Title: Where Data Security and Data Value Meet in the Cloud
Abstract:
The biggest challenge in this new paradigm of the cloud and an interconnected world, is merging data security with data value and productivity. What’s required is a seamless, boundless security framework to maximize data utility while minimizing risk. In this webinar, you’ll learn about value-preserving data-centric security methods, how to keep track of your data and monitor data access outside the enterprise, and best practices for protecting data and privacy in the perimeter-less enterprise.
BrightTALK webinar, January 14, 2014
Where data security and value of data meet in the cloud ulf mattsson
1. Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com
2. Cloud Security Alliance (CSA)
PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
Ulf Mattsson, Protegrity CTO
ANSI X9
• American National Standard for Financial Services
IFIP WG 11.3 Data and Application Security
• International Federation for Information Processing
ISACA (Information Systems Audit and Control Association)
ISSA (Information Systems Security Association)
2
3. The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & Minimizing risk – finding the right balance
Value-preserving data-centric security methods
Agenda
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise.
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
3
9. Generated a 3.8% increase in the PayPal conversion
rate, the proportion of online visitors who make a
Analytics Improving Customer Experience
9
Source: Forbes
rate, the proportion of online visitors who make a
purchase.
Overall Average Order Value (AOV) rose 2.4% when the
PayPal button was moved to the top of the page.
4.03% increase in overall revenue, a more than $600,000
increase over a nine-week period.
11. Sensitive Data in the Cloud
11
Of organizations currently (or plan to) transfer
sensitive/confidential data to the cloud in the next
24 mo.
12. Lack of Cloud Confidence
12
Number of survey respondents that either agree or are unsure
that the cloud services used by their organization are
NOT thoroughly vetted for security.
17. Computing as a Service:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
What is Cloud Computing?
Delivered Internally or Externally to the Enterprise:
• Public
• Private
• Community
• Hybrid
17
22. Trust
Risk Adjusted Computation – Location Awareness
Corporate
Network
Private Cloud
Private Cloud
H
Processing Cost
H
22
Elasticity
Out-sourcedIn-house
Public Cloud
L L
33. Rather than making the protection platform based,
the security is applied directly to the data,
protecting it wherever it goes, in any environment
How Data-Centric Protection Increases
Security in Cloud Computing and Virtualization
Cloud environments by nature have more access
points and cannot be disconnected – data-centric
protection reduces the reliance on controlling the
high number of access points
33
35. Value-preserving data-centric
security methods
• How to keep track of your data and
monitor data access outside the
enterpriseenterprise
• Best practices for protecting data and
privacy in the perimeter-less enterprise.
• What New Data Security Technologies
are Available for Cloud?
35
41. Data Centric Security – Risk Adjusted Data Leakage
Index
Trust
H
Index
Leaking
Sensitive
Data
Sort Order Preserving
Encryption Algorithms
Leaking Sensitive
Data
41
Index Data
Elasticity
Out-sourcedIn-house
L
Index NOT
Leaking
Sensitive
Data
42. Data Centric Security – Balance Security & Value
Value
Preserving
Classification of
Sensitive Data
Granular Protection
of Sensitive Data
42
Index Data
Leaking
Sensitive
Data ?
Encoding
Leaking
Sensitive
Data ?
44. Data Tokenization – More Than Wrapping The Data
44
Source: Interestingengineering.com
Source: plus.google.com
45. De-identification / Anonymization
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial
Services
Dr. visits, prescriptions, hospital stays
and discharges, clinical, billing, etc.
Financial Services Consumer Products
and activities
Protection methods can be equally
applied to the actual data, but not
needed with de-identification
45
47. Cost of
Application
Changes
High -
Risk Adjusted Data Formats - Payment Card Data
Risk Exposure
Cost
47
All-16-clear Only-middle-6-hidden All-16-strongly-encrypted
Low -
I I I
49. High -
Risk Adjusted Data Security – Access to Data
Risk Exposure
User Productivity and
Creativity
49
Access to
Sensitive Data in
Clear
Low Access to Data High Access to Data
Low -
I I
50. High -
Risk Adjusted Data Security – Masked Data
User Productivity and
Creativity
50
Access to
Masked Data
Low Access to Data High Access to Data
Low -
I I
Risk Exposure
55. Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
55
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
56. Use
Case
How Should I Secure Different Data?
Simple – PCI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Personally Identifiable Information
Type of
Data
I
Structured
I
Un-structured
Complex – PHI
Protected
Health
Information
56
Personally Identifiable Information
58. Fine Grained Security: Encryption of Fields
Production Systems
Encryption of fields
• Reversible
• Policy Control (authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@
58
Non-Production Systems
59. Fine Grained Security: Masking of Fields
Production Systems
59
Non-Production Systems
Masking of fields
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038
60. Fine Grained Security: Tokenization of Fields
Production Systems
Tokenization (Pseudonymization)
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
60
Non-Production Systems
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Not Reversible
• Integrates Transparently
61. How can I
Secure the
Perimeter-less
61
Perimeter-less
Enterprise?
63. Enterprise Data Security Policy
What is the sensitive data that needs to be protected.
How you want to protect and present sensitive data. There are several methods
for protecting sensitive data. Encryption, tokenization, monitoring, etc.
Who should have access to sensitive data and who should not. Security access
control. Roles & Users
What
Who
How
63
When should sensitive data access be granted to those who have access. Day
of week, time of day.
Where is the sensitive data stored? This will be where the policy is enforced.
Audit authorized or un-authorized access to sensitive data.
When
Where
Audit
64. The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & Minimizing risk – finding the right balance
Value-preserving data-centric security methods
Summary
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise.
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
64