TRANSCRIPT
Choosing the Right Data Security Solution
Ulf Mattsson, CTO
Protegrity
ulf.mattsson AT protegrity.com
Ulf Mattsson, CTO Protegrity
20 years with IBM Research & Development and Global Services
Started Protegrity in 1994 (Data Security)
Inventor of 25 patents – Encryption and Tokenization
Member of
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
• ISACA, ISSA and Cloud Security Alliance (CSA)
Agenda
Data Breaches
Data Protection Trends
Encryption versus Tokenization
Vault-based Tokenization versus Vaultless Tokenization
Case studies
Summary
A Growing Threat
Attacks by Anonymous include
• CIA, Interpol, Sony, Stratfor and HBGary Federal
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
Today “Hacktivism” is Dominating
[Chart: threat agents by percent of records (0 to 70% scale): Unknown; Unaffiliated person(s); Former employee (no longer had access); Relative or acquaintance of employee; Organized criminal group; Activist group. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
What Data is Compromised?
[Chart: compromised data types by percent of records (0 to 120% scale): Payment card numbers/data; Authentication credentials (usernames, pwds, etc.); Sensitive organizational data (reports, plans, etc.); Bank account numbers/data; System information (config, svcs, sw, etc.); Copyrighted/Trademarked material; Trade secrets; Classified information; Medical records; Unknown (specific type is not known); Personal information (Name, SS#, Addr, etc.). Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
LinkedIn Hit with $5 Million Class Action Suit
By John Fontana | June 19, 2012
A class action suit against LinkedIn claims that violation of its own privacy policies and user agreements allowed hackers to steal 6.46 million passwords.
Some Major Data Breaches
[Chart: timeline of major breaches from April 2011 to August 2011; Time on the horizontal axis, Impact $ on the vertical axis, marked by Attack Type. Source: IBM 2012 Security Breaches Trend and Risk Report]
The Sony Breach
• Lost 100 million passwords and personal details stored in clear
• Spent $171 million related to the data breach
• Sony's stock price has fallen 40 percent
• For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
• Attack via SQL Injection
SQL Injection Attacks are Increasing
[Chart: SQL injection attack counts per quarter, Q1 2011 to Q3 2011, on a 5,000 to 25,000 scale. Source: IBM 2012 Security Breaches Trend and Risk Report]
New Industry Groups are Targets
[Chart: breached industries by percent of breaches (0 to 60% scale): Information; Other; Health Care and Social Assistance; Finance and Insurance; Retail Trade; Accommodation and Food Services. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
The Changing Threat Landscape
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
Some issues have stayed constant:
• The threat landscape continues to gain sophistication
• Attackers will always be a step ahead of the defenders
We are fighting highly organized, well-funded crime syndicates and nations.
A move from detective to preventative controls is needed.
How are Breaches Discovered?
[Chart: discovery methods by percent of breaches (0 to 70% scale): Unusual system behavior or performance; Log analysis and/or review process; Financial audit and reconciliation process; Internal fraud detection mechanism; Other(s); Witnessed and/or reported by employee; Unknown; Brag or blackmail by perpetrator; Reported by customer/partner affected; Third-party fraud detection (e.g., CPP); Notified by law enforcement. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
What Assets are Compromised?
[Chart: compromised assets by percent of records (0 to 120% scale): POS server (store controller); POS terminal (User devices); Automated Teller Machine (ATM); Regular employee/end-user (People); Payment card (credit, debit, etc.) (Offline …); Cashier/Teller/Waiter (People); Pay at the Pump terminal (User devices); File server; Laptop/Netbook; Remote Access server; Call Center Staff (People); Mail server; Desktop/Workstation; Web/application server; Database server. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
Threat Action Categories: Hacking and Malware are Leading
[Chart: threat action categories by percent of records (0 to 150 scale): Environmental; Error; Misuse; Physical; Social; Malware; Hacking. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
Use of Enabling Technologies
[Chart: percentage use of each technology, with a separate series for Evaluating: Access controls; Database activity monitoring; Database encryption; Backup / Archive encryption; Data masking; Application-level encryption; Tokenization]
What Has The Industry Done?
[Chart: evolution of data protection methods on a 1970 to 2010 timeline, with Total Cost Of Ownership falling from High to Low]
Strong Encryption (AES, 3DES)
Format Preserving Encryption (DTP, FPE)
Vault-based Tokenization
Vaultless Tokenization
Example for Input Value 3872 3789 1620 3675:
• Strong Encryption: !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption: 8278 2789 2990 2789
• Vault-based Tokenization: 8278 2789 2990 2789
• Vaultless Tokenization: 8278 2789 2990 2789
Slide annotations: Format Preserving; Greatly reduced Key Management; No Vault.
Evolution: from the Vault-based Tokenization Server to the Vault-less Tokenization Server
Goal: Miniaturization of the Tokenization Server
Tokenization Differentiators
Footprint
  Vault-based Tokenization: Large, expanding.
  Vaultless Tokenization: Small, static.
High Availability, Disaster Recovery
  Vault-based Tokenization: Complex, expensive replication required.
  Vaultless Tokenization: No replication required.
Distribution
  Vault-based Tokenization: Practically impossible to distribute geographically.
  Vaultless Tokenization: Easy to deploy at different geographically distributed locations.
Reliability
  Vault-based Tokenization: Prone to collisions.
  Vaultless Tokenization: No collisions.
Performance, Latency, and Scalability
  Vault-based Tokenization: Will adversely impact performance & scalability.
  Vaultless Tokenization: Little or no latency. Fastest industry tokenization.
Extendibility
  Vault-based Tokenization: Practically impossible.
  Vaultless Tokenization: Unlimited tokenization capability.
Speed of Different Protection Methods
[Chart: Transactions per second* on a logarithmic scale from 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]
*: Speed will depend on the configuration
Security of Different Protection Methods
[Chart: Security Level from Low to High for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]
External Validation of Vaultless Tokenization
“The Vaultless tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.”
Prof. Dr. Ir. Bart Preneel
Katholieke University Leuven, Belgium *
* The Katholieke University Leuven in Belgium is where the Advanced Encryption Standard (AES) was invented.
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven and president of the International Association for Cryptologic Research.
Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
• 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
• End-to-End Tokens: Started with the D/W and expanding to stores
• Lower maintenance cost – don’t have to apply all 12 requirements
• Better security – able to eliminate several business and daily reports
• Qualified Security Assessors had no issues
• “With encryption, implementations can spawn dozens of questions”
• “There were no such challenges with tokenization”
Case Studies: Retail
Customer 1: Why? Three major concerns solved
• Performance Challenge; Initial tokenization
• Vendor Lock-In: What if we want to switch payment processor
• Extensive Enterprise End-to-End Credit Card Data Protection
Customer 2: Why? Desired single vendor to provide data protection
• Combined use of tokenization and encryption
• Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the mainframe
• Tokens on the mainframe to avoid compensating controls
What about Breaches & PCI? Was Data Protected?
Based on post-breach reviews. Relevant Organizations in Compliance with PCI DSS. Verizon Study
[Chart: percent in compliance by PCI DSS requirement (0 to 100% scale): 3: Protect Stored Data; 7: Restrict access to data by business need-to-know; 11: Regularly test security systems and processes; 10: Track and monitor all access to network resources and data; 6: Develop and maintain secure systems and applications; 8: Assign a unique ID to each person with computer access; 1: Install and maintain a firewall configuration to protect data; 12: Maintain a policy that addresses information security; 2: Do not use vendor-supplied defaults for security parameters; 4: Encrypt transmission of cardholder data; 5: Use and regularly update anti-virus software; 9: Restrict physical access to cardholder data]
How Should I Secure Different Data?
[Chart: Type of Data (Structured vs. Un-structured) against Use Case (Simple to Complex), covering PCI, PHI and PII: File Encryption; Card Holder Data; Field Tokenization; Protected Health Information]
Flexibility in Token Format Controls
Type of Data | Input | Token | Comment
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, last 4 digits exposed
Credit Card | 3872 3789 1620 3675 | 3872 qN4e 5yPx 3675 | Alpha-numeric, digits exposed
Medical ID | 29M2009ID | 497HF390D | Alpha-numeric
Date | 10/30/1955 | 12/25/2034 | Date, multiple date formats
E-mail Address | [email protected] | [email protected] | Alpha-numeric
SSN | 075672278 or 075-67-2278 | 287382567 or 287-38-2567 | Numeric, delimiters in input
Invalid Luhn | 5105 1051 0510 5100 | 8278 2789 2990 2782 | Luhn check will fail
Binary | 0x010203 | 0x123296910112 |
Alphanumeric Indicator | 5105 1051 0510 5100 | 8278 2789 299A 2781 | Position to place alpha is configurable
Decimal | 123.45 | 9842.56 | Non length preserving
Multi-Merchant | 3872 3789 1620 3675 | Merchant 1: 8278 2789 2990 2789; Merchant 2: 9302 8999 2662 6345 | Deliver a different token to different merchants based on the same credit card number.
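As an added illustration, not Protegrity's code and not the scheme Prof. Preneel reviewed, the following simplified table-based vaultless tokenizer shows the properties claimed in his quote and in the token format table above: per-position randomized digit tables derived from a secret (nothing to store or replicate, and no collisions because each table is a permutation), delimiters passed through, an optional exposed last-4, a per-merchant variant, and a Luhn check on the result. The secret and merchant names are constructed values.

```python
import hashlib
import random

def build_tables(secret, length, merchant=""):
    # One randomized digit permutation per digit position, derived from the
    # secret plus an optional merchant id. Tables are recomputed on demand, so
    # no vault of value-to-token pairs has to be stored or replicated.
    seed = hashlib.sha256(secret + b"|" + merchant.encode()).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    tables = []
    for _ in range(length):
        perm = list("0123456789")
        rng.shuffle(perm)
        tables.append("".join(perm))
    return tables

def _digit_positions(value, expose_last):
    # Indices of digits to substitute; delimiters and exposed digits pass through.
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    exposed = set(positions[-expose_last:]) if expose_last > 0 else set()
    return positions, exposed

def tokenize(value, secret, expose_last=0, merchant=""):
    # Numeric, format-preserving token: same length and delimiters as the input.
    positions, exposed = _digit_positions(value, expose_last)
    tables = build_tables(secret, len(positions), merchant)
    out = list(value)
    for n, i in enumerate(positions):
        if i not in exposed:
            out[i] = tables[n][int(value[i])]
    return "".join(out)

def detokenize(token, secret, expose_last=0, merchant=""):
    # Inverse lookup. Each table is a permutation, so the mapping is one-to-one
    # and two different inputs of the same shape never share a token.
    positions, exposed = _digit_positions(token, expose_last)
    tables = build_tables(secret, len(positions), merchant)
    out = list(token)
    for n, i in enumerate(positions):
        if i not in exposed:
            out[i] = str(tables[n].index(token[i]))
    return "".join(out)

def luhn_valid(number):
    # Luhn mod-10 check over the digits only (see the "Invalid Luhn" row above).
    digits = [int(c) for c in reversed(number) if c.isdigit()]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return total % 10 == 0
```

Because the tables are a pure function of the secret, any node holding the secret produces the same token with no synchronization, which is the distribution property the slides attribute to vaultless tokenization.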
What are the benefits of Tokenization?
• Reduces complexity of key management
• Reduces the number of hacker targets
• Reduces the remediation for protecting systems
• Reduces the cost of PCI Compliance
Additional benefits with Protegrity Vaultless Tokenization
• Infinitely Scalable
• Fastest tokenization method in the world
• Simplicity and Security: No replication, No collisions
• Flexible and easy to deploy and distribute
• Lower Total Cost of Ownership than Vault-based Tokenization
About Protegrity
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented Technology, Continuing to Drive Innovation
Growth driven by compliance and risk management
• PCI (Payment Card Industry)
• PII (Personally Identifiable Information)
• PHI (Protected Health Information) – HIPAA
• State and Foreign Privacy Laws, Breach Notification Laws
Cross-industry applicability
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance and Banking
• Healthcare, Telecommunications, Media and Entertainment
• Manufacturing and Government
Summary
Optimal support of complex enterprise requirements
• Heterogeneous platform supports all operating systems and databases
• Flexible protectors (Database, Application, File)
• Risk Adjusted Data Protection offers options for protecting data with the appropriate strength
• Built-in Key Management
• Consistent Enterprise policy enforcement and audit logging
Innovative
• Pushing data protection with industry leading
Proven
• Proven platform currently protects the world's largest companies
Experienced
• Experienced staff will be there with support along the way to complete data protection