2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

ISACA eSymposium, The 2012 ISACA Webinar Series: Understanding Your Data Flow - Using Tokenization to Secure Data

Page 1

Ulf Mattsson, CTO Protegrity

Understanding Your Data Flow: Using Tokenization to Secure Data

Page 2

Welcome

• Type in questions using the Ask A Question button
• All audio is streamed over your computer
  – Having technical issues? Click the ? button
• Click the Attachments button to find a printable copy of this presentation.
• After viewing the webinar, ISACA Members may earn 1 CPE credit.
  – Find a link to the CPE Quiz on the Attachments button.
  – Once you pass the quiz, you will receive a printable CPE Certificate.
• Question or suggestion? Email them to [email protected]

Page 3

Ulf Mattsson, CTO Protegrity

• 20 years with IBM Research & Development and Global Services
• Started Protegrity in 1994 (Data Security)
• Inventor of 25 patents – Encryption and Tokenization
• Member of
  – PCI Security Standards Council (PCI SSC)
  – American National Standards Institute (ANSI) X9
  – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
  – ISACA, ISSA and Cloud Security Alliance (CSA)

Page 4

Agenda

• Trends in Data Breaches & Data Protection
• Encryption Versus Tokenization
• Cloud Environments
• PCI DSS Trends
• Case Studies
• Risk Management

Page 5

DATA IS UNDER ATTACK

Page 6

A Growing Threat

Attacks by Anonymous include
• CIA, Interpol, Sony, Stratfor and HBGary Federal

Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

Page 7

“Hacktivism” is Dominating

Chart: threat agents by percent of records (Unknown; Unaffiliated person(s); Former employee (no longer had access); Relative or acquaintance of employee; Organized criminal group; Activist group), axis 0 to 70%.

By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

Page 8

What Data is Compromised?

Chart: data types by percent of records (Payment card numbers/data; Authentication credentials (usernames, pwds, etc.); Sensitive organizational data (reports, plans, etc.); Bank account numbers/data; System information (config, svcs, sw, etc.); Copyrighted/Trademarked material; Trade secrets; Classified information; Medical records; Unknown (specific type is not known); Personal information (Name, SS#, Addr, etc.)), axis 0 to 120%.

By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

Page 9

LinkedIn: Class Action Suit

By John Fontana | June 19, 2012

A class action suit against LinkedIn claims that violation of its own privacy policies and user agreements allowed hackers to steal 6.46 million passwords.

Page 10

Other Major Data Breaches

Chart: impact ($) of major breaches by attack type over time, April 2011 to Aug 2011.

Source: IBM 2012 Security Breaches Trend and Risk Report

Page 11

The Sony Breach

• Lost 100 million passwords and personal details stored in clear
• Spent $171 million related to the data breach
• Sony's stock price has fallen 40 percent
• For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
• Attack via SQL Injection

Page 12

What is SQL Injection?

Diagram: a SQL command is injected through the Application and reaches the Data Store.

Page 13

SQL Injection Increasing

Chart: SQL injection events per quarter, Q1 2011 to Q3 2011, axis 5,000 to 25,000.

Source: IBM 2012 Security Breaches Trend and Risk Report

Page 14

New Industries are Targets

Chart: industries by percent of breaches (Information; Other; Health Care and Social Assistance; Finance and Insurance; Retail Trade; Accommodation and Food Services), axis 0 to 60.

By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

Page 15

The Changing Threat Landscape

• Some issues have stayed constant:
  – Threat landscape continues to gain sophistication
  – Attackers will always be a step ahead of the defenders
• We are fighting highly organized, well-funded crime syndicates and nations
• Move from detective to preventative controls needed

Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

Page 16

How are Breaches Discovered?

Chart: discovery methods by percent of breaches (Unusual system behavior or performance; Log analysis and/or review process; Financial audit and reconciliation process; Internal fraud detection mechanism; Other(s); Witnessed and/or reported by employee; Unknown; Brag or blackmail by perpetrator; Reported by customer/partner affected; Third-party fraud detection (e.g., CPP); Notified by law enforcement), axis 0 to 70%.

By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

Page 17

Assets Compromised

Chart: assets compromised by percent of records (POS server (store controller); POS terminal; Automated Teller Machine (ATM); Regular employee/end-user; Payment card (credit, debit, etc.); Cashier/Teller/Waiter; Pay at the Pump terminal; File server; Laptop/Netbook; Remote Access server; Call Center Staff; Mail server; Desktop/Workstation; Web/application server; Database server), with group labels User devices, People and Offline data, axis 0 to 120%.

By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

Page 18

Threat Action Categories: Hacking and Malware

Chart: threat action categories by percent of records (Environmental; Error; Misuse; Physical; Social; Malware; Hacking), axis 0 to 120%.

By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

Page 19

PCI DSS COMPLIANCE

Page 20

Was PCI Data Protected?

Chart: relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews (Verizon study), axis 0 to 100%. Requirements in the chart's order:

3: Protect Stored Data
7: Restrict access to data by business need-to-know
11: Regularly test security systems and processes
10: Track and monitor all access to network resources and data
6: Develop and maintain secure systems and applications
8: Assign a unique ID to each person with computer access
1: Install and maintain a firewall configuration to protect data
12: Maintain a policy that addresses information security
2: Do not use vendor-supplied defaults for security parameters
4: Encrypt transmission of cardholder data
5: Use and regularly update anti-virus software
9: Restrict physical access to cardholder data

Page 21

Amazon’s PCI Compliance

• PCI-DSS 2.0 doesn't address multi-tenancy concerns
• You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
• Amazon doesn't do this for you -- it's something you need to implement yourself, including key management, rotation, logging, etc.
• If you deploy a server instance in EC2 it still needs to be assessed by your QSA
• Your organization's assessment scope isn't necessarily reduced
  – It might be when you move to something like a tokenization service where you reduce your handling of PAN data

Source: securosis.com

Page 22

WHAT HAS THE INDUSTRY DONE TO SECURE DATA?

Page 23

Use of Enabling Technologies

Chart: Evaluating versus Current Use of each technology (Access controls; Database activity monitoring; Database encryption; Backup / Archive encryption; Data masking; Application-level encryption; Tokenization), shown as two series of percentages.

Page 24

Tokenization vs. Encryption

Used approach:
• Encryption is a cipher system: cryptographic algorithms and cryptographic keys.
• Tokenization is a code system: code books and index tokens.

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 25

How can we Secure The Data Flow?

Diagram: the data flow between the Retail Store, the Bank, the Payment Network and Corporate Systems.

Page 26

What Has The Industry Done?

Timeline (1970 to 2010) of protection methods, with Total Cost of Ownership falling from High to Low. Input value: 3872 3789 1620 3675

• Strong Encryption (AES, 3DES): output !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE): output 8278 2789 2990 2789 – Format Preserving
• Vault-based Tokenization: output 8278 2789 2990 2789 – Greatly reduced Key Management
• Vaultless Tokenization: output 8278 2789 2990 2789 – No Vault

Page 27

WHAT IS THE DIFFERENCE BETWEEN VAULT-BASED AND VAULTLESS TOKENIZATION?

Page 28

We Started with Vault-Based Tokenization …

Page 29

Issues with Vault-based Tokenization

• Footprint is large and expanding
• Reliability issues – prone to collisions
• Distribution is practically impossible
• High Availability and Disaster Recovery is complex; expensive replication required
• Adversely impacts latency, performance & scalability

Page 31

Tokenization Differentiators

Criterion                              | Vault-based Tokenization                            | Vaultless Tokenization
Footprint                              | Large, expanding.                                   | Small, static.
High Availability, Disaster Recovery   | Complex, expensive replication required.            | No replication required.
Distribution                           | Practically impossible to distribute geographically. | Easy to deploy at different geographically distributed locations.
Reliability                            | Prone to collisions.                                | No collisions.
Performance, Latency, and Scalability  | Will adversely impact performance & scalability.    | Little or no latency. Fastest industry tokenization.
Extendibility                          | Practically impossible.                             | Unlimited tokenization capability.
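To make the Footprint and Reliability rows concrete, here is an added Python example (not Protegrity's code or scheme): a vault-based tokenizer that stores one row per PAN and must redraw on collisions, beside a toy table-driven vaultless tokenizer whose storage is a fixed set of secret digit tables. The class names, and the per-position substitution used for the vaultless side, are this example's own simplification.

```python
import secrets
import string

DIGITS = string.digits


class VaultTokenizer:
    """Vault-based: a random token is drawn per PAN and the pair is stored in a
    lookup table (the vault), which grows with every PAN and must be checked
    for collisions on every draw."""

    def __init__(self):
        self.vault = {}      # token -> pan
        self.reverse = {}    # pan -> token, so a repeated PAN gets the same token
        self.collisions = 0  # random draws that hit an existing token

    def tokenize(self, pan):
        if pan in self.reverse:
            return self.reverse[pan]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan)))
            if token not in self.vault:
                break
            self.collisions += 1  # collision: redraw
        self.vault[token] = pan
        self.reverse[pan] = token
        return token

    def detokenize(self, token):
        return self.vault[token]


class TableTokenizer:
    """Toy vaultless scheme (this example's own simplification, not Protegrity's):
    one secret, shuffled digit table per position, generated once. Nothing is
    stored per PAN (static footprint) and, since each table is a permutation,
    two different PANs never collide. Per-position substitution leaks equal
    digits at equal positions, so it illustrates those two properties only."""

    def __init__(self, length=16, rng=None):
        rng = rng or secrets.SystemRandom()
        self.tables = []
        for _ in range(length):
            perm = list(DIGITS)
            rng.shuffle(perm)
            self.tables.append(dict(zip(DIGITS, perm)))
        self.inverse = [{v: k for k, v in t.items()} for t in self.tables]

    def tokenize(self, pan):
        return "".join(self.tables[i][d] for i, d in enumerate(pan))

    def detokenize(self, token):
        return "".join(self.inverse[i][d] for i, d in enumerate(token))


def storage_footprint(pans):
    """Tokenize the same PANs with both schemes; return the entries each holds."""
    vault, table = VaultTokenizer(), TableTokenizer()
    for pan in pans:
        assert vault.detokenize(vault.tokenize(pan)) == pan
        assert table.detokenize(table.tokenize(pan)) == pan
    return {"vault_entries": len(vault.vault),
            "table_entries": sum(len(t) for t in table.tables)}
```

The vault's entry count grows with each distinct PAN, while the table tokenizer stays at 16 tables of 10 entries no matter how many PANs it has processed.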

Page 32

External Validation of Vaultless Tokenization

“The Vaultless tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.”

Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium *

* The Katholieke University Leuven in Belgium is where Advanced Encryption Standard (AES) was invented.

Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven and president of the International Association for Cryptologic Research.

Page 33

SPEED & SECURITY

Page 34

Speed of Different Protection Methods

Chart: transactions per second* (log axis, 100 to 10,000,000) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization.

*: Speed will depend on the configuration

Page 35

Security of Different Protection Methods

Chart: security level (Low to High) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization.

Page 36

CASE STUDIES - VAULTLESS TOKENIZATION

Page 37

Case Study: Large Chain Store

Why? Reduce compliance cost by 50%
– 50 million Credit Cards, 700 million daily transactions
– Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
– End-to-End Tokens: Started with the D/W and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Qualified Security Assessors had no issues
  • “With encryption, implementations can spawn dozens of questions”
  • “There were no such challenges with tokenization”

Page 38

Case Studies: Retail

Customer 1: Why? Three major concerns solved
– Performance Challenge; Initial tokenization
– Vendor Lock-In: What if we want to switch payment processor
– Extensive Enterprise End-to-End Credit Card Data Protection

Customer 2: Why? Desired single vendor to provide data protection
– Combined use of tokenization and encryption
– Looking to expand tokens beyond CCN to PII

Customer 3: Why? Remove compensating controls from the mainframe
– Tokens on the mainframe to avoid compensating controls

Page 39

PCI DSS & OUT-OF-SCOPE

Page 40

Tokenization and Encryption are Different

Page 41

Tokenization and “PCI Out Of Scope”

Decision flow for tokenized data:
• De-tokenization available? No → Out of Scope. Yes → next question.
• Random number tokens? No (FPE) → No Scope Reduction. Yes → next question.
• Isolated from Card Holder Data Environment? Yes → Scope Reduction. No → No Scope Reduction.

Source: http://www.securosis.com

Page 42

BEYOND PCI

Page 43

How Should I Secure Different Data?

Diagram: type of data (Structured to Un-structured) against use case (Simple to Complex), placing PCI (Card Holder Data), PHI (Protected Health Information) and PII (Personally Identifiable Information) between Field Tokenization and File Encryption.

Page 44

Flexibility in Token Format Controls

Type of Data           | Input                    | Token                                                              | Comment
Credit Card            | 3872 3789 1620 3675      | 8278 2789 2990 2789                                                | Numeric
Credit Card            | 3872 3789 1620 3675      | 8278 2789 2990 3675                                                | Numeric, last 4 digits exposed
Credit Card            | 3872 3789 1620 3675      | 3872 qN4e 5yPx 3675                                                | Alpha-numeric, digits exposed
Medical ID             | 29M2009ID                | 497HF390D                                                          | Alpha-numeric
Date                   | 10/30/1955               | 12/25/2034                                                         | Date, multiple date formats
E-mail Address         | [email protected]        | [email protected]                                                  | Alpha-numeric
SSN                    | 075672278 or 075-67-2278 | 287382567 or 287-38-2567                                           | Numeric, delimiters in input
Invalid Luhn           | 5105 1051 0510 5100      | 8278 2789 2990 2782                                                | Luhn check will fail
Binary                 | 0x010203                 | 0x123296910112                                                     |
Alphanumeric Indicator | 5105 1051 0510 5100      | 8278 2789 299A 2781                                                | Position to place alpha is configurable
Decimal                | 123.45                   | 9842.56                                                            | Non length preserving
Multi-Merchant         | 3872 3789 1620 3675      | Merchant 1: 8278 2789 2990 2789; Merchant 2: 9302 8999 2662 6345   | Deliver a different token to different merchants based on the same credit card number.
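An added Python example (not from the presentation or Protegrity) that implements several of the format controls in this table as a random-token generator: delimiters are preserved, leading or trailing digits can be exposed, output can be alphanumeric with a configurable letter position, and an all-digit token can be redrawn until it fails the Luhn check. The function names and parameters are this example's own.

```python
import secrets
import string


def luhn_valid(digits):
    """Luhn check used for card numbers: from the right, double every second
    digit, subtract 9 from products above 9, and require the sum to be a
    multiple of 10. Real PANs pass; a random token usually does not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def format_token(value, keep_first=0, keep_last=0, alpha=False,
                 alpha_positions=(), fail_luhn=False, rng=secrets):
    """Draw a random token that preserves the layout of `value`: delimiters such
    as spaces and dashes are copied through, the first `keep_first` and last
    `keep_last` alphanumeric characters are exposed unchanged and the rest are
    replaced (digits only, or letters and digits when `alpha` is set).
    `alpha_positions` forces an uppercase letter at those positions; `fail_luhn`
    redraws an all-digit token until it fails the Luhn check, so the token can
    never be mistaken for (or accidentally equal) a valid card number."""
    chars = [c for c in value if c.isalnum()]
    n = len(chars)
    pool = string.ascii_letters + string.digits if alpha else string.digits
    while True:
        out = []
        for pos, c in enumerate(chars):
            if pos < keep_first or pos >= n - keep_last:
                out.append(c)                       # exposed, kept as-is
            elif pos in alpha_positions:
                out.append(rng.choice(string.ascii_uppercase))
            else:
                out.append(rng.choice(pool))
        token = "".join(out)
        if fail_luhn and token.isdigit() and luhn_valid(token):
            continue                                # redraw: looks like a real PAN
        break
    it = iter(token)
    # re-insert the delimiters of the input at their original positions
    return "".join(next(it) if c.isalnum() else c for c in value)
```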

Page 45

RISK MANAGEMENT

Page 46

Choose Your Defenses

Chart: cost against protection option, from Monitoring to Data Lockdown, with curves for Expected Losses from the Risk, Cost of Aversion – Protection of Data, and Total Cost; the Optimal Risk point is marked on the Total Cost curve.

Page 47

Matching Data Protection with Risk Level

Risk Level         | Solution
Low Risk (1-5)     | Monitoring
Medium Risk (6-15) | Monitoring, masking, format controlling encryption
High Risk (16-25)  | Tokenization, strong encryption

Data Field             | Risk Level
Credit Card Number     | 25
Social Security Number | 20
Email Address          | 20
Customer Name          | 12
Secret Formula         | 10
Employee Name          | 9
Employee Health Record | 6
Zip Code               | 3

Page 48

Summary

• Optimal support of complex enterprise requirements
  – Heterogeneous platform supports all operating systems and databases
  – Flexible protectors (Database, Application, File)
  – Risk Adjusted Data Protection offers the options for protecting data with the appropriate strength.
  – Built-in Key Management
  – Consistent Enterprise policy enforcement and audit logging
• Innovative
  – Pushing data protection with industry leading
• Proven
  – Proven platform currently protects the world's largest companies
• Experienced
  – Experienced staff will be there with support along the way to complete data protection

Page 49

Questions?

Page 50

Thank you!

Ulf Mattsson, Protegrity CTO, ulf.mattsson AT protegrity.com