Data Breaches Gone Mad

Learn how to Secure your Data Warehouse Learn how to Secure your Data Warehouse

Straight Away!

Wednesday September 28th, 2011

Martin WillcoxDirector Product & Solutions MarketingTeradata Europe, Middle East & Africa

Ulf MattssonUlf Mattsson

CTO Protegrity

The Tokenization Experts

Some of you have already met Yuri.Some of you have already met Yuri.Some of you have already met Yuri.Some of you have already met Yuri.Some of you have already met Yuri.Some of you have already met Yuri.Some of you have already met Yuri.Some of you have already met Yuri.

4

protegrity4 Source: http://www.youtube.com/user/ProtegrityUSA

Last Last Last Last Last Last Last Last year year year year year year year year he and his he and his he and his he and his he and his he and his he and his he and his “anonymous” friends hacked “anonymous” friends hacked “anonymous” friends hacked “anonymous” friends hacked “anonymous” friends hacked “anonymous” friends hacked “anonymous” friends hacked “anonymous” friends hacked AT&T. AT&T. AT&T. AT&T. AT&T. AT&T. AT&T. AT&T.

5

protegrity5 Source: http://www.youtube.com/user/ProtegrityUSA

• Security vulnerability in a Website used by iPad customers

• 100,000 e-mail addresses and iPad identification numbers were

exposed, including:

• New York Mayor

• FBI and NASA

• US Departments of Defense • US Departments of Defense

• Executives from Google,

Microsoft, Amazon and

Goldman Sachs

Source 2010: http://news.cnet.com/8301-27080_3-20007417-245.html#ixzz1Y9IW9a7o

protegrity6

This year they hacked This year they hacked This year they hacked This year they hacked This year they hacked This year they hacked This year they hacked This year they hacked Sony and Sony and Sony and Sony and Sony and Sony and Sony and Sony and boughtboughtboughtboughtboughtboughtboughtboughtBMW M5s.BMW M5s.BMW M5s.BMW M5s.BMW M5s.BMW M5s.BMW M5s.BMW M5s.

protegrity7 Source: http://www.youtube.com/user/ProtegrityUSA

• Data including

passwords and personal

details were stored in

clear text

• Attacks were not • Attacks were not

coordinated and not

advanced

• Majority of attacks

were SQL Injection

dumps and Distributed

Denial of Service (DDoS)protegrity

8

Next Next Next Next Next Next Next Next month month month month month month month month Yuri plans to hit a Yuri plans to hit a Yuri plans to hit a Yuri plans to hit a Yuri plans to hit a Yuri plans to hit a Yuri plans to hit a Yuri plans to hit a major telco with the keys major telco with the keys major telco with the keys major telco with the keys major telco with the keys major telco with the keys major telco with the keys major telco with the keys provided by a disgruntled provided by a disgruntled provided by a disgruntled provided by a disgruntled provided by a disgruntled provided by a disgruntled provided by a disgruntled provided by a disgruntled employee.employee.employee.employee.employee.employee.employee.employee.

protegrity9 Source: http://www.youtube.com/user/ProtegrityUSA

Then Then Then Then Then Then Then Then Yuri is going to buy a Yuri is going to buy a Yuri is going to buy a Yuri is going to buy a Yuri is going to buy a Yuri is going to buy a Yuri is going to buy a Yuri is going to buy a private jet.private jet.private jet.private jet.private jet.private jet.private jet.private jet.

protegrity10 Source: http://www.youtube.com/user/ProtegrityUSA

Manufacturing

Tech Services

Government

Financial Services

Retail

Hospitality

*: Number of breaches

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

0 10 20 30 40 50

Business Services

Healthcare

Media

Transportation

Manufacturing

%

protegrity11

Source: Trustwave Global Security Report 2011 protegrity12

So how So how So how So how So how So how So how So how does does does does does does does does Yuri do it?Yuri do it?Yuri do it?Yuri do it?Yuri do it?Yuri do it?Yuri do it?Yuri do it?

protegrity13 Source: http://www.youtube.com/user/ProtegrityUSA

Error

Physical

Malware

Hacking

%0 20 40 60 80 100

Social

Misuse

Error

*: Number of records

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

protegrity14

“Usually, I just “Usually, I just “Usually, I just “Usually, I just “Usually, I just “Usually, I just “Usually, I just “Usually, I just need one need one need one need one need one need one need one need one disgruntled disgruntled disgruntled disgruntled disgruntled disgruntled disgruntled disgruntled employee. employee. employee. employee. employee. employee. employee. employee. Just Just Just Just Just Just Just Just one.”one.”one.”one.”one.”one.”one.”one.”

protegrity15 Source: http://www.youtube.com/user/ProtegrityUSA

• Attackers stole information about SecurID

two-factor authentication

• 60 different types of customized malware

• Advanced Persistent Threat (APT) malware

tied to a network in Shanghaitied to a network in Shanghai

• A tool written by a Chinese hacker 10 years

ago

protegrity16

Internal security audit or scan

Reported by employee

Unusual system behavior

Reported by customer/partner …

Notified by law enforcement

Third party fraud detection

%0 10 20 30 40 50

Third party monitoring service

Brag or blackmail by perpetrator

Internal fraud detection

Internal security audit or scan

*: Number of breaches

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

protegrity17

• Some issues have stayed constant:

• Threat landscape continues to gain sophistication

• Attackers will always be a step ahead of the defenders

• Different motivation, methods and tools today: • Different motivation, methods and tools today:

• We are fighting highly organized, well-funded

crime syndicates and nations

• Move from detective to preventative controls needed

Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

protegrity18

Medical records

Bank account data

Intellectual property

Usernames, passwords

Personal information

Payment card data

0 20 40 60 80 100 120

Sensitive organizational data

System information

Classified information

Medical records

%*: Number of records

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

protegrity19

Web application firewalls (WAF)

Correlation or event management …

Identity & access management systems

Access governance systems

Encryption for data in motion

Anti-virus & anti-malware solution

Encryption/Tokenization for data at …

Firewalls

WAF

20

*: Cost effective solutions for PCI DSS. Source: PCI DSS Compliance Survey, Ponemon Institute

0 10 20 30 40 50 60 70 80 90

ID & credentialing system

Database scanning and monitoring …

Intrusion detection or prevention …

Data loss prevention systems (DLP)

Endpoint encryption solution

Web application firewalls (WAF) WAF

DLP

DAM

%

Client encryption

IDS

protegrity20

protegrity21

Jim BrowningSenior Security EngineerTeradata Labs

Teradata – Protegrity Partnership

• Strategic partnership since 2004

• Advocated solution for data protection on Teradata Databases• Advocated solution for data protection on Teradata Databases

• Design and development of Protegrity data security platform for Teradata

• Proven parallel and scalable data protection for Teradata MPP platforms

• Collaboration on forward-looking roadmaps

– New and advanced data protection options– Integration with new Teradata Database features– Seamless operation on large data warehouse systems

• World-class customers

23

Teradata – Protegrity Customers by Industry

Retail

Government

Transportation

Utilities

Manufacturing Telecommunications

Financial

Healthcare

Government

24

Types of Data Requiring Protection

• Credit Card Information– Credit Card Numbers (PAN)– Service Codes– Expiration Dates

• Personal Identifying Information– Social Security Numbers– Tax Identifiers

• Protected Health Information– Identifiable Patient Data– Medical Record Numbers

• Corporate Financial Data– Non-public Information

• Human Resources Data– Tax Identifiers– Drivers License Numbers– Date of Birth

• Consumer Financial Data– Account Numbers– PINs

• Human Resources Data– Payroll Information– Performance Ratings

• Customer and Prospect Data

• Trade Secrets and Intellectual Property

25

Protegrity Data Protection for Teradata

• A comprehensive data protection solution for Teradata Databases

– Provides additional separation of duties through a separate Security Manager interface for creation and maintenance of security policies

– Includes a patented key management system for secure key – Includes a patented key management system for secure key generation and protection of keys when stored

– Supports multiple data protection options including strong encryption and tokenization

– Supports multiple cryptographic algorithms and key strengths– Automates the process of converting clear text data to cipher text

26

Protegrity Data Protection for Teradata

• A comprehensive data protection solution for Teradata Databases

– Provides additional access controls to protect sensitive information (even DBC can not see unencrypted data unless specifically authorized by the Security Manager)

– Includes additional auditing separate from database audit logs – Includes additional auditing separate from database audit logs (such as the Access Log)

– Designed to fully exploit Teradata Database parallelism and scalability

– Enterprise-wide solution that works with most major databases and operating systems (not just Teradata)

27

Protegrity Data Protection for TeradataArchitecture

Clique

Policy Enforcement Agent

(UDF / UDT)

Node

PEP Server

DeploymentServer

Log ProxyServer

Dat

a P

rote

ctio

nO

pera

tions

AMP

AMP

AMP

AMP

Audit Logs

Policy

Enterprise Security Administrator (ESA)

Policy Management

Protected Data

Node

PEP Server

Dat

a P

rote

ctio

n

AMP

Dat

a P

rote

ctio

nO

pera

tions

AMP

AMP

AMP

AMP

Key Management

Audit Management

28

Strong EncryptionAES(128,256) / 3DES

Strong Encryption• Symmetric encryption• Encrypted value can be used in database for joins, etc.

HashingHMAC SHA-1

Hashing• One way… can not be decrypted• Hashed value can be used in database for

DTP2Data Type Preserving Encryption 2

Data Type Preserving Encryption 2• Preserves the data type and length of a protected column

Data Protection Methods

HMAC SHA-1 • Hashed value can be used in database for joins

DAMData Activity Monitoring

Data Activity Monitoring (DAM)• Monitors access to sensitive columns without encrypting or hashing

• Can be used as a compensating control

Tokenization• Provides inert values that can replace sensitive data in databases

• Can be used as a compensating control

Tokenization

MaskingMasking• Replaces sensitive characters in a string of data to render the data secure

• Customizable mask patterns

29

Data Protection Considerations

• Performance

• Storage

• Security

• Transparency

30

Data Protection Methods

Data Protection Methods Performance Storage Security Transparency

System without data protection

Monitoring + Blocking + Masking

Format Controlling Encryption

Strong Encryption

Tokenization

Hashing

Best Worst

31

Replace Sensitive Data With Fake Data

=

32

Data TokenRandom number

=

Replace Sensitive Data with Fake Data

De-tokenizationTokenization

Applications & Databases

: Data TokenProtected sensitive information:Protected sensitive information:Protected sensitive information:Protected sensitive information:

Unprotected sensitive information:Unprotected sensitive information:Unprotected sensitive information:Unprotected sensitive information:

De-tokenizationTokenization

33

What is Tokenization and What is the Benefit?

Tokenization

• Tokenization is process that replaces sensitive data in systems with inert data called tokens which have no value to the thief

• Tokens resemble the original data in data type and length

Benefit

• Greatly improved transparency to systems and processes that need to be protectedneed to be protected

Result

• Reduced remediation

• Reduced need for key management

• Reduce the points of attacks

• Reduce the PCI DSS audit costs for retail scenarios

34

Token Server

Clique

Node

Protegrity Agent

AMP

AMP

AMP

AMP

Complexity when Using Basic TokenizationLarge footprint becomes larger

Replication becomes more complex

Solution may be unmanageable and expensive

Node

Protegrity Agent

AMP

AMP

AMP

AMP

Credit CardNumber

Social Security Number

PassportNumber

35

Protegrity Tokenization for Teradata Architecture

Clique

Node

Protegrity Agent

AMP

AMP

AMP

AMP

TokenizationOperations

Small footprint

Small static token tables

High availability

High scalability

High performance

No replication required

Node

Protegrity Agent

AMP

AMP

AMP

AMP

TokenizationOperations

No replication required

No chance of collisions

36

Performance Comparison

Basic Tokenization

• 5 tokens per second (outsourced)

• 5000 tokens per second (in-house)

Protegrity Tokenization

• 200,000 tokens per second (Protegrity)

• Single commodity server with 10 connections.

• Will grow linearly with additional servers and/or connections

• 9,000,000+ tokenizations per second (Protegrity /Teradata)

37

Protegrity Tokenization Differentiators

Basic Tokenization Protegrity Tokenization

Footprint Large, Expanding Small, Static

High Availability,

Disaster Recovery

Complex, expensive

replication required

No replication required

Distribution Practically impossible to

distribute geographically

Easy to deploy at different geographically

distributed locations

Reliability Prone to collisions No collisions

Performance,

Latency, and

Scalability

Will adversely impact

performance & scalability

Little or no latency. Fastest industry

tokenization

Extendibility Practically impossible Unlimited Tokenization Capability

38

Why Tokenization?

No masking needed

No encryption/decryption when using

No key management across enterprise

Why Protegrity Tokenization?

39

Better – small footprint

Faster – high performance

Lower total cost of ownership

Why Protegrity Tokenization?

Flexibility for Different Forms of Data

Type of Data Input Token Comment

Token Properties

Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric

Medical ID 29M2009ID 497HF390D Alpha-Numeric

Date 10/30/1955 12/25/2034 Date

E-mail Address ulf.mattsson@protegrity.com empo.snaugs@svtiensnni.snk Alpha Numeric, delimiters in input preservedin input preserved

SSN Delimiters 075-67-2278 287-38-2567 Numeric, delimiters in input

Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed

40

Tokenization Case Studies

Customer 1: Extensive enterprise End-to-End credit card data protection switching to Protegrity Tokenization

• Performance Challenge: Initial tokenization

• Vendor Lock-In: What if we want to switch payment processor?

• Performance Challenge: Operational tokenization (SLAs)

Customer 2: Desired single vendor to provide data protection including tokenization

• Combined use of tokenization and encryption

• Looking to expand tokens beyond CCN to PII

Customer 3: Reduce compliance cost. 50 million Credit Cards, 700 million daily transactions

• Performance Challenge: Initial tokenization

• End-to-End Tokens: Started with the EDW and expanding to stores

41

Case Study – Large Chain Store

By segmenting cardholder data with tokenization, a regional chain of 1,500 local convenience stores is reducing its PCI audit from seven to three months

“We planned on 30 days to tokenize our 30 million card numbers. With Protegrity Tokenization the whole process took about 90 minutes”

Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization

• “With encryption, implementations can spawn dozens of questions”

• “There were no such challenges with tokenization”

42

Faster PCI audit • Half that time

Lower maintenance cost • Do not have to apply all 12 requirements of PCI DSS to every system

Case Study – Large Chain Store

Better security • Ability to eliminate several business processes such as generating daily reports for data requests and access

Strong performance • Rapid processing rate for initial tokenization

• Sub-second transaction SLA

43

Protegrity in the ETL Process

SQL Server

ETL PlatformInformaticaData Stage

Sources TargetsTransformation

DB2

Original ValueNo Access

Protegrity P

olicy Role B

ased A

ccess Control

Data Stage

• Cleansing• Integration• Transformation

Teradata

EDW

Teradata Load P

rocesses

AS/400

No AccessTokenMaskHash

Protegrity P

olicy Role B

ased A

ccess Control

Test Data

Oracle

Mainframe

44

Protegrity Data Security Platform in Action

Database Protector

TokenizationSecure

Distribution

AuditLog

Policy

Secure Collection POS e-commerce Branch

45

File System Protector

Application Protector

Security Administrator

Why Protegrity?

Protegrity’s Tokenization allows compliance across:

• PCI

• PII

• PHI

Innovative: Pushing data protection with industry leading innovation such as out patented database protection system and the Protegrity

46

such as out patented database protection system and the Protegrity Tokenization

Proven: Proven platform currently protects the worlds largest companies

Experienced: Experienced staff will be there with support along the way to complete data protection

Q&A

Contacts:

Protegrity: elaine.evans@protegrity.com

Teradata: simona.firmo@teradata.com

Thank you!

Data Breaches Gone Mad

Learn how to Secure your Data Warehouse Straight Away!

Thank you!