Where Data Security and Value of Data Meet in the Cloud, BrightTALK webinar, January 14 2015
TRANSCRIPT
![Page 1: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/1.jpg)
Where Data Security and Value of Data
Meet in the Cloud
Ulf Mattsson, CTO, Protegrity
BrightTALK webinar January 14 2015
![Page 2: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/2.jpg)
Ulf Mattsson, Protegrity CTO
Cloud Security Alliance (CSA)
PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
IFIP (International Federation for Information Processing)
• WG 11.3 Data and Application Security
ISACA (Information Systems Audit and Control Association)
ISSA (Information Systems Security Association)
![Page 3: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/3.jpg)
Agenda
The New Enterprise Paradigm
• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency
Rethinking Data Security for a Boundless World
• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance
New Security Solutions, Technologies and Techniques
• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in context to the enterprise
Best Practices
![Page 4: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/4.jpg)
Enterprises Losing Ground Against Cyber-attacks
Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the largest banks
We need a new approach to data security
![Page 5: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/5.jpg)
High-profile Cyber Attacks
• 49% recommended database security, yet only 19% of budget goes to database security
• 40% of budget still goes to network security
Conclusion: Organisations have traditionally spent money on network security, so it is earmarked in the budget and requires no further justification
![Page 6: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/6.jpg)
The Perimeter-less World
![Page 7: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/7.jpg)
Big data projects in 2015
• Integration with the outside world
• Security prevents big data from becoming a prevalent enterprise computing platform
• 3rd party products are helping
www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html
Integration with Outside World
• 26 billion devices on the Internet of Things by 2020 (Gartner)
Source: wikipedia.org
![Page 8: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/8.jpg)
They’re Tracking When You Turn Off the Lights
Sensors to capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian traffic flow
Source: Wall Street Journal
![Page 9: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/9.jpg)
Security Threats of Connected Medical Devices
The Department of Homeland Security is investigating
• Two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers
• These can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity
• Keep medical data stored encrypted
PricewaterhouseCoopers study
• $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability
www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#
![Page 10: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/10.jpg)
CHALLENGE: How can I Secure the Perimeter-less Enterprise?
![Page 11: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/11.jpg)
Cloud Computing
![Page 12: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/12.jpg)
What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing?
![Page 13: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/13.jpg)
Security of Data in Cloud at Board -level
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
![Page 14: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/14.jpg)
Data Security Holding Back Cloud Projects
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
![Page 15: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/15.jpg)
Threat Vector Inheritance
![Page 16: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/16.jpg)
Public Cloud
Source: Wired.com
![Page 17: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/17.jpg)
New Technologies to Secure Cloud Data
![Page 18: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/18.jpg)
Data-Centric Protection Increases Security in Cloud Computing
• Rather than making the protection platform-based, the security is applied directly to the data
• Protecting the data wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points
![Page 19: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/19.jpg)
Security Gateway Deployment – Hybrid Cloud
(diagram: a Client System inside the Corporate Network reaches the Private Cloud and the out-sourced Public Cloud through a Cloud Gateway; the Enterprise Security Administrator and the Security Officer manage the gateway)
![Page 20: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/20.jpg)
Security Gateway Deployment – Hybrid Cloud
(second diagram variant of the same deployment, with the same components: Corporate Network, Client System, Cloud Gateway, Private Cloud, out-sourced Public Cloud, Enterprise Security Administrator, Security Officer)
![Page 21: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/21.jpg)
Security Gateway – Searchable Encryption
(diagram: the Client System in the Corporate Network sends its RDBMS query through the Cloud Gateway, which re-writes the query to run against data stored under order preserving encryption; the Enterprise Security Administrator and Security Officer manage the gateway)
![Page 22: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/22.jpg)
Security Gateway – Search & Indexing
(diagram: the Cloud Gateway re-writes the RDBMS query to run against an index it maintains for the protected data; same Enterprise Security Administrator and Security Officer roles)
![Page 23: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/23.jpg)
Cloud Gateway – Requirements Adjusted Protection
Data protection methods rated from Best to Worst on Scalability, Storage, Security and Transparency (the ratings are colour-coded in the original chart):
• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)
![Page 24: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/24.jpg)
Comparing Data Protection Methods
![Page 25: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/25.jpg)
Risk Adjusted Storage – Data Leaking Formats
(chart: Data Leakage from Low to High against Computational Usefulness for Strong encryption, Truncation, Sort-order-preserving encryption and Indexing)
![Page 26: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/26.jpg)
Balancing Data Security & Utility
Value preserving:
• Classification of Sensitive Data
• Granular Protection of Sensitive Data
Questions to ask: Is the index leaking sensitive data? Is the encoding leaking sensitive data?
![Page 27: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/27.jpg)
Risk Adjusted Data Leakage
(chart: Index Trust from Low to High against Elasticity from In-house to Out-sourced; regions marked: index data leaking sensitive data, sort order preserving encryption algorithms leaking sensitive data, index NOT leaking sensitive data)
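The three preceding charts rank storage formats by what they leak: a searchable index or 1:1 mapping reveals equality (and therefore frequency), sort-order-preserving encryption additionally reveals order, truncation leaves part of the value in the clear, and only randomized strong encryption (AES-CBC with a fresh IV) hides all of these. The following is an added example, not code from the deck or from Protegrity, that measures those leakage classes on a constructed column. It uses HMAC-SHA256 in counter mode as a stand-in for AES-CBC so it runs with the standard library only, and a toy keyed-gap construction as the order-preserving scheme; the key and the sample columns are constructed for the demo and none of this is production-grade cryptography.

```python
import hashlib
import hmac
import os

# Constructed demo key. A real key lives in a key manager, never in source.
KEY = b"demo-key-not-for-production"


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a keyed pseudorandom function."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF: block i = PRF(key, nonce || i)."""
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def randomized_encrypt(key: bytes, value: str, nonce: bytes = None) -> bytes:
    """Strong-encryption stand-in (plays the role of AES-CBC with a random IV):
    a fresh nonce per call means equal plaintexts give unrelated ciphertexts."""
    nonce = os.urandom(16) if nonce is None else nonce
    data = value.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def randomized_decrypt(key: bytes, blob: bytes) -> str:
    """Inverse of randomized_encrypt: strip the nonce, regenerate the keystream."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def deterministic_index(key: bytes, value: str) -> bytes:
    """Searchable gateway index / 1:1 mapping: the same input always yields the same
    output, so the server can match queries but also sees equality and frequency."""
    return _prf(key, b"index:" + value.encode())[:12]


def order_preserving_encrypt(key: bytes, value: int) -> int:
    """Toy sort-order-preserving encryption for small non-negative integers: each
    plaintext step adds a keyed random gap of 1..8, so ciphertexts sort like the
    plaintexts (range queries work on the server) and both order and equality leak."""
    ciphertext = 0
    for step in range(value + 1):
        ciphertext += 1 + _prf(key, b"ope:" + step.to_bytes(4, "big"))[0] % 8
    return ciphertext


def truncate(value: str, keep_last: int = 4) -> str:
    """Truncation: hides the leading characters and leaves the tail in the clear."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def leak_profile(plaintexts, protect) -> dict:
    """Which plaintext relations survive in a column protected with `protect`?
    equality: do equal plaintexts produce equal protected values?
    order:    does sorting by protected value sort the plaintexts?"""
    protected = [protect(p) for p in plaintexts]
    n = len(plaintexts)
    equality = any(plaintexts[i] == plaintexts[j] and protected[i] == protected[j]
                   for i in range(n) for j in range(i + 1, n))
    first = {}                              # one protected value per distinct plaintext
    for p, c in zip(plaintexts, protected):
        first.setdefault(p, c)
    order = sorted(first, key=first.get) == sorted(first)
    return {"equality": equality, "order": order}


# Constructed sample columns: account balances with one duplicate, and card numbers
# (test-style PANs) with a duplicate and a tail order that differs from the full order.
BALANCES = [45, 120, 120, 33, 90, 7, 61, 150, 2, 88]
CARDS = ["3872378916203675", "4012888888881881", "3872378916203675",
         "5105105105105100", "6011111111111117", "4111111111111111"]


def compare_formats() -> dict:
    """Leak profile of each storage format on the sample columns."""
    return {
        "strong_encryption": leak_profile(BALANCES, lambda v: randomized_encrypt(KEY, str(v))),
        "index": leak_profile(BALANCES, lambda v: deterministic_index(KEY, str(v))),
        "order_preserving": leak_profile(BALANCES, lambda v: order_preserving_encrypt(KEY, v)),
        "truncation": leak_profile(CARDS, truncate),
    }


if __name__ == "__main__":
    for name, profile in compare_formats().items():
        print(f"{name:18s} {profile}")
```

Run it and the strong-encryption column is the only one with neither equality nor order leakage; the index leaks equality, the order-preserving column leaks both, and the truncated card column leaks equality (the two identical PANs) while sorting by the visible last four digits rather than the real value. That is the trade the gateway slides describe: every property the cloud side can still compute on is a property an attacker with the stored column can read too.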
![Page 28: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/28.jpg)
Reduction of Pain with New Protection Techniques
(chart: Pain & TCO from High to Low along a timeline of 1970, 2000, 2005, 2010)
Input value: 3872 3789 1620 3675
• Strong Encryption (AES, 3DES), output: !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE), output: 8278 2789 2990 2789
• Vault-based Tokenization, output: 8278 2789 2990 2789 – format preserving
• Vaultless Tokenization, output: 8278 2789 2990 2789 – format preserving, no vault, greatly reduced key management
![Page 29: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/29.jpg)
What is Data Tokenization?
![Page 30: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/30.jpg)
Data Tokenization – Replacing The Data
Source: plus.google.com
![Page 31: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/31.jpg)
Fine Grained Data Security Methods
Tokenization and Encryption are Different
• Encryption – used approach: cipher system; built on cryptographic algorithms and cryptographic keys
• Tokenization – used approach: code system; built on code books and index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
![Page 32: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/32.jpg)
Speed of Fine Grained Protection Methods
(chart: transactions per second* on a logarithmic scale from 100 to 10 000 000 for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization)
*: Speed will depend on the configuration
![Page 33: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/33.jpg)
Significantly Different Tokenization Approaches
(table comparing the properties of Dynamic, Vault-based tokenization with Pre-generated, Vaultless tokenization)
![Page 34: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/34.jpg)
Examples of Protected Data

| Field | Real Data | Tokenized / Pseudonymized |
| --- | --- | --- |
| Name | Joe Smith | csu wusoj |
| Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA |
| Date of Birth | 12/25/1966 | 01/02/1966 |
| Telephone | 760-278-3389 | 760-389-2289 |
| E-Mail Address | [email protected] | [email protected] |
| SSN | 076-39-2778 | 076-28-3390 |
| CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378 |
| Business URL | www.surferdude.com | www.sheyinctao.com |
| Fingerprint | | Encrypted |
| Photo | | Encrypted |
| X-Ray | | Encrypted |

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; consumer products and activities
Protection methods can be equally applied to the actual data, but this is not needed with de-identification
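Slides 28 through 34 contrast two tokenization designs: dynamic, vault-based tokenization (a random token per value, remembered in a lookup table that must be stored and protected) and pre-generated, vaultless tokenization (tokens derived from static tables, so any node produces the same token with nothing to store and far less key management), with both preserving the format of the field and optionally leaving a tail such as the last four digits in the clear. The following is an added illustration written for this page, not Protegrity's algorithm or any product code: the vaultless variant stands in for static random tables with per-position substitution tables derived from a constructed key, chained on the previous token character so repeated digits do not repeat in the token. It is a teaching toy, not NIST FF1 and not PCI-validated; separators are copied through and tokens are deterministic so that joins and reporting still work on tokenized data.

```python
import hashlib
import hmac
import secrets
import string

# Constructed demo key for the vaultless scheme; in production it comes from a key manager.
KEY = b"demo-tokenization-key"
ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _alphabet_of(ch: str):
    """Character class to preserve; None for separators such as ' ' or '-'."""
    return next((a for a in ALPHABETS if ch in a), None)


def _table(key: bytes, position: int, alphabet: str) -> list:
    """Substitution table for one position and character class. Here it is derived from
    the key with a keyed Fisher-Yates shuffle; the production analogue is a set of
    static random tables generated once and distributed to every protection node."""
    seed = hmac.new(key, f"table:{position}:{alphabet[0]}".encode(), hashlib.sha256).digest()
    table = list(alphabet)
    for i in range(len(table) - 1, 0, -1):
        seed = hashlib.sha256(seed).digest()
        j = int.from_bytes(seed[:4], "big") % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def vaultless_tokenize(key: bytes, value: str, keep_last: int = 0) -> str:
    """Vaultless tokenization: substitute each character through its position's table,
    chained on the previous token character. Same key + same input = same token on
    any node, with nothing to store; the last `keep_last` characters stay clear."""
    cut = len(value) - keep_last
    out, prev = [], 0
    for pos, ch in enumerate(value[:cut]):
        alphabet = _alphabet_of(ch)
        if alphabet is None:
            out.append(ch)                       # separators copied through
            continue
        token_ch = _table(key, pos, alphabet)[(alphabet.index(ch) + prev) % len(alphabet)]
        out.append(token_ch)
        prev = alphabet.index(token_ch)
    return "".join(out) + value[cut:]


def vaultless_detokenize(key: bytes, token: str, keep_last: int = 0) -> str:
    """Inverse of vaultless_tokenize; exposed only to callers the policy authorizes."""
    cut = len(token) - keep_last
    out, prev = [], 0
    for pos, ch in enumerate(token[:cut]):
        alphabet = _alphabet_of(ch)
        if alphabet is None:
            out.append(ch)
            continue
        idx = _table(key, pos, alphabet).index(ch)
        out.append(alphabet[(idx - prev) % len(alphabet)])
        prev = alphabet.index(ch)
    return "".join(out) + token[cut:]


class TokenVault:
    """Dynamic, vault-based tokenization: a random format-preserving token per new
    value, remembered in a lookup table (the vault) that has to be stored, replicated
    across sites and protected as strongly as the data it maps back to."""

    def __init__(self):
        self._forward, self._reverse = {}, {}

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        if value in self._forward:
            return self._forward[value]
        cut = len(value) - keep_last
        while True:
            body = "".join(secrets.choice(_alphabet_of(ch)) if _alphabet_of(ch) else ch
                           for ch in value[:cut])
            token = body + value[cut:]
            if token != value and token not in self._reverse:
                break
        self._forward[value], self._reverse[token] = token, value
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]

    def __len__(self) -> int:
        return len(self._forward)                # the state vaultless tokenization avoids


if __name__ == "__main__":
    pan = "3872 3789 1620 3675"                  # the deck's example input value
    tok = vaultless_tokenize(KEY, pan, keep_last=4)
    print("vaultless:", tok, "->", vaultless_detokenize(KEY, tok, keep_last=4))
    print("name     :", vaultless_tokenize(KEY, "Joe Smith"))
    vault = TokenVault()
    print("vault    :", vault.tokenize(pan, keep_last=4), "entries:", len(vault))
```

The operational difference shows up in the last lines: the vaultless token for a value is identical on every node that holds the key, so no vault has to be synchronized before a second site can tokenize or detokenize, whereas a second `TokenVault` instance produces a different token for the same card and cannot reverse the first one's tokens until the vault is replicated. Date fields need domain-aware tables (the deck's 01/02/1966 stays a valid date); this character-class toy would not guarantee that.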
![Page 35: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/35.jpg)
How Should I Secure Different Data?
(matrix: Type of Data – Structured / Un-structured – against Use Case – Simple (PCI) / Complex (PHI))
• Structured data – Cardholder Data, Personally Identifiable Information, Protected Health Information: tokenization of fields
• Un-structured data: encryption of files
![Page 36: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/36.jpg)
Example of Cross Border Data-centric Security
(diagram: data sources feeding a Data Warehouse in Italy)
Complete policy-enforced de-identification of sensitive data across all bank entities
![Page 37: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/37.jpg)
How to Balance Risk and Data Access
![Page 38: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/38.jpg)
Risk Adjusted Data Security – Access Controls
(chart: Risk Exposure, Low to High, plotted for access to sensitive data in the clear, from Low Access to Data to High Access to Data; the horizontal axis also tracks User Productivity and Creativity)
![Page 39: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/39.jpg)
Risk Adjusted Data Security – Tokenized Data
(chart: same axes as the previous slide, plotting Risk Exposure for access to tokenized data from Low Access to Data to High Access to Data)
![Page 40: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/40.jpg)
Risk Adjusted Data Security – Selective Masking
(chart: Risk Exposure and Cost of Application Changes, Low to High, for All-16-clear, Only-middle-6-hidden and All-16-hidden)
Cost example: 16 digit credit card number
![Page 41: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/41.jpg)
Fine Grained Security: Securing Fields
Production Systems – Encryption of fields
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@
Non-Production Systems – Masking of fields
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038
![Page 42: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/42.jpg)
Fine Grained Security: Tokenization of Fields
Tokenization (Pseudonymization)
Production Systems
• Reversible
• Policy Control (Authorized / Unauthorized Access)
Non-Production Systems
• Not Reversible
• Integrates Transparently
Both
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
![Page 43: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/43.jpg)
Data-Centric Audit and Protection (DCAP)
• Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act
• By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today
Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
![Page 44: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/44.jpg)
Data-Centric Audit and Protection (DCAP)
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting
Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
![Page 45: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/45.jpg)
Centralized Policy Management – Example
(diagram: the Enterprise Security Administrator and the Security Officer distribute one policy to every protection point – Application, RDBMS, MPP, Cloud, File Servers, Big Data, Gateway Servers, HP NonStop Base24, IBM Mainframe Protector and Protection Servers – and each protection point returns an audit log)
![Page 46: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/46.jpg)
Enterprise Data Security Policy
• What: What is the sensitive data that needs to be protected?
• How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
• Who: Who should have access to sensitive data and who should not. Security access control.
• When: When should sensitive data access be granted to those who have access. Day of week, time of day.
• Where: Where is the sensitive data stored? This will be where the policy is enforced.
• Audit: Audit authorized or un-authorized access to sensitive data.
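The What / How / Who / When / Where / Audit dimensions above, together with the earlier slides on selective masking (all 16 digits clear, middle 6 hidden, all hidden) and on reversible tokenization under policy control, describe a policy decision that a central policy server pushes to every protection point. The following is an added example, not the deck's or any vendor's policy engine: a rule set keyed on those six dimensions, evaluated first-match-wins, that returns the clear value, a masked value or the token itself and writes an audit event for every decision, including denials. The roles, stores, time windows and the one-entry lookup standing in for a detokenization service are all constructed for the demo; the token and card number are the example values used on the masking and tokenization slides.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

WEEKDAYS = frozenset(range(0, 5))          # Monday..Friday
EVERY_DAY = frozenset(range(0, 7))


@dataclass(frozen=True)
class Rule:
    element: str                # What:  the classified sensitive data element
    role: str                   # Who:   the requesting role
    present: str                # How:   "clear", "masked" or "token"
    days: FrozenSet[int]        # When:  permitted weekdays (0 = Monday)
    hours: Tuple[int, int]      # When:  permitted hours, [start, end)
    stores: FrozenSet[str]      # Where: data stores this rule is enforced at


@dataclass(frozen=True)
class AuditEvent:
    at: str
    role: str
    element: str
    store: str
    decision: str               # what was actually presented, or "deny"


def mask_middle(pan: str, clear_first: int = 6, clear_last: int = 4) -> str:
    """Selective masking of a 16-digit card number: first 6 and last 4 digits in the
    clear, the middle 6 hidden; separators are left in place."""
    digits = sum(ch.isdigit() for ch in pan)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if seen < clear_first or seen >= digits - clear_last else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


class DataSecurityPolicy:
    """Central policy: the first matching rule wins, and every decision is audited."""

    def __init__(self, rules: List[Rule], detokenize):
        self.rules = rules
        self.detokenize = detokenize           # callable, reachable only from the policy
        self.audit: List[AuditEvent] = []

    def decide(self, element: str, role: str, store: str, at: datetime) -> str:
        for r in self.rules:
            if (r.element == element and r.role == role and store in r.stores
                    and at.weekday() in r.days and r.hours[0] <= at.hour < r.hours[1]):
                return r.present
        return "deny"                          # default deny when no rule matches

    def present(self, element: str, role: str, store: str, at: datetime, token: str) -> Optional[str]:
        decision = self.decide(element, role, store, at)
        self.audit.append(AuditEvent(at.isoformat(), role, element, store, decision))
        if decision == "deny":
            return None
        if decision == "token":
            return token                       # BI and non-production work on the token itself
        clear = self.detokenize(token)
        return clear if decision == "clear" else mask_middle(clear)


# Constructed stand-in for the detokenization service, using the deck's example values.
SAMPLE_VAULT = {"0389 3778 3652 0038": "3872 3789 1620 3675"}


def build_policy() -> DataSecurityPolicy:
    """Example policy for the card_number element (rules constructed for the demo)."""
    stores = frozenset({"warehouse", "cloud"})
    rules = [
        Rule("card_number", "fraud_analyst", "clear", WEEKDAYS, (8, 18), stores),
        Rule("card_number", "fraud_analyst", "masked", EVERY_DAY, (0, 24), stores),   # after hours
        Rule("card_number", "customer_service", "masked", EVERY_DAY, (0, 24), stores),
        Rule("card_number", "developer", "token", EVERY_DAY, (0, 24), stores),
    ]
    return DataSecurityPolicy(rules, SAMPLE_VAULT.__getitem__)


if __name__ == "__main__":
    policy = build_policy()
    token = "0389 3778 3652 0038"
    requests = [("fraud_analyst", datetime(2015, 1, 14, 10)), ("fraud_analyst", datetime(2015, 1, 11, 3)),
                ("developer", datetime(2015, 1, 14, 10)), ("contractor", datetime(2015, 1, 14, 10))]
    for role, when in requests:
        print(role, when, "->", policy.present("card_number", role, "warehouse", when, token))
    for event in policy.audit:
        print(event)
```

Two design points matter here. Detokenization is reachable only through the policy object, so "who" and "when" are checked before the clear value ever exists in the caller's process; and the audit record captures the decision that was enforced rather than the request, which is what the DCAP auditing and segregation-of-duties bullets call for.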
![Page 47: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/47.jpg)
Summary
The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise
What new data security technologies are available for cloud?
How can cloud data security work in context to the enterprise?
![Page 48: Where data security and value of data meet in the cloud brighttalk webinar january 14 2015](https://reader030.vdocuments.site/reader030/viewer/2022032420/55a4e33e1a28abef648b45c7/html5/thumbnails/48.jpg)
Thank you!
Questions?
Please contact us for more information
www.protegrity.com