Title Data-Centric security and HP NonStop-centric ecosystems A breakthrough strategy for neutralizing sensitive data against advanced threats and attacks Andrew Price, XYPRO Technology Corporation Mark Bower, Voltage Security 1
Title Agenda Common challenges in handling sensitive data The state of the nation 2014 data breach impact Data is the new perimeter Infrastructure-centric Security vs. Data-centric Security Example Complexity in security payment data flows Data-centric security Technology and Standards Practical Applications and Use Cases Summary 2
Title Your Speakers today Mark Bower VP Product Management & Solutions Andrew Price VP Technology 3
Title Common Problems of Sensitive Data handling. Our regulator or auditor will not sign off on privacy compliance for PCI, HITECH, FTC. Privacy and regulations prevent our business from using the full potential of its data. Our CISO cannot say yes until sensitive data is neutralized from breach risk. We move sensitive data to and from enterprise systems and the warehouse to HP NonStop, so we need to protect data end-to-end. We cannot put this live data in the cloud or Hadoop due to breach risks and data residency issues. 5
Title The State of the Nation Data breach costs 6
Title The State of the Nation Data breach costs Compliance is important, but not the end-game in neutralizing breach risks. 7
Title Infrastructure Security vs. Data-centric Security A new approach to neutralizing breach risks 8
Title Data goes everywhere data is the new perimeter Data from Devices, Sensors, and Applications Transaction Processors Offshore Test and Dev Cloud Applications & Services SaaS PaaS Enterprise Data Systems Partner Data Systems Big Data Analytics in the Cloud Big Data Analytics in Hadoop Amazon AWS 9
Title Attack Trends vs. Protection Strategy Effectiveness. Data-centric security (fields and objects): data stays protected in use, in motion, and at rest. Traditional infrastructure-level protection (disk, file): protects data at rest on disks or in files, i.e. only while the system is powered off or the media is in backup. Data-centric security protects data over its whole lifecycle against the broad threat set; infrastructure-centric solutions such as volume-level encryption (VLE) only protect against physical threats such as lost or stolen media. Graph source: Verizon Data Breach Report 2014 10
Title Infrastructure Security Creates Exploitable Gaps. The stack, top to bottom: Data & Applications, Middleware/Network, Databases (data is in the clear in this part of the stack); File Systems and OS (reads and writes disk sectors); Storage (disk sectors encrypted). Disk encryption only helps below the file system; everything above it sees plaintext. 11
Title IT Security vs. Data-centric Security
Layer               | Threats to Data        | Traditional IT Infrastructure Security | Result       | Voltage Data-centric Security
Data & Applications | Credential compromise  | Authentication management              | Security gap | End-to-end data protection
Middleware/Network  | Traffic interceptors   | SSL/TLS/Firewalls                      | Security gap | (data security coverage
Databases           | SQL injection, malware | Database encryption                    | Security gap | across every layer)
File Systems        | Malware, insiders      | SSL/TLS/Firewalls                      | Security gap |
Storage             | Malware, insiders      | Disk encryption                        |              |
12
Title A common problem: securing card data in payments processing, an ecosystem frequently attacked by advanced malware 13
Title Card Data Flows in the Payments Ecosystem 14
Title Card Data Risks in the Merchant Ecosystem POS malware risk Insider risk Server malware risk Network sniffing Skimming risk 15
Title A Card Present Flow: a threat and risk view. Flow: Merchant (payment card readers, point of sale (POS), retail store IT) to Acquirer (authorization gateway) to issuing bank and merchant banks. Threats at each stage: at the reader, pre-card-read skimming and fake readers; at the POS and store IT, POS and server malware, memory scrapers, insiders and outsourced operations; at the acquirer and the banks, server malware and insiders. 16
Title Traditional Encryption and Payment Capture. Unprotected Track 2*: ; [first 6] PAN [last 4] = Add'l Data (EXP, SVC) Disc. Data (PVV, CVV) ? LRC. Card data, structure, special codes, PVV, CVV and parameters are packed in a 6-bit encoding with limited space (37 characters). Traditional encryption (3DES or AES-CBC) applied to track data breaks the track format, and the implementation requires costly key management and key injection. Traditional encryption*: ; &69809*(&^15jIOwom^iqlge- 013oP{135)&k24 i3h87qnlboday&(t*@o2p 28{O3dyei$1U12??? Traditional encryption breaks structure, size, and encoding, and requires decryption everywhere the PAN or any part of it is needed. That makes it difficult to retrofit encryption to existing IT: the POS, the switch, merchant IT, etc. 17
Title Traditional Encryption and Payment Processing. Flow: payment capture (live PAN 7412 3456 7890 0000) to payment authorization, settlement processes, and logs, reports and backups (each holding the ciphertext 8juYE%UkFa2345^WFLE), out to the card networks (PAN 7412 3456 7890 0000) and to the customer service application (PAN XXXX XXXX XXXX 0000). Live data is captured as the credit card primary account number (PAN). Traditional encryption requires database schema and application re-engineering; traditional key management adds complexity and cost; and the whole encrypted PAN has to be decrypted even when only the last 4 digits are needed. 18
Title Data-centric security Technology and Standards Practical Encryption and Tokenization without friction 19
Title Voltage Format-Preserving Encryption (FPE). FPE (AES FF1 mode) vs. regular AES-CBC mode. Credit card 12210527882757234: FPE output 122105278 674301068; AES-CBC output 8juYE%UkFa2345^WFLE. Record (First Name: Gunther, Last Name: Robertson, DOB: 20-07-1966, SSN: 934-72-2356): FPE output First Name: Uywjlqo, Last Name: Muwruwwbp, SSN: 298-24-2356, DOB: 18-06-1972 (field formats, lengths and the last 4 of the SSN preserved); AES-CBC output Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW aasiuahjw2%quifiwuybw3 Oiuqwriuweuwr%oIUOw1@. FF1 is a standard, proven mode of AES (NIST SP 800-38G, a draft standard when this deck was written and published as final in 2016). High performance, minimal impact: encrypt at capture, data stays protected, and most applications can run on the encrypted data. Fits into existing systems, protocols and schemas for any data. Protects live data in applications and databases, business processes or transactions. Creates de-identified data for test, cloud applications and outsourcers. 20
Title Secure Stateless Tokenization. Credit card 7412 3456 7890 0000 becomes the Secure Stateless Tokenization token 7412 3487 8346 0000; tax ID 934-72-2356 becomes 774-96-2356. Regular tokenization yields the same kind of surrogate (7412 3456 7890 0000 to 7412 3487 8346 0000, 934-72-2356 to 774-96-2356) but must store the live-to-token mapping in a token database. SST disassociates live data using a fully functional data surrogate, a token. It retains the value of the data for business uses, e.g. the first 6 and last 4 digits of a credit card. It reduces PCI scope more than any other approach and eliminates the costly token-database sync problem. Proven security: cryptanalyzed and published. High performance, lower cost, simpler to deploy and manage. 21
Title Traditional vs. Stateless Key Management. Traditional key management: keys need to be stored and recovered; requires endpoint protection and staffing; manual controls; complex to scale and operate. Stateless key management: the cornerstone of simplicity and scalability; keys are derived dynamically for all uses; no key database to store, sync and back up; no data loss issues; enables high-performance data protection that scales. 22
Title Magnetic stripe track data and data-centric security. Unprotected Track 2*: ; [first 6] PAN [last 4] = Add'l Data (EXP, SVC) Disc. Data (PVV, CVV) ? LRC. Card data, structure, special codes, PVV, CVV and parameters are packed in a 6-bit encoding with limited space (37 characters). Data security uses NIST SP 800-38G based Format-Preserving Encryption, with dynamic keys from IEEE 1363.3 IBE technology. Protected data works and flows unimpeded: neutralized, but compatible. FPE-encrypted Track 2*: ; [first 6] Secure [last 4] = Add'l Data (EXP, SVC) Secure ? LRC. * Illustration simplified; shows Track 2 only. Track 2 PAN also protected in the implementation. FPE protects the sensitive fields, preserves the track encoding, and leaves the first 6 and last 4 digits in the clear. The data still functions in the POS but is neutral; only the host can decrypt. That makes it simple to retrofit encryption to existing IT: the POS, the switch, merchant IT, etc. 23
Title Data-centric Security and Payment Processing. Flow: at payment capture the live PAN 7412 3456 7890 0000 is encrypted in the secure reader (shown on the slide as 7412 8724 9002 0000) end-to-end to the payment authorization host, which decrypts and tokenizes it; the SST token 7412 3487 8346 0000 is then used throughout settlement processes, logs, reports and backups, and the customer service application. Only the card networks receive the live PAN 7412 3456 7890 0000, after de-tokenization at the host. No live data in internal processes or systems, and the last 4 digits are already available without any change. 24
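The three slides above describe the property that matters for retrofitting: FPE output is the same length and alphabet as the input, the BIN (first 6) and last 4 stay in the clear, and only the host key can reverse it. The following Go program is an added example written for this edit, not code from the deck, XYPRO or Voltage. It implements FF1 from NIST SP 800-38G directly over the Go standard library's AES (no third-party package) and reproduces the FF1 sample 1 and sample 2 vectors from the specification; the ProtectPAN/RevealPAN helpers, the decision to use BIN plus last 4 as the FF1 tweak, and the sample PAN from the slides are this example's own assumptions.

```go
// Added example, not Voltage or XYPRO code: NIST SP 800-38G FF1 (AES, radix 10)
// applied to a PAN so that only the digits between BIN and last 4 are encrypted.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
	"math/big"
	"strings"
)

type FF1 struct {
	blk   cipher.Block // AES-128/192/256, selected by key length
	radix int          // numeral alphabet size: 10 for digit strings
}

func NewFF1(key []byte, radix int) *FF1 {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &FF1{blk, radix}
}

// num is NUM_radix(s) from the spec; str is STR^m_radix(x), zero padded to m numerals.
func (f *FF1) num(s string) *big.Int {
	x, ok := new(big.Int).SetString(s, f.radix)
	if !ok {
		panic("not a numeral string in radix " + fmt.Sprint(f.radix))
	}
	return x
}
func (f *FF1) str(x *big.Int, m int) string {
	s := x.Text(f.radix)
	return strings.Repeat("0", m-len(s)) + s
}

// prf is FF1's CBC-MAC with a zero IV over a whole number of 16-byte blocks.
func (f *FF1) prf(x []byte) []byte {
	y := make([]byte, 16)
	for i := 0; i < len(x); i += 16 {
		for j := range y {
			y[j] ^= x[i+j]
		}
		f.blk.Encrypt(y, y)
	}
	return y
}

// feistel runs the ten FF1 rounds forwards (dir=1, Algorithm 7) or backwards (dir=-1, Algorithm 8).
func (f *FF1) feistel(T []byte, X string, dir int) string {
	n, t := len(X), len(T)
	u, v := n/2, n-n/2
	b := int(math.Ceil(math.Ceil(float64(v)*math.Log2(float64(f.radix))) / 8)) // bytes needed for NUM(B)
	d := 4*int(math.Ceil(float64(b)/4)) + 4                                      // bytes of S that form y
	P := []byte{1, 2, 1, byte(f.radix >> 16), byte(f.radix >> 8), byte(f.radix), 10, byte(u), // fixed 16-byte prefix
		byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n), byte(t >> 24), byte(t >> 16), byte(t >> 8), byte(t)}
	pad := make([]byte, ((-t-b-1)%16+16)%16) // brings T||pad||[i]||[NUM]^b to a block boundary
	A, B := X[:u], X[u:]
	for k := 0; k < 10; k++ {
		i, src := k, B // encrypt: round i mixes NUM(B) into A
		if dir < 0 {
			i, src = 9-k, A // decrypt: rounds run in reverse and mix NUM(A) back out of B
		}
		m := []int{u, v}[i%2] // even rounds change the u-digit half, odd rounds the v-digit half
		Q := append(append(append(append([]byte{}, T...), pad...), byte(i)), f.num(src).FillBytes(make([]byte, b))...)
		R := f.prf(append(append([]byte{}, P...), Q...))
		S := append([]byte{}, R...)
		for j := 1; len(S) < d; j++ { // S = R || CIPH(R xor [1]^16) || ...; only runs when d > 16
			blk := append([]byte{}, R...)
			for idx := 0; idx < 8; idx++ {
				blk[15-idx] ^= byte(j >> (8 * idx))
			}
			f.blk.Encrypt(blk, blk)
			S = append(S, blk...)
		}
		y := new(big.Int).SetBytes(S[:d])
		mod := new(big.Int).Exp(big.NewInt(int64(f.radix)), big.NewInt(int64(m)), nil)
		if dir > 0 {
			c := new(big.Int).Add(f.num(A), y)
			A, B = B, f.str(c.Mod(c, mod), m)
		} else {
			c := new(big.Int).Sub(f.num(B), y)
			B, A = A, f.str(c.Mod(c, mod), m)
		}
	}
	return A + B
}
func (f *FF1) Encrypt(T []byte, X string) string { return f.feistel(T, X, 1) }
func (f *FF1) Decrypt(T []byte, X string) string { return f.feistel(T, X, -1) }

// panFPE keeps BIN and last 4 in the clear and uses them as the tweak: a choice made for
// this example (the slides name no tweak) so equal middles under different BIN/last-4 differ.
func panFPE(f *FF1, pan string, dir int) string {
	head, mid, tail := pan[:6], pan[6:len(pan)-4], pan[len(pan)-4:]
	return head + f.feistel([]byte(head+tail), mid, dir) + tail
}
func ProtectPAN(f *FF1, pan string) string { return panFPE(f, pan, 1) }
func RevealPAN(f *FF1, prot string) string { return panFPE(f, prot, -1) }

func main() {
	key := []byte{0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C} // SP 800-38G sample key
	f := NewFF1(key, 10)
	p := ProtectPAN(f, "7412345678900000") // the PAN used on the slides
	fmt.Println("protected:", p, "last 4 with no key:", p[12:], "host decrypt:", RevealPAN(f, p))
}
```

Two practitioner caveats. First, the protected value reads as a normal 16-digit PAN but will in general not pass a Luhn check, so any POS or switch code that validates the check digit before forwarding has to be accounted for (the deck does not say how Voltage handles this). Second, with a 16-digit PAN this leaves exactly six digits in the encrypted domain; the 2019 revision of SP 800-38G requires the domain to hold at least one million values, so six decimal digits is the floor, and shorter PANs would need more of the number encrypted.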
Title Data-centric Security for any sensitive data. Data is secured during capture; selected live data elements are available to trusted users under policy control; data stays secure in storage, in transit, and in low-trust processes (analytics, cloud, test, development, etc.). 25
Title Data-centric Security Standards & Validation ~30 Patents Encryption, Key Management, Tokenization 26
Title Consequences of not using Standards or Proofs of Security. FTC 2014 report on FTC investigations: "FTC attention has regularly focused on data encryption. In more than half (27) of the cases requiring privacy or data security programs, the FTC addressed the defendant's encryption protocols, which, it noted, should have been compatible with industry standards." https://www.privacyassociation.org/media/pdf/resource_center/ftc-whitepaper_v4.pdf Impact: ValueClick fined $2.9m for deception, and its contract with eBay cancelled, over proprietary encryption failures. http://www.ftc.gov/sites/default/files/documents/cases/2008/03/080317complaint.pdf http://www.ftc.gov/news-events/press-releases/2008/03/valueclick-pay-29-million-settle-ftc-charges 27
Title Practical Data-centric security 28
Title Example - Production Applications. A Thales HSM backs Voltage SecureData (key management, encryption, tokenization, policy control and audit), which applications call as fpe.protect(ssn) on capture and fpe.access(ssn) on use. Flow: web form / new account application (live SSN 022-37-2773 at live data capture) to mainframe, database, and logs, reports and backups (SSN 734-81-9292: format-preserved encrypted or SST tokenized data) to the customer service application (SSN XXX-XX-2773: policy-based redaction on de-tokenize or decrypt). (C) 2014 Voltage Security, Inc. All Rights Reserved 29
Title Example: Data-centric security for Hadoop. A Thales HSM backs Voltage SecureData (key management, encryption, tokenization, policy control and audit). Flow: data sources to landing zone (ETL, Sqoop, Flume, batch) to HDFS (MapReduce, Hive, storage encryption) to the data warehouse and BI applications, and more. The goal is to protect (encrypt or tokenize) sensitive data before it gets stored in HDFS. Doing so as early as possible in the data flow path reduces the exposure of the data and improves the compliance stance. 30
Title Example: Cloud Data Protection (e.g. Azure, AWS). Enterprise data center: credit card fraud analysis processing app; ETL tools. Semi-trusted user: partial access. Trusted users (e.g. fraud analysts): full access. 31
Title Neutralizing a breach: attackers get nothing sensitive. Live data is de-identified and protected in storage, in motion and in use. Trusted applications get permitted access; untrusted applications get partial or restricted access. Business applications, data stores and processes (production, test, and analytics): custom applications; production databases, test & dev; payment data; ETL and data integration suites; 3rd-party applications; Teradata and Hadoop; HP NonStop applications and databases; cloud broker gateways; mainframe applications and databases; web/cloud applications. 32
Title Establishing a data-centric security strategy Best practices in neutralizing breach risks 33
Title Five Critical Best Practices for Data-centric Security. To be effective, a data-centric security strategy must: 1. Be unified across mission critical platforms: HP NonStop, IBM z/OS, Teradata, Hadoop, cloud and enterprise systems, payment devices, applications, and data stores. 2. Minimize the exposure of live data to only trusted systems or users. 3. Utilize standards-based and proven data protection technology for compliance. 4. Enable centralized control of key management, tokenization, encryption, audit, and reporting. 5. Enable the business process without friction at global scale. 34
Title Voltage SecureData Use Case Examples Success in neutralizing advanced threats 35
Title Success at a Global Acquirer: risk reduction & compliance. Top global internet payment processor; competitive driver, compliance and risk reduction. End-to-end encryption for e-commerce data; tokenization for post-payment capture, internally and to merchants. Critical requirements: global solution, high scale, high volume; scale to >500,000 merchants and ~50% of internet e-commerce volume; mixed HP NonStop, Stratus and Unix platforms. Solution and benefits: data-centric security for all payments transactions reduced threats; PCI scope reduction for merchants and the payment acquirer; reduced merchant and processor PCI costs ($millions in cost savings). 36
Title Top US retailer: data-centric security for payments and the enterprise. Risk concern from large industry breaches; thousands of stores, US-wide, to de-risk; complex infrastructure and payment flows. Enterprise-wide data-centric security vision: payments protected from the store card reader device to the HP NonStop switch to reduce risk and PCI scope; enterprise data security; personal data protection for compliance and risk reduction; Hadoop data security enabling analytics, with sensitive data de-identified for analytic use. Success with HP NonStop: live on 85,000 terminals to mitigate advanced threats in the POS, with a unified data-centric strategic security platform in place to meet broad risk reduction duties. 37
Title Data-centric security ROI: ~87% compliance cost saving. Chart of annual cost (US$) for 2009 to 2013, PCI compliance net cost vs. data-centric security investment; values shown on the chart: $1.2m, $0.70m, $350k, $150k, $150k. Investment $800K over 5 years with a phased-in data-centric approach; cost saving over 5 years > $4.25m; 3-4 month audit reduced to < 2 weeks; ~0.1 FTE per datacenter. Multiple applications: mission critical and open systems; travel, banking, insurance; multi-state retail locations. 38
Title Summary 39
Title Secure Data can go everywhere without increased risk Data from Devices, Sensors, and Applications Transaction Processors Offshore Test and Dev Cloud Applications & Services SaaS PaaS Enterprise Data Systems Partner Data Systems Big Data Analytics in the Cloud Big Data Analytics in Hadoop Amazon AWS 40
Title Conclusion. Data-centric security provides a new approach to protect and de-identify data to neutralize data breaches; infrastructure security alone is just not enough against today's threats. Data-centric technology can enable HP NonStop with powerful, stateless methods for data de-identification and protection from a single platform; provide consistent data protection within and between data environments and devices beyond HP NonStop; and offer scalable, high-performance solutions that have been broadly adopted across the industry and in standards, to reduce compliance costs and breach impact and to enable data processing without risk. 41