Title: Where Data Security and Data Value Meet in the Cloud Abstract: The biggest challenge in this new paradigm of the cloud and an interconnected world, is merging data security with data value and productivity. What’s required is a seamless, boundless security framework to maximize data utility while minimizing risk. In this webinar, you’ll learn about value-preserving data-centric security methods, how to keep track of your data and monitor data access outside the enterprise, and best practices for protecting data and privacy in the perimeter-less enterprise. BrightTALK webinar, January 14, 2014

1. Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com

2. Cloud Security Alliance (CSA)
PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
Ulf Mattsson, Protegrity CTO
ANSI X9
• American National Standard for Financial Services
IFIP WG 11.3 Data and Application Security
• International Federation for Information Processing
ISACA (Information Systems Audit and Control Association)
ISSA (Information Systems Security Association)
2

3. The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & Minimizing risk – finding the right balance
Value-preserving data-centric security methods
Agenda
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise.
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
3

4. The
Interconnected
4
World

5. Safe Integration - International Data Protection

6. Interconnection of Embedded Computing Devices
6
http://en.wikipedia.org/wiki/Internet_of_Things

7. They’re Tracking When You Turn Off the Lights
7
Source: Wall Street Journal

8. What is
The
8
The
New Currency?

9. Generated a 3.8% increase in the PayPal conversion
rate, the proportion of online visitors who make a
Analytics Improving Customer Experience
9
Source: Forbes
rate, the proportion of online visitors who make a
purchase.
Overall Average Order Value (AOV) rose 2.4% when the
PayPal button was moved to the top of the page.
4.03% increase in overall revenue, a more than $600,000
increase over a nine-week period.

10. Is Cloud
Secure?
10
Secure?

11. Sensitive Data in the Cloud
11
Of organizations currently (or plan to) transfer
sensitive/confidential data to the cloud in the next
24 mo.

12. Lack of Cloud Confidence
12
Number of survey respondents that either agree or are unsure
that the cloud services used by their organization are
NOT thoroughly vetted for security.

13. Chinese government cyberattack against iCloud
13

14. What Is Your No. 1 Issue Slowing
Adoption of Public Cloud Computing?
14

15. Threat Vector Inheritance
15

16. What about
Responsibilities
16
Responsibilities
in Cloud?

17. Computing as a Service:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
What is Cloud Computing?
Delivered Internally or Externally to the Enterprise:
• Public
• Private
• Community
• Hybrid
17

18. Public Cloud
18
Source: Wired.com

19. 19

20. What’s required?
• Seamless, boundless security
framework
• Balance data utility & risk• Balance data utility & risk
20

21. Hybrid Cloud
Flexibility
21
Flexibility

22. Trust
Risk Adjusted Computation – Location Awareness
Corporate
Network
Private Cloud
Private Cloud
H
Processing Cost
H
22
Elasticity
Out-sourcedIn-house
Public Cloud
L L

23. Interconnected Enterprise & Cloud
?
023
?

24. Can
Cloud Computing
24
Cloud Computing
be Secure?

25. Cloud Gateway
Security Gateway Deployment – Application Example
Client
System
Public Cloud
025
Enterprise
Security
Administrator
Security Officer
Out-sourced

26. Corporate Network
Security Gateway Deployment – Hybrid Cloud
Client
System
Public Cloud
Cloud Gateway
Private Cloud
026
Enterprise
Security
Administrator
Security Officer
Out-sourced

27. Corporate NetworkCorporate Network
Security Gateway Deployment – Hybrid Cloud
Client
System
Private Cloud Public Cloud
Cloud
Gateway
027
Enterprise
Security
Administrator
Security Officer
Gateway
Out-sourced

28. Where to put the Key
to the Front Door?
28
to the Front Door?

29. Trust, Elasticity dimensions and system components
Trust
Trusted Domain
(Corporate)
ClientClientClientClient
Protocol
Gateway
Security
Agent
29
Elasticity
ApplicationApplicationApplicationApplication
ServerServerServerServer
ApplicationApplicationApplicationApplication
DatabaseDatabaseDatabaseDatabase
Untrusted
Domain
(Public cloud)
Out-sourcedIn-house

30. Trust, Elasticity dimensions and system components
Trust
Trusted Domain
(Corporate)
ClientClientClientClient Protocol
Gateway
Security
Agent
30
Elasticity
Semi-trusted Domain
(Private cloud)
ApplicationApplicationApplicationApplication
ServerServerServerServer
Agent
ApplicationApplicationApplicationApplication
DatabaseDatabaseDatabaseDatabase
Untrusted
Domain
(Public cloud)
Out-sourcedIn-house

31. Trust, Elasticity dimensions and system components
Trust
Trusted Domain
(Corporate)
ClientClientClientClient Protocol
Gateway
Security
31
Elasticity
Semi-trusted Domain
(Private cloud)
ApplicationApplicationApplicationApplication
ServerServerServerServer
Security
Agent
ApplicationApplicationApplicationApplication
DatabaseDatabaseDatabaseDatabase
Untrusted
Domain
(Public
cloud)
Out-sourcedIn-house

32. The Trend
in
32
in
Data Protection

33. Rather than making the protection platform based,
the security is applied directly to the data,
protecting it wherever it goes, in any environment
How Data-Centric Protection Increases
Security in Cloud Computing and Virtualization
Cloud environments by nature have more access
points and cannot be disconnected – data-centric
protection reduces the reliance on controlling the
high number of access points
33

34. How to Balance
Risk and
34
Risk and
Data Access

35. Value-preserving data-centric
security methods
• How to keep track of your data and
monitor data access outside the
enterpriseenterprise
• Best practices for protecting data and
privacy in the perimeter-less enterprise.
• What New Data Security Technologies
are Available for Cloud?
35

36. Computational
Value
Risk Adjusted Storage – Data Leaking Formats
H
36
Data
Leakage
Strong-encryption Truncation Sort-order-preserving-encryption Indexing
L
I I I I

37. Corporate Network
Security Gateway Deployment – Database Example
Client
System
Cloud
Gateway
RDBMS
037
Enterprise
Security
Administrator
Security Officer

38. Should I Allow
Data Leakage?
38
Data Leakage?

39. Corporate Network
Client
System Cloud
Gateway
Security Gateway – Searchable Encryption
RDBMS
Query
re-write
039
Enterprise
Security
Administrator
Security Officer
Order preserving
encryption

40. Corporate Network
Client
System
Cloud
Gateway
Security Gateway – Search & Indexing
RDBMS
Query
re-write
040
Enterprise
Security
Administrator
Security Officer
IndexIndex

41. Data Centric Security – Risk Adjusted Data Leakage
Index
Trust
H
Index
Leaking
Sensitive
Data
Sort Order Preserving
Encryption Algorithms
Leaking Sensitive
Data
41
Index Data
Elasticity
Out-sourcedIn-house
L
Index NOT
Leaking
Sensitive
Data

42. Data Centric Security – Balance Security & Value
Value
Preserving
Classification of
Sensitive Data
Granular Protection
of Sensitive Data
42
Index Data
Leaking
Sensitive
Data ?
Encoding
Leaking
Sensitive
Data ?

43. What is
Data Tokenization?
43
Data Tokenization?

44. Data Tokenization – More Than Wrapping The Data
44
Source: Interestingengineering.com
Source: plus.google.com

45. De-identification / Anonymization
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial
Services
Dr. visits, prescriptions, hospital stays
and discharges, clinical, billing, etc.
Financial Services Consumer Products
and activities
Protection methods can be equally
applied to the actual data, but not
needed with de-identification
45

46. How Granular
Should DataShould Data
Security be?
46

47. Cost of
Application
Changes
High -
Risk Adjusted Data Formats - Payment Card Data
Risk Exposure
Cost
47
All-16-clear Only-middle-6-hidden All-16-strongly-encrypted
Low -
I I I

48. Can Security
Improve
48
Improve
User Productivity?

49. High -
Risk Adjusted Data Security – Access to Data
Risk Exposure
User Productivity and
Creativity
49
Access to
Sensitive Data in
Clear
Low Access to Data High Access to Data
Low -
I I

50. High -
Risk Adjusted Data Security – Masked Data
User Productivity and
Creativity
50
Access to
Masked Data
Low Access to Data High Access to Data
Low -
I I
Risk Exposure

51. What is
Cost-effectiveness
51
Cost-effectiveness
of
Data Protection?

52. Reduction of Pain with New Protection Techniques
High
Pain
& TCO
Strong Encryption Output:
AES, 3DES
Format Preserving Encryption
DTP, FPE
Input Value: 3872 3789 1620 3675
!@#$%a^.,mhu7///&*B()_+!@
8278 2789 2990 2789
52
1970 2000 2005 2010
Low
Vault-based Tokenization
Vaultless Tokenization
8278 2789 2990 2789
Format Preserving
Greatly reduced Key
Management
No Vault
8278 2789 2990 2789

53. Cloud Gateway - Requirements Adjusted Protection
Data Protection Methods Scalability Storage Security Transparency
System without data protection
Weak Encryption (1:1 mapping)
Searchable Gateway Index (IV)
VaultlessTokenization
Partial EncryptionPartial Encryption
Data Type Preservation Encryption
Strong Encryption (AES CBC, IV)
Best Worst
53

54. Significantly Different Tokenization Approaches
Property Dynamic Pre-generated
Vault-based Vaultless
54

55. Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
55
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY

56. Use
Case
How Should I Secure Different Data?
Simple – PCI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Personally Identifiable Information
Type of
Data
I
Structured
I
Un-structured
Complex – PHI
Protected
Health
Information
56
Personally Identifiable Information

57. How can I
Secure Data
in Production
57
in Production
and Test?

58. Fine Grained Security: Encryption of Fields
Production Systems
Encryption of fields
• Reversible
• Policy Control (authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@
58
Non-Production Systems

59. Fine Grained Security: Masking of Fields
Production Systems
59
Non-Production Systems
Masking of fields
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038

60. Fine Grained Security: Tokenization of Fields
Production Systems
Tokenization (Pseudonymization)
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
60
Non-Production Systems
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Not Reversible
• Integrates Transparently

61. How can I
Secure the
Perimeter-less
61
Perimeter-less
Enterprise?

62. Centralized Policy Management - Example
Application
RDBMS
MPP
Audit
Log
Audit
Log
Audit
Log
Enterprise
Security
Administrator
PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy
Cloud
Security Officer
Audit
Log
Audit
Log
Audit
Log
62
File Servers
Big Data
Gateway
Servers
HP NonStop
Base24
IBM Mainframe
Protector
Audit
Log
Audit
Log Audit
Log
Audit
Log
Protection
Servers
Audit
Log
Audit
Log

63. Enterprise Data Security Policy
What is the sensitive data that needs to be protected.
How you want to protect and present sensitive data. There are several methods
for protecting sensitive data. Encryption, tokenization, monitoring, etc.
Who should have access to sensitive data and who should not. Security access
control. Roles & Users
What
Who
How
63
When should sensitive data access be granted to those who have access. Day
of week, time of day.
Where is the sensitive data stored? This will be where the policy is enforced.
Audit authorized or un-authorized access to sensitive data.
When
Where
Audit

64. The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & Minimizing risk – finding the right balance
Value-preserving data-centric security methods
Summary
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise.
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
64

65. Thank you!Thank you!
Questions?
Please contact us for more information
www.protegrity.com
Ulf.Mattsson@protegrity.com