Slide 1: PCI DSS Compliance
Ulf Mattsson, CTO
Ulf.mattsson @ protegrity.com

Slide 2: Bio
- 20 years with IBM Development & Services
- IBM Software Development & IBM Research consulting resource
- IBM Certified in IT Architecture & IT Security
- Created Protegrity's Data Security Technology
- Protegrity Policy driven Data Encryption (1994)
- Inventor of 20+ patents in the areas of Encryption Key Management, Separation of Duties, Policy Driven Data Encryption, Tokenization, Internal Threat Protection, Data Usage Control, Dynamic Access Control, Intrusion Prevention and Cross System Layer Security
- Master's degree in Physics and degrees in Finance and Electrical Engineering
- Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
- Member of IEEE, OASIS, Computer Security Institute (CSI), Object Management Group (OMG) CORBA Security Service, Open Web Application Security Project (OWASP), Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), The International Association of Science and Technology for Development (IAST), The Medical Records Institute (MRI), and The World Scientific and Engineering Academy and Society for Computer Security (WSEAS)

Slide 3: PCI DSS Compliance (section title)

Slide 4: Agenda
- PCI Information Sources
- Data Protection Options for PCI and Beyond
- PCI Case Studies
- Advanced Attacks on Data Flow
- Appendix: PCI Feedback; Determining Risks; Cost Effective Approach; Resources

Slide 5: Source of Information about PCI DSS
http://www.knowpci.com

Slide 6: (image only)

Slide 7: Current Discussion of Data Protection for PCI DSS
https://www.pcisecuritystandards.org
Protegrity: Participating Organization
The PCI SSC is currently studying the effect on the standard of different technologies (end-to-end encryption, tokenization, chip and PIN, etc.).
Bob Russo (GM) and the PCI SSC are currently working in Europe with the European Payment Council (EPC).

Slide 8: PCI Security Standards Council about Data in Transit
The PCI Security Standards Council (https://www.pcisecuritystandards.org/) manages the PCI DSS standards.
End-to-end encryption is likely to be a central focus as the council seeks input on how this might best be achieved in the payment-card environment through different technologies. If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, the PCI Security Standards Council says in http://www.networkworld.com/news/2008/100108-pci-credit-card.html?page=2 .
"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," the PCI Security Standards Council says. "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that in 2009."

Slide 9: (image only)

Slide 10: (image only)

Slide 11: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=940287

Slide 12: (image only)

Slide 13: http://ssrn.com/abstract=1126002

Slide 14: PCI DSS 1.2 Applicability Information & PII Aspects

Slide 15: Discussion of Data Protection for PCI DSS

Slide 16: Requirement 3: Protect stored cardholder data
Section 3.4: Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography
- Truncation
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures
The MINIMUM account information that must be rendered unreadable is the PAN.
Notes:
- If for some reason a company is unable to render the PAN unreadable, refer to Appendix B: Compensating Controls.
- "Strong cryptography" is defined in the PCI DSS Glossary of Terms, Abbreviations, and Acronyms.

Slide 17: Requirement 3: Protect stored cardholder data
Section 3.5: "Protect encryption keys used for encryption of cardholder data against both disclosure and misuse.
3.5.1 Restrict access to keys to the fewest number of custodians necessary
3.5.2 Store keys securely in the fewest possible locations and forms."
Section 3.6: "Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following:
3.6.1 Generation of strong keys
3.6.2 Secure key distribution
3.6.3 Secure key storage
3.6.4 Periodic changing of keys
  - As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically. At least annually.
3.6.5 Destruction of old keys
3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)
3.6.7 Prevention of unauthorized substitution of keys
3.6.8 Replacement of known or suspected compromised keys
3.6.9 Revocation of old or invalid keys"

Slide 18: Requirement 3.6.6: Split knowledge and dual control
- Split knowledge and dual control of keys requires two or three people, each knowing only their part of the key, to reconstruct the whole key.
- The principle behind dual control and split knowledge is that both are required to access the clear-text key.
- Only a single master key needs to be placed under this control.
- The determination of any part of the key must require collusion between at least two trusted individuals.
- Any feasible method to violate this axiom means that the principles of dual control and split knowledge are not being upheld.
- At least two people are required to 'reconstruct' the key, and each must have a physical thing and each must have some information that is required.
- The use of a key in memory to encipher or decipher data, or access to a key that is enciphered under another key, does not require such control under PCI DSS.
- For keys appearing in the clear in memory, the principles of dual control and split knowledge are difficult but not impossible to enforce.
- Please review http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1126002 for additional discussion.
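The "two or three people, each knowing only their part of the key" wording of 3.6.6 is exactly a threshold secret-sharing scheme. The following is an added example, not code from the presentation or from Protegrity: a 2-of-3 Shamir split of a 256-bit master key over the prime field GF(2^521 - 1). Any two custodians can reconstruct the key; a single share is a uniformly random field element and reveals nothing about it. The custodian names, the key bytes and the share format are assumptions made for the example.

```python
"""Split knowledge and dual control for a cardholder-data master key.

Added example (not from the presentation). 2-of-3 Shamir secret sharing
over GF(p), p = 2^521 - 1: the key is the constant term of a random
degree-1 polynomial, each custodian gets one point on it, and any two
points interpolate the key. Custodian names and key bytes are assumed.
"""
import secrets
from typing import List, Tuple

# 2^521 - 1 is a Mersenne prime and larger than any 256-bit key, so every
# key value is a valid field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, y) with y = f(x) mod PRIME


def split_key(key: bytes, threshold: int = 2, shares: int = 3) -> List[Share]:
    """Split `key` into `shares` shares, any `threshold` of which recover it."""
    if not 1 < threshold <= shares < PRIME:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # a_0 is the key; a_1 .. a_{t-1} are uniformly random and must never be logged.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule: y = f(x) mod p
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def reconstruct_key(points: List[Share], key_len: int = 32) -> bytes:
    """Lagrange-interpolate f(0) from at least `threshold` distinct shares.

    Too few shares do not fail loudly in the math; they yield a random
    field element. Such a value almost never fits in key_len bytes, and a
    real key ceremony verifies a key check value after reconstruction.
    """
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME       # product of (0 - x_j)
                den = (den * (xi - xj)) % PRIME   # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > key_len * 8:
        raise ValueError("reconstructed value too large: wrong or too few shares")
    return secret.to_bytes(key_len, "big")


def ceremony_demo() -> bool:
    """Key ceremony: generate a key, hand out shares, rebuild from any two."""
    key = secrets.token_bytes(32)
    custodians = dict(zip(("security officer", "dba manager", "auditor"), split_key(key)))
    # Any two custodians together recover the key ...
    rebuilt = reconstruct_key([custodians["security officer"], custodians["auditor"]])
    # ... one custodian alone does not.
    try:
        reconstruct_key([custodians["dba manager"]])
        alone_fails = False
    except ValueError:
        alone_fails = True
    return rebuilt == key and alone_fails
```

The "physical thing plus information" requirement on the slide maps onto handing each share to its custodian on a smart card or sealed envelope plus a PIN; the arithmetic above only covers the "information" half.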
Slide 19: Key Management Standards & Vendors
Currently KM vendor products support different and isolated areas (tape, storage, network, end points, ...). Over time (maybe years from now) the emerging KM standards will be finalized (and hopefully converge) and eventually be supported by major KM vendor products (and end point platforms that actually can use the keys).
This is a list of the major (and conflicting) emerging KM standards and guidelines:
- OASIS KMIP TC is very broad, including e-mail encryption and more, compared to the mainly storage-related IEEE P1619.3 and EKMI, which is primarily symmetric-key focused.
- KMIP TC is not directly related to the more mature P1619.x and specifically P1619.3, though they share many members.
- ANSI X9.24 addresses management of symmetric keys with a focus on the financial and retail industry.
- NIST SP 800-57 is a very solid recommendation for key management and key states.
- IETF KEYPROV is defining how to provision symmetric keys.
- SKSML from the OASIS EKMI group is defining a protocol for acquiring symmetric keys.

Slide 20: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1051481

Slide 21: PCI – Compensating Controls

Slide 22: Data Protection Challenges
- Actual protection is not the challenge
- Management of solutions: key management, reporting, policy
- Minimizing impact on business operations: performance vs. security
- Minimizing impact (and costs): changes to applications, impact on downstream systems, time

Slide 23: Addressing Data Protection Challenges
- Full mapping of the sensitive data flow: where is the data, where does it need to be
- Identify what data is needed for processing in which applications
- What are the performance SLAs
- Understand the impact of changing/removing data: will it break legacy systems
- Address PCI, strategize for the larger security issue

Slide 24: Data Protection Approaches
- Data Access Control: how the data is presented to the end user and/or application
- Data Protection: how sensitive data is rendered unreadable

Slide 25: Data Protection Options: Data Stored As
- Clear: actual value is readable
- Hash: unreadable, not reversible
- Encrypted: unreadable, reversible
- Replacement value (tokens): unreadable, reversible
- Partial encryption/replacement: unreadable, reversible

Slide 26: Data Protection Options: Data in the Clear
- Audit only; masking; access control limits
- Advantages: low impact on existing applications, performance, time to deploy
- Considerations: underlying data exposed, breach discovered after the fact, PCI aspects

Slide 27: Data Protection Options: Hash
- Non-reversible, strong protection
- Keyed hash (HMAC); unique value if a salt is used
- Advantages: none really
- Considerations: key rotation for keyed hash; size and type; transparency
- Caveat: a PAN has far less entropy than its 16 digits suggest (fixed BIN, Luhn check digit, last four often stored or displayed in the clear), so an unkeyed hash of a PAN can be brute-forced; "one-way hashes based on strong cryptography" in 3.4 should be read as a keyed hash whose key is managed under 3.5 and 3.6.
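To show why the chart later in the deck ranks "Plain Hash (SHA-1 on CCN)" below a keyed hash, here is an added example (not code from the presentation). With the first six and last four digits known, which is exactly what PCI permits to be displayed, only five of the middle digits are free; the sixth is fixed by the Luhn check, so the whole space is 100,000 candidates. The same search against an HMAC fails without the key. The PAN, BIN, last four and key are constructed test values.

```python
"""A plain hash of a PAN is reversible by brute force; a keyed hash is not.

Added example (not from the presentation). Given SHA-1(PAN) plus the
visible first six and last four digits, the attacker enumerates the
remaining digits; the Luhn check digit removes one of them from the
search. HMAC under a secret key has no such shortcut without the key.
All card numbers and keys below are constructed test data.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Optional


def _luhn_value(index_from_right: int, digit: int) -> int:
    """Luhn contribution of one digit; every second digit from the right is doubled."""
    if index_from_right % 2 == 0:
        return digit
    doubled = digit * 2
    return doubled - 9 if doubled > 9 else doubled


def luhn_ok(pan: str) -> bool:
    return sum(_luhn_value(i, int(ch)) for i, ch in enumerate(reversed(pan))) % 10 == 0


def plain_hash(pan: str) -> str:
    """What the slides call 'Plain Hash (SHA-1 on CCN)'."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256); the key must be managed like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, bin6: str, last4: str,
                hasher: Callable[[str], str]) -> Optional[str]:
    """Recover a 16-digit PAN from hasher(PAN) given its first six and last four digits.

    Positions 6..10 (from the left) are enumerated. Position 11 sits at an
    even index from the right, so it enters the Luhn sum undoubled and can
    be solved for directly instead of enumerated: 10^5 candidates, not 10^6.
    """
    n = 16
    known = {i: int(ch) for i, ch in enumerate(bin6)}
    known.update({n - 4 + i: int(ch) for i, ch in enumerate(last4)})
    fixed = sum(_luhn_value(n - 1 - pos, d) for pos, d in known.items())
    for mid in itertools.product(range(10), repeat=5):
        partial = fixed + sum(_luhn_value(n - 1 - (6 + k), d) for k, d in enumerate(mid))
        check = (-partial) % 10  # the digit at position 11 that makes the Luhn sum 0 mod 10
        pan = bin6 + "".join(map(str, mid)) + str(check) + last4
        if hasher(pan) == target:
            return pan
    return None
```

The search runs in well under a second on a laptop for SHA-1. Note that the attack also works against the HMAC for anyone who holds the key, which is why the slide lists key rotation as a consideration for keyed hashes.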
Slide 28: Data Protection Options: Strong Encryption
- Industry standard (NIST modes: AES CBC, ...); highest security level
- Advantages: widely deployed, compatibility, performance
- Considerations: storage and type; transparency to applications; key rotation

Slide 29: Data Protection Options: Format Controlling Encryption
- Maintains data type and length
- Advantages: reduces changes to downstream systems; storage; partial encryption
- Considerations: performance; security and compliance; key rotation; transparency to applications

Slide 30: Data Protection Options: Replacement Value (i.e. tokens, alias)
- Proxy value created to replace original data; centrally managed and protected
- Advantages: no changes to most downstream systems; out of scope for compliance; no local key rotation; partial replacement
- Considerations: transparency for applications needing the original data; availability and performance for applications needing the original data
- Caveat: "out of scope" applies to the systems that hold only tokens; the tokenizer and its vault store the real PANs and stay fully in scope.

Slide 31: Different 'Tokenizing' Approaches & Topologies (diagram)
- Algorithmic tokenizer: the application applies an 'encryption' algorithm locally; CCN 123456 123456 1234 becomes ABCDEF GHIJKL 1234
- On-site local tokenizer at the branch office/store: returns the token and keeps the token plus the encrypted CCN
- On-site central tokenizer at the home office/HQ: the token is returned over the network; the token and encrypted CCN are held centrally
- Outsourced/ASP central tokenizer: same as the central model, hosted by the ASP

Slide 32: Limit Exposure across the Data Flow: Partial Encryption/Tokenizing (diagram)
- A policy driven approach: decide what sensitive bytes to protect
- A high level of transparency to applications
- Many applications/tools only move data around and see 123456 777777 1234
- Some applications need partial clear data
- Few applications need full clear data, and only they perform decryption

Slide 33: How to Protect the Data Flow Against Advanced Attacks (diagram)
- Point of data acquisition holds the unprotected value 123456 123456 1234 and encrypts it
- Continuously protected data flow: every hop in between carries 123456 777777 1234
- Decrypt only at payment authorization and at settlement & charge-back, which again see 123456 123456 1234
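The slides on tokens, tokenizing topologies and the partially protected data flow (123456 777777 1234) describe one mechanism from three angles. The following is an added example, not code from the presentation or from Protegrity: a central token vault that keeps the BIN and last four in the clear, replaces the middle digits with random ones, returns the same token for a repeated PAN so joins and reporting work on tokens alone, and only hands the PAN back to the roles the data-flow slide lets decrypt. It generalises slightly beyond the 16-digit case to any 13-19 digit PAN. The in-memory dict, the role names and the index key are assumptions.

```python
"""Partial tokenization of a PAN with a central token vault.

Added example (not from the presentation). Produces the slides'
'123456 777777 1234' pattern: first six and last four digits stay in
the clear, the middle digits are replaced by random digits, and only
the vault can map a token back. The vault is an in-memory dict and the
detokenization policy (roles) is an assumption for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class TokenVault:
    # Policy taken from the data-flow slide: only these consumers need the real PAN.
    DETOKENIZE_ROLES: Set[str] = {"payment_authorization", "settlement"}

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_to_pan: Dict[str, str] = {}
        # HMAC(PAN) -> token: lets the vault find an existing token for a PAN
        # without keeping a second clear copy or an unkeyed hash of it.
        self._pan_index: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token for `pan`; repeat PANs get the same token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        head, tail = pan[:6], pan[-4:]
        middle_len = len(pan) - 10
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(middle_len))
            token = head + middle + tail
            # The token must not be the PAN itself and must not reuse another
            # PAN's token. It may by chance look like some other real card
            # number; that is harmless because only the vault can detokenize.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan  # a production vault encrypts this column
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> Optional[str]:
        """Return the PAN for `token` (None if unknown); refuse unauthorized roles."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan.get(token)
```

Every system between the point of acquisition and settlement can then carry, store and back up the token; the only components that still hold cardholder data, and therefore stay in PCI scope, are the vault and the two detokenizing consumers.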
Slide 34: Applications are Sensitive to the Data Format (chart, a generalized example)
- Data types from most to least intrusive: binary (hash), binary (encryption), alphanumeric (token), numeric (token), numeric (clear text)
- Share of applications that can consume each: from no applications, through few, many and most, to all applications for numeric clear text
- Field length: original vs. longer
- Increased intrusiveness means application changes, limitations in functionality, limitations in data search and performance issues

Slide 35: Preserving the Data Format (chart, a generalized example)
- Hash: !@#$%a^&*B()_+!@4#$2%p^&* (binary, longer than the original)
- Encryption: !@#$%a^&*B()_+!@ (binary)
- Alphanumeric token/encoding: aVdSaH 1F4hJ5 1D3a (text data)
- Encoding: 666666 777777 8888 (numeric data)
- Partial encryption: 123456 777777 1234 (numeric, original length)
- Clear text: 123456 123456 1234

Slide 36: Field Level Data Protection Methods vs. Time (chart)
Protection level (high to medium) over time, in the order shown: tokenized data; strong encryption (AES CBC) with key rotation; keyed hash (HMAC); format controlling encryption (AES FCE); plain hash (SHA-1 on CCN).

Slide 37: Format Controlling Encryption vs. Time (chart)
Protection level over time: tokenized data (high); AES FCE (numeric, with IV); AES FCE (alphanumeric, fixed IV) (medium).

Slide 38: Field Level Data Protection Methods vs. Time (chart)
Protection level over time: tokenized data (high); AES CBC (rotating IV); AES CBC (fixed IV, long data); AES CBC (fixed IV, short data); AES ECB (medium).
Reason for the ordering: ECB, and CBC with a fixed IV, are deterministic, so equal PANs give equal ciphertexts across rows and a chosen-plaintext dictionary becomes possible; the short, low-entropy PAN makes this worse than it would be for long data.

Slide 39: Data Protection Options & Cost Factors (chart: highest to lowest)

Slide 40: Data Protection Capabilities (chart: highest to lowest)

Slide 41: Data Protection Implementation Choices
- Data protection options are not mutually exclusive
- Data protection layers: application, database, file system
- Data protection topologies: remote services, local service
- Data security management: central management of keys, policy and reporting

Slide 42: Data Protection Implementation Choices (chart: highest to lowest)

Slide 43: Column Encryption Performance: Different Topologies (chart)
- Rows per second from 1,000 to 10,000,000
- Platforms: data warehouse, mainframe, Unix, Windows
- Workloads: data loading (batch); queries (data warehouse & OLTP)
- Encryption topology: network attached encryption (SW/HW) vs. local encryption (SW/HW)

Slide 44: Generalization: Encryption at Different System Layers (chart)
Ease of deployment (transparency) and separation of duties (security level), high to low, compared across the encryption layers: storage layer (SAN/NAS, ...), file system layer, database layer, application layer.

Slide 45: Application Transparency: Encryption, Tokens & Hashing (chart)
Transparency level (high to low) for database encryption, smart tokens and hashing across database operations: look-up, range search, processing of clear values.

Slide 46: Application Transparency (chart)
Transparency level (high to low) vs. security level for: database file encryption, 3rd party database column encryption, native database column encryption, smart tokens, tokens, key based hash (HMAC), plain hash (SHA-2).

Slide 47: Business Value vs. Ease of Compliance (chart)
Ease of compliance (high) vs. business value: from deleting data (lost data), through one-way masking and two-way masking, to clear data (reusable data); methods placed on the chart: encryption, tokenizing, hashing, simple masking.

Slide 48: Protecting the Data Flow: Case Studies (section title)

Slide 49: Data Level Attacks (diagram)
Attack points across the architecture: DBA attack on the DB server; malware/trojan on the end point; OS admin file attack on servers; SQL injection against web apps; sniffer attack on the network; media attack on SAN, NAS and tape. Components shown: end point, internal users, enterprise apps, DB server, web apps, load balancing, SAN/NAS/tape, trusted segment, DMZ, proxies and firewalls, IDS/IPS, wireless, network devices, Internet.

Slide 50: Case Studies
- One of the most widely recognized credit and debit card brands in the world: their volume of data is in the multiple billions of rows and they needed a solution that would not degrade performance.
- Major financial institution: protecting high-worth clients' financial information. Central key management and separation of duties were of the utmost importance.
- One of the world's largest retailers: protecting the flow of sensitive credit card information from the store, through back office systems and into the data warehouse and storage. Central key management and the ability to support thousands of stores were critical for this success. Transparent to existing applications. Protect sensitive information in their Teradata data warehouse, iSeries (AS/400), zSeries (mainframe), Oracle and MS SQL Server, and protect files that reside across platforms including Unix and z/Series.

Slide 51: Security for the Sensitive Data Flow (diagram)
Points of collection (retail locales, web apps, store back office applications, store DB, T-logs and journals) in branches/stores feed a polling server and aggregation at HQ, then a multiplexing platform, ERP, operations, reports, analytics (detailed analytical archive, focused/summary analytical, tactical, active access/alerting) and partners (financial institutions). Data is shown protected ($%&#, $%^&, *@K$, 7ks##@) at each stage; a policy manager distributes policy to every component and logs are collected throughout.

Slide 52: Case 1: Goal: PCI Compliance & Application Transparency (diagram)
Credit card entry at the local store location (branch) into an application; file encryption (Windows); FTP to the central HQ location; application with file encryption (Windows, UNIX, Linux, z/OS) and database encryption (DB2 on z/OS and iSeries, Oracle, SQL Server); settlement batch with file encryption to the financial institution.

Slide 53: Case 1: File Encryption & FTP (diagram)
The POS application and FTP application handle the unprotected value 123456 123456 1234 in memory; the file system, storage (disk) and backup (tape) hold the protected value @$%$^D&^YTOIUO*^. Attackers are shown on the network and at the application.

Slide 54: Case 1: From Encrypted File to Encrypted Database (diagram)
The FTP application receives the encrypted file (@$%$^D&^YTOIUO*^); the loading application decrypts it and handles 123456 123456 1234 in the clear before writing to the encrypted database. Attackers on the network and at the application can see the clear value at that point.

Slide 55: Case 2a: Goal: Addressing Advanced Attacks & PCI (diagram)
Continuously encrypted computing: protection of sensitive data fields. Application encryption at credit card entry in the local store location (branch); FTP to the central HQ location; applications at HQ with file encryption (Windows, UNIX, Linux, z/OS) and database encryption (DB2, Oracle, SQL Server); decryption only for the settlement FTP to the financial institution.

Slide 56: Case 2a: Application Encryption to Encrypted Database (diagram)
The POS application at the point of data acquisition sees 123456 123456 1234 and encrypts the field; the network, downstream application, database, file system, storage (disk) and backup (tape) all carry 123456 777777 1234.

Slide 57: Case 2b: Goal: Addressing Advanced Attacks & PCI (diagram)
Continuously encrypted computing: protection of sensitive data fields. Database encryption (SQL Server) at the local store location; FTP; database encryption (DB2 z/OS) at the central HQ location.

Slide 58: Case 2b: From Encrypted Database to File & FTP (diagram)
The order application at the point of data acquisition sees 123456 123456 1234; the database stores aVdSaH 1F4hJ5 1D3a, and the extraction application, FTP application, file, storage (disk) and backup (tape) all carry the protected value.

Slide 59: Case 2b: From Selectively Encrypted File to Encrypted Database (diagram)
The FTP application, file, database, storage (disk) and backup (tape) carry aVdSaH 1F4hJ5 1D3a; the clear value 123456 123456 1234 exists only in the application that needs it.

Slide 60: Case 3: Goal: Addressing Advanced Attacks & PCI (diagram)
Continuously encrypted computing: protection of sensitive data fields. Credit card entry at the local store location (branch) passes through an encrypting gateway for the online authorization transaction; applications, files and databases at the central HQ location hold protected fields; a decrypting gateway sits before the financial institution.

Slide 61: Case 3: Gateway Encryption (diagram)
123456 123456 1234 exists before the encrypting gateway and after the decrypting gateway; between them the network, applications, database, file system, storage (disk) and backup (tape) carry 123456 777777 1234, so attackers on the network and at the applications see only protected data.
Slide 62: Determine Risk
Data Security Risk = Data Value * Exposure
- Enables prioritization
- Groups data for pot...

Slide 63: Matching Data Protection Solutions with Risk Level
Risk / Solutions: Low Risk (1-5): Monito...

Slide 64: Matching Data Protection Solutions with Risk Level
Risk / Solutions: Low Risk (1-5): Monito...

Slide 65: Estimate Costs
Cost = Solution Cost + Operations Cost
Solution Cost = cost to license or develop, install and ma...

Slide 66: Operation Cost Factors
- Performance: impact on operations (end users, data processing windows)
- Storage
- I...

Slide 67: Operation Cost Factors
- Solution should be able to change with the environment
- Progress from less to more secure ...

Slide 68: Data Security Management
- An integral part of technical and business process
- Security Policy
- Centralized con...

Slide 69: Cost Effective Data Protection
- Uses Risk as an adjusting factor for determining a Data Protection strategy
- Risk=...

Slide 70: How to Protect the Data Flow Against Advanced Attacks (diagram)
Point of data acquisition: 123456 123456 1234 ...

Slide 71: How to Protect the Weak Links in your Data Flow
Review Risk & Determine Protection Approach
- Ana...
- Identify Assets and Assign Business Value to each
- Identify Vulnerabilities for each Asset
- Identify potential Attack Vectors & Attackers
- Assess the Risk
- Compliance Aspects
- Select Data Protection Points & Protection Methods
Assess Total Impact
- Functionality Limitations
- Performance & Scalability
- Application Transparency
- Platform Support & Development Life Cycle Support
- Key Management, Administration & Reporting
- Deployment Cost, Time & Risk
Adjust

Slide 72: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466

Slide 73: http://www.quest-pipelines.com/newsletter-v7/0706_C.htm

Slide 74: http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf

Slide 75: Data Masking – One-way vs. Two-way (chart)
Data Quality & Exposed Details; 3rd Party Interface; Testing ...

Slide 76: (image only)

Slide 77: Separation of Duties (DBA) (chart)
Database Column Encryption: Yes / No ...
Published on SlideShare as: New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009

Speaker notes
• We have taken representative approaches from each class: clear, strong encryption, FPE, tokens, hashing, and masking. We would like to explore the characteristics of each class of data protection against the cost criteria: performance, storage, security, transparency.
• Hand off to Ulf. This is a 'simplistic' calculation, but for this purpose this is really all that is needed. You are using this to determine the right data protection solutions for your data.
• Pick a risk value, apply here, choose solutions.
• The main challenge for protecting data isn't the technology itself; on the internet one can get algorithms to encrypt or hash data. The real challenge for an enterprise is the management of the solution.
• Our definition of "risk" may not equal a true risk professional's, but it does make the point.
• Integrated

66. Determine Risk
Data Security Risk = Data Value * Exposure
Enables prioritization
Groups data for potential solutions

67. Matching Data Protection Solutions with Risk Level
Risk                 Solutions
Low Risk (1-5)       Monitor
At Risk (6-15)       Monitor, mask, access control limits, format control encryption
High Risk (16-25)    Replacement, strong encryption

68. Matching Data Protection Solutions with Risk Level (continued)
Select risk-adjusted solutions for costing (same table as the previous slide).

69. Estimate Costs
Cost = Solution Cost + Operations Cost
Solution Cost = cost to license or develop, install and maintain
Operations Cost = cost to change applications, impact on downstream systems, meeting SLAs, user experience

70. Operation Cost Factors
Performance: impact on operations - end users, data processing windows
Storage: impact on data storage requirements
Security: how secure is the data at rest; impact on data access – separation of duties
Transparency: changes to application(s); impact on supporting utilities and processes

71. Operation Cost Factors
Solution should be able to change with the environment
Progress from less to more secure solution, or the reverse
Add new defenses for future threats
Plug into existing infrastructure, integrate with other systems

72. Data Security Management
An integral part of technical and business process
Security Policy: centralized control of security policy; consistent enforcement of protection; separation of duties
Reporting and Auditing: compliance reports; organization-wide security event reporting; alerting; integration with SIM/SEM
Key Management

73. Cost Effective Data Protection
Uses risk as an adjusting factor for determining a data protection strategy
Risk = Data Value * Exposure
Determines solutions that fit the risk level, then determines cost
Cost = Solution Cost + Operational Cost
Prepare for the future
74. How to Protect the Data Flow Against Advanced Attacks
Diagram: continuously protected data flow. The PAN is unprotected as 123456 123456 1234 at the Point Of Data Acquisition, encrypted (Encrypt) to 123456 777777 1234 and carried in that form, then decrypted (Decrypt) for Payment Authorization and for Settlement & Charge-back, where it is again 123456 123456 1234.
75. How to Protect the Weak Links in your Data Flow
Review Risk & Determine Protection Approach
  - Analyze the Data Flow
  - Identify Assets and Assign Business Value to each
  - Identify Vulnerabilities for each Asset
  - Identify potential Attack Vectors & Attackers
  - Assess the Risk
  - Compliance Aspects
  - Select Data Protection Points & Protection Methods
Assess Total Impact
  - Functionality Limitations
  - Performance & Scalability
  - Application Transparency
  - Platform Support & Development Life Cycle Support
  - Key Management, Administration & Reporting
  - Deployment Cost, Time & Risk
Adjust
87. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466
88. http://www.quest-pipelines.com/newsletter-v7/0706_C.htm
89. http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf
90. Data Masking – One-way vs. Two-way
Chart: Data Quality & Exposed Details (High – Low) plotted across the Information Life Cycle (Development, Testing, Staging, Production, Operational, Analytics, Archive). Use cases shown: 3rd Party Interface, Testing, Data Entry, Partner Interface, Fire Fighting, each labelled Two-Way Masking or One-Way Masking. Legend: protected vs. unprotected sensitive information.
92. Separation of Duties (DBA)
                              Database Column   Database Table   Database File
                              Encryption        Encryption       Encryption
Separation of Duties (DBA)    Yes               No               No
Index Protection              Yes               No               No
93. The Goal: Good, Cost Effective Security
The goal is to deliver a solution that balances security, cost, and impact on the current business processes and user community
Security plan - short term, long term, ongoing
How much is ‘good enough’?
Security versus compliance: Good Security = Compliance; Compliance ≠ Good Security
94. Risk Adjusted Data Protection
Assign value to your data
Assess exposure
Determine risk
Understand which data protection solutions are available to you
Estimate costs
Choose the most cost-effective method

95. Assign Value to Your Data
Identify sensitive data
  - If available, utilize a data classification project
  - Rank what is sensitive on its own (think PCI)
  - Consider what is sensitive in combination (think Privacy)
How valuable is the data to (1) your company and (2) a thief?
  - Corporate IP, credit card numbers, personally identifiable information
Assign a numeric value: high = 5, low = 1

96. Assess Exposure
Locate the sensitive data
  - Applications, databases, files, data transfers across internal and external networks
Location on network
  - Segmented
  - External- or partner-facing application
Access
  - How many users have access to the sensitive data?
  - Who is accessing sensitive data?
  - How much and how frequently is data being accessed?
Assign a numeric value: high = 5, low = 1

97. Determine Risk
Data Security Risk = Data Value * Exposure
Enables prioritization
Groups data for potential solutions
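Added worked example (not from the presentation and not Protegrity's code) of the risk and cost model on the Determine Risk, Matching Data Protection Solutions and Estimate Costs slides, repeated in the Risk Adjusted Data Protection slides above; the asset scores and cost figures are constructed:

```python
"""Risk-adjusted data protection as modelled in the deck: Risk = Data Value * Exposure
(each scored 1..5, so risk is 1..25), bands 1-5 / 6-15 / 16-25, and Cost = Solution Cost +
Operations Cost. The sample assets and cost figures below are constructed, not from the slides."""
from dataclasses import dataclass
# Solution sets per band, as on the "Matching Data Protection Solutions" slide.
BANDS = (
    (1, 5, "Low Risk", ("Monitor",)),
    (6, 15, "At Risk", ("Monitor", "Mask", "Access control limits", "Format control encryption")),
    (16, 25, "High Risk", ("Replacement", "Strong encryption")),
)

@dataclass(frozen=True)
class Asset:
    name: str
    data_value: int  # 1 (low) .. 5 (high): worth to the company and to a thief
    exposure: int    # 1 (low) .. 5 (high): network location, segmentation, who accesses it

def risk_score(data_value: int, exposure: int) -> int:
    """Data Security Risk = Data Value * Exposure; both inputs must be scored 1..5."""
    if not (1 <= data_value <= 5 and 1 <= exposure <= 5):
        raise ValueError("data value and exposure are scored 1..5")
    return data_value * exposure

def risk_band(score: int):
    """Return (band label, candidate solutions) for a risk score in 1..25."""
    for lo, hi, label, solutions in BANDS:
        if lo <= score <= hi:
            return label, solutions
    raise ValueError(f"risk score {score} outside 1..25")

def total_cost(solution_cost: float, operations_cost: float) -> float:
    """Cost = Solution Cost (license/develop, install, maintain) + Operations Cost."""
    return solution_cost + operations_cost

def cheapest_fit(score: int, cost_table: dict) -> str:
    """Lowest total-cost solution among those the asset's band allows.
    cost_table maps solution name -> (solution_cost, operations_cost)."""
    _, allowed = risk_band(score)
    priced = {s: total_cost(*cost_table[s]) for s in allowed if s in cost_table}
    return min(priced, key=priced.get)

def prioritize(assets):
    """Order assets highest risk first; the deck uses risk to prioritize and group them."""
    return sorted(assets, key=lambda a: risk_score(a.data_value, a.exposure), reverse=True)
# Constructed sample: three data stores with made-up value/exposure scores and costs.
SAMPLE_ASSETS = (Asset("PAN in settlement DB", 5, 4), Asset("Test data copy", 3, 2),
                 Asset("Audit log", 2, 1))
SAMPLE_COSTS = {"Monitor": (10, 2), "Mask": (20, 15), "Access control limits": (5, 25),
                "Format control encryption": (40, 8), "Replacement": (60, 30),
                "Strong encryption": (50, 45)}
```

With these figures the PAN store scores 20 (High Risk) and Replacement is the cheaper of its two permitted solutions, while the test copy scores 6 (At Risk) and Monitor wins on cost.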
98. Example – Software Application
99. Example - Attack by DBA
Chart: Attack Vectors 1, 2 and 3 plotted by Skill & Effort Level (Programming, OS level, SQL) against Damage Level (Key Dump, Data Dump, Data Leakage).
100. Case Study - Data Security Vulnerability Points
Diagram: network zones DMZ, Trusted Segment and Transactions, with Internet, Proxy/FW, IDS/IPS, Load Balancing, Web Apps, Enterprise Apps, DB Server, DB, Keys Server, Internal Users, Endpoints, Wireless Network Devices, Members, and SAN/NAS/Tape storage.
Organization data security vulnerability points under study:
  - Endpoint security / desktop security / wireless security
  - Customer access to Organization via Web Applications
  - Web application development and access controls
  - Global bulk file transfer to/from member institutions
  - Corporate network infrastructure, including firewalls, IDS/IPS
  - XxxNet/YyyNet global infrastructure
  - Application-to-database access controls
  - Database management controls, including separation of duties
  - Key management systems
  - Customer premises HW/SW data protection (the XXX)
  - Protection of stored data in SAN, NAS and backup tapes
101. Corporate Overview
Enterprise Data Security Management
Full services offering including consulting, training and support
Global reach
300+ customers
100% growth in each of last three years
Founded 1996
10 patents granted, 18 pending

102. Protegrity Value Proposition
Protecting your data. Protecting your business.
Balancing business needs, operational performance, and the risk of data loss
Achieving security and compliance

103. Protegrity and PCI

104. Our Customers
Cross industry: Retailers (20% of the top 25 retailers), Financial institutions, Transportation
Global: 60% in North America, 30% EMEA, 10% Asia

105. The Protegrity Defiance© Suite
Data Protection System (DPS): encryption, monitoring, masking; database, file and application level
Threat Management System (TMS): web application firewall
Enterprise Security Administrator: security policy; key management; alerting, reporting, and auditing

106. Protegrity Solutions
Protecting data
Protecting web applications
Managing data security

107. Questions?
If you would like a copy of the slides, please email ulf.mattsson@protegrity.com
