straight talk on data tokenization for pci & cloud
Posted on 08-Jun-2015
1
Straight Talk on Data Tokenization for PCI & Cloud
Presented by:
Andy Thurai, Intel® Application Security & Identity Products
PAN Data Tokens
2
Tokenization and PCI
• Tokenization: replacing a valuable piece of information with a surrogate value, or token
- In a PCI context, replacing PAN data with random number strings
• Why tokens?
- Reduce PCI scope, cost of PCI compliance
- Increase security
3
Does it Apply to Me?
“ PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data.”
PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?
4
The Case for Tokenization
• Replace PAN with (random) number - token
• Use that random number EVERYWHERE in your environment
• Keep PAN and reference to token
5
Tokenization Use Cases
• PCI scope without tokenization
- Everything is in PCI scope
6
Tokenization Use Cases
• Tokenization replaces primary account number (PAN) data with surrogate value, or “token”
• Token engine and vault in scope, but post-payment applications may be out of scope
7
Tokenization Use Cases
• Tokenization can be outsourced: processor
8
Tokenization Use Cases
• Tokenization can be outsourced: 3rd party
9
Tokenization
• Construction
- Tokens should be random
• Options
- Single- or multi-use
- Format preserving (characteristics of a PAN)
- Lifetime
• Tokenization is not encryption
- Encryption is reversible, tokens are not
- Encryption has a role in token vault
10
Tokenization and PCI Council
• Tokens can reduce scope
• “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
• “High-value” tokens may be in scope, e.g.:
- Used as a payment instrument
- Initiate a transaction
11
Tokenization and PCI Council
• What does it mean?
- Guidance is, well, guidance
- Tokenization can reduce PCI scope
- High-value tokens require additional controls
- High-value tokens used to initiate a transaction might be in scope
• Remember
- Token engine and vault always in scope
- Access to token vault must be restricted
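The token construction and vault rules on slides 9 and 11 (random, format-preserving, single- or multi-use, bounded lifetime, reversible only through a vault whose access is restricted), worked as an added example that is not part of the presentation or of any Intel product. The TokenVault class, its method names, the caller allow-list and the HMAC-keystream stand-in cipher are all assumptions; making tokens fail the Luhn check is a common practice this example adopts, not something the slides require.

```python
import hmac, hashlib, secrets, time

def luhn_valid(digits: str) -> bool:  # the checksum real PANs pass
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def make_token(pan: str) -> str:
    """Format-preserving surrogate: same length, digits only, last four kept, random
    elsewhere, and deliberately not Luhn-valid so it cannot pass as a card number."""
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if token != pan and not luhn_valid(token):
            return token

class TokenVault:
    """Hypothetical vault: encrypted PAN behind a random token; single/multi-use, lifetime, caller allow-list."""
    def __init__(self, vault_key: bytes, allowed_callers: set):
        self._key, self._allowed = vault_key, allowed_callers
        self._entries = {}    # token -> (nonce, ciphertext, expires_at)
        self._pan_index = {}  # HMAC(vault_key, PAN) -> token, so multi-use can reuse

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # Stand-in for the vault cipher (use AES-GCM for real): HMAC keystream XOR.
        out = bytearray()
        for i in range(0, len(data), 32):
            ks = hmac.new(self._key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
        return bytes(out)

    def tokenize(self, pan: str, multi_use: bool, ttl_s: float) -> str:
        digest = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if multi_use and digest in self._pan_index:
            return self._pan_index[digest]       # same PAN -> same token
        token = make_token(pan)
        while token in self._entries:            # rule out the rare collision
            token = make_token(pan)
        nonce = secrets.token_bytes(16)
        self._entries[token] = (nonce, self._xor_stream(nonce, pan.encode()), time.time() + ttl_s)
        if multi_use:
            self._pan_index[digest] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._allowed:
            raise PermissionError(f"{caller} is not allowed to detokenize")
        nonce, ciphertext, expires_at = self._entries[token]
        if time.time() > expires_at:
            raise ValueError("token lifetime exceeded")
        return self._xor_stream(nonce, ciphertext).decode()
```

Post-payment applications can store and search on the multi-use token with a plain equality match (the "faster searching" point of slide 17), while only callers on the allow-list can ever recover the PAN.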
12
Implementing Tokenization: Options
| Tokenization Option | Advantages | Disadvantages |
| --- | --- | --- |
| Internal, Home Grown | Control | Security a core strength? Time and cost to implement |
| Internal, Package | Control, Flexibility | Time to implement, Expertise/functionality, Cost |
| 3rd Party, Processor | Easy implementation, Good PCI scope reduction | Cost, Limited flexibility, Compatibility with apps, Vendor lock-in |
| 3rd Party, Token Vendor | Easy implementation, Good PCI scope reduction | Cost, Compatibility with apps, Vendor lock-in, Business risk (12.8) |
13
Implementing Tokenization: Options
• Third-party solutions appeal to smaller (L3, L4) merchants
- Ease
- Cost
• Internal hosting appropriate for larger (L1, L2) merchants and service providers
- Control
- Technical capabilities
14
Implementing Tokenization: Security
• The tokenization security tradeoff
- Tokens are secure, but…
- Any breach of token vault could be devastating
• Protecting the token vault
- Restricting and authenticating users and access
- Segmenting network to isolate out of scope systems
- Ensuring physical security
- Managing PAN encryption and key management
15
Internal vs. External Tokenization
External Tokenization:
• BIG Vision!
• Solves BIG Problems!
• Involves processors, brands, 3rd parties
Example: Cybersource/VISA model
Internal Tokenization:
• Easier to Implement
• Solves URGENT Problems!
• Only involves YOUR organization
Example:
16
Intel Application Security and Identity Products
• Review of what is available today
• On-premise software, hardware or virtual machines for
- (1) Lightweight ESB, transformation, integration
- (2) Edge Security – Perimeter defense, Cloud API management, authentication, throttling, metering, auditing
- (3) Tokenization – PCI DSS, format preserving tokenization for service calls, documents, files and databases
17
Data Tokenization for Cloud or PCI
Tokenization enables faster searching of data than encryption does
18
Expressway PCI Scope Reduction with Internal Tokenization
[Diagram labels: Retail / Card Swipe / Chip Reader / Keypad; Store Server; Payment Applications; Customer Data Warehouse; Internet; CRM Applications; Order Processing Applications; Hosted Payment Gateways; Payment Processors; Point of Sale Environment (POS); Merchant Data Center. Legend: Point of Sale Environment PCI Scope; Complete Merchant PCI Scope; Reduced or Removed PCI Scope]
19
Manual Invoice Processing
Goal: E-Commerce Order Processing
Problem: Exception cases require manual review, bringing additional systems into scope
Solution: Internal tokenization
[Diagram labels: Merchant Data Center; BPM System; Invoice with Credit Card Number; Web Server; E-Commerce Website; Payment Application; Payment Processor; Supply Chain App; Manual review of invoice and re-entry; Order Exception; Additional Post-Payment Applications; Portal Data Store; …; PCI Scope]
21
Financial Statement Processor
Goal: Bill Processing, Consolidation, Printing
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization
[Diagram labels: Service Provider Data Center; IBM WebSphere Middleware; PCI Scope; Customer Billing Information; Large Data Feeds with PAN Data; Connected Databases; App. Portals; Invoicing, Bill Payment; Bank Statement Customization and Consolidation; Bill Production and Printing; Customized Bills and Statements; Documents with original PAN data]
22
Financial Statement Processor
Goal: Bill Processing, Consolidation, Printing
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization
[Diagram labels: Service Provider Data Center; Edge Security + Tokenization; PCI Scope; Customer Billing Information; Large Data Feeds with PAN Data; Connected Databases; App. Portals; Invoicing, Bill Payment; Bank Statement Customization and Consolidation; Bill Production and Printing; Customized Bills and Statements; Documents with original PAN data; Data w/ Tokens]
23
Typical Retail Architecture
[Diagram labels: Retail POS; Syndication Channels (Amazon); Website; Browser; AuthZ Engine; Settlement Engine; E-Commerce Engine]
24
Typical PCI DSS Scope
[Diagram labels: Retail POS; Syndication Channels (Amazon); Website; Browser; AuthZ Engine; Settlement Engine; E-Commerce Engine. Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope]
25
Scope with Expressway Tokenization Broker
[Diagram labels: Retail POS; Syndication Channels (Amazon); Website; Browser; AuthZ Engine; Settlement Engine; E-Commerce Engine. Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope]
26
Intel® Expressway Tokenization Broker: Product Components
Hardware or Software Broker
• Tamper resistant appliance
• Software on Linux AS5-64
Sample Tokenization Application
• Token Exchange
• Token Management
Secure Token Vault
• HQSQL Starter Token Vault
• Production Database Schemas
Intel® Services Designer
• Policy Design and Deployment
• Token Exchange / Management Actions
Web Interface
• Policy Deployment & Monitoring
27
Addressing PCI DSS Requirements with Tokenization Broker
| Requirement | Intel® Expressway Tokenization Broker Capabilities |
| --- | --- |
| Build / Maintain Secure Network | Application-level security proxy & firewall. |
| Protect Cardholder Data | Protects credit card data stored at rest / in transit. Supports tokenization for reduced PCI scope. |
| Maintain Vulnerability Management Program | Integrates with on-premise virus scanning servers. Reduces threat of malicious attachments. |
| Implement Strong Access Control Measures | Supports strong access control. Integrates with existing identity management investments. Improves physical security for tokenization through tamper-resistant form-factor. |
| Regularly Monitor & Test Networks | Tracks, monitors & logs authorization requests from merchant to card processor. Offers regular testing & alerts in case of server failures. |
| Maintain Information Security Policy | Maintains auditable security policies in hardened form-factor. Allows for convenient review & change control. |
Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.
28
Intel® Expressway Tokenization Broker: Features & Benefits
Feature Summary
• Flexible Software Appliance Form Factor
• Secure Appliance Form Factor
• Tokenization
• Token Vault
• Authentication & Access Control
• High Performance, optimized for Intel® Multi-Core
Benefit Summary
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose tokenization scheme appropriate for your business
• High performance operation ensures low-latency document processing
• Leverage existing Enterprise identity management investments
• Avoid token migration challenges
• Minimize change to existing applications compared to E2E Encryption
29
Download Eval
Data Sheet
PCI White Paper
E-mail: intelsoainfo@intel.com
For Additional Information, go to: www.intel.com/go/identity
Assessors Guide
30
Cloud Service Broker Capabilities
Technology Enablement
31
Software and Services Group
Market Shifts to Brokers to Solve Cloud Consumption Complexity
[Diagram labels: Do-it-yourself IT and/or 3rd Party Consumption Models; Apps, IdM, Legacy, Mobile; SaaS, PaaS, IaaS, B2B, App Mashups; Private Cloud; Provider; IT Broker; 3rd Party Broker Service; Consumption; Public Cloud; Enterprise CSB Platform; CSB Platform]
3 Broker Types
• Aggregation - Distributor/Solution Provider: Unify access via service bundling
• Integration - System Integrator: New functions via data/process integration
• Customization - ISV: New functions via service enhancement
CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services
Functions: Service API: Security/Governance, Billing, Integration, Support, Process
32
Specialty Focus on Cloud Access & Security Brokerage
Identity & Services Brokers
[Diagram labels: IT Private Cloud; IT Public/Hybrid; Cloud Provider Bundled 3rd Party Service; Enabling Technology; Cloud Security Platform; Authentication; Policy Enforce; Federation; AuthZ; Compliance; Transport & Orchestrate; IID Context; ID Integration]
Access Platform Functions
• Strong Auth: Adaptive, Client aware, Soft token, Hard token, OOB, Signing
• Access: SSO, Provisioning, XACML, STS Token Mapping, IdM Connectors
• Data Security: Tokenization (PII, PHI, PAN), Encryption, DLP, SIEM, Logs (Data, User, Apps)
• Gov & Integration: API Mgt, Edge Threats, Meter, Orchestrate, Transform, Protocol
• Form Factor: Soft, hardware, VM appliance; Multi-tenant as-a-service; Mobile Browser & Native
Intel & McAfee are CSB platform technology providers
33
Cloud Access Broker Vision: Example IT as a Broker
[Diagram labels: Partner Apps & 3rd Party Brokers; External Enterprise Browser and Mobile Applications; SaaS Applications; IaaS and PaaS Applications; Browser and Mobile Applications; Departments 1-n Employees, Administrators; Apps, IDM and Middleware; HTTP, REST, REST/SOAP; Identity Broker Tenant #1; PII Tokenization Tenant #2; API Mgt Tenant 3; Transform & Orchestrate Tenant 4; Trusted Internal Network; Strong Auth; M2M Service Call; Portal/Browser Request]
IT Private Cloud “Broker” supports “mix and match” of capabilities per internal/external tenant
• Extends security policy to cloud
• Complete visibility & audit
• Enables aggregation of services
• Protects PII data stored in cloud
• Up-levels security posture of providers with strong auth overlay
34
Use Model: Cloud Security Gateway & API Security
[Diagram labels: Enterprise; On premise applications; Service Clients; Mobile Clients; SOAP/REST; API/Service Proxy]
• Perimeter Security
• Authentication
• Quality of Service
• Policy Control
• API Versioning
• Auditing
See detailed back up for All Use Case Diagrams
35
Expressway provides API Security for vCloud
REST API Security
• SSL/TLS Termination
• SOAP to REST Mediation
• Authentication
• HTTP Inspection
• Message Throttling
• Audit Logging
• API Masking
• API Versioning
• Strong Authentication
• Code Injection Protection
• Threat detection / AV scanning in OVF files
[Diagram label: Non-vCloud Partner (SOAP)]
Intel® Expressway can provide full API protection and mediation for vCloud
36
Hybrid Cloud Bursting (PaaS) Case Study
[Diagram labels: IdM or Active Directory; Portal Application; Enterprise; Service Gateway; Private Cloud; Amazon EC2 Storage; Public Cloud]
1. Enterprise Portal Login
2. Local Authentication
3. Resource Request
4. AWS Credential Mapping and Data Retrieval
• Perimeter Security
• Seamless User Experience
• Preserve existing IDM investments
• Abstract cloud providers
• Data Control
The Gateway mediates access to public cloud services