Webcast title :
Emerging Application and Data Protection for Cloud
Description :
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Learn about Data Protection solutions for enterprise.
Learn about the new trends in Data Masking, Tokenization and Encryption.
Learn about new Standards for masking from ISO and NIST.
Learn about the new API Economy and how to control access to sensitive data — both on-premises, and in public and private clouds.
7. 7
Verizon: Worry Only About the Major Breach Patterns
Source: Verizon Data Breach Investigations Report
Application Attacks
Percentage (blue bar), and count of breaches per pattern. The gray line represents the percentage of breaches from
13. 13
Source: Gartner
Coding security directly into APIs has the following disadvantages:
■ Violates separation of duties.
■ Makes code more complex and fragile.
■ Adds extra maintenance burden.
■ Is unlikely to cover all aspects that are required in a full API security policy.
■ Not reusable.
■ Not visible to security teams.
Security for Microservices
15. 15
Source: Gartner
Apply policies to APIs (for example, using an API gateway) but avoid situations where each API has a unique security policy.
Instead, leverage a reusable set of policies that are applied to APIs based on their categorization.
Abstract any specific API characteristics (such as URL path) from the policies themselves.
Products Delivering API Security
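A sketch of the category-based policy model described above, as an added example that is not from the slides or from any gateway product. The category names, scopes, routes and the `handle` function are hypothetical; policies never mention a URL path, and only the catalog does.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Policy:
    require_auth: bool
    required_scope: Optional[str]
    mask_fields: tuple = ()          # response fields hidden by the gateway

# Reusable policies keyed by API category (constructed names and scopes).
POLICIES = {
    "public":    Policy(False, None),
    "internal":  Policy(True, "internal.read"),
    "sensitive": Policy(True, "pii.read", ("pan", "ssn")),
}

# The only place URL paths appear: a catalog that assigns a category to each API.
CATALOG = [
    ("/v1/status", "public"),
    ("/v1/orders/*", "internal"),
    ("/v1/customers/*", "sensitive"),
]

def categorize(path):
    for pattern, category in CATALOG:
        if fnmatchcase(path, pattern):
            return category
    return "sensitive"               # fail closed: uncatalogued APIs get the strictest policy

def handle(path, scopes, authenticated, response):
    """Gateway decision for one call: returns (status, body)."""
    policy = POLICIES[categorize(path)]
    if policy.require_auth and not authenticated:
        return 401, None
    if policy.required_scope and policy.required_scope not in scopes:
        return 403, None
    body = {k: ("***" if k in policy.mask_fields else v)
            for k, v in response.items()}
    return 200, body
```

Publishing a new API means adding one catalog line; the security team reviews three policies rather than one per endpoint.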
19. 19
Columns: Vendor, Category, iOS, Android, Apple Pay, Android Pay, Google Pay, Non-PCI data, CVV, Drop-in UI, Field Formatting/Validation, Tokenize directly from device
Vendor 1 (Payment Processor): YES YES YES YES YES YES YES
Vendor 2 (Data Security Platform): YES YES YES YES YES
Vendor 3 (NG Payment Processor): YES YES YES YES YES YES YES
Vendor 4 (NG Payment Processor): YES YES YES YES YES YES YES YES YES
Vendor 5 (Payments API): YES YES YES YES
Vendor 6 (Payment Processor): YES YES YES YES YES YES YES
Source: TokenEx
Mobile SDK Vendors
20. 20
Three methods to keep mobile data secure:
• Apps running natively on iOS or Android that collect payment data can use any of the standard RSA encryption libraries to locally encrypt sensitive data on the device and then subsequently tokenize the encrypted value from the organization’s mobile application server.
• Developers can use a mobile SDK to tokenize within a native iOS or Android application. The mobile SDK can be configured to capture the CVV in addition to tokenizing the PAN.
• A mobile device can use a WebView to display the (CVV) iFrame hosted on the organization’s web server.
Source: TokenEx
Data Security in Native and Mobile Applications
21. 21
The iFrame (inline frame) provides our customer significant flexibility to secure their payment checkout page while keeping the look and feel of the overall web site design.
But rather than redirecting every element on the checkout page to Token servers, the customer simply places HTML iFrame code on their checkout page so that all data entered within that iFrame is directed to Token servers.
• Customer can supply custom CSS and regex validation CVV
• Supports non-PCI data
• Can be used by mobile devices
• For e-commerce merchants, can lower their PCI scope to an SAQ A
Source: Gartner
The iFrame (inline frame)
22. 22
iFrame-based functionality on the market:
Feature headers: UI Option, Field Only, Non PCI, CVV only, CVV Retention, Format Field, Basic Validation, Real Time, Distinguishable Tokens, Blur, Multiple iFrames, CSS, 3DS Int, Alt Acceptance
Vendor 1: YES YES YES 24hr YES YES YES YES YES YES YES
Vendor 2: YES YES 20min YES YES YES YES YES YES
Vendor 3: YES YES NA NA YES YES YES YES YES
Vendor 4: YES YES YES NA YES YES YES YES YES YES YES YES
Vendor 5: YES YES YES YES YES YES YES YES YES YES YES YES
Source: TokenEx
iFrame and Vendors
E-Commerce Focus
25. 25
Pseudonymisation Under the GDPR
Within the text of the GDPR, there are multiple references to pseudonymisation as an appropriate mechanism for protecting personal data.
Pseudonymisation (replacing identifying or sensitive data with pseudonyms) is synonymous with tokenization (replacing identifying or sensitive data with tokens).
Article 4 – Definitions
• (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); …such as a name, an identification number, location data, an online identifier…
• (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately…
What is Personal Data according to GDPR?
26. 26
Example of Cross Border Data-centric Security
[Diagram: Data sources; Data Warehouse in Italy]
Complete policy-enforced de-identification of sensitive data across all bank entities
29. 29
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach | Cipher System | Code System
Cryptographic algorithms
Cryptographic keys
Code books
Index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Tokenization, Encryption
30. 30
What is the difference?
• Encryption - A data security measure using mathematical algorithms to generate rule-based values in place of original data
• Tokenization - A data security measure using mathematical algorithms to generate randomized values in place of original data
Encryption alone is not a full solution
• With encryption, sensitive data remains in business systems. With tokenization, sensitive data is removed completely from business systems and securely vaulted.
Tokens are versatile
• Format-preserving tokens can be utilized where masked information is required
Encryption vs Tokenization
31. 31
Examples of Protected Data
Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | joe.smith@surferdude.org | eoe.nwuer@beusorpdqo.org
SSN | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | | Encrypted
Photo | | Encrypted
X-Ray | | Encrypted
Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
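The vault-based tokenization contrasted with encryption above, and the CC Number row of the table (a format-preserving token that keeps the last four digits), as an added example that is not part of the original slides. The `TokenVault` class and its in-memory dictionaries are hypothetical stand-ins for a separately hosted vault.

```python
import secrets

class TokenVault:
    """Toy vault: the only place where token and real value are linked."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value, keep_last=4):
        if value in self._by_value:          # same input always maps to the same token
            return self._by_value[value]
        digits = [i for i, c in enumerate(value) if c.isdigit()]
        replace = digits[:-keep_last] if keep_last else digits
        if not replace:
            raise ValueError("nothing left to randomize; value would leak unchanged")
        while True:
            chars = list(value)
            for i in replace:                # random digits, not derived from the input
                chars[i] = str(secrets.randbelow(10))
            token = "".join(chars)           # spaces, dashes and length are preserved
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        # No key or algorithm recovers the value; only a vault lookup does.
        return self._by_token[token]

if __name__ == "__main__":
    vault = TokenVault()
    pan = "3678 2289 3907 3378"              # sample value from the table above
    token = vault.tokenize(pan)
    print(token, "->", vault.detokenize(token))
```

Business systems store only the token; keeping the vault separate is what makes the mapping the "additional information ... kept separately" of the GDPR definition quoted earlier.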
37. 37
How Should I Secure Different Types of Data?
[Figure: axes Type of Data (Structured, Un-structured) and Use Case (Simple to Complex). Labels: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information); Tokenization of Fields; Encryption of Files.]
38. 38
Reduction of Pain with Different Protection Techniques
[Figure: Pain & TCO (High to Low) versus Year (1970, 2000, 2005, 2010). Techniques: Strong Encryption (AES, 3DES); Format Preserving Encryption (DTP, FPE); Vault-based Tokenization; Vaultless Tokenization. Annotations: Format Preserving; Greatly reduced Key Management; No Vault.]
Input Value: 3872 3789 1620 3675
Output: !@#$%a^.,mhu7///&*B()_+!@; 8278 2789 2990 2789; 8278 2789 2990 2789; 8278 2789 2990 2789
40. 40
Local Speed of Fine Grained Protection Algorithms
[Figure: Transactions per second* (axis ticks from 100 to 10 000 000) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, and Vault-based Data Tokenization.]
*: Speed will depend on the configuration
41. 41
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Total Cost and Risk of Tokenization
42. 42
DESCOPING AN ECOMMERCE SOLUTION
A PCI SAQ A contains 22 controls compared to more than 300 for the full PCI DSS
• Use a hosted iFrame or payments page provided by a validated service provider to capture and tokenize CHD
• Do not transmit, process or store CHD via any other acceptance channel and utilize payment services of tokenization provider to process transactions
Minimize Cost of PCI Tokenization
53. 53
#3 Self-Sovereign Identity (SSI)
[Diagram labels: YOU; CONNECTION; PEER; DISTRIBUTED LEDGER (BLOCKCHAIN)]
Source: Sovrin.org
The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow every public key to have its own address, which is called a decentralized identifier (DID).
54. 54
#3 Self-Sovereign Identity (SSI)
[Diagram labels: PEER; DISTRIBUTED LEDGER (BLOCKCHAIN); DIGITAL WALLET; CONNECTION; GET CREDENTIAL; SHOW CREDENTIAL]
1 DIDs
2 DKMS
3 DID AUTH
4 Verifiable Credentials
Source: Sovrin.org
61. 61
A Data Security API Platform Example
[Diagram labels: 3rd-Party Ingress; Batch; Mobile; eCommerce Payment Support; Token Formats; Vaulting; Token Lifecycle; 3rd-Party Egress; Web Services; P2PE Encryption Cost Structure; Data Security Platform]
62. 62
Software Development - Collaboration, open communication, and secure coding are the foundations of a web development process. Software development services range from hosting and system architecture, to cloud migration and CRM integrations.
Enterprise Web Design - Designs that build powerful brands and reliable user experiences, putting your company in the right direction.
Managed Services and DevOps - Consider adding resources or new skillsets to your development team. We are able to seamlessly integrate with your developers and help you meet your goals. Rely on an ongoing partnership with Atlantic BT to run lean.
Security - Integrating applications and databases to address threats by combining compliance, responsiveness, and engineering without sacrificing usability and agility.
Cloud Services - Whether you are migrating to the cloud or simply looking for a managed services provider, Atlantic BT has a custom solution. Work in regulated spaces like government, healthcare, and higher education. We build scalable hosting solutions from the ground up.
eCommerce - From building new eCommerce websites to Magento 2 upgrades, we have helped many stores grow their online revenue.
Digital Marketing - Data-driven digital marketing process involves auditing and analyzing results in order to develop a strategy that works best for you. We go beyond traditional key performance indicators like click-through rates and traffic.
Source: atlanticbt.com
Work with Leaders in Website and Technology Development: