Tokenisation: Reducing Data Security Risk

Similar documents
Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data

Oracle Database Vault

Choosing the level that works for you!

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

Using InterSystems IRIS Data Platform for Securely Storing Credit Card Data. Solution Guide

Tokenisation for PCI-DSS Compliance

PCI Compliance Whitepaper

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Have you updated your security lately?

Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization

Compliance in 5 Steps

GUIDE TO STAYING OUT OF PCI SCOPE

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

PCI DSS and the VNC SDK

Symmetric Key Services Markup Language Use Cases

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

XDU On the Road. John Nitti Vice President Worldwide Sales and Marketing

Bridging the Gap Between Privacy and Data Insight

Oracle Database 11g: Security Release 2

PCI Compliance Whitepaper

Oracle Database 11g: Security Release 2

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Protecting Your Data in the Cloud. Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com

Security Update PCI Compliance

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Information Security in Corporation

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Complete document security

Is Your Payment Card Data Secure Enough?

Safeguards on Personal Data Privacy.

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

MySQL Enterprise Security

What To Do When Your Data Winds Up Where It Shouldn t

Altius IT Policy Collection Compliance and Standards Matrix

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

Data Compromise Notice Procedure Summary and Guide

Summary Comparison of Current Data Security and Breach Notification Bills

Data Protection and PCI Scope Reduction for Today s Businesses

Segmentation, Compensating Controls and P2PE Summary

Webinar Tokenization 101

CCISO Blueprint v1. EC-Council

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Hot Topics in Privacy

Hot Topics in Privacy

Cyber Attack: Is Your Business at Risk?

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Securing Data at Rest Using Empress Database - the Ultimate Line of Defense. Empress Software Inc.

How to Dramatically Lower the Cost and Pain of the Yearly PCI DSS Audit

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

About MagTek. PIN Entry & Management

Transparent Solutions for Security and Compliance with Oracle Database 11g. An Oracle White Paper September 2008

PCI DSS and VNC Connect

Applying Oracle Technologies in PCI DSS certification process

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

LEARN HOW TO SECURE THE BREACH! SECURE THE BREACH: BREACH PREVENTION DOES NOT WORK A THREE-STEP APPROACH TO BOOST DATA PROTECTION

Trusted Optical Disc March 2008

Mobility Policy Bundle

Business white paper Data Protection and PCI Scope Reduction for Today s Businesses

Secure Messaging is far more than traditional encryption.

CipherCloud CASB+ Connector for ServiceNow

Is Your Compliance Strategy Putting Your Business at Risk?

I GOT ROBBED! HOW NYS AND THE US SHOULD PROTECT YOUR DATA ONLINE

Move Cyber Threats On To Another Target. Encrypt Everything, Everywhere. Imam Sheikh Director, Product Management Vormetric

Information Security Management in a Regulation Driven World

The Realities of Data Security and Compliance: Compliance Security

Beyond PCI A Cost Effective Approach to Data Protection

Ulf Mattsson CTO Protegrity ulf. mattsson AT protegrity. com

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Navigating the PCI DSS Challenge. 29 April 2011

Table of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3

SECURITY PRACTICES OVERVIEW

Cipherpost Pro is far more than traditional encryption.

Compliance and Privileged Password Management

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

Enabling compliance with the PCI Data Security Standards December 2007

Altius IT Policy Collection Compliance and Standards Matrix

PCI DSS Illuminating the Grey 25 August Roger Greyling

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Projectplace: A Secure Project Collaboration Solution

PCI Compliance. What is it? Who uses it? Why is it important?

Compliance. Peter Oosthuizen Partner Service Team Leader

Laws and Regulations & Data Governance

PCI compliance the what and the why Executing through excellence

Achieving PCI-DSS Compliance with ZirMed financial services Darren J. Hobbs, CPA and James S. Lacy, JD

Encrypting PHI for HIPAA Compliance on IBM i. All trademarks and registered trademarks are the property of their respective owners.

COMPLETING THE PAYMENT SECURITY PUZZLE

efax Corporate for Independent Agent Offices

Cybersecurity in Higher Ed

Tracking and Reporting

Transcription:

Tokenisation: Reducing Data Security Risk OWASP Meeting September 3, 2009

Agenda Business Drivers for Data Protection Approaches to Data Security Tokenisation to reduce audit scope and lower risk Examples and Case Studies Questions

International Data Security Mandates Countries United Kingdom Companies Bill Data Protection Act European Union European Union Privacy Act (EUPA) Japan - Japanese Personal Information Act 2003 (JPIPA) Canada Personal Information Protection and Electronic Documents Act (PIPEDA) Industries Payment Card Industry Data Security Standard (PCI DSS) Code of Practice on Data Protection for the Insurance Sector (UK)

Many more if you do business in the U.S. Government Sarbanes Oxley Act Gramm Leach Bliley Bill Healthcare Insurance Portability & Accountability Act (HIPAA) Part 11 of the Title 21 Code of Federal Regulations California State Bill 1386 Industry Payment Card Industry Data Security Standard (PCI DSS) Healthcare Insurance Portability & Accountability Act (HIPAA) Company Secure FTP - Bank of America, BankOne AS2 - Walmart, Food Lion, McKesson 2009 nubridges, Inc. All 4 rights reserved worldwide.

Data Security impacts a wide range of sensitive data Payment Card Industry Data Security Standard (PCI DSS) Credit / Debit Card Numbers Other Personally Identifiable Information Passport Number Date/Place of Birth Postal or Email Address Telephone Numbers (home/mobile) Mother's Maiden Name Biometric Data Unique Electronic Number, Address, or Routing Code Telecommunication Id Information or Access Device Laws National Insurance Number Social Security Number Driver s License Number Bank Account Numbers etc. Healthcare Medical related information (Patient / Doctor, etc.)

Approaches to Data Security 6

Waves of Data Protection Investment First Wave: Secure the perimeter keep the bad guys out Second Wave: Encrypt laptops, tape drives and mobile devices Third Wave: Encrypt or tokenise specific data in databases and applications to neutralize breaches; pay more attention to internal threats 7 2009 nubridges, Inc. All 7 rights reserved worldwide.

Trend in securing sensitive data Boundary moving inward to the data itself 8

PCI DSS Driving Best Practices

PCI DSS 3.1 Minimise cardholder data storage 10

PCI DSS 3.4 Render PAN unreadable Options Hashing Truncation Tokens Strong cryptography 11

PCI DSS 3.5 Minimize key locations 12

PCI DSS 3.6 Rotate Keys Annually and secure the keys, know which keys are used for which data, run your business,. 13

Challenges of PCI DSS Compliance Store Card Holder Data (CHD) in fewest number of places Protect CHD wherever it is stored Store cryptographic keys in fewest number of places Rotate cryptographic keys at least annually 14

Tokenisation to reduce audit scope and lower risk

What kind of token are we talking about? It s not the same as the token used for two-factor authentication It s not the token used for lexical analysis in a programming language In data security, it s a surrogate value which is substituted for the actual data (e.g. credit card) while the actual data is encrypted and stored elsewhere.

Tokens act as data surrogates Tokens maintain the length and format of the original data After tokenisation - tokens now reside where sensitive data previously resided in the application infrastructure Input: sensitive data Output: token Input: token Output: sensitive data Limits or eliminates modifications to applications. 17

Format Preserving Tokenisation Tokens can be formatted to: Preserve the format (length and data type), and leading/trailing 3752 5712 2501 3125 3752 0000 0010 3125 Original data head body tail Preserve length but not data type, and leading/trailing 3752 5712 2501 3125 Original data 3752 X4mb AdLQ 3125 head body tail Mask a portion of the token when a full value is not needed or desirable (can t be subsequently translated back) 3752 5712 2501 3125 Original data 3752 **** **** 3125 head body tail Tokens generally maintain the length and format of the original data so that applications require little or no modification. 18

Centralised Data Vault Protected Data Vault where sensitive data is encrypted and stored Reduces the footprint where sensitive data is located Eliminates points of risk Simplifies security management 19

Tokenisation Model Point of Sale Point of Sale Point of Sale Token Manager Loss Prevention Human Resources Marketing Backup Backup Backup Tokens Keys Ciphertext Data Vault Ciphertext in data vault Customer Relationship Management

Tokens are surrogates for masked data Formatted tokens can be used wherever masked credit card information is required USING CREDIT CARD NUMBER USING TOKEN 3752 5712 2501 3125 3752 0000 0010 3125 Determines card type standard, private label, gift card Last 4 digits retain confirmation info Therefore wherever tokenised data suffices, risk is reduced 21

1:1 Token / Data Relationship Same token value is consistent for same data across entire enterprise; maintains referential integrity across applications Data analysis can be performed using token e.g. data warehouse Before using credit card number Transaction: 1 CC#: 3752 5712 2501 3125 Item: Paper Item: Stapler Item: Staples After using token Transaction: 1 CC#: 3716 0000 0010 3125 Item: Paper Item: Stapler Item: Staples Transaction: 2 CC#: 3752 5712 2501 3125 Item: Paper Item: Notebook Item: Staples Transaction: 2 CC#: 3716 0000 0010 3125 Item: Paper Item: Notebook Item: Staples 22

Tokens Not Derived from Data Original data values cannot be mathematically derived from tokens Tokens can be safely passed to databases, applications, mobile devices, etc. Token has no intrinsic value Solves the age-old problem of data for development and testing it can be the same as production! 23

Test systems use production tokens Production HR System Germany Outsourced Development India HR System HR System Production Data Vault Masked Data Vault Tokens Ciphertext 24

Centralised Key Management Control over who accesses sensitive data Rotate keys without having to decrypt and re-encrypt old data, and no system downtime Keys are distributed to token server, not throughout enterprise 25

Examples and Case Studies 26

Tokenisation Model Point of Sale Point of Sale Point of Sale Token Manager Loss Prevention Human Resources Marketing Backup Backup Backup Tokens Keys Ciphertext Data Vault Ciphertext in data vault Customer Relationship Management

Localised Encryption Model Point of Sale Point of Sale Point of Sale Human Resources Key Manager Loss Prevention Marketing Key and Ciphertext Backup Backup Backup Ciphertext is everywhere Customer Relationship Management

Hybrid Model Tokenization and Localised Encryption Hybrid architecture includes both Central and Local protection mechanisms working with the same Enterprise Key Management Database Level Encryption & Tokenisation Application Level Encryption Central Tokenisation Tokens Keys Cipher text

Before: Order Flow without Tokenisation 3752 5712 2501 3125 3752 5712 2501 3125 3752 5712 2501 3125 80+ systems in PCI DSS scope Order Processing 3752 5712 2501 3125 3752 5712 2501 3125 3752 5712 2501 3125

After: Order Flow with Tokenisation 3752 5712 2501 3125 Credit Card Entry Hub Out of Scope

Case Study 2: Order Flow with Tokenisation 3752 5712 2501 3125 3752 5712 2501 3125 3752 5712 2501 3125 3752 5712 2501 3125 3752 5712 2501 3125 nubridges Protect

Thank you! Questions? For more information, visit: http://nubridges.com/resource-center/ White Paper: Best Practices in Data Protection: Encryption, Key Management and Tokenization

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback