ISSA: Cloud Data Security
DESCRIPTION
Data security for the cloud
TRANSCRIPT
Next Generation Tokenization for Compliance and Cloud Data
Protection
Ulf Mattsson, CTO, Protegrity
ulf . mattsson AT protegrity . com
Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents – Encryption and Tokenization
Co-founder of Protegrity (Data Security)
Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
Member of
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• Cloud Security Alliance (CSA)
• Information Systems Security Association (ISSA)
• Information Systems Audit and Control Association (ISACA)
02
ISSA Article, Dec 2010
PCI DSS & Visa USA – 10 Years
04
ISACA - Articles About Compliance
06
Data Breaches
07
The Changing Threat Landscape (Aug, 2010)
Some issues have stayed constant:
1. The threat landscape continues to gain sophistication
2. Attackers will always be a step ahead of the defenders
Different motivation, methods and tools today:
• We're fighting highly organized, well-funded crime syndicates and nations
Move from detective to preventative controls needed:
• Several layers of security to address more significant areas of risks
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
08
Six years, 900+ breaches, and over 900 million compromised records
The majority of cases have not yet been disclosed and may never be
Over half of the breaches occurred outside of the U.S.
2010 Data Breach Investigations Report
Online Data is Compromised Most Frequently
[Chart: percentage of compromised records by data location]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
09
Compromised records:
1. 90% lost in highly sophisticated attacks
2. Hacking and malware are more dominant
Threat Action Categories
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
010
Patching Software vs. Locking Down Data
[Diagram: attacker path through user, application, database, OS file system, storage system and backup; software patching covers only part of this stack]
Not a single intrusion exploited a patchable vulnerability
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
Cloud Security
012
No Confidence in Cloud Security (Oct 2010)
CSO Magazine Survey: Cloud Security Still a Struggle for Many Companies
A recent article by Bill Brenner, senior editor at CSO Magazine, reveals that companies are still wary of putting critical data in the cloud. Results from the 8th Annual Global Information Security Survey, conducted by CSO along with CIO and PriceWaterhouseCoopers, show that 62% of companies have little to no confidence in their ability to secure any assets put in the cloud. Also, of the 49% of respondents who have ventured into cloud computing, 39% have major qualms about security.
013
Source, CSO. October, 2010 : http://www.csoonline.com/
Risks Associated with Cloud Computing
[Chart: percentage of respondents citing each risk]
Handing over sensitive data to a third party
Threat of data breach or loss
Weakening of corporate network security
Uptime/business continuity
Financial strength of the cloud computing provider
Inability to customize applications
Source: The evolving role of IT managers and CIOs – Findings from the 2010 IBM Global IT Risk Study
014
Cloud Computing to Fuel Security Market (Oct 2010)
1. "Concerns about cloud security have grown in the past year”
2. "In 2009, the fear was abstract: a general concern as there is with all new technologies when they're introduced ...
3. “Today, however, concerns are both more specific and more weighty”
4. “We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes; and they are more likely to defer adoption controls and security processes; and they are more likely to defer adoption because of security inadequacies than to go ahead despite them."
5. Opportunities in the cloud for vendors are data security, identity and access management, cloud governance, application security, and operational security.
http://www.eweek.com/c/a/Security/Forrester-Cloud-Computing-to-Fuel-Security-Market-170677/
015
What Amazon AWS’s PCI Compliance Means to You, Dec 7 2010
1. Just because AWS is certified doesn't mean you are. You still need to deploy a PCI compliant application/service and anything on AWS is still within your assessment scope.
2. The open question? PCI-DSS 2.0 doesn't address multi-tenancy concerns
3. That AWS is certified as a service provider doesn't mean all cloud IaaS providers will be
4. You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
5. Amazon doesn't do this for you -- it's something you need to implement yourself, including key management, rotation, logging, etc.
6. If you deploy a server instance in EC2 it still needs to be assessed by your QSA
7. What this certification really does is eliminate any doubts that you are allowed to deploy an in-scope PCI system on AWS
8. This is a big deal, but your organization's assessment scope isn't necessarily reduced
9. It might be when you move to something like a tokenization service, where you reduce your handling of PAN data
Source: securosis.com
016
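To make points 4 and 5 concrete, here is a minimal sketch, not Amazon's or a PCI-validated implementation, of encrypting cardholder data on the client side before it is written to S3. It assumes the Python "cryptography" and "boto3" packages; the bucket and object names are made up, and key storage, rotation and logging still have to be handled separately, as the list above notes.

import boto3
from cryptography.fernet import Fernet

# Key management is your responsibility (PCI DSS requirements 3.5/3.6):
# generate, store and rotate this key outside the storage environment.
data_key = Fernet.generate_key()
cipher = Fernet(data_key)

pan_record = b"4000001234567899,2015-12"      # sensitive cardholder data
ciphertext = cipher.encrypt(pan_record)       # encrypted before it leaves your systems

s3 = boto3.client("s3")
s3.put_object(
    Bucket="example-cardholder-vault",        # hypothetical bucket name
    Key="batch/2010-12-07/record-0001.enc",   # hypothetical object key
    Body=ciphertext,
)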
Not Enough to Encrypt the Pipe & Files
[Diagram: an attacker on the public network faces SSL-encrypted data in motion (PCI DSS) and encrypted data at rest (PCI DSS) in the storage system, but clear text data is still exposed in the application, database and OS file system on the private network]
017
Data Security Today is a Catch-22
We need to protect both data and the business processes that rely on that data
Enterprises are currently on their own in deciding how to apply emerging technologies for PCI data protection
Data Tokenization - an evolving technology
How to reduce PCI audit scope and exposure to data
018
Evaluating Options
019
Current, Planned Use of Enabling Technologies
Strong interest in database encryption, data masking, tokenization
[Chart: percentage of respondents evaluating, currently using, or planning to use within 12 months each technology: access controls, database activity monitoring, database encryption, backup/archive encryption, data masking, application-level encryption, tokenization]
020
Choose Your Defenses – Cost Effective PCI DSS
[Chart: percentage of respondents rating each technology as cost effective]
Correlation or event management systems
Identity & access management systems
Access governance systems
Encryption for data in motion
Anti-virus & anti-malware solution
Encryption/Tokenization for data at rest
Firewalls
Web application firewalls (WAF)
ID & credentialing system
Database scanning and monitoring (DAM)
Intrusion detection or prevention systems
Data loss prevention systems (DLP)
Endpoint encryption solution
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute
PCI DSS - Ways to Render the PAN Unreadable
Two-way cryptography with associated key management processes
One-way cryptographic hash functions
Index tokens and pads
Truncation (or masking – xxxxxx xxxxxx 6781)
22
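As a rough illustration of the options above, the following Python sketch (illustrative only, not a PCI-compliant implementation; the key management behind option one is deliberately omitted) shows a one-way hash, an index token kept in a lookup table, and truncation/masking applied to a sample PAN.

import hashlib
import secrets

pan = "4000001234567899"

# One-way cryptographic hash - irreversible, but the small PAN space makes
# an unsalted hash brute-forceable (see the Visa discussion later).
hashed = hashlib.sha256(pan.encode()).hexdigest()

# Index token and pad - a random surrogate held in a lookup table.
token_vault = {}
token = pan[:6] + "".join(secrets.choice("0123456789") for _ in range(6)) + pan[-4:]
token_vault[token] = pan                      # a real vault encrypts the stored PAN

# Truncation / masking - keep only part of the PAN.
masked = "xxxxxx xxxxxx " + pan[-4:]

print(hashed, token, masked, sep="\n")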
Evaluating Field Encryption & Tokenization
[Diagram: intrusiveness to applications and databases vs. data length (original or longer)]
Hashing - !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&* (longer)
Strong/Standard Encryption - !@#$%a^.,mhu7/////&*B()_+!@ (longer)
Tokenizing or Formatted Encryption (original length):
• Alpha - 123456 aBcdeF 1234
• Partial - 123456 777777 1234
• Clear Text Data - 123456 123456 1234
23
Protecting the Data Flow - Choose Your Defenses
Positioning Different Protection Options
[Table: each criterion rated from Best to Worst for Strong Field Encryption, Formatted Encryption and Distributed Token; ratings were shown as icons on the original slide]
Security: High risk data; Compliance to PCI, NIST
Initial Cost: Transparent to applications; Expanded storage size; Transparent to database schema; Performance impact when loading data
Operational Cost: Performance impact when loading data; Long life-cycle data; Unix or Windows mixed with “big iron” (EBCDIC); Easy re-keying of data in a data flow; Disconnected environments; Distributed environments
25
Best – Worst
Securing Encryption Keys
Encryption Key Administration
An entity that uses a given key should not be the entity that stores that key
[Diagram: user and encryption keys kept outside the cloud (SaaS, PaaS, IaaS)]
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
026
Hiding Data in Plain Sight – Data Tokenization
[Diagram: at data entry, the clear value 400000 123456 7899 is sent to the tokenization server, which stores it protected (Y&SFD%))S() and returns the data token 400000 222222 7899; the application and databases downstream hold only the token]
027
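The flow in the diagram above, sketched in Python under assumptions of my own (this is not Protegrity's implementation): a token server keeps the first six and last four digits, substitutes random digits in the middle, and holds the token-to-PAN mapping, so downstream applications and databases only ever see the token.

import secrets

class TokenServer:
    # Illustrative token server; a real one adds encryption of stored PANs,
    # access control, auditing and persistence.
    def __init__(self):
        self._vault = {}                      # token -> original PAN

    def tokenize(self, pan: str) -> str:
        # Preserve the BIN (first 6) and last 4 digits so downstream systems
        # keep working; randomize the digits in between.
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]

server = TokenServer()
print(server.tokenize("4000001234567899"))   # e.g. 4000002222227899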
Tokenization Service
[Diagram: users and applications work with the data token 123456 999999 1234 while the clear value 123456 123456 1234 stays behind the tokenization service; the legend distinguishes protected sensitive information (data tokens) from unprotected sensitive information]
028
Limit Exposure to Sensitive Data
[Chart: exposure to sensitive data, from high to low, across the life cycle phases development, testing and production; data encoding by 1. tokenization or 2. encryption lowers the exposure]
PCI Case Study - Large Chain Store
[Diagram: stores feed an aggregating hub for the store channel; token servers sit at the integration points with the authorization, settlement, loss prevention, ERP and analysis (EDW) systems]
030
Case Study
Large Chain Store Uses Tokenization to Simplify PCI Compliance
By segmenting cardholder data with tokenization, a regional chain of 1,500 local convenience stores is reducing its PCI audit from seven to three months
“We planned on 30 days to tokenize our 30 million card numbers. With Protegrity Tokenization, the whole process took about 90 minutes”
031
Case Study
Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization
“With encryption, implementations can spawn dozens of questions”
“There were no such challenges with tokenization”
032
Case Study
Faster PCI audit – half that time
Lower maintenance cost – don’t have to apply all 12 requirements of PCI DSS to every system
Better security – able to eliminate several business processes such as generating daily reports for data requests and access
Strong performance – rapid processing rate for initial tokenization, sub-second transaction SLA
033
Ramon Krikken:
Ask vendors what their token-generating algorithms are
Be sure to analyze the security of anything other than a strong random number generator
What Exactly Makes a “Secure Tokenization” Algorithm?
034
Visa's recommendation should have been simply to use a random number
You should not write your own 'home-grown' token servers
Comments on Visa’s Tokenization Best Practices
035
Best Practices for Tokenization *
[Diagram: token generation options – a one-way irreversible function** based on a unique sequence number or a hash with a secret per merchant, or a randomly generated value]
*: Published July 14, 2010
**: Multi-use tokens
036
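A short sketch, my own illustration rather than anything from the Visa paper, of why the randomly generated value is the safer choice: an unsalted one-way hash of a PAN can be reversed by exhausting the small space of unknown digits, while a random token has no mathematical relationship to the PAN.

import hashlib
import secrets

def hash_token(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()

def random_token(pan: str) -> str:
    # No mathematical relationship to the PAN at all.
    return pan[:6] + "".join(secrets.choice("0123456789") for _ in range(6)) + pan[-4:]

observed = hash_token("4000001234567899")

# An attacker who knows the BIN (first six) and the last four digits only has
# to try the 10^6 possible middle values to reverse an unsalted hash.
for middle in range(1_000_000):
    candidate = "400000" + f"{middle:06d}" + "7899"
    if hash_token(candidate) == observed:
        print("recovered PAN:", candidate)
        break

print("random token:", random_token("4000001234567899"))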
Centralized vs. Distributed Tokenization
Large companies may need to utilize tokenization services for locations throughout the world
How do you deliver tokenization to many locations without the impact of latency?
037
Different Approaches for Tokenization
Traditional Tokenization
• Dynamic Model
• Pre-Generated Model
Next Generation Tokenization: Protegrity Tokenization
38
Traditional Tokenization: Dynamic Model
Dynamic Token Lookup Tables
• Lookup tables are dynamic.
• They grow as more unique tokens are needed. Example: number of credit cards processed by a merchant.
• Table includes a hash value, a token, the encrypted CCN and other administrative columns
• Large footprint. On the order of tens or hundreds of millions of CCNs
Performance
• 5 tokens per second (outsourced) to
• 5000 tokens per second (in-house)
[Diagram: applications querying a token lookup table of token / encrypted CCN pairs, e.g. 3904 2673 3950 5968 / 2837 3674 8590 2637]
39
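A minimal sketch, under assumptions of my own, of the dynamic lookup table described above: one row per distinct card number, keyed by a hash of the CCN and holding the token, the encrypted CCN and an administrative column, so the table grows with every new card processed. It assumes the Python "cryptography" package.

import hashlib
import secrets
from cryptography.fernet import Fernet

cipher = Fernet(Fernet.generate_key())        # table encryption key; managed externally in practice
lookup_table = {}                             # grows with every new CCN seen

def tokenize(ccn: str) -> str:
    row_key = hashlib.sha256(ccn.encode()).hexdigest()
    row = lookup_table.get(row_key)
    if row is not None:                       # card already seen: return its multi-use token
        return row["token"]
    token = ccn[:6] + "".join(secrets.choice("0123456789") for _ in range(6)) + ccn[-4:]
    lookup_table[row_key] = {
        "token": token,
        "encrypted_ccn": cipher.encrypt(ccn.encode()),
        "first_seen": "2010-12-07",           # placeholder administrative column
    }
    return token

print(tokenize("3904267339505968"))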
Traditional Tokenization: Pre-generated Model
Pre-Generated Static Lookup Tables. Assume that all possible combinations are pre-generated.
• Lookup tables are static
• Contain all possible combinations. Example: all social security numbers required to support a healthcare provider’s membership.
• Table includes a hash value, a token, the encrypted SSN and other administrative columns
• Large footprint. On the order of tens or hundreds of millions of SSNs
• Pre-generation may be impractical due to the sheer size of all combinations (example: credit card)
Performance
• Improved performance by not having to do as many operations – dynamic tokenization and encryption.
[Diagram: applications querying a pre-generated token lookup table of token / encrypted SSN pairs, e.g. 467 28 3905 / 039 27 1789]
40
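Rough arithmetic behind the last bullet, using an assumed row size of 100 bytes: pre-generating every SSN is feasible, pre-generating every 16-digit card number is not.

ssn_space = 10 ** 9                 # every possible 9-digit SSN
pan_space = 10 ** 16                # every possible 16-digit card number
bytes_per_row = 100                 # assumed: hash + token + encrypted value + admin columns

print(f"SSN table: ~{ssn_space * bytes_per_row / 1e9:,.0f} GB")   # ~100 GB - feasible
print(f"PAN table: ~{pan_space * bytes_per_row / 1e12:,.0f} TB")  # ~1,000,000 TB - impractical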
Additional Complexity with Additional Tokenization
Token Server - Dynamic & Pre-Generated Model
• Large footprint becomes larger with the addition of more data categories to protect.
• Makes tokenizing additional categories of data a major challenge.
[Diagram: applications requesting tokens for credit card numbers, social security numbers and passport numbers from one token server]
41
Performance
Traditional Tokenization
• 5 tokens per second (outsourced)
• 5000 tokens per second (in-house)
Protegrity Tokenization
• 200,000 tokens per second (Protegrity)
• Single commodity server with 10 connections.
• Will grow linearly with additional servers and/or connections
• 9,000,000+ tokenizations per second (Protegrity /Teradata)
42
Evaluating Encryption & Tokenization Approaches
[Table: each evaluation criterion rated Best to Worst across Database File Encryption, Database Column Encryption, Centralized Tokenization (old) and Distributed Tokenization (new)]
Impact: Scalability; Availability; Latency; CPU Consumption
Security: Data Flow Protection; Compliance Scoping; Key Management; Randomness; Separation of Duties
Best – Worst
043
Making Data Unreadable – Protection Methods (Pro’s & Con’s)
Evaluating Different Tokenization Implementations
[Table: protection methods (AES/CBC, AES/CTR, Formatted Encryption, Data Tokenization, Hashing, Data Masking) rated Best to Worse at each IO interface – system layer and granularity: Application (column/field, record), Database (column, table, table space), OS File (IO block), Storage System (IO block)]
Best – Worse
Tokenization Server Location
[Table: evaluation criteria rated Best to Worst for token server locations – Mainframe (DB2 Workload Manager, separate address space) and Remote (in-house, out-sourced)]
Operational: Availability; Latency; Performance
Security: Separation; PCI DSS Scope
Best – Worst
Positioning Different Protection Options
[Table: each criterion rated from Best to Worst for Strong Encryption, Formatted Encryption and Distributed Tokenization; ratings were shown as icons on the original slide]
Security: High risk data; Compliance to PCI, NIST
Initial Cost: Transparent to applications; Expanded storage size; Transparent to database schema; Performance impact when loading data
Operational Cost: Performance impact when loading data; Long life-cycle data; Unix or Windows mixed with “big iron” (EBCDIC); Easy re-keying of data in a data flow; Disconnected environments; Distributed environments
46
Best – Worst
Positioning Different Protection Options
[Table: Security & Compliance, Total Cost of Ownership and Use of Encoded Data rated Best to Worst for Strong Encryption, Formatted Encryption and Tokens]
47
Best – Worst
Mapping the Cloud to Compliance – PCI DSS
Cloud Service Models
[Diagram: SaaS – Software as a Service (applications, data / meta-data / content), PaaS – Platform as a Service (middleware), IaaS – Infrastructure as a Service (hardware)]
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
Compliance Model – PCI DSS
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
048
Data Protection Challenges
Actual protection is not the challenge
Management of solutions
• Key management
• Security policy
• Auditing, Monitoring and reporting
Minimizing impact on business operations
• Transparency
• Performance vs. security
Minimizing the cost implications
Maintaining compliance
Implementation time
049
Best Practices - Data Security Management
[Diagram: an Enterprise Data Security Administrator manages policy, audit log and secure archive for the encryption services – Database Protector, File System Protector, Application Protector and Tokenization Server]
050
Who is Protegrity?
Proven enterprise data protection software leader since the late 90’s.
Business driven by compliance
• PCI (Payment Card Industry)
• PII (Personally Identifiable Information)
• PHI (Protected Health Information) – HIPAA
• State and Foreign Privacy Laws
Servicing many Industries
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment
• Manufacturing and Government
51
Tokenization Summary
Footprint
Traditional Tokenization: Large, expanding. The large and expanding footprint of Traditional Tokenization is its Achilles heel. It is the source of poor performance, scalability, and limitations on its expanded use.
Protegrity Tokenization: Small, static. The small static footprint is the enabling factor that delivers extreme performance, scalability, and expanded use.
High Availability, DR, and Distribution
Traditional Tokenization: Complex replication required. Deploying more than one token server for the purpose of high availability or scalability will require complex and expensive replication or synchronization between the servers.
Protegrity Tokenization: No replication required. Any number of token servers can be deployed without the need for replication or synchronization between the servers. This delivers a simple, elegant, yet powerful solution.
Reliability
Traditional Tokenization: Prone to collisions. The synchronization and replication required to support many deployed token servers is prone to collisions, a characteristic that severely limits the usability of traditional tokenization.
Protegrity Tokenization: No collisions. Protegrity Tokenization’s lack of need for replication or synchronization eliminates the potential for collisions.
Performance, Latency, and Scalability
Traditional Tokenization: Will adversely impact performance & scalability. The large footprint severely limits the ability to place the token server close to the data. The distance between the data and the token server creates latency that adversely affects performance and scalability, to the extent that some use cases are not possible.
Protegrity Tokenization: Little or no latency. Fastest tokenization in the industry. The small footprint enables the token server to be placed close to the data to reduce latency. When placed in-memory, it eliminates latency and delivers the fastest tokenization in the industry.
Extendibility
Traditional Tokenization: Practically impossible. Based on all the issues inherent in Traditional Tokenization of a single data category, tokenizing more data categories may be impractical.
Protegrity Tokenization: Unlimited tokenization capability. Protegrity Tokenization can be used to tokenize many data categories with minimal or no impact on footprint or performance.
52
Please contact me for more information
Ulf Mattsson
Ulf . Mattsson AT protegrity . com