Data-centric Security for HP NonStop and Enterprise-wide Environments

Transcription

1 Data-centric Security for HP NonStop and Enterprise-wide Environments Ernie Tarbox, Voltage Security 2014 Voltage Security, Inc. All Rights Reserved 1

2 Title Agenda Part 1 this morning Common challenges in handling sensitive data Why breaches happen Data-centric security, technology & uses Common Attacks Neutralized, Payments Processing example Part 2 this afternoon A deployment walk-though HP NonStop, IBM z/os, Open Systems and Data Warehouse Practical Applications and Use Cases Payments, Sensitive Personal Data and Enterprise Data Summary 2014 Voltage Security, Inc. All Rights Reserved 2

3 Title About Voltage Security Leading experts in data-centric security Data Encryption and Tokenization - easy and simple even for complex cases Neutralize breach risks, minimize compliance costs, and mitigate advanced threats Enterprise, cloud systems, healthcare, retail, analytics and payment processors. Enabling industry leaders to secure data without friction Over 1,100 Enterprises around the world >68 Million people s data protected by Voltage Secur Top US and EU Healthcare networks and providers 7 of the 10 top U.S. banks, 6 of 8 Top Processors Trillions of transactions secured by Voltage SecureData Leading new standards and trust in proven data protection For Financial Services, Payments, Retail, Healthcare, Telecoms, and Government. 3

4 Title The State of the Nation Data breach costs 2014 Voltage Security, Inc. All Rights Reserved 4

5 Title The State of the Nation Data breach costs Compliance is important, but not the end-game in neutralizing breach risks Voltage Security, Inc. All Rights Reserved 5

6 Title Attack Trends vs. Protection Strategy Effectiveness Data-centric Security Fields & Objects Any databases, any data, anywhere Data in use, in motion, and at rest Traditional infrastructure level protection: Disk, File Data at rest only Data-centric security protects data over its lifecycle vs. broad threats. Data at rest only solutions only protect from physical threats Graph source: Verizon Data Breach Report

7 Title Example Data at Rest Security Data & Applications POS Malware can steal data in the clear in memory Middleware/Network Databases Data is in the clear in this part of the IT Stack File Systems OS Reads & writes disk Sectors Storage Disk storage encrypted 2014 Voltage Security, Inc. All Rights Reserved 7

8 Data Security Coverage End-to-end Data Protection Title IT Security vs. Data-centric Security Threats to Data Traditional IT Infrastructure Security Data Ecosystem Security Gaps Voltage Datacentric Security Data & Applications Credential Compromise Authentication Management Security Gap Traffic Interceptors SSL/TLS/Firewalls Middleware Security Gap SQL Injection, Malware Database Encryption Databases Security Gap Malware, Insiders SSL/TLS/Firewalls File Systems Security Gap Malware, Insiders Disk encryption Storage

9 Title Without data security live data exposed in gaps So how do we eliminate exploitable security gaps across complex data processes? Name SS# Credit Card # Street Address Customer ID James Potter Farland Avenue G Ryan Johnson Grant Street S Carrie Young Cambridge Court B Brent Warner Middleville Road G Anna Berman Hamilton Drive S Live data at risk in storage, memory and in use Business Applications, Data stores and Processes Custom Applications Production Databases & Files Payment Devices ETL & Data Integration Suites 3 rd Party Applications Teradata & Hadoop Mainframe Applications & Databases Cloud Broker Gateways Cloud & Web Applications 9

10 An introduction to data-centric security

11 Title Five Critical Best Practices for Data-centric Security To be effective, a data-centric security strategy must 1. Be unified across mission critical platforms: HP NonStop, IBM z/os, Teradata, Hadoop, cloud and enterprise systems, Payment devices, applications, and data stores 2. Minimize the exposure of live data to only trusted systems or users 3. Utilize standards-based and proven data protection technology for compliance 4. Enable centralized control of key management, tokenization, encryption, audit, and reporting 5. Enable the business process without friction at global scale. 11

12 Title Voltage Data-Centric Security Technologies Format-Preserving Encryption (FPE) Secure Stateless Tokenization (SST) Page-Integrated Encryption (PIE) First Name: Gunther Last Name: Robertson DOB: SSN: Live Data Protects structured data while maintaining functional and analytic integrity of the data High-octane tokenization performance without database management headaches Extends end-to-end protection to browser, through and beyond the SSL tunnel Minimizes implementation time while maximizing data value Ija&3k24kQotugDF2390^32 0OWioNu2(*872weWaasIUah jw2%quifiwuybw3 Traditional Encryption First Name: Uywjlqo Last Name: Muwruwwbp DOB: SSN: Voltage FPE 12

13 Title Data Protection with FPE and SST Name SS# Credit Card # Street Address Customer ID James Potter Farland Avenue G Ryan Johnson Grant Street S Carrie Young Cambridge Court B Brent Warner Middleville Road G Anna Berman Hamilton Drive S FPE FPE SST FPE FPE Name SS# Credit Card # Street Address Customer ID Kwfdv Cqvzgk Ykzbpoi Clpppn S Veks Iounrfo Cmxto Osfalu B Pdnme Wntob Zejojtbbx Pqkag G Eskfw Gzhqlv Saicbmeayqw Yotv G Jsfk Tbluhm Wbbhalhs Ueyzg B Preserve referential integrity across databases and analytic data sets Preserve Data format, logical relationships in the data to preserve analytic meaning Selective, policy controlled encryption/decryption, tokenization, de-tokenization. Enables Data Protection and Data De-identification from one framework Can be used to generate test data for QA, training, analytics, and live production systems 13

14 Title Data-centric Security Standards & Validation ~30 Patents Encryption, Key Management, Tokenization

15 Title Remember this diagram? Name SS# Credit Card # Street Address Customer ID James Potter Farland Avenue G Ryan Johnson Grant Street S Carrie Young Cambridge Court B Brent Warner Middleville Road G Anna Berman Hamilton Drive S Live data at risk in storage, memory and in use Business Applications, Data stores and Processes Custom Applications Production Databases & Files Payment Devices ETL & Data Integration Suites 3 rd Party Applications Teradata & Hadoop Mainframe Applications & Databases Cloud Broker Gateways Cloud & Web Applications 15

16 Title Neutralizing data attackers get nothing sensitive Name SS# Credit Card ## Street Address Customer ID Kwfdv James Potter Cqvzgk Ykzbpoi Farland Avenue Clpppn G S Veks Ryan Iounrfo Johnson Cmxto Grant Street Osfalu B S Pdnme Carrie Young Wntob Zejojtbbx Cambridge Pqkag Court G B Eskfw Brent Warner Gzhqlv Saicbmeayqw Middleville Road Yotv G G Jsfk Anna Tbluhm Berman Wbbhalhs Hamilton Drive Ueyzg B S Live data at risk in storage, memory and Live data is neutralized in use yet still useful Business Applications, Data stores and Processes Custom Applications Production Databases & Files Payment Devices ETL & Data Integration Suites 3 rd Party Applications Teradata & Hadoop Mainframe Applications & Databases Cloud Broker Gateways Cloud & Web Applications 16

17 Data-centric security a common example payment processing and capture

18 Title Example: Data-centric security for Payments Voltage SecureData Enabled Secure Hardware Card Reading Device Voltage SecureData Enabled Payment Host in Merchant or 3rd Party Datacenter Encrypt Track or EMV Card Data instantly on card read/swipe. Point of Sale (POS) Store Retail IT Secure Payment Host Card Data Decrypted Tokenized PAN returned Issuing Bank & Merchant Bank Network End-to-end Device to Host Secure Transactions POS and Retail IT never see live data Encrypted data in transit, Tokenized data in storage If data in the POS or Retail Store IT is attacked, attack gives nothing of value Use standard ISO type transaction messages Host & Terminal Keys frequently rotated automatically reduces exposure to one device if key compromised Only secure card reader hardware and Secure Payment Host process live data

19 Title Example - Data-centric Security and Card Processing Card Networks PAN: De-Tokenize Decrypt & Tokenize Payment Capture Payment Authorization Settlement Processes Logs, Reports, & Backups Customer Service Application Live Data Encrypted in Secure Reader end-toend to Payment Authorization Host SST Tokenized PAN Data used throughout. No Live Data in internal processes or systems Last 4 Digits already available without change 19

20 Neutralizing Title Data in the POS and Store in Large Retail Top US Retailer Risk concern over payment data Thousands of stores across North America Sophisticated POS and Store infrastructure data flows Mag Stripe, EMV, and non-traditional payments Enterprise-wide data-centric security vision: Neutralize Payment data in POS and Store Neutralize Data in Enterprise systems Neutralize data security for enabling Hadoop Solution Components Voltage SecureData Payments, Web and Enterprise In-house Deployment Mission Critical Platforms, Hadoop, Ingenico Readers Success No live data in retail stores Rapidly deployed US-wide stores to mitigate advanced threats in the POS & simplify PCI 3.0 Compliance While enabling the data-driven business Unified data-centric security platform to meet broad risk needs Hadoop, Enterprise, e-commerce, cloud Voltage Security, Inc. All Rights Reserved 20

21 Title Summary - Reducing Breach Risks & compliance costs Removing cardholder data from high-threat environments is the leading approach to reduce breach risks The technology today makes this simpler than ever before Simple for merchants to implement, and low cost to operate or consume Can be deployed quickly to retail, enterprise, and payment processing ecosystems Provides an effective method to mitigate data breach risk caused by advanced threats and insiders Data-centric solutions have proven ROI with cost and risk reduction, and may significantly reduce PCI scope. Enabling re-investment for growth reducing compliance costs while reducing risk. Proven in the largest data-security deployments in the world 21

22 Title Q&A