Published on February 27, 2014
Enterprise Data Protection: Understanding Your Options and Strategies
Ulf Mattsson, CTO, Protegrity (Ulf.mattsson AT protegrity.com)

Ulf Mattsson
- 20 years with IBM Development & Global Services
- Inventor of 22 patents in encryption and intrusion prevention
- Co-founder of Protegrity (data security)
- Research member of the International Federation for Information Processing (IFIP) WG 11.3, Data and Application Security
- Member of the PCI Security Standards Council (PCI SSC), American National Standards Institute (ANSI) X9, Information Systems Audit and Control Association (ISACA), Cloud Security Alliance (CSA), and Information Systems Security Association (ISSA)
ISACA Articles – Data Security
Topics
- Review the changing threat landscape
- Present different options for data security for PCI DSS
- Review a case study
- Show how to protect the entire data flow
- Discuss how to protect against advanced attacks
- Show how to balance performance and security with different approaches to tokenization and encryption
- Review security enforcement at the application, database, file and storage levels

The Changing Threat Landscape
Some issues have stayed constant:
- The threat landscape continues to gain sophistication
- Attackers will always be a step ahead of the defenders
- We are fighting highly organized, well-funded crime syndicates and nation states
A move from detective to preventative controls is needed: several layers of security to address the more significant areas of risk.
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

2010 Data Breach Investigations Report
- Six years, 900+ breaches, and over 900 million compromised records
- Over half of the breaches occurred outside of the U.S.
- Online data is compromised most frequently [chart of compromised-data percentages by data location not reproduced]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Threat Action Categories
90% of compromised records were lost in highly sophisticated attacks [chart not reproduced]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Payment Card Industry Data Security Standard (PCI DSS)
- The PCI Security Standards Council is an open global forum founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
- The PCI DSS consists of 12 requirements (the "12 rules")
- Requirement 3.4 allows four ways to render the PAN (credit card number) unreadable wherever it is stored:
  - Strong two-way cryptography with associated key-management processes
  - Truncation
  - One-way cryptographic hash functions (based on strong cryptography)
  - Index tokens and pads (pads must be securely stored)
Source: https://www.pcisecuritystandards.org/organization_info/index.php
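The four Requirement 3.4 methods are not interchangeable, and the caveat a practitioner wants is that they interact: an unkeyed hash of a PAN is only as strong as the search space left to an attacker, and once a truncated copy of the same PAN (first six and last four visible) exists anywhere in the environment, only the six hidden digits remain to be guessed. Later PCI DSS versions call this out explicitly (hashed and truncated versions of the same PAN must not be correlatable). The following Python is an added example, not code from the deck or from Protegrity: it applies truncation, plain and keyed hashing, and vault-based index tokens to a constructed PAN (the deck's own sample number, which happens to pass Luhn), and runs the attack that recovers the PAN from a plain hash plus its truncated twin. Strong two-way encryption is left out only because the standard library ships no AES. The `TokenVault` class and all function names are illustrative assumptions.

```python
"""Added example (not from the Protegrity deck): three of the four PCI DSS
Requirement 3.4 methods applied to one constructed PAN, plus a check showing
that a plain (unkeyed) hash of a PAN is searchable whenever a truncated copy
of the same PAN is stored elsewhere."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample PAN: the deck's own example number; it passes Luhn.
SAMPLE_PAN = "4000001234567899"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. Real PANs pass it, so an attacker can
    discard roughly nine out of ten brute-force candidates without hashing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: keep at most the first six and the last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plain_hash(pan: str) -> str:
    """One-way hash with no secret: deterministic, so anyone can test guesses."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256: still one-way, but guesses cannot be tested without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_hash(digest: str, truncated: str,
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: a truncated copy and a digest of the same PAN leak from
    two different systems. Only the hidden middle digits are unknown, so the
    search space is 10**6 for a 16-digit PAN before Luhn pruning."""
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for n in range(10 ** hidden):
        candidate = f"{first6}{n:0{hidden}d}{last4}"
        if luhn_ok(candidate) and hash_fn(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Index tokens: a random surrogate stored beside the PAN in a vault.
    The token keeps the first six and last four digits (as in the deck's
    400000 222222 7899 example); the middle comes from a CSPRNG, so it is
    not a function of the PAN and can only be reversed by the vault lookup."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:      # multi-use token: same PAN, same token
            return self._pan_to_token[pan]
        hidden = len(pan) - 10
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(hidden))
            token = pan[:6] + middle + pan[-4:]
            # Reject collisions with issued tokens and the rare case where the
            # random middle equals the real one.
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    trunc = truncate(SAMPLE_PAN)
    print("truncated:", trunc)
    print("plain hash recovered:",
          recover_from_hash(plain_hash(SAMPLE_PAN), trunc, plain_hash))
    key, attacker_guess = secrets.token_bytes(32), secrets.token_bytes(32)
    print("keyed hash, attacker without the key:",
          recover_from_hash(keyed_hash(SAMPLE_PAN, key), trunc,
                            lambda p: keyed_hash(p, attacker_guess)))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("token:", tok, "->", vault.detokenize(tok))
```

Run stand-alone, the plain-hash search finds the PAN in well under a second; the keyed-hash search with a wrong key exhausts all 10**6 candidates and returns `None`. The point for a PCI scope review is that the keyed hash is only as safe as its key, which puts it back under the key-management requirements the deck lists for encryption, whereas the vault token has no key at all and its security reduces to the access controls around the vault.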
PCI Encryption Rules [diagram]: data crosses the public network as SSL-encrypted data (PCI DSS), is decrypted to clear text in the application on the private network, is written to the database as encrypted data (PCI DSS), and rests on the OS file system and storage system as encrypted data at rest (PCI DSS). An attacker who reaches the application sees clear text: it is not enough to encrypt pipes and files.

Protecting the Data Flow - Example [diagram of enforcement points along the data flow; legend: enforcement point, unprotected sensitive information, protected sensitive information]

Current, Planned Use of Enabling Technologies [survey chart]
Strong interest in database encryption, data masking and tokenization.
Technologies surveyed: access controls, database activity monitoring, database encryption, backup/archive encryption, data masking, application-level encryption, tokenization. Legend: Current Use, Planned Use (<12 months), Evaluating. [Percentages in the chart not reproduced]

Data Security Today is a Catch-22
- We need to protect both data and the business processes that rely on that data
- Enterprises are currently on their own in deciding how to apply emerging technologies for PCI data protection
- Data tokenization is an evolving technology
- How do we reduce PCI audit scope and exposure to data?

Hiding Data in Plain Sight – Data Tokenization [diagram]: at data entry the PAN 400000 123456 7899 is sent to the tokenization server, which keeps the protected value (shown as Y&SFD%))S() and returns the token 400000 222222 7899; only the token flows on to the applications and databases.

Retail Scenario with Tokenization [diagram]: token servers sit in the stores and at the aggregating hub for the store channel; tokens flow on to authorization, settlement, loss prevention analysis (EDW) and ERP. Legend: integration point.
Case Study - Large Chain Store Uses Tokenization to Simplify PCI Compliance
By segmenting cardholder data with tokenization, a regional chain of 1,500 local convenience stores is reducing its PCI audit from seven to three months.
"We planned on 30 days to tokenize our 30 million card numbers. With Protegrity Tokenization, the whole process took about 90 minutes."
Qualified Security Assessors had no issues with the effective segmentation provided by tokenization: "With encryption, implementations can spawn dozens of questions." "There were no such challenges with tokenization."
Benefits:
- Faster PCI audit: half the time
- Lower maintenance cost: the 12 PCI DSS requirements no longer have to be applied to every system
- Better security: several business processes, such as generating daily reports for data requests and access, could be eliminated
- Strong performance: rapid processing rate for the initial tokenization, sub-second transaction SLA
Field Encryption & Tokenization – Data Formats (listed from most to least intrusive to applications and databases; the sample input is the clear-text PAN 123456 123456 1234)
- Hashing: !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* (longer than the original)
- Standard (strong) encryption: !@#$%a^.,mhu7/////&*B()_+!@ (longer than the original)
- Tokenization or formatted encryption, alphanumeric: aVdSaH 1F4hJ 1D3a (original length)
- Tokenization or formatted encryption, numeric: 666666 777777 8888 (original length)
- Tokenization or formatted encryption, partial (first six and last four preserved): 123456 777777 1234 (original length)
- Clear text: 123456 123456 1234

Risk Management and PCI – Security Aspects [two heat-map slides rated Best to Worst]
Different data security methods and algorithms: hashing, formatted encryption, strong encryption, data tokenization.
Policy enforcement and integration at different system layers: application, database column, database file, storage device (some combinations marked N/A).

A Distributed Tokenization Approach
Large companies may need tokenization services at locations throughout the world. How do you deliver tokenization to many locations without the impact of latency? [diagram: several customer applications, each served by a local token server]

Distributed Approach to Generate Random Tokens [diagram]
- Random static lookup tables with at most 1,000,000 entries each, replicated to every application site
- Multi-use tokens (the same input always yields the same token)
- The tables remain the same size no matter the number of unique tokens (example given: 50 million = 2 million tokens)
- Performance: 200,000 tokens per second on a commodity dual-core machine
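The answer to the latency question above is that the table, not a central vault, becomes the thing you replicate. The following Python is an added illustration of that idea and not Protegrity's implementation (their method is patented and not described on the page): a random permutation of the 10**6 six-digit values is generated once from the OS CSPRNG and copied to each site; each site substitutes the hidden middle of the PAN through the table after adding a tweak derived from the retained digits, and inverts the table to detokenize, with no network call. The tweak, the `SiteTokenizer` class and all names are my assumptions.

```python
"""Added example (an illustration, not Protegrity's patented implementation):
vaultless tokenization from a fixed random lookup table. The table is the
secret material; every site holding a copy tokenizes and detokenizes locally,
and the table never grows however many PANs are processed."""
import random
import secrets
from typing import List, Tuple

DIGITS = 6               # hidden middle of a 16-digit PAN (first 6 / last 4 kept)
SPACE = 10 ** DIGITS     # 1,000,000 entries, the size quoted on the slide


def generate_table(space: int = SPACE) -> List[int]:
    """One random permutation of 0..space-1. The 256-bit seed comes from the
    OS CSPRNG; the PRNG only expands it into the permutation. Treat the
    result like a key: generate once, distribute over a protected channel."""
    seed = secrets.randbits(256)
    table = list(range(space))
    random.Random(seed).shuffle(table)
    return table


class SiteTokenizer:
    """One site's copy of the table. Tokens keep the first six and last four
    digits; the middle is looked up through the table after adding a tweak
    derived from the kept digits, so equal middles in different PANs do not
    map to equal token middles."""

    def __init__(self, table: List[int]) -> None:
        if (len(table) != SPACE or len(set(table)) != SPACE
                or min(table) != 0 or max(table) != SPACE - 1):
            raise ValueError("table must be a permutation of 0..SPACE-1")
        self._table = table
        self._inverse = [0] * SPACE          # inverse permutation for detokenize
        for index, value in enumerate(table):
            self._inverse[value] = index

    @staticmethod
    def _split(value: str) -> Tuple[str, int, str, int]:
        if len(value) != DIGITS + 10 or not value.isdigit():
            raise ValueError("expected a 16-digit number")
        first6, middle, last4 = value[:6], value[6:-4], value[-4:]
        tweak = int(first6 + last4) % SPACE   # binds the lookup to the kept digits
        return first6, int(middle), last4, tweak

    def tokenize(self, pan: str) -> str:
        first6, middle, last4, tweak = self._split(pan)
        token_middle = self._table[(middle + tweak) % SPACE]
        return f"{first6}{token_middle:0{DIGITS}d}{last4}"

    def detokenize(self, token: str) -> str:
        first6, token_middle, last4, tweak = self._split(token)
        middle = (self._inverse[token_middle] - tweak) % SPACE
        return f"{first6}{middle:0{DIGITS}d}{last4}"


if __name__ == "__main__":
    import time
    table = generate_table()                                 # once, centrally
    store, hub = SiteTokenizer(table), SiteTokenizer(table)  # replicated copies
    pan = "4000001234567899"                                 # constructed sample PAN
    token = store.tokenize(pan)
    print(pan, "->", token, "->", hub.detokenize(token))
    n, start = 200_000, time.perf_counter()
    for i in range(n):
        store.tokenize(f"400000{i:06d}7899")
    rate = n / (time.perf_counter() - start)
    print(f"{rate:,.0f} tokens/s at one site, table size {len(table):,}")
```

Two caveats follow directly from the code. First, a static table is a deterministic, reversible mapping whose only secret is the table itself, so distributing, rotating and access-controlling the copies is the key-management problem in a different shape, which is why the deck's evaluation matrix still scores tokenization on key management. Second, multi-use tokens let the EDW join on the token, but the same property means bulk token leakage supports frequency analysis, and with probability 1 in 10**6 a token equals its PAN; a deployment that cannot tolerate that must re-draw or reject such entries.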
Evaluating Encryption & Tokenization Approaches [comparison matrix rated Best to Worst]
Options compared: database file encryption, database column encryption, centralized tokenization (old), distributed tokenization (new).
Criteria: Impact (availability, scalability, latency, CPU consumption, data flow protection), Compliance (scoping), Security (key management, randomness, separation of duties).

Evaluating Field Encryption & Distributed Tokenization [comparison matrix rated Best to Worst]
Options compared: strong field encryption, formatted encryption, distributed tokenization.
Criteria: disconnected environments; distributed environments; performance impact when loading data; transparent to applications; expanded storage size; transparent to database schema; long life-cycle data; Unix or Windows mixed with "big iron" (EBCDIC); easy re-keying of data in a data flow; high-risk data; security (compliance with PCI, NIST).

Best Practices for Tokenization (Visa, published July 14, 2010) [taxonomy of token generation]
- Token types: single-use token; multi-use token
- Token generation methods:
  - Algorithm and key: reversible, known strong algorithm
  - One-way irreversible function: hash with a secret per transaction or a secret per merchant
  - Unique sequence number
  - Randomly generated value

Comments on Visa's Tokenization Best Practices
- Visa's recommendation should simply be to use a random number
- If the output is not generated by a mathematical function applied to the input, it cannot be reversed to regenerate the original PAN
- The only way to recover the PAN from a truly random token is a (reverse) lookup in the token server database
- The odds are that if you are saddled with PCI DSS responsibilities, you will not write your own "home-grown" token server

What Makes a "Secure Tokenization" Algorithm?
- Ask vendors what their token-generating algorithms are
- Anything other than a strong random number generator must be analyzed for security before you accept it

Strong Cryptography - PCI DSS Glossary
Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. See the NIST (National Institute of Standards and Technology, US) Special Publications.

NIST Proposed Encryption Modes (appearance of a mode in this list does not constitute endorsement or approval by NIST)
1. FCEM, Format Controlling Encryption Mode (U. Mattsson)
2. FFX, Format-preserving Feistel-based Encryption Mode (M. Bellare, P. Rogaway, T. Spies)
3. …
http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html
(FFX was later standardized by NIST as the FF1 mode in SP 800-38G.)

Data Protection Challenges
Actual protection is not the challenge; the challenges are:
- Management of solutions: key management; security policy; auditing, monitoring and reporting
- Minimizing the impact on business operations: transparency; performance vs. security
- Minimizing the cost implications: maintaining compliance; implementation time

Best Practices - Data Security Management [diagram: an Enterprise Data Security Administrator pushes policy to the enforcement points (File System Protector, Database Protector, Application Protector, Tokenization Server) and collects their audit logs into a secure archive; legend: enforcement point]
Privacy - More Lax in the US than in the E.U.
European Union:
- Data Privacy Directive 95/46/EC governs the protection and movement of personally identifiable information between E.U. member countries and to outside
- Firms are responsible for protecting PII and also for managing its transfer to others by monitoring the compliance of recipients
- Medical records are treated no differently from the rest of an E.U. citizen's personal information, because a degree of data protection is already afforded to all of it
United States:
- Rules are primarily state-by-state
- Once the data has been yielded to a company, the company is largely free to use it as it wishes, subject to local state regulations
- Concern over medical records privacy may increase with the push to reduce health care costs through greater automation

Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.

In the case study, tokenization was yielding some benefits for the retailer. Please select ALL relevant options from below:
- Faster PCI audit
- Effective segmentation of cardholder data environments
- Lower maintenance cost
- Better security
- Strong performance
ALL is the correct answer.

What makes a "secure tokenization" algorithm, according to Gartner research? Please select ONE option from below:
- Hashing algorithms
- Encryption algorithms
- Random values
- Homegrown algorithms
"Random values" is the correct answer.

The PCI standard consists of how many rules? Please select ONE option from below: 6, 8, 12, 16
12 is the correct answer.

The PCI standard allows how many different ways to render the PAN (credit card number) unreadable? Please select ONE option from below: 2, 3, 4, 5, 6
4 is the correct answer.