Tokenization on the Node - Data Protection for Security and Compliance

2011 San Diego Teradata PARTNERS Conference

Speaker notes

  • a story
    Neuroscientists have found the brain gets bored easily
    presentations include demonstrations, video clips, and other speakers. All of the elements are planned and collected well before the slides are created.

  • *Sixty-four percent of this center pertains to the direct and indirect costs associated with enabling security technologies. Table 1 summarizes the total, average, median, maximum and minimum compliance costs for each of the six activity centers defined in our cost framework in Part IV. Please note that these cost statistics are defined for a 12-month period. Data security represents the largest cost center for the benchmark sample, while policy represents the smallest.

  • "Risk management" is just another term for the cost-benefit tradeoff associated with any security decision. Protecting data according to risk enables organizations to determine their most significant security exposures, target their budgets towards addressing the most critical issues, strengthen their security and compliance profile, and achieve the right balance between business needs and security demands. As discussed earlier, a report by the Ponemon Institute, a privacy and information management research firm, found that data breach incidents cost $202 per compromised record in 2008, with an average total per-incident cost of $6.65 million. All security spend figures produced by government and private research firms indicate that enterprises can put strong security into place for about 10% of the average cost of a breach. You can find the right balance between cost and security by doing a risk analysis.

Slides

    1. Ulf Mattsson, CTO, Protegrity
    2. What Is Tokenization on the Node?
    3. (no slide text)
    4. Teradata and Protegrity
       • Strategic partnership since 2004
       • Advocated solution for data protection on Teradata Databases
       • Proven parallel and scalable data protection for Teradata MPP platforms
       • Collaboration on forward-looking roadmaps
         – New and advanced data protection options
         – Integration with new Teradata Database features
         – Seamless operation on large data warehouse systems
       • World-class customers
    5. Protegrity Data Protection for Teradata
       • A comprehensive data protection solution for Teradata Databases
         – Provides additional separation of duties through a separate Security Manager interface for creation and maintenance of security policies
         – Includes a patented key management system for secure key generation and protection of keys when stored
         – Supports multiple data protection options including strong encryption and tokenization
         – Supports multiple cryptographic algorithms and key strengths
         – Automates the process of converting clear text data to cipher text
    6. Protegrity Data Protection for Teradata
       • A comprehensive data protection solution for Teradata Databases
         – Provides additional access controls to protect sensitive information (even the DBC user cannot see unencrypted data unless specifically authorized by the Security Manager)
         – Includes additional auditing separate from database audit logs (such as the Access Log)
         – Designed to fully exploit Teradata Database parallelism and scalability
         – Enterprise-wide solution that works with most major databases and operating systems (not just Teradata)
    7. Select Protegrity Customers
    8. Data Breaches Gone Mad - Learn how to Secure your Data Warehouse Straight Away! www.protegrity.com
    9. Who Are The Hackers and What Are They Doing?
    10. Some of you have already met Yuri. Source: http://www.youtube.com/user/ProtegrityUSA
    11. Last year he and his "anonymous" friends hacked AT&T. Source: http://www.youtube.com/user/ProtegrityUSA
    12. This year they hacked Sony and bought BMW M5s. Source: http://www.youtube.com/user/ProtegrityUSA
    13. • Data including passwords and personal details were stored in clear text
        • Attacks were not coordinated and not advanced
        • Majority of attacks were SQL injection dumps and Distributed Denial of Service (DDoS)
    14. Next month Yuri plans to hit a major telco with the keys provided by a disgruntled employee. Source: http://www.youtube.com/user/ProtegrityUSA
    15. Then Yuri is going to buy a private jet. Source: http://www.youtube.com/user/ProtegrityUSA
    16. [Chart: percentage of breaches by industry: Hospitality, Retail, Financial Services, Government, Tech Services, Manufacturing, Transportation, Media, Healthcare, Business Services; x-axis 0-50% (*: number of breaches). Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS]
    17. [Chart. Source: Trustwave Global Security Report 2011]
    18. So how does Yuri do it? Source: http://www.youtube.com/user/ProtegrityUSA
    19. [Chart: percentage of records by threat action: Hacking, Malware, Physical, Error, Misuse, Social; x-axis 0-100% (*: number of records). Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS]
    20. "Usually, I just need one disgruntled employee. Just one." Source: http://www.youtube.com/user/ProtegrityUSA
    21. • Attackers stole information about SecurID two-factor authentication
        • 60 different types of customized malware
        • Advanced Persistent Threat (APT) malware tied to a network in Shanghai
        • A tool written by a Chinese hacker 10 years ago
    22. [Chart: how breaches are discovered, percentage of breaches: Third party fraud detection; Notified by law enforcement; Reported by customer/partner…; Unusual system behavior; Reported by employee; Internal security audit or scan; Internal fraud detection; Brag or blackmail by perpetrator; Third party monitoring service; x-axis 0-50% (*: number of breaches). Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS]
    23. Why Should I Care?
    24. • Some issues have stayed constant:
          – Threat landscape continues to gain sophistication
          – Attackers will always be a step ahead of the defenders
        • Different motivation, methods and tools today:
          – We are fighting highly organized, well-funded crime syndicates and nations
          – Move from detective to preventative controls needed
        Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
    25. How Can We Secure The Sensitive Data Flow?
    26. We Need To Protect The Data Flow [Diagram: enforcement points along the data flow; legend: unprotected sensitive information, protected sensitive information]
    27. What Has Industry Done To Protect Itself?
    28. What is Cost Effective Data Protection? [Chart, x-axis 0-90%: Firewalls; Encryption/Tokenization for data at rest; Anti-virus & anti-malware solution; Encryption for data in motion; Access governance systems; Identity & access management systems; Correlation or event management systems; Web application firewalls (WAF); Endpoint encryption solution; Data loss prevention systems (DLP); Intrusion detection or prevention systems; Database scanning and monitoring (DAM); ID & credentialing system. Source: PCI DSS Compliance Survey, Ponemon Institute]
    29. Can New Data Security Help Creativity? [Chart: Risk (low to high) against Access level (low to high). Traditional access control, "old and flawed": minimal access levels so people can only carry out their jobs. New, data tokens: low risk at the right access level; creativity happens at the edge. Source: InformationWeek Aug 15, 2011]
    30. What has Industry Done To Protect Databases?
    31. How Did Data Security Evolve?
        Year     Event
        2010     Memory Data Tokenization introduced as a fully distributed model
                 Centralized Data Tokenization introduced with hosted payment service
        2005     DTP (Data Type Preserving encryption) used in commercial databases
                 Attack on SHA-1 hash announced
                 DES was withdrawn
        2001     AES (Advanced Encryption Standard) accepted as a FIPS-approved algorithm
        1988     IBM AS/400 used tokenization in shadow files
        1975     DES (Data Encryption Standard) draft submitted by IBM
        1900 BC  Cryptography used in Egypt
    32. How Can We Limit Changes to Applications? [Diagram: protection methods ordered by intrusiveness to applications and databases, most to least, each with a sample output for the clear-text value 123456 123456 1234; axis label: Data Length, Original]
        Standard Hashing: !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
        Strong Encryption: !@#$%a^.,mhu7/////&*B()_+!@
        Tokenizing or Formatted Encryption, Alpha: aVdSaH 1F4hJ 1D3a
        Tokenizing or Formatted Encryption, Numeric: 666666 777777 8888
        Tokenizing or Formatted Encryption, Partial: 123456 777777 1234
        Clear Text Data: 123456 123456 1234
    33. What Is The Next Step In Data Protection? The Promise Of A Better World
    34. Replace Sensitive Data With Fake Data [Diagram: Data → Random number → Token]
    35. Replace Sensitive Data With Data Tokens [Diagram: tokenization and de-tokenization between applications & databases; legend: unprotected sensitive information, data token (protected sensitive information)]
    36. Yuri Hates Tokens!
    37. What is Tokenization and What is the Benefit?
        • Tokenization
          – Tokenization is a process that replaces sensitive data in systems with inert data called tokens, which have no value to the thief
          – Tokens resemble the original data in data type and length
        • Benefit
          – Greatly improved transparency to systems and processes that need to be protected
        • Result
          – Reduced remediation
          – Reduced need for key management
          – Reduced points of attack
          – Reduced PCI DSS audit costs for retail scenarios
    38. Tokens For PCI, PII & PHI
    39. Tokens Can Be More Flexible Than Encryption
        Type of Data     Input                          Token                          Token Properties
        Credit Card      3872 3789 1620 3675            8278 2789 2990 2789            Numeric
        Medical ID       29M2009ID                      497HF390D                      Alpha-Numeric
        Date             10/30/1955                     12/25/2034                     Date
        E-mail Address   ulf.mattsson@protegrity.com    empo.snaugs@svtiensnni.snk     Alpha-Numeric, delimiters in input preserved
        SSN              075-67-2278                    287-38-2567                    Numeric, delimiters in input preserved
        Credit Card      3872 3789 1620 3675            8278 2789 2990 3675            Numeric, last 4 digits exposed
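The token properties in the table above (slide 39) and the intrusiveness ladder on slide 32 describe a format-preserving tokenizer: the token keeps the type, length and delimiters of the input, the last four digits can stay in the clear, and the only way back is a lookup table. The following is an added example, written for this page and not code from the deck or from Protegrity, of a vault-based tokenizer with exactly those properties. The element names (credit_card, ssn, medical_id, date, email), the date range and the in-memory dictionaries standing in for the vault are assumptions made for the example; tokens are drawn with `secrets`, and the vault lookup doubles as the collision check.

```python
import datetime
import secrets
import string

DIGITS = string.digits
ALNUM = string.ascii_uppercase + string.digits
LOWER = string.ascii_lowercase


def numeric_token(value, keep_last=0):
    """Random digit for every digit; delimiters (spaces, dashes) and the last
    keep_last digits stay in place, so a PAN keeps its grouping and an SSN
    its dashes (credit card, SSN and 'last 4 exposed' rows of slide 39)."""
    positions = [i for i, c in enumerate(value) if c.isdigit()]
    out = list(value)
    for i in positions[:len(positions) - keep_last]:
        out[i] = secrets.choice(DIGITS)
    return "".join(out)


def alnum_token(value):
    """Random upper-case letters and digits of the same length (medical ID row)."""
    return "".join(secrets.choice(ALNUM) for _ in range(len(value)))


def date_token(value, fmt="%m/%d/%Y"):
    """A random but valid calendar date in the same textual format (date row).
    Range 1900-2049 is an assumption of this example."""
    datetime.datetime.strptime(value, fmt)          # reject malformed input
    start = datetime.date(1900, 1, 1)
    day = start + datetime.timedelta(days=secrets.randbelow(365 * 150))
    return day.strftime(fmt)


def email_token(value):
    """Random lower-case letter for every letter or digit; '@', '.', '-' and
    '_' are delimiters and stay where they are, so the token still has the
    shape of an address (e-mail row)."""
    return "".join(secrets.choice(LOWER) if c.isalnum() else c for c in value)


GENERATORS = {
    "credit_card": numeric_token,
    "credit_card_last4": lambda v: numeric_token(v, keep_last=4),
    "ssn": numeric_token,
    "medical_id": alnum_token,
    "date": date_token,
    "email": email_token,
}


class TokenVault:
    """Vault ('basic') tokenization: tokens are random, carry no key material,
    and the vault table is the only way back. The cost the deck goes on to
    discuss: the vault grows with every distinct value and has to be
    replicated to every place that detokenizes."""

    def __init__(self):
        self._to_token = {}   # (element, value) -> token
        self._to_value = {}   # (element, token) -> value

    def tokenize(self, element, value):
        key = (element, value)
        if key in self._to_token:            # same input -> same token, so joins still work
            return self._to_token[key]
        generate = GENERATORS[element]
        while True:
            token = generate(value)
            # the vault lookup is the collision check; never hand back the real value
            if token != value and (element, token) not in self._to_value:
                break
        self._to_token[key] = token
        self._to_value[(element, token)] = value
        return token

    def detokenize(self, element, token):
        return self._to_value[(element, token)]

    def size(self):
        return len(self._to_token)


def preserves_format(value, token):
    """Same length, every non-alphanumeric delimiter unchanged and in place,
    every alphanumeric position still alphanumeric."""
    if len(value) != len(token):
        return False
    return all((a == b) if not a.isalnum() else b.isalnum()
               for a, b in zip(value, token))


if __name__ == "__main__":
    vault = TokenVault()
    for element, sample in [("credit_card", "3872 3789 1620 3675"),
                            ("medical_id", "29M2009ID"),
                            ("date", "10/30/1955"),
                            ("email", "ulf.mattsson@protegrity.com"),
                            ("ssn", "075-67-2278"),
                            ("credit_card_last4", "3872 3789 1620 3675")]:
        print(f"{element:18} {sample:28} -> {vault.tokenize(element, sample)}")
```

Running the script reproduces the shape of the slide 39 table with fresh random tokens. Note what the vault buys and what it costs: no key exists to steal, but every node that needs to detokenize needs the whole table, which is the footprint and replication problem the deck raises on slide 45.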
    40. What Is The Impact On Performance And Scalability?
    41. Speed of Different Protection Methods [Chart: transactions per second for 16-digit values, log scale from 100 to 10,000,000, for Basic Data Tokenization, Format Preserving Encryption, Data Type Preservation, AES CBC Encryption Standard and Modern Data Tokenization. *: Speed will depend on the configuration]
    42. Security of Different Protection Methods [Chart: security level, low to high, for the same five methods: Basic Data Tokenization, Format Preserving Encryption, Data Type Preservation, AES CBC Encryption Standard and Modern Data Tokenization. *: Speed will depend on the configuration]
    43. Data Protection Methods: the next step in data protection, Tokenization [Table: System without data protection; Monitoring + Blocking + Masking; Data Type Preservation; Strong Encryption; Tokenization; Hashing, each rated from Best to Worst on Performance, Storage, Security and Transparency]
    44. How does Tokenization on Teradata Work?
    45. The Bottleneck when Using Old Basic Tokenization
        • Large footprint becomes larger
        • Replication becomes more complex
        • Solution may be unmanageable and expensive
        [Diagram: Teradata clique of nodes, each with its AMPs and a Protegrity Agent, all depending on a central Token Server that holds the credit card number, social security number and passport number token tables]
    46. Modern Tokenization for Teradata Architecture
        • Small footprint
        • Small static token tables
        • High availability
        • High scalability
        • High performance
        • No replication required
        • No chance of collisions
        [Diagram: Teradata clique of nodes; tokenization operations run inside the Protegrity Agent on each node alongside its AMPs]
    47. The World's Smallest & Fastest Tokenizer
    48. Performance Comparison
        • Basic Tokenization
          – 5 tokens per second (outsourced)
          – 5,000 tokens per second (in-house)
        • Modern Tokenization
          – 200,000 tokens per second (Protegrity) on a single commodity server with 10 connections; grows linearly with additional servers and/or connections
          – 9,000,000+ tokenizations per second (Protegrity / Teradata)
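Slides 45, 46 and 48 contrast a central token server whose table grows with every value against "small static token tables" that every node can hold, need no replication and cannot collide. The example below, added for this page and not Protegrity's algorithm, shows the mechanism that makes those three claims hold together: a few kilobytes of static random digit tables, applied as the round function of a Feistel network over the digits of the value. A Feistel network is a bijection by construction, so every input gets exactly one token and detokenization is the same walk in reverse; the tables are the only state, so any node with a copy produces identical tokens with no shared vault. Everything here is an assumption of the example: the table layout (8 rounds by 16 positions), the toy round function, and seeding from a string so the output is repeatable. A production format-preserving scheme (for instance NIST's FF1) uses a block cipher as the round function; this one exists to make the structure visible.

```python
import random
import string


def build_tables(secret, rounds=8, width=16):
    """The static token tables: for every round and digit position, one random
    permutation of the digits 0-9. 8 x 16 x 10 entries is a few KB and is the
    only state the tokenizer needs, so each node holds a copy and nothing is
    replicated at run time. Seeded here (toy) for repeatability; a real
    deployment generates the tables once from a CSPRNG and guards them as key
    material, because whoever has the tables can detokenize."""
    rng = random.Random(secret)
    tables = []
    for _ in range(rounds):
        round_tables = []
        for _ in range(width):
            perm = list(range(10))
            rng.shuffle(perm)
            round_tables.append(perm)
        tables.append(round_tables)
    return tables


def _round_function(tables_r, source, out_len, r):
    """Mix one half into out_len digits by chaining table lookups. It need not
    be invertible: the Feistel inverse recomputes the same digits and subtracts."""
    width = len(tables_r)
    acc = r % 10
    for k, d in enumerate(source):
        acc = tables_r[k % width][(acc + d) % 10]
    out = []
    for j in range(out_len):
        acc = tables_r[j % width][(acc + source[j % len(source)] + j) % 10]
        out.append(acc)
    return out


def _feistel(digits, tables, inverse=False):
    """Alternating Feistel over a list of digits: even rounds rewrite the right
    half from the left, odd rounds the left from the right. Every input maps
    to exactly one output and back, which is why collisions are impossible."""
    half = len(digits) // 2
    left, right = list(digits[:half]), list(digits[half:])
    order = list(range(len(tables)))
    sign = 1
    if inverse:
        order.reverse()
        sign = -1
    for r in order:
        if r % 2 == 0:
            f = _round_function(tables[r], left, len(right), r)
            right = [(d + sign * x) % 10 for d, x in zip(right, f)]
        else:
            f = _round_function(tables[r], right, len(left), r)
            left = [(d + sign * x) % 10 for d, x in zip(left, f)]
    return left + right


def _digit_slots(value, keep_last):
    """Positions of the digits to transform; delimiters and the last
    keep_last digits stay in place, as in the 'last 4 exposed' token."""
    positions = [i for i, c in enumerate(value) if c.isdigit()]
    return positions[:len(positions) - keep_last]


def _apply(value, tables, keep_last, inverse):
    positions = _digit_slots(value, keep_last)
    digits = [int(value[i]) for i in positions]
    if len(digits) < 2:
        raise ValueError("need at least two digits to transform")
    out = list(value)
    for i, d in zip(positions, _feistel(digits, tables, inverse)):
        out[i] = str(d)
    return "".join(out)


def tokenize(value, tables, keep_last=0):
    return _apply(value, tables, keep_last, inverse=False)


def detokenize(token, tables, keep_last=0):
    return _apply(token, tables, keep_last, inverse=True)


def is_bijection(tables, length=4):
    """Exhaustive check on short values: every input gets a distinct token."""
    tokens = {tokenize(f"{v:0{length}d}", tables) for v in range(10 ** length)}
    return len(tokens) == 10 ** length


if __name__ == "__main__":
    tables = build_tables("demo-secret")
    pan = "3872 3789 1620 3675"
    token = tokenize(pan, tables, keep_last=4)
    print(pan, "->", token, "->", detokenize(token, tables, keep_last=4))
    print("bijective on 4 digits:", is_bijection(tables, 4))
```

Two consequences follow from the structure rather than from any benchmark: there is no lookup in a growing table, so throughput is bounded by a handful of array indexes per digit, and two nodes built from the same tables agree on every token without ever talking to each other. The flip side, worth stating plainly, is that the tables are the secret, so their generation, distribution and rotation is the key-management problem the deck says tokenization avoids; it is smaller than per-record key handling, not absent.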
    49. What Is The Customer Experience?
    50. Tokenization Case Studies
        Customer 1: Extensive enterprise end-to-end credit card data protection, switching to Protegrity Tokenization
          • Performance challenge: initial tokenization
          • Vendor lock-in: what if we want to switch payment processor?
          • Performance challenge: operational tokenization (SLAs)
        Customer 2: Desired a single vendor to provide data protection including tokenization
          • Combined use of tokenization and encryption
          • Looking to expand tokens beyond CCN to PII
        Customer 3: Reduce compliance cost; 50 million credit cards, 700 million daily transactions
          • Performance challenge: initial tokenization
          • End-to-end tokens: started with the EDW and expanding to stores
    51. Case Study – Large Chain Store
        Faster PCI audit
          • Half the time
          • Qualified Security Assessors had no issues with the effective segmentation provided by tokenization
        Lower maintenance cost
          • Do not have to apply all 12 requirements of PCI DSS to every system
        Better security
          • Ability to eliminate several business processes such as generating daily reports for data requests and access
        Strong performance
          • Rapid processing rate for initial tokenization
          • Sub-second transaction SLA
    52. How does Protegrity on Teradata Work?
    53. Protegrity Data Protection for Teradata [Diagram: Enterprise Security Administrator (ESA) with Policy Management, Policy Deployment, Key Management, Audit Management and Log Server; in each node of the clique, a Policy Enforcement Agent (UDF / UDT), Data Protection Operations, PEP Server, Audit Logs and Log Proxy, with protected data spread across the AMPs]
    54. Protegrity in the ETL Process [Diagram: Sources (SQL Server, DB2, AS/400, Mainframe, Oracle) → ETL platform (Informatica, DataStage; cleansing, integration, transformation) → Targets (Teradata load processes, Teradata EDW, test data). The Protegrity policy applies role-based access control: depending on role, a user gets the original value, no access, the token, a mask, or a hash]
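Slide 54's role-based outcomes (original value, no access, token, mask, hash), the Security Manager policy of slide 5 and the separate audit trail of slide 6 are one component: a policy enforcement point in front of detokenization. The following is an added example written for this page, not Protegrity's code, of such a PEP. The roles, the policy table, the salt and the one-entry dictionary standing in for the vault are all constructed for the example. The default for any (role, element) pair the policy does not name is deny, which is what makes the slide 6 statement about the DBC superuser hold: database privilege is not policy privilege.

```python
import datetime
import hashlib

# Constructed sample: what the vault (or a vaultless detokenize call) would
# hand back for one credit-card token.
VAULT = {
    "credit_card": {"8278 2789 2990 3675": "3872 3789 1620 3675"},
}

# Policy owned by the Security Manager, not the DBA: (role, data element) ->
# presentation. Anything not listed is denied, so a new role, or the database
# superuser, starts with no access to clear text.
POLICY = {
    ("fraud_analyst", "credit_card"): "original",
    ("marketing", "credit_card"): "mask",
    ("etl_loader", "credit_card"): "token",
    ("test_data", "credit_card"): "hash",
}

# Kept apart from the database's own audit log; the DBA cannot edit it.
AUDIT_LOG = []


class AccessDenied(PermissionError):
    pass


def decide(role, element):
    return POLICY.get((role, element), "deny")


def mask(value, visible_last=4):
    """Stars for every digit except the last visible_last; delimiters kept."""
    positions = [i for i, c in enumerate(value) if c.isdigit()]
    hidden = set(positions[:len(positions) - visible_last])
    return "".join("*" if i in hidden else c for i, c in enumerate(value))


def hash_value(value, salt=b"constructed-salt"):
    """One-way but consistent join key for test data (salt is a placeholder)."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def unprotect(role, element, token, now=None):
    """Policy enforcement point for a detokenize request: decide, log, then
    release only the presentation the policy allows."""
    decision = decide(role, element)
    AUDIT_LOG.append({
        "time": (now or datetime.datetime.now(datetime.timezone.utc)).isoformat(),
        "role": role, "element": element, "token": token, "decision": decision,
    })
    if decision == "deny":
        raise AccessDenied(f"{role} may not unprotect {element}")
    if decision == "token":
        return token                       # the vault is never consulted
    original = VAULT[element].get(token)
    if original is None:
        raise KeyError("unknown token")    # foreign or tampered token
    if decision == "original":
        return original
    if decision == "mask":
        return mask(original)
    return hash_value(original)            # decision == "hash"


if __name__ == "__main__":
    token = "8278 2789 2990 3675"
    for role in ("fraud_analyst", "marketing", "etl_loader", "test_data", "dbc"):
        try:
            print(f"{role:14} {unprotect(role, 'credit_card', token)}")
        except AccessDenied as err:
            print(f"{role:14} DENIED ({err})")
    print(len(AUDIT_LOG), "audit records")
```

The ordering inside `unprotect` is deliberate: the audit record is written before any value is released, and a "token" decision returns without touching the vault at all, so the ETL loader in slide 54 can move data end to end without ever being able to detokenize it.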
    55. Data Masking is Not Effective
    56. Data Masking is Not Secure [Chart: risk (low to high) by system type: test/dev, integration testing, troubleshooting, production. Data-at-rest masking: exposure, data is in the clear before masking (high risk). Data display masking: exposure, data is only obfuscated. Data tokens: low risk]
    57. Who Is Protegrity?
    58. Why Protegrity?
        • Protegrity's Tokenization allows compliance across:
          – PCI
          – PII
          – PHI
        • Innovative: pushing data protection with industry-leading innovation such as our patented database protection system and Protegrity Tokenization
        • Proven: a proven platform that currently protects the world's largest companies
        • Experienced: experienced staff will be there with support along the way to complete data protection
    59. How To Secure The Sensitive Data Flow [Diagram: Secure Collection (POS, e-commerce, Branch) → Tokenization → Secure Distribution; Security Administrator with Policy and Audit Log; Database Protector, Application Protector and File System Protector]
    60. How Will This Improve My Life?
    61. Why Tokenization?
        1. No masking needed
        2. No encryption/decryption when using
        3. No key management across the enterprise
    62. Why Modern Tokenization?
        1. Better – small footprint
        2. Faster – high performance
        3. Lower total cost of ownership
    63. Tokenization Differentiators
                                              Basic Tokenization                                   Modern Tokenization
        Footprint                             Large, expanding                                     Small, static
        High Availability, Disaster Recovery  Complex, expensive replication required              No replication required
        Distribution                          Practically impossible to geographically distribute  Easy to deploy at different geographically distributed locations
        Reliability                           Prone to collisions                                  No collisions
        Performance, Latency and Scalability  Will adversely impact performance & scalability      Little or no latency; fastest industry tokenization
        Extendibility                         Practically impossible                               Unlimited tokenization capability
    64. Thank you! Q&A ulf.mattsson@protegrity.com Got Tokens? Meet Yuri at the Protegrity booth #201
