1. Practical Advice for Cloud Data Protection
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com

2. Member of PCI Security Standards Council:
• Tokenization Task Force
• Encryption Task Force
• Point to Point Encryption Task Force
• Risk Assessment SIG
• eCommerce SIG
• Cloud SIG
• Virtualization SIG
• Pre-Authorization SIG
• Scoping SIG
Ulf Mattsson, Protegrity CTO
2

3. Issues with
Cloud
Computing
3

4. 4

5. 5

6. 6

7. 7

8. 8

9. 9

10. 10

11. 11

12. 12

13. 13

14. 14

15. 15

16. 16

17. Who do You
Trust?
17

18. 18

19. 19

20. 20

21. 21

22. 22

23. 23

24. 24

25. What is Cloud
Computing?
25

26. Infrastructure as a Service (IaaS), delivers computer
infrastructure (typically a platform virtualization
environment) as a service, along with raw storage and
networking
Software as a service (SaaS), sometimes referred to
as "on-demand software," is a software delivery model
in which software and its associated data are hosted
centrally (typically in the (Internet) cloud
Platform as a service (PaaS), is the delivery of a
computing platform and solution stack as a service
What Is Cloud Computing? Service Models?
26

27. 27

28. 28

29. 29

30. 30

31. 31

32. 32

33. Cloud
Services
33

34. 34
Software as a service (SaaS),
sometimes referred to as on-
demand software
Platform as a service (PaaS),
is the delivery of a computing
platform and solution stack
Infrastructure as a Service
(IaaS), delivers computer
infrastructure along with raw
storage and networking
Service Orchestration

35. 35

36. 36

37. PCI and
Cloud Security
37

38. 38

39. Control shared across different service models
39

40. 40

41. 41

42. 42

43. 043
External Validation of Tokenization
“The xxx tokenization scheme offers excellent
security, since it is based on fully randomized
tables. This is a fully distributed tokenization
approach with no need for synchronization and
there is no risk for collisions.“ Prof. Dr. Ir. Bart Preneel
Katholieke University Leuven, Belgium
where Advanced Encryption Standard (AES) was invented
C. Matthew Curtin, CISSP
Founder, Interhack Corporation
Ohio State University
who broke the U.S. Government's Data Encryption Standard (DES)
“Token is not mathematically derived from its
input.“ and “None of the attacks that we have
identified have a factor of work that is less than
that of a brute-force attack.”

44. Cloud Security
Model
44

45. 45

46. 46

47. 47

48. 48

49. 49

50. 50

51. 51

52. 52

53. 53

54. Cloud Security
Issues
54

55. 55

56. 56

57. 57

58. ADDITIONAL THREATS INDUCERS
• Multi-tenancy at an Application Level
EXAMPLES OF THREATS
• A different tenant using the same SAAS infrastructure gains
access to another tenants data through the web layer
vulnerabilities (a privilege escalation)
TRADITIONAL SECURITY TESTING CATEGORIES
STILL RELEVANT
ADDITIONAL TESTING CATEGORIES
• Multi-Tenancy Testing (an extension of privilege escalation)
Threat Vector Inheritance - SAAS
58

59. ADDITIONAL THREATS INDUCERS
• Multi-tenancy at a Platform level
EXAMPLES OF THREATS
• A different tenant using the same infrastructure gains
access to another tenants data through the web layer
vulnerabilities (a privilege escalation)
TRADITIONAL SECURITY TESTING CATEGORIES
STILL RELEVANT
ADDITIONAL TESTING CATEGORIES
• Multi-Tenancy Testing (an extension of privilege
escalation)
Threat Vector Inheritance - PAAS
59

60. ADDITIONAL THREATS INDUCERS
• Multi-tenancy at an Infrastructure Level
EXAMPLES OF THREATS
• Deficiencies in virtualization security (improper
implementation of VM zoning, segregation leading to inter
VM attacks across multiple IAAS tenants)
TRADITIONAL SECURITY TESTING CATEGORIES
STILL RELEVANT
• Traditional Infrastructure Vulnerability Assessment
ADDITIONAL TESTING CATEGORIES
• Inter VM Security / Vulnerability Testing
Threat Vector Inheritance - IAAS
60

61. Encrypting the transfer of data to the cloud does not
ensure the data is protected in the cloud.
Once data arrives in the cloud, it should remain
protected both at rest and in use.
Do not forget to protect files that are often overlooked,
but which frequently include sensitive information.
Log files and metadata can be avenues for data
leakage.
Encrypt using sufficiently durable encryption strengths
(such as AES-256
Use open, validated formats and avoid proprietary
encryption formats wherever possible.
Encryption
61

62. Tokenization.
• This is where public cloud service can be
integrated/paired with a private cloud that stores
sensitive data.
• The data sent to the public cloud is altered and would
contain a reference to the data residing in the private
cloud.
Data Anonymization
• This is where (for example) Personally Identifiable
Information (PII) and Sensitive are stripped before
processing.
Utilizing access controls built into the database
Alternative Approaches to Encryption
62

63. Access Management
63

64. Virtual machine guest hardening
Hypervisor security
Inter-VM attacks and blind spots
Performance concerns
Operational complexity from VM sprawl
Instant-on gaps
Virtual machine encryption
Data comingling
Virtual machine data destruction
Virtual machine image tampering
In-motion virtual machines
VIRTUALIZATION
64

65. Virtual machine guest hardening
Hypervisor security
Inter-VM attacks and blind spots
Performance concerns
Operational complexity from VM sprawl
Instant-on gaps
Virtual machine encryption
Data comingling
Virtual machine data destruction
Virtual machine image tampering
In-motion virtual machines
VIRTUALIZATION
Hypervisor Architecture Concerns
65

66. 66

67. 67

68. Cloud Security
Solutions
68

69. 69

70. 70

71. 71

72. 72

73. 73
Encryption in Cloud Computing

74. 74
It’s 11 p.m. Do you know where your data is?

75. Secure Web gateway
Cloud Encryption Gateways
Cloud Security Gateways
Secure Email Gateways
Cloud Access Security Brokers (CASBs)
Cloud Services Brokerage (CSB)
Gartner - Cloud & Gateways
75

76. Cloud Gateway Benefits
Eliminates the threat of third parties exposing your sensitive information
Delivers a secure and uncompromised SaaS user experience
Ensures data integrity and availability
Eases cloud adoption process and acceptance
Eliminates data residency concerns and requirements
Product is transparent and has close to 0% overhead impact
Identifies malicious activity and proves compliance to third parties and
detailed audit trails
Simplifies compliance requirements
Ability to outsource a portion of your IT security requirements

77. 077

78. 078

79. Inline Gateway Deployment
079
Client
http(s)
Gateway
Server
Enterprise
Security
Administrator Security Officer

80. Corporate Network
CDE
Inline Gateway Deployment – Use Case #1
080
Client
http(s)
Gateway
Server
Enterprise
Security
Administrator Security Officer

81. Corporate Network
CDE
Inline Gateway Deployment – Use Case #2
081
Backend
System
http(s)
Gateway
External
Service
Enterprise
Security
Administrator
Security Officer

82. TURNING THE TIDE
82
What new technologies and techniques can be used to
prevent future attacks?

83. Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
• Access Controls
• Field Encryption
• Masking
• Tokenization
• Vaultless Tokenization
Evolution of Data Security Methods
83
Evolution

84. Evolution of Protection Techniques
84
Evolution
High
Low
Total Cost of
Ownership
Strong Encryption (e.g. AES, 3DES)
!@#$%a^.,mhu7///&*B()_+!@
Format/Type Preserving Encryption (e.g. DTP, FPE)
8278 2789 2990 2789
Vault-based Tokenization
8278 2789 2990 2789
Vault-less Tokenization
8278 2789 2990 2789
Format Preserving
Greatly reduced Key Management
No Vault
Data length expands and type changes
Data stored in the clear
3872 3789 1620 3675

85. Access
Privilege
Level
Risk
I
High
I
Low
High –
Low –
Old:
Minimal access
levels – Least
Privilege to avoid
high risks
New :
Much greater
flexibility and
lower risk in data
accessibility
The New Fine Grained Data Security
85

86. Fine Grained (Field-Level)
Sensitive Data Security
allows for a Wider and
Deeper Range
of Authority Options
86

87. Format Flexibility - PII
Description Input Token
SSN, numeric 075672278 287382567
SSN, delimiters in input 075-67-2278 287-38-2567
SSN, last 4 digits exposed 075-67-2278 591-20-2278
Date, Multiple date formats 10/30/1955 12/25/2034
Year part exposed 10/30/1955 04/02/1955
Month part exposed 10/30/1955 10/17/3417
Range as a differentiator 10/30/1955 09/26/4741
Datetime 10/30/1955 07:32:59.243 12/25/2034 12:05:47.243
Email domain exposed yuri.gagarin@protegrity.com empo.snaugs@protegrity.com
Name Yuri Gagarin A4kq nhHOwtG
Telephone (203)550-9985 (203)371-2076

88. Format Flexibility – Credit Card
Description Input Token
Numeric 3872 3789 1620 3675 8278 2789 2990 2789
Numeric, Last 4 digits exposed (12x4) 3872 3789 1620 3675 1507 4402 1958 3675
Numeric, First 6 last 4 digits exposed (6x6x4) 3872 3789 1620 3675 3872 3789 2990 3675
Alpha-Numeric, Digits exposed (4x8x4) 3872 3789 1620 3675 3872 qN4e 5yPx 3675
Luhn check will fail 3872 3789 1620 3675 7508 1538 4200 9532
Alphabetic indication is a configurable position 3872 3789 1620 3675 9530 4800 323A 6871
Invalid Card Type 3872 3789 1620 3675 2991 1350 6123 4837
Different token for the same credit card number based on
merchants, clients or source identifier
3872 3789 1620 3675
ID1: 8278 2789 2990 2789
ID2: 9302 8999 2662 6345
Including non-conflicting combinations of the above

89. Format Flexibility - Other
Description Input Token
Free text, non length preserved, up to 2k the dog jumped over the lazy fox Eem JqM A4ksIX nhuH OUG zEQT RxV
Decimal 123.45 9842.56
Binary, up to 2k 0x010203 0x123296910112
All printable characters ~`’;/!Üñ╗▓╟╚τ }╗æƺe2!⥿*&½
Lower ASCII abcdefghijklmnopqrstuvwxyz F7}yGN6/5&kc!h1?eUt^EcriT-

90. Protegrity Tokenization Differentiators
90
Protegrity Tokenization Traditional Tokenization
Footprint Small, Static. Large, Expanding.
High Availability,
Disaster Recovery
No replication required. Complex, expensive replication
required.
Distribution Easy to deploy at different
geographically distributed
locations.
Practically impossible to distribute
geographically.
Reliability No collisions. Prone to collisions.
Performance, Latency,
and Scalability
Little or no latency. Fastest
industry tokenization.
Will adversely impact performance
& scalability.
Extendibility Unlimited Tokenization Capability. Practically impossible.

91. Fine Grained Data Security Methods
91
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
Code books
Index tokens
TokenizationEncryption

92. Different Tokenization Approaches
92
Property Dynamic Pre-generated Vaultless
Vault-based

93. I
Format
Preserving
Encryption
Security of Fine Grained Protection Methods
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Basic
Data
Tokenization
93
High
Low
Security Level

94. 10 000 000 -
1 000 000 -
100 000 -
10 000 -
1 000 -
100 -
Transactions per second*
I
Format
Preserving
Encryption
Speed of Fine Grained Protection Methods
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Vault-based
Data
Tokenization
*: Speed will depend on the configuration
94

95. Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise
use of tokenization for protecting sensitive data over
encryption
Nearly half of the respondents (47%) are currently
using tokenization for something other than cardholder
data
Tokenization users had 50% fewer security-related
incidents than tokenization non-users
95
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

96. Type of
Data
Use
Case
I
Structured
How Should I Secure Different Data?
I
Un-structured
Simple –
Complex –
PCI
PHI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Protected
Health
Information
96
Personally Identifiable Information

97. Use Case: Protect PII Data Cross Border
CHALLENGES
The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers,
birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming
source data from various European banking entities, and existing data within those systems, which would be
consolidated at the Italian HQ.

98. Centralized Policy Management
98
Application
File Servers
RDBMS
Big Data
Gateway
Servers
Protection
Servers
MPP
HP NonStop
Base24
IBM Mainframe
Protector
Security Officer
Audit
Log
Audit
Log
Audit
Log
Audit
Log Audit
Log
Audit
Log
Audit
Log
Audit
Log
Audit
Log
Enterprise
Security
Administrator
PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy

99. Enterprise Data Security Policy
99
What is the sensitive data that needs to be protected. Data Element.
How you want to protect and present sensitive data. There are
several methods for protecting sensitive data. Encryption,
tokenization, monitoring, etc.
Who should have access to sensitive data and who should not.
Security access control. Roles & Members.
When should sensitive data access be granted to those who have
access. Day of week, time of day.
Where is the sensitive data stored? This will be where the policy is
enforced. At the protector.
Audit authorized or un-authorized access to sensitive data. Optional
audit of protect/unprotect.
What
Who
When
Where
How
Audit

100. Enterprise Data Security Platform
100
Enterprise Security Administrator (ESA)
• Central Point of Data Security Policy Management
• Deployed as Soft Appliance
• Hardened, High Availability, Backup & Restore
Gateway & Protection Servers
• Deployed as Soft Appliance
• Hardened, High Availability, Backup & Restore
Data Protectors
• Enforcing data security policy close to the data store
• Heterogeneous Coverage:
• AIX, HPUX, Linux, Solaris, Windows, z/OS
• Teradata, Oracle, Netezza, Pivotal, DB2, UDB, SSQL
• Hadoop – Cloudera, Hortonworks, Pivotal, BigInsights,
mapR, etc.
• Web Services, C/C++, Java, .NET, Cobol
Application
File Servers
RDBMS
Big Data
Gateway
Servers
Protection
Servers
Enterprise
Security
Administrator
MPP
HP NonStop
Base24
IBM Mainframe
Protector

101. Enterprise Platform Versatility
Policy
Enforcement
Point

102. Thank you!
Questions?
Please contact us for more information
www.protegrity.com
Ulf.Mattsson@protegrity.com
To Request A Copy of the Presentation
Email: info@protegrity.com