Ken Smith
Twitter: @ken5m1th
Enterprise Security Consultant
CISSP CISA GCIH QSA
We've secretly replaced your sensitive information with useless data.
SOURCE Boston
20 April, 2011
What's so appealing about tokenization?
How it works
Tokenization types
Misconceptions and vendor FUD
How to screw it up
How to do it well
Implementation process
The future
The Holy Grail
Easy to implement
One size fits all
Your data security concerns go away
Compliance is easy once implemented
*According to fairies and unicorns
It addresses the major issues with encryption
Image source: xkcd.com
Image source: www.jakeludington.com
Manage access controls for data and keys
Encrypt whenever data is at rest
Encrypt whenever data is in transit
Secure key generation and distribution
Records retention and destruction
Manage all compliance requirements
◦ PCI DSS
◦ Mass 93H/201CMR17.00
◦ All other state notification laws
◦ HIPAA
Protect the tokenized data according to its new data classification (not sensitive)
1. Sensitive data gathered
2. Sensitive data encrypted and stored in highly protected vault
3. Token value created and returned back to original systems/databases
Sensitive Data
• Credit card #
• SSN
• Other
→ Tokenizing Process
• Encryption
• Key mgmt
• Token DB
→ Token
• Replacement value
• Not sensitive
Tokenize at authorization
Tokenize during clearing
Onsite vault
Offsite vault
Pay page
Hosted shopping cart
Tokenize after settlement
Format preserving
Tokenization is always better than encryption
Offload to a third-party and it's no longer your problem
PCI DSS scope will always be reduced or eliminated
It's always simple to implement
The apps that tokenize the data can also de-tokenize
Many users still need/use the sensitive data
Put everything on the same system/network
Co-mingling tokens with sensitive data
Implementing because it's a cool buzzword
The apps that call the tokenization process should not have the ability to de-tokenize, access decryption keys, or access stored sensitive data, even in encrypted form
Encrypted data stored in a segmented and highly secured 'vault'
Standard users should not have the ability to de-tokenize data – the token value is good enough
Users that need to de-tokenize data should use an out-of-band method
If using third-party offsite solution, remove yourself from the transaction
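As an added example, not code from the talk, here is a Python sketch of the design the "How it works" steps and the points above describe: the vault encrypts the PAN and maps a random, format-preserving token to it, applications receive only a tokenize handle, and de-tokenization is a separate, role-gated call. The encryption is a stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for a real AEAD with HSM-held keys, the role name is hypothetical, and generating tokens that fail the Luhn check (so they can never be mistaken for a real card number) is a design choice added here.

```python
import hashlib
import hmac
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it, so tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Vault:
    """The segmented vault: holds the key, the encrypted PANs and the token map."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # would live in an HSM/key manager
        self._store: dict[str, bytes] = {}   # token -> nonce || ciphertext || tag

    def _prf(self, label: bytes, data: bytes) -> bytes:
        return hmac.new(self._key, label + data, hashlib.sha256).digest()
    def _seal(self, pan: str) -> bytes:
        # Stand-in for a real AEAD: one HMAC block as keystream (a PAN is < 32 bytes), encrypt-then-MAC.
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._prf(b"enc", nonce)))
        return nonce + ct + self._prf(b"mac", nonce + ct)

    def _unseal(self, blob: bytes) -> str:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"mac", nonce + ct)):
            raise ValueError("vault record tampered")
        return bytes(a ^ b for a, b in zip(ct, self._prf(b"enc", nonce))).decode()

    def tokenize(self, pan: str) -> str:
        """Random, format-preserving token: same length, last four kept, never Luhn-valid, never reused."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan[:-4]) + pan[-4:]
            if not luhn_ok(token) and token not in self._store:
                self._store[token] = self._seal(pan)
                return token

    def detokenize(self, token: str, role: str) -> str:
        """The out-of-band path: only a designated role may recover the PAN."""
        if role != "settlement-operator":  # hypothetical role name
            raise PermissionError("de-tokenization not permitted for role " + role)
        return self._unseal(self._store[token])

class AppTokenizer:
    """What applications get: a tokenize handle only, no key, no store, no de-tokenize."""
    def __init__(self, vault: Vault) -> None:
        self.tokenize = vault.tokenize
```

The calling application holds an AppTokenizer and can never reach the key, the store or detokenize; the reconciliation or settlement process that genuinely needs the PAN calls the vault directly with its own role.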
Evaluate your requirements
Pick a product
Implement product
All of your information security challenges have been solved!
* In rainbow and unicorn land
First, ask the following questions:
◦ 1. Do you really need to store the data?
◦ 2. Are you really really sure?
◦ 3. And the last time that happened was…...?
◦ 4. I know, I know…. but do you need the whole number?
Define your requirements
Clearly define the scope
Investigate all potential solutions
Redefine your requirements
Redefine the scope
Evaluation/POC
Implement solution
Constantly monitor product effectiveness
Continue to assess risk as usual
Important component of data protection
Improvements to deployment models
Moving closer to the point of data capture
Cloud adoption will drive the need
Employed to protect other types of data
Fewer companies managing their own encryption solutions
Encrypted data stored in highly secure 'vault'
Most of your business can function with only the token value
Sensitive data checks in, doesn't check out
Access method is “out of band”
A step up from encrypting data
Get rid of data you don't really need
Removes the crown jewels
Can be used to protect different types of data
Multiple flavors to choose from
App should tokenize, not de-tokenize
The Holy Grail is possible (e-Commerce)
Thank you!
Ken Smith
◦ [email protected]
◦ http://twitter.com/ken5m1th
◦ http://post.ksm1th.com
◦ http://www.linkedin.com/in/1ksmith