Practical advice for cloud data protection ulf mattsson - jun 2014


Page 1: Practical advice for cloud data protection   ulf mattsson - jun 2014

Practical Advice for Cloud Data Protection

Ulf Mattsson, CTO, Protegrity

[email protected]

Page 2

Member of PCI Security Standards Council:

• Tokenization Task Force

• Encryption Task Force

• Point to Point Encryption Task Force

• Risk Assessment SIG

• eCommerce SIG

• Cloud SIG

• Virtualization SIG

• Pre-Authorization SIG

• Scoping SIG

Ulf Mattsson, Protegrity CTO

Page 3

Issues with Cloud Computing

Page 17

Who do You Trust?

Page 25

What is Cloud Computing?

Page 26

What Is Cloud Computing? Service Models

Infrastructure as a Service (IaaS) delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking.

Software as a Service (SaaS), sometimes referred to as "on-demand software", is a software delivery model in which software and its associated data are hosted centrally (typically in the Internet cloud).

Platform as a Service (PaaS) is the delivery of a computing platform and solution stack as a service.

Page 33

Cloud Services

Page 34

Service Orchestration

Software as a Service (SaaS), sometimes referred to as on-demand software

Platform as a Service (PaaS), the delivery of a computing platform and solution stack

Infrastructure as a Service (IaaS), delivering computer infrastructure along with raw storage and networking

Page 37

PCI and Cloud Security

Page 39

Control shared across different service models

Page 43

External Validation of Tokenization

“The xxx tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.”

Prof. Dr. Ir. Bart Preneel, Katholieke Universiteit Leuven, Belgium, where the Advanced Encryption Standard (AES) was invented

“Token is not mathematically derived from its input.” and “None of the attacks that we have identified have a factor of work that is less than that of a brute-force attack.”

C. Matthew Curtin, CISSP, Founder, Interhack Corporation, Ohio State University, who broke the U.S. Government's Data Encryption Standard (DES)

Page 44

Cloud Security Model

Page 54

Cloud Security Issues

Page 58

Threat Vector Inheritance - SaaS

ADDITIONAL THREAT INDUCERS
• Multi-tenancy at an application level

EXAMPLES OF THREATS
• A different tenant using the same SaaS infrastructure gains access to another tenant's data through web-layer vulnerabilities (a privilege escalation)

TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT

ADDITIONAL TESTING CATEGORIES
• Multi-tenancy testing (an extension of privilege escalation)

Page 59

Threat Vector Inheritance - PaaS

ADDITIONAL THREAT INDUCERS
• Multi-tenancy at a platform level

EXAMPLES OF THREATS
• A different tenant using the same infrastructure gains access to another tenant's data through web-layer vulnerabilities (a privilege escalation)

TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT

ADDITIONAL TESTING CATEGORIES
• Multi-tenancy testing (an extension of privilege escalation)

Page 60

Threat Vector Inheritance - IaaS

ADDITIONAL THREAT INDUCERS
• Multi-tenancy at an infrastructure level

EXAMPLES OF THREATS
• Deficiencies in virtualization security (improper implementation of VM zoning and segregation, leading to inter-VM attacks across multiple IaaS tenants)

TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT
• Traditional infrastructure vulnerability assessment

ADDITIONAL TESTING CATEGORIES
• Inter-VM security / vulnerability testing

Page 61

Encryption

Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud. Once data arrives in the cloud, it should remain protected both at rest and in use.

Do not forget to protect files that are often overlooked but which frequently include sensitive information: log files and metadata can be avenues for data leakage.

Encrypt using sufficiently durable encryption strengths (such as AES-256).

Use open, validated formats and avoid proprietary encryption formats wherever possible.

Page 62

Alternative Approaches to Encryption

Tokenization
• This is where a public cloud service can be integrated/paired with a private cloud that stores the sensitive data.
• The data sent to the public cloud is altered and contains only a reference to the data residing in the private cloud.

Data Anonymization
• This is where (for example) Personally Identifiable Information (PII) and other sensitive data are stripped before processing.

Utilizing access controls built into the database

Page 63

Access Management

Page 64

VIRTUALIZATION: Hypervisor Architecture Concerns

• Virtual machine guest hardening
• Hypervisor security
• Inter-VM attacks and blind spots
• Performance concerns
• Operational complexity from VM sprawl
• Instant-on gaps
• Virtual machine encryption
• Data commingling
• Virtual machine data destruction
• Virtual machine image tampering
• In-motion virtual machines

Page 68

Cloud Security Solutions

Page 73

Encryption in Cloud Computing

Page 75

Gartner - Cloud & Gateways

• Secure Web Gateways
• Cloud Encryption Gateways
• Cloud Security Gateways
• Secure Email Gateways
• Cloud Access Security Brokers (CASBs)
• Cloud Services Brokerage (CSB)

Page 76

Cloud Gateway Benefits

Eliminates the threat of third parties exposing your sensitive information

Delivers a secure and uncompromised SaaS user experience

Ensures data integrity and availability

Eases cloud adoption process and acceptance

Eliminates data residency concerns and requirements

Product is transparent and has close to 0% overhead impact

Identifies malicious activity and proves compliance to third parties with detailed audit trails

Simplifies compliance requirements

Ability to outsource a portion of your IT security requirements

Page 79

Inline Gateway Deployment

(diagram: Client, http(s), Gateway Server; Enterprise Security Administrator; Security Officer)

Page 80

Inline Gateway Deployment – Use Case #1

(diagram: Corporate Network containing the CDE; Client, http(s), Gateway Server; Enterprise Security Administrator; Security Officer)

Page 81

Inline Gateway Deployment – Use Case #2

(diagram: Corporate Network containing the CDE; Backend System, http(s), Gateway, External Service; Enterprise Security Administrator; Security Officer)

Page 82

TURNING THE TIDE

What new technologies and techniques can be used to prevent future attacks?

Page 83

Evolution of Data Security Methods

Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption

Fine Grained Security
• Access Controls
• Field Encryption
• Masking
• Tokenization
• Vaultless Tokenization

Page 84

Evolution of Protection Techniques (chart; axis: Total Cost of Ownership, High to Low)

Technique | Example output for the input 3872 3789 1620 3675 | Notes
Strong Encryption (e.g. AES, 3DES) | !@#$%a^.,mhu7///&*B()_+!@ | Data length expands and type changes
Format/Type Preserving Encryption (e.g. DTP, FPE) | 8278 2789 2990 2789 | Format preserving
Vault-based Tokenization | 8278 2789 2990 2789 | Format preserving
Vault-less Tokenization | 8278 2789 2990 2789 | Format preserving; greatly reduced key management; no vault
Data stored in the clear | 3872 3789 1620 3675 |

Page 85

The New Fine Grained Data Security (chart; x-axis: Access Privilege Level, Low to High; y-axis: Risk, Low to High)

Old: minimal access levels, least privilege to avoid high risks.

New: much greater flexibility and lower risk in data accessibility. Increased creativity.

Page 86

Fine Grained (Field-Level) Sensitive Data Security allows for a Wider and Deeper Range of Authority Options

Page 87

Format Flexibility - PII

Description | Input | Token
SSN, numeric | 075672278 | 287382567
SSN, delimiters in input | 075-67-2278 | 287-38-2567
SSN, last 4 digits exposed | 075-67-2278 | 591-20-2278
Date, multiple date formats | 10/30/1955 | 12/25/2034
Year part exposed | 10/30/1955 | 04/02/1955
Month part exposed | 10/30/1955 | 10/17/3417
Range as a differentiator | 10/30/1955 | 09/26/4741
Datetime | 10/30/1955 07:32:59.243 | 12/25/2034 12:05:47.243
Email domain exposed | [email protected] | [email protected]
Name | Yuri Gagarin | A4kq nhHOwtG
Telephone | (203)550-9985 | (203)371-2076

Page 88

Format Flexibility – Credit Card

Description | Input | Token
Numeric | 3872 3789 1620 3675 | 8278 2789 2990 2789
Numeric, last 4 digits exposed (12x4) | 3872 3789 1620 3675 | 1507 4402 1958 3675
Numeric, first 6 and last 4 digits exposed (6x6x4) | 3872 3789 1620 3675 | 3872 3789 2990 3675
Alpha-numeric, digits exposed (4x8x4) | 3872 3789 1620 3675 | 3872 qN4e 5yPx 3675
Luhn check will fail | 3872 3789 1620 3675 | 7508 1538 4200 9532
Alphabetic indication in a configurable position | 3872 3789 1620 3675 | 9530 4800 323A 6871
Invalid card type | 3872 3789 1620 3675 | 2991 1350 6123 4837
Different token for the same credit card number based on merchant, client or source identifier | 3872 3789 1620 3675 | ID1: 8278 2789 2990 2789; ID2: 9302 8999 2662 6345

Including non-conflicting combinations of the above
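The format preservation, exposed-digit options and "no collisions" claims on these slides can be seen in a small static-table tokenizer. The code below is an added example, not Protegrity's product code or the scheme reviewed in the quotes above; its layout is a constructed assumption (digits are mapped three at a time through a random permutation table, non-digit characters pass through unchanged, and `exposed=(head, tail)` counts the leading and trailing digits left in the clear), and the `seed` parameter exists only to make the run reproducible. A Luhn check is included so the reader can see that a token need not pass the check a real card number would.

```python
"""Added example: a static-table (vaultless) tokenizer with format preservation.

Constructed for illustration; this is not Protegrity's algorithm.  It shows the
properties the slides list: a pre-generated random table that can be copied to
every site (no vault, no replication), a permutation so two inputs never share a
token (no collisions), preservation of length and delimiters, configurable
exposed digits, and a Luhn check on the result.
"""
import random
import secrets

CHUNK = 3  # digits are mapped three at a time; a shorter tail uses a 1- or 2-digit table


def generate_tables(seed=None):
    """Build one random permutation for each chunk width (1, 2 and 3 digits).

    A permutation is a bijection, which is what rules out collisions.  The seed
    argument only makes the example reproducible; with seed=None the tables are
    drawn from the OS CSPRNG.  In any real use the tables are secret key material.
    """
    rng = random.Random(secrets.randbits(128) if seed is None else seed)
    tables = {}
    for width in range(1, CHUNK + 1):
        perm = list(range(10 ** width))
        rng.shuffle(perm)
        tables[width] = perm
    return tables


class StaticTableTokenizer:
    def __init__(self, tables):
        self.tables = tables
        # Inverse permutations, used to detokenize.
        self.inverse = {w: [0] * len(p) for w, p in tables.items()}
        for w, p in tables.items():
            for plain, tok in enumerate(p):
                self.inverse[w][tok] = plain

    def _walk(self, digits, forward):
        """Map a digit string chunk by chunk.  Each chunk is offset by the
        previous *token* chunk so repeated input chunks do not repeat in the
        output; for a fixed offset the mapping is still a bijection."""
        out, prev, i = [], 0, 0
        while i < len(digits):
            width = min(CHUNK, len(digits) - i)
            size = 10 ** width
            val = int(digits[i:i + width])
            if forward:
                tok = self.tables[width][(val + prev) % size]
                prev = tok
            else:
                tok = (self.inverse[width][val] - prev) % size
                prev = val
            out.append(f"{tok:0{width}d}")
            i += width
        return "".join(out)

    def _apply(self, value, exposed, forward):
        """Tokenize only the digits; copy delimiters and spacing through
        unchanged.  exposed=(head, tail) leaves that many leading/trailing
        digits in the clear: (0, 4) is 'last 4 exposed', (6, 4) is
        'first 6 and last 4 exposed'."""
        positions = [k for k, ch in enumerate(value) if ch.isdigit()]
        digit_str = "".join(value[k] for k in positions)
        head, tail = exposed
        n = len(digit_str)
        middle = self._walk(digit_str[head:n - tail], forward)
        mapped = digit_str[:head] + middle + digit_str[n - tail:]
        chars = list(value)
        for k, d in zip(positions, mapped):
            chars[k] = d
        return "".join(chars)

    def tokenize(self, value, exposed=(0, 0)):
        return self._apply(value, exposed, True)

    def detokenize(self, token, exposed=(0, 0)):
        return self._apply(token, exposed, False)


def luhn_valid(value):
    """Standard Luhn check over the digits of value (delimiters ignored)."""
    total = 0
    for idx, ch in enumerate(reversed([c for c in value if c.isdigit()])):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def no_collisions(tokenizer, width=CHUNK):
    """True when every distinct width-digit input maps to a distinct token."""
    tokens = {tokenizer.tokenize(f"{i:0{width}d}") for i in range(10 ** width)}
    return len(tokens) == 10 ** width


if __name__ == "__main__":
    # Constructed inputs: the well-known Visa test number and a made-up SSN.
    tk = StaticTableTokenizer(generate_tables(seed=7))
    for value, exposed in [("4111 1111 1111 1111", (0, 4)),
                           ("4111 1111 1111 1111", (6, 4)),
                           ("075-67-2278", (0, 4))]:
        t = tk.tokenize(value, exposed)
        print(value, "->", t, "| luhn:", luhn_valid(t),
              "| roundtrip:", tk.detokenize(t, exposed) == value)
    print("no collisions:", no_collisions(tk))
```

Because each table is a permutation, two different inputs cannot share a token, and because the tables are generated once and copied, every site tokenizes independently with nothing to synchronize or replicate. The table is key material: whoever holds it can reverse every token, so it needs the same handling as an encryption key.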

Page 89

Format Flexibility - Other

Description | Input | Token
Free text, non length preserved, up to 2k | the dog jumped over the lazy fox | Eem JqM A4ksIX nhuH OUG zEQT RxV
Decimal | 123.45 | 9842.56
Binary, up to 2k | 0x010203 | 0x123296910112
All printable characters | ~`’;/!Üñ╗▓╟╚τ | }╗æƺe2!⥿*&½
Lower ASCII | abcdefghijklmnopqrstuvwxyz | F7}yGN6/5&kc!h1?eUt^EcriT-

Page 90

Protegrity Tokenization Differentiators

Property | Protegrity Tokenization | Traditional Tokenization
Footprint | Small, static. | Large, expanding.
High availability, disaster recovery | No replication required. | Complex, expensive replication required.
Distribution | Easy to deploy at different geographically distributed locations. | Practically impossible to distribute geographically.
Reliability | No collisions. | Prone to collisions.
Performance, latency and scalability | Little or no latency. Fastest industry tokenization. | Will adversely impact performance and scalability.
Extendibility | Unlimited tokenization capability. | Practically impossible.

Page 91

Fine Grained Data Security Methods

Tokenization and Encryption are Different

Property | Encryption | Tokenization
Used approach | Cipher system | Code system
Components | Cryptographic algorithms, cryptographic keys | Code books, index tokens

Page 92

Different Tokenization Approaches

Property | Vault-based: Dynamic | Vault-based: Pre-generated | Vaultless

Page 93

Security of Fine Grained Protection Methods (chart; y-axis: Security Level, Low to High)

Methods compared: Format Preserving Encryption; Vaultless Data Tokenization; AES CBC Encryption Standard; Basic Data Tokenization

Page 94

Speed of Fine Grained Protection Methods (chart; y-axis: Transactions per second*, logarithmic from 100 to 10 000 000)

Methods compared: Format Preserving Encryption; Vaultless Data Tokenization; AES CBC Encryption Standard; Vault-based Data Tokenization

*: Speed will depend on the configuration

Page 95

Tokenization Research

Tokenization Gets Traction: Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption.

Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.

Tokenization users had 50% fewer security-related incidents than tokenization non-users.

Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

Page 96

How Should I Secure Different Data? (chart; x-axis: Type of Data, Structured to Un-structured; y-axis: Use Case, Simple to Complex)

PCI: Card Holder Data
PHI: Protected Health Information
PII: Personally Identifiable Information

Approaches shown: Tokenization of Fields; Encryption of Files

Page 97

Use Case: Protect PII Data Cross Border

CHALLENGES

The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.

Page 98

Centralized Policy Management

(diagram: the Enterprise Security Administrator distributes a Policy to, and collects an Audit Log from, each protection point: Application, File Servers, RDBMS, Big Data, Gateway Servers, Protection Servers, MPP, HP NonStop Base24, IBM Mainframe Protector; the Security Officer is shown with the audit log)

Page 99

Enterprise Data Security Policy

What: What is the sensitive data that needs to be protected? The data element.

How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.

Who: Who should have access to sensitive data and who should not. Security access control: roles and members.

When: When should sensitive data access be granted to those who have access. Day of week, time of day.

Where: Where is the sensitive data stored? This is where the policy is enforced: at the protector.

Audit: Audit authorized or unauthorized access to sensitive data. Optional audit of protect/unprotect.
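The six policy questions above map directly onto the decision a protector has to make on every access. The code below is an added example, not Protegrity's product code; the class names, the policy layout, the role and user names, and the toy vault backend are constructed assumptions made only to show the What/How/Who/When/Where/Audit evaluation end to end.

```python
"""Added example: enforcing a What/How/Who/When/Where/Audit data security
policy at a protection point.  Illustration code, not Protegrity's product;
the class names, policy layout and the toy backend are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    roles: set            # WHO may use this rule
    days: set             # WHEN: weekday numbers, 0 = Monday .. 6 = Sunday
    hours: tuple          # WHEN: (start_hour, end_hour), half-open range
    presentation: str     # HOW the data is presented: "clear", "masked" or "token"


@dataclass
class DataElement:
    name: str             # WHAT is protected (e.g. "ssn")
    method: str           # HOW it is protected at rest ("tokenize" or "encrypt")
    rules: list           # evaluated in order, first match wins


@dataclass
class Policy:
    elements: dict        # element name -> DataElement
    members: dict         # role -> set of user ids (WHO)


class DemoVault:
    """Toy stand-in for the protection backend: a counter-keyed dictionary.
    A real protector would tokenize or encrypt here; this only needs to be
    reversible so the policy logic can be shown end to end."""
    def __init__(self):
        self._store, self._n = {}, 0

    def protect(self, value):
        self._n += 1
        token = f"tok-{self._n:06d}"
        self._store[token] = value
        return token

    def unprotect(self, token):
        return self._store[token]


def mask_keep_last4(value):
    """Replace every digit before the last four characters with '*'."""
    cut = len(value) - 4
    return "".join("*" if (c.isdigit() and i < cut) else c for i, c in enumerate(value))


class Protector:
    """WHERE the policy is enforced: next to the data store.  Every decision,
    allowed or denied, is appended to self.audit (AUDIT)."""
    def __init__(self, policy, backend):
        self.policy, self.backend, self.audit = policy, backend, []

    def _roles_of(self, user):
        return {role for role, users in self.policy.members.items() if user in users}

    def _log(self, now, user, element, action, outcome):
        self.audit.append({"time": now.isoformat(), "user": user,
                           "element": element, "action": action, "outcome": outcome})

    def protect(self, element, user, value, now):
        if element not in self.policy.elements or not self._roles_of(user):
            self._log(now, user, element, "protect", "denied")
            return None
        self._log(now, user, element, "protect", "allowed")
        return self.backend.protect(value)

    def access(self, element, user, stored, now):
        """Return the value as the first matching rule allows it to be
        presented, or None when no rule grants this user access right now."""
        elem = self.policy.elements.get(element)
        roles = self._roles_of(user)
        if elem is not None:
            for rule in elem.rules:
                in_window = now.weekday() in rule.days and rule.hours[0] <= now.hour < rule.hours[1]
                if roles & rule.roles and in_window:
                    self._log(now, user, element, "unprotect", rule.presentation)
                    if rule.presentation == "token":
                        return stored                  # token only, never the clear value
                    clear = self.backend.unprotect(stored)
                    return clear if rule.presentation == "clear" else mask_keep_last4(clear)
        self._log(now, user, element, "unprotect", "denied")
        return None


def demo_policy():
    """Constructed policy: fraud analysts see SSNs in clear on weekdays
    08:00-18:00, customer service sees a masked form at any time, and
    analytics sees tokens only."""
    weekdays, every_day = {0, 1, 2, 3, 4}, set(range(7))
    ssn = DataElement("ssn", "tokenize", [
        Rule({"fraud_analyst"}, weekdays, (8, 18), "clear"),
        Rule({"customer_service"}, every_day, (0, 24), "masked"),
        Rule({"analytics"}, every_day, (0, 24), "token"),
    ])
    members = {"fraud_analyst": {"alice"}, "customer_service": {"bob"}, "analytics": {"dave"}}
    return Policy({"ssn": ssn}, members)


def run_demo():
    """Exercise the policy with constructed users and times; return decisions."""
    prot = Protector(demo_policy(), DemoVault())
    monday_10 = datetime(2014, 6, 2, 10, 0)    # 2 June 2014 was a Monday
    monday_20 = datetime(2014, 6, 2, 20, 0)
    saturday = datetime(2014, 6, 7, 3, 0)
    stored = prot.protect("ssn", "alice", "075-67-2278", monday_10)
    return {
        "stored": stored,
        "alice_monday_10": prot.access("ssn", "alice", stored, monday_10),
        "alice_monday_20": prot.access("ssn", "alice", stored, monday_20),
        "alice_saturday": prot.access("ssn", "alice", stored, saturday),
        "bob_saturday": prot.access("ssn", "bob", stored, saturday),
        "dave_monday": prot.access("ssn", "dave", stored, monday_10),
        "carol_monday": prot.access("ssn", "carol", stored, monday_10),
        "unknown_element": prot.access("card", "alice", stored, monday_10),
        "audit": prot.audit,
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, val)
```

Two design points carry over to any real protector: the time window is checked at the protector, not at the application, so a compromised client cannot skip it; and the "token" presentation returns the stored value without ever calling `unprotect`, which is how an analytics role gets a stable join key without being able to see the original.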

Page 100

Enterprise Data Security Platform

Enterprise Security Administrator (ESA)
• Central point of data security policy management
• Deployed as soft appliance
• Hardened, high availability, backup and restore

Gateway and Protection Servers
• Deployed as soft appliance
• Hardened, high availability, backup and restore

Data Protectors
• Enforcing data security policy close to the data store
• Heterogeneous coverage:
  • AIX, HPUX, Linux, Solaris, Windows, z/OS
  • Teradata, Oracle, Netezza, Pivotal, DB2, UDB, SSQL
  • Hadoop: Cloudera, Hortonworks, Pivotal, BigInsights, mapR, etc.
  • Web Services, C/C++, Java, .NET, Cobol

(diagram: Enterprise Security Administrator; Application, File Servers, RDBMS, Big Data, Gateway Servers, Protection Servers, MPP, HP NonStop Base24, IBM Mainframe Protector)

Page 101

Enterprise Platform Versatility

(diagram: Policy Enforcement Point)

Page 102

Thank you!

Questions?

Please contact us for more information

www.protegrity.com

[email protected]

To Request A Copy of the Presentation

Email: [email protected]