The Security Issue Data Marketing 2013 Conference Presented by:

Transcription

1 The Security Issue Data Marketing 2013 Conference Presented by: Phil Sewell, Canadian Regional Director

2 About Voltage Security Mission: Data-centric security to combat advanced security threats inside and outside the cloud easy to use and easy to manage Founded: June 2002 Origins: DARPA funded research at Stanford University Proven Leader: Global scale data-centric security solutions Unique innovations: Identity Based Encryption (IBE) Format Preserving Encryption (FPE) Secure Stateless Tokenization (SST) Page-Integrated Encryption (PIE) Headquarters: Cupertino, CA, USA. Customers: 1,000+ Enterprises 150,000+ SMBs on Voltage Cloud Leader in OEM encryption Top credit card companies, payment processors, world s largest retailers, Telco's, Fortune 25 banks, insurance, healthcare networks, government Analyst Leadership Recognition: Gartner, Forrester, Burton IT1, Mercator, Hurwitz 2

3 The Business of Data Has Changed Today s reality requires data to be accessed anywhere, anytime, for any purpose More and more data is being moved into the cloud and consolidated into big data repositories This change will drive more business agility and more value How do you SECURELY use and move data across the enterprise and with customers and partners? 3

4 Taming the Explosion in Data Optimizing Time-to-Insight Exabytes per month % of the data in the world today has been created in the last two years alone * - IBM Parabolic growth in data created and consumed* - Cisco The explosion in data fuels growth and agility But time to data value is gated by risk and compliance Attacks to data are here to stay, and big data means a big target Balancing data access and data security is critical 4

5 New Risks: Cloud computing, Big Data and mobile applications The business boundary no longer exists No Business Boundaries data is the new perimeter Customers Backup CRM Trading Distributed Staff Employees Payments Billing Treasury Partners Warehouse Mortgage Test and Development Big Data Analytics Databases Applications 5

6 Can IT use encryption to protect sensitive data? 6

7 Yes, but traditional IT approach to encryption has major issues Businesses need to assume hackers will gain access to data Container & Pipe Encryption only protects data at rest or in transit No persistent data protection Leaves security gaps Exploitable SQL Injection, Malware Data goes everywhere Data needs to be protected at the data level 24/7 7

8 Yes, but traditional IT approach to encryption has major issues Businesses need to assume hackers will gain access to data Container & Pipe Encryption only protects data at rest or in transit No persistent data protection Leaves security gaps Exploitable SQL Injection, Malware Data goes everywhere Data needs to be protected at the data level 24/7 Compliance does not equal security 8

9 What new data protection challenges does your organization face? Expanding data warehouses? Big Data / Hadoop? Outsourcing to 3 rd parties? Cloud Services? Proliferation of mobile devices? BYOD? 9

10 Two new data marketing tools with similar challenges Cloud Services Traditional encryption not portable to cloud = new risks of data breach Untrusted systems / commodity servers Data residency Risks with sharing data Discontinuous protection Risks with 3 rd party compliance Big Data Traditional encryption not suitable for big data = new risks of data breach Untrusted systems / commodity servers Data residency Risks with sharing data Risks of data concentration / market position / corporate compliance Security and compliance issues are stopping Cloud and Big Data projects 10

11 A New Protection Paradigm is Needed Retain the business value of the original sensitive data Enables and supports business processes with least impact Sensitive data is protected from the point of creation across full lifecycle 11

12 The data-centric approach Protect data from new threats Encrypt once, stay protected From capture In storage In transit, In use Until needed by trusted applications Structured and unstructured data , file, fields, transactions If attackers get the encrypted data, its worthless 12

13 Traditional IT Security vs. Data-centric security Why is data-centric approach important? Traditional IT Infrastructure Security Authentication Data & Applications SSL/TLS/Firewalls Transparent Database Encryption (TDE), triggers SSL/TLS/Firewalls Data Security Coverage Security Gap Middleware Security Gap Databases Security Gap File Systems Data Security Coverage Data-Centric Security Top down: Application-layer data protection provides seamless end-to-end data security Encrypt once, persistently protect from point of capture: in storage, in transit, in use Disk encryption Security Gap Storage If attacked, data has no value 13

14 Traditional IT Security vs. Data-centric security Why is data-centric approach important? Traditional IT Infrastructure Security Authentication SSL/TLS/Firewalls Data & Applications Security Gap Middleware More keys More secure Less computation Application aware Transparent Database Encryption (TDE), triggers SSL/TLS/Firewalls Security Gap Databases Security Gap File Systems Disk encryption Security Gap Storage Less keys Less secure More computation Transparent 14

15 That makes sense, why doesn t everyone do this? 15

16 Data structure, value, and meaning Take a simple Tax ID. It s more than just a number. It has a format and structure It has value in being unique It s parts have value e.g. last 4 digits 16

17 Traditional encryption reduces value in the data Tax ID AES-CBC Encrypted Tax ID ue28w&=209gx32f*52 Secure but incompatible Changes format of data requires schema changes Changes size of field increases storage Imposes overhead decrypt/encrypt cycles 17

18 Format-Preserving Encryption (FPE) FPE Regular AES Tax ID Ija&3k24kQarotugDF2390^32 PII: address 8juYE%Uks&dDFa2345^WFLSDGhbsd735 Supports data of any format Encrypts all or part of a value e.g., last 4 digits of SSN preserved Preserves referential integrity NIST FFX Mode AES - NIST SP800-38G 18

19 Data-Centric Security at Work Live Data De-identified & Protected Data Trusted Applications Permitted Access Untrusted Application Partial or restricted access Protect live data, yet retain data format, structure, and business value when protected 19

20 Data-Centric Security at Work Live Data De-identified & Protected Data Trusted Applications Permitted Access Untrusted Application Partial or restricted access Protect live data, yet retain data format, structure, and business value when protected 20

21 But don t I have to worry about who is managing the encryption keys? 1. Retain control over data and residency of live information 2. Eliminate need to store keys in the cloud legal discovery and risk 3. Ability to locate key management in different geographies 4. Locate key management in-cloud or on premise 5. Integrate with Federated or Enterprise Authentication & Authorization systems Stateless designs reduce traditional static key management cost and risks and enable simpler key management for the cloud. 21

22 Key management for enabling cloud services 1. Retain control over data and residency of live information 2. Eliminate need to store keys in the cloud legal discovery and risk 3. Ability to locate key management in different geographies 4. Locate key management in-cloud or on premise 5. Integrate with Federated or Enterprise Authentication & Authorization systems Stateless designs reduce traditional static key management cost and risks and enable simpler key management for the cloud. 22

23 Data centric approach enables new data marketing tools Cloud Services Reduced risk of data breach Portability and choice Support for data residency Enables the safe sharing of data Continuous protection Control and compliance Reduced time to market Big Data Reduced risk of data breach Portability and choice Support for data residency Enables the safe sharing of data Reduced risks of data concentration / market position / corporate compliance Control and compliance Reduced time to market Data-centric security enables Cloud and Big Data projects 23

24 Voltage Data-Centric Security Protects and Enables Meet Compliance Regulations Mitigate Data Threats / Breaches Enable Business Agility Control Sensitive Data Access Protect Enterprise & Cloud Data Validation & Proofs of Security 24

25 Thank you Phil Sewell (416) (416) Voltage Security