Evaluating Tokenization Systems
|
|
- Debra Jefferson
- 5 years ago
- Views:
Transcription
1 White Paper Security Evaluating Tokenization Systems
2 Table of Contents page Abstract: Evaluating Tokenization Systems... 1 The Tokenization Model... 1 Risks and Attacks... 2 Attack 1: Guess Secret Data... 3 Attack 2: Predict Random Mapping... 3 Attack 3: Subvert Access Control Rules... 4 Attack 4: Subvert Tokenization Isolation... 5 Conclusion... 5
3 Tokenization is an approach to securing structured data (usually PAN or other regulated payment data) by mapping sensitive data items to random values that share some characteristics with the original data. Abstract: Evaluating Tokenization Systems This white paper provides a general model for tokenization systems that encompasses database, table, and encryption-based models. This model is used to examine the potential attacks against tokenization systems and the effect of various design decisions on risk and compliance exposure. The design decisions used in the Micro Focus Voltage Secure Stateless Tokenization (SST) system are also evaluated in this model. The Tokenization Model Tokenization is an approach to securing structured data (usually PAN or other regulated payment data) by mapping sensitive data items to random values that share some characteristics with the original data. By doing this, many existing applications can use the random token value without risk of exposing the original values, often with accompanying reduction in regulatory costs. To accomplish either risk or regulatory/ audit reduction, the token values must not leak data to an attacker, even in situations where the attacker might have multiple token/pan pairs or other artifacts of a data breach. This is done by creating a random mapping from a PAN to a token, based on some secret data that is denied to the attacker. The abstract diagram shows the architecture of a credible tokenization system. Secret Data Random Mapper Access Control Rules PAN Data Token Applications Figure 1. Tokenization Model This model has a few important features: 1. The tokenization system is isolated from the application. This enables control over which applications can tokenize and detokenize data. Access to the tokenization system is controlled with a set of access control rules. 1
4 White Paper Evaluating Tokenization Systems 2. The tokenization system specifically isolates some secret data. This secret data is the basis for the token mapping. The secret data must be large enough to not be guessable by the attacker. 3. The tokenization system contains a procedure for using the secret data to create a random mapping from PAN to token values. This is critical both for security and for PCI compliance. In the case of a database tokenization system, the secret data is the database containing the PAN to token mapping, and the random mapper is the function that creates a random token and inserts the mapping. Encryption-based tokenization uses a cryptographic key as the secret data, and a format-preserving encryption function to generate tokens. Table-driven tokenization (such as Voltage SST) systems use a pregenerated table as the secret data and use some function over the table and PAN to generate the token. Note that in the case of table-driven and encryption-based tokenization systems, it is imperative that the random mapping function creates a mapping that is provably indistinguishable from the random map created by a database system. Failure to do this yields potentially predictable tokens, and exposes the user to regulatory risk, as X9 and PCI appear to be moving to adopt this requirement for all tokenization systems. The design criteria around mapping functions will be examined in Attack 2: Predict Random Mapping. Risks and Attacks Given this model, we can examine the universe of possible attacks available to someone looking to extract PAN data from a system using tokens, and why various design criteria are important: Encryption-based tokenization uses a cryptographic key as the secret data, and a formatpreserving encryption function to generate tokens. Table-driven tokenization (such as Voltage SST) systems use a pregenerated table as the secret data and use some function over the table and PAN to generate the token. By examining each attack in detail, we can assess the requirements that arise from that class of attack and measure the strength of various systems against those attacks. By examining each attack in detail, we can assess the requirements that arise from that class of attack and measure the strength of various systems against those attacks. Attack 2 Predict random mapping Secret Data Random Mapper Access Control Rules Attack 1 Guess secret data Attack 3 Subvert access rules Attack 4 Subvert isolation of tokenization system PAN Data Token Applications Figure 2. Risks and Attacks 2
5 Attack 1: Guess Secret Data Description Given a set of token and PAN values, an attacker might choose to try to guess the secret data used to generate the mapping and then use this data to detokenize other tokens that had been extracted in a data breach. Requirements In general, this is the least likely route of attack against a realistic token system. Credible encryption-based systems utilize at least 128 bits of entropy in the key, which is regarded as essentially impossible to bruteforce guess. For table-based systems, they must use at least 128 bits of entropy in table creation. Voltage SST The SST system uses megabits of entropy to create the initial mapping table, and also utilizes a 128-bit AES operation, making a guessing attack extremely infeasible. Attack 2: Predict Random Mapping Description The attacker might use characteristics of the mapping function to distinguish it from a random function and use these characteristics to reverse token mappings or reduce the number of digits that they need to guess. This attack also has regulatory consequences, in that the discovery of regularities in the mapping might cause the application system to be regarded as being within PCI scope. To quote the PCI Tokenization Guidelines: Whichever generation method is used, the recovery of the original PAN must not be computationally feasible knowing only the token or a number of tokens. This is true for both single-use and multi-use tokens. Additionally, access to multiple token-to-pan pairs should not allow the ability to predict or determine other PAN values from knowledge of only tokens. Tokens should have no value if compromised or stolen, and should be unusable to an attacker if a system storing only tokens is compromised. Setting the bar at creating mapping procedures that are indistinguishable from perfectly random mappings allows use of these procedures without fear that some future attack will enable reversing the mapping process, and also that the mapping procedure does not allow amplifying attacks where the knowledge of a few token-pan pairs enables discovery of PAN information from other tokens. Insisting on provable security also ensures that as standards evolve, there is a clear justification for use of that function. 3
6 White Paper Evaluating Tokenization Systems Requirements This is a realistic attack, both technically (in that algorithmic failures are fairly common in the security world) and from an audit perspective (in that the customer must be able to demonstrate the lack of this weakness to standards set by X9.119 and future PCI standards).one of the main difficulties with this attack is that it is impossible to simply test a bad mapping function might appear random to the naked eye, but actually have important weaknesses. To meet the tokenization guideline above, a table or encryption-based system must be provably secure, meaning that there is some demonstration that an attacker with PAN-token pairs cannot distinguish any regularity in the mapping function. Simple examination or review is insufficient. The Voltage design was a collaboration between Voltage, Phil Rogaway from UC Davis, and Seth Terashima from Portland State University, and is backed by a full proof that it is indistinguishable from a random permutation. Voltage Secure Stateless Tokenization The Voltage SST system uses two established techniques for building conventional block ciphers (Feistel networks and Liskov-Rivest-Wagner tweaking), repurposing them as methods of using a fixed random table to construct a provably secure random mapping based on a fixed-size table. The Voltage design was a collaboration between Voltage, Phil Rogaway from UC Davis, and Seth Terashima from Portland State University, and is backed by a full proof that it is indistinguishable from a random permutation. Attack 3: Subvert Access Control Rules Description An attacker might attempt to reverse token mappings by acting as the application or by finding a misconfiguration that allows unauthorized processes to call the detokenization function. Requirements This attack is independent of any specific tokenization method. The system must support strong authentication of the application and also logging and monitoring, to allow behavioral detection of this type of attack. Voltage SST The Voltage SST system allows strong shared secret or PKI-based authentication for application authentication, in addition to IP restrictions. The tokenization processes are separated (which also has a bearing on Attack 4 below) and all tokenization/detokenization operations generate system log events, which can be consumed by existing SEIM systems. 4
7 Attack 4: Subvert Tokenization Isolation Description An attacker might break into the system that is using tokens and attempt to sidestep the isolation used to protect the secret data. If the secret data used to perform tokenization is breached, this leads directly to the attacker either having live PAN-to-token mappings (in the database case) or the data that allows them to construct those mappings (in the encryption or table case). In the table and database case, we consider the case where the secret data is partially breached. Requirements The application and tokenization system MUST NOT share memory space. The point of a tokenization system is to prevent attackers that gain access to applications from getting access to sensitive data. If the tokenization system shares the core secret data in the same memory space as the application, there is no way to establish that a successfully exploited application didn t leak that secret, and hence the data needed to reverse token mappings. Voltage SST The Voltage SST system is designed so that the tokenization table is kept either in a physically separated box (in the case where the application is using the SOA API server) or in a hardware-isolated process, as in the case of Voltage SecureData z/protect where the application calls a separate process to perform tokenization operations. Conclusion Given the rapid pace of innovation in this area, it is critical that evaluators insist to see true mathematical security proofs and do not settle for qualitative statements made by vendors or third parties. 5
8 Additional contact information and office locations: a H 06/ Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.
Data Protection and PCI Scope Reduction for Today s Businesses
White Paper Security Data Protection and PCI Scope Reduction for Today s Businesses Micro Focus Secure Stateless Tokenization Table of Contents page Introduction... 1 Limitations of Traditional Tokenization
More informationMainframe Data Protection in an Age of Big Data, Mobile, and Cloud Computing
White Paper Security Mainframe Data Protection in an Age of Big Data, Mobile, and Cloud Computing Table of Contents page The Imperative for Data-Centric Security... 1 Heightened Threats and Compliance
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationPAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) Table of Contents Introduction 03 Who is affected by PCI DSS? 05 Why should my organization comply 06 with PCI DSS? Email security requirements 08
More informationComplying with PCI DSS 3.0
New PCI DSS standards are designed to help organizations keep credit card information secure, but can cause expensive implementation challenges. The F5 PCI DSS 3.0 solution allows organizations to protect
More informationPCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard
Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer
More informationWHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs
ENSURING SECURITY WITH OPEN APIs Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs The security features that banks must build into their financial solutions
More informationRSA Solution Brief. The RSA Solution for Cloud Security and Compliance
The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance enables enduser organizations and service providers to orchestrate and visualize the security of their
More informationGoogle Cloud Platform: Customer Responsibility Matrix. December 2018
Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect
More informationDissecting NIST Digital Identity Guidelines
Dissecting NIST 800-63 Digital Identity Guidelines KEY CONSIDERATIONS FOR SELECTING THE RIGHT MULTIFACTOR AUTHENTICATION Embracing Compliance More and more business is being conducted digitally whether
More informationProtegrity Vaultless Tokenization
Protegrity Vaultless Tokenization Protegrity Vaultless Tokenization employs a patent-pending approach to tokenization that improves security and efficiency by eliminating the need for a token vault. By
More informationCASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer
CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer v1.0 December 2017 pci-dss@cryptosense.com 1 Contents 1. Introduction 3 2. Technical and Procedural Requirements 3 3. Requirements
More informationSecurity Requirements for Crypto Devices
Security Requirements for Crypto Devices Version 1.0 02 May 2018 Controller of Certifying Authorities Ministry of Electronics and Information Technology 1 Document Control Document Name Security Requirements
More informationRSA Timing Attack. Chen Yang Eric Hsieh Xiaoxi Liu. Advised by: Vinnie Hu
RSA Timing Attack Chen Yang Eric Hsieh Xiaoxi Liu Advised by: Vinnie Hu Abstract The Rivest, Shamir Adleman (RSA) public key cryptosystem is the industry standard for protecting both the confidentiality
More informationGoogle Cloud Platform: Customer Responsibility Matrix. April 2017
Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder
More informationTransaction Security Challenges & Solutions
Transaction Security Challenges & Solutions A REPORT FROM NEWNET COMMUNICATION TECHNOLOGIES, LLC Copyright NewNet Communication Technologies, LLC. 700 East Butterfield Road, Suite 350, Lombard, IL 60148
More informationHPE SecureData with Hyper FPE and Hyper SST
HPE SecureData with Hyper FPE and Hyper SST HPE Security Data Security May 19, 2016 Hewlett Packard Enterprise Four transformational areas Transform to a hybrid infrastructure Protect your digital enterprise
More informationDataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.
Submitted by SPYRUS, Inc. Contents DT5000 and DT6000 Technology Overview...2 Why DT5000 and DT6000 Encryption Is Different...3 Why DT5000 and DT6000 Encryption Is Different - Summary...4 XTS-AES Sector-Based
More informationBest Practices in Securing a Multicloud World
Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers
More informationIs Your Payment Card Data Secure Enough?
January 2018 Is Your Payment Card Data Secure Enough? 2018 KUBRA Is Your Payment Card Data Secure Enough? Payment Security Matters In 2007, TJX Companies (which includes TJ Maxx, HomeSense, and Marshalls)
More informationWhose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control SESSION ID: CDS-T11 Sheung-Chi NG Senior Security Consulting Manager, APAC SafeNet, Inc. Cloud and Virtualization Are Change the
More informationIT infrastructure layers requiring Privileged Identity Management
White Paper IT infrastructure layers requiring Privileged Identity Management Abstract Much of today s IT infrastructure is structured as different layers of devices (virtual and physical) and applications.
More informationThe Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an
Solution Overview Cisco ACI and AlgoSec Solution: Enhanced Security Policy Visibility and Change, Risk, and Compliance Management With the integration of AlgoSec into the Cisco Application Centric Infrastructure
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationRSA DISTRIBUTED CREDENTIAL PROTECTION
RSA DISTRIBUTED CREDENTIAL PROTECTION There is a security weakness lurking in many of today s best designed systems a primary point of compromise. Think about your own IT operations. Chances are that by
More informationOracle Data Masking and Subsetting
Oracle Data Masking and Subsetting Frequently Asked Questions (FAQ) S E P T E M B E R 2 0 1 6 Product Overview Q: What is Data Masking and Subsetting? A: Data Masking or Static Data Masking is the process
More informationSOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE
HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling
More informationAN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP
AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros
More information6 Vulnerabilities of the Retail Payment Ecosystem
6 Vulnerabilities of the Retail Payment Ecosystem FINANCIAL INSTITUTION PAYMENT GATEWAY DATABASES POINT OF SALE POINT OF INTERACTION SOFTWARE VENDOR Table of Contents 4 7 8 11 12 14 16 18 Intercepting
More informationBusiness Technology Briefing: Fear of Flying, And How You Can Overcome It
Business Technology Briefing: Fear of Flying, And How You Can Overcome It Joseph Tobloski Senior Director for Data & Platforms R&D Accenture Technology Labs Fear of Flying And How You Can Overcome It May
More informationPKI Credentialing Handbook
PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key
More informationFundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring
Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy.
More informationSafeNet Authentication Client
SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the
More informationHosted Secure Tokenization Module
Hosted Secure Tokenization Module Agenda Tokenization Definition Tokenization Explained Tokenization Benefits Ultra Infrastructure Diagram Ultra Token Management Ultra Benefits Ultra Performance Ultra
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationSECURE DATA EXCHANGE
POLICY-DRIVEN SOLUTIONS FOR SECURE DATA EXCHANGE Sending and receiving data is a fundamental part of daily business for nearly every organization. Companies need to share financial transaction details,
More informationClearing the Path to PCI DSS Version 2.0 Compliance
White Paper Secure Configuration Manager Sentinel Change Guardian Clearing the Path to PCI DSS Version 2.0 Compliance Table of Contents Streamlining Processes for Protecting Cardholder Data... 1 PCI DSS
More informationP2_L8 - Hashes Page 1
P2_L8 - Hashes Page 1 Reference: Computer Security by Stallings and Brown, Chapter 21 In this lesson, we will first introduce the birthday paradox and apply it to decide the length of hash, in order to
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationSecuring Your Most Sensitive Data
Software-Defined Access Securing Your Most Sensitive Data Company Overview Digital Growth Means Digital Threats Digital technologies offer organizations unprecedented opportunities to innovate their way
More informationExam : Title : ASAM Advanced Security for Account Managers Exam. Version : Demo
Exam : 646-578 Title : ASAM Advanced Security for Account Managers Exam Version : Demo 1. When do you align customer business requirements with the needed solution functionality? A. when preparing for
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationhidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION
HID ActivOne USER FRIENDLY STRONG AUTHENTICATION We understand IT security is one of the TOUGHEST business challenges today. HID Global is your trusted partner in the fight against data breach due to misused
More informationSECURING DEVICES IN THE INTERNET OF THINGS
SECURING DEVICES IN THE INTERNET OF THINGS WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including
More informationEvolution of Cyber Attacks
Update from the PCI Security Standards Council Troy Leach, CTO, PCI Security Standards Council Evolution of Cyber Attacks Viruses Worms Trojan Horses Custom Malware Advanced Persistent Threats 1 Modern
More informationIBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly
2016 IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly Today s Agenda Introductions Regulations on IBM i Conducting the Study The State of IBM i Security Study Questions and Answers
More information1-7 Attacks on Cryptosystems
1-7 Attacks on Cryptosystems In the present era, not only business but almost all the aspects of human life are driven by information. Hence, it has become imperative to protect useful information from
More informationBusiness white paper Data Protection and PCI Scope Reduction for Today s Businesses
Business white paper Data Protection and PCI Scope Reduction for Today s Businesses HPE Secure Stateless Tokenization Business white paper Page 2 Table of contents 2 Introduction 3 Limitations of Traditional
More informationThe Identity-Based Encryption Advantage
White Paper Security The Identity-Based Encryption Advantage Table of Contents page Introduction... 1 Six Requirements for Enterprise Key Management... 1 Traditional Approaches to Key Management... 2 Public
More informationOracle Database Security Assessment Tool
Oracle Database Security Assessment Tool With data breaches growing every day along with the evolving set of data protection and privacy regulations, protecting business sensitive and regulated data is
More informationComprehensive Database Security
Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought
More informationPart 11 Compliance SOP
1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document
More informationPCI DSS and the VNC SDK
RealVNC Limited 2016. 1 What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) compliance is mandated by many major credit card companies, including Visa, MasterCard, American Express,
More informationFireMon Security manager
FireMon Security manager Regain control of firewalls with comprehensive firewall management The enterprise network is a complex machine. New network segments, new hosts and zero-day vulnerabilities are
More informationTitle: Planning AWS Platform Security Assessment?
Title: Planning AWS Platform Security Assessment? Name: Rajib Das IOU: Cyber Security Practices TCS Emp ID: 231462 Introduction Now-a-days most of the customers are working in AWS platform or planning
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.1 Introduction to Cryptography CSC 474/574 By Dr. Peng Ning 1 Cryptography Cryptography Original meaning: The art of secret writing Becoming a science that
More informationProtecting Your Data in the Cloud. Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com
Protecting Your Data in the Cloud Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com Ulf Mattsson 20 years with IBM Development & Global Services Inventor of 22 patents Encryption and
More informationExample Architectures for Data Security and the GDPR
White Paper Example Architectures for Data Security and the GDPR Use Cases for Application of Pseudonymization and Encryption to Protect Data Table of Contents Introduction... 3 Technology Considerations
More informationModern Database Architectures Demand Modern Data Security Measures
Forrester Opportunity Snapshot: A Custom Study Commissioned By Imperva January 2018 Modern Database Architectures Demand Modern Data Security Measures GET STARTED Introduction The fast-paced, ever-changing
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationComputers and Security
The contents of this Supporting Material document have been prepared from the Eight units of study texts for the course M150: Date, Computing and Information, produced by The Open University, UK. Copyright
More informationSecure Government Computing Initiatives & SecureZIP
Secure Government Computing Initiatives & SecureZIP T E C H N I C A L W H I T E P A P E R WP 700.xxxx Table of Contents Introduction FIPS 140 and SecureZIP Ensuring Software is FIPS 140 Compliant FIPS
More informationProduct Brief. Circles of Trust.
Product Brief Circles of Trust www.cryptomill.com product overview Circles of Trust is an enterprise security software system that eliminates the risks associated with data breaches from a hacker attack
More informationMcAfee MVISION Cloud. Data Security for the Cloud Era
McAfee MVISION Cloud Data Security for the Cloud Era McAfee MVISION Cloud protects data where it lives today, with a solution that was built natively in the cloud, for the cloud. It s cloud-native data
More informationSoftware Vulnerability Assessment & Secure Storage
Software Vulnerability Assessment & Secure Storage 1 Software Vulnerability Assessment Vulnerability assessment is the process of identifying flaws that reside in an OS, application software or devices
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationTiger Scheme QST/CTM Standard
Tiger Scheme QST/CTM Standard Title Tiger Scheme Qualified Security Tester Team Member Standard Version 1.2 Status Public Release Date 21 st June 2011 Author Professor Andrew Blyth (Tiger Technical Panel)
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationSECURING DEVICES IN THE INTERNET OF THINGS
SECURING DEVICES IN THE INTERNET OF THINGS EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including steep financial losses, damage
More informationPCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing
PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing 1 WhiteHat Security Application Security Company Leader in the Gartner Magic Quadrant Headquartered in Santa Clara, CA 320+
More informationISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo
ISC2 Exam Questions CISSP Certified Information Systems Security Professional (CISSP) Version:Demo 1. How can a forensic specialist exclude from examination a large percentage of operating system files
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationINTRODUCTION TO CLOAKWARE/TRS TECHNOLOGY
INTRODUCTION TO CLOAKWARE/TRS TECHNOLOGY VERSION 2.2 OCTOBER 2001 SUMMARY Software is easy to tamper with and reverse engineer so unprotected software deployed on malicious hosts can t be trusted by corporations
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationMobile Data Security Essentials for Your Changing, Growing Workforce
Mobile Data Security Essentials for Your Changing, Growing Workforce White Paper February 2007 CREDANT Technologies Security Solutions White Paper YOUR DYNAMIC MOBILE ENVIRONMENT As the number and diversity
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationSECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationSecurity analysis and assessment of threats in European signalling systems?
Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014 Slide
More informationDisk Encryption Buyers Guide
Briefing Paper Disk Encryption Buyers Guide Why not all solutions are the same and how to choose the one that s right for you.com CommercialSector Introduction We have written this guide to help you understand
More informationSimplify PCI Compliance
WHITE PAPER Simplify PCI Compliance An Affordable, Easy-to-Implement Approach Using Secure SD-WAN For most retailers, the technology burden of maintaining PCI compliance can be overwhelming. Hundreds of
More informationMessage Authentication and Hash function
Message Authentication and Hash function Concept and Example 1 Approaches for Message Authentication Encryption protects message against passive attack, while Message Authentication protects against active
More informationThe GDPR data just got personal
GDPR QUICK REFERENCE GUIDE The GDPR data just got personal What it is, what it means and how it affects you The GDPR is a gamechanger for organizations holding, and protecting, personal, identifiable data
More informationWhite Paper. The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection
White Paper The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection February, 2017 Introduction The North American Electric Reliability Corporation (NERC) maintains
More informationThe Dropbox Problem: It s Worse than You Think
The Dropbox Problem: It s Worse than You Think The Dropbox Problem: It s Worse than You Think Overview The unsanctioned use of consumer-oriented file sharing services in business is a growing issue. It
More informationOracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero
Oracle Security Products and Their Relationship to EBS Presented By: Christopher Carriero 1 Agenda Confidential Data in Corporate Systems Sensitive Data in the Oracle EBS What Are the Oracle Security Products
More informationRequirements for ARRL Logbook of the World Trusted Partners
Requirements for ARRL Logbook of the World Trusted Partners The purpose of this document is to resolve some security issues concerning the interaction of third-party web sites with LoTW. Some sites have
More informationPCI DSS and VNC Connect
VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a
More informationWill you be PCI DSS Compliant by September 2010?
Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise
More informationSecurity for an age of zero trust
Security for an age of zero trust A Two-factor authentication: Security for an age of zero trust shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea
More informationSite Data Protection (SDP) Program Update
Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2 Security Landscape
More informationChoosing the Right Security Assessment
A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding
More informationForeScout ControlFabric TM Architecture
ForeScout ControlFabric TM Architecture IMPROVE MULTI-VENDOR SOLUTION EFFECTIVENESS, RESPONSE AND WORKFLOW AUTOMATION THROUGH COLLABORATION WITH INDUSTRY-LEADING TECHNOLOGY PARTNERS. The Challenge 50%
More informationSecure Development Guide
Secure Development Guide Oracle Health Sciences InForm 6.1.1 Part number: E72493-01 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationWHITEPAPER. Security overview. podio.com
WHITEPAPER Security overview Podio security White Paper 2 Podio, a cloud service brought to you by Citrix, provides a secure collaborative work platform for team and project management. Podio features
More informationWhat is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS
What is HIPPA/PCI? In this digital era, where every bit of information pertaining to individuals has gone digital and is stored in digital form somewhere or the other, there is a need protect the individuals
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More information