Next Generation Tokenization for Compliance and Cloud Data Protection
Ulf Mattsson, CTO, Protegrity
ulf . mattsson AT protegrity . com
53 slides

ISSA: Cloud data security

Jan 15, 2015


Technology

Ulf Mattsson

Data security for cloud
Transcript
Page 1: ISSA: Cloud data security

Next Generation Tokenization for Compliance and Cloud Data Protection

Ulf Mattsson, CTO, Protegrity

ulf . mattsson AT protegrity . com

Page 2: ISSA: Cloud data security

Ulf Mattsson

20 years with IBM Development & Global Services

Inventor of 22 patents – Encryption and Tokenization

Co-founder of Protegrity (Data Security)

Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security

Member of

• PCI Security Standards Council (PCI SSC)

• American National Standards Institute (ANSI) X9

• Cloud Security Alliance (CSA)

• Information Systems Security Association (ISSA)

• Information Systems Audit and Control Association (ISACA)

Page 3: ISSA: Cloud data security

ISSA Article, Dec 2010

Page 4: ISSA: Cloud data security

PCI DSS & Visa USA – 10 Years


Page 5: ISSA: Cloud data security
Page 6: ISSA: Cloud data security

ISACA - Articles About Compliance


Page 7: ISSA: Cloud data security

Data Breaches

Page 8: ISSA: Cloud data security

The Changing Threat Landscape (Aug, 2010)

Some issues have stayed constant:

1. Threat landscape continues to gain sophistication

2. Attackers will always be a step ahead of the defenders

Different motivation, methods and tools today:

• We're fighting highly organized, well-funded crime syndicates and nations

Move from detective to preventative controls needed:

• Several layers of security to address more significant areas of risks

Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2


Page 9: ISSA: Cloud data security

Six years, 900+ breaches, and over 900 million compromised records

The majority of cases have not yet been disclosed and may never be

Over half of the breaches occurred outside of the U.S.

2010 Data Breach Investigations Report

Online Data is Compromised Most Frequently

(Chart; the percentages did not survive extraction.)

Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 10: ISSA: Cloud data security

Compromised records

1. 90 % lost in highly sophisticated attacks

2. Hacking and Malware are more dominant

Threat Action Categories (chart)

Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 11: ISSA: Cloud data security

Patching Software vs. Locking Down Data

(Diagram. Labels: Software Patching; User, Application, Database, OS File System, Storage System, Backup; Attacker.)

Not a Single Intrusion Exploited a Patchable Vulnerability

Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 12: ISSA: Cloud data security

Cloud Security

Page 13: ISSA: Cloud data security

No Confidence in Cloud Security (Oct 2010)

CSO Magazine Survey: Cloud Security Still a Struggle for Many Companies

A recent article written by Bill Brenner, senior editor at CSO Magazine, reveals that companies are still a bit scared of putting critical data in the cloud. Results from the 8th Annual Global Information Security Survey, conducted by CSO along with CIO and PriceWaterhouseCoopers, cite: 62% of companies have little to no confidence in their ability to secure any assets put in the cloud. Also, of the 49% of respondents who have ventured into cloud computing, 39% have major qualms about security.

Source: CSO, October 2010: http://www.csoonline.com/

Page 14: ISSA: Cloud data security

Risks Associated with Cloud Computing

(Bar chart, percentage of respondents on a 0 to 70 % axis; the bar values did not survive extraction.)

Uptime/business continuity

Weakening of corporate network security

Threat of data breach or loss

Handing over sensitive data to a third party

Inability to customize applications

Financial strength of the cloud computing provider

Source: The evolving role of IT managers and CIOs, Findings from the 2010 IBM Global IT Risk Study

Page 15: ISSA: Cloud data security

Cloud Computing to Fuel Security Market (Oct 2010)

1. “Concerns about cloud security have grown in the past year”

2. “In 2009, the fear was abstract: a general concern as there is with all new technologies when they're introduced ...”

3. “Today, however, concerns are both more specific and more weighty”

4. “We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes; and they are more likely to defer adoption because of security inadequacies than to go ahead despite them.”

5. Opportunities in the cloud for vendors are data security, identity and access management, cloud governance, application security, and operational security.

http://www.eweek.com/c/a/Security/Forrester-Cloud-Computing-to-Fuel-Security-Market-170677/


Page 16: ISSA: Cloud data security

What Amazon AWS’s PCI Compliance Means to You, Dec 7 2010

1. Just because AWS is certified doesn't mean you are. You still need to deploy a PCI compliant application/service and anything on AWS is still within your assessment scope.

2. The open question? PCI-DSS 2.0 doesn't address multi-tenancy concerns

3. AWS is certified as a service provider doesn't mean all cloud IaaS providers will be

4. You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements

5. Amazon doesn't do this for you -- it's something you need to implement yourself; including key management, rotation, logging, etc.

6. If you deploy a server instance in EC2 it still needs to be assessed by your QSA

7. What this certification really does is eliminate any doubts that you are allowed to deploy an in-scope PCI system on AWS

8. This is a big deal, but your organization's assessment scope isn't necessarily reduced

9. it might be when you move to something like a tokenization service where you reduce your handling of PAN data

Source: securosis.com

Page 17: ISSA: Cloud data security

Not Enough to Encrypt the Pipe & Files

(Diagram. Labels: Attacker, Public Network, SSL, Private Network; Encrypted Data (PCI DSS) on the network link; Application, Database, OS File System, Storage System; Data At Rest, Encrypted Data (PCI DSS); Clear Text Data shown between the encrypted pipe and the encrypted files.)

Page 18: ISSA: Cloud data security

Data Security Today is a Catch-22

We need to protect both data and the business processes that rely on that data

Enterprises are currently on their own in deciding how to apply emerging technologies for PCI data protection

Data Tokenization - an evolving technology

How to reduce PCI audit scope and exposure to data

Page 19: ISSA: Cloud data security

Evaluating Options

Page 20: ISSA: Cloud data security

Current, Planned Use of Enabling Technologies

Strong interest in database encryption, data masking, tokenization

(Chart: for each technology, the share of respondents Evaluating, in Current Use, and with Planned Use <12 Months; the percentages in the transcript cannot be matched back to their bars.)

Access controls

Database activity monitoring

Database encryption

Backup / Archive encryption

Data masking

Application-level encryption

Tokenization

Page 21: ISSA: Cloud data security

Choose Your Defenses – Cost Effective PCI DSS

(Bar chart, percentage of respondents on a 0 to 90 % axis; the bar values did not survive extraction.)

Correlation or event management systems

Identity & access management systems

Access governance systems

Encryption for data in motion

Anti-virus & anti-malware solution

Encryption/Tokenization for data at rest

Firewalls

ID & credentialing system

Database scanning and monitoring (DAM)

Intrusion detection or prevention systems

Data loss prevention systems (DLP)

Endpoint encryption solution

Web application firewalls (WAF)

Source: 2009 PCI DSS Compliance Survey, Ponemon Institute

Page 22: ISSA: Cloud data security

PCI DSS - Ways to Render the PAN Unreadable

Two-way cryptography with associated key management processes

One-way cryptographic hash functions

Index tokens and pads

Truncation (or masking – xxxxxx xxxxxx 6781)
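Added example, not from the deck or from Protegrity: the three of these four methods that need neither a cipher library nor a token vault (truncation, masking and a one-way hash) written out in Python, so the length and format trade-offs the deck draws on the following slides can be checked on real input. The sample PAN and the hash key are constructed values; in production the key comes from the key-management process PCI DSS requires. Two-way cryptography and index tokens are left out here because they need a cipher or a vault.

```python
import hashlib
import hmac

# Constructed sample PAN for the demonstration (not a real card number).
SAMPLE_PAN = "4000001234567899"
# Constructed secret for the keyed hash; in production it comes from the key
# management process and is never embedded in source.
DEMO_HASH_KEY = b"demo-hash-key-not-for-production"


def _pan_digits(pan: str) -> str:
    """Normalise '400000 123456 7899' to a digit string; reject other input."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("expected a 13-19 digit PAN")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits. Everything else is
    discarded, so there is nothing left to decrypt or guess against."""
    return _pan_digits(pan)[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display in the slide's 'xxxxxx xxxxxx 6781' layout. The
    output keeps the PAN's digit count, so screens and reports keep their shape."""
    digits = _pan_digits(pan)
    head = "x" * (len(digits) - 4)
    groups = [head[i:i + 6] for i in range(0, len(head), 6)]
    return " ".join(groups + [digits[-4:]])


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """One-way cryptographic hash, keyed (HMAC-SHA256). A PAN has little
    entropy (fixed length, known issuer prefix, check digit), so an unkeyed
    hash of it can be matched against precomputed candidates; the key makes
    that depend on a secret. The 64-character result is longer than the PAN,
    which is the 'expanded storage size' cost the deck attributes to hashing."""
    return hmac.new(key, _pan_digits(pan).encode(), hashlib.sha256).hexdigest()


def is_format_preserving(pan: str, protected: str) -> bool:
    """True when the protected value has the PAN's character count and can be
    stored in the same column and shown in the same field."""
    return len(_pan_digits(pan)) == len(protected.replace(" ", ""))


def compare_methods(pan: str, key: bytes) -> dict:
    """Apply each method to one PAN and record whether the result still fits
    the PAN's format, which is what decides how intrusive it is to applications."""
    outputs = {
        "truncation": truncate_pan(pan),
        "masking": mask_pan(pan),
        "keyed_hash": keyed_hash_pan(pan, key),
    }
    return {
        name: {"value": value, "format_preserving": is_format_preserving(pan, value)}
        for name, value in outputs.items()
    }
```

Running compare_methods(SAMPLE_PAN, DEMO_HASH_KEY) shows masking as the only one of the three that keeps the PAN's shape; truncation shrinks the value and the keyed hash expands it, which is the storage and schema impact the positioning tables on the later slides score.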


Page 23: ISSA: Cloud data security

Evaluating Field Encryption & Tokenization

(Figure. Axes: Intrusiveness (to Applications and Databases) against Data Length, Original or Longer.)

• Hashing - !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* (longer than original)

• Strong Encryption (Standard Encryption) - !@#$%a^.,mhu7/////&*B()_+!@ (longer than original)

• Tokenizing or Formatted Encryption (original length):

• Alpha - 123456 aBcdeF 1234

• Partial - 123456 777777 1234

• Clear Text Data - 123456 123456 1234

Page 24: ISSA: Cloud data security

Protecting the Data Flow - Choose Your Defenses

Page 25: ISSA: Cloud data security

Positioning Different Protection Options

(Table; each criterion is rated from Best to Worst for Strong Field Encryption, Formatted Encryption and Distributed Token. The ratings did not survive extraction.)

Security

• High risk data

• Compliance to PCI, NIST

Initial Cost

• Transparent to applications

• Expanded storage size

• Transparent to database schema

• Performance impact when loading data

Operational Cost

• Performance impact when loading data

• Long life-cycle data

• Unix or Windows mixed with “big iron” (EBCDIC)

• Easy re-keying of data in a data flow

• Disconnected environments

• Distributed environments

Page 26: ISSA: Cloud data security

Securing Encryption Keys

An entity that uses a given key should not be the entity that stores that key

(Diagram. Labels: User; Cloud with SaaS, PaaS and IaaS; Encryption Keys; Encryption Key Administration.)

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/

Page 27: ISSA: Cloud data security

Hiding Data in Plain Sight – Data Tokenization

(Diagram: Data Entry, Application and Databases, with a Tokenization Server in the flow; legend: Data Token.)

Data: 400000 123456 7899

Token: 400000 222222 7899

Value shown at the Tokenization Server: Y&SFD%))S(

Page 28: ISSA: Cloud data security

Tokenization Service

(Diagram: Users, Application and Databases exchanging Data Tokens through the Tokenization Service; legend: Data Token.)

Protected sensitive information: 123456 999999 1234

Unprotected sensitive information: 123456 123456 1234

Page 29: ISSA: Cloud data security

Limit Exposure to Sensitive Data

(Chart: exposure to sensitive data, Low to High, across the life-cycle phases Development, Testing and Production.)

Data encoding:

1. Tokenization

2. Encryption

Page 30: ISSA: Cloud data security

PCI Case Study - Large Chain Store

(Diagram. Labels: Stores; Aggregating Hub for Store Channel; Authorization; Token Servers; Loss Prevention; Settlement; Analysis - EDW; ERP; Servers; legend: Integration point.)

Page 31: ISSA: Cloud data security

Case Study

Large Chain Store Uses Tokenization to Simplify PCI Compliance

By segmenting cardholder data with tokenization, a regional chain of 1,500 local convenience stores is reducing its PCI audit from seven to three months

“We planned on 30 days to tokenize our 30 million card numbers. With Protegrity Tokenization, the whole process took about 90 minutes”

Page 32: ISSA: Cloud data security

Case Study

Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization

“With encryption, implementations can spawn dozens of questions”

“There were no such challenges with tokenization”

Page 33: ISSA: Cloud data security

Case Study

Faster PCI audit – half that time

Lower maintenance cost – don’t have to apply all 12 requirements of PCI DSS to every system

Better security – able to eliminate several business processes such as generating daily reports for data requests and access

Strong performance – rapid processing rate for initial tokenization, sub-second transaction SLA

Page 34: ISSA: Cloud data security

What Exactly Makes a “Secure Tokenization” Algorithm?

Ramon Krikken:

Ask vendors what their token-generating algorithms are

Be sure to analyze anything other than strong random number generators for security.

Page 35: ISSA: Cloud data security

Comments on Visa’s Tokenization Best Practices

Visa recommendations should have been simply to use a random number

You should not write your own 'home-grown' token servers

Page 36: ISSA: Cloud data security

Best Practices for Tokenization *

(Table; the check marks in the original did not survive extraction.)

One way Irreversible Function**:

• Unique Sequence Number

• Hash

• Randomly generated value

Secret per merchant

*: Published July 14, 2010

**: Multi-use tokens
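Added example, not from the deck, Visa or Protegrity: the token-generating methods in the table above written in Python, together with two checks a reviewer can apply when a vendor answers the question on the previous slides about its algorithm: whether one PAN tokenizes to the same value at two different merchants (linkable across merchants, the problem a secret per merchant addresses) and whether the token is reproducible for re-use within one merchant without a table lookup (multi-use by recomputation). The sample PAN and merchant secrets are constructed values; the 16-digit token length and the digest-to-digits mapping are this example's assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_DIGITS = 16  # assumption: tokens stay PAN-shaped so existing fields accept them

# Constructed sample PAN for the demonstration (not a real card number).
SAMPLE_PAN = "4000001234567899"


def _digits_from_digest(digest: bytes, n: int = TOKEN_DIGITS) -> str:
    """Assumed mapping from a digest to an n-digit decimal token (zero padded)."""
    return str(int.from_bytes(digest[:8], "big") % 10 ** n).zfill(n)


class SequenceTokenizer:
    """Unique sequence number. Irreversible without the table, but the token
    value reveals ordering and volume: a larger token was issued later."""

    def __init__(self) -> None:
        self._counter = 0

    def tokenize(self, pan: str, merchant_secret: bytes = b"") -> str:
        self._counter += 1
        return str(self._counter).zfill(TOKEN_DIGITS)


def hash_token(pan: str, merchant_secret: bytes = b"") -> str:
    """Plain hash of the PAN; the merchant secret is ignored. Deterministic
    everywhere, so the same PAN yields the same token at every merchant and
    the token doubles as a cross-merchant customer identifier."""
    return _digits_from_digest(hashlib.sha256(pan.encode()).digest())


def merchant_hash_token(pan: str, merchant_secret: bytes) -> str:
    """Hash with a secret per merchant (HMAC-SHA256). Multi-use within one
    merchant; a different secret gives an unrelated token."""
    digest = hmac.new(merchant_secret, pan.encode(), hashlib.sha256).digest()
    return _digits_from_digest(digest)


def random_token(pan: str, merchant_secret: bytes = b"") -> str:
    """Randomly generated value from a CSPRNG. The token carries nothing about
    the PAN; the PAN-to-token mapping lives only in the token server's table,
    so re-use needs a lookup rather than recomputation."""
    return str(secrets.randbelow(10 ** TOKEN_DIGITS)).zfill(TOKEN_DIGITS)


def linkable_across_merchants(tokenize, pan: str) -> bool:
    """True when two merchants with different secrets get the same token for
    one PAN, i.e. their token stores can be joined to follow a card."""
    return tokenize(pan, b"merchant-A-secret") == tokenize(pan, b"merchant-B-secret")


def multi_use(tokenize, pan: str) -> bool:
    """True when tokenizing the same PAN twice under one secret gives the same
    token without consulting a table."""
    secret = b"merchant-A-secret"
    return tokenize(pan, secret) == tokenize(pan, secret)


def evaluate_all(pan: str) -> dict:
    """Run both checks over every method in the table."""
    methods = {
        "sequence": SequenceTokenizer().tokenize,
        "hash": hash_token,
        "hash_with_merchant_secret": merchant_hash_token,
        "random": random_token,
    }
    return {
        name: {"linkable": linkable_across_merchants(fn, pan), "multi_use": multi_use(fn, pan)}
        for name, fn in methods.items()
    }
```

evaluate_all(SAMPLE_PAN) reports the plain hash as both multi-use and linkable across merchants, the merchant-secret hash as multi-use but not linkable, and the random value as neither; the random value is only multi-use once a vault remembers it, which is the lookup table the dynamic model on the later slides describes.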

Page 37: ISSA: Cloud data security

Centralized vs. Distributed Tokenization

Large companies may need to utilize the tokenization services for locations throughout the world

How do you deliver tokenization to many locations without the impact of latency?

Page 38: ISSA: Cloud data security

Different Approaches for Tokenization

Traditional Tokenization

• Dynamic Model

• Pre-Generated Model

Next Generation Tokenization: Protegrity Tokenization


Page 39: ISSA: Cloud data security

Traditional Tokenization: Dynamic Model

Dynamic Token Lookup Tables

• Lookup tables are dynamic.

• They grow as more unique tokens are needed. Example: number of Credit Cards processed by a merchant.

• Table includes a hash value, a token, encrypted CCN and other administrative columns

• Large footprint. On the order of tens or hundreds of millions of CCNs

Performance

• 5 tokens per second (outsourced) to

• 5000 tokens per second (in-house)

(Diagram: Applications querying the lookup table. Sample rows, Token / Encrypted CCN:)

3904 2673 3950 5968 / 2837 3674 8590 2637

1234 5672 4098 5589 / 8473 2673 4890 7825

9940 3789 4457 1234 / 9473 2678 4567 8902

0094 6789 2201 3785 / 3892 3674 5896 9026

3789 2001 8943 2289 / 1234 5678 9012 3456

9920 2556 1678 2267 / 1667 2815 2678 2890

5678 4459 2098 1267 / 0048 2536 4782 3748

0093 2678 1298 2678 / 9937 2456 2738 4665

9903 2890 3789 4567 / 9926 1452 8364 3784

2908 2567 1905 3785 / 0245 3678 5647 3957
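Added example, not the deck's or Protegrity's code, serving both the slide 27 data flow (400000 123456 7899 becomes 400000 222222 7899) and the dynamic-model lookup table above: a minimal dynamic token vault in Python with a hash-value index column, a random format-preserving token that keeps the first six and last four digits, a uniqueness check before a token is handed out, and a row count that grows with every new PAN, which is the footprint the slide describes. Assumptions: the index key and the PANs are constructed values, and the stored-PAN column is kept in clear here, whereas the deck's table stores it encrypted.

```python
import hashlib
import hmac
import secrets


class DynamicTokenVault:
    """Dynamic token lookup table: one row per distinct PAN, created on first
    use. Columns: hash value (search key), token, stored PAN, admin data."""

    def __init__(self, index_key: bytes) -> None:
        # index_key is a constructed secret for the hash-value column; it lets
        # the table be searched by PAN without the PAN itself being the key.
        self._index_key = index_key
        self._by_hash = {}    # hash value -> row (tokenize path)
        self._by_token = {}   # token -> row (detokenize path, uniqueness check)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_token(pan: str) -> str:
        # Format preserving, as on the slide: keep the first six (issuer
        # prefix) and the last four digits, draw the middle six from a CSPRNG.
        middle = str(secrets.randbelow(10 ** 6)).zfill(6)
        return pan[:6] + middle + pan[-4:]

    @staticmethod
    def _normalise(value: str) -> str:
        value = value.replace(" ", "")
        if not value.isdigit() or len(value) != 16:
            raise ValueError("this demo vault handles 16-digit values only")
        return value

    def tokenize(self, pan: str) -> str:
        pan = self._normalise(pan)
        row = self._by_hash.get(self._index(pan))
        if row is not None:
            return row["token"]           # multi-use: same PAN, same token
        while True:
            token = self._random_token(pan)
            # The token must differ from the PAN and be unique in the table;
            # retry on the rare collision instead of handing out a duplicate.
            if token != pan and token not in self._by_token:
                break
        row = {
            "hash": self._index(pan),
            "token": token,
            # Assumption: the deck's table stores an encrypted CCN here; the
            # demo keeps the PAN in clear to avoid a cipher dependency.
            "pan": pan,
            "seq": len(self._by_hash) + 1,   # an administrative column
        }
        self._by_hash[row["hash"]] = row
        self._by_token[token] = row
        return token

    def detokenize(self, token: str) -> str:
        row = self._by_token.get(self._normalise(token))
        if row is None:
            raise KeyError("token not in lookup table")
        return row["pan"]

    def size(self) -> int:
        """Row count: the footprint grows with every distinct PAN seen."""
        return len(self._by_hash)


def run_demo() -> dict:
    """Tokenize two constructed PANs and report what the table looks like."""
    vault = DynamicTokenVault(b"constructed-index-key")
    pan = "400000 123456 7899"
    token = vault.tokenize(pan)
    again = vault.tokenize(pan)
    other = vault.tokenize("4000009876543210")
    return {
        "token": token,
        "stable": token == again,
        "distinct": token != other,
        "round_trip": vault.detokenize(token) == "4000001234567899",
        "rows": vault.size(),
    }
```

Every distinct PAN adds a row, and every token server that must answer for the same PANs needs the same rows; that is the replication and collision problem the summary slide raises against deploying several of these servers.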

Page 40: ISSA: Cloud data security

Traditional Tokenization: Pre-generated Model

Pre-Generated Static Lookup Tables.

Assume that all possible combinations are pre-generated.

• Lookup tables are static

• Contain all possible combinations. Example: all social security numbers required to support a healthcare provider’s membership.

• Table includes a hash value, a token, encrypted SSN and other administrative columns

• Large footprint. On the order of tens or hundreds of millions of SSNs

• Pre-generation may be impractical due to the sheer size of all combinations (example; credit card)

Performance

• Improved performance by not having to do as many operations – dynamic tokenization and encryption.

(Diagram: Applications querying the lookup table. Sample rows, Token / Encrypted SSN:)

467 28 3905 / 039 27 1789

478 39 2096 / 567 38 2098

456 47 8765 / 409 28 1234

768 56 0987 / 489 37 2290

783 24 9906 / 774 36 5578

009 38 2908 / 667 27 1890

567 35 2341 / 990 37 2289

009 48 3890 / 774 37 2907

884 56 0098 / 558 37 2908

467 28 9036 / 667 49 2678

Page 41: ISSA: Cloud data security

Additional Complexity with Additional Tokenization

Token Server, Dynamic & Pre-Generated Model

• Large footprint becomes larger with the addition of more data categories to protect.

• Makes tokenizing additional categories of data a major challenge.

(Diagram: Applications calling a Token Server that holds separate tables for Credit Card Number, Social Security Number and Passport Number.)

Page 42: ISSA: Cloud data security

Performance

Traditional Tokenization

• 5 tokens per second (outsourced)

• 5000 tokens per second (in-house)

Protegrity Tokenization

• 200,000 tokens per second (Protegrity)

• Single commodity server with 10 connections.

• Will grow linearly with additional servers and/or connections

• 9,000,000+ tokenizations per second (Protegrity /Teradata)


Page 43: ISSA: Cloud data security

Evaluating Encryption & Tokenization Approaches

(Table; each criterion is rated from Best to Worst for Database File Encryption, Database Column Encryption, Centralized Tokenization (old) and Distributed Tokenization (new). The ratings did not survive extraction.)

Impact

• Scalability

• Availability

• Latency

• CPU Consumption

Security

• Data Flow Protection

• Compliance Scoping

• Key Management

• Randomness

• Separation of Duties

Page 44: ISSA: Cloud data security

Making Data Unreadable – Protection Methods (Pro’s & Con’s)

Evaluating Different Tokenization Implementations

(Table; each system layer and granularity is rated from Best to Worse for the protection methods AES/CBC, AES/CTR, Formatted Encryption, Data Tokenization, Hashing and Data Masking. The ratings did not survive extraction.)

System Layer: Granularity

• Application: Column/Field

• Database: Record, Column, Table, Table Space

• OS File: IO Block

• Storage System: IO Block

Page 45: ISSA: Cloud data security

Tokenization Server Location

(Table; each criterion is rated from Best to Worst for a Mainframe location, as DB2 Work Load Manager or as a Separate Address Space, and a Remote location, In-house or Out-sourced. The ratings did not survive extraction.)

Operational

• Availability

• Latency

• Performance

Security

• Separation

• PCI DSS Scope

Page 46: ISSA: Cloud data security

Positioning Different Protection Options

(Table; the same Security, Initial Cost and Operational Cost criteria as on slide 25, rated from Best to Worst for Strong Encryption, Formatted Encryption and Distributed Tokenization. The ratings did not survive extraction.)

Page 47: ISSA: Cloud data security

Positioning Different Protection Options

(Table; rated from Best to Worst for Strong Encryption, Formatted Encryption and Tokens. The ratings did not survive extraction.)

Evaluation Criteria

• Security & Compliance

• Total Cost of Ownership

• Use of Encoded Data

Page 48: ISSA: Cloud data security

Mapping the Cloud to Compliance – PCI DSS

Cloud Service Models

(Diagram: SaaS – Software as a Service, PaaS – Platform as a Service and IaaS – Infrastructure as a Service set against the layers Applications, Data / Meta-data / Content, Middleware and Hardware. Source: http://csrc.nist.gov/groups/SNS/cloud-computing/)

Compliance Model – PCI DSS

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitive information across public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

Page 49: ISSA: Cloud data security

Data Protection Challenges

Actual protection is not the challenge

Management of solutions

• Key management

• Security policy

• Auditing, Monitoring and reporting

Minimizing impact on business operations

• Transparency

• Performance vs. security

Minimizing the cost implications

Maintaining compliance

Implementation Time

Page 50: ISSA: Cloud data security

Best Practices - Data Security Management

(Diagram. Labels: Enterprise Data Security Administrator; Policy; Audit Log; Secure Archive; Database Protector; File System Protector; Application Protector; Tokenization Server; legend: Encryption service.)

Page 51: ISSA: Cloud data security

Who is Protegrity?

Proven enterprise data protection software leader since the late 90’s.

Business driven by compliance

• PCI (Payment Card Industry)

• PII (Personally Identifiable Information)

• PHI (Protected Health Information) – HIPAA

• State and Foreign Privacy Laws

Servicing many Industries

• Retail, Hospitality, Travel and Transportation

• Financial Services, Insurance, Banking

• Healthcare

• Telecommunications, Media and Entertainment

• Manufacturing and Government


Page 52: ISSA: Cloud data security

Tokenization Summary: Traditional Tokenization vs. Protegrity Tokenization

Footprint

• Traditional Tokenization: Large, Expanding. The large and expanding footprint of Traditional Tokenization is its Achilles' heel. It is the source of poor performance, scalability, and limitations on its expanded use.

• Protegrity Tokenization: Small, Static. The small static footprint is the enabling factor that delivers extreme performance, scalability, and expanded use.

High Availability, DR, and Distribution

• Traditional Tokenization: Complex replication required. Deploying more than one token server for the purpose of high availability or scalability will require complex and expensive replication or synchronization between the servers.

• Protegrity Tokenization: No replication required. Any number of token servers can be deployed without the need for replication or synchronization between the servers. This delivers a simple, elegant, yet powerful solution.

Reliability

• Traditional Tokenization: Prone to collisions. The synchronization and replication required to support many deployed token servers is prone to collisions, a characteristic that severely limits the usability of traditional tokenization.

• Protegrity Tokenization: No collisions. Protegrity Tokenization's lack of need for replication or synchronization eliminates the potential for collisions.

Performance, Latency, and Scalability

• Traditional Tokenization: Will adversely impact performance & scalability. The large footprint severely limits the ability to place the token server close to the data. The distance between the data and the token server creates latency that adversely affects performance and scalability to the extent that some use cases are not possible.

• Protegrity Tokenization: Little or no latency. Fastest industry tokenization. The small footprint enables the token server to be placed close to the data to reduce latency. When placed in-memory, it eliminates latency and delivers the fastest tokenization in the industry.

Extendibility

• Traditional Tokenization: Practically impossible. Based on all the issues inherent in Traditional Tokenization of a single data category, tokenizing more data categories may be impractical.

• Protegrity Tokenization: Unlimited Tokenization Capability. Protegrity Tokenization can be used to tokenize many data categories with minimal or no impact on footprint or performance.

Page 53: ISSA: Cloud data security

Please contact me for more information

Ulf Mattsson

Ulf . Mattsson AT protegrity . com