Practical advice for cloud data protection ulf mattsson - jun 2014
1. Practical Advice for Cloud Data Protection
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com
2. Member of PCI Security Standards Council:
• Tokenization Task Force
• Encryption Task Force
• Point to Point Encryption Task Force
• Risk Assessment SIG
• eCommerce SIG
• Cloud SIG
• Virtualization SIG
• Pre-Authorization SIG
• Scoping SIG
Ulf Mattsson, Protegrity CTO
26. What Is Cloud Computing? Service Models?
Infrastructure as a Service (IaaS) delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking.
Software as a Service (SaaS), sometimes referred to as "on-demand software," is a software delivery model in which software and its associated data are hosted centrally (typically in the Internet cloud).
Platform as a Service (PaaS) is the delivery of a computing platform and solution stack as a service.
34. Service Orchestration
Software as a Service (SaaS), sometimes referred to as on-demand software
Platform as a Service (PaaS), the delivery of a computing platform and solution stack
Infrastructure as a Service (IaaS), delivering computer infrastructure along with raw storage and networking
43. External Validation of Tokenization
“The xxx tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.”
Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium, where the Advanced Encryption Standard (AES) was invented
“Token is not mathematically derived from its input.” and “None of the attacks that we have identified have a factor of work that is less than that of a brute-force attack.”
C. Matthew Curtin, CISSP, Founder, Interhack Corporation, Ohio State University, who broke the U.S. Government's Data Encryption Standard (DES)
58. Threat Vector Inheritance - SAAS
ADDITIONAL THREAT INDUCERS
• Multi-tenancy at an Application Level
EXAMPLES OF THREATS
• A different tenant using the same SAAS infrastructure gains access to another tenant's data through web layer vulnerabilities (a privilege escalation)
TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT
ADDITIONAL TESTING CATEGORIES
• Multi-Tenancy Testing (an extension of privilege escalation)
59. Threat Vector Inheritance - PAAS
ADDITIONAL THREAT INDUCERS
• Multi-tenancy at a Platform Level
EXAMPLES OF THREATS
• A different tenant using the same infrastructure gains access to another tenant's data through web layer vulnerabilities (a privilege escalation)
TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT
ADDITIONAL TESTING CATEGORIES
• Multi-Tenancy Testing (an extension of privilege escalation)
60. Threat Vector Inheritance - IAAS
ADDITIONAL THREAT INDUCERS
• Multi-tenancy at an Infrastructure Level
EXAMPLES OF THREATS
• Deficiencies in virtualization security (improper implementation of VM zoning and segregation, leading to inter-VM attacks across multiple IAAS tenants)
TRADITIONAL SECURITY TESTING CATEGORIES STILL RELEVANT
• Traditional Infrastructure Vulnerability Assessment
ADDITIONAL TESTING CATEGORIES
• Inter-VM Security / Vulnerability Testing
61. Encryption
Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud. Once data arrives in the cloud, it should remain protected both at rest and in use.
Do not forget to protect files that are often overlooked but which frequently include sensitive information. Log files and metadata can be avenues for data leakage.
Encrypt using sufficiently durable encryption strengths (such as AES-256).
Use open, validated formats and avoid proprietary encryption formats wherever possible.
62. Alternative Approaches to Encryption
Tokenization
• This is where a public cloud service can be integrated/paired with a private cloud that stores the sensitive data.
• The data sent to the public cloud is altered and would contain a reference to the data residing in the private cloud.
Data Anonymization
• This is where (for example) Personally Identifiable Information (PII) and other sensitive data are stripped before processing.
Utilizing access controls built into the database
76. Cloud Gateway Benefits
• Eliminates the threat of third parties exposing your sensitive information
• Delivers a secure and uncompromised SaaS user experience
• Ensures data integrity and availability
• Eases the cloud adoption process and acceptance
• Eliminates data residency concerns and requirements
• Product is transparent and has close to 0% overhead impact
• Identifies malicious activity and proves compliance to third parties with detailed audit trails
• Simplifies compliance requirements
• Ability to outsource a portion of your IT security requirements
87. Format Flexibility - PII
Description | Input | Token
SSN, numeric | 075672278 | 287382567
SSN, delimiters in input | 075-67-2278 | 287-38-2567
SSN, last 4 digits exposed | 075-67-2278 | 591-20-2278
Date, multiple date formats | 10/30/1955 | 12/25/2034
Year part exposed | 10/30/1955 | 04/02/1955
Month part exposed | 10/30/1955 | 10/17/3417
Range as a differentiator | 10/30/1955 | 09/26/4741
Datetime | 10/30/1955 07:32:59.243 | 12/25/2034 12:05:47.243
Email domain exposed | yuri.gagarin@protegrity.com | empo.snaugs@protegrity.com
Name | Yuri Gagarin | A4kq nhHOwtG
Telephone | (203)550-9985 | (203)371-2076
88. Format Flexibility – Credit Card
Description | Input | Token
Numeric | 3872 3789 1620 3675 | 8278 2789 2990 2789
Numeric, last 4 digits exposed (12x4) | 3872 3789 1620 3675 | 1507 4402 1958 3675
Numeric, first 6 and last 4 digits exposed (6x6x4) | 3872 3789 1620 3675 | 3872 3789 2990 3675
Alpha-numeric, digits exposed (4x8x4) | 3872 3789 1620 3675 | 3872 qN4e 5yPx 3675
Luhn check will fail | 3872 3789 1620 3675 | 7508 1538 4200 9532
Alphabetic indication is a configurable position | 3872 3789 1620 3675 | 9530 4800 323A 6871
Invalid card type | 3872 3789 1620 3675 | 2991 1350 6123 4837
Different token for the same credit card number based on merchants, clients or source identifier | 3872 3789 1620 3675 | ID1: 8278 2789 2990 2789; ID2: 9302 8999 2662 6345
Including non-conflicting combinations of the above
89. Format Flexibility - Other
Description | Input | Token
Free text, non length preserved, up to 2k | the dog jumped over the lazy fox | Eem JqM A4ksIX nhuH OUG zEQT RxV
Decimal | 123.45 | 9842.56
Binary, up to 2k | 0x010203 | 0x123296910112
All printable characters | ~`’;/!Üñ╗▓╟╚τ | }╗æƺe2!⥿*&½
Lower ASCII | abcdefghijklmnopqrstuvwxyz | F7}yGN6/5&kc!h1?eUt^EcriT-
90. Protegrity Tokenization Differentiators
 | Protegrity Tokenization | Traditional Tokenization
Footprint | Small, static. | Large, expanding.
High Availability, Disaster Recovery | No replication required. | Complex, expensive replication required.
Distribution | Easy to deploy at different geographically distributed locations. | Practically impossible to distribute geographically.
Reliability | No collisions. | Prone to collisions.
Performance, Latency, and Scalability | Little or no latency. Fastest industry tokenization. | Will adversely impact performance & scalability.
Extendibility | Unlimited tokenization capability. | Practically impossible.
91. Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used approach:
• Encryption – cipher system: cryptographic algorithms, cryptographic keys
• Tokenization – code system: code books, index tokens
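The format flexibility tables (slides 87-89) and the code-system versus cipher-system distinction on slide 91 can both be illustrated with a small tokenizer. The Python below is an added example and is not Protegrity's code or its tokenization scheme: it builds one randomly generated lookup table per character position and per source identifier (a "code book"), copies delimiters through unchanged so the token keeps the input's format, and supports the exposure rules the tables show (last four digits, first six and last four, email domain). It uses a single layer of substitution for brevity; the MAX_LEN limit, the source identifiers ID1/ID2 and the helper names are assumptions of this example.

```python
import secrets
import string
from typing import Dict, List

# Added example, not Protegrity's code or scheme. A toy "vaultless" tokenizer:
# each source identifier (merchant, client, tenant) gets its own randomly
# generated code book, one shuffled alphabet per character position and
# character class. A token is produced by table lookup (slide 91's "code
# system"), not by a cipher, so the tables themselves are the secret to guard.
# Single-layer substitution is used for brevity; production schemes chain
# several table lookups. MAX_LEN is a constructed limit for this demo.

CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)
MAX_LEN = 64


class CodeBook:
    """Forward and reverse lookup tables for MAX_LEN character positions."""

    def __init__(self) -> None:
        rng = secrets.SystemRandom()
        self.forward: List[Dict[str, str]] = []
        self.reverse: List[Dict[str, str]] = []
        for _ in range(MAX_LEN):
            fwd: Dict[str, str] = {}
            for alphabet in CLASSES:
                perm = list(alphabet)
                rng.shuffle(perm)  # fully random table: no key, nothing to derive
                fwd.update(zip(alphabet, perm))
            self.forward.append(fwd)
            self.reverse.append({v: k for k, v in fwd.items()})


_books: Dict[str, CodeBook] = {}


def book_for(source_id: str) -> CodeBook:
    """One code book per source identifier, so ID1 and ID2 get different
    tokens for the same input (slide 88)."""
    if source_id not in _books:
        _books[source_id] = CodeBook()
    return _books[source_id]


def _substitute(tables: List[Dict[str, str]], value: str,
                keep_first: int, keep_last: int, stop_at: str) -> str:
    """Replace characters position by position using `tables`.

    Characters outside the three classes (delimiters such as '-', ' ', '.')
    are copied through, so the token keeps the input's format. keep_first and
    keep_last leave that many substitutable characters in the clear (e.g. the
    last four SSN digits). If stop_at is given (e.g. '@'), only the text before
    it is protected and the remainder, such as an email domain, stays exposed.
    """
    region, tail = value, ""
    if stop_at and stop_at in value:
        region, tail = value.split(stop_at, 1)
        tail = stop_at + tail
    if len(region) > len(tables):
        raise ValueError("value longer than the code book supports")
    positions = [i for i, ch in enumerate(region) if ch in tables[0]]
    protected = set(positions[keep_first:len(positions) - keep_last])
    out = [tables[i][ch] if i in protected else ch for i, ch in enumerate(region)]
    return "".join(out) + tail


def tokenize(source_id: str, value: str, keep_first: int = 0,
             keep_last: int = 0, stop_at: str = "") -> str:
    return _substitute(book_for(source_id).forward, value, keep_first, keep_last, stop_at)


def detokenize(source_id: str, token: str, keep_first: int = 0,
               keep_last: int = 0, stop_at: str = "") -> str:
    """Inverse lookup with the same exposure rules used when tokenizing."""
    return _substitute(book_for(source_id).reverse, token, keep_first, keep_last, stop_at)


def demo() -> Dict[str, str]:
    """Rows modelled on the format flexibility tables (slides 87-89), using
    the slides' own constructed sample values as input."""
    ssn = "075-67-2278"
    card = "3872 3789 1620 3675"
    mail = "yuri.gagarin@protegrity.com"
    return {
        "ssn_last4": tokenize("ID1", ssn, keep_last=4),
        "card_6x6x4": tokenize("ID1", card, keep_first=6, keep_last=4),
        "mail_domain": tokenize("ID1", mail, stop_at="@"),
        "card_id1": tokenize("ID1", card),
        "card_id2": tokenize("ID2", card),
    }


if __name__ == "__main__":
    for name, token in demo().items():
        print(f"{name:12s} {token}")
```

Because the tables are random rather than derived from a key, the token values differ on every run; what stays constant, and what the tables on the slides promise, is the format: length, delimiter positions, exposed digits and character class are preserved, and detokenize with the same source identifier and exposure rules recovers the input.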
94. Speed of Fine Grained Protection Methods
[Chart: transactions per second* on a logarithmic axis from 100 to 10 000 000, plotted for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]
*: Speed will depend on the configuration
95. Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise
use of tokenization for protecting sensitive data over
encryption
Nearly half of the respondents (47%) are currently
using tokenization for something other than cardholder
data
Tokenization users had 50% fewer security-related
incidents than tokenization non-users
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
96. How Should I Secure Different Data?
[Chart: type of data (structured, un-structured) against use case (simple – complex); PCI – Card Holder Data; PHI – Protected Health Information; PII – Personally Identifiable Information; Tokenization of Fields; Encryption of Files]
97. Use Case: Protect PII Data Cross Border
CHALLENGES
The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers,
birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming
source data from various European banking entities, and existing data within those systems, which would be
consolidated at the Italian HQ.
99. Enterprise Data Security Policy
What: What is the sensitive data that needs to be protected? Data element.
How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
Who: Who should have access to sensitive data and who should not. Security access control. Roles & members.
When: When should sensitive data access be granted to those who have access. Day of week, time of day.
Where: Where is the sensitive data stored? This will be where the policy is enforced. At the protector.
Audit: Audit authorized or un-authorized access to sensitive data. Optional audit of protect/unprotect.
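The six policy elements above (What, How, Who, When, Where, Audit) map naturally onto a small enforcement routine. The Python below is an added example, not Protegrity's product or policy format: a Policy record carries the data element, protection method, permitted roles, day/time window and the protector that enforces it; a Protector evaluates each protect/unprotect request and writes an audit record. The data element, role and protector names, and the choice to audit protect calls only when the policy asks for it, are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Added example, not Protegrity's product. A minimal evaluator for a policy
# with the six elements of slide 99: What (data element), How (protection
# method), Who (roles), When (days and hours), Where (the protector that
# enforces it) and Audit (a record of each decision). Names and values below
# are constructed for the demo.


@dataclass
class Policy:
    data_element: str            # What
    method: str                  # How: "tokenization", "encryption", ...
    roles: Set[str]              # Who: roles whose members may unprotect
    days: Set[int]               # When: weekday numbers, Monday = 0
    hours: Tuple[int, int]       # When: start hour inclusive, end hour exclusive
    protector: str               # Where: enforcement point for this element
    audit_protect: bool = False  # Audit: protect calls are logged only if set


@dataclass
class AuditRecord:
    when: datetime
    user: str
    role: str
    data_element: str
    operation: str   # "protect" or "unprotect"
    allowed: bool
    reason: str


@dataclass
class Protector:
    """Enforcement point deployed close to the data store."""
    name: str
    policies: Dict[str, Policy]
    audit: List[AuditRecord] = field(default_factory=list)

    def check(self, user: str, role: str, data_element: str,
              operation: str, now: datetime) -> bool:
        policy = self.policies.get(data_element)
        if policy is None:
            allowed, reason = False, "no policy for data element"
        elif policy.protector != self.name:
            allowed, reason = False, "policy is enforced by another protector"
        elif operation == "protect":
            # Anyone may protect (tokenize/encrypt); the decision that matters
            # is who may unprotect.
            allowed, reason = True, "protect permitted"
        elif role not in policy.roles:
            allowed, reason = False, "role is not a member of the policy"
        elif (now.weekday() not in policy.days
              or not (policy.hours[0] <= now.hour < policy.hours[1])):
            allowed, reason = False, "outside the permitted day/time window"
        else:
            allowed, reason = True, "role and time window satisfied"
        # Unprotect is always audited; protect only when the policy asks for it.
        if operation != "protect" or (policy is not None and policy.audit_protect):
            self.audit.append(AuditRecord(now, user, role, data_element,
                                          operation, allowed, reason))
        return allowed


def demo() -> Tuple[Dict[str, bool], List[AuditRecord]]:
    """Constructed scenario: analysts may unprotect SSNs on weekdays 08-18."""
    ssn_policy = Policy(
        data_element="customer_ssn",
        method="tokenization",
        roles={"fraud_analyst"},
        days={0, 1, 2, 3, 4},   # Monday to Friday
        hours=(8, 18),          # 08:00 to 18:00
        protector="db-protector-1",
    )
    protector = Protector("db-protector-1", {"customer_ssn": ssn_policy})
    tuesday_noon = datetime(2014, 6, 3, 12, 0)
    tuesday_night = datetime(2014, 6, 3, 23, 0)
    sunday_noon = datetime(2014, 6, 8, 12, 0)
    results = {
        "analyst_in_window": protector.check("alice", "fraud_analyst", "customer_ssn", "unprotect", tuesday_noon),
        "analyst_at_night": protector.check("alice", "fraud_analyst", "customer_ssn", "unprotect", tuesday_night),
        "analyst_on_sunday": protector.check("alice", "fraud_analyst", "customer_ssn", "unprotect", sunday_noon),
        "dba_unprotect": protector.check("bob", "dba", "customer_ssn", "unprotect", tuesday_noon),
        "dba_protect": protector.check("bob", "dba", "customer_ssn", "protect", tuesday_noon),
        "no_policy": protector.check("alice", "fraud_analyst", "customer_email", "unprotect", tuesday_noon),
    }
    return results, protector.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, ok in decisions.items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY'}")
    for rec in trail:
        print(rec.when, rec.user, rec.operation, rec.data_element, rec.allowed, rec.reason)
```

The timestamp is passed in explicitly rather than read from the clock so the "When" rule can be tested deterministically; a denied request that has no policy at all is still audited, since an unprotect attempt against an element nobody has classified is exactly what the audit trail should surface.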
100. Enterprise Data Security Platform
Enterprise Security Administrator (ESA)
• Central Point of Data Security Policy Management
• Deployed as Soft Appliance
• Hardened, High Availability, Backup & Restore
Gateway & Protection Servers
• Deployed as Soft Appliance
• Hardened, High Availability, Backup & Restore
Data Protectors
• Enforcing data security policy close to the data store
• Heterogeneous Coverage:
  • AIX, HPUX, Linux, Solaris, Windows, z/OS
  • Teradata, Oracle, Netezza, Pivotal, DB2, UDB, SSQL
  • Hadoop – Cloudera, Hortonworks, Pivotal, BigInsights, mapR, etc.
  • Web Services, C/C++, Java, .NET, Cobol
[Diagram: Enterprise Security Administrator, Gateway Servers and Protection Servers connected to Protectors for Application, File Servers, RDBMS, Big Data, MPP, HP NonStop Base24 and IBM Mainframe]
102. Thank you!
Questions?
Please contact us for more information
www.protegrity.com
Ulf.Mattsson@protegrity.com
To Request A Copy of the Presentation
Email: info@protegrity.com