7. Online Data Under Attack – Not Laptops or Backup
Slide source: Verizon Business 2008 Data Breach Investigations Report.
Breaches attributed to insiders are much larger than those caused by outsiders.
The type of asset compromised most frequently is online data.
8. Top 15 Threat Action Types (chart: % of Records, % of Breaches)
Source: 2009 Data Breach Investigations Supplemental Report, Verizon.
9. The Gartner 2010 CyberThreat Landscape: the danger of advanced persistent threats (APTs) to enterprises.
10. Attacks at Different System Layers
Diagram. System layers: Data Entry, Application, Database, File System, Storage, Backup, Network.
Attack types shown per layer: Database Attack, Malware / Trojan, File Attack, SQL Injection, Media Attack, Sniffer Attack, and others.
Actors shown: Authorized / Un-authorized Users, HW Service Contractors, Vendors, Database Admin, System Admin, and others.
"The perimeter is gone – need for new security approaches"
16. Case Study 1: Goal – PCI Compliance & Application Transparency
Diagram: retail store applications exchange files over FTP with the central HQ location.
Labels: Retail Store; Applications; Credit Card Entry: Encryption service; FTP; File Decryption; Central HQ Location; File Encryption: Windows; File Encryption: Windows, UNIX, Linux, z/OS; Database Encryption: DB2 (z/OS, iSeries), Oracle, SQL Server.
17. Case Study 2: Goal – Addressing Advanced Attacks & PCI DSS
Diagram: retail store applications exchange files over FTP with the central HQ location, with End-to-End Encryption (E2EE) from the point of credit card entry.
Labels: Retail Store; Application; Credit Card Entry; Application Encryption: Encryption service; FTP; Central HQ Location; Database Encryption: DB2, SQL Server; File Encryption: Windows, UNIX, z/OS.
19. Column Encryption Performance – Different Topologies
Chart. Y axis: Rows Decrypted / s (100 bytes), logarithmic scale from 1 000 to 1 000 000. X axis: Encryption Topology, comparing Network Attached Encryption (SW/HW) with Local Encryption (SW/HW), and z/OS Hardware Crypto - CPACF (All Operations). Series: Data Loading (Batch); Queries (Data Warehouse & OLTP).
20. Evaluation of Encryption Options for DB2 on z/OS (rated Best to Worst)
Table rows (Encryption Interface): API; UDF DB2 V8; UDF DB2 V9 - Fieldproc; Editproc.
Table columns: Performance; PCI DSS Security; Transparency.
The cell ratings are not present in the extracted text.
21. Choose Your Defenses – Newer Data Security Approaches
Data Tokenization: Application, Databases, Key Manager, Token Server, Token Data. Example of Token format: 1234 1234 1234 4560.
Format Controlling Encryption: Application, Databases, Key Manager, Encryption service. Example of Encrypted format: 111-22-1013.
26. New Tokenization Approach – Distributed Servers
Diagram: a central Security Management component manages several Token Servers, each serving its own Customer Applications.
27. Different Tokenization Approaches – Performance
Chart. Y axis: PAN Tokenization (per second), logarithmic scale from 5 to 200 000. X axis: Tokenization Topology (Old Outsourced; Old On-site; New On-site). Series: New Distributed Tokenization Approach (per deployed token server); Old Centralized Tokenization Approach (enterprise total).
28. Evaluating Different Tokenization Solutions (rated Best to Worst)
Table: Evaluating Different Tokenization Implementations.
Columns: Hosted/Outsourced (Central (old); Distributed); On-site/On-premises (Central (old); Distributed; Integrated).
Rows (Evaluation Area: Criteria): Operational Needs: Availability, Scalability, Performance; Pricing Model: Per Server, Per Transaction; Data Types: Identifiable - PII, Cardholder - PCI; Security: Separation, Compliance Scope.
The cell ratings are not present in the extracted text.
29. How to not Break the Data Format (CCN / PAN example)
Protection Method – Example value – Data Field Length / Type
Clear Text – 123456 123456 1234 – length and type preserved
Partial Encoding (Tokenizing or Formatted Encryption) – 123456 777777 1234 – length and type preserved
Encoding (Tokenizing or Formatted Encryption) – 666666 777777 8888 – length and type preserved
Alpha Encoding – aVdSaH gF4fJh sDla – Type Changed
Binary Encryption – !@#$%a^&*B()_+!@ – Type Changed
Hashing – !@#$%a^&*B()_+!@4#$2%p^&* – Length and Type Changed
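The "Partial Encoding" row above, with the first six and last four digits kept and only the middle replaced so that length and numeric type survive, implemented as a small vault-based token server. This is an added example, not Protegrity's product code; the keep-6/keep-4 split, the Luhn check on input and the in-memory vault are assumptions made for the illustration.

```python
import secrets


def luhn_valid(pan):
    """Luhn check on a digits-only PAN; used to reject malformed input early."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenServer:
    """Vault-based tokenization that keeps the PAN's length and numeric type.

    The first `keep_head` digits (BIN) and last `keep_tail` digits are kept and
    the middle is replaced with random digits, matching the "Partial Encoding"
    row. The PAN<->token mapping lives in an in-memory vault here (assumption);
    a production token server keeps it in a separately secured store.
    """

    def __init__(self, keep_head=6, keep_tail=4):
        self.keep_head, self.keep_tail = keep_head, keep_tail
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:       # same PAN always maps to the same token
            return self._token_by_pan[pan]
        head, tail = pan[:self.keep_head], pan[-self.keep_tail:]
        mid_len = len(pan) - self.keep_head - self.keep_tail
        while True:
            token = head + "".join(secrets.choice("0123456789") for _ in range(mid_len)) + tail
            # Retry on the (rare) collision with an issued token or with the PAN itself
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Vault lookup; only an authorised caller should be able to reach this."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]
```

Because the token is random rather than derived from the PAN, it carries no key material and can be stored in the application database while the vault stays in the token server's scope.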
30. Different Security Options for Data Fields (rated Best to Worst)
Table columns: Strong Encryption; Formatted Encryption; New Distributed Tokenization; Old Central Tokenization.
Table rows (Evaluation Criteria): Disconnected environments; Distributed environments; Performance impact – data loading; Transparent to applications; Expanded storage size; Transparent to database schema; Long life-cycle data; Unix or Windows & "big iron"; Re-keying of data in a data flow; High risk data; Compliance to PCI, NIST.
The cell ratings are not present in the extracted text.
31. Matching Data Protection Solutions with Risk Level
Risk Level – Solution:
Low Risk (1-5) – Monitor
At Risk (6-15) – Monitor, mask, access control limits, format control encryption
High Risk (16-25) – Tokenization, strong encryption
Data Field – Risk Level:
Credit Card Number 25; Social Security Number 20; CVV 20; Customer Name 12; Secret Formula 10; Employee Name 9; Employee Health Record 6; Zip Code 3
32. Choose Your Defenses – A Balanced Approach
Diagram: a Web Application Firewall in front of the Applications; Database Activity Monitoring / Data Loss Prevention between the applications and the Database Server; on the Database Server, protection applied to Database Columns, Database Files and Database Log Files, with Database Activity Monitoring.
33. Cost Effective Technology for PCI DSS: Encryption 74%, WAF 55%, DLP 43%, DAM 18%.
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute.
34. Choose Your Defenses – Positioning of Alternatives (rated Best to Worst)
Table rows (Database Protection Approach): Monitoring, Blocking, Masking; Column Level Formatted Encryption; Column Level Strong Encryption; Distributed Tokenization; Central Tokenization; Database File Encryption.
Table columns: Performance; Storage; Availability; Transparency; Security.
The cell ratings are not present in the extracted text.
35. Use Case – Data Protection in Cloud Environments
Diagram labels: Cloud Environment; Data; Token; Encryption; User; Security Administrator.
36. Use Case – Data Protection in Test/Dev Environments
Diagram: data flows from the Production Environment to the Test Environment under the control of a Security Administrator, protected by Data Tokenization, Formatted Encryption, Masking or Encryption (Token / Encryption labels on the data).
40. Protegrity Data Security Management
Diagram labels: Enterprise Data Security Administrator; Policy; Secure Distribution; Secure Collection; Audit Log; Secure Archive; Database Protector; File System Protector; Application Protector; Tokenization Server; Broad Platform Support.
42. Beyond PCI – A Cost Effective Approach to Data Protection
Ulf Mattsson, CTO, Protegrity, [email_address]
August 5, 2010, Session 7192
Editor's notes
Protegrity Questions
From a strict compliance standpoint, what is your view on the requirements regarding storage of tokens within the same RDBMS vs. storing the tokens in a separate and distinct system (e.g. an appliance)?
Can you compare and contrast the different ways of delivering tokenization; for example, as an add-on to payment processing services vs. as an in-house enterprise solution for the data center? (Even if you have it externally, you are still responsible for that data.)
What is your estimate of the size and growth rate of the token marketplace? How many inquiries are you getting about tokenization?
Who are the leaders in the token marketplace in your opinion? Is there a Forrester Wave for this?
ULF
Performance: impact on operations (end users, data processing windows).
Storage: impact on data storage requirements.
Security: how secure the data is at rest; impact on data access (separation of duties).
Transparency: changes to application(s); impact on supporting utilities and processes.
ULF
These are particular use cases where you should "watch out". The table does not capture all criteria and use cases.
Let's go back to our example of data with different risk levels. We can now pick a risk value and map it to the most cost-effective solution from a risk management perspective. The key thing to remember here is that one-size security solutions are never the best fit. The strongest protection for high risk data will be strong encryption (or tokenization) of individual data fields. The risk levels here will depend on the value of the data, data volumes, the servers, connectivity, physical security, HR aspects, geography, compensating controls and other issues.
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute. According to the report, only 18% considered database scanning and monitoring highly cost effective for PCI DSS compliance, ranking 15 out of 18 security technologies surveyed. In fact, almost half (49%) gave DAM a low rating for cost effectiveness in enabling PCI DSS compliance. Database activity monitoring had its roots in inspection of SQL traffic for indications of data loss. However, most database access is through an application path which has its own security mechanisms. The DAM market was hyped well ahead of actual customer requirements and well beyond the track record of early entrants to the space. Security technology needs to evolve into the infrastructure to be effective and efficient. New security concepts are often necessarily layered on existing infrastructures to lessen side-effects on applications while the security technology and administration procedures mature. However, over time selective capabilities such as database activity monitoring should be assimilated into database systems and application designs to improve performance and reduce overhead costs.
Protection of data from acquisition to deletion: defense in depth.