Practical advice for cloud data protection ulf mattsson - jun 2014
Member of PCI Security Standards Council:
• Tokenization Task Force
• Encryption Task Force
• Point to Point Encryption Task Force
• Risk Assessment SIG
• eCommerce SIG
• Cloud SIG
• Virtualization SIG
• Pre-Authorization SIG
• Scoping SIG
Ulf Mattsson, Protegrity CTO
Issues with Cloud Computing
Who do You Trust?
What is Cloud Computing?
What Is Cloud Computing? Service Models
Infrastructure as a Service (IaaS) delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking.
Software as a Service (SaaS), sometimes referred to as "on-demand software," is a software delivery model in which software and its associated data are hosted centrally (typically in the Internet cloud).
Platform as a Service (PaaS) is the delivery of a computing platform and solution stack as a service.
Cloud Services
Software as a Service (SaaS), sometimes referred to as on-demand software
Platform as a Service (PaaS), the delivery of a computing platform and solution stack
Infrastructure as a Service (IaaS), delivering computer infrastructure along with raw storage and networking
Service Orchestration
PCI and Cloud Security
Control shared across different service models
External Validation of Tokenization
"The xxx tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions."
Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium (where the Advanced Encryption Standard (AES) was invented)
"Token is not mathematically derived from its input." and "None of the attacks that we have identified have a factor of work that is less than that of a brute-force attack."
C. Matthew Curtin, CISSP, Founder, Interhack Corporation; Ohio State University (who broke the U.S. Government's Data Encryption Standard (DES))
Cloud Security Model
Cloud Security Issues
Threat Vector Inheritance - SaaS
ADDITIONAL THREAT INDUCERS: multi-tenancy at an application level.
EXAMPLES OF THREATS: a different tenant using the same SaaS infrastructure gains access to another tenant's data through web layer vulnerabilities (a privilege escalation).
TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT.
ADDITIONAL TESTING CATEGORIES: multi-tenancy testing (an extension of privilege escalation).
Threat Vector Inheritance - PaaS
ADDITIONAL THREAT INDUCERS: multi-tenancy at a platform level.
EXAMPLES OF THREATS: a different tenant using the same infrastructure gains access to another tenant's data through web layer vulnerabilities (a privilege escalation).
TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT.
ADDITIONAL TESTING CATEGORIES: multi-tenancy testing (an extension of privilege escalation).
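The SaaS and PaaS slides above both name the same web-layer failure: a record lookup that trusts the record identifier but never checks which tenant owns it. The following Python example is added here to make that concrete and is not from the deck or from any product it mentions; the `invoices` table, the tenant names and the two lookup functions are constructed for the illustration. It shows the unscoped lookup next to the tenant-scoped one, and a small check of the kind a multi-tenancy test would run: a tenant-a session asking for a tenant-b record must get nothing back.

```python
import sqlite3

# Constructed example: a multi-tenant SaaS record lookup in its tenant-unscoped
# form and in the tenant-scoped form that multi-tenancy testing should expect.


def setup_db():
    """Build an in-memory table with one invoice per tenant (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "tenant-a", 120.0), (2, "tenant-b", 999.0)],
    )
    return conn


def get_invoice_unscoped(conn, session_tenant, invoice_id):
    """Looks up by id only; the session tenant is ignored, so any
    authenticated tenant can read any other tenant's invoice."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_scoped(conn, session_tenant, invoice_id):
    """Same lookup with the tenant taken from the server-side session (never
    from the request) and applied as a filter in the query itself."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices "
        "WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant),
    ).fetchone()


def multi_tenancy_check(lookup):
    """Multi-tenancy test: a tenant-a session requesting invoice 2 (owned by
    tenant-b) must receive no row. Returns True when the lookup isolates."""
    conn = setup_db()
    return lookup(conn, "tenant-a", 2) is None


if __name__ == "__main__":
    print("unscoped isolates tenants:", multi_tenancy_check(get_invoice_unscoped))
    print("scoped isolates tenants:", multi_tenancy_check(get_invoice_scoped))
```

The scoped version puts the ownership condition in the query rather than in a check after the fetch, so a forgotten check in one handler cannot reintroduce the exposure; a multi-tenancy test suite would run `multi_tenancy_check` against every data-access path that takes an identifier from a request.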
Threat Vector Inheritance - IaaS
ADDITIONAL THREAT INDUCERS: multi-tenancy at an infrastructure level.
EXAMPLES OF THREATS: deficiencies in virtualization security (improper implementation of VM zoning and segregation leading to inter-VM attacks across multiple IaaS tenants).
TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT: traditional infrastructure vulnerability assessment.
ADDITIONAL TESTING CATEGORIES: inter-VM security / vulnerability testing.
Encryption
Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud.
Once data arrives in the cloud, it should remain protected both at rest and in use.
Do not forget to protect files that are often overlooked but frequently include sensitive information: log files and metadata can be avenues for data leakage.
Encrypt using sufficiently durable encryption strengths (such as AES-256).
Use open, validated formats and avoid proprietary encryption formats wherever possible.
Alternative Approaches to Encryption
Tokenization: a public cloud service can be integrated/paired with a private cloud that stores the sensitive data. The data sent to the public cloud is altered and contains only a reference to the data residing in the private cloud.
Data anonymization: (for example) Personally Identifiable Information (PII) and other sensitive data are stripped before processing.
Utilizing access controls built into the database.
Access Management
VIRTUALIZATION
Virtual machine guest hardening
Hypervisor security
Inter-VM attacks and blind spots
Performance concerns
Operational complexity from VM sprawl
Instant-on gaps
Virtual machine encryption
Data commingling
Virtual machine data destruction
Virtual machine image tampering
In-motion virtual machines
VIRTUALIZATION: Hypervisor Architecture Concerns
Cloud Security Solutions
Encryption in Cloud Computing
Gartner - Cloud & Gateways
It's 11 p.m. Do you know where your data is?
Secure Web Gateways
Cloud Encryption Gateways
Cloud Security Gateways
Secure Email Gateways
Cloud Access Security Brokers (CASBs)
Cloud Services Brokerage (CSB)
Cloud Gateway Benefits
Eliminates the threat of third parties exposing your sensitive information
Delivers a secure and uncompromised SaaS user experience
Ensures data integrity and availability
Eases cloud adoption process and acceptance
Eliminates data residency concerns and requirements
Product is transparent and has close to 0% overhead impact
Identifies malicious activity and proves compliance to third parties with detailed audit trails
Simplifies compliance requirements
Ability to outsource a portion of your IT security requirements
Inline Gateway Deployment
[Diagram: Client, http(s), Gateway Server; Enterprise Security Administrator, Security Officer; Corporate Network; CDE]
Inline Gateway Deployment – Use Case #1
[Diagram: Client, http(s), Gateway Server; Enterprise Security Administrator, Security Officer; Corporate Network; CDE]
Inline Gateway Deployment – Use Case #2
[Diagram: Backend System, http(s), Gateway, External Service; Enterprise Security Administrator, Security Officer]
TURNING THE TIDE
Evolution of Data Security Methods
What new technologies and techniques can be used to prevent future attacks?
Coarse Grained Security:
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security:
• Access Controls
• Field Encryption
• Masking
• Tokenization
• Vaultless Tokenization
Evolution of Protection Techniques
[Chart: total cost of ownership, from high to low, for each protection technique, with a sample output for the card number 3872 3789 1620 3675]
Strong Encryption (e.g. AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@
Format/Type Preserving Encryption (e.g. DTP, FPE): 8278 2789 2990 2789
Vault-based Tokenization: 8278 2789 2990 2789
Vault-less Tokenization: 8278 2789 2990 2789
Data stored in the clear: 3872 3789 1620 3675
Properties noted on the chart: format preserving; greatly reduced key management; no vault; data length expands and type changes.
The New Fine Grained Data Security
[Chart: access privilege level (low to high) against risk (low to high)]
Old: minimal access levels, least privilege to avoid high risks.
New: much greater flexibility and lower risk in data accessibility.
Increased Creativity
Fine grained (field-level) sensitive data security allows for a wider and deeper range of authority options.
Format Flexibility - PII
Description | Input | Token
SSN, numeric | 075672278 | 287382567
SSN, delimiters in input | 075-67-2278 | 287-38-2567
SSN, last 4 digits exposed | 075-67-2278 | 591-20-2278
Date, multiple date formats | 10/30/1955 | 12/25/2034
Year part exposed | 10/30/1955 | 04/02/1955
Month part exposed | 10/30/1955 | 10/17/3417
Range as a differentiator | 10/30/1955 | 09/26/4741
Datetime | 10/30/1955 07:32:59.243 | 12/25/2034 12:05:47.243
Email domain exposed | [email protected] | [email protected]
Name | Yuri Gagarin | A4kq nhHOwtG
Telephone | (203)550-9985 | (203)371-2076
Format Flexibility - Credit Card
Description | Input | Token
Numeric | 3872 3789 1620 3675 | 8278 2789 2990 2789
Numeric, last 4 digits exposed (12x4) | 3872 3789 1620 3675 | 1507 4402 1958 3675
Numeric, first 6 and last 4 digits exposed (6x6x4) | 3872 3789 1620 3675 | 3872 3789 2990 3675
Alpha-numeric, digits exposed (4x8x4) | 3872 3789 1620 3675 | 3872 qN4e 5yPx 3675
Luhn check will fail | 3872 3789 1620 3675 | 7508 1538 4200 9532
Alphabetic indication at a configurable position | 3872 3789 1620 3675 | 9530 4800 323A 6871
Invalid card type | 3872 3789 1620 3675 | 2991 1350 6123 4837
Different token for the same credit card number based on merchant, client or source identifier | 3872 3789 1620 3675 | ID1: 8278 2789 2990 2789; ID2: 9302 8999 2662 6345
Including non-conflicting combinations of the above
Format Flexibility - Other
Description | Input | Token
Free text, length not preserved, up to 2k | the dog jumped over the lazy fox | Eem JqM A4ksIX nhuH OUG zEQT RxV
Decimal | 123.45 | 9842.56
Binary, up to 2k | 0x010203 | 0x123296910112
All printable characters | ~`’;/!Üñ╗▓╟╚τ | }╗æƺe2!⥿*&½
Lower ASCII | abcdefghijklmnopqrstuvwxyz | F7}yGN6/5&kc!h1?eUt^EcriT-
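To show what the three format-flexibility tables above mean in running code, here is an added Python example; it is not Protegrity's code (the deck describes its vaultless scheme only at a high level, and this toy uses a plain in-memory vault instead). It reproduces the behaviours the tables list: delimiters such as "-", " " and "/" stay in place, a configurable number of leading and trailing positions can be exposed (12x4, 6x6x4), a token can be forced to fail the Luhn check so it cannot be mistaken for a real card number, and the same card number gets a different token per source identifier. The class name `VaultTokenizer`, the `source_id`, `expose_first`, `expose_last` and `fail_luhn` parameters, and the sample values are all constructed for this illustration.

```python
import random
import string

# Toy vault-based, format-preserving tokenizer (constructed for illustration;
# not a product implementation and not a production design).


def luhn_valid(number: str) -> bool:
    """Luhn check over the digits of `number`; real card numbers pass it."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class VaultTokenizer:
    """Maps a value to a random token of the same format and keeps the pair in
    an in-memory vault. One vault per source identifier gives the same input a
    different token per merchant, client or source."""

    def __init__(self, seed=None):
        # A seeded PRNG keeps the demo reproducible; a real deployment would
        # draw from the `secrets` module and persist the vault durably.
        self._rng = random.Random(seed)
        self._forward = {}   # source_id -> {(value, options): token}
        self._backward = {}  # source_id -> {token: value}

    def _random_token(self, value, expose_first, expose_last):
        # Letters and digits are the "significant" positions; delimiters such
        # as '-', ' ' and '/' are copied through unchanged.
        sig = [i for i, c in enumerate(value) if c.isalnum()]
        keep = set(sig[:expose_first] + (sig[-expose_last:] if expose_last else []))
        if all(i in keep for i in sig):
            raise ValueError("every significant position is exposed; nothing to tokenize")
        out = list(value)
        for i in sig:
            if i in keep:
                continue
            c = value[i]
            if c.isdigit():
                out[i] = self._rng.choice(string.digits)
            elif c.isupper():
                out[i] = self._rng.choice(string.ascii_uppercase)
            else:
                out[i] = self._rng.choice(string.ascii_lowercase)
        return "".join(out)

    def tokenize(self, value, expose_first=0, expose_last=0,
                 source_id="default", fail_luhn=False):
        """Return the token for `value`; the same input always yields the same
        token within one source_id."""
        if fail_luhn and not any(c.isdigit() for c in value):
            raise ValueError("fail_luhn only applies to numeric values")
        forward = self._forward.setdefault(source_id, {})
        backward = self._backward.setdefault(source_id, {})
        key = (value, expose_first, expose_last, fail_luhn)
        if key in forward:
            return forward[key]
        while True:
            token = self._random_token(value, expose_first, expose_last)
            if token == value or token in backward:
                continue            # no collisions inside one vault
            if fail_luhn and luhn_valid(token):
                continue            # token must not look like a real PAN
            break
        forward[key] = token
        backward[token] = value
        return token

    def detokenize(self, token, source_id="default"):
        """Reverse lookup; only callers allowed to see clear data reach this."""
        return self._backward[source_id][token]


def demo():
    """Exercise the cases from the tables with constructed sample values."""
    tk = VaultTokenizer(seed=2014)
    pan = "3872 3789 1620 3675"
    ssn = "075-67-2278"
    return {
        "ssn_last4": tk.tokenize(ssn, expose_last=4),
        "pan_6x6x4": tk.tokenize(pan, expose_first=6, expose_last=4),
        "pan_no_luhn": tk.tokenize(pan, fail_luhn=True),
        "pan_id1": tk.tokenize(pan, source_id="ID1"),
        "pan_id2": tk.tokenize(pan, source_id="ID2"),
        "name": tk.tokenize("Yuri Gagarin"),
    }


if __name__ == "__main__":
    for case, token in demo().items():
        print(f"{case:12s} {token}")
```

The Luhn-failing option is the defensive point in the credit card table: a token that fails the check can be told apart from a real PAN by the same check a payment system already runs, so a leaked token cannot be replayed as a card number. Per-source vaults mean a token harvested from one merchant's systems is meaningless at another, which is what the "ID1 / ID2" row shows.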
Protegrity Tokenization Differentiators
Property | Protegrity Tokenization | Traditional Tokenization
Footprint | Small, static | Large, expanding
High Availability, Disaster Recovery | No replication required | Complex, expensive replication required
Distribution | Easy to deploy at different geographically distributed locations | Practically impossible to distribute geographically
Reliability | No collisions | Prone to collisions
Performance, Latency, and Scalability | Little or no latency; fastest industry tokenization | Will adversely impact performance & scalability
Extendibility | Unlimited tokenization capability | Practically impossible
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Encryption: cipher system; uses cryptographic algorithms and cryptographic keys.
Tokenization: code system; uses code books and index tokens.
Different Tokenization Approaches
[Table: properties compared across dynamic, pre-generated and vaultless tokenization (vault-based versus vaultless); cell contents not recoverable]
Security of Fine Grained Protection Methods
[Chart: security level (high to low) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization]
Speed of Fine Grained Protection Methods
[Chart: transactions per second* on a logarithmic scale from 100 to 10 000 000 for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]
*: Speed will depend on the configuration
Tokenization Research
Tokenization Gets Traction: Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption.
Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.
Tokenization users had 50% fewer security-related incidents than tokenization non-users.
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
How Should I Secure Different Data?
[Chart: type of data (structured / unstructured) against use case (simple / complex), placing PCI cardholder data, PHI (Protected Health Information) and PII (Personally Identifiable Information) between tokenization of fields and encryption of files]
Use Case: Protect PII Data Cross Border
CHALLENGES The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
Centralized Policy Management
[Diagram: the Enterprise Security Administrator distributes policy to, and collects audit logs from, protectors on applications, file servers, RDBMS, big data and MPP systems, gateway servers, protection servers, HP NonStop Base24 and the IBM Mainframe Protector; the Security Officer reviews the audit logs]
What: the sensitive data that needs to be protected. Data element.
How: how you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
Who: who should have access to sensitive data and who should not. Security access control. Roles & members.
When: when sensitive data access should be granted to those who have access. Day of week, time of day.
Where: where the sensitive data is stored. This is where the policy is enforced, at the protector.
Audit: audit authorized or unauthorized access to sensitive data. Optional audit of protect/unprotect.
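The six policy dimensions above (what, how, who, when, where, audit) are easier to reason about as one decision procedure. The Python below is an added example and not Protegrity's policy format or engine; the `DataElementPolicy` and `PolicyEngine` names, the `credit_card_number` policy, the `fraud_analyst` role and the timestamps are constructed for the illustration. It evaluates an unprotect request against role, weekday and hour, names the first failing dimension so the audit trail records why access was refused, and returns a masked value instead of the clear one when the request is denied.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example of the What/How/Who/When/Where/Audit policy dimensions;
# not a product's policy format or enforcement engine.


@dataclass(frozen=True)
class DataElementPolicy:
    element: str          # What: the sensitive data element
    method: str           # How: protection method applied to the element
    roles: frozenset      # Who: roles allowed to see the clear value
    weekdays: frozenset   # When: permitted days (0 = Monday .. 6 = Sunday)
    hours: range          # When: permitted hours of day (local time)
    protector: str        # Where: the enforcement point close to the data
    audit: bool = True    # Audit: record every protect/unprotect decision


class PolicyEngine:
    def __init__(self):
        self._policies = {}
        self.audit_log = []   # one record per decision, for the Security Officer

    def add(self, policy):
        self._policies[policy.element] = policy

    def decide(self, element, role, when):
        """Return (allowed, reason). `reason` names the first failing
        dimension so the audit trail shows why an unprotect was refused."""
        policy = self._policies[element]
        if role not in policy.roles:
            allowed, reason = False, "role"
        elif when.weekday() not in policy.weekdays:
            allowed, reason = False, "weekday"
        elif when.hour not in policy.hours:
            allowed, reason = False, "hour"
        else:
            allowed, reason = True, "ok"
        if policy.audit:
            self.audit_log.append({
                "time": when.isoformat(),
                "element": element,
                "role": role,
                "protector": policy.protector,
                "method": policy.method,
                "allowed": allowed,
                "reason": reason,
            })
        return allowed, reason

    def present(self, element, role, when, clear_value):
        """Return the clear value for authorized access; otherwise a masked
        form that exposes only the last four characters."""
        allowed, _ = self.decide(element, role, when)
        if allowed:
            return clear_value
        return "*" * (len(clear_value) - 4) + clear_value[-4:]


def build_demo_engine():
    """Policy: fraud analysts may unprotect card numbers on weekdays 08:00-17:59
    at the RDBMS protector; every decision is audited (constructed policy)."""
    engine = PolicyEngine()
    engine.add(DataElementPolicy(
        element="credit_card_number",
        method="tokenization",
        roles=frozenset({"fraud_analyst"}),
        weekdays=frozenset(range(0, 5)),
        hours=range(8, 18),
        protector="rdbms_protector",
    ))
    return engine


if __name__ == "__main__":
    engine = build_demo_engine()
    # 10 June 2014 was a Tuesday; 23:00 falls outside the permitted hours.
    print(engine.decide("credit_card_number", "fraud_analyst", datetime(2014, 6, 10, 10, 0)))
    print(engine.decide("credit_card_number", "fraud_analyst", datetime(2014, 6, 10, 23, 0)))
    for record in engine.audit_log:
        print(record)
```

Checking the dimensions in a fixed order gives a stable reason code per denial, which is what makes the audit log useful for detection: a burst of "hour" denials for one role at 11 p.m. is a different signal from a burst of "role" denials from an account that should never touch the element at all.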
Enterprise Data Security Platform
Enterprise Security Administrator (ESA):
• Central point of data security policy management
• Deployed as a soft appliance
• Hardened, high availability, backup & restore
Gateway & Protection Servers:
• Deployed as a soft appliance
• Hardened, high availability, backup & restore
Data Protectors:
• Enforce data security policy close to the data store
• Heterogeneous coverage: AIX, HP-UX, Linux, Solaris, Windows, z/OS; Teradata, Oracle, Netezza, Pivotal, DB2, UDB, SSQL; Hadoop (Cloudera, Hortonworks, Pivotal, BigInsights, MapR, etc.); Web Services, C/C++, Java, .NET, Cobol
Enterprise Platform Versatility
[Diagram: policy enforcement points on applications, file servers, RDBMS, big data and MPP systems, gateway servers, protection servers, HP NonStop Base24 and the IBM Mainframe Protector, all managed by the Enterprise Security Administrator]
Thank you!
Questions?
Please contact us for more information
www.protegrity.com
To Request A Copy of the Presentation
Email: [email protected]