Ulf Mattsson webinar, June 7 2012 (SlideShare version)
1. Choosing the Right Data Security Solution
Ulf Mattsson, CTO
Protegrity
June 7th, 2012
2. Ulf Mattsson, CTO Protegrity
20 years with IBM Research & Development and Global Services
Started Protegrity in 1994 (Data Security)
Inventor of 25 patents – Encryption and Tokenization
Member of
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
• ISACA, ISSA and Cloud Security Alliance (CSA)
3. Agenda
Data Breaches
Data Protection Trends
Encryption versus Tokenization
Vault-based Tokenization versus Vaultless Tokenization
Case studies
Summary
5. Albert Gonzalez: 20 Years In US Federal Prison
US Federal indictments:
1. Dave & Busters
2. TJ Maxx
3. Heartland HPS
• $140M in breach expenses
Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
Source: http://www.youtube.com/user/ProtegrityUSA
6. What about Breaches & PCI? Was Data Protected?
[Bar chart: percent of breached organizations found in compliance with each PCI DSS requirement, scale 0 to 100%, bars in the order listed]
9: Restrict physical access to cardholder data
5: Use and regularly update anti-virus software
4: Encrypt transmission of cardholder data
2: Do not use vendor-supplied defaults for security parameters
12: Maintain a policy that addresses information security
1: Install and maintain a firewall configuration to protect data
8: Assign a unique ID to each person with computer access
6: Develop and maintain secure systems and applications
10: Track and monitor all access to network resources and data
11: Regularly test security systems and processes
7: Restrict access to data by business need-to-know
3: Protect stored data
Based on post-breach reviews: relevant organizations in compliance with PCI DSS. Source: Verizon study
8. What Data is Compromised?
[Bar chart: by percent of records, scale 0 to 100%, bars in the order listed]
Personal information (Name, SS#, Addr, etc.)
Payment card numbers/data
Unknown (specific type is not known)
Medical records
Classified information
Trade secrets
Copyrighted/Trademarked material
System information (config, svcs, sw, etc.)
Bank account numbers/data
Authentication credentials…
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
9. Today “Hacktivism” is Dominating
[Bar chart: by percent of records, scale 0 to 70%, bars in the order listed]
Activist group
Organized criminal group
Relative or acquaintance of employee
Former employee (no longer had access)
Unaffiliated person(s)
Unknown
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
10. Growing Threat of “hacktivism”
Attacks by Anonymous include
• 2012: CIA and Interpol
• 2011: Sony, Stratfor and HBGary Federal
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
11. Some Major Data Breaches
[Timeline chart: major data breaches from April 2011 to August 2011, plotted by time, dollar impact and attack type]
Source: IBM 2012 Security Breaches Trend and Risk Report
12. The Sony Breach & The Cloud
Lost 100 million passwords and personal details stored in clear
Spent $171 million related to the data breach
Sony's stock price has fallen 40 percent
For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
Attack via SQL Injection
13. SQL Injection Attacks are Increasing
[Bar chart: SQL injection attacks per quarter, Q1 2011 to Q3 2011, scale 0 to 25,000]
Source: IBM 2012 Security Breaches Trend and Risk Report
15. What is SQL Injection?
[Diagram: an injected SQL command passes through the application to the data store]
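Slide 12 attributes the Sony breach to SQL injection and slide 15 only sketches the flow (injected command, application, data store). The Python example below is added here and is not part of the original deck; it shows the defect and its fix side by side: a query assembled by string concatenation, where the caller's input becomes part of the SQL command, next to a parameterized query that binds the same input as a value. The in-memory sqlite3 table and its two rows are constructed for the example, and the stored card references are tokens from the deck's own token table rather than card numbers, which is the point the deck makes about reducing what an attacker can take from a compromised store.

```python
import sqlite3

# Constructed sample data: two customers whose stored card references are tokens
# (values taken from the deck's token-format table), not primary account numbers.
SAMPLE_ROWS = [("alice", "8278278929902789"), ("bob", "9302899926626345")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, token TEXT)")
    conn.executemany("INSERT INTO cards (customer, token) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer):
    """Defective version: the caller's string is spliced into the SQL text, so a quote
    character in the input changes the structure of the command itself."""
    sql = "SELECT customer, token FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    """Hardened version: the SQL text is fixed and the input is bound as a value, so it
    can only ever be compared against the column, never parsed as SQL."""
    sql = "SELECT customer, token FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with input that contains a quote and
    an OR clause; return the row counts so the behavioural difference is visible."""
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote character
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The concatenated query returns every row for the crafted input because the quote closes the string literal and the rest is parsed as SQL; the parameterized query returns nothing because the whole input is compared as one literal value. Detection on the database side is the same in both cases (log the statement text), but only the bound-parameter form removes the defect.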
16. New Industry Groups are Targets
[Bar chart: by percent of breaches, scale 0 to 60%, bars in the order listed]
Accommodation and Food Services
Retail Trade
Finance and Insurance
Health Care and Social Assistance
Other
Information
By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
17. The Changing Threat Landscape
Some issues have stayed constant:
• The threat landscape continues to gain sophistication
• Attackers will always be a step ahead of the defenders
We are fighting highly organized, well-funded crime syndicates and nations
A move from detective to preventative controls is needed
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
18. How are Breaches Discovered?
[Bar chart: by percent of breaches, scale 0 to 70%, bars in the order listed]
Notified by law enforcement
Third-party fraud detection (e.g., CPP)
Reported by customer/partner affected
Brag or blackmail by perpetrator
Unknown
Witnessed and/or reported by employee
Other(s)
Internal fraud detection mechanism
Financial audit and reconciliation process
Log analysis and/or review process
Unusual system behavior or performance
By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
20. What Assets are Compromised?
[Bar chart: by percent of records, scale 0 to 100%, bars in the order listed; the bracketed terms are the asset categories shown on the slide]
Database server
Web/application server
Desktop/Workstation
Mail server
Call Center Staff (People)
Remote Access server
Laptop/Netbook
File server
Pay at the Pump terminal (User devices)
Cashier/Teller/Waiter (People)
Payment card (credit, debit, etc.) (Offline…)
Regular employee/end-user (People)
Automated Teller Machine (ATM)
POS terminal (User devices)
POS server (store controller)
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
21. Hacking and Malware are Leading Threat Action Categories
[Bar chart: by percent of records, scale 0 to 100%, bars in the order listed]
Hacking
Malware
Social
Physical
Misuse
Error
Environmental
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
31. Miniaturization of the Tokenization Server
[Diagram: evolution from a vault-based tokenization server to a vault-less tokenization server]
32. Protegrity Tokenization Differentiators
Criterion | Vault-based Tokenization | Vaultless Tokenization
Footprint | Large, expanding. | Small, static.
High Availability, Disaster Recovery | Complex, expensive replication required. | No replication required.
Distribution | Practically impossible to distribute geographically. | Easy to deploy at different geographically distributed locations.
Reliability | Prone to collisions. | No collisions.
Performance, Latency, and Scalability | Will adversely impact performance & scalability. | Little or no latency. Fastest industry tokenization.
Extendibility | Practically impossible. | Unlimited tokenization capability.
33. External Validation for Protegrity Vaultless Tokenization
“The Protegrity tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.”
Prof. Dr. Ir. Bart Preneel
Katholieke University Leuven, Belgium *
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven and president of the International Association for Cryptologic Research.
* The Katholieke University Leuven in Belgium is where the Advanced Encryption Standard (AES) was invented.
35. Speed of Different Protection Methods
[Bar chart: transactions per second on a logarithmic scale from 100 to 10,000,000, for Basic Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization]
Speed will depend on the configuration
36. Security of Different Protection Methods
[Bar chart: security level from Low to High, for Basic Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization]
38. Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
• 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: 30 days with Basic Tokenization to 90 minutes with Vaultless Tokenization
• End-to-End Tokens: Started with the D/W and expanding to stores
• Lower maintenance cost – don’t have to apply all 12 requirements
• Better security – able to eliminate several business and daily reports
• Qualified Security Assessors had no issues
• “With encryption, implementations can spawn dozens of questions”
• “There were no such challenges with tokenization”
39. Case Study: Energy Industry
Why? Reduce PCI Scope
• Best way to handle legacy, we got most of it out of PCI
– Get rid of unwanted paper copies
– No need to rewrite/redevelop or restructure business applications
– A VERY efficient way of PCI Reduction of Scope
• Better understanding of your data flow
– Better understanding of business flow
– Opportunity to clean up a few business oddities
40. Case Studies: Retail
Customer 1: Why? Three major concerns solved
• Performance Challenge: Initial tokenization
• Vendor Lock-In: What if we want to switch payment processor
• Extensive Enterprise End-to-End Credit Card Data Protection
Customer 2: Why? Desired single vendor to provide data protection
• Combined use of tokenization and encryption
• Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the mainframe
• Tokens on the mainframe to avoid compensating controls
43. Tokenization and “PCI Out Of Scope”
[Decision flowchart, read top to bottom:]
1. Is de-tokenization available to the system? Yes: No Scope Reduction. No: continue.
2. Are the tokens random numbers? No (FPE): Scope Reduction. Yes: continue.
3. Is the system isolated from the Card Holder Data Environment? Yes: Out of Scope. No: Scope Reduction.
Source: http://www.securosis.com
45. How Should I Secure Different Data?
[Matrix: Type of Data (Un-structured to Structured) on the horizontal axis against Use Case (Simple, e.g. PII, to Complex, e.g. PHI / Protected Health Information) on the vertical axis. File Encryption is placed on the un-structured side, Field Tokenization on the structured side, with Card Holder Data (PCI) between them]
46. Flexibility in Token Format Controls
Type of Data | Input | Token | Comment
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, last 4 digits exposed
Credit Card | 3872 3789 1620 3675 | 3872 qN4e 5yPx 3675 | Alpha-numeric, digits exposed
Medical ID | 29M2009ID | 497HF390D | Alpha-numeric
Date | 10/30/1955 | 12/25/2034 | Date, multiple date formats
E-mail Address | yuri.gagarin@protegrity.com | empo.snaugs@svtiensnni.snk | Alpha-numeric
SSN | 075672278 or 075-67-2278 | 287382567 or 287-38-2567 | Numeric, delimiters in input
Invalid Luhn | 5105 1051 0510 5100 | 8278 2789 2990 2782 | Luhn check will fail
Binary | 0x010203 | 0x123296910112 |
Alphanumeric Indicator | 5105 1051 0510 5100 | 8278 2789 299A 2781 | Position to place alpha is configurable
Decimal | 123.45 | 9842.56 | Non length preserving
Multi-Merchant | 3872 3789 1620 3675 | Merchant 1: 8278 2789 2990 2789; Merchant 2: 9302 8999 2662 6345 | Deliver a different token to different merchants based on the same credit card number.
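The comparison on slide 32 (vault-based tokens need a stored mapping, replication and a collision check; vaultless tokens come from static randomized tables and cannot collide) and the format controls on slide 46 (numeric tokens, last four digits exposed, tokens that deliberately fail the Luhn check) can be made concrete with a small Python model. The code below is an added example and is neither Protegrity's product code nor its actual algorithm: the vault-based class models the storage and collision-check burden, while the vaultless class uses a deliberately simplified position-chained digit substitution chosen only to show the deterministic, storage-free property, and must not be read as a secure construction. The sample card numbers are the constructed test values from the slide's own table, and the seed in demo() exists only so the run is reproducible.

```python
import random
import secrets
import string

# Constructed sample value from the deck's token-format table (a test number, not a real card).
SAMPLE_PAN = "3872378916203675"


def luhn_valid(digits):
    """Standard Luhn check: True when the digit string carries a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _split(value, keep_last):
    """Split a value into the part that gets tokenized and the tail left exposed."""
    return (value, "") if keep_last <= 0 else (value[:-keep_last], value[-keep_last:])


class VaultTokenizer:
    """Toy vault-based model: tokens are random, so the PAN-to-token mapping must be stored
    (the vault grows with every new PAN and must be replicated wherever tokens are issued)
    and every fresh token must be checked against all tokens already issued."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.vault = {}              # PAN -> token
        self.issued = set()          # every token handed out so far
        self.collision_retries = 0   # how often the collision check rejected a draw

    def tokenize(self, pan, keep_last=4):
        if pan in self.vault:
            return self.vault[pan]
        head, tail = _split(pan, keep_last)
        while True:
            candidate = "".join(self.rng.choice(string.digits) for _ in head) + tail
            if candidate in self.issued:
                self.collision_retries += 1  # collision: draw again
            elif not luhn_valid(candidate):  # format control: a token must fail the Luhn check
                break
        self.vault[pan] = candidate
        self.issued.add(candidate)
        return candidate

    def detokenize(self, token):
        """Reverse lookup is only possible against the stored vault."""
        return next(pan for pan, tok in self.vault.items() if tok == token)


class VaultlessTokenizer:
    """Toy vaultless model: a fixed set of randomized digit-substitution tables generated once
    and copied to every site. Deterministic (same PAN, same token), injective (distinct PANs
    never share a token), no per-PAN storage or replication. Simplified illustration only:
    not a secure construction and not Protegrity's scheme."""

    def __init__(self, rng=None):
        rng = rng or secrets.SystemRandom()
        self.tables = [rng.sample(string.digits, 10) for _ in range(10)]  # 10 digit permutations
        self.inverse = [{d: i for i, d in enumerate(t)} for t in self.tables]

    def tokenize(self, pan, keep_last=4):
        head, tail = _split(pan, keep_last)
        out, prev = [], 0
        for pos, ch in enumerate(head):
            # Table choice depends on position and on the previous output digit, so the same
            # input digit maps differently in different contexts; the tail passes through.
            t = self.tables[(pos + prev) % 10][int(ch)]
            out.append(t)
            prev = int(t)
        return "".join(out) + tail

    def detokenize(self, token, keep_last=4):
        head, tail = _split(token, keep_last)
        out, prev = [], 0
        for pos, ch in enumerate(head):
            out.append(str(self.inverse[(pos + prev) % 10][ch]))
            prev = int(ch)
        return "".join(out) + tail


def demo(seed=1234):
    """Tokenize the sample PAN with both models (seeded only for reproducibility) and report
    the properties a reviewer would check: 16 numeric digits, last four exposed, Luhn failure,
    round trip, stability, and distinct tokens for distinct PANs."""
    vault = VaultTokenizer(random.Random(seed))
    vaultless = VaultlessTokenizer(random.Random(seed))
    vt, vl = vault.tokenize(SAMPLE_PAN), vaultless.tokenize(SAMPLE_PAN)
    other = "3872378916213675"   # constructed PAN differing from SAMPLE_PAN in one head digit

    def format_ok(s):
        return len(s) == 16 and s.isdigit() and s.endswith(SAMPLE_PAN[-4:])

    return {
        "vault_format_ok": format_ok(vt),
        "vault_fails_luhn": not luhn_valid(vt),
        "vault_roundtrip": vault.detokenize(vt) == SAMPLE_PAN and vault.tokenize(SAMPLE_PAN) == vt,
        "vault_entries": len(vault.vault),
        "vaultless_format_ok": format_ok(vl),
        "vaultless_roundtrip": vaultless.detokenize(vl) == SAMPLE_PAN,
        "vaultless_stable": VaultlessTokenizer(random.Random(seed)).tokenize(SAMPLE_PAN) == vl,
        "vaultless_injective": vaultless.tokenize(other) != vl,
    }
```

The two classes expose the operational difference the slide's table describes: VaultTokenizer keeps state (vault, issued set, retry counter) that every issuing site would have to share, whereas VaultlessTokenizer carries only its tables, which are generated once and then read-only. The Luhn check applied to the slide's "Invalid Luhn" row reproduces the slide's claim: the listed input passes and the listed token fails.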
47. What are the benefits of Tokenization?
Reduces complexity of key management.
Reduces the number of hacker targets.
Reduces the remediation for protecting systems.
Reduces the cost of PCI Compliance.
Additional benefits with Protegrity Vaultless Tokenization
Infinitely Scalable
Fastest tokenization method in the world
Simplicity and Security: No replication, No collisions
Flexible and easy to deploy and distribute
Lower Total Cost of Ownership than Basic Tokenization
49. About Protegrity
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented Technology, Continuing to Drive Innovation
Growth driven by compliance and risk management
• PCI (Payment Card Industry)
• PII (Personally Identifiable Information)
• PHI (Protected Health Information) – HIPAA
• State and Foreign Privacy Laws, Breach Notification Laws
• Requirements to eliminate the threat of data breach and non-compliance
Cross-industry applicability
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance and Banking
• Healthcare, Telecommunications, Media and Entertainment
• Manufacturing and Government
50. What are Industry Analysts Saying?
“Protegrity has a comprehensive approach to a range of data security problems, while most vendors only have one stovepipe solution with no coherent strategy.”
- Scott Crawford, EMA
“I’m really impressed that you’ve expanded your Tokenization solution to include PII and HIPAA. I haven’t seen this from other vendors. It’s really nice to see that vendors are driving innovation, before there’s a big demand from customers.”
- Derek Brink, Aberdeen
“Tokenizing payment data holds the promise of improving security while reducing auditing costs, generating great demand amongst the merchant community. Tokenization is a simple technology with a clear value proposition.”
- Adrian Lane, Analyst and CTO, Securosis
“Protegrity’s approach to tokenization is very elegant and it’s clear your solution is very fast and flexible.”
– A leading Industry Analyst Firm
51. Summary
Optimal support of complex enterprise requirements
• Heterogeneous platform supports all operating systems and databases
• Flexible protectors (Database, Application, File)
• Risk Adjusted Data Protection offers options for protecting data with the appropriate strength
• Built-in Key Management
• Consistent Enterprise policy enforcement and audit logging
Innovative
• Pushing data protection with industry leading
Proven
• Proven platform currently protects the world’s largest companies
Experienced
• Experienced staff will be there with support along the way to complete data protection
52. Questions and Answers
Elaine Evans
Protegrity Marketing
elaine.evans@protegrity.com
www.protegrity.com