ISACA e-Symposium (Jul 6): Understanding Your Data Flow
2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
Ulf Mattsson, CTO Protegrity
Understanding Your Data Flow: Using Tokenization to Secure Data
Welcome
• Type in questions using the Ask A Question button
• All audio is streamed over your computer
  – Having technical issues? Click the ? button
• Click the Attachments button to find a printable copy of this presentation.
• After viewing the webinar, ISACA Members may earn 1 CPE credit.
  – Find a link to the CPE Quiz on the Attachments button.
  – Once you pass the quiz, you will receive a printable CPE Certificate.
• Question or suggestion? Email them to [email protected]
Ulf Mattsson, CTO Protegrity
• 20 years with IBM Research & Development and Global Services
• Started Protegrity in 1994 (Data Security)
• Inventor of 25 patents – Encryption and Tokenization
• Member of
  – PCI Security Standards Council (PCI SSC)
  – American National Standards Institute (ANSI) X9
  – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
  – ISACA, ISSA and Cloud Security Alliance (CSA)
Agenda
• Trends in Data Breaches & Data Protection
• Encryption Versus Tokenization
• Cloud Environments
• PCI DSS Trends
• Case Studies
• Risk Management
DATA IS UNDER ATTACK
A Growing Threat
• Attacks by Anonymous include CIA, Interpol, Sony, Stratfor and HBGary Federal
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
“Hacktivism” is Dominating
[Bar chart, by percent of records, threat agents: Unknown; Unaffiliated person(s); Former employee (no longer had access); Relative or acquaintance of employee; Organized criminal group; Activist group. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
What Data is Compromised?
[Bar chart, by percent of records, data types: Payment card numbers/data; Authentication credentials (usernames, pwds, etc.); Sensitive organizational data (reports, plans, etc.); Bank account numbers/data; System information (config, svcs, sw, etc.); Copyrighted/Trademarked material; Trade secrets; Classified information; Medical records; Unknown (specific type is not known); Personal information (Name, SS#, Addr, etc.). Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
LinkedIn: Class Action Suit
A class action suit against LinkedIn claims that violation of its own privacy policies and user agreements allowed hackers to steal 6.46 million passwords.
By John Fontana | June 19, 2012
Other Major Data Breaches
[Chart: impact ($) over time, April 2011 to August 2011, by attack type. Source: IBM 2012 Security Breaches Trend and Risk Report]
The Sony Breach
• Lost 100 million passwords and personal details stored in clear
• Spent $171 million related to the data breach
• Sony's stock price has fallen 40 percent
• For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
• Attack via SQL Injection
What is SQL Injection?
[Diagram: Application → SQL Command Injected → Data Store]
SQL Injection Increasing
[Chart: SQL injection counts per quarter, Q1 2011 to Q3 2011, y-axis from 5,000 to 25,000. Source: IBM 2012 Security Breaches Trend and Risk Report]
New Industries are Targets
[Bar chart, by percent of breaches, industries: Information; Other; Health Care and Social Assistance; Finance and Insurance; Retail Trade; Accommodation and Food Services. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
The Changing Threat Landscape
• Some issues have stayed constant:
  – Threat landscape continues to gain sophistication
  – Attackers will always be a step ahead of the defenders
• We are fighting highly organized, well-funded crime syndicates and nations
• Move from detective to preventative controls needed
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
How are Breaches Discovered?
[Bar chart, by percent of breaches, discovery methods: Unusual system behavior or performance; Log analysis and/or review process; Financial audit and reconciliation process; Internal fraud detection mechanism; Other(s); Witnessed and/or reported by employee; Unknown; Brag or blackmail by perpetrator; Reported by customer/partner affected; Third-party fraud detection (e.g., CPP); Notified by law enforcement. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
Assets Compromised
[Bar chart, by percent of records, assets grouped as user devices, people, offline data and servers: POS server (store controller); POS terminal; Automated Teller Machine (ATM); Regular employee/end-user; Payment card (credit, debit, etc.); Cashier/Teller/Waiter; Pay at the Pump terminal; File server; Laptop/Netbook; Remote Access server; Call Center Staff; Mail server; Desktop/Workstation; Web/application server; Database server. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
Threat Action Categories: Hacking and Malware
[Bar chart, by percent of records, categories: Environmental; Error; Misuse; Physical; Social; Malware; Hacking. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/]
PCI DSS COMPLIANCE
Was PCI Data Protected?
Relevant Organizations in Compliance with PCI DSS (Verizon study, based on post-breach reviews).
[Bar chart, percent of organizations in compliance per requirement, 0 to 100%, in the order shown on the slide:]
• 3: Protect Stored Data
• 7: Restrict access to data by business need-to-know
• 11: Regularly test security systems and processes
• 10: Track and monitor all access to network resources and data
• 6: Develop and maintain secure systems and applications
• 8: Assign a unique ID to each person with computer access
• 1: Install and maintain a firewall configuration to protect data
• 12: Maintain a policy that addresses information security
• 2: Do not use vendor-supplied defaults for security parameters
• 4: Encrypt transmission of cardholder data
• 5: Use and regularly update anti-virus software
• 9: Restrict physical access to cardholder data
Amazon’s PCI Compliance
• PCI-DSS 2.0 doesn't address multi-tenancy concerns
• You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
• Amazon doesn't do this for you -- it's something you need to implement yourself, including key management, rotation, logging, etc.
• If you deploy a server instance in EC2 it still needs to be assessed by your QSA
• Your organization's assessment scope isn't necessarily reduced
  – It might be when you move to something like a tokenization service where you reduce your handling of PAN data
Source: securosis.com
WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
Use of Enabling Technologies: Evaluating vs. Current Use
(technology: evaluating / currently in use)
• Access controls: 1% / 91%
• Database activity monitoring: 18% / 47%
• Database encryption: 30% / 35%
• Backup / Archive encryption: 21% / 39%
• Data masking: 28% / 28%
• Application-level encryption: 7% / 29%
• Tokenization: 22% / 23%
Tokenization vs. Encryption
• Encryption uses a cipher system: cryptographic algorithms and cryptographic keys.
• Tokenization uses a code system: code books and index tokens.
Source: McGraw-Hill Encyclopedia of Science & Technology
How can we Secure The Data Flow?
[Diagram of the card data flow: Retail Store, Bank, Payment Network, Corporate Systems]
What Has The Industry Done?
[Timeline, 1970 to 2010, with Total Cost of Ownership falling from High to Low; input value in every case: 3872 3789 1620 3675]
• Strong Encryption (AES, 3DES): output !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE): output 8278 2789 2990 2789 (format preserving)
• Vault-based Tokenization: output 8278 2789 2990 2789 (greatly reduced key management)
• Vaultless Tokenization: output 8278 2789 2990 2789 (no vault)
WHAT IS THE DIFFERENCE BETWEEN VAULT-BASED AND VAULTLESS TOKENIZATION?
We Started with Vault-Based Tokenization …
Issues with Vault-based Tokenization
• Footprint is large and expanding
• Reliability issues – prone to collisions
• Distribution is practically impossible
• High Availability and Disaster Recovery are complex; expensive replication required
• Adversely impacts latency, performance & scalability
Evolution: Vault-based Tokenization Server → Vault-less Tokenization Server
Goal: Miniaturization of the Tokenization Server
Tokenization Differentiators (vault-based vs. vaultless)
• Footprint: large, expanding vs. small, static.
• High Availability, Disaster Recovery: complex, expensive replication required vs. no replication required.
• Distribution: practically impossible to distribute geographically vs. easy to deploy at different geographically distributed locations.
• Reliability: prone to collisions vs. no collisions.
• Performance, Latency, and Scalability: will adversely impact performance & scalability vs. little or no latency; fastest industry tokenization.
• Extendibility: practically impossible vs. unlimited tokenization capability.
External Validation of Vaultless Tokenization
“The Vaultless tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.“
Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium *
* The Katholieke University Leuven in Belgium is where Advanced Encryption Standard (AES) was invented.
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, president of the International Association for Cryptologic Research.
SPEED & SECURITY
Speed of Different Protection Methods
[Chart: transactions per second* on a log scale from 100 to 10,000,000 for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]
*: Speed will depend on the configuration
Security of Different Protection Methods
[Chart: security level from Low to High for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]
CASE STUDIES: VAULTLESS TOKENIZATION
Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
– 50 million Credit Cards, 700 million daily transactions
– Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
– End-to-End Tokens: Started with the D/W and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Qualified Security Assessors had no issues
  • “With encryption, implementations can spawn dozens of questions”
  • “There were no such challenges with tokenization”
Case Studies: Retail
Customer 1: Why? Three major concerns solved
– Performance Challenge; Initial tokenization
– Vendor Lock-In: What if we want to switch payment processor
– Extensive Enterprise End-to-End Credit Card Data Protection
Customer 2: Why? Desired single vendor to provide data protection
– Combined use of tokenization and encryption
– Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the mainframe
– Tokens on the mainframe to avoid compensating controls
PCI DSS & OUT-OF-SCOPE
Tokenization and Encryption are Different
Tokenization and “PCI Out Of Scope”
[Decision tree with three yes/no questions: De-tokenization available?; Random number tokens? (No: FPE); Isolated from Card Holder Data Environment?; outcomes: Out of Scope, Scope Reduction, No Scope Reduction. Source: http://www.securosis.com]
BEYOND PCI
How Should I Secure Different Data?
[Figure: type of data (structured to un-structured) against use case (simple to complex); data labels: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information); solutions: Field Tokenization, File Encryption]
Flexibility in Token Format Controls
(type of data: input → token; comment)
• Credit Card: 3872 3789 1620 3675 → 8278 2789 2990 2789; Numeric
• Credit Card: 3872 3789 1620 3675 → 8278 2789 2990 3675; Numeric, last 4 digits exposed
• Credit Card: 3872 3789 1620 3675 → 3872 qN4e 5yPx 3675; Alpha-Numeric, digits exposed
• Medical ID: 29M2009ID → 497HF390D; Alpha-Numeric
• Date: 10/30/1955 → 12/25/2034; Date, multiple date formats
• E-mail Address: [email protected] → [email protected]; Alpha Numeric
• SSN: 075672278 or 075-67-2278 → 287382567 or 287-38-2567; Numeric, delimiters in input
• Invalid Luhn: 5105 1051 0510 5100 → 8278 2789 2990 2782; Luhn check will fail
• Binary: 0x010203 → 0x123296910112
• Alphanumeric Indicator: 5105 1051 0510 5100 → 8278 2789 299A 2781; position to place alpha is configurable
• Decimal: 123.45 → 9842.56; non length preserving
• Multi-Merchant: 3872 3789 1620 3675 → Merchant 1: 8278 2789 2990 2789, Merchant 2: 9302 8999 2662 6345; deliver a different token to different merchants based on the same credit card number
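As an added illustration of the format controls listed above (this is example code written for this transcript, not the presenter's or Protegrity's engine), the Python below derives deterministic, format-preserving tokens from a keyed hash: delimiters copy through, trailing digits can stay exposed, a configurable position can become a letter, tokens always fail the Luhn check, and a merchant label yields a different token for the same card number. The secret, the merchant labels and the parameter names are assumptions.

```python
import hashlib
import hmac
import string

# Constructed, assumed secret for this illustration; a real deployment keeps
# the tokenization secret inside the tokenization server, never in code.
SECRET = b"placeholder-demo-secret"


def luhn_valid(number: str) -> bool:
    """Luhn check over the digits of `number`; delimiters and letters are ignored."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize(value: str, expose_last: int = 0, alpha_positions=(), merchant: str = "") -> str:
    """Format-preserving token for `value`: delimiters (spaces, dashes) copy
    through, the last `expose_last` digits stay in clear, the digit positions
    in `alpha_positions` (0-based, counted over digits) become letters, and the
    result is forced to fail the Luhn check so it can never pass as a card
    number. A different `merchant` label derives a different token."""
    digit_idx = [i for i, c in enumerate(value) if c.isdigit()]
    stream = hmac.new(SECRET, f"{merchant}|{value}".encode(), hashlib.sha256).digest()
    out = list(value)
    replaceable = len(digit_idx) - expose_last
    for n in range(replaceable):
        b = stream[n % len(stream)] ^ (n // len(stream))  # one keyed byte per digit
        if n in alpha_positions:
            out[digit_idx[n]] = string.ascii_uppercase[b % 26]
        else:
            out[digit_idx[n]] = str(b % 10)
    if luhn_valid("".join(out)):
        # Bump the last non-exposed numeric position so the token fails Luhn.
        for n in range(replaceable - 1, -1, -1):
            if n not in alpha_positions:
                pos = digit_idx[n]
                out[pos] = str((int(out[pos]) + 1) % 10)
                break
    return "".join(out)
```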
RISK MANAGEMENT
Choose Your Defenses
[Chart: cost against protection option, from Monitoring to Data Lockdown; curves for Expected Losses from the Risk, Cost of Aversion (Protection of Data) and Total Cost; the Optimal Risk point is marked on the Total Cost curve]
Matching Data Protection with Risk Level
Risk Level → Solution
• Low Risk (1-5): Monitoring
• Medium Risk (6-15): Monitoring, masking, format controlling encryption
• High Risk (16-25): Tokenization, strong encryption
Data Field → Risk Level
• Credit Card Number: 25
• Social Security Number: 20
• Email Address: 20
• Customer Name: 12
• Secret Formula: 10
• Employee Name: 9
• Employee Health Record: 6
• Zip Code: 3
Summary
• Optimal support of complex enterprise requirements
  – Heterogeneous platform supports all operating systems and databases
  – Flexible protectors (Database, Application, File)
  – Risk Adjusted Data Protection offers the options for protecting data with the appropriate strength.
  – Built-in Key Management
  – Consistent Enterprise policy enforcement and audit logging
• Innovative
  – Pushing data protection with industry leading
• Proven
  – Proven platform currently protects the world's largest companies
• Experienced
  – Experienced staff will be there with support along the way to complete data protection
Questions?
Thank you!
Ulf Mattsson, Protegrity CTO, ulf.mattsson AT protegrity.com