Choosing the Right Data Security Solution

Ulf Mattsson, CTO

Protegrity

ulf.mattsson AT protegrity.com

2

20 years with IBM Research & Development and

Global Services

Started Protegrity in 1994 (Data Security)

Inventor of 25 patents – Encryption and

Tokenization

Member of

• PCI Security Standards Council (PCI SSC)

• American National Standards Institute (ANSI) X9

• International Federation for Information Processing

(IFIP) WG 11.3 Data and Application Security

• ISACA , ISSA and Cloud Security Alliance (CSA)

Ulf Mattsson, CTO Protegrity

Agenda

Data Breaches

Data Protection Trends

Encryption versus Tokenization

Vault-based Tokenization versus Vaultless

Tokenization

Case studies

Summary

3

4

5

Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

A Growing Threat

Attacks by Anonymous include

• CIA, Interpol, Sony, Stratfor and

HBGary Federal

6

Today “Hacktivism” is Dominating

0 10 20 30 40 50 60 70

Unknown

Unaffiliated person(s)

Former employee (no longer had access)

Relative or acquaintance of employee

Organized criminal group

Activist group

By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

%

7

What Data is Compromised?

By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

0 20 40 60 80 100 120

Payment card numbers/data

Authentication credentials (usernames, pwds, etc.)

Sensitive organizational data (reports, plans, etc.)

Bank account numbers/data

System information (config, svcs, sw, etc.)

Copyrighted/Trademarked material

Trade secrets

Classified information

Medical records

Unknown (specific type is not known)

Personal information (Name, SS#, Addr, etc.)

%

LinkedIn Hit with $5 Million Class Action Suit

By John Fontana | June 19, 2012

A class action suit against LinkedIn claiming that violation of its own

privacy policies and user agreements allowed hackers to steal 6.46

million passwords.

8

April 2011 May 2011 Jun 2011 Jul 2011 Aug 2011

9

Time

Impact $

Source: IBM 2012 Security Breaches Trend and Risk Report

Some Major Data Breaches

Attack Type

Lost 100 million passwords and personal details stored in clear

Spent $171 million related to the data breach

Sony's stock price has fallen 40 percent

For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony

Attack via SQL Injection

10

The Sony Breach

Q1 2011 Q2 2011 Q3 2011

11

SQL Injection Attacks are Increasing

25,000

20,000

15,000

10,000

5,000

Source: IBM 2012 Security Breaches Trend and Risk Report

12

New Industry Groups are Targets

0 10 20 30 40 50 60

Information

Other

Health Care and Social Assistance

Finance and Insurance

Retail Trade

Accommodation and Food Services

By percent of breaches Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

%

The Changing Threat Landscape

Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

Some issues have stayed constant:

• Threat landscape continues to gain sophistication

• Attackers will always be a step ahead of the defenders

We are fighting highly organized, well-funded crime syndicates and nations

Move from detective to preventative controls needed

13

14

How are Breaches Discovered?

0 10 20 30 40 50 60 70

Unusual system behavior or performance

Log analysis and/or review process

Financial audit and reconciliation process

Internal fraud detection mechanism

Other(s)

Witnessed and/or reported by employee

Unknown

Brag or blackmail by perpetrator

Reported by customer/partner affected

Third-party fraud detection (e.g., CPP)

Notified by law enforcement

By percent of breaches . Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

%

15

What Assets are Compromised?

By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

0 20 40 60 80 100 120

POS server (store controller)

POS terminal User devices

Automated Teller Machine (ATM)

Regular employee/end-user People

Payment card (credit, debit, etc.) Offline …

Cashier/Teller/Waiter People

Pay at the Pump terminal User devices

File server

Laptop/Netbook

Remote Access server

Call Center Staff People

Mail server

Desktop/Workstation

Web/application server

Database server

%

16

Threat Action Categories

0 50 100 150

Environmental

Error

Misuse

Physical

Social

Malware

Hacking

By percent of records Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

%

Hacking and Malware are Leading

17

Use of Enabling Technologies

1%

18%

30%

21%

28%

7%

22%

91%

47%

35%

39%

28%

29%

23%

Access controls

Database activity monitoring

Database encryption

Backup / Archive encryption

Data masking

Application-level encryption

Tokenization

Evaluating

18

How can we Secure The Data Flow?

Retail

Store Bank

Payment

Network

9999 9999 Corporate

Systems

19

20

1970 2000 2005 2010

High

Low

Total Cost

Of

Ownership

Strong Encryption

AES, 3DES

Format Preserving Encryption

DTP, FPE

Vault-based Tokenization

Vaultless Tokenization

Input Value: 3872 3789 1620 3675

!@#$%a^.,mhu7///&*B()_+!@

8278 2789 2990 2789

8278 2789 2990 2789

Format Preserving

Greatly reduced Key

Management

No Vault

8278 2789 2990 2789

What Has The Industry Done?

21

22

We Started with Vault-Based Tokenization …

Issues with Vault-based Tokenization

23

Vault-based Tokenization Server

Vault-less

Tokenization

Server

Evolution

Goal: Miniaturization of the Tokenization Server

24

Tokenization Differentiators

Vault-based Tokenization Vaultless Tokenization

Footprint Large, Expanding. Small, Static.

High Availability, Disaster Recovery

Complex, expensive replication required.

No replication required.

Distribution Practically impossible to distribute geographically.

Easy to deploy at different geographically distributed locations.

Reliability Prone to collisions. No collisions.

Performance, Latency, and Scalability

Will adversely impact performance & scalability.

Little or no latency. Fastest industry tokenization.

Extendibility Practically impossible. Unlimited Tokenization Capability.

25

26

10 000 000 -

1 000 000 -

100 000 -

10 000 -

1 000 -

100 -

Transactions per second*

I

Format

Preserving

Encryption

Speed of Different Protection Methods

I

Vaultless

Data

Tokenization

I

AES CBC

Encryption

Standard

I

Vault-based

Data

Tokenization

*: Speed will depend on the configuration

27

I

Format

Preserving

Encryption

Security of Different Protection Methods

I

Vaultless

Data

Tokenization

I

AES CBC

Encryption

Standard

I

Vault-based

Data

Tokenization

28

High

Low

Security Level

External Validation of Vaultless Tokenization

“The Vaultless tokenization scheme offers excellent security, since it is

based on fully randomized tables. This is a fully distributed tokenization

approach with no need for synchronization and there is no risk for

collisions.“

Prof. Dr. Ir. Bart Preneel

Katholieke University Leuven, Belgium *

* The Katholieke University Leuven in Belgium is where Advanced Encryption Standard (AES) was invented.

Bart Preneel is a Belgian cryptographer and cryptanalyst.

He is a professor at Katholieke Universiteit Leuven, president

of the International Association for Cryptologic Research

29

30

Case Study: Large Chain Store

Why? Reduce compliance cost by 50%

• 50 million Credit Cards, 700 million daily transactions

• Performance Challenge: 30 days with Basic to 90 minutes with

Vaultless Tokenization

• End-to-End Tokens: Started with the D/W and expanding to

stores

• Lower maintenance cost – don’t have to apply all 12 requirements

• Better security – able to eliminate several business and daily

reports

• Qualified Security Assessors had no issues

• “With encryption, implementations can spawn dozens of questions”

• “There were no such challenges with tokenization”

31

Case Studies: Retail

Customer 1: Why? Three major concerns solved

• Performance Challenge; Initial tokenization

• Vendor Lock-In: What if we want to switch payment processor

• Extensive Enterprise End-to-End Credit Card Data Protection

Customer 2: Why? Desired single vendor to provide data protection

• Combined use of tokenization and encryption

• Looking to expand tokens beyond CCN to PII

Customer 3: Why? Remove compensating controls from the mainframe

• Tokens on the mainframe to avoid compensating controls

32

33

What about Breaches & PCI? Was Data Protected?

Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study

%

0 10 20 30 40 50 60 70 80 90 100

3: Protect Stored Data

7: Restrict access to data by business need-to-know

11: Regularly test security systems and processes

10: Track and monitor all access to network resources and data

6: Develop and maintain secure systems and applications

8: Assign a unique ID to each person with computer access

1: Install and maintain a firewall configuration to protect data

12: Maintain a policy that addresses information security

2: Do not use vendor-supplied defaults for security parameters

4: Encrypt transmission of cardholder data

5: Use and regularly update anti-virus software

9: Restrict physical access to cardholder data

Type of Data

Use Case

I Structured

How Should I Secure Different Data?

I Un-structured

Simple -

Complex -

PCI

PHI

PII

File Encryption

Card

Holder

Data

Field

Tokenization

Protected

Health

Information

34

Flexibility in Token Format Controls

Type of Data Input Token Comment

Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric

Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed

Credit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposed

Medical ID 29M2009ID 497HF390D Alpha-Numeric

Date 10/30/1955 12/25/2034 Date - multiple date formats

E-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snk Alpha Numeric

SSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in input

Invalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will fail

Binary 0x010203 0x123296910112

Alphanumeric

Indicator

5105 1051 0510 5100 8278 2789 299A 2781 Position to place alpha is

configurable

Decimal 123.45 9842.56 Non length preserving

Multi-Merchant 3872 3789 1620 3675 Merchant 1: 8278 2789 2990 2789

Merchant 2: 9302 8999 2662 6345

Deliver a different token to different

merchant based on the same credit

card number.

35

What are the benefits of Tokenisation?

What are the benefits of Tokenization?

Reduces complexity of key management

• Reduces the number of hacker targets

Reduces the remediation for protecting systems

• Reduces the cost of PCI Compliance

Additional benefits with Protegrity Vaultless Tokenization

Infinitely Scalable

• Fastest tokenization method in the world

Simplicity and Security: No replication, No collisions

Flexible and easy to deploy and distribute

• Lower Total Cost of Ownership than Vault-based Tokenization

36

About Protegrity

Proven enterprise data security software and innovation leader

• Sole focus on the protection of data

• Patented Technology, Continuing to Drive Innovation

Growth driven by compliance and risk management

• PCI (Payment Card Industry)

• PII (Personally Identifiable Information)

• PHI (Protected Health Information) – HIPAA

• State and Foreign Privacy Laws, Breach Notification Laws

Cross-industry applicability

• Retail, Hospitality, Travel and Transportation

• Financial Services, Insurance and Banking

• Healthcare, Telecommunications, Media and Entertainment

• Manufacturing and Government

37

Summary

38

Optimal support of complex enterprise requirements

• Heterogeneous platform supports all operating systems and

databases

• Flexible protectors (Database, Application, File)

• Risk Adjusted Data Protection offers the options for protection data

with the appropriate strength.

• Built-in Key Management

• Consistent Enterprise policy enforcement and audit logging

Innovative

• Pushing data protection with industry leading

Proven

• Proven platform currently protects the worlds largest companies

Experienced

• Experienced staff will be there with support along the way to complete data

protection

Questions and Answers

Elaine Evans

Protegrity Marketing

elaine.evans AT protegrity.com

www.protegrity.com

Ulf Mattsson

Protegrity CTO

ulf.mattsson AT protegrity.com