Data Breaches Gone Mad
Learn how to Secure your Data Warehouse Straight Away!
Wednesday September 28th, 2011
Martin Willcox
Director Product & Solutions Marketing
Teradata Europe, Middle East & Africa
Ulf Mattsson
CTO Protegrity
The Tokenization Experts
Some of you have already met Yuri.
Source: http://www.youtube.com/user/ProtegrityUSA
Last year he and his “anonymous” friends hacked AT&T.
• Security vulnerability in a website used by iPad customers
• 100,000 e-mail addresses and iPad identification numbers were exposed, including:
  • New York Mayor
  • FBI and NASA
  • US Department of Defense
  • Executives from Google, Microsoft, Amazon and Goldman Sachs
Source 2010: http://news.cnet.com/8301-27080_3-20007417-245.html#ixzz1Y9IW9a7o
This year they hacked Sony and bought BMW M5s.
• Data including passwords and personal details were stored in clear text
• Attacks were not coordinated and not advanced
• Majority of attacks were SQL Injection dumps and Distributed Denial of Service (DDoS)
Next month Yuri plans to hit a major telco with the keys provided by a disgruntled employee.
Then Yuri is going to buy a private jet.
[Chart: number of breaches by industry, as a percentage of breaches: Financial Services, Retail, Hospitality, Manufacturing, Tech Services, Government, Business Services, Healthcare, Media, Transportation]
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
Source: Trustwave Global Security Report 2011
So how does Yuri do it?
[Chart: threat action categories as a percentage of records compromised: Hacking, Malware, Social, Misuse, Physical, Error]
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
“Usually, I just need one disgruntled employee. Just one.”
• Attackers stole information about SecurID two-factor authentication
• 60 different types of customized malware
• Advanced Persistent Threat (APT) malware tied to a network in Shanghai
• A tool written by a Chinese hacker 10 years ago
[Chart: how breaches are discovered, as a percentage of breaches: Notified by law enforcement, Third party fraud detection, Third party monitoring service, Brag or blackmail by perpetrator, Reported by customer/partner …, Unusual system behavior, Reported by employee, Internal fraud detection, Internal security audit or scan]
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
• Some issues have stayed constant:
  • Threat landscape continues to gain sophistication
  • Attackers will always be a step ahead of the defenders
• Different motivation, methods and tools today:
  • We are fighting highly organized, well-funded crime syndicates and nations
  • Move from detective to preventative controls needed
Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
[Chart: types of data compromised, as a percentage of records: Payment card data, Personal information, Usernames, passwords, Intellectual property, Bank account data, Medical records, Sensitive organizational data, System information, Classified information]
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
[Chart: cost-effective solutions for PCI DSS, as a percentage of respondents: Web application firewalls (WAF), Correlation or event management …, Identity & access management systems, Access governance systems, Encryption for data in motion, Anti-virus & anti-malware solution, Encryption/Tokenization for data at …, Firewalls, ID & credentialing system, Database scanning and monitoring … (DAM), Intrusion detection or prevention … (IDS), Data loss prevention systems (DLP), Endpoint encryption solution (client encryption)]
Source: PCI DSS Compliance Survey, Ponemon Institute
Jim Browning
Senior Security Engineer
Teradata Labs
Teradata – Protegrity Partnership
• Strategic partnership since 2004
• Advocated solution for data protection on Teradata Databases
• Design and development of Protegrity data security platform for Teradata
• Proven parallel and scalable data protection for Teradata MPP platforms
• Collaboration on forward-looking roadmaps
  – New and advanced data protection options
  – Integration with new Teradata Database features
  – Seamless operation on large data warehouse systems
• World-class customers
Teradata – Protegrity Customers by Industry
[Figure: customer logos grouped by industry: Retail, Government, Transportation, Utilities, Manufacturing, Telecommunications, Financial, Healthcare]
Types of Data Requiring Protection
• Credit Card Information
  – Credit Card Numbers (PAN)
  – Service Codes
  – Expiration Dates
• Personal Identifying Information
  – Social Security Numbers
  – Tax Identifiers
• Protected Health Information
  – Identifiable Patient Data
  – Medical Record Numbers
• Corporate Financial Data
  – Non-public Information
• Human Resources Data
  – Tax Identifiers
  – Drivers License Numbers
  – Date of Birth
  – Payroll Information
  – Performance Ratings
• Consumer Financial Data
  – Account Numbers
  – PINs
• Customer and Prospect Data
• Trade Secrets and Intellectual Property
Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata Databases
  – Provides additional separation of duties through a separate Security Manager interface for creation and maintenance of security policies
  – Includes a patented key management system for secure key generation and protection of keys when stored
  – Supports multiple data protection options including strong encryption and tokenization
  – Supports multiple cryptographic algorithms and key strengths
  – Automates the process of converting clear text data to cipher text
Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata Databases
  – Provides additional access controls to protect sensitive information (even DBC cannot see unencrypted data unless specifically authorized by the Security Manager)
  – Includes additional auditing separate from database audit logs (such as the Access Log)
  – Designed to fully exploit Teradata Database parallelism and scalability
  – Enterprise-wide solution that works with most major databases and operating systems (not just Teradata)
Protegrity Data Protection for Teradata: Architecture
[Diagram: an Enterprise Security Administrator (ESA) provides Policy Management, Key Management and Audit Management. Policy is pushed to a PEP Server on each node of the Teradata clique; a Policy Enforcement Agent, implemented as UDF / UDT, performs the data protection operations on the AMPs against the protected data, and audit logs flow back to the ESA. Other components shown: Deployment Server, Log Proxy Server]
Data Protection Methods
• Strong Encryption (AES 128/256, 3DES)
  – Symmetric encryption
  – Encrypted value can be used in database for joins, etc.
• Hashing (HMAC SHA-1)
  – One way: cannot be decrypted
  – Hashed value can be used in database for joins
• DTP2 (Data Type Preserving Encryption 2)
  – Preserves the data type and length of a protected column
• DAM (Data Activity Monitoring)
  – Monitors access to sensitive columns without encrypting or hashing
  – Can be used as a compensating control
• Tokenization
  – Provides inert values that can replace sensitive data in databases
  – Can be used as a compensating control
• Masking
  – Replaces sensitive characters in a string of data to render the data secure
  – Customizable mask patterns
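To make the "hashed value can be used in database for joins" point concrete, here is an added example in Python (not Protegrity's code and not from the slides): two constructed tables store only HMAC-SHA-1 digests of the card number, computed under a shared key, and SQLite joins them on that column. Under mismatched keys the same join returns nothing, which is the key-management dependency that the later tokenization slides contrast against. The table names, card numbers and keys are constructed sample data.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: no clear card number is ever written to a table.
ORDERS = [("o1", "4111111111111111"), ("o2", "5500000000000004"), ("o3", "4111111111111111")]
CARDS = [("4111111111111111", "alice"), ("5500000000000004", "bob")]


def hmac_column(value: str, key: bytes) -> str:
    """Keyed one-way transform of a column value (HMAC-SHA-1, hex digest).
    Deterministic for a given key, so equal inputs give equal outputs and
    the column remains joinable; without the key the digest cannot be
    reproduced, and it cannot be decrypted at all."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha1).hexdigest()


def join_on_hashed_pan(orders_key: bytes, cards_key: bytes = None) -> list:
    """Load both tables with hashed PAN columns and join them in SQLite.
    cards_key defaults to orders_key; pass a different key to see the join
    silently break when the two sides were hashed under different keys."""
    cards_key = orders_key if cards_key is None else cards_key
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, pan_hash TEXT)")
    conn.execute("CREATE TABLE cards (pan_hash TEXT, holder TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [(order_id, hmac_column(pan, orders_key)) for order_id, pan in ORDERS],
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [(hmac_column(pan, cards_key), holder) for pan, holder in CARDS],
    )
    rows = conn.execute(
        "SELECT o.order_id, c.holder "
        "FROM orders o JOIN cards c ON o.pan_hash = c.pan_hash "
        "ORDER BY o.order_id"
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(join_on_hashed_pan(b"shared-key"))        # three matched rows
    print(join_on_hashed_pan(b"key-a", b"key-b"))   # [] : keys differ
```

The second call is the operational caveat behind the "no key management across enterprise" line in the tokenization slides: a hashed column is only useful for joins if every system that feeds it holds the same HMAC key, so key distribution and rotation have to be planned before the column is shared.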
Data Protection Considerations
• Performance
• Storage
• Security
• Transparency
Data Protection Methods
[Table: Performance, Storage, Security and Transparency of each method: System without data protection; Monitoring + Blocking + Masking; Format Controlling Encryption; Strong Encryption; Tokenization; Hashing. The original slide rates each cell on a colour scale from Best to Worst]
Replace Sensitive Data with Fake Data
[Diagram: Data = Token = Random number. Tokenization and de-tokenization sit around the applications & databases; the unprotected sensitive information is the data, the protected sensitive information is the token]
What is Tokenization and What is the Benefit?
Tokenization
• Tokenization is a process that replaces sensitive data in systems with inert data called tokens, which have no value to a thief
• Tokens resemble the original data in data type and length
Benefit
• Greatly improved transparency to systems and processes that need to be protected
Result
• Reduced remediation
• Reduced need for key management
• Reduced points of attack
• Reduced PCI DSS audit costs for retail scenarios
Complexity when Using Basic Tokenization
[Diagram: a separate Token Server outside the Teradata clique is consulted by the Protegrity Agent on each node and its AMPs for Credit Card Number, Social Security Number and Passport Number tokens]
• Large footprint becomes larger
• Replication becomes more complex
• Solution may be unmanageable and expensive
Protegrity Tokenization for Teradata Architecture
[Diagram: tokenization operations run inside the clique, by the Protegrity Agent on each node's AMPs, with no external token server]
• Small footprint
• Small static token tables
• High availability
• High scalability
• High performance
• No replication required
• No chance of collisions
Performance Comparison
Basic Tokenization
• 5 tokens per second (outsourced)
• 5,000 tokens per second (in-house)
Protegrity Tokenization
• 200,000 tokens per second (Protegrity)
  • Single commodity server with 10 connections
  • Grows linearly with additional servers and/or connections
• 9,000,000+ tokenizations per second (Protegrity / Teradata)
Protegrity Tokenization Differentiators
Footprint: Large, expanding (Basic Tokenization) vs. Small, static (Protegrity Tokenization)
High Availability, Disaster Recovery: Complex, expensive replication required (Basic) vs. No replication required (Protegrity)
Distribution: Practically impossible to distribute geographically (Basic) vs. Easy to deploy at different geographically distributed locations (Protegrity)
Reliability: Prone to collisions (Basic) vs. No collisions (Protegrity)
Performance, Latency, and Scalability: Will adversely impact performance & scalability (Basic) vs. Little or no latency; fastest industry tokenization (Protegrity)
Extendibility: Practically impossible (Basic) vs. Unlimited tokenization capability (Protegrity)
Why Tokenization?
• No masking needed
• No encryption/decryption when using
• No key management across enterprise
Why Protegrity Tokenization?
• Better: small footprint
• Faster: high performance
• Lower total cost of ownership
Flexibility for Different Forms of Data
Type of Data | Input | Token | Token Properties
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric
Medical ID | 29M2009ID | 497HF390D | Alpha-Numeric
Date | 10/30/1955 | 12/25/2034 | Date
E-mail Address | [email protected] | [email protected] | Alpha-Numeric, delimiters in input preserved
SSN | 075-67-2278 | 287-38-2567 | Numeric, delimiters in input preserved
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, last 4 digits exposed
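The token properties in this table, and the definition of tokenization given earlier (inert values that keep the data type and length of the original), are shown in working form by the added Python example below. It is not Protegrity's code and not from the slides: it uses a simple in-memory vault (a simpler design than the static token tables the slides describe) purely to illustrate the properties. The TokenVault class, the kind names numeric / alnum / date, the 1900..2099 date range and all sample values are assumptions made for this example.

```python
import secrets
import string
from datetime import date, datetime, timedelta

# Added illustration of vault-based, format-preserving tokenization.
# Not Protegrity's implementation: TokenVault, the kind names and the
# sample values are assumptions made for this example.

ALNUM = string.digits + string.ascii_uppercase


def _shape_token(value: str, kind: str, expose_last: int = 0) -> str:
    """Replace the payload characters of value with random ones while keeping
    every delimiter (space, '-', '@', '.') at its original position and,
    optionally, the last expose_last digits in clear."""
    if kind == "numeric":
        is_payload, alphabet = str.isdigit, string.digits
    elif kind == "alnum":
        is_payload, alphabet = str.isalnum, ALNUM
    else:
        raise ValueError(f"unknown token kind: {kind}")
    positions = [i for i, ch in enumerate(value) if is_payload(ch)]
    expose_last = min(expose_last, len(positions))
    keep = set(positions[len(positions) - expose_last:])
    out = list(value)
    for i in positions:
        if i not in keep:
            out[i] = secrets.choice(alphabet)
    return "".join(out)


def _date_token(value: str) -> str:
    """Return a random but valid calendar date in the same MM/DD/YYYY layout."""
    datetime.strptime(value, "%m/%d/%Y")  # reject inputs that are not dates
    start = date(1900, 1, 1)              # token range 1900..2099 (assumption)
    return (start + timedelta(days=secrets.randbelow(73000))).strftime("%m/%d/%Y")


class TokenVault:
    """Keeps the value<->token mapping. Tokens are unique inside the vault
    (no collisions) and a repeated input gets its existing token, so the
    tokenized column still joins. Only vault access can reverse a token."""

    def __init__(self, max_attempts: int = 100):
        self._tokens = {}   # (value, kind, expose_last) -> token
        self._values = {}   # token -> value
        self.max_attempts = max_attempts

    def tokenize(self, value: str, kind: str = "numeric", expose_last: int = 0) -> str:
        key = (value, kind, expose_last)
        if key in self._tokens:
            return self._tokens[key]
        for _ in range(self.max_attempts):
            if kind == "date":
                token = _date_token(value)
            else:
                token = _shape_token(value, kind, expose_last)
            # reject a token that is already issued or that equals the original
            if token != value and token not in self._values:
                self._tokens[key] = token
                self._values[token] = value
                return token
        raise RuntimeError("no collision-free token found for this input")

    def detokenize(self, token: str) -> str:
        return self._values[token]   # KeyError for a token this vault never issued


def demo() -> dict:
    """Tokenize the kinds of values shown in the table (constructed samples)."""
    vault = TokenVault()
    pan = "3872 3789 1620 3675"
    full = vault.tokenize(pan, "numeric")
    return {
        "card": full,
        "card_last4": vault.tokenize(pan, "numeric", expose_last=4),
        "ssn": vault.tokenize("075-67-2278", "numeric"),
        "medical_id": vault.tokenize("29M2009ID", "alnum"),
        "email": vault.tokenize("jane.doe@example.com", "alnum"),
        "date": vault.tokenize("10/30/1955", "date"),
        "round_trip_ok": vault.detokenize(full) == pan,
    }


if __name__ == "__main__":
    for name, token in demo().items():
        print(f"{name:14} {token}")
```

Two design points carry over to any real deployment: the token is rejected if it equals the original or an already-issued token, which is what "no chance of collisions" costs in a vault design, and the same input always receives the same token so downstream joins keep working without anyone holding a key, which is the "no key management" benefit claimed for tokenization.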
Tokenization Case Studies
Customer 1: Extensive enterprise end-to-end credit card data protection, switching to Protegrity Tokenization
• Performance challenge: initial tokenization
• Vendor lock-in: what if we want to switch payment processor?
• Performance challenge: operational tokenization (SLAs)
Customer 2: Desired a single vendor to provide data protection including tokenization
• Combined use of tokenization and encryption
• Looking to expand tokens beyond CCN to PII
Customer 3: Reduce compliance cost. 50 million credit cards, 700 million daily transactions
• Performance challenge: initial tokenization
• End-to-end tokens: started with the EDW and expanding to stores
Case Study – Large Chain Store
By segmenting cardholder data with tokenization, a regional chain of 1,500 local convenience stores is reducing its PCI audit from seven to three months
“We planned on 30 days to tokenize our 30 million card numbers. With Protegrity Tokenization the whole process took about 90 minutes”
Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization
• “With encryption, implementations can spawn dozens of questions”
• “There were no such challenges with tokenization”
Case Study – Large Chain Store
• Faster PCI audit: half the time
• Lower maintenance cost: do not have to apply all 12 requirements of PCI DSS to every system
• Better security: ability to eliminate several business processes such as generating daily reports for data requests and access
• Strong performance: rapid processing rate for initial tokenization; sub-second transaction SLA
Protegrity in the ETL Process
[Diagram: sources (SQL Server, DB2, AS/400, Oracle, Mainframe) feed an ETL platform (Informatica, DataStage) performing cleansing, integration and transformation, then Teradata load processes into the targets (Teradata EDW, test data). Protegrity policy role-based access control decides, per role, whether a user sees the original value, a token, a masked value, a hash, or gets no access]
Protegrity Data Security Platform in Action
[Diagram: the Security Administrator distributes policy to, and collects the audit log from, the Database Protector, File System Protector and Application Protector; tokenization, secure distribution and secure collection cover POS, e-commerce and branch channels]
Why Protegrity?
Protegrity’s Tokenization allows compliance across:
• PCI
• PII
• PHI
Innovative: Pushing data protection with industry-leading innovation such as our patented database protection system and Protegrity Tokenization
Proven: Proven platform currently protects the world’s largest companies
Experienced: Experienced staff will be there with support along the way to complete data protection
Thank you!
Data Breaches Gone Mad
Learn how to Secure your Data Warehouse Straight Away!