application, where an ‘Encryption’ Algorithm maps the CCN 123456 123456 1234 to ABCDEF GHIJKL 1234; an On-site Local Tokenizer in the Branch Office / Stores that returns a Token and holds Token & Encrypted CCN; an On-site Central Tokenizer at the Home Office / HQ reached over the Network; and an Outsourced / ASP Central Tokenizer, each holding Token & Encrypted CCN]
117. How to Protect the Data Flow Against Advanced Attacks
[Diagram: continuously protected data flow from the Point Of Data Acquisition (123456 123456 1234) through Encrypt (123456 777777 1234 in every intermediate system) to Decrypt immediately before Payment Authorization and before Settlement & Charge-back (123456 123456 1234). Legend: Unprotected sensitive information / Protected sensitive information]
118. How to Protect the Data Flow Against Advanced Attacks
[Same diagram as the previous slide, with the decrypted values (123456 123456 1234) placed at Payment Authorization and Settlement & Charge-back]
119. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466
120. http://www.quest-pipelines.com/newsletter-v7/0706_C.htm
122. Protegrity Solutions
- Protecting data
- Protecting web applications
- Managing data security
124. The Protegrity Defiance© Suite
Data Protection System (DPS)
- Encryption, monitoring, masking
- Database, file and application level
Threat Management System (TMS)
- Web application firewall
Enterprise Security Administrator
- Security policy
- Key management
- Alerting, reporting, and auditing
125. Questions?
If you would like a copy of the slides, please email ulf.mattsson@protegrity.com
126. APPENDIX
127. Current Discussion of Data Protection for PCI DSS
https://www.pcisecuritystandards.org
Protegrity: Participating Organization
- PCI SSC is currently studying the effect of different technologies (i.e. end-to-end encryption, tokenization, chip and PIN etc.) on the standard
- Bob Russo (GM) & PCI SSC are currently working in Europe with the European Payment Council (EPC).
128. PCI Security Standards Council about Data in Transit
- The PCI Security Standards Council (https://www.pcisecuritystandards.org/) manages the PCI DSS standards
- End-to-end encryption is likely to be a central focus as the council seeks input on how this might best be achieved in the payment-card environment through different technologies.
- If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, PCI Security Standards Council says in http://www.networkworld.com/news/2008/100108-pci-credit-card.html?page=2 .
- "Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," PCI Security Standards Council says.
- "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that in 2009."
129. The PCI Knowledge Base (www.KnowPCI.com) – Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey
131. The Major Features of the PCI Knowledge Base (www.KnowPCI.com)
- IT IS FREE TO REGISTER
- INTERACT WITH OUR PANEL OF 85+ PCI EXPERTS
- LATEST PCI NEWS FEEDS
- WE HOST A WEEKLY PCI RESEARCH WEBINAR SERIES
- YOU WON’T SEE THE “KNOWLEDGE BASE” UNTIL YOU ARE LOGGED IN
- ASK QUESTIONS OF PEERS AND ASSESSORS IN OUR FREE PCI DISCUSSION FORUMS
- SEARCH OUR DATABASE OF OVER 3000 BEST PRACTICES FROM MERCHANTS, PCI ASSESSORS, BANKS, CARD PROCESSORS AND MANY OTHERS.
- PURCHASE OUR LATEST RESEARCH REPORTS & TREND ANALYSIS
- WE’VE CONDUCTED 300 HOURS OF ANONYMOUS INTERVIEWS AND HAVE 1800+ MEMBERS
132. Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey
- Interviews with retailers focus on best practices, experiences, QSA and vendor feedback, budgets and priorities.
- Interviews with QSAs, consultants and IT providers focused on vulnerabilities, risks and technology adoption trends.
(450+ Hours)
Source: PCI Knowledge Base, July 2009
133. Why is Tokenization Such a Hot Issue for PCI Compliance?
- Lowers Security Cost – Tokenization reduces or eliminates “sensitive” data from your systems. The less data you have to protect, the less it costs to secure it.
- Reduces Compliance Scope – Only systems that store, process or transmit cardholder data are in PCI scope. By eliminating card data from most or all of your systems, the number of systems that have to be assessed and secured is greatly reduced.
- Lowers Breach Risk – Tokenization replaces data that has “black market” value with data that has no value. If thieves know that you have no valuable data, they have no reason to try to break into your systems.
Source: PCI Knowledge Base, July 2009
134. Why is Tokenization Such a Hot Issue for PCI Compliance?
[Chart; only the title survives]
Source: PCI Knowledge Base, July 2009
135. Multi-Channel Issues: Is One Tokenization Solution Possible?
[Diagram: Buyers 1 to 3 arrive through the front office applications (Virtual) POS, Call Center and Shopping Cart; the back office applications GL / AR / AP, Loss Prevention and Sales Audit receive “Fake” Data from Secure Data Storage, Mgmt & Retrieval, while “Real” Data goes only to Payment Processing (ISO / Processor, Acquiring Bank, Payment Gateway)]
Source: PCI Knowledge Base, July 2009
136. Proving Tokenization Works: Is it Being Used Beyond Pilots / Trials?
- Since June 2008, our interview data has shown a major shift in how merchants, payment processors and PCI assessors view tokenization.
- In our anonymous discussions, we find that more merchants are aware of tokenization, and most are now planning to implement it, or at least considering tokenization.
Source: PCI Knowledge Base, July 2009
137. Cost: How to Compare Tokenization Costs vs PCI Compliance Costs?
ISSUE: The cost savings due to tokenization vs the cost of all PCI controls, not just encryption.
[Diagram: every system in the payment chain (Payment Terminal, POS Server, Polling Server, Temp FTP, Email, Web Store, Call Center, Fraud Mgmt) carries its own Access Controls, Encryption, PW Vaulting and Logging; E2E Encryption & Enterprise Key Management is shown as a needed, but complex, dependency]
ISSUE: E2E encryption will also reduce costs long term, but the up front costs are likely to be higher
Source: PCI Knowledge Base, May 2009
138. Token Options: How and When Can Tokens be Generated & Managed?
[Diagram of three options: OPTION #1, homegrown tokenization, where the ERP Application turns the Card # from In-Store POS Apps into a Token; OPTION #2, Processor Token Mgmt, returning Tokens to Most Web or POS Applications and the E-Commerce Web Host; OPTION #3, Industry Token Mgmt, returning Tokens to Hospitality Applications and Call Center Applications]
The best token generation & management may vary depending on business needs. Hospitality has different transaction timeframes than most retail, for example.
Source: PCI Knowledge Base, July 2009
139. Vendor Decisions: How to Choose Among the Tokenization Options?
ISSUE: Who is best positioned to manage end-to-end encryption?
[Diagram: the candidates are PED / POS Vendors (Encrypt from Swipe to Acquirer), Processors (Outsourced Payment Mgmt Solutions), Corporations (Homegrown tokens, e.g., Hashes) and Encryption SW (Encryption & Key Mgmt SW that generates tokens), placed along the chain Payment Terminal / Card Swipe, POS Terminal w/Payment SW, Store Server w/Payment SW, In-House Payment Gateway / Switch]
ISSUE: How to best reduce the number of data repositories and ensure that “encrypt / decrypt / re-encrypt” cycles are eliminated, so the vulnerabilities can be eliminated or reduced?
Source: PCI Knowledge Base, January 2009
140. Getting the Most Value from Tokenization Solutions
Scalability: The more data repositories and systems that store, process or transmit cardholder (or other confidential) data, the more value you will receive from tokenization. Consider these examples:
[Diagram: systems such as E-Commerce Website, Call Center Applications, In-Store POS Apps, Operations Applications, Fraud / Loss Prevention and Sales Audit System, grouped by merchant size]
- SMEs (Single Channel, Single App). Value added: 1. Data Mgmt; 2. Reduce Risk; 3. Part of data outsourcing
- Mid-Tier Merchants (POS + MOTO Sales Channels + Some Tracking Apps). Value added: 1. Reduces data redundancy; 2. Reduces unauthorized access by employees; 3. May be homegrown
- F1000 Level Merchants (Multi-Channel Business + Internal Data Stores + Service Providers for Sales Analysis, etc.). Value added: 1. Major PCI scope and cost reductions; 2. Identifies risky data flows & processes; 3. Offered as a service by processors or other third parties
MOTO = Mail Order / Telephone Order
Source: PCI Knowledge Base, July 2009
141. Integrating Tokenization: How to Make it “Part of” Applications?
- ISSUE: The debit & credit settlement process often means that ERP, CRM and SCM apps are in PCI scope, and rewriting them is far more costly than PCI compliance.
- ISSUE: The movement of card data among systems creates dozens of different intermediate processes & data stores, greatly increasing risk, and process re-design can take years.
- ISSUE: The average Level 1 or large Level 2 merchant has 4-6 different encryption systems. Complete replacement is not an option for most of them, and enterprise-wide encryption can cost > $1M
Source: PCI Knowledge Base, May 2009
142. Why Keep Card Data at All? When to Outsource Payment Processing
One of the biggest changes we have seen in the last year is the growth in the consideration of outsourcing. Mostly, this is among firms that have been running their own payment gateway across their divisions.
Source: PCI Knowledge Base, May 2009
143. Adopt “Secure Tokenization” to Remove Card Data But Retain Analytics
Current vs Potential Use of Secure Tokenization
A few leading retailers are using secure tokenization systems. But some of the first generation tools and in-house projects are not sufficiently secure and will need to be replaced before they will pass.
Source: PCI Knowledge Base, January 2009
144. The Bottom Line: Tokenization is an Enterprise Strategy
- Tokenization is a strategy when it is applied as a way to centralize and improve the management of confidential data, enterprise-wide.
- Tokenization’s value is not in the “substitution” process but in the management of confidential data.
- Tokenization drives the discovery (and removal) of confidential data from potentially hundreds or thousands of files and DBs across the enterprise.
- Tokenization has tactical value for PCI compliance, because it can greatly reduce the scope of PCI assessment as well as PCI compliance costs.
- Tokenization, at an enterprise level, must not impact system and process performance by making “real” data retrieval impossible or cumbersome.
- Tokenization as an enterprise strategy must be capable of supporting a multi-channel sales and service environment.
- Tokenization does not necessarily require that confidential data be removed from all enterprise systems, but the fewer systems that contain this data, the lower the risk.
- Tokenization providers must be thoroughly vetted, both technically and as service providers, as they become mission critical partners.
Source: PCI Knowledge Base, July 2009
Source: Data Breach Survey, Ponemon Institute, 2006
147. PCI Research
157. Data Protection Formats
158. Preserving the Data Format
[Table: for the clear field 123456 123456 1234, the stored value, its data type and its field length under each method]
- Hash: !@#$%a^&*B()_+!@4#$2%p^&* (binary data, longer than the original)
- Encryption: !@#$%a^&*B()_+!@ (binary data, original length)
- Alphanumeric (token / encoding): aVdSaH 1F4hJ5 1D3a (text data, original length)
- Encoding: 666666 777777 8888 (numeric data, original length)
- Partial encryption: 123456 777777 1234 (numeric data, original length)
- Clear text: 123456 123456 1234 (numeric data, original length)
This is a generalized example
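The format comparison on this slide, together with the two-way (restorable) masking asked for in "Use of production data in a test system", shown in code as an added example that is neither the presentation's nor Protegrity's: a keyed hash that is longer than the field and not reversible, and a numeric token that keeps the field's length and type, keeps the first six and last four digits (the 123456 777777 1234 pattern), and can be reversed only through the token vault, which stands in for the "index pad". The PAN, the HMAC key and the in-memory vault are constructed for the example, and rejecting tokens that pass the Luhn check is a design assumption.

```python
"""Field-level protection formats on a constructed sample PAN (added example).

Compares what each method leaves in the stored field:
  keyed hash  -> fixed 64 hex characters, longer than the field, not reversible
  token       -> same length and type as the PAN, first 6 and last 4 digits kept,
                 reversible only through the vault (the 'index pad')
The PAN and key are constructed sample values; this is not production code.
"""
import hashlib
import hmac
import secrets

SAMPLE_PAN = "1234561234561234"   # constructed, not a real card number
SAMPLE_KEY = b"constructed-demo-key-rotate-in-production"


def keyed_hash(pan: str, key: bytes = SAMPLE_KEY) -> str:
    """Keyed hash (HMAC-SHA-256): deterministic, but not checkable without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def luhn_valid(number: str) -> bool:
    """Luhn check as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a central tokenizer.

    A real vault keeps the token -> PAN map under strong encryption with the
    key held by the central key manager; here it is a plain dict for illustration.
    """

    def __init__(self, key: bytes = SAMPLE_KEY, keep_first: int = 6, keep_last: int = 4):
        self._key = key
        self._keep_first = keep_first
        self._keep_last = keep_last
        self._pan_by_token = {}
        self._token_by_hmac = {}   # keyed-hash lookup, so the PAN is stored only once

    def tokenize(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a new one."""
        if not (pan.isdigit() and len(pan) > self._keep_first + self._keep_last):
            raise ValueError("PAN must be all digits and longer than the kept prefix+suffix")
        lookup = keyed_hash(pan, self._key)
        if lookup in self._token_by_hmac:
            return self._token_by_hmac[lookup]
        middle_len = len(pan) - self._keep_first - self._keep_last
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = pan[:self._keep_first] + middle + pan[-self._keep_last:]
            # Reject the PAN itself, collisions, and anything passing Luhn, so a
            # token can never be mistaken for a live card number (design assumption).
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_hmac[lookup] = token
        return token

    def detokenize(self, token: str) -> str:
        """Two-way step: restores the PAN, so access to it must be limited and audited."""
        return self._pan_by_token[token]


def describe_formats(pan: str, vault: TokenVault):
    """Stored value, its length and whether it is reversible, per method on the slide."""
    token = vault.tokenize(pan)
    digest = keyed_hash(pan)
    return {
        "clear": (pan, len(pan), True),
        "keyed hash": (digest, len(digest), False),
        "token": (token, len(token), True),
    }


if __name__ == "__main__":
    for method, (value, length, reversible) in describe_formats(SAMPLE_PAN, TokenVault()).items():
        print(f"{method:<11} {value:<64} len={length:<3} reversible={reversible}")
```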
159. Field Level Data Protection Methods vs. Time
[Chart: Protection Level (Medium to High) over Time for Tokenized Data (highest), Strong Encryption (AES CBC) with Key Rotation, Keyed Hash (HMAC), Format Controlling Encryption (AES FCE), and Plain Hash (SHA-1 on CCN) (lowest)]
160. Format Controlling Encryption vs. Time
[Chart: Protection Level (Medium to High) over Time for Tokenized Data (highest), AES FCE (numeric & IV), and AES FCE (alphanumeric & fix IV) (lowest)]
161. Field Level Data Protection Methods vs. Time
[Chart: Protection Level (Medium to High) over Time for Tokenized Data (highest), AES CBC (rotating IV), AES CBC (fix IV, long data), AES CBC (fix IV, short data), and AES ECB (lowest)]
162. Application Transparency
[Chart: Transparency level (Low to High) against Security Level for Database File Encryption, 3rd Party Database Column Encryption, Native Database Column Encryption, Smart Tokens, Tokens, Key based Hash (HMAC) and Plain Hash (SHA-2)]
163. PCI DSS Testing Procedures
164. PCI 3.1 Keep cardholder data storage to a minimum.
165. PCI 3.2 Do not store sensitive authentication data
166. PCI 3.3 Mask PAN when displayed
167. PCI 3.4 Render PAN unreadable anywhere it is stored
168. PCI 3.5 Protect cryptographic keys
169. PCI 3.6 Fully document and implement all key-management processes and procedures