This document discusses choosing the most appropriate data security solution for an organization. It begins by introducing Ulf Mattsson, the CTO of Protegrity, who has over 20 years of experience in data security. It then discusses how data is increasingly under attack from highly organized criminal groups. The document examines different data security methods like encryption, tokenization, and data masking and how their security levels and costs can vary. It emphasizes that the optimal security solution depends on properly assessing risk levels for different types of data and systems. Tokenization is presented as a lower-cost solution that can help balance security and business needs like performance and creativity.
4. Ulf Mattsson, CTO Protegrity
• 20 years with IBM Research & Development and Global Services
• Started Protegrity in 1994 (Data Security)
• Inventor of 25 patents – Encryption and Tokenization
• Member of
  – PCI Security Standards Council (PCI SSC)
  – American National Standards Institute (ANSI) X9
  – International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
  – ISACA, ISSA and Cloud Security Alliance (CSA)
6. Albert Gonzalez
• 20 years in US federal prison
• US federal indictments:
  1. Dave & Busters
  2. TJ Maxx
  3. Heartland HPS
• Breach expenses: $140M
Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
7. What about Breaches & PCI? Was Data Protected?
Figure: percentage of breached organizations found in compliance with each PCI DSS requirement, based on post-breach reviews (Verizon study). Requirements as listed on the chart, with Requirement 3 (protect stored data) at the bottom:
9: Restrict physical access to cardholder data
5: Use and regularly update anti-virus software
4: Encrypt transmission of cardholder data
2: Do not use vendor-supplied defaults for security parameters
12: Maintain a policy that addresses information security
1: Install and maintain a firewall configuration to protect data
8: Assign a unique ID to each person with computer access
6: Develop and maintain secure systems and applications
10: Track and monitor all access to network resources and data
11: Regularly test security systems and processes
7: Restrict access to data by business need-to-know
3: Protect stored data
9. What Data is Compromised?
Figure: types of data compromised, by percent of records (2012 Verizon DBIR). Categories as listed on the chart:
Personal information (name, SSN, address, etc.)
Payment card numbers/data
Unknown (specific type is not known)
Medical records
Classified information
Trade secrets
Copyrighted/trademarked material
System information (config, services, software, etc.)
Bank account numbers/data
Sensitive organizational data (reports, plans, etc.)
Authentication credentials
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
10. Today “Hacktivism” is Dominating
Figure: threat agents, by percent of records (2012 Verizon DBIR). Agents as listed on the chart:
Activist group
Organized criminal group
Relative or acquaintance of employee
Former employee (no longer had access)
Unaffiliated person(s)
Unknown
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
11. Growing Threat of “hacktivism” by Groups such as Anonymous
Attacks by Anonymous include:
• 2012: CIA and Interpol
• 2011: Sony, Stratfor and HBGary Federal
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
12. Let’s Review Some Major Recent Breaches
Figure: timeline of major breaches from April 2011 through August 2011, showing attack type, time and impact ($) for each.
Source: IBM 2012 Security Breaches Trend and Risk Report
13. The Sony Breach & Cloud
• Lost 100 million passwords and personal details stored in the clear
• Spent $171 million related to the data breach
• Sony's stock price has fallen 40 percent
• For three pennies an hour, hackers can rent Amazon compute capacity to wage cyber attacks such as the one that crippled Sony
• Attack via SQL injection
14. SQL Injection Attacks are Increasing
Figure: SQL injection attacks per quarter, Q1 2011 through Q3 2011, on a scale from 5,000 to 25,000.
Source: IBM 2012 Security Breaches Trend and Risk Report
16. What is an SQL Injection Attack?
Figure: an SQL command injected through the application reaches the data store. When untrusted input is pasted into the text of a query, the database parses it as part of the statement, so the attacker decides what the query does rather than only what it searches for.
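The injection the diagram describes, as an added example that is not from the slides or from Protegrity: a customer lookup that splices the request parameter into the SQL text, the tautology payload that turns it into a dump of every card number, and the parameterized form that stops it. The `customers` table, its rows and the `lookup_*` / `exposed_pans` names are assumptions made for this demonstration.

```python
"""Added example (not from the slides or Protegrity): an SQL injection against
a constructed customer table in SQLite, and the parameterized query that stops
it. The schema, rows and function names are assumptions for this demonstration."""
import sqlite3

# Constructed sample data; the PANs are the well-known test card numbers.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
]

# Tautology payload: spliced into the WHERE clause, the predicate becomes
#   email = 'x' OR '1'='1'
# which is true for every row, so the query returns the whole table.
PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory data store standing in for the database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, pan TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Application code that pastes the request parameter into the SQL text.
    The database cannot tell the attacker's quotes from the developer's."""
    sql = "SELECT name, pan FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the value travels to the engine
    separately from the statement and is never parsed as SQL."""
    sql = "SELECT name, pan FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def exposed_pans(conn: sqlite3.Connection, lookup, email: str) -> list:
    """Card numbers an attacker obtains by calling `lookup` with `email`."""
    return sorted(pan for _name, pan in lookup(conn, email))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", exposed_pans(db, lookup_vulnerable, PAYLOAD))
    print("parameterized:", exposed_pans(db, lookup_parameterized, PAYLOAD))
```

The dump is only worth stealing if the `pan` column holds clear card numbers; that is the point the later slides make about storing tokens instead, since the same injection against a tokenized column returns data the attacker cannot use.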
17. New Industry Groups are Targets
Figure: breached industries, by percent of breaches (2012 Verizon DBIR). Industries as listed on the chart:
Accommodation and Food Services
Retail Trade
Finance and Insurance
Health Care and Social Assistance
Other
Information
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
18. The Changing Threat Landscape
Some issues have stayed constant:
• The threat landscape continues to gain sophistication
• Attackers will always be a step ahead of the defenders
• We are fighting highly organized, well-funded crime syndicates and nations
• A move from detective to preventative controls is needed
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
19. How are Breaches Discovered?
Figure: breach discovery methods, by percent of breaches (2012 Verizon DBIR). Methods as listed on the chart:
Notified by law enforcement
Third-party fraud detection (e.g., Common Point of Purchase analysis, CPP)
Reported by customer/partner affected
Brag or blackmail by perpetrator
Unknown
Witnessed and/or reported by employee
Other(s)
Internal fraud detection mechanism
Financial audit and reconciliation process
Log analysis and/or review process
Unusual system behavior or performance
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
21. What Assets are Compromised?
Figure: compromised assets, by percent of records (2012 Verizon DBIR). Assets as listed on the chart, with the asset category where the chart labeled one:
Database server
Web/application server
Desktop/Workstation
Mail server
Call center staff (People)
Remote access server
Laptop/Netbook
File server
Pay-at-the-pump terminal (User devices)
Cashier/Teller/Waiter (People)
Payment card (credit, debit, etc.) (Offline data)
Regular employee/end-user (People)
Automated Teller Machine (ATM)
POS terminal (User devices)
POS server (store controller)
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
22. Hacking and Malware are Leading Threat Action Categories
Figure: threat action categories, by percent of records (2012 Verizon DBIR; percentages sum to more than 100 because a breach can involve several categories). Categories as listed on the chart:
Hacking
Social
Misuse
Environmental
Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/
27. What Has The Industry Done?
Figure: total cost of ownership of data protection methods over time, from high to low:
• Strong encryption (3DES, AES …), circa 1970 – high TCO
• Format preserving encryption (FPE, DTP …), circa 2000
• Basic tokenization, circa 2005
• Vaultless tokenization, circa 2010 – low TCO
Total cost of ownership components:
1. System integration
2. Performance impact
3. Key management
4. Policy management
5. Reporting
6. Paper handling
7. Compliance audit
8. …
28. Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
– 50 million credit cards, 700 million daily transactions
– Performance challenge: 30 days with basic tokenization down to 90 minutes with vaultless tokenization
– End-to-end tokens: started with the data warehouse (D/W) and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements (on systems that hold only tokens and are isolated from the cardholder data environment; the tokenization system itself stays in scope)
– Better security – able to eliminate several business and daily reports
– Qualified Security Assessors had no issues
  • “With encryption, implementations can spawn dozens of questions”
  • “There were no such challenges with tokenization”
29. Speed of Different Protection Methods
Figure: transactions per second (logarithmic scale, 100 to 10,000,000) for basic data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization. Speed will depend on the configuration.
30. Case Studies: Retail
Customer 1: Why? Three major concerns solved
– Performance challenge: initial tokenization
– Vendor lock-in: what if we want to switch payment processor
– Extensive enterprise end-to-end credit card data protection
Customer 2: Why? Desired a single vendor to provide data protection
– Combined use of tokenization and encryption
– Looking to expand tokens beyond CCN to PII
Customer 3: Why? Remove compensating controls from the mainframe
– Tokens on the mainframe to avoid compensating controls
31. Impact of Different Protection Methods
Figure: intrusiveness to applications and databases, plotted against how much of the original data type, format and length each method preserves. Sample outputs shown for the clear text value 123456 123456 1234:
Method                                    Output                                 Type, format and length
Hashing                                   !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*   Binary output, length not preserved
Strong encryption (standard)              !@#$%a^.,mhu7///&*B()_+!@              Binary output, length not preserved
Tokenizing or encoding (alpha)            aVdSaH 1F4hJ 1D3a                      Length kept, digits become alphanumerics
Formatted encryption or tokens (numeric)  666666 777777 8888                     Numeric, same length
Partial tokens                            123456 777777 1234                     Numeric, same length, first six and last four in the clear
Clear text data                           123456 123456 1234                     Original
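A vault-based ("basic") tokenizer that produces the numeric, alpha and partial outputs the figure shows, with a hash of the same value for contrast. This is an added example, not code from the slides or from Protegrity: the class and helper names, the `keep_head`/`keep_tail` option for partial tokens, and the rule that an all-numeric token must fail the Luhn check (so a leaked token can never be mistaken for, or used as, a card number) are design choices made for this demonstration.

```python
"""Added example (not from the slides or Protegrity): vault-based tokenization
that preserves data type, format and length, so the token fits the column and
validation rules an application already has. Names and the Luhn rule are
assumptions made for this demonstration."""
import hashlib
import secrets
import string


def luhn_valid(value: str) -> bool:
    """Luhn check over the digits in `value`; real card numbers pass it."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return bool(digits) and total % 10 == 0


def _substitute(ch: str) -> str:
    """Replace a character with a random one of the same class: digits stay
    digits, letters stay letters, separators (spaces, dashes) are untouched."""
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.isalpha():
        return secrets.choice(string.ascii_letters)
    return ch


class VaultTokenizer:
    """'Basic' tokenization: a random token is issued per value and the pair is
    kept in a vault. The vault lookup is what makes the method slow at scale
    and what must itself stay protected; vaultless schemes avoid the table."""

    def __init__(self) -> None:
        self._to_clear = {}   # token -> clear value
        self._to_token = {}   # clear value -> token

    def tokenize(self, value: str, keep_head: int = 0, keep_tail: int = 0) -> str:
        """Return the token for `value`, issuing one on first use. `keep_head`
        and `keep_tail` leave that many leading/trailing characters in the
        clear (partial tokens, e.g. the BIN and last four of a card number)."""
        if value in self._to_token:
            return self._to_token[value]   # stable mapping keeps joins working
        head = value[:keep_head]
        tail = value[len(value) - keep_tail:] if keep_tail else ""
        middle = value[keep_head:len(value) - keep_tail]
        if not any(c.isalnum() for c in middle):
            raise ValueError("nothing left to tokenize")
        while True:
            token = head + "".join(_substitute(c) for c in middle) + tail
            if token == value or token in self._to_clear:
                continue   # never echo the value, never reuse a token
            if not any(c.isalpha() for c in token) and luhn_valid(token):
                continue   # an all-digit token must not pass as a card number
            break
        self._to_clear[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; a leaked token alone is worthless."""
        return self._to_clear[token]


def sha256_hex(value: str) -> str:
    """Hashing for contrast: 64 hex characters whatever the input looked like,
    so it cannot be stored in a 16-digit numeric column."""
    return hashlib.sha256(value.encode()).hexdigest()


if __name__ == "__main__":
    vault = VaultTokenizer()
    pan = "4111111111111111"
    print("partial token :", vault.tokenize(pan, keep_head=6, keep_tail=4))
    print("alpha token   :", vault.tokenize("Ulf Mattsson"))
    print("sha256        :", sha256_hex(pan))
```

Because the substitution works per character class, the same routine yields the numeric token for a card number and the alpha token for a name, and the partial form is just the same call with the head and tail pinned. The Luhn rejection is the reason a tokenized column cannot be drained by an attacker who does not also hold the vault.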
32. How Should I Secure Different Data?
Figure: matching the protection method to the type of data. Unstructured data (files) is protected with file encryption; structured data (fields) with tokenization. Use cases from simple to complex: PII, cardholder data (PCI), and PHI (Protected Health Information).
34. PCI DSS: Tokenization and Encryption are Different
35. Tokenization and “PCI Out Of Scope”
Figure: decision flow for whether a system that holds tokens leaves PCI scope.
1. Is de-tokenization available to the system? A system that can recover the card number is still handling cardholder data.
2. If not: are the tokens random numbers? If no (format preserving encryption, which can be reversed with the key): no scope reduction.
3. If random tokens: is the system isolated from the cardholder data environment? If yes: out of scope. If no: scope reduction only.
Source: http://www.securosis.com
36. Case Study: Energy Industry
Why? Reduce PCI scope
• Best way to handle legacy; we got most of it out of PCI
• Get rid of unwanted paper copies
• No need to rewrite/redevelop or restructure business applications
• A VERY efficient way of reducing PCI scope
• Better understanding of your data flow
• Better understanding of business flow
• Opportunity to clean up a few business oddities
38. Choose Your Defenses
Figure: cost against protection option, from data lockdown to monitoring only. The cost of aversion (protecting the data) falls as controls are relaxed while the expected losses from the risk rise; the optimal risk protection option is where the total cost of the two is lowest.
39. Matching Data Protection with Risk Level
Data                    Risk score   Risk level      Solution
Credit Card Number      25           High (16-25)    Field level tokenization, strong encryption
Social Security Number  20           High (16-25)    Field level tokenization, strong encryption
Email Address           20           High (16-25)    Field level tokenization, strong encryption
Customer Name           12           Medium (6-15)   Monitoring, masking, format controlling encryption
Secret Formula          10           Medium (6-15)   Monitoring, masking, format controlling encryption
Employee Name            9           Medium (6-15)   Monitoring, masking, format controlling encryption
Employee Health Record   6           Medium (6-15)   Monitoring, masking, format controlling encryption
Zip Code                 3           Low (1-5)       Monitoring
40. Security of Different Protection Methods
Figure: security level (low to high) of basic data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization.
42. Is Data Masking Secure?
Figure: risk (low to high) of data masking by system type: test/dev, integration testing, troubleshooting, production. Data-at-rest masking exposure: the data is only obfuscated. Data-display masking exposure: the data is in the clear before masking.
43. Data Tokens = Lower Risk
Figure: the same chart with data tokens added. Masking at rest (data only obfuscated) and masking on display (data in the clear before masking) carry high risk; data tokens sit at the low-risk end across all system types, from test/dev through production.
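The two exposures the chart names, shown on data, as an added example that is not from the slides or from Protegrity: a display mask that must be handed the clear value, and a test/dev copy produced by the common "shuffle the sensitive column" form of at-rest masking, which still contains every real card number, next to a tokenized copy that contains none. The rows are constructed sample data with the standard test card numbers; `shuffle_mask`, `tokenize_copy`, `real_pans_present` and the seed are assumptions made for this demonstration.

```python
"""Added example (not from the slides or Protegrity): why a masked copy of
production keeps the risk the chart assigns to masking while a tokenized copy
does not. Rows are constructed sample data; names are assumptions."""
import random
import secrets
import string

# Constructed production rows; PANs are the standard test card numbers.
PRODUCTION = [
    {"name": "alice", "pan": "4111111111111111"},
    {"name": "bob", "pan": "5500000000000004"},
    {"name": "carol", "pan": "340000000000009"},
]


def mask_for_display(pan: str) -> str:
    """Display masking. The function must be given the clear value, so the
    application, its logs and anyone who can call this path hold the real
    number: the data is in the clear before masking."""
    return "*" * (len(pan) - 4) + pan[-4:]


def shuffle_mask(rows: list, seed: int = 1) -> list:
    """Data-at-rest masking of the kind used for test/dev copies: the PAN
    column is shuffled so name/PAN pairs no longer match. The data is only
    obfuscated; every real card number is still in the copy."""
    pans = [r["pan"] for r in rows]
    random.Random(seed).shuffle(pans)   # seeded only so the copy is reproducible
    return [{"name": r["name"], "pan": p} for r, p in zip(rows, pans)]


def tokenize_copy(rows: list) -> list:
    """Tokenized copy: each PAN is replaced by a random digit string of the
    same length that is not a real PAN and not already issued, so the copy
    carries no card number at all."""
    real = {r["pan"] for r in rows}
    issued = set()
    out = []
    for r in rows:
        while True:
            token = "".join(secrets.choice(string.digits) for _ in r["pan"])
            if token not in real and token not in issued:
                break
        issued.add(token)
        out.append({"name": r["name"], "pan": token})
    return out


def real_pans_present(copy: list, production: list = PRODUCTION) -> int:
    """What an attacker who steals the copy gets: the number of rows whose
    PAN is a real production card number."""
    real = {r["pan"] for r in production}
    return sum(1 for r in copy if r["pan"] in real)


if __name__ == "__main__":
    print("display mask        :", mask_for_display(PRODUCTION[0]["pan"]))
    print("real PANs, shuffled :", real_pans_present(shuffle_mask(PRODUCTION)))
    print("real PANs, tokenized:", real_pans_present(tokenize_copy(PRODUCTION)))
```

A stolen shuffled test database is worth as much to a carder as production, which is why the chart keeps masking at high risk even for test/dev; the tokenized copy keeps the same schema and lengths, so the applications run, but yields nothing.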
45. Old Security = Less Creativity
Figure: risk (low to high) against access (less to more). With traditional access control, more access means more risk, so the "right level" of access is a trade-off that limits what people can do with the data.
Source: InformationWeek Aug 15, 2011
46. New Data Security = More Creativity
Figure: the same chart with data tokens added. With tokens the risk stays low as access increases, so more access can be granted and "creativity happens at the edge".
Source: InformationWeek Aug 15, 2011
47. About Protegrity
• Proven enterprise data security software and innovation leader
  – Sole focus on the protection of data
  – Patented technology, continuing to drive innovation
• Growth driven by compliance and risk management
  – PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information)
  – US state and foreign privacy laws, breach notification laws
• Cross-industry applicability
  – Retail, Hospitality, Travel and Transportation
  – Financial Services, Insurance, Banking
  – Healthcare, Telecommunications, Media and Entertainment
  – Manufacturing and Government
48. Thank you!
Q&A
ulf.mattsson AT protegrity.com
www.protegrity.com
203-326-7200
Editor's Notes
Big change in this year's Verizon report: we are seeing more identity theft, less payment data theft.