Myths & Realities of Data Security & Compliance: The Risk-based Data. Ulf Mattsson, CTO, Protegrity

Transcription

1 Myths & Realities of Data Security & Compliance: The Risk-based Data Protection Solution Ulf Mattsson, CTO, Protegrity

2 Ulf Mattsson 20 years with IBM Development, Manufacturing & Services Inventor of 21 patents Co-founder of Protegrity (Data Security Management) Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security American National Standards Institute (ANSI) X9 Information Systems Audit and Control Association (ISACA) Information Systems Security Association (ISSA) Institute of Electrical and Electronics Engineers (IEEE) The World Scientific and Engineering Academy and Society for Computer Security (WSEAS) Object Management Group (OMG) CORBA Security Service

3 Description This session will review data protection methods that enable organizations to achieve the right balance between cost, performance, usability, compliance demands, and real-world security needs. This session will also guide you through a process for developing, deploying, and managing a risk-adjusted data security plan. March 2010

4

5

6 Topics Review current/evolving data security risks Explore the methods that enable organizations to achieve the right balance between cost, performance, usability, compliance demands and real-world security needs Develop a risk adjusted methodology for securing data and evaluating security solutions Review real world examples: protecting PCI, PII and MNPI (Material Non-Public Information) data throughout its entire lifecycle Other topics? Q&A Review real world examples for IBM, Microsoft & Oracle

7 Protect Sensitive Data PCI & Customer Data Credit & Loyalty cards Banking/mortgage data Customer profiles Prospect information Company Data Salary / bonus HR data Corporate secrets Financial results PII Social security number Drivers license number Private account numbers Date of birth Health Records Insurance claims Medical records Prescriptions Billing information

8 Data Protection Challenges Actual protection is not the challenge Management of solutions Key management Security policy Auditing and reporting Minimizing impact on business operations Transparency Performance vs. security Minimizing the cost implications Maintaining compliance Implementation Time

9 Developing a Risk-adjusted Data Protection Plan Know Your Data Find Your Data Understand Your Enemy Understand the New Options in Data Protection Deploy Defenses Crunch the Numbers

10 The Gartner 2010 CyberThreat Landscape

11 Data Security Remains Important for Most Source: Forrester, 2009

12 Know Your Data Identify High Risk Data Begin by determining the risk profile of all relevant data collected and stored Data that is resalable for a profit Value of the information to your organization Anticipated cost of its exposure Data Field Risk Level Credit Card Number 25 Social Security Number 20 CVV 20 Customer Name 12 Secret Formula 10 Employee Name 9 Employee Health Record 6 Zip Code 3

13 Understand Your Enemy & Data Attacks Breaches attributed to insiders are much larger than those caused by outsiders The type of asset compromised most frequently is online data, not laptops or backups: Source: Verizon Business Data Breach Investigations Report (2008 and 2009)

14 Market Drivers for Deeper Data Security Brand damage Staying out of the headlines Damage to credibility Regulatory mandates PCI Country/Provincial/State Privacy Laws Sarbanes-Oxley HIPAA Cost of recovery and fixes - Forrester Research gives a cost range of $90-$305 per record Increasing liability and insurance

15 Information Security Breaches In the U.S., 2005 was the year of the security breach Followed by 2006, 2007, 2008 and Since 2005, over 1,000 information security breaches Choice Point - Card Systems Bank of America - Boston Globe Lexis Nexis - Veterans Administration Heartland Payment Systems - TJX Over 236 million potentially affected Over 40 U.S. jurisdictions have security breach notification laws California SB 1386 started the trend New federal breach notification law for health information Numerous federal bills

16 State Security Breach Notification Laws Generally, the duty to notify arises when unencrypted computerized personal information was acquired or accessed by an unauthorized person Personal information is an individual s name, combined with: SSN Driver s license or state ID card number Account, credit or debit card number, along with password or access code But state laws differ: Computerized v. paper data Definition of PII Notification to state agencies Notification to CRAs Timing of individual notification Harm threshold Contents of notification letter

17 Federal Breach Notification Law The HITECH Act has changed the federal breach notification landscape HHS and FTC have promulgated breach notification rules pursuant to HITECH Act requirements The HITECH Act requires HIPAA covered entities to: notify individuals whose unsecured protected health information in any format has been, or is reasonably believed to have been accessed, acquired or disclosed as a result of a breach Business associates are responsible for notifying covered entities of a breach

18 Recent FTC Enforcement Actions Federal Trade Commission (FTC) enforcement authority: Section 5 of the FTC Act Most FTC privacy enforcement actions result from security breaches Card Systems, Petco, ChoicePoint, Tower Records, DSW, Barnes & Noble.com, BJ s Wholesale Club, Guess.com Inc., CVS, Caremark, Genica Corporation Division of Privacy and Identity Protection Enforcement trends

19 Costs of Non-Compliance with PCI Costs of non-compliance can be significant Card brands fine merchant banks, and costs are passed through to merchants by contract Possible fines of $5,000 to $25,000 per month for Level 1 and 2 merchants that have not validated compliance In the event of a security breach, possible fines of up to $500,000 per incident plus associated costs

20 Avoiding Breach Notification HHS issued guidance on April 17, 2009 setting forth an exhaustive list of what technologies and methodologies will render PHI secure. HHS provided additional guidance on August 24, Technologies and Methodologies that will render PHI secure: Encryption. Destruction. Nothing else will render your PHI secure. In most recent guidance, HHS: Rejected access controls, such as firewalls, as a method for securing PHI.

21 Understand Your Enemy Probability of Attacks Higher Probability What is the Probability of Different Attacks on Data? Errors and Omissions Lost Backups, In Transit RECENT ATTACKS Application User (e.g. SQL Injection) SQL Users Network or Application/RAM Sniffer Valid User for the Server (e.g. Stack Overflow, data sets) Application Developer, Valid User for Data Source: IBM Silicon Valley Lab(2009) Administrator Higher Complexity

22 Dataset Comparison Data Type Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team

23 Targeted Threat Growth

24 Choose Your Defenses Data Entry Where is data exposed to attacks? Data System Application Database File System Storage (Disk) Backup (Tape) RECENT ATTACKS SNIFFER ATTACK SQL INJECTION MALWARE / TROJAN DATABASE ATTACK FILE ATTACK MEDIA ATTACK ATTACKERS Authorized/ Un-authorized Users Database Admin System Admin HW Service People Contractors Unprotected sensitive information: Protected sensitive information

25 Granular Reporting for Compliance & Better Security Security Admin Application / Database Server Application Monitoring of Column and User Database File System Security Admin Application / Database Server Application NO Monitoring of Column and User Database File System

26 Top 15 Threat Action Types 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team

27 Common Vulnerabilities in E-Commerce Security

28 Top 15 Threat Action Types Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team

29 Data Level Attacks on the Enterprise Data Flow MALWARE / TROJAN DBA ATTACK Endpoint Internet Serve r DMZ Load Balancing Enterprise Apps TRUSTED SEGMENT DB Server SAN, NAS, Tape TRANSACTIONS Internal Users NW Wireless Proxy FW IDS/ IPS Web Apps Proxy FW Network Devices Proxy FW Server SQL INJECTION SNIFFER ATTACK MEDIA ATTACK OS ADMIN FILE ATTACK

30 Addressing Data Protection Challenges Full mapping of sensitive data flow Where is the data Where does it need to be Identify what data is needed for processing in which applications What are the performance SLAs Understand the impact of changing/removing data Will it break legacy systems Address PCI, strategize for the larger security issue

31 Protecting the Data Flow - Example

32 Top 6 threat action types - Mitigation Encryption of data in transit Token or Point-to-point encryption (E2EE) Monitoring And blocking Abuse of resources Token, Point-to-point encryption (E2EE) or File protection Infected systems Monitoring And blocking Collect usernames and passwords Specially crafted SQL statements Web Application Firewall Known usernames and passwords Monitoring And blocking Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team

33 Example of Secure Login One Time Password

34 Positioning Different Data Protection Approaches

35 Data Protection Challenges Actual protection is not the challenge Management of solutions Key management Reporting Policy Minimizing impact on business operations Performance v. security Minimizing impact (and costs) Changes to applications Impact on downstream systems Time

36 The Goal: Good, Cost Effective Security The goal is to deliver a solution that is a balance between security, cost, and impact on the current business processes and user community Security plan - short term, long term, ongoing How much is good enough Security versus compliance Good Security = Compliance Compliance Good Security

37 Choose Your Defenses Different Approaches

38 Choose Your Defenses Cost Effective PCI Encryption 74% WAF 55% DLP 43% DAM 18% Source: 2009 PCI DSS Compliance Survey, Ponemon Institute

39 Choose Your Defenses Find the Balance Cost Cost of Aversion Protection of Data Total Cost Optimal Risk Expected Losses from the Risk I Active Protection I Passive Protection Risk Level

40 Evaluation Criteria Performance Impact on operations - end users, data processing windows Storage Impact on data storage requirements Security & Separation of Duties How secure Is the data at rest Impact on data access separation of duties Transparency Changes to application(s) Impact on supporting utilities and processes

41 Choose Your Defenses - Operational Impact Passive Database Protection Approaches Database Protection Approach Web Application Firewall Performance Storage Security Transparency Separation of Duties Data Loss Prevention Database Activity Monitoring Database Log Mining Best Worst Source: 2009 Protegrity Survey

42 Choose Your Defenses - Operational Impact Active Database Protection Approaches Database Protection Approach Application Protection - API Performance Storage Security Transparency Separation of Duties Column Level Encryption; FCE, AES, 3DES Column Level Replacement; Tokens Tablespace - Datafile Protection Best Worst Source: 2009 Protegrity Survey

43 Choose Your Defenses Example Encryption Collection Point of Sale E-Commerce Branch Office Information in the wild - Short lifecycle / High risk Aggregation Temporary information - Short lifecycle / High risk Operations Operating information - Typically 1 or more year lifecycle -Broad and diverse computing and database environment Data Token Analysis Decision making information - Typically multi-year lifecycle - Homogeneous environment - High volume database analysis Archive Archive -Typically multi-year lifecycle -Preserving the ability to retrieve the data in the future is important

44 Choose Your Defenses New Methods Format Controlling Encryption Example of Encrypted format: Key Manager Application Databases Data Tokenization Example of Token format: Token Server Key Manager Application Databases Token

45 Newer Data Protection Options Format Controlling Encryption (FCE)

46 What Is FCE? Where did it come from? Before 2000 Different approaches, some are based on block ciphers (AES, 3DES ) Before 2005 Used to protect data in transit within enterprises What exactly is it? Secret key encryption algorithm operating in a new mode Cipher text output can be restricted to same as input code page some only supports numeric data The new modes are not approved by NIST

47 FCE Selling Points Ease of deployment -- limits the database schema changes that are required. Reduces changes to downstream systems Applicability to data in transit provides a strict/known data format that can be used for interchange Storage space does not require expanded storage Test data partial protection Outsourced environments & virtual servers

48 FCE Considerations Unproven level of security makes significant alterations to the standard AES algorithm Encryption overhead significant CPU consumption is required to execute the cipher Key management is not able to attach a key ID, making key rotation more complex - SSN Some implementations only support certain data (based on data size, type, etc.) Support for big iron systems is not portable across encodings (ASCII, EBCDIC) Transparency some applications need full clear text

49 FCE Use Cases Suitable for lower risk data Compliance to NIST standard not needed Distributed environments Protection of the data flow Added performance overhead can be accepted Key rollover not needed transient data Support available for data size, type, etc. Point to point protection if big iron mixed with Unix or Windows Possible to modify applications that need full clear text or database plug-in available

50 Applications are Sensitive to the Data Format Data Type Bin Data Binary (Hash) - Binary (Encryption) - No Applications Few Applications Alphanum (FCE, Token) - Many Applications Increased intrusiveness: - Application changes Text Data Numeric (FCE, Token) - Most Applications - Limitations in functionality - Limitations in data search - Performance issues Numeric (Clear Text) - All Applications I Original I Longer Data Field Length This is a generalized example

51 Newer Data Protection Options Data Tokenization

52 What Is Data Tokenization? Where did it come from? Found in Vatican archives dating from the 1300s In 1988 IBM introduced the Application System/400 with shadow files to preserve data length In 2005 vendors introduced tokenization of account numbers What exactly is it? It IS NOT an encryption algorithm or logarithm. It generates a random replacement value which can be used to retrieve the actual data later (via a lookup) Still requires strong encryption to protect the lookup table(s)

53 Tokenization Selling Points Provides an alternative to masking in production, test and outsourced environments Limits schema changes that are required. Reduces impact on downstream systems Can be optimized to preserve pieces of the actual data in-place smart tokens Greatly simplifies key management and key rotation tasks Centrally managed, protected reduced exposure Enables strong separation of duties Renders data out of scope for PCI

54 Tokenization Considerations Transparency not transparent to downstream systems that require the original data Performance & availability imposes significant overhead from the initial tokenization operation and from subsequent lookups Performance & availability imposes significant overhead if token server is remote or outsourced Security vulnerabilities of the tokens themselves randomness and possibility of collisions Security vulnerabilities typical in in-house developed systems exposing patterns and attack surfaces

55 Tokenization Use Cases Suitable for high risk data payment card data When compliance to NIST standard needed Long life-cycle data Key rollover easy to manage Centralized environments Suitable data size, type, etc. Support for big iron mixed with Unix or Windows Possible to modify the few applications that need full clear text or database plug-in available

56 Tokenization Users Show Significantly Better Results

57

58 A Central Token Solution Token Server Customer Application Customer Application Customer Application

59 A Distributed Token Solution Token Server Customer Application Customer Application Token Token Server Server Customer Application Customer Application

60 An Integrated Token Solution Customer Application Customer Application Token Server Customer Application Customer Application Token Server

61 Evaluating Different Tokenization Implementations Evaluation Area Hosted/Outsourced On-site/On-premises Evaluating Different Tokenization Implementations Area Criteria Central (old) Distributed Central (old) Distributed Integrated Operati onal Needs Pricing Model Data Types Security Availability Scalability Performance Per Server Per Transaction Identifiable - PII Cardholder - PCI Separation Compliance Scope Best Worst

62 A Central Token Solution vs. A Distributed Token Solution Dynamic Random Token Table Central Dynamic Token Table Customer Application Customer Application Customer Application Customer Application Static Random Static Static Token Random Random Static Table Token Token Random Table Table Token Table Distributed Static Distributed Token Tables Static Token Tables Static Random Static Static Token Random Random Static Table Token Token Random Table Table Token Table Distributed Static Distributed Token Tables Static Token Tables Customer Application Customer Application Customer Application Customer Application

63 A Distributed Token Solution An Integrated Token Solution Static Random Static Token Static Random Token Static Table Random Token Table Random Table Token Table Distributed Static Distributed Token Tables Static Token Tables Customer Application Customer Application Static Random Token Static Static Table Random Token Random Table Token Table Customer Application Customer Application Static Token Tables Integrated with Pep-Server Static Random Static Token Static Random Token Static Table Random Token Table Random Table Token Table Distributed Static Distributed Token Tables Static Token Tables Customer Application Customer Application Static Random Token Static Static Table Random Token Random Table Token Table Static Token Tables Integrated with PepServer Customer Application Customer Application

64 Choose Your Defenses Strengths & Weakness * * * Best Worst * Compliant to PCI DSS 1.2 for making PAN unreadable Source: 2009 Protegrity Survey

65 An Enterprise View of Different Protection Options Evaluation Criteria Strong Encryption Formatted Encryption Token Disconnected environments Distributed environments Performance impact when loading data Transparent to applications Expanded storage size Transparent to databases schema Long life-cycle data Unix or Windows mixed with big iron (EBCDIC) Easy re-keying of data in a data flow High risk data Security - compliance to PCI, NIST Best Worst

66 Deploy Defenses Matching Data Protection Solutions with Risk Level Data Field Risk Level Credit Card Number 25 Social Security Number 20 CVV 20 Customer Name 12 Secret Formula 10 Employee Name 9 Employee Health Record 6 Zip Code 3 Risk Level Low Risk (1-5) At Risk (6-15) High Risk (16-25) Solution Monitor Monitor, mask, access control limits, format control encryption Replacement, strong encryption

67 Data Protection Implementation Layers System Layer Performance Transparency Security Application Database File System Topology Performance Scalability Security Local Service Remote Service Best Worst

68 Crunch the Numbers Conclusion Risk-adjusted data security plans are cost effective Switching focus to a holistic view rather than security silo methodology Understanding of where data resides usually results in a project to reduce the number of places where sensitive data is stored Protect the remaining sensitive data with a comprehensive data protection solution

69 Managing encryption keys across different platforms

70 Deployment Applications RACF DB2 Files Encryption Solution ICSF Hardware Security Module Mainframe z/os DB2 UDB Informix Central Key Manager System i Hardware Security Module Oracle

71 Example - Centralized Data Protection Approach Secure Archive Secure Storage Database Protector Secure Distribution File System Protector Policy & Key Creation Policy Secure Usage Enterprise Data Security Administrator Audit Log Secure Collection Application Protector Auditing & Reporting Big Iron Protector

72 Protegrity Value Proposition Protegrity delivers, application, database, file protectors across all major enterprise platforms. Protegrity s Risk Adjusted Data Security Platform continuously secures data throughout its lifecycle. Underlying foundation for the platform includes comprehensive data security policy, key management, and audit reporting. Enables customers to achieve data security compliance (PCI, HIPAA, PEPIDA, SOX and Federal & State Privacy Laws)

73 Protegrity and PCI Build and maintain a secure network. 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data. 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a vulnerability management program. Implement strong access control measures. Regularly monitor and test networks. Maintain an information security policy. 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security

74 Enterprise Reporting Flexibility Protegrity Data Protection Database Protector Application Protector File Protector Collect Audit Logs Audit Log Attributes ID Date Severity User Title Description Type Product Product Version Server Server IP Server Port Additional Info Access Data Store Policy Data Element Operation Count Error Code OS User SCID Vendor Row ID Session ID Request ID Vendor Type Reporting Choices Reporting Options Forensics Standard Reports Compliance Reports Custom Reports Export Logs

75 Summary Report on Daily Monitored Security Events

76 Please contact us for more information Ulf Mattsson Phone ulf.mattsson@protegrity.com

77 A Source of Information about PCI Research