Post on 12-Jan-2015
description
Choosing the Most Appropriate Data Security Solution
for an OrganizationUlf Mattsson, CTO Protegrity
2
4
• 20 years with IBM Research & Development and Global Services
• Started Protegrity in 1994 (Data Security)• Inventor of 25 patents – Encryption and
Tokenization• Member of
– PCI Security Standards Council (PCI SSC)– American National Standards Institute (ANSI) X9– International Federation for Information Processing
(IFIP) WG 11.3 Data and Application Security
– ISACA , ISSA and Cloud Security Alliance (CSA)
Ulf Mattsson, CTO Protegrity
WE KNOW THAT DATA IS
UNDER ATTACK …
5
Albert Gonzalez20 Years In US Federal Prison
6
US Federal indictments:
1. Dave & Busters 2. TJ Maxx 3. Heartland HPS• Breach expenses
$140M
Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
7
What about Breaches & PCI? Was Data Protected?
Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study
%3: Protect Stored Data
7: Restrict access to data by business need-to-know
11: Regularly test security systems and processes
10: Track and monitor all access to network resources and data
6: Develop and maintain secure systems and applications
8: Assign a unique ID to each person with computer access
1: Install and maintain a firewall configuration to protect data
12: Maintain a policy that addresses information security
2: Do not use vendor-supplied defaults for security parameters
4: Encrypt transmission of cardholder data
5: Use and regularly update anti-virus software
9: Restrict physical access to cardholder data
0 10 20 30 40 50 60 70 80 90 100
WHAT TYPES OF DATA ARE UNDER ATTACK
NOW?
8
9
What Data is Compromised?
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
Authentication credentials (usernames, pwds, etc.)
Sensitive organizational data (reports, plans, etc.)
Bank account numbers/data
System information (config, svcs, sw, etc.)
Copyrighted/Trademarked material
Trade secrets
Classified information
Medical records Medical
Unknown (specific type is not known)
Payment card numbers/data
Personal information (Name, SS#, Addr, etc.)
0 20 40 60 80 100 120 %
10
Today “Hacktivism” is Dominating
Unknown
Unaffiliated person(s)
Former employee (no longer had access)
Relative or acquaintance of employee
Organized criminal group
Activist group
0 10 20 30 40 50 60 70
By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
%
11
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
Growing Threat of “hacktivism” by Groups such as Anonymous
Attacks by Anonymous include• 2012: CIA and Interpol • 2011: Sony, Stratfor and HBGary Federal
April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011
12
Attack Type, Time and
Impact $
Source: IBM 2012 Security Breaches Trend and Risk Report
Let’s Review Some Major Recent Breaches
• Lost 100 million passwords and personal details stored in clear
• Spent $171 million related to the data breach • Sony's stock price has fallen 40 percent • For three pennies an hour, hackers can rent
Amazon.com to wage cyber attacks such as the one that crippled Sony
• Attack via SQL Injection
13
The Sony Breach & Cloud
Q1 2011 Q2 2011 Q3 2011
14
SQL Injection Attacks are Increasing
25,000
20,000
15,000
10,000
5,000
Source: IBM 2012 Security Breaches Trend and Risk Report
WHAT IS SQL INJECTION?
15
What is an SQL Injection Attack?
Application
SQL Command Injected
Data Store
16
17
New Industry Groups are Targets
Information
Other
Health Care and Social Assistance
Finance and Insurance
Retail Trade
Accommodation and Food Services
0 10 20 30 40 50 60
By percent of breaches Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
%
The Changing Threat Landscape
Some issues have stayed constant:
Threat landscape continues to gain sophistication Attackers will always be a step ahead of the defenders
We are fighting highly organized, well-funded crime syndicates and nations
Move from detective to preventative controls needed
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
19
How are Breaches Discovered?
Unusual system behavior or performance
Log analysis and/or review process
Financial audit and reconciliation process
Internal fraud detection mechanism
Other(s)
Witnessed and/or reported by employee
Unknown
Brag or blackmail by perpetrator
Reported by customer/partner affected
Third-party fraud detection (e.g., CPP)
Notified by law enforcement
0 10 20 30 40 50 60 70
By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
%
WHERE IS DATA LOST?
20
21
What Assets are Compromised?
By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
POS server (store controller)POS terminal User devices
Automated Teller Machine (ATM) Regular employee/end-user People
Payment card (credit, debit, etc.) Offline dataCashier/Teller/Waiter People
Pay at the Pump terminal User devicesFile server
Laptop/Netbook Remote Access server
Call Center Staff People Mail server
Desktop/Workstation Web/application server
Database server
0 20 40 60 80 100 120%
22
Threat Action Categories
EnvironmentalError
MisusePhysical
SocialMalwareHacking
0 20 40 60 80 100 120
By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
Hacking and Malware are Leading
%
Thieves Are Attacking the Data Flow
023
Application Application
THIS IS A CATCH 22!
24
Securing The Data Flow with Tokenization
RetailStore
Bank
Payment
Network
9999 9999
Corporate
Systems
25
WHAT HAS THE INDUSTRY
DONE TO SECURE DATA?
26
Time
Total Cost of Ownership
Total Cost of Ownership1. System Integration2. Performance Impact3. Key Management4. Policy Management5. Reporting6. Paper Handling7. Compliance Audit8. …
Strong Encryption: 3DES, AES …
I2010
I1970
What Has The Industry Done?
I2005
I2000
Format Preserving Encryption: FPE, DTP …
Basic Tokenization
Vaultless Tokenization
High -
Low -
27
Case Study: Large Chain Store
Why? Reduce compliance cost by 50%– 50 million Credit Cards, 700 million daily transactions
– Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
– End-to-End Tokens: Started with the D/W and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Qualified Security Assessors had no issues
• “With encryption, implementations can spawn dozens of questions”
• “There were no such challenges with tokenization”
28
10 000 000 -
1 000 000 -
100 000 -
10 000 -
1 000 -
100 -
Transactions per second
I
Format
Preserving
Encryption
Speed of Different Protection Methods
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Basic
Data
TokenizationSpeed will depend on
the configuration
29
Case Studies: Retail
Customer 1: Why? Three major concerns solved– Performance Challenge; Initial tokenization– Vendor Lock-In: What if we want to switch payment processor– Extensive Enterprise End-to-End Credit Card Data Protection
Customer 2: Why? Desired single vendor to provide data protection – Combined use of tokenization and encryption – Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the mainframe– Tokens on the mainframe to avoid compensating controls
30
123456 777777 1234
123456 123456 1234
aVdSaH 1F4hJ 1D3a
!@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*Hashing -
Strong Encryption -
Alpha -
Numeric -
Partial -
Clear Text Data -
Intrusiveness (to Applications and Databases)
I
Original
!@#$%a^.,mhu7///&*B()_+!@
666666 777777 8888Tokenizing or
FormattedEncryption
Data
Length
Stan
dard
Encr
yptio
n
Enco
ding
31
Dat
a Ty
pe &
For
mat
Impact of Different Protection Methods
Type of Data
Use Case
IStructured
How Should I Secure Different Data?
IUn-structured
Simple -
Complex -
PCI
PHI
PII
FileEncryption
CardHolder
Data
FieldTokenization
ProtectedHealth
Information
32
Personally Identifiable Information
ANY TOKENIZATION GUIDELINES?
33
PCI DSS : Tokenization and Encryption are Different
34
35
Source: http://www.securosis.com
Tokenization and “PCI Out Of Scope”
De-tokenization Available?
Random Number Tokens?
Isolated from Card Holder Data
Environment?
Out of Scope
Scope Reduction
No Scope Reduction
No
No:FPE
Yes
Yes
Yes No
Case Study: Energy Industry
Why? Reduce PCI Scope• Best way to handle legacy, we got most of it out of PCI• Get rid of unwanted paper copies• No need to rewrite/redevelop or restructure business
applications• A VERY efficient way of PCI Reduction of Scope• Better understanding of your data flow• Better understanding of business flow• Opportunity to clean up a few business oddities
36
RISK MANAGEMENT
37
ProtectionOption
Cost
OptimalRisk
Expected Losses from the Risk
Cost of Aversion – Protection of Data
Total Cost
IMonitoring
IData
Lockdown
Choose Your Defenses
38
Matching Data Protection with Risk Level
Risk Level Solution
Monitoring
Monitoring, masking, format
controlling encryption
Tokenization, strong
encryption
Low Risk (1-5)
Medium Risk (6-15)
High Risk (16-25)
Data Field
Risk Level
Credit Card Number 25Social Security Number 20
Email Address 20Customer Name 12Secret Formula 10
Employee Name 9Employee Health Record 6
Zip Code 3
39
I
Format
Preserving
Encryption
Security of Different Protection Methods
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Basic
Data
Tokenization
40
High
Low
Security Level
Use of Enabling Technologies
Access controls
Database activity monitoring
Database encryption
Backup / Archive encryption
Data masking
Application-level encryption
Tokenization
1%
18%
30%
21%
28%
7%
22%
91%
47%
35%
39%
28%
29%
23%
Evaluating Current Use
41
SystemType
Risk
Data display Masking
IProduction
ITest / dev
High –
Low -
Data at rest Masking
IIntegration
testing
ITrouble
shooting
Exposure:Data in clear
before masking
Exposure:Data is only obfuscated
42
Is Data Masking Secure?
SystemType
Risk
Data TokensI
ProductionI
Test / dev
Data Tokens = Lower Risk
High –
Low -
IIntegration
testing
ITrouble
shooting
43
Data display Masking
Data at rest Masking
Exposure:Data in clear
before masking
Exposure:Data is only obfuscated
CAN SECURITY HELP CREATIVITY?
44
AccessRight Level
Risk
TraditionalAccessControl
IMore
ILess
High
Low
Source: InformationWeek Aug 15, 2011
Old Security = Less Creativity
45
AccessRight Level
Risk
TraditionalAccessControl
IMore
ILess
High
Low
Source: InformationWeek Aug 15, 2011
New Data Security = More Creativity
46
Data Tokens
New:CreativityHappens
At the edge
About Protegrity
• Proven enterprise data security software and innovation leader – Sole focus on the protection of data– Patented Technology, Continuing to Drive Innovation
• Growth driven by compliance and risk management– PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI
(Protected Health Information)– US State and Foreign Privacy Laws, Breach Notification Laws
• Cross-industry applicability– Retail, Hospitality, Travel and Transportation– Financial Services, Insurance, Banking– Healthcare, Telecommunications, Media and Entertainment– Manufacturing and Government
47
Thank you!
Q&Aulf.mattsson AT protegrity.com
www.protegrity.com 203-326-7200
48