ISACA NA CACS 2012 Orlando, Session 414: Ulf Mattsson
![Page 1: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/1.jpg)
Understanding Your Data Flow
Using Tokenization to Secure Data
Ulf Mattsson, CTO, Protegrity
![Page 2: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/2.jpg)
![Page 3: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/3.jpg)
![Page 4: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/4.jpg)
Ulf Mattsson, CTO Protegrity
• 20 years with IBM Development & Global Services
• Started Protegrity 1994
• Inventor of 22 patents – Encryption and Tokenization
• Member of
– PCI Security Standards Council (PCI SSC)
– American National Standards Institute (ANSI) X9
– International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
– ISACA (Information Systems Audit and Control Association)
– Information Systems Security Association (ISSA)
– Cloud Security Alliance (CSA)
![Page 5: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/5.jpg)
Session topics
• Discuss threats against data
• Review solutions for securing data
– Evaluate different options for data tokenization and encryption
• Review case studies
– Discuss how to stay out of scope for PCI DSS
• Review data protection cost efficiency
– Introduce a business risk approach
• Discuss cloud and outsourced environments
![Page 6: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/6.jpg)
THIEVES ARE STEALING OUR DATA!
![Page 7: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/7.jpg)
Albert Gonzalez: 20 Years In US Federal Prison
US Federal indictments:
1. Dave & Busters
2. TJ Maxx
3. Heartland HPS
• Breach expenses $140M
Source: http://www.youtube.com/user/ProtegrityUSA
Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
![Page 8: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/8.jpg)
What about Breaches & PCI? Was Data Protected?
Based on post-breach reviews: relevant organizations in compliance with each PCI DSS requirement (Verizon study).
(Bar chart, 0–100%; requirements listed in the order plotted, bar values not legible in the transcript.)
• 3: Protect Stored Data
• 7: Restrict access to data by business need-to-know
• 11: Regularly test security systems and processes
• 10: Track and monitor all access to network resources and data
• 6: Develop and maintain secure systems and applications
• 8: Assign a unique ID to each person with computer access
• 1: Install and maintain a firewall configuration to protect data
• 12: Maintain a policy that addresses information security
• 2: Do not use vendor-supplied defaults for security parameters
• 4: Encrypt transmission of cardholder data
• 5: Use and regularly update anti-virus software
• 9: Restrict physical access to cardholder data
![Page 9: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/9.jpg)
WHAT TYPES OF DATA ARE UNDER ATTACK NOW?
![Page 10: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/10.jpg)
What Data is Compromised?
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
(Bar chart, 0–100%; categories in the order plotted, values not legible in the transcript.)
• Authentication credentials (usernames, pwds, etc.)
• Sensitive organizational data (reports, plans, etc.)
• Bank account numbers/data
• System information (config, svcs, sw, etc.)
• Copyrighted/Trademarked material
• Trade secrets
• Classified information
• Medical records
• Unknown (specific type is not known)
• Payment card numbers/data
• Personal information (Name, SS#, Addr, etc.)
![Page 11: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/11.jpg)
Today “Hacktivism” is Dominating
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
(Bar chart, 0–70%; threat agents in the order plotted, values not legible in the transcript.)
• Unknown
• Unaffiliated person(s)
• Former employee (no longer had access)
• Relative or acquaintance of employee
• Organized criminal group
• Activist group
![Page 12: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/12.jpg)
Growing Threat of “hacktivism” by Groups such as Anonymous
Attacks by Anonymous include
• 2012: CIA and Interpol
• 2011: Sony, Stratfor and HBGary Federal
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
![Page 13: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/13.jpg)
Let’s Review Some Major Recent Breaches
(Timeline chart, April 2011 to August 2011: Attack Type, Time and Impact $.)
Source: IBM 2012 Security Breaches Trend and Risk Report
![Page 14: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/14.jpg)
The Sony Breach & Cloud
• Lost 100 million passwords and personal details stored in clear
• Spent $171 million related to the data breach
• Sony's stock price has fallen 40 percent
• For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
• Attack via SQL Injection
![Page 15: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/15.jpg)
SQL Injection Attacks are Increasing
(Chart: SQL injection attacks per quarter, Q1 2011 to Q3 2011; y-axis 5,000 to 25,000.)
Source: IBM 2012 Security Breaches Trend and Risk Report
![Page 16: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/16.jpg)
WHAT IS SQL INJECTION?
![Page 17: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/17.jpg)
What is an SQL Injection Attack?
(Diagram: Application → SQL Command Injected → Data Store.)
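The diagram above gives the shape of the attack; the following Python example, added here and not part of the original slides, makes it concrete against an in-memory SQLite table of constructed sample rows. `lookup_vulnerable` builds the query by string concatenation, so the classic payload `' OR '1'='1` closes the quoted literal and turns the WHERE clause into something that matches every row, dumping all stored PANs. `lookup_parameterized` passes the value as a bound parameter; the database never parses it as SQL, so the same payload simply matches no username. Function names, table layout and sample data are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows for the example; the PANs are test numbers, not real cards.
SAMPLE_USERS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def build_db():
    """In-memory data store holding cleartext PANs, as in the diagram."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pan TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The application glues user input into the SQL text. Input that
    contains a quote closes the string literal and the rest of the input
    is executed as part of the command: that is the injection."""
    sql = "SELECT username, pan FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The SQL text is fixed and the value travels separately as a bound
    parameter, so it can only ever be compared with the column, never
    parsed as SQL."""
    sql = "SELECT username, pan FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Closes the literal and appends an always-true condition:
#   ... WHERE username = '' OR '1'='1'
INJECTION_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, INJECTION_PAYLOAD))
```

With the vulnerable lookup the payload returns both rows, including every PAN in the table; with the parameterized lookup it returns nothing. Parameterization closes the injection path, but it does not change what an attacker gets if they reach the data store by another route, which is the argument the rest of the deck makes for not storing the real PAN at all.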
![Page 18: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/18.jpg)
WHO IS THE NEXT TARGET?
![Page 19: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/19.jpg)
New Industry Groups are Targets
By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
(Bar chart, 0–60%; industries in the order plotted, values not legible in the transcript.)
• Information
• Other
• Health Care and Social Assistance
• Finance and Insurance
• Retail Trade
• Accommodation and Food Services
![Page 20: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/20.jpg)
The Changing Threat Landscape
Some issues have stayed constant:
• Threat landscape continues to gain sophistication
• Attackers will always be a step ahead of the defenders
• We are fighting highly organized, well-funded crime syndicates and nations
• Move from detective to preventative controls needed
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
![Page 21: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/21.jpg)
How are Breaches Discovered?
By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
(Bar chart, 0–70%; discovery methods in the order plotted, values not legible in the transcript.)
• Unusual system behavior or performance
• Log analysis and/or review process
• Financial audit and reconciliation process
• Internal fraud detection mechanism
• Other(s)
• Witnessed and/or reported by employee
• Unknown
• Brag or blackmail by perpetrator
• Reported by customer/partner affected
• Third-party fraud detection (e.g., CPP)
• Notified by law enforcement
![Page 22: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/22.jpg)
WHERE IS DATA LOST?
![Page 23: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/23.jpg)
What Assets are Compromised?
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
(Bar chart, 0–100%; assets in the order plotted, with the asset classes User devices, People and Offline data labelled in the chart; values not legible in the transcript.)
• POS server (store controller)
• POS terminal
• Automated Teller Machine (ATM)
• Regular employee/end-user
• Payment card (credit, debit, etc.)
• Cashier/Teller/Waiter
• Pay at the Pump terminal
• File server
• Laptop/Netbook
• Remote Access server
• Call Center Staff
• Mail server
• Desktop/Workstation
• Web/application server
• Database server
![Page 24: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/24.jpg)
Threat Action Categories
Hacking and Malware are Leading
By percent of records. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
(Bar chart, 0–100%; categories: Environmental, Error, Misuse, Physical, Social, Malware, Hacking; values not legible in the transcript.)
![Page 25: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/25.jpg)
Thieves Are Attacking the Data Flow
(Diagram: sensitive data flowing between applications.)
![Page 26: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/26.jpg)
THIS IS A CATCH 22!
![Page 27: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/27.jpg)
Thieves Can't Steal What's Not There: Fake Data
(Diagram: the same flow between applications, now carrying a placeholder value, ???-??-????, instead of the real data.)
![Page 28: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/28.jpg)
HOW CAN WE SECURE THE DATA FLOW?
![Page 29: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/29.jpg)
Securing The Data Flow with Tokenization
(Diagram: Retail Store, Payment Network, Bank and Corporate Systems; a token, shown as 9999 9999, stands in for the card number in the flow.)
![Page 30: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/30.jpg)
WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
![Page 31: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/31.jpg)
What Has The Industry Done?
(Chart: Total Cost of Ownership, High to Low, against Time, 1970 to 2010, for Strong Encryption (3DES, AES …), Format Preserving Encryption (FPE, DTP …), Basic Tokenization and Vaultless Tokenization.)
Total Cost of Ownership:
1. System Integration
2. Performance Impact
3. Key Management
4. Policy Management
5. Reporting
6. Paper Handling
7. Compliance Audit
8. …
![Page 32: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/32.jpg)
Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
– 50 million Credit Cards, 700 million daily transactions
– Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
– End-to-End Tokens: Started with the D/W and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Qualified Security Assessors had no issues
• “With encryption, implementations can spawn dozens of questions”
• “There were no such challenges with tokenization”
![Page 33: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/33.jpg)
HOW CAN WE POSITION DIFFERENT SECURITY OPTIONS?
![Page 34: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/34.jpg)
Speed of Different Protection Methods
(Chart: Transactions per second on a log scale, 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization. Speed will depend on the configuration.)
![Page 35: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/35.jpg)
WHAT IS VAULT-LESS DATA TOKENIZATION?
![Page 36: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/36.jpg)
Different Tokenization Approaches

| | Basic Tokenization | Vault-less Tokenization* |
|---|---|---|
| Footprint | Large, Expanding. | Small, Static. |
| High Availability, Disaster Recovery | Complex, expensive replication required. | No replication required. |
| Distribution | Practically impossible to distribute geographically. | Easy to deploy at different geographically distributed locations. |
| Reliability | Prone to collisions. | No collisions. |
| Performance, Latency, and Scalability | Will adversely impact performance & scalability. | Little or no latency. Fastest industry tokenization. |
| Extendibility | Practically impossible. | Unlimited Tokenization Capability. |

*: Validated by 3rd party experts
![Page 37: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/37.jpg)
HOW IMPORTANT IS COST?
![Page 38: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/38.jpg)
Impact of Different Protection Methods
(Chart: Intrusiveness to Applications and Databases rises from Clear Text Data through Partial, Numeric and Alpha tokenizing or formatted encryption to Strong Encryption and Hashing; columns compare Data Type & Format, Data Length and Encoding.)
Sample values shown:
• Original: 123456 777777 1234
• Numeric / partial tokenizing or formatted encryption: 123456 123456 1234; 666666 777777 8888
• Alpha: aVdSaH 1F4hJ 1D3a
• Standard encryption and hashing (format and length not preserved): !@#$%a^.,mhu7///&*B()_+!@ and !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
![Page 39: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/39.jpg)
WHEN CAN I USE TOKENIZATION?
![Page 40: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/40.jpg)
How Should I Secure Different Data?
(Chart: Use Case, Simple to Complex, against Type of Data, Structured to Un-structured. Structured fields such as PCI Card Holder Data, PHI Protected Health Information and PII Personally Identifiable Information map to Field Tokenization; un-structured data maps to File Encryption.)
![Page 41: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/41.jpg)
Tokenizing Different Types of Data

| Type of Data | Input | Token | Comment |
|---|---|---|---|
| Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric |
| Medical ID | 29M2009ID | 497HF390D | Alpha-Numeric |
| Date | 10/30/1955 | 12/25/2034 | Date |
| E-mail Address | | | Alpha Numeric, delimiters in input preserved |
| SSN | 075-67-2278 | 287-38-2567 | Numeric, delimiters in input preserved |
| Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, Last 4 digits exposed |
![Page 42: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/42.jpg)
ANY TOKENIZATION GUIDELINES?
![Page 43: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/43.jpg)
Tokenization Guidelines, Visa
(Matrix of Token Generation methods against Token Types, Single Use Token and Multi Use Token; the cell markings are not legible in the transcript.)
Token Generation:
• Algorithm and Key (Reversible): Known strong algorithm
• One way Irreversible Function: Unique Sequence Number; Hash; Randomly generated value
• Secret per transaction
• Secret per merchant
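As an added example that is not part of the original slides or of any vendor's product, the Python below implements the behaviour shown in the Tokenizing Different Types of Data table and the single-use versus multi-use distinction on this slide with a basic, vault-based tokenizer. Tokens are randomly generated values and are never computed from the input with a key or algorithm (the property the later PCI DSS slide requires before any scope reduction is possible); they keep the input's length, delimiters and the character class of every position; the last four digits can be left in the clear; and the collision check in `tokenize` is the bookkeeping a vault has to do, which is what the "prone to collisions" row in the approaches table refers to. Class and method names, the per-position character-class rule, and the sample inputs are assumptions made for this example.

```python
import secrets
import string

# Constructed sample inputs for the example (not real card numbers or SSNs).
SAMPLE_PAN = "3872 3789 1620 3675"
SAMPLE_SSN = "075-67-2278"
SAMPLE_MEDICAL_ID = "29M2009ID"


class TokenVault:
    """Basic (vault-based) tokenization.

    Each input value is replaced by a randomly generated token, and the
    token -> value mapping is kept in a lookup table (the vault). The token
    is not computed from the value with any key or algorithm, so a stolen
    token reveals nothing about the value without access to the vault.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    @staticmethod
    def _random_token(value, keep_last=0):
        """Random token with the same length as `value`, the same character
        class (digit / upper / lower) in every position, delimiters left in
        place, and the trailing `keep_last` characters kept in the clear.
        Per-position class preservation is an assumption of this example."""
        keep_from = len(value) - keep_last
        out = []
        for i, c in enumerate(value):
            if i >= keep_from:
                out.append(c)  # exposed tail, e.g. last four PAN digits
            elif c.isdigit():
                out.append(secrets.choice(string.digits))
            elif c.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif c.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(c)  # delimiter such as space, '-', '/', '@'
        return "".join(out)

    def tokenize(self, value, keep_last=0, multi_use=True):
        """Return a token for `value`.

        multi_use=True: the same value always maps to the same token, so
        downstream systems can still join, count and de-duplicate on the
        token column without ever seeing the value.
        multi_use=False: every call yields a fresh token (single-use).
        """
        if multi_use and value in self._value_to_token:
            return self._value_to_token[value]
        for _ in range(1000):
            token = self._random_token(value, keep_last)
            # Collision check: a token must be unique in the vault and must
            # not happen to equal the value it stands in for.
            if token not in self._token_to_value and token != value:
                break
        else:
            raise RuntimeError("could not find an unused token")
        self._token_to_value[token] = value
        if multi_use:
            self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Look the original value up. Only systems inside the trusted zone
        should be able to reach this call; everything else keeps tokens."""
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    print(SAMPLE_PAN, "->", vault.tokenize(SAMPLE_PAN, keep_last=4))
    print(SAMPLE_SSN, "->", vault.tokenize(SAMPLE_SSN))
    print(SAMPLE_MEDICAL_ID, "->", vault.tokenize(SAMPLE_MEDICAL_ID))
```

Because the vault is the only link between token and value, it is the component that must be isolated from the systems that hold tokens, and its size and replication needs grow with every value tokenized; that is the footprint and availability cost the approaches table attributes to basic tokenization, and what a vaultless design sets out to remove.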
![Page 44: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/44.jpg)
Tokenization vs. Encryption

| | Encryption | Tokenization |
|---|---|---|
| Used Approach | Cipher System | Code System |
| | Cryptographic algorithms; Cryptographic keys | Code books; Index tokens |

Source: McGraw-Hill Encyclopedia of Science & Technology
![Page 45: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/45.jpg)
HOW SECURE IS ENCRYPTION?
![Page 46: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/46.jpg)
Many Broken Algorithms
![Page 47: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/47.jpg)
KEYS EVERYWHERE!
![Page 48: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/48.jpg)
PCI DSS: Tokenization and Encryption are Different
No Scope Reduction if the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key.
![Page 49: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/49.jpg)
TOKENS ARE RANDOM
![Page 50: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/50.jpg)
Tokenization and “PCI Out Of Scope”
Source: http://www.securosis.com
(Decision flow, reconstructed from the slide labels:)
• Random Number Tokens? No (e.g. FPE): No Scope Reduction. Yes: continue.
• Isolated from Card Holder Data Environment? No: No Scope Reduction. Yes: continue.
• De-tokenization Available? Yes: Scope Reduction. No: Out of Scope.
![Page 51: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/51.jpg)
Case Study: Energy Industry
Why? Reduce PCI Scope
• Best way to handle legacy, we got most of it out of PCI
• Get rid of unwanted paper copies
• No need to rewrite/redevelop or restructure business applications
• A VERY efficient way of PCI Reduction of Scope
• Better understanding of your data flow
• Better understanding of business flow
• Opportunity to clean up a few business oddities
![Page 52: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/52.jpg)
Evaluating Encryption & Tokenization
(Matrix rating Database File Encryption, Database Column Encryption, Basic Tokenization and Vaultless Tokenization against the criteria below, with a "Best" marker; the ratings are not legible in the transcript.)
Area / Criteria: Scalability; Availability; Latency; CPU Consumption; Security; Data Flow Protection; Compliance Scoping; Key Management; Data Collisions; Separation of Duties
![Page 53: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/53.jpg)
Case Studies: Retail
Customer 1: Why? Three major concerns solved
– Performance Challenge; Initial tokenization
– Vendor Lock-In: What if we want to switch payment processor
– Extensive Enterprise End-to-End Credit Card Data Protection
Customer 2: Why? Desired single vendor to provide data protection
– Combined use of tokenization and encryption
– Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the mainframe
– Tokens on the mainframe to avoid compensating controls
![Page 54: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/54.jpg)
WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES?
![Page 55: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/55.jpg)
Use of Enabling Technologies: Evaluating Current Use
(Bar chart with two percentage series per technology; the series labels are not legible in the transcript.)
• Access controls
• Database activity monitoring
• Database encryption
• Backup / Archive encryption
• Data masking
• Application-level encryption
• Tokenization
Percentages as extracted, in chart order: 1%, 18%, 30%, 21%, 28%, 7%, 22% and 91%, 47%, 35%, 39%, 28%, 29%, 23%.
![Page 56: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/56.jpg)
Is Data Masking Secure?
(Chart: Risk, High to Low, against System Type: Production, Integration testing, Test / dev, Troubleshooting. Two curves: Data display Masking, exposure: data in clear before masking; Data at rest Masking, exposure: data is only obfuscated.)
![Page 57: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/57.jpg)
Data Tokens = Lower Risk
(Chart: same axes as the previous slide, Risk against System Type: Production, Integration testing, Test / dev, Troubleshooting. Data display Masking, exposure: data in clear before masking; Data at rest Masking, exposure: data is only obfuscated; Data Tokens plotted at the lowest risk.)
![Page 58: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/58.jpg)
CAN SECURITY HELP CREATIVITY?
![Page 59: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/59.jpg)
Old Security = Less Creativity
(Chart: Risk, High to Low, against Access Right Level, Less to More, under Traditional Access Control.)
Source: InformationWeek Aug 15, 2011
![Page 60: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/60.jpg)
New Data Security = More Creativity
(Chart: Risk, High to Low, against Access Right Level, Less to More; Traditional Access Control compared with Data Tokens. New: creativity happens at the edge.)
Source: InformationWeek Aug 15, 2011
![Page 61: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/61.jpg)
WHAT IS THE IMPACT ON RISK MANAGEMENT?
![Page 62: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/62.jpg)
Choose Your Defenses
(Chart: Cost against Protection Option, from Monitoring to Data Lockdown. Curves: Expected Losses from the Risk, Cost of Aversion – Protection of Data, and their sum, Total Cost; the minimum of Total Cost marks the Optimal Risk.)
![Page 63: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/63.jpg)
DATA SECURITY ADVANCES ARE CHANGING THE BALANCE
![Page 64: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/64.jpg)
Matching Data Protection with Risk Level

| Risk Level | Solution |
|---|---|
| Low Risk (1-5) | Monitoring |
| Medium Risk (6-15) | Monitoring, masking, format controlling encryption |
| High Risk (16-25) | Tokenization, strong encryption |

| Data Field | Risk Level |
|---|---|
| Credit Card Number | 25 |
| Social Security Number | 20 |
| Email Address | 20 |
| Customer Name | 12 |
| Secret Formula | 10 |
| Employee Name | 9 |
| Employee Health Record | 6 |
| Zip Code | 3 |
![Page 65: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/65.jpg)
SEPARATION OF DUTIES!
![Page 66: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/66.jpg)
Security of Different Protection Methods
(Chart: Security Level, High to Low, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization.)
![Page 67: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/67.jpg)
HOW CAN I SECURE DATA IN CLOUD?
![Page 68: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/68.jpg)
Risks with Cloud Computing
Source: The evolving role of IT managers and CIOs. Findings from the 2010 IBM Global IT Risk Study
(Bar chart, 0–70%; risks in the order plotted, values not legible in the transcript.)
• Inability to customize applications
• Financial strength of the cloud computing provider
• Uptime/business continuity
• Weakening of corporate network security
• Threat of data breach or loss
• Handing over sensitive data to a third party
![Page 69: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/69.jpg)
PCI & Cloud
• “The PCI council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment”
– Bob Russo, general manager of the PCI Security Standards Council
![Page 70: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/70.jpg)
Amazon’s PCI Compliance
• PCI-DSS 2.0 doesn't address multi-tenancy concerns
• You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
• Amazon doesn't do this for you -- it's something you need to implement yourself; including key management, rotation, logging, etc.
• If you deploy a server instance in EC2 it still needs to be assessed by your QSA
• Your organization's assessment scope isn't necessarily reduced
• It might be when you move to something like a tokenization service where you reduce your handling of PAN data
Source: securosis.com
![Page 71: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/71.jpg)
Securing The Data Flow with Tokenization
(Diagram repeated from earlier: Retail Store, Payment Network, Bank and Corporate Systems; a token, shown as 9999 9999, stands in for the card number in the flow.)
![Page 72: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/72.jpg)
Why Tokenization?
Why Tokenization
1. No Masking
2. No Encryption
3. No Key Management
Why Vaultless Tokenization
1. Lower Cost / TCO
2. Better
3. Faster
![Page 73: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/73.jpg)
Conclusion
• Organizations need to understand their data flow and current security technologies
– Determine most significant security exposures
– Target budgets toward addressing the most critical issues
– Strengthen security and compliance profiles
• Achieve the right balance between business needs and security demands
– Increasingly important as companies are changing their security strategies to better protect sensitive data following continuing attacks
![Page 74: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/74.jpg)
About Protegrity
• Proven enterprise data security software and innovation leader
– Sole focus on the protection of data
– Patented Technology, Continuing to Drive Innovation
• Growth driven by compliance and risk management
– PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information)
– US State and Foreign Privacy Laws, Breach Notification Laws
• Cross-industry applicability
– Retail, Hospitality, Travel and Transportation
– Financial Services, Insurance, Banking
– Healthcare, Telecommunications, Media and Entertainment
– Manufacturing and Government
![Page 75: ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson](https://reader038.vdocuments.site/reader038/viewer/2022102922/54b71a804a7959177f8b45ad/html5/thumbnails/75.jpg)
Thank you!
www.protegrity.com 203-326-7200