Securing Data Today and in the Future
Ulf Mattsson, CTO Protegrity
ulf . mattsson [at] protegrity . com
May 17, 2015
Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents – Encryption and Tokenization
Co-founder of Protegrity (Data Security)
Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
Member of
• Cloud Security Alliance (CSA)
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• Information Systems Security Association (ISSA)
• Information Systems Audit and Control Association (ISACA)
Data Breaches
“It is fascinating that the top threat events in both 2010 and 2011 are the same
and involve external agents hacking and installing malware to compromise the confidentiality and integrity of servers.”
Best Source of Incident Data
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team
Source: Securosis, http://securosis.com/
Data Breaches – Mainly Online Data Records
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
[Chart: 900+ breaches and 900+ million compromised records, broken down by the kind of data record involved; the percentages are not recoverable from the page.]
Compromised Data Types – # Records
Source: Data Breach Investigations Report, Verizon Business RISK team and USSS
[Bar chart: share of compromised records by data type (%); bar values are not recoverable from the page. Categories:]
Sensitive organizational data
System information
Classified information
Medical records
Bank account data
Intellectual property
Usernames, passwords
Personal information
Payment card data
Industry Groups Represented – # Breaches
Source: Data Breach Investigations Report, Verizon Business RISK team and USSS
[Bar chart: share of breaches by industry (%, 0–45 scale); bar values are not recoverable from the page. Categories:]
Business Services
Healthcare
Media
Transportation
Manufacturing
Tech Services
Government
Financial Services
Retail
Hospitality
Breach Discovery Methods – # Breaches
Source: Data Breach Investigations Report, Verizon Business RISK team and USSS
[Bar chart: share of breaches by discovery method (%, 0–50 scale); bar values are not recoverable from the page. Categories:]
Third party monitoring service
Brag or blackmail by perpetrator
Internal fraud detection
Internal security audit or scan
Reported by employee
Unusual system behavior
Reported by customer/partner affected
Notified by law enforcement
Third party fraud detection
PCI DSS
Example of How the Problem is Occurring – PCI DSS
Source: PCI Security Standards Council, 2011
[Diagram: an attacker on the public network reaches the private network over SSL; inside, the data path runs Application → Database → OS File System → Storage System. PCI DSS requires data to be encrypted on public networks and encrypted at rest, but between those two enforcement points, in the application and database layers, the data is in clear text.]
PCI DSS – Ways to Render the PAN* Unreadable
• Two-way (strong) cryptography with associated key management processes
• One-way cryptographic hash functions, based on strong cryptography and applied to the entire PAN
• Index tokens and pads (the pads must be securely stored)
• Truncation (or masking – xxxxxx xxxxxx 6781); hashing cannot be used to replace the truncated segment
* PAN: Primary Account Number (credit card number)
Caveat: a PAN carries very little entropy (a 16-digit number whose first six digits identify the issuer and whose last four are routinely displayed), so an unsalted hash of a PAN can be reversed by brute force. PCI DSS itself warns that an attacker holding both the truncated and the hashed form of the same PAN can trivially reconstruct it, and requires additional controls wherever both forms exist in one environment. A keyed hash (HMAC) or a strong salt stored separately from the data closes this gap.
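The caveat above can be demonstrated directly. What follows is an added example, not code from the deck or from any Protegrity product; it uses the deck's own sample PAN 4000 0012 3456 7899 (which happens to pass the Luhn check) as constructed input. `recover_pan` brute-forces the six masked digits of a truncated PAN against its unsalted SHA-256, and the same search fails against an HMAC whose key the attacker does not hold. All function names are this example's own.

```python
import hashlib
import hmac
from typing import Callable, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test that every real PAN passes (standard algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits remain."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def unsalted_hash(pan: str) -> str:
    """Plain SHA-256 of the full PAN: the weak form of 'one-way hash'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is kept away from the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, target: str,
                digest: Callable[[str], str] = unsalted_hash) -> Optional[str]:
    """Attacker's view: the truncated PAN fixes the first six and last four
    digits, leaving 10**6 candidates for a 16-digit PAN (10**5 after a Luhn
    filter, which costs more in Python than simply hashing every candidate).
    Returns the PAN whose digest matches, or None if the search space is exhausted."""
    prefix, suffix = truncated[:6], truncated[-4:]
    n_masked = len(truncated) - 10
    for middle in range(10 ** n_masked):
        candidate = f"{prefix}{middle:0{n_masked}d}{suffix}"
        if digest(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4000001234567899"   # the deck's sample PAN, constructed input
    print("truncated:", truncate(pan))
    print("recovered from unsalted hash:", recover_pan(truncate(pan), unsalted_hash(pan)))
    print("recovered from HMAC (no key):", recover_pan(truncate(pan), keyed_hash(pan, b"\x01" * 32)))
```

The search finds the full PAN in well under a second on a laptop; with a 32-byte HMAC key the same search returns None, because the attacker would need the key to compute candidate digests at all. The key must therefore live in the key-management system, not in the database that holds the hashes.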
Protecting the Data Flow – Example
[Diagram: a data flow with enforcement points at which sensitive information is protected; the legend distinguishes protected sensitive information, unprotected sensitive information and enforcement points.]
Use of Enabling Technologies
Current, Planned Use of Enabling Technologies
Current Use of Enabling Technologies, by Maturity Class
[Chart: for each technology, the share of respondents Evaluating, in Current Use, and with Planned Use within 12 months. The individual percentages cannot be attributed to technologies from the page. Technologies:]
Access controls
Database activity monitoring
Database encryption
Backup / Archive encryption
Data masking
Application-level encryption
Tokenization
Positioning Different Protection Options
[Table: Strong Encryption, Formatted Encryption and Data Tokens rated from Best to Worst on three criteria: Security & Compliance; Total Cost of Ownership; Use of Encoded Data. The ratings are not recoverable from the page.]
Securing Data Fields – Impact of Different Methods
[Chart: encoding methods positioned by intrusiveness to applications and databases, and by output length relative to the original data; the chart also carries the annotation "Oracle Domain Index". Example outputs for an original field of 123456 123456 1234:]
Clear Text:          123456 123456 1234 (original length)
Partial:             123456 777777 1234 (original length; leading and trailing digits kept in the clear)
Numeric:             666666 777777 8888 (original length; tokenizing or formatted encryption)
Alpha:               aVdSaH 1F4hJ 1D3a (original length)
Strong Encryption:   !@#$%a^.,mhu7/////&*B()_+!@ (longer; standard encryption)
Hashing:             !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* (longer)
Data Tokenization
Hiding Data in Plain Sight – Data Tokenization
[Diagram: in a cloud environment the application and database hold only data tokens; a tokenization gateway (the data transformer) sits between the clear data and the cloud. Example: the PAN 4000 0012 3456 7899 appears in the cloud as the token 40 12 3456 7890 7899, while its encrypted form (Y&SFD%))S() is unreadable. Legend: protected vs. unprotected sensitive information.]
Token Flexibility for Different Categories of Data
Type of Data      Input                  Token                  Token Properties / Comment
Credit Card       3872 3789 1620 3675    8278 2789 2990 2789    Numeric
Medical ID        29M2009ID              497HF390D              Alpha-numeric
Date              10/30/1955             12/25/2034             Date
E-mail Address    [email protected]      [email protected]      Alphanumeric, delimiters in input preserved
SSN delimiters    075-67-2278            287-38-2567            Numeric, delimiters in input preserved
Credit Card       3872 3789 1620 3675    8278 2789 2990 3675    Numeric, last 4 digits exposed
Policy Masking
Credit Card       3872 3789 1620 3675 (clear, encrypted or tokenized at rest) → 3872 37## #### ####    Presentation mask: expose first 6 digits
Example: HIPAA – 18 Direct Identifiers
1. Names
2. Geographic subdivisions smaller than a state, including
3. All elements of dates (e.g., date of birth, admission)
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. IP address numbers
16. Biometric identifiers, including fingerprints and voice prints
17. Full-face photographic images and any comparable images
18. Other unique identifying numbers, characteristics or codes
Visa Best Practices for Tokenization, Version 1
Published July 14, 2010.
[Table: token generation methods by token type (single-use token vs. multi-use token). Recoverable content:]
• Algorithm and key (reversible): a known strong algorithm (NIST approved)
• One-way irreversible function: unique sequence number, hash, or randomly generated value
• Single-use token: secret per transaction; multi-use token: secret per merchant
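As an added example covering both the token flexibility table above and the Visa single-use vs. multi-use distinction (this is not code from the deck, from Protegrity, or from Visa's document): a small in-memory token vault that issues randomly generated, format-preserving tokens, keeps delimiters, can leave the last four characters exposed, issues a random but valid date for date fields, and applies the presentation mask from the policy masking row. Multi-use tokens are looked up so the same input always yields the same token; single-use tokens are fresh on every call; a collision with an already issued token is detected against the vault and retried. The class and function names are this example's own, and the e-mail address is constructed. The deck's "memory tokenization" with static randomized tables is a different construction and is not what this vault implements.

```python
import secrets
from datetime import date, datetime, timedelta
from typing import Dict, Optional, Tuple

DIGITS, UPPER, LOWER = "0123456789", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"


def random_same_shape(value: str, keep_last: int = 0) -> str:
    """Replace each letter/digit with a random character of the same class.
    Delimiters (space, '-', '@', '.', '/') and the last `keep_last` alphanumerics are kept."""
    alnum = [i for i, c in enumerate(value) if c.isalnum()]
    keep = set(alnum[len(alnum) - keep_last:]) if keep_last else set()
    out = []
    for i, c in enumerate(value):
        if i in keep or not c.isalnum():
            out.append(c)
        elif c.isdigit():
            out.append(secrets.choice(DIGITS))
        elif c.isupper():
            out.append(secrets.choice(UPPER))
        else:
            out.append(secrets.choice(LOWER))
    return "".join(out)


def random_date_token(value: str, fmt: str = "%m/%d/%Y") -> str:
    """Date fields get a random *valid* date (1900-2099) in the same format,
    so consumers that parse the column keep working."""
    datetime.strptime(value, fmt)  # reject input that is not a date in this format
    lo, span = date(1900, 1, 1), (date(2099, 12, 31) - date(1900, 1, 1)).days
    return (lo + timedelta(days=secrets.randbelow(span + 1))).strftime(fmt)


def presentation_mask(value: str, expose_first: int = 0, expose_last: int = 0,
                      mask_char: str = "#") -> str:
    """Policy masking for display: keep delimiters, show only the requested leading/trailing characters."""
    alnum = [i for i, c in enumerate(value) if c.isalnum()]
    visible = set(alnum[:expose_first])
    if expose_last:
        visible |= set(alnum[len(alnum) - expose_last:])
    return "".join(c if (i in visible or not c.isalnum()) else mask_char for i, c in enumerate(value))


def same_shape(a: str, b: str) -> bool:
    """True when b preserves a's length, delimiters and per-character class (digit/upper/lower)."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if not x.isalnum() or not y.isalnum():
            if x != y:
                return False
        elif x.isdigit() != y.isdigit() or x.isupper() != y.isupper():
            return False
    return True


def is_valid_date(value: str, fmt: str = "%m/%d/%Y") -> bool:
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False


class TokenVault:
    """Randomly generated tokens with a lookup table (Visa's 'randomly generated value' method).
    Multi-use: the same input always maps to the same token. Single-use: a fresh token per call."""

    def __init__(self) -> None:
        self._multi: Dict[Tuple[str, int, bool], str] = {}  # (value, keep_last, is_date) -> token
        self._value_for: Dict[str, str] = {}                # every issued token -> original value

    def tokenize(self, value: str, keep_last: int = 0, is_date: bool = False,
                 single_use: bool = False) -> str:
        key = (value, keep_last, is_date)
        if not single_use and key in self._multi:
            return self._multi[key]
        for _ in range(100):  # retry on the rare collision with an already issued token
            token = random_date_token(value) if is_date else random_same_shape(value, keep_last)
            if token != value and token not in self._value_for:
                break
        else:
            raise RuntimeError("could not find an unused token")
        self._value_for[token] = value
        if not single_use:
            self._multi[key] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only callers allowed to reach the vault can recover the original value."""
        return self._value_for.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "3872 3789 1620 3675"  # the deck's sample card number
    print(vault.tokenize(pan, keep_last=4), presentation_mask(pan, expose_first=6))
```

The vault table is the whole secret: with only the tokens, nothing about the original values is recoverable, which is why the table (or in the deck's terms the token server) must sit behind its own access controls and never in the same trust zone as the tokenized data.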
Tokenization Use Case Example
A leading retail chain
• 1500 locations in the U.S. market
Simplify PCI compliance
• 98% of use cases out of audit scope
• Ease of install (had 18 PCI initiatives at one time)
Tokenization solution was implemented in 2 weeks
• Reduced PCI audit from 7 months to 3 months
• No 3rd-party code modifications
• Proved to be the best performance option
• 700,000 transactions per day
• 50 million cardholder data records
• Conversion took 90 minutes (plan was 30 days)
• Next step – tokenization server at 1500 locations
Different Approaches for Tokenization
Traditional Tokenization
• Dynamic model or pre-generated model
• 5 to 5,000 tokenizations per second
Next Generation Tokenization
• Memory tokenization
• 200,000 – 9,000,000+ tokenizations per second
• “The tokenization scheme offers excellent security, since it is based on fully randomized tables.” *
• “This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.“ *
*: Prof. Dr. Ir. Bart Preneel, Katholieke Universiteit Leuven, Belgium
Tokenization Summary – Traditional Tokenization vs. Memory Tokenization
Footprint
• Traditional: Large, expanding. The large and expanding footprint of traditional tokenization is its Achilles' heel. It is the source of poor performance, poor scalability, and limitations on its expanded use.
• Memory: Small, static. The small static footprint is the enabling factor that delivers extreme performance, scalability, and expanded use.
High Availability, DR, and Distribution
• Traditional: Complex replication required. Deploying more than one token server for high availability or scalability requires complex and expensive replication or synchronization between the servers.
• Memory: No replication required. Any number of token servers can be deployed without replication or synchronization between them. This delivers a simple, elegant, yet powerful solution.
Reliability
• Traditional: Prone to collisions. The synchronization and replication required to support many deployed token servers is prone to collisions, a characteristic that severely limits the usability of traditional tokenization.
• Memory: No collisions. Memory tokenization's lack of need for replication or synchronization eliminates the potential for collisions.
Performance, Latency, and Scalability
• Traditional: Will adversely impact performance and scalability. The large footprint severely limits the ability to place the token server close to the data. The distance between the data and the token server creates latency that adversely affects performance and scalability, to the extent that some use cases are not possible.
• Memory: Little or no latency; fastest industry tokenization. The small footprint enables the token server to be placed close to the data to reduce latency. When placed in memory, it eliminates latency and delivers the fastest tokenization in the industry.
Extendibility
• Traditional: Practically impossible. Given all the issues inherent in traditional tokenization of a single data category, tokenizing more data categories may be impractical.
• Memory: Unlimited tokenization capability. Memory tokenization can be used to tokenize many data categories with minimal or no impact on footprint or performance.
Cloud
“Cloud – Like a Parking Garage”
Risks Associated with Cloud Computing
Source: The evolving role of IT managers and CIOs. Findings from the 2010 IBM Global IT Risk Study
[Bar chart: % of respondents naming each risk (0–70 scale); bar values are not recoverable from the page. Risks:]
Inability to customize applications
Financial strength of the cloud computing provider
Uptime/business continuity
Weakening of corporate network security
Threat of data breach or loss
Handing over sensitive data to a third party
Amazon Cloud & PCI DSS
Just because AWS is certified doesn't mean you are
• You still need to deploy a PCI compliant application/service, and anything on AWS is still within your assessment scope
PCI DSS 2.0 doesn't address multi-tenancy concerns
You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI DSS requirements
• Amazon doesn't do this for you
• You need to implement key management, rotation, logging, etc.
If you deploy a server instance in EC2 it still needs to be assessed by your QSA (PCI auditor)
• Organization's assessment scope isn't necessarily reduced
Tokenization can reduce your handling of PAN data
Source: Securosis, http://securosis.com/
Guidance from Cloud Security Alliance
“Pass Security Before Entering The Cloud”
[Diagram: a user's sensitive data passes a security checkpoint before entering the cloud, so the cloud holds only secured data. Example: the field 123456 123456 1234 leaves the checkpoint as 123456 999999 1234. Legend: protected vs. unprotected sensitive information.]
Data Tokens in a Cloud Environment – Integration Example
[Diagram: a tokenization gateway between users and the cloud environment; the applications and databases in the cloud hold data tokens, with policy set by a security admin. Example: SSN 990-23-1013 and PAN 4000 0012 3456 7899 are stored in the cloud as 123-45-1013 and 40 12 3456 7890 7899.]
Data Tokenization at the Gateway Layer
[Diagram: the tokenization gateway sits in front of the cloud environment, so the application and database in the cloud only ever receive data tokens.]
Data Tokenization at the Application Layer
[Diagram: the application calls a token server, administered by a security admin, and writes data tokens to the database.]
Data Tokenization at the Database Layer
[Diagram: the token server is called from the database layer, so data is tokenized as it is written to the database.]
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
[Diagram: the NIST cloud service models IaaS, PaaS and SaaS, with the user on top.]
Securing Encryption Keys
An entity that uses a given key should not be the entity that stores that key.
[Diagram: encryption key administration kept outside the cloud environment that uses the encryption keys.]
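An added example of the principle above, envelope encryption with the key-encryption key held by a separate key server (this is not code from the deck or from any Protegrity product). The `KeyServer` and `Application` classes are this example's own. To stay within the Python standard library, `seal`/`unseal` build a toy authenticated cipher from an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for an AEAD such as AES-GCM; it must not be used as a real cipher. The application receives each data key only transiently, stores just the wrapped copy next to the ciphertext, and rotating the key-encryption key rewraps data keys without touching the records; every key use is logged at the key server.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks: List[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD (stand-in for AES-GCM): nonce || keystream-XOR ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def fails_authentication(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return False
    except ValueError:
        return True


def kek_version(wrapped: bytes) -> int:
    return int.from_bytes(wrapped[:2], "big")


class KeyServer:
    """Stores the key-encryption keys (KEKs). Callers get data keys and wrapped blobs, never a KEK."""

    def __init__(self) -> None:
        self._keks: Dict[int, bytes] = {1: secrets.token_bytes(32)}
        self._current = 1
        self.audit: List[Tuple[str, str, int]] = []  # (caller, operation, KEK version)

    def _wrap(self, dek: bytes) -> bytes:
        return self._current.to_bytes(2, "big") + seal(self._keks[self._current], dek)

    def generate_data_key(self, caller: str) -> Tuple[bytes, bytes]:
        dek = secrets.token_bytes(32)
        self.audit.append((caller, "generate", self._current))
        return dek, self._wrap(dek)

    def unwrap(self, caller: str, wrapped: bytes) -> bytes:
        version = kek_version(wrapped)
        self.audit.append((caller, "unwrap", version))
        return unseal(self._keks[version], wrapped[2:])

    def rotate(self) -> int:
        """New KEK for future wraps; old versions stay available to unwrap existing blobs."""
        self._current += 1
        self._keks[self._current] = secrets.token_bytes(32)
        return self._current

    def rewrap(self, wrapped: bytes) -> bytes:
        return self._wrap(self.unwrap("key-server", wrapped))


class Application:
    """Uses data keys but persists only their wrapped form alongside the ciphertext."""

    def __init__(self, key_server: KeyServer) -> None:
        self._ks = key_server
        self.records: Dict[str, Tuple[bytes, bytes]] = {}  # id -> (wrapped DEK, ciphertext)

    def store(self, record_id: str, plaintext: bytes) -> None:
        dek, wrapped = self._ks.generate_data_key("app")
        self.records[record_id] = (wrapped, seal(dek, plaintext))
        del dek  # no key material kept by the application

    def read(self, record_id: str) -> bytes:
        wrapped, ct = self.records[record_id]
        return unseal(self._ks.unwrap("app", wrapped), ct)

    def rewrap_all(self) -> None:
        for rid, (wrapped, ct) in list(self.records.items()):
            self.records[rid] = (self._ks.rewrap(wrapped), ct)
```

A copy of the application's storage contains wrapped keys and ciphertext only; without the key server's KEK it yields nothing, and the key server's audit log records every unwrap, which is the detection hook the single-entity model lacks.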
Positioning of Enabling Technologies
Risk Management and PCI – Security Aspects
Different data security methods and algorithms; integration and policy enforcement at different system layers
[Matrix, rated from Best to Worst (N/A where not applicable): data security method (Hashing, Formatted Encryption, Strong Encryption, Data Tokenization) against system layer (Application, Database Column, Database File, Storage Device). The ratings are not recoverable from the page.]
Evaluating Field Encryption & Tokenization
[Table rating Strong Field Encryption, Formatted Encryption and Tokenization (distributed) from Best to Worst on each criterion; the ratings are not recoverable from the page. Evaluation criteria:]
• Disconnected environments
• Distributed environments
• Performance impact when loading data
• Transparent to applications
• Expanded storage size
• Transparent to database schema
• Long life-cycle data
• Unix or Windows mixed with “big iron” (EBCDIC)
• Easy re-keying of data in a data flow
• High risk data
• Security – compliance to PCI, NIST
Vendors/Products Providing Database Protection
[Table rating 3rd Party, Oracle 9, Oracle 10, Oracle 11, IBM DB2 and MS SQL from Best to Worst on each feature; the ratings are not recoverable from the page. Features:]
• Database file encryption
• Database column encryption (column encryption adds 32–52 bytes per value in Oracle 10.2.0.4 and 11.1.0.7)
• Formatted encryption
• Data tokenization
• Database activity monitoring
• Multi-vendor encryption
• Data masking
• Central key management
• HSM support (Oracle 11.1.0.7)
• Re-key support (tablespace)
Column Encryption Solutions – Some Considerations
[Table rating 3rd Party, Oracle 10 TDE and Oracle 11 TDE from Best to Worst on each area; the ratings are not recoverable from the page. Areas of evaluation:]
• Performance; managing UDTs or views/triggers
• Support for both encryption and replication
• Support for Oracle Domain Index for fast search
• Keys are local; re-encryption needed when moving data from A to B
• Separation of duties / key control vector
• Encryption format specified
• Data type support
• Index support beyond equality comparison
• HSM (hardware crypto) support (Oracle 11.1.0.6)
• HSM password not stored in a file
• Automated and secure master key backup procedure
• Keys exportable
Choose Your Defenses – Cost Effective PCI DSS
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute
[Bar chart: % of respondents deploying each control (0–90 scale); bar values are not recoverable from the page. WAF, DLP, DAM and Encryption/Tokenization are highlighted. Controls:]
ID & credentialing system
Database scanning and monitoring (DAM)
Intrusion detection or prevention systems
Data loss prevention systems (DLP)
Endpoint encryption solution
Web application firewalls (WAF)
Correlation or event management systems
Identity & access management systems
Access governance systems
Encryption for data in motion
Anti-virus & anti-malware solution
Encryption/Tokenization for data at rest
Firewalls
Matching Data Protection Solutions with Risk Level
Risk Level           Solution
Low Risk (1–5)       Monitor
At Risk (6–15)       Monitor, mask, access control limits, format controlling encryption
High Risk (16–25)    Replacement, strong encryption

Data Field                 Risk Level
Credit Card Number         25
Social Security Number     20
CVV                        20
Customer Name              12
Secret Formula             10
Employee Name               9
Employee Health Record      6
Zip Code                    3
Deploy Defenses
Choose Your Defenses – Total Cost of Ownership
[Chart: cost against risk level, from weak protection to strong protection. Expected losses from the risk fall as protection strengthens while the cost of aversion (protection of data) rises; the total cost curve is lowest at the optimal risk point, marked X.]
Best Practices – Data Security Management
[Diagram: an Enterprise Data Security Administrator manages policy, the audit log and the secure archive centrally; encryption services are enforced by a Database Protector, a File System Protector, an Application Protector and a Tokenization Server.]
About Protegrity
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented technology, continuing to drive innovation
Growth driven by compliance and risk management
• PCI (Payment Card Industry)
• PII (Personally Identifiable Information)
• PHI (Protected Health Information) – HIPAA
• State and foreign privacy laws, breach notification laws
• High cost of an information breach ($4.8m average cost), immeasurable costs of brand damage and loss of customers
• Requirements to eliminate the threat of data breach and non-compliance
Cross-industry applicability
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment
• Manufacturing and Government
Please contact me for more information
Ulf Mattsson, CTO Protegrity
Ulf . Mattsson [at] protegrity . com