Securing Data Today. Ulf Mattsson CTO Protegrity ulf.mattsson [at] protegrity.com

Transcription

1 Securing Data Today and in the Future Ulf Mattsson CTO Protegrity ulf.mattsson [at] protegrity.com

2 Ulf Mattsson 20 years with IBM Development & Global Services Inventor of 22 patents Encryption and Tokenization Co-founder of Protegrity (Data Security) Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security Member of Cloud Security Alliance (CSA) PCI Security Standards Council (PCI SSC) American National Standards Institute (ANSI) X9 Information Systems Security Association (ISSA) Information Systems Audit and Control Association (ISACA) 2

3 3 ISACA Articles Data Security & Compliance

4 4 04

5 Agenda Trends in data breaches Companies are reevaluating how they protect data Understand the flow of data Review different options for data protection More granular approaches to secure data Cost efficiency and Scalability Compliance and out of scope aspects Case study in data protection Data protection in cloud and outsourced environments 5

6 Best Source of Incident Data It is fascinating that the top threat events in both 2010 and 2011 are the same and involve external agents hacking and installing malware to compromise the confidentiality and integrity of servers. Source: 2011 Data Breach Investigations Report, Verizon Business RISK team Source: Securosis, 6

7 Data Breaches Mainly Online Data Records 900+ breaches 900+ million compromised records: % Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS 7

8 Compromised Data Types - # Records Payment card data Personal information Usernames, passwords Intellectual property Bank account data Medical records Classified information System information Sensitive organizational data % 120 Source: Data Breach Investigations Report, Verizon Business RISK team and USSS 8

9 Industry Groups Represented - # Breaches Hospitality Retail Financial Services Government Tech Services Manufacturing Transportation Media Healthcare Business Services % 50 Source: Data Breach Investigations Report, Verizon Business RISK team and USSS 9

10 Breach Discovery Methods - # Breaches Third party fraud detection Notified by law enforcement Reported by customer/partner Unusual system behavior Reported by employee Internal security audit or scan Internal fraud detection Brag or blackmail by perpetrator Third party monitoring service % Source: Data Breach Investigations Report, Verizon Business RISK team and USSS 10

11 Threat Action Categories by Percent of Breaches Source: Data Breach Investigations Report, Verizon Business RISK team and USSS 11

12 The Changing Threat Landscape Some issues have stayed constant: Threat landscape continues to gain sophistication Attackers will always be a step ahead of the defenders We're fighting highly organized, well-funded crime syndicates and nations Move from detective to preventative controls needed: Several layers of security to address more significant areas of risks Source: 12

13 Some Data is Extremely Sensitive Be very careful with data that is extremely sensitive and attracts powerful attackers RSA Example - The implications are serious because RSA's technology underpins the security of some of the world's most closely guarded data RSA makes small security devices that supply constantly changing numbers that are used as secondary passwords for accessing corporate networks and If the attacker managed to steal the codes that determine which numbers appear on the tokens, that information could be used to perform mass infiltrations if the attacker already has other information about the targets 13

14 Some Data is Extremely Sensitive Be careful when allowing keys or seed material to be escrowed Ask if there really is a backdoor to the encryption system (RSA) Audit the hosting company and validate the security of their environment. Ask how the data is protected on disk, network and in memory. APT (Advanced Persistent Threat) is not dead It is increasing Memory is sniffed (RAM scrapers) More granular data security It's important to use different encryption keys for different data Give them only the information they really needed Trust should not by the policy. Do not trust administrators, database, network Applications or users 14

15 Insider Crime Bank of America Gets Hit Twice An employee theft of bank customer data Names, addresses, social security numbers, driver s license numbers, birth dates, addresses, mother s maiden names, PINs and account balances Selling it to crooks Used information to order new checks and money transfers Consumer fears over lost data and ID crime is a major problem for all banks 15

16 Example of How the Problem is Occurring PCI DSS Encrypt Data on Public Networks (PCI DSS) SSL Public Network Attacker Clear Text Data Application Private Network Clear Text Data Database Encrypt Data At Rest (PCI DSS) OS File System Storage System 16 Source: PCI Security Standards Council

17 Data Security Today is a Catch-22 We need to protect both data and the business processes that rely on that data Enterprises are currently on their own in deciding how to apply emerging technologies for PCI data protection Data Tokenization - an evolving technology How to reduce PCI audit scope and exposure to data 17

18 Cost Effective PCI DSS Firewalls Encryption/Tokenization for data at rest Anti-virus & anti-malware solution Encryption for data in motion Access governance systems Identity & access management systems Correlation or event management systems Web application firewalls (WAF) Endpoint encryption solution Data loss prevention systems (DLP) Intrusion detection or prevention systems Database scanning and monitoring (DAM) ID & credentialing system DAM DLP WAF Encryption/Tokenization % Source: 2009 PCI DSS Compliance Survey, Ponemon Institute 18

19 What is Tokenization and what is the Benefit? Tokenization Benefit Result Tokenization is process that replaces sensitive data in systems with inert data called tokens which have no value to the thief. Tokens resemble the original data in data type and length Greatly improved transparency to systems and processes that need to be protected Reduced remediation Reduced need for key management Reduce the points of attacks Reduce the PCI DSS audit costs for retail scenarios 19

20 Current, Planned Use of Enabling Technologies Access controls 1% 91% 5% Database activity monitoring 18% 47% 16% Database encryption 30% 35% 10% Backup / Archive encryption 21% 39% 4% Data masking 28% 28% 7% Application-level encryption 7% 29% 7% Tokenization 22% 23% 13% Evaluating Current Use Planned Use <12 Months 20

21 Current Use of Enabling Technologies, by Maturity Class 21

22 Protecting the Data Flow - Example Unprotected sensitive information: 22 Protected sensitive information : Enforcement point

23 PCI DSS - Ways to Render the PAN* Unreadable Two-way cryptography with associated key management processes One-way cryptographic hash functions Index tokens and pads Truncation (or masking xxxxxx xxxxxx 6781) * PAN: Primary Account Number (Credit Card Number) 23

24 Securing Data Fields Impact of Different Methods Intrusiveness (to Applications and Databases) Hashing - Strong Encryption -!@#$%a^///&*b()..,,,gft_+!@4#$2%p^&*!@#$%a^.,mhu7/////&*b()_+!@ Standard Encryption Encoding Alpha - Numeric - Partial - avdsah 1F4hJ 1D3a Tokenizing or Formatted Encryption Clear Text Original Data I I Original Longer Data Length 24

25 Positioning Different Protection Options Evaluation Criteria Strong Encryption Formatted Encryption Data Tokens Security & Compliance Total Cost of Ownership Use of Encoded Data Best Worst 25

26 Risk Management and PCI Security Aspects Different data security methods and algorithms Policy enforcement implemented at different system layers Data Security Method Hashing Formatted Encryption Strong Encryption Data Tokenization System Layer Application Database Column Database File Storage Device Best Worst 26

27 Risk Management and PCI Security Aspects Integration at different system layers Different data security methods and algorithms Data Security Method Hashing Formatted Encryption Strong Encryption Data Tokenization System Layer Application Database Column Database File Storage Device : N/A Best Worst 27

28 Token Flexibility for Different Categories of Data Type of Data Input Token Comment Token Properties Credit Card Numeric Medical ID 29M2009ID 497HF390D Alpha-Numeric Date 10/30/ /25/2034 Date Address Alpha Numeric, delimiters in input preserved SSN delimiters Numeric, delimiters in input Credit Card Numeric, Last 4 digits exposed Policy Masking Credit Card clear, encrypted, tokenized at rest ## #### #### Presentation Mask: Expose 1 st 6 digits 28

29 Tokenization Use Case Example A leading retail chain 1500 locations in the U.S. market Simplify PCI Compliance 98% of Use Cases out of audit scope Ease of install (had 18 PCI initiatives at one time) Tokenization solution was implemented in 2 weeks Reduced PCI Audit from 7 months to 3 months No 3rd Party code modifications Proved to be the best performance option 700,000 transactions per days 50 million card holder data records Conversion took 90 minutes (plan was 30 days) Next step tokenization server at 1500 locations 29

30 30

31 31 The Cloud A Public Parking Garage

32 Amazon Cloud & PCI DSS Just because AWS is certified doesn't mean you are You still need to deploy a PCI compliant application/service and anything on AWS is still within your assessment scope PCI-DSS 2.0 doesn't address multi-tenancy concerns You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements Amazon doesn't do this for you You need to implement key management, rotation, logging, etc. If you deploy a server instance in EC2 it still needs to be assessed by your QSA (PCI auditor) Organization's assessment scope isn't necessarily reduced Tokenization can reduce your handling of PAN data Source: Securosis, 32

33 Risks Associated with Cloud Computing Handing over sensitive data to a third party Threat of data breach or loss Weakening of corporate network security Uptime/business continuity Financial strength of the cloud computing provider Inability to customize applications % Source: The evolving role of IT managers and CIOs Findings from the 2010 IBM Global IT Risk Study 33

34 34 Guidance on Cloud Security Best Source

35 Must Pass Security Before Entering The Cloud User Security Check Point Secured data Cloud Unprotected sensitive information: Protected sensitive information 35

36 Data Tokenization Reducing the Attack Surface Applications & Databases : Data Token 36 Unprotected sensitive information: Protected sensitive information

37 Different Approaches for Tokenization Traditional Tokenization Dynamic Model or Pre-Generated Model 5 tokens per second tokenizations per second Next Generation Tokenization Memory-tokenization 200,000-9,000,000+ tokenizations per second The tokenization scheme offers excellent security, since it is based on fully randomized tables. * This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions. * *: Prof. Dr. Ir. Bart Preneel, Katholieke University Leuven, Belgium 37

38 Evaluating Encryption & Tokenization Approaches Evaluation Criteria Encryption Tokenization Area Impact Database File Encryption Database Column Encryption Traditional Tokenization Memory Tokenization Availability Scalability Latency CPU Consumption Data Flow Protection Compliance Scoping Security Key Management Data Collisions Separation of Duties 38 Best Worst

39 Data Protection Challenges The actual protection of the data is not the challenge Centralized solutions are needed to managed complex security requirements Based on Security Policies with Transparent Key management Many methods to secure the data Auditing, Monitoring and Reporting Solutions that minimize the impact on business operations Highest level of performance and transparency Rapid Deployment Affordable with low TCO Enable & Maintaining compliance 39

40 Best Practices - Data Security Management File System Protector Policy Audit Log Database Protector Application Protector Enterprise Data Security Administrator Tokenization Server Secure Archive : Enforcement point 40

41 About Protegrity Proven enterprise data security software and innovation leader Sole focus on the protection of data Patented Technology, Continuing to Drive Innovation Growth driven by compliance and risk management PCI (Payment Card Industry) PII (Personally Identifiable Information) PHI (Protected Health Information) HIPAA State and Foreign Privacy Laws, Breach Notification Laws High Cost of Information Breach ($4.8m average cost), immeasurable costs of brand damage, loss of customers Requirements to eliminate the threat of data breach and non-compliance Cross-industry applicability Retail, Hospitality, Travel and Transportation Financial Services, Insurance, Banking Healthcare Telecommunications, Media and Entertainment Manufacturing and Government 41

42 Please contact me for more information ulf.mattsson [at] protegrity.com