The Realities of Data Security and Compliance: Compliance Security
Ulf Mattsson, CTO, Protegrity
ulf.mattsson@protegrity.com
Bio - A Passion for Sailing and International Travel
Ulf Mattsson
20 years with IBM Development & Global Services
Inventor of 22 patents: encryption and intrusion prevention
Co-founder of Protegrity (data security)
Received the industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Google and other leading companies
Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
Member of: PCI Security Standards Council; American National Standards Institute (ANSI) X9; Information Systems Audit and Control Association (ISACA); Information Systems Security Association (ISSA); Institute of Electrical and Electronics Engineers (IEEE)
Articles - ISACA New York Metro Chapter
Agenda
1. Review trends in data security threats
2. Present case studies: protecting PCI and PII data
3. Position different data security options
4. Discuss how to protect the entire data flow
5. Present a risk-adjusted approach to data security
6. Discuss data security in cloud environments
2010 Data Breach Investigations Report
1. Six years, 900+ breaches, and over 900 million compromised records
2. The majority of cases have not yet been disclosed and may never be
3. Over half of the breaches occurred outside the U.S.
Chart (percentages): online data is compromised most frequently
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
PCI DSS 1.2 - Making Data Unreadable
Diagram: data crossing the public network travels as encrypted data over SSL (PCI DSS), and data at rest in the OS file system and storage system is encrypted data (PCI DSS). Between those two points, on the private network, the application and the database hold clear text data, and that is where the attacker in the diagram is positioned.
Threat Action Categories (compromised records)
1. 90% lost in highly sophisticated attacks
2. Hacking and malware are more dominant
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
Industry Groups Represented by Percent of Breaches
Chart (percent of breaches, 0-35%): Financial Services, Hospitality, Retail, Manufacturing, Tech Services, Government, Business Services
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
Data Compromised Most Frequently
Chart (percent, 0-100%): Payment card data/numbers, Bank account data/numbers, Personal information, National security data, Intellectual property, Sensitive organizational data, Authentication credentials, Monetary assets/funds
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
The Changing Threat Landscape - Forrester, Aug 2010
Some issues have stayed constant:
1. The threat landscape continues to gain sophistication
2. Attackers will always be a step ahead of the defenders
Different motivation, methods and tools today: we are fighting highly organized, well-funded crime syndicates and nations
A move from detective to preventative controls is needed: several layers of security to address the more significant areas of risk
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
Patching Software vs. Locking Down Data
Diagram: the user and the attacker both reach the data through a stack of application, database, OS file system, storage system and backup; software patching applies to the software layers, locking down data applies to the data held in that stack.
"Not a single intrusion exploited a patchable vulnerability"
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS
Case Studies - Retail Environments
Data flow stages and lifecycle (legend: the Encryption service icon marks where encryption is applied):
Point of Sale, E-Commerce, Branch Office: information in the wild, short lifecycle / high risk
Aggregation: temporary information, short lifecycle / high risk
Operations: operating information, typically 1 or more year lifecycle
Analysis: decision making information, typically multi-year lifecycle; high volume database analysis; wide internal audience with privileges
Archive: typically multi-year lifecycle
Case Studies - Retail Environments
Study #1: Major US retailer, PCI/PII/PHI data
1. Transparency to existing applications
2. Central key management
3. Ensuring performance on the mainframe
4. Protect the flow of sensitive information from thousands of stores, back office systems and the data warehouse
Study #2: Major US retailer, PCI data
1. Reduced cost (TCO)
2. Reduced attack surface
3. Transparency to existing applications
4. Central key management
5. Protect the flow of sensitive credit card information from thousands of stores, back office systems and the data warehouse
Case Study #1: PCI & Application Transparency
Diagram: retail stores apply file encryption to card data (encrypted data files, shown as "&*%#@(*%") on Windows, UNIX, Linux and mainframe z/OS; encrypted card data (shown as "Y&SFD%))S(") flows to central HQ, where database encryption is applied on DB2 (z/OS, iSeries), Oracle and SQL Server.
Case Study #1: Granularity of Reporting and Separation of Duties
Scenario: a user/client reads and writes a patient health record (reads by users a and b, including a DBA, and a write by user c). What each approach logs:
3rd party database encryption: complete log, with user, process, read or write, and the record touched (for example record PHI002 0001)
Database native encryption: no read log; possible DBA manipulation
OS file system encryption: no information on user or record; the log shows only that the database process read or wrote the health data file; possible DBA manipulation
Case Study #2: PCI, Reduce Cost and Attack Surface
Diagram: card data entered at the retail store goes to a tokenization server, which keeps the encrypted card data (shown as "Y&SFD%))S(") and returns tokens; the retail store data servers and the HQ applications and databases hold only tokens.
Tokenization in a Cloud Environment
Diagram: entered card data goes to a tokenization server, which holds the encrypted card data (shown as "Y&SFD%))S("); only data tokens flow into the cloud and virtualized environments and into partner communication.
Best Practices from Visa - Best Practices for Token Generation
Algorithm and key, by token type (Single Use | Multi Use):
Known strong algorithm (ANSI or ISO approved algorithm): OK | OK
One way irreversible function (hashing): secret per transaction | secret per merchant
Unique number sequence: OK | OK
Randomly generated value: OK | OK
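The "randomly generated value" and "one way irreversible function" rows above, and the tokenization server of the case study slides, as an added example (not Visa's or Protegrity's code): a toy in-memory token vault that issues format-preserving random tokens in single-use or multi-use mode, plus a keyed one-way token with a per-merchant secret. The vault dictionary here holds the PAN in clear for brevity; the slides show the tokenization server holding encrypted card data, so a real vault encrypts that entry under a managed key.

```python
import hmac
import hashlib
import secrets

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, applied before a PAN is accepted for tokenization."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:  # every second digit counted from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hashed_token(pan: str, merchant_secret: bytes) -> str:
    """One way irreversible token (multi-use, secret per merchant). The secret matters:
    the space of 16-digit PANs is small enough that an unkeyed hash could be reversed
    by exhaustive search."""
    return hmac.new(merchant_secret, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Toy tokenization server (constructed example). token_to_pan is the vault;
    a production vault keeps this entry as encrypted card data under a managed key."""

    def __init__(self) -> None:
        self.token_to_pan = {}
        self.pan_to_token = {}  # multi-use mode: one stable token per PAN

    def _random_token(self, pan: str) -> str:
        # Randomly generated value, format preserving: same length and last four digits
        # kept so existing applications stay transparent; loop guarantees vault uniqueness.
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self.token_to_pan:
                return token

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if not single_use and pan in self.pan_to_token:
            return self.pan_to_token[pan]  # multi-use token is stable per PAN
        token = self._random_token(pan)
        self.token_to_pan[token] = pan
        if not single_use:
            self.pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the tokenization server can map a token back to the PAN."""
        return self.token_to_pan[token]
```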
Matching Data Protection Solutions with Risk Level
Example data field risk levels: Credit Card Number 25, Social Security Number 20, CVV (Card Verification) 20, Customer Name 12, Secret Formula 10, Employee Name 9, Employee Health Record 6, Zip Code 3
Risk level and solution:
Low Risk (1-5): Monitor
At Risk (6-15): Monitor, mask, access control limits, format control encryption
High Risk (16-25): Tokenization, strong encryption
Choose Your Defenses - Different Approaches
Diagram of controls: Web Application Firewall, Database Activity Monitoring, Data Loss Prevention, Encryption/Tokenization
Points in the stack where they apply: applications, database columns, data files, database log files, database server
Choose Your Defenses - Cost Effective PCI
Chart (percent, 0-90%) of technologies: Firewalls; Encryption/tokenization for data at rest; Anti-virus & anti-malware solution; Encryption for data in motion; Access governance systems; Identity & access management systems; Correlation or event management systems; Web application firewalls (WAF); Endpoint encryption solution; Data loss prevention systems (DLP); Intrusion detection or prevention systems; Database scanning and monitoring (DAM); ID & credentialing system
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute
Choose Your Defenses - Positioning of Alternatives
Evaluation criteria: Performance, Storage, Availability, Transparency, Security
Database protection approaches compared: Monitoring, Blocking, Masking; Formatted Field Encryption; Database Column Encryption*; Distributed Tokenization (new)*; Central Tokenization (old)*; Database File Encryption*
Ratings on a best-to-worst scale (shown graphically on the original slide)
* Compliant to PCI DSS 1.2 for making PAN unreadable
Making Data Unreadable - Encryption vs. Tokenization
Evaluation criteria (grouped by area): Scalability, Security Impact, Availability, Latency, CPU Consumption, Data Flow Protection, Compliance, Key Management, Randomness, Separation of Duties
Protection methods compared: Database File Encryption, Database Column Encryption, Centralized Tokenization (old), Distributed Tokenization (new)
Ratings on a best-to-worst scale (shown graphically on the original slide)
Evaluating Different Tokenization Solutions
Solutions compared: hosted/outsourced and on-premises, each as central (old) or distributed (new) tokenization
Evaluation criteria by area: Operational Needs (Availability, Scalability, Performance, Data Types); Security (Identifiable - PII, Cardholder - PCI, Separation, Compliance Scope)
Ratings on a best-to-worst scale (shown graphically on the original slide)
Data Protection Challenges
Actual protection is not the challenge; the challenges are:
Management of solutions: key management, security policy, auditing and reporting
Minimizing impact on business operations: transparency, performance vs. security
Minimizing the cost implications: maintaining compliance, implementation time
Sample Enterprise Data Protection Model
Diagram: an Enterprise Data Security Administrator manages the policy and audit log for a File System Protector, a Database Protector and an Application Protector, together with a Tokenization Server and a Secure Archive.
Please contact us for more information
Ulf Mattsson: ulf.mattsson@protegrity.com
Sal Arena: sal.arena@protegrity.com