Where Data Security and Value of Data Meet in the Cloud
Practical advice for cloud data security
Ulf Mattsson, CTO, Protegrity
Ulf.Mattsson@protegrity.com
Ulf Mattsson, Protegrity CTO
- Cloud Security Alliance (CSA): Cloud & Virtualization SIGs
- PCI Security Standards Council: Encryption Task Force, Tokenization Task Force
- IFIP (International Federation for Information Processing): WG 11.3 Data and Application Security
- ISACA (Information Systems Audit and Control Association)
- ISSA (Information Systems Security Association)
Agenda
- The New Enterprise Paradigm: cloud computing, IoT and the disappearing perimeter; data is the new currency
- Rethinking Data Security for a Boundless World: the new wave of challenges to security and productivity; a seamless, boundless security framework for data flow; maximizing data utility and minimizing risk, finding the right balance
- New Security Solutions, Technologies and Techniques: data-centric security technologies; data security and utility outside the enterprise; cloud data security in context of the enterprise
- Best Practices
Enterprises Losing Ground Against Cyber-attacks
- Verizon Data Breach Investigations Report: enterprises are losing ground in the fight against persistent cyber-attacks. We simply cannot catch the bad guys until it is too late, and this picture is not improving.
- Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools.
- JP Morgan Chase data breach: hackers were in the bank's network for months undetected. Network configuration errors are inevitable, even at the largest banks.
- We need a new approach to data security.
High-profile Cyber Attacks
- 49% recommended database security
- 40% of budget still on network security, only 19% to database security
- Conclusion: organisations have traditionally spent money on network security, so it is earmarked in the budget and requires no further justification
The Perimeter-less World
Integration with Outside World
- Big data projects in 2015: integration with the outside world. Security prevents big data from becoming a prevalent enterprise computing platform; 3rd party products are helping.
- 26 billion devices on the Internet of Things by 2020 (Gartner)
Sources: www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html, wikipedia.org
They're Tracking When You Turn Off the Lights
- Sensors capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian traffic flow.
Source: Wall Street Journal
Security Threats of Connected Medical Devices
- The Department of Homeland Security is investigating two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers.
- These can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity.
- Keep medical data stored encrypted.
- PricewaterhouseCoopers study: $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability.
Source: www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#
Challenge: How can I Secure the Perimeter-less Enterprise?
Cloud Computing
What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing? (survey chart)
Data Security Holding Back Cloud Projects (chart)
Source: Cloud Adoption Practices & Priorities Survey Report, January 2015
Security of Data in Cloud at Board-level (chart)
Source: Cloud Adoption Practices & Priorities Survey Report, January 2015
Threat Vector Inheritance (diagram)
Public Cloud (diagram)
Source: Wired.com
New Technologies to Secure Cloud Data
Data-Centric Protection Increases Security in Cloud Computing
- Rather than making the protection platform based, the security is applied directly to the data, protecting it wherever it goes, in any environment.
- Cloud environments by nature have more access points and cannot be disconnected.
- Data-centric protection reduces the reliance on controlling the high number of access points.
Simplify Operations and Compliance in the Cloud: Key Challenges
- Storing and/or processing data in the cloud increases the risks of non-compliance through unapproved access and data breach.
- Service providers will limit their liabilities for potential data breaches that may be taken for granted on-premises.
Source: Gartner, Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
Simplify Operations and Compliance in the Cloud: Recommendations
- Simplify audits and address data residency and compliance issues by applying encryption or tokenization and access controls.
- Digitally shred sensitive data at its end of life by deleting the encryption keys or tokens.
- Understand that protecting sensitive data in cloud-based software as a service (SaaS) applications may require trading off security and functionality.
- Assess each encryption solution by following the data to understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.
Source: Gartner, Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
Security Gateway Deployment: Hybrid Cloud (diagram; labels: Corporate Network, Client System, Cloud Gateway, Private Cloud, Public Cloud, Security Officer, Enterprise Security Administrator, Out-sourced)
Security Gateway: Searchable Encryption (diagram; labels: Corporate Network, Client System, Query re-write, Cloud Gateway, RDBMS, Order preserving encryption, Security Officer, Enterprise Security Administrator)
Security Gateway: Search & Indexing (diagram; labels: Corporate Network, Client System, Query re-write, Cloud Gateway, Index, RDBMS, Security Officer, Enterprise Security Administrator)
Cloud Gateway - Requirements (comparison chart, rated from best to worst)
Criteria: adjusted protection, data protection methods, scalability, storage, security, transparency
Methods compared: system without data protection; weak encryption (1:1 mapping); searchable gateway index (IV); vaultless tokenization; partial encryption; data type preservation encryption; strong encryption (AES CBC, IV)
Comparing Data Protection Methods
Risk Adjusted Storage (chart: data-leaking formats, high to low, against computational usefulness; methods plotted: strong encryption, truncation, sort-order-preserving encryption, indexing; region marked data leakage)
Balancing Data Security & Utility (diagram; labels: Classification of Sensitive Data, Granular Protection of Sensitive Data, Value Preserving Encoding, Leaking Sensitive Data?, Index Data)
Risk Adjusted Data Leakage (chart: trust, high to low, against elasticity, in-house to out-sourced; labels: Index Leaking Sensitive Data, Sort Order Preserving Encryption Algorithms Leaking Sensitive Data, Index NOT Leaking Sensitive Data, Index Data)
Reduction of Pain with New Protection Techniques (timeline 1970 to 2010; pain and TCO from high to low)
Input value: 3872 3789 1620 3675
- Strong encryption (AES, 3DES), output: !@#$%a^.,mhu7///&*B()_+!@
- Format preserving encryption (DTP, FPE), output: 8278 2789 2990 2789
- Format preserving vault-based tokenization, output: 8278 2789 2990 2789; greatly reduced key management
- Vaultless tokenization, output: 8278 2789 2990 2789; no vault
What is Data Tokenization?
Data Tokenization: Replacing the Data (diagram)
Source: plus.google.com
Tokenization Research: Tokenization Gets Traction
- Aberdeen has seen a steady increase in enterprise use of tokenization over encryption for protecting sensitive data.
- Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.
- Tokenization users had 50% fewer security-related incidents than tokenization non-users.
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
Fine Grained Data Security Methods: Tokenization and Encryption are Different
- Encryption: a cipher system; uses cryptographic algorithms and cryptographic keys
- Tokenization: a code system; uses code books and index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Speed of Fine Grained Protection Methods (chart: transactions per second*, log scale from 100 to 10,000,000, for vault-based data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization)
*: Speed will depend on the configuration
Significantly Different Tokenization Approaches
- Property: vault-based tokens are dynamic; vaultless tokens are pre-generated
Examples of Protected Data (field: real data / tokenized or pseudonymized)
- Name: Joe Smith / csu wusoj
- Address: 100 Main Street, Pleasantville, CA / 476 srta coetse, cysieondusbak, CA
- Date of Birth: 12/25/1966 / 01/02/1966
- Telephone: 760-278-3389 / 760-389-2289
- E-Mail Address: joe.smith@surferdude.org / eoe.nwuer@beusorpdqo.org
- SSN: 076-39-2778 / 076-28-3390
- CC Number: 3678 2289 3907 3378 / 3846 2290 3371 3378
- Business URL: www.surferdude.com / www.sheyinctao.com
- Fingerprint, Photo, X-Ray: encrypted
Healthcare / financial services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; financial services; consumer products and activities.
Protection methods can be equally applied to the actual data, but are not needed with de-identification.
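A simplified model of vaultless, format-preserving tokenization as the preceding slides describe it (pre-generated substitution tables derived from one secret, no token vault, last four digits kept as in the CC example above). This is an added illustration, not Protegrity's implementation; the seed, table count and sample PAN are constructed values.

```python
import hashlib
import hmac

DIGITS = "0123456789"
N_TABLES = 16  # assumed table count for the illustration


def build_tables(seed: bytes, n_tables: int = N_TABLES) -> list[str]:
    """Pre-generate n_tables digit-substitution tables from one secret seed.
    Each table is a keyed Fisher-Yates shuffle of 0-9, so the tables are
    reproducible from the seed alone and no per-token vault is needed."""
    tables = []
    for t in range(n_tables):
        digits = list(DIGITS)
        for i in range(9, 0, -1):
            mac = hmac.new(seed, f"{t}:{i}".encode(), hashlib.sha256).digest()
            j = int.from_bytes(mac[:4], "big") % (i + 1)
            digits[i], digits[j] = digits[j], digits[i]
        tables.append("".join(digits))
    return tables


def tokenize(pan: str, tables: list[str], keep_last: int = 4) -> str:
    """Replace all but the last keep_last digits with token digits of the
    same format. The table used for each digit depends on the previous
    token digit, so the mapping is not a fixed per-position 1:1 table."""
    if not pan.isdigit():
        raise ValueError("PAN must be numeric")
    body, tail = pan[:-keep_last], pan[-keep_last:]
    out, prev = [], 0
    for i, d in enumerate(body):
        table = tables[(i + prev) % len(tables)]
        c = table[int(d)]
        out.append(c)
        prev = int(c)
    return "".join(out) + tail


def detokenize(token: str, tables: list[str], keep_last: int = 4) -> str:
    """Inverse walk: the previous token digit is visible in the token, so
    the same table sequence is replayed and each table inverted. Only an
    authorized process under policy should hold the seed for this."""
    body, tail = token[:-keep_last], token[-keep_last:]
    out, prev = [], 0
    for i, c in enumerate(body):
        table = tables[(i + prev) % len(tables)]
        out.append(DIGITS[table.index(c)])
        prev = int(c)
    return "".join(out) + tail


# Constructed demo values; in practice the seed comes from a key manager.
DEMO_SEED = b"constructed-demo-seed-not-for-production"
DEMO_TABLES = build_tables(DEMO_SEED)
SAMPLE_PAN = "3678228939073378"  # the slide's sample card number, no spaces
```

Because the walk is invertible, two distinct inputs always get distinct tokens, which is what preserves joins and counts on tokenized data.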
How Should I Secure Different Data? (matrix of use case, simple to complex, against type of data, un-structured to structured; examples: encryption of files, tokenization of fields, PII (personally identifiable information), card holder data (PCI), protected health information (PHI))
Example of Cross Border Data-centric Security (diagram: data sources feeding a data warehouse in Italy)
- Complete policy-enforced de-identification of sensitive data across all bank entities
How to Balance Risk and Data Access
Risk Adjusted Data Security: Access Controls (chart: user productivity and creativity, and risk exposure, from high to low, against low to high access to data; label: access to sensitive data in clear)
Risk Adjusted Data Security: Tokenized Data (chart: user productivity and creativity, and risk exposure, from high to low, against low to high access to data; label: access to tokenized data)
Risk Adjusted Data Security: Selective Masking Cost (chart: risk exposure and cost of application changes, high to low, for three presentations of a 16 digit credit card number: all 16 clear, only middle 6 hidden, all 16 hidden)
Fine Grained Security: Securing Fields
- Production systems, encryption of fields: reversible; policy control (authorized / unauthorized access); lacks integration transparency; complex key management. Example: !@#$%a^.,mhu7///&*B()_+!@
- Non-production systems, masking of fields: not reversible; no policy, everyone can access the data; integrates transparently; no complex key management. Example: 0389 3778 3652 0038
Fine Grained Security: Tokenization of Fields
- Tokenization (pseudonymization): no complex key management; integrates transparently. Example: 0389 3778 3652 0038
- Production systems: reversible; policy control (authorized / unauthorized access)
- Non-production systems and business intelligence: not reversible
Data Centric Audit and Protection (DCAP)
- Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act.
- By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today.
Source: Gartner Market Guide for Data Centric Audit and Protection (DCAP), Nov 21, 2014
Data Centric Audit and Protection (DCAP)
- Centrally managed security policy across unstructured and structured silos
- Classify data, control access and monitoring
- Protection: encryption, tokenization and masking
- Segregation of duties: application users and privileged users
- Auditing and reporting
Source: Gartner Market Guide for Data Centric Audit and Protection (DCAP), Nov 21, 2014
Central Management: Policy Deployment (diagram: the security office / security team and enterprise security administrator deploy policy from protection servers to the application protector, database protector, EDW protector, big data protector, IBM mainframe protectors, file protector, file protector gateway, cloud gateway and inline gateway; audit log returned)
Enterprise Data Security Policy
- What: what is the sensitive data that needs to be protected.
- How: how you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
- Who: who should have access to sensitive data and who should not. Security access control.
- When: when should sensitive data access be granted to those who have access. Day of week, time of day.
- Where: where is the sensitive data stored? This will be where the policy is enforced.
- Audit: audit authorized or un-authorized access to sensitive data.
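An added example (not from the deck or Protegrity's product) tying the what / how / who / when / where / audit policy elements above to the three credit card presentations from the selective-masking slide: the policy decides how a 16 digit card number is shown to a role at a given time, falls back to all-hidden when the request is outside policy, and writes every decision to an audit log. Roles, hours and the sample card number are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Policy elements from the slide: what, how, who, when, where, audit.
# Roles, presentation levels per role and time windows are assumed values.
POLICY = {
    "what": "credit_card_number",
    "where": "payments_db",  # where the policy is enforced
    "how": {  # who -> presentation level (from the selective-masking slide)
        "fraud_analyst": "all-16-clear",
        "support_agent": "middle-6-hidden",
    },
    "when": {  # who -> (weekdays allowed, start hour, end hour)
        "fraud_analyst": ({0, 1, 2, 3, 4, 5, 6}, 0, 24),
        "support_agent": ({0, 1, 2, 3, 4}, 8, 18),
    },
    "default": "all-16-hidden",  # anyone and anything not covered above
}


def mask_pan(pan: str, level: str) -> str:
    """Apply one of the three presentations from the cost slide."""
    if level == "all-16-clear":
        return pan
    if level == "middle-6-hidden":
        return pan[:6] + "*" * 6 + pan[12:]
    if level == "all-16-hidden":
        return "*" * len(pan)
    raise ValueError(f"unknown level {level}")


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def write(self, **rec):
        self.records.append(rec)


def present(pan: str, who: str, at: datetime, audit: AuditLog) -> str:
    """Decide how the field is shown, enforce the who/when rules and record
    every decision, authorized or not, in the audit log."""
    level = POLICY["how"].get(who)
    days, start, end = POLICY["when"].get(who, (set(), 0, 0))
    allowed = level is not None and at.weekday() in days and start <= at.hour < end
    if not allowed:
        level = POLICY["default"]
    audit.write(what=POLICY["what"], where=POLICY["where"], who=who,
                when=at.isoformat(), level=level, authorized=allowed)
    return mask_pan(pan, level)
```

Unauthorized requests still produce a record with authorized=False, which is the signal a monitoring team would alert on.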
Central Management: Audit Log Collection (diagram: audit logs from the application protector, database protector, EDW protector, big data protector, IBM mainframe protectors, file protector, file protector gateway, cloud gateway and inline gateway are collected by the protection servers for the security office / security team and enterprise security administrator)
Summary
- The biggest challenge in this new paradigm, the cloud and an interconnected world, is merging data security with data value and productivity.
- What's required: a seamless, boundless security framework for data flow; maximizing data utility and minimizing risk, finding the right balance; value-preserving data-centric security methods; a way to keep track of your data and monitor data access outside the enterprise; best practices for protecting data and privacy in the perimeter-less enterprise.
- What new data security technologies are available for cloud?
- How can cloud data security work in context of the enterprise?
Thank you! Questions?
Please contact us for more information: www.protegrity.com, Ulf.Mattsson@protegrity.com