Securing Data Today and in the Future Ulf Mattsson CTO Protegrity ulf . mattsson [at] protegrity . com

Securing data today and in the future - Oracle NYC

May 17, 2015


Ulf Mattsson

NYOUG - New York Oracle Users Group:
- Risks Associated with Cloud Computing
- Data Tokens in a Cloud Environment
- Data Tokenization at the Gateway Layer
- Data Tokenization at the Database Layer
- Risk Management and PCI
Transcript
Page 1: Securing data today and in the future - Oracle NYC

Securing Data Today and in the Future

Ulf Mattsson, CTO Protegrity

ulf . mattsson [at] protegrity . com

Page 2: Securing data today and in the future - Oracle NYC

Ulf Mattsson

20 years with IBM Development & Global Services

Inventor of 22 patents – Encryption and Tokenization

Co-founder of Protegrity (Data Security)

Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security

Member of

• Cloud Security Alliance (CSA)

• PCI Security Standards Council (PCI SSC)

• American National Standards Institute (ANSI) X9

• Information Systems Security Association (ISSA)

• Information Systems Audit and Control Association (ISACA)

Page 3: Securing data today and in the future - Oracle NYC


Page 4: Securing data today and in the future - Oracle NYC


Data Breaches

Page 5: Securing data today and in the future - Oracle NYC

“It is fascinating that the top threat events in both 2010 and 2011 are the same and involve external agents hacking and installing malware to compromise the confidentiality and integrity of servers.”

Best Source of Incident Data

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team

Source: Securosis, http://securosis.com/

Page 6: Securing data today and in the future - Oracle NYC

900+ breaches

900+ million compromised records:

Data Breaches – Mainly Online Data Records


Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 7: Securing data today and in the future - Oracle NYC

Compromised Data Types - # Records

[Bar chart, axis in %. Categories: Sensitive organizational data; System information; Classified information; Medical records; Bank account data; Intellectual property; Usernames, passwords; Personal information; Payment card data.]

Source: Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 8: Securing data today and in the future - Oracle NYC

Industry Groups Represented - # Breaches

[Bar chart, axis in %. Categories: Business Services; Healthcare; Media; Transportation; Manufacturing; Tech Services; Government; Financial Services; Retail; Hospitality.]

Source: Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 9: Securing data today and in the future - Oracle NYC

Breach Discovery Methods - # Breaches

[Bar chart, axis in %. Categories: Third party monitoring service; Brag or blackmail by perpetrator; Internal fraud detection; Internal security audit or scan; Reported by employee; Unusual system behavior; Reported by customer/partner affected; Notified by law enforcement; Third party fraud detection.]

Source: Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 10: Securing data today and in the future - Oracle NYC


PCI DSS

Page 11: Securing data today and in the future - Oracle NYC

Example of How the Problem is Occurring – PCI DSS

[Diagram. Components: Attacker; Public Network; SSL; Private Network; Application; Database; OS File System; Storage System. Labels: Encrypt Data on Public Networks (PCI DSS); Encrypt Data At Rest (PCI DSS); Clear Text Data (shown twice).]

Source: PCI Security Standards Council, 2011

Page 12: Securing data today and in the future - Oracle NYC

PCI DSS - Ways to Render the PAN* Unreadable

Two-way cryptography with associated key management processes

One-way cryptographic hash functions

Index tokens and pads

Truncation (or masking – xxxxxx xxxxxx 6781)

* PAN: Primary Account Number (Credit Card Number)

Page 13: Securing data today and in the future - Oracle NYC

Protecting the Data Flow - Example

Protected sensitive information

Unprotected sensitive information:

: Enforcement point

Page 14: Securing data today and in the future - Oracle NYC

Use of Enabling Technologies

Page 15: Securing data today and in the future - Oracle NYC

Current, Planned Use of Enabling Technologies

[Bar chart, values in %. Technologies: Access controls; Database activity monitoring; Database encryption; Backup / Archive encryption; Data masking; Application-level encryption; Tokenization. Series: Evaluating; Current Use; Planned Use <12 Months.]

Page 16: Securing data today and in the future - Oracle NYC

Current Use of Enabling Technologies, by Maturity Class

Page 17: Securing data today and in the future - Oracle NYC

Positioning Different Protection Options

Evaluation Criteria: Security & Compliance; Total Cost of Ownership; Use of Encoded Data

Options rated: Strong Encryption; Formatted Encryption; Data Tokens

Scale: Best to Worst

Page 18: Securing data today and in the future - Oracle NYC

Securing Data Fields – Impact of Different Methods

[Diagram. Axis labels: Intrusiveness (to Applications and Databases); Data Length (Original to Longer); Encoding; Original Data. Methods: Clear Text; Partial; Numeric; Alpha; Strong Encryption; Hashing. Groupings: Tokenizing or Formatted Encryption; Standard Encryption. Sample values shown: 123456 123456 1234; 123456 777777 1234; 666666 777777 8888; aVdSaH 1F4hJ 1D3a; !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*; !@#$%a^.,mhu7/////&*B()_+!@]

Page 19: Securing data today and in the future - Oracle NYC

Oracle Domain Index

Page 20: Securing data today and in the future - Oracle NYC

Data Tokenization

Page 21: Securing data today and in the future - Oracle NYC

Hiding Data in Plain Sight – Data Tokenization

[Diagram. Components: Cloud Environment; Application; Database; Tokenization Gateway; Data Token; Data Transformer. Legend: Protected sensitive information; Unprotected sensitive information. Sample values shown: 4000 0012 3456 7899; 40 12 3456 7890 7899; Y&SFD%))S(]

Page 22: Securing data today and in the future - Oracle NYC

Token Flexibility for Different Categories of Data

Type of Data | Input | Token | Comment (Token Properties)
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric
Medical ID | 29M2009ID | 497HF390D | Alpha-Numeric
Date | 10/30/1955 | 12/25/2034 | Date
E-mail Address | [email protected] | [email protected] | Alpha Numeric, delimiters in input preserved
SSN delimiters | 075-67-2278 | 287-38-2567 | Numeric, delimiters in input
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, Last 4 digits exposed

Policy Masking

Credit Card | 3872 3789 1620 3675 | clear, encrypted, tokenized at rest | 3872 37## #### #### | Presentation Mask: Expose 1st 6 digits

Page 23: Securing data today and in the future - Oracle NYC

Example: HIPAA – 18 Direct Identifiers

1. Names
2. Geographic subdivisions smaller than a state, including
3. All elements of dates (e.g., date of birth, admission)
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal locators (URLs)
15. IP address numbers
16. Biometric identifiers, including fingerprints and voice prints
17. Full-face photographic images and any comparable images
18. Other unique identifying numbers, characteristics or codes

Page 24: Securing data today and in the future - Oracle NYC

Visa Best Practices for Tokenization Version 1

Token Generation Token Types

Single Use Token Multi Use Token

Algorithm and Key Reversible

Known strong algorithm (NIST Approved)

One way Irreversible Function

Unique Sequence Number

Hash

Randomly generated value

-

Secret per transaction

Secret per merchant

Published July 14, 2010.

Page 25: Securing data today and in the future - Oracle NYC

Tokenization Use Case Example

A leading retail chain

• 1500 locations in the U.S. market

Simplify PCI Compliance

• 98% of Use Cases out of audit scope

• Ease of install (had 18 PCI initiatives at one time)

Tokenization solution was implemented in 2 weeks

• Reduced PCI Audit from 7 months to 3 months

• No 3rd Party code modifications

• Proved to be the best performance option

• 700,000 transactions per day

• 50 million card holder data records

• Conversion took 90 minutes (plan was 30 days)

• Next step – tokenization server at 1500 locations

Page 26: Securing data today and in the future - Oracle NYC

Different Approaches for Tokenization

Traditional Tokenization

• Dynamic Model or Pre-Generated Model

• 5 tokens per second - 5000 tokenizations per second

Next Generation Tokenization

• Memory-tokenization

• 200,000 - 9,000,000+ tokenizations per second

• “The tokenization scheme offers excellent security, since it is based on fully randomized tables.” *

• “This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.” *

*: Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium

Page 27: Securing data today and in the future - Oracle NYC

Tokenization Summary: Traditional Tokenization vs. Memory Tokenization

Footprint

• Traditional Tokenization: Large, Expanding. The large and expanding footprint of Traditional Tokenization is its Achilles heel. It is the source of poor performance, scalability, and limitations on its expanded use.

• Memory Tokenization: Small, Static. The small static footprint is the enabling factor that delivers extreme performance, scalability, and expanded use.

High Availability, DR, and Distribution

• Traditional Tokenization: Complex replication required. Deploying more than one token server for the purpose of high availability or scalability will require complex and expensive replication or synchronization between the servers.

• Memory Tokenization: No replication required. Any number of token servers can be deployed without the need for replication or synchronization between the servers. This delivers a simple, elegant, yet powerful solution.

Reliability

• Traditional Tokenization: Prone to collisions. The synchronization and replication required to support many deployed token servers is prone to collisions, a characteristic that severely limits the usability of traditional tokenization.

• Memory Tokenization: No collisions. Memory Tokenization's lack of need for replication or synchronization eliminates the potential for collisions.

Performance, Latency, and Scalability

• Traditional Tokenization: Will adversely impact performance & scalability. The large footprint severely limits the ability to place the token server close to the data. The distance between the data and the token server creates latency that adversely affects performance and scalability to the extent that some use cases are not possible.

• Memory Tokenization: Little or no latency. Fastest industry tokenization. The small footprint enables the token server to be placed close to the data to reduce latency. When placed in-memory, it eliminates latency and delivers the fastest tokenization in the industry.

Extendibility

• Traditional Tokenization: Practically impossible. Based on all the issues inherent in Traditional Tokenization of a single data category, tokenizing more data categories may be impractical.

• Memory Tokenization: Unlimited Tokenization Capability. Memory Tokenization can be used to tokenize many data categories with minimal or no impact on footprint or performance.
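The contrast in the summary above, as an added Python example that is not code from the presentation or from Protegrity: a vault that stores every mapping, next to a small set of static random tables that any server holding a copy can apply. The chained-lookup construction, the 3-digit block size and all function names are assumptions chosen for illustration, and the construction is a teaching toy rather than a reviewed tokenization algorithm.

```python
import secrets

BLOCK = 3            # digits handled per table lookup (assumption)
SIZE = 10 ** BLOCK   # each static table holds 1000 entries
SAMPLE_PAN = "3872 3789 1620 3675"   # input value from the token table slide

def build_tables(rounds=4):
    """Generate the static tables once: one random permutation of 0..999 per round."""
    rng = secrets.SystemRandom()
    return [rng.sample(range(SIZE), SIZE) for _ in range(rounds)]

def _blocks(digits):
    if not (digits.isascii() and digits.isdigit()) or len(digits) % BLOCK:
        raise ValueError("need a digit string whose length is a multiple of 3")
    return [int(digits[i:i + BLOCK]) for i in range(0, len(digits), BLOCK)]

def _join(blocks):
    return "".join(f"{b:0{BLOCK}d}" for b in blocks)

def table_tokenize(tables, digits):
    """Chained table lookups: a bijection on fixed-length digit strings, so no collisions."""
    x = _blocks(digits)
    for perm in tables:
        prev = 0
        for i in range(len(x)):
            x[i] = prev = perm[(x[i] + prev) % SIZE]
        x.reverse()                      # next round chains in the other direction
    return _join(x)

def table_detokenize(tables, token):
    """Undo table_tokenize by walking the rounds backwards with inverted tables."""
    y = _blocks(token)
    for perm in reversed(tables):
        inv = {dst: src for src, dst in enumerate(perm)}
        y.reverse()
        y = [(inv[v] - p) % SIZE for v, p in zip(y, [0] + y[:-1])]
    return _join(y)

class VaultTokenizer:
    """Traditional model: a random token per new value, kept in a growing vault."""
    def __init__(self):
        self.by_value, self.by_token = {}, {}

    def tokenize(self, digits):
        while digits not in self.by_value:
            token = "".join(secrets.choice("0123456789") for _ in digits)
            if token not in self.by_token:   # re-draw on a collision in this vault
                self.by_value[digits], self.by_token[token] = token, digits
        return self.by_value[digits]

    def detokenize(self, token):
        return self.by_token.get(token)      # None unless this vault issued it

def protect_pan(tables, pan):
    """Numeric token for a 16-digit PAN with the last 4 digits exposed, grouped in fours."""
    digits = pan.replace(" ", "")
    out = table_tokenize(tables, digits[:-4]) + digits[-4:]
    return " ".join(out[i:i + 4] for i in range(0, len(out), 4))
```

Two servers loaded with the same `tables` return the same token for the same input without exchanging state, while a second `VaultTokenizer` cannot resolve a token issued by the first until the vaults are replicated.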

Page 28: Securing data today and in the future - Oracle NYC


Cloud

Page 29: Securing data today and in the future - Oracle NYC

“Cloud – Like a Parking Garage”

Page 30: Securing data today and in the future - Oracle NYC

Risks Associated with Cloud Computing

[Bar chart, axis in %. Categories: Inability to customize applications; Financial strength of the cloud computing provider; Uptime/business continuity; Weakening of corporate network security; Threat of data breach or loss; Handing over sensitive data to a third party.]

Source: The evolving role of IT managers and CIOs Findings from the 2010 IBM Global IT Risk Study

Page 31: Securing data today and in the future - Oracle NYC

Amazon Cloud & PCI DSS

Just because AWS is certified doesn't mean you are

• You still need to deploy a PCI compliant application/service and anything on AWS is still within your assessment scope

PCI-DSS 2.0 doesn't address multi-tenancy concerns

You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements

• Amazon doesn't do this for you

• You need to implement key management, rotation, logging, etc.

If you deploy a server instance in EC2 it still needs to be assessed by your QSA (PCI auditor)

• Organization's assessment scope isn't necessarily reduced

Tokenization can reduce your handling of PAN data

Source: Securosis, http://securosis.com/

Page 32: Securing data today and in the future - Oracle NYC

Guidance from Cloud Security Alliance

Page 33: Securing data today and in the future - Oracle NYC

Security Check Point

User

“Pass Security Before Entering The Cloud”

Protected sensitive information

Unprotected sensitive information:

123456 999999 1234

123456 123456 1234

123456 123456 1234

Secured data

Cloud

Sensitive data

Page 34: Securing data today and in the future - Oracle NYC

Data Tokens in a Cloud Environment – Integration Example

[Diagram. Components: Cloud Environment; Application Databases; Tokenization Gateway; Data Token. Legend: Protected sensitive information; Unprotected sensitive information. Sample values shown: 990-23-1013 4000 0012 3456 7899; 123-45 -1013 40 12 3456 7890 7899 (shown twice).]

Page 35: Securing data today and in the future - Oracle NYC

Data Tokens in a Cloud Environment – Integration Example

[Diagram. Components: Cloud Environment; Application Databases; Tokenization Gateway (shown twice); Data Token; Security Admin; User. Legend: Protected sensitive information; Unprotected sensitive information.]

Page 36: Securing data today and in the future - Oracle NYC

Data Tokenization at the Gateway Layer

[Diagram. Components: Cloud Environment; Tokenization Gateway; Data Token; User (shown twice); Application (shown twice); Database (shown twice). Legend: Protected sensitive information; Unprotected sensitive information.]

Page 37: Securing data today and in the future - Oracle NYC

Data Tokenization at the Gateway Layer

[Diagram. Components: Cloud Environment; Tokenization Gateway; Data Token; User (shown twice); Application (shown twice); Database (shown twice). Legend: Protected sensitive information; Unprotected sensitive information.]

Page 38: Securing data today and in the future - Oracle NYC

Data Tokenization at the Application Layer

[Diagram. Components: Cloud; User; Application; Token Server; Database; Security Admin; Data Token. Legend: Protected sensitive information; Unprotected sensitive information.]

Page 39: Securing data today and in the future - Oracle NYC

Data Tokenization at the Database Layer

[Diagram. Components: Cloud; User; Application; Token Server; Database; Security Admin; Data Token. Legend: Protected sensitive information; Unprotected sensitive information.]

Page 41: Securing data today and in the future - Oracle NYC

Positioning of Enabling Technologies

Page 42: Securing data today and in the future - Oracle NYC

Risk Management and PCI – Security Aspects

[Matrix rated Best to Worst. Data Security Method: Hashing; Formatted Encryption; Strong Encryption; Data Tokenization. System Layer: Application; Database Column; Database File; Storage Device. Captions: Different data security methods and algorithms; Policy enforcement implemented at different system layers.]

Page 43: Securing data today and in the future - Oracle NYC

Risk Management and PCI – Security Aspects

[Matrix rated Best to Worst, with N/A. Data Security Method: Hashing; Formatted Encryption; Strong Encryption; Data Tokenization. System Layer: Application; Database Column; Database File; Storage Device. Captions: Integration at different system layers; Different data security methods and algorithms.]

Page 44: Securing data today and in the future - Oracle NYC

Evaluating Field Encryption & Tokenization

[Matrix rated Best to Worst. Options: Strong Field Encryption; Formatted Encryption; Tokenization (distributed). Evaluation Criteria: Disconnected environments; Distributed environments; Performance impact when loading data; Transparent to applications; Expanded storage size; Transparent to databases schema; Long life-cycle data; Unix or Windows mixed with “big iron” (EBCDIC); Easy re-keying of data in a data flow; High risk data; Security - compliance to PCI, NIST.]

Page 45: Securing data today and in the future - Oracle NYC

Vendors/Products Providing Database Protection

Feature 3rd Party Oracle 9 Oracle 10 Oracle 11 IBM DB2 MS SQL

Database file encryption

Database column encryption

Column encryption adds 32-52 bytes (10.2.0.4, 11.1.0.7)

Formatted encryption

Data tokenization

Database activity monitoring

Multi vendor encryption

Data masking

Central key management

HSM support (11.1.0.7)

Re-key support (tablespace)

Best Worst

Page 46: Securing data today and in the future - Oracle NYC

Column Encryption Solutions – Some Considerations

Area of Evaluation 3rd Party

Oracle 10 TDE

Oracle 11 TDE

Performance, manage UDT or views/triggers

Support for both encryption and replication

Support for Oracle Domain Index for fast search

Keys are local; re-encryption if moving A -> B

Separation of duties/key control vector

Encryption format specified

Data type support

Index support beyond equality comparison

HSM (hardware crypto) support (11.1.0.6 )

HSM password not stored in file

Automated and secure master key backup procedure

Keys exportable

Best Worst

Page 47: Securing data today and in the future - Oracle NYC

Choose Your Defenses – Cost Effective PCI DSS

[Bar chart, axis in %. Categories: ID & credentialing system; Database scanning and monitoring (DAM); Intrusion detection or prevention systems; Data loss prevention systems (DLP); Endpoint encryption solution; Web application firewalls (WAF); Correlation or event management systems; Identity & access management systems; Access governance systems; Encryption for data in motion; Anti-virus & anti-malware solution; Encryption/Tokenization for data at rest; Firewalls. Highlighted: WAF; DLP; DAM; Encryption/Tokenization.]

Source: 2009 PCI DSS Compliance Survey, Ponemon Institute

Page 48: Securing data today and in the future - Oracle NYC

Matching Data Protection Solutions with Risk Level

Data Field | Risk Level
Credit Card Number | 25
Social Security Number | 20
CVV | 20
Customer Name | 12
Secret Formula | 10
Employee Name | 9
Employee Health Record | 6
Zip Code | 3

Risk Level | Solution
Low Risk (1-5) | Monitor
At Risk (6-15) | Monitor, mask, access control limits, format control encryption
High Risk (16-25) | Replacement, strong encryption

Deploy Defenses

Page 49: Securing data today and in the future - Oracle NYC

Choose Your Defenses – Total Cost of Ownership

[Graph. Axis labels: Risk Level; Cost. Scale: Weak Protection to Strong Protection. Curves: Expected Losses from the Risk; Cost of Aversion – Protection of Data; Total Cost. Marked point: Optimal Risk.]

Page 50: Securing data today and in the future - Oracle NYC

Best Practices - Data Security Management

[Diagram. Components: Enterprise Data Security Administrator; Policy; Audit Log; Secure Archive; Database Protector; File System Protector; Application Protector; Tokenization Server. Legend: Encryption service.]

Page 51: Securing data today and in the future - Oracle NYC

About Protegrity

Proven enterprise data security software and innovation leader

• Sole focus on the protection of data

• Patented Technology, Continuing to Drive Innovation

Growth driven by compliance and risk management

• PCI (Payment Card Industry)

• PII (Personally Identifiable Information)

• PHI (Protected Health Information) – HIPAA

• State and Foreign Privacy Laws, Breach Notification Laws

• High Cost of Information Breach ($4.8m average cost), immeasurable costs of brand damage, loss of customers

• Requirements to eliminate the threat of data breach and non-compliance

Cross-industry applicability

• Retail, Hospitality, Travel and Transportation

• Financial Services, Insurance, Banking

• Healthcare

• Telecommunications, Media and Entertainment

• Manufacturing and Government

Page 52: Securing data today and in the future - Oracle NYC

Please contact me for more information

Ulf Mattsson, CTO Protegrity

Ulf . Mattsson [at] protegrity . com