Tokenization on the Node - Data Protection for Security and Compliance Ulf Mattsson, CTO Protegrity

Upload: ulf-mattsson

Post on 15-Jan-2015


DESCRIPTION

2011 San Diego Teradata PARTNERS Conference

TRANSCRIPT

Page 1: Tokenization on the Node - Data Protection for Security and Compliance

Ulf Mattsson, CTO, Protegrity

Page 2: What Is Tokenization on the Node?

Page 3: (no text on this slide)

Page 4: Teradata and Protegrity

• Strategic partnership since 2004

• Advocated solution for data protection on Teradata Databases

• Proven parallel and scalable data protection for Teradata MPP platforms

• Collaboration on forward-looking roadmaps
– New and advanced data protection options
– Integration with new Teradata Database features
– Seamless operation on large data warehouse systems

• World-class customers

Page 5: Protegrity Data Protection for Teradata

• A comprehensive data protection solution for Teradata Databases
– Provides additional separation of duties through a separate Security Manager interface for creation and maintenance of security policies
– Includes a patented key management system for secure key generation and protection of keys when stored
– Supports multiple data protection options including strong encryption and tokenization
– Supports multiple cryptographic algorithms and key strengths
– Automates the process of converting clear text data to cipher text

Page 6: Protegrity Data Protection for Teradata

• A comprehensive data protection solution for Teradata Databases
– Provides additional access controls to protect sensitive information (even DBC can not see unencrypted data unless specifically authorized by the Security Manager)
– Includes additional auditing separate from database audit logs (such as the Access Log)
– Designed to fully exploit Teradata Database parallelism and scalability
– Enterprise-wide solution that works with most major databases and operating systems (not just Teradata)

Page 7: Select Protegrity Customers

Page 8: Data Breaches Gone Mad - Learn how to Secure your Data Warehouse Straight Away!

www.protegrity.com

Page 9: Who Are The Hackers and What Are They Doing?

Page 10: Some of you have already met Yuri.

Source: http://www.youtube.com/user/ProtegrityUSA

Page 11: Last year he and his “anonymous” friends hacked AT&T.

Source: http://www.youtube.com/user/ProtegrityUSA

Page 12: This year they hacked Sony and bought BMW M5s.

Source: http://www.youtube.com/user/ProtegrityUSA

Page 13: The Sony Breach

• Data including passwords and personal details were stored in clear text

• Attacks were not coordinated and not advanced

• Majority of attacks were SQL Injection dumps and Distributed Denial of Service (DDoS)

Page 14: Next month Yuri plans to hit a major telco with the keys provided by a disgruntled employee.

Source: http://www.youtube.com/user/ProtegrityUSA

Page 15: Then Yuri is going to buy a private jet.

Source: http://www.youtube.com/user/ProtegrityUSA

Page 16: Who Is The Next Target For Yuri?*

(Bar chart: share of breaches by industry, x-axis 0 to 45 %. Industries shown: Business Services, Healthcare, Media, Transportation, Manufacturing, Tech Services, Government, Financial Services, Retail, Hospitality.)

*: Number of breaches

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 17: Where is Yuri?

Source: Trustwave Global Security Report 2011

Page 18: So how does Yuri do it?

Source: http://www.youtube.com/user/ProtegrityUSA

Page 19: What Attack Methods Did Yuri Use?*

(Bar chart: share of records by attack method, x-axis 0 to 100 %. Methods shown: Social, Misuse, Error, Physical, Malware, Hacking.)

*: Number of records

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 20: “Usually, I just need one disgruntled employee. Just one.”

Source: http://www.youtube.com/user/ProtegrityUSA

Page 21: The Attack On RSA Security

• Attackers stole information about SecurID two-factor authentication

• 60 different types of customized malware

• Advanced Persistent Threat (APT) malware tied to a network in Shanghai

• A tool written by a Chinese hacker 10 years ago

Page 22: Do You Know If Yuri Hacked You?*

(Bar chart: how breaches were discovered, x-axis 0 to 50 %. Discovery methods shown: Third party monitoring service, Brag or blackmail by perpetrator, Internal fraud detection, Internal security audit or scan, Reported by employee, Unusual system behavior, Reported by customer/partner affected, Notified by law enforcement, Third party fraud detection.)

*: Number of breaches

Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS

Page 23: Why Should I Care?

Page 24: Yuri Changed The Threat Landscape

• Some issues have stayed constant:
– Threat landscape continues to gain sophistication
– Attackers will always be a step ahead of the defenders

• Different motivation, methods and tools today:
– We are fighting highly organized, well-funded crime syndicates and nations
– Move from detective to preventative controls needed

Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

Page 25: How Can We Secure The Sensitive Data Flow?

Page 26: We Need To Protect The Data Flow

(Diagram legend: Protected sensitive information; Unprotected sensitive information; Enforcement point.)

Page 27: What Has Industry Done To Protect Itself?

Page 28: What is Cost Effective Data Protection?

(Bar chart: adoption of each control, x-axis 0 to 90 %. Controls shown: ID & credentialing system, Database scanning and monitoring (DAM), Intrusion detection or prevention systems, Data loss prevention systems (DLP), Endpoint encryption solution, Web application firewalls (WAF), Correlation or event management systems, Identity & access management systems, Access governance systems, Encryption for data in motion, Anti-virus & anti-malware solution, Encryption/Tokenization for data at rest, Firewalls.)

Source: PCI DSS Compliance Survey, Ponemon Institute

Page 29: Can New Data Security Help Creativity?

(Chart: Risk (Low to High) against Access Right Level (Low to High), comparing Data Tokens with Traditional Access Control.)

Old and flawed: Minimal access levels so people can only carry out their jobs

New: Creativity happens at the edge

Source: InformationWeek Aug 15, 2011

Page 30: What has Industry Done To Protect Databases?

Page 31: How Did Data Security Evolve?

Year: Event

2010: Memory Data Tokenization introduced as a fully distributed model

2005:
– Centralized Data Tokenization introduced with hosted payment service
– DTP (Data Type Preserving encryption) used in commercial databases
– Attack on SHA-1 hash announced
– DES was withdrawn

2001: AES (Advanced Encryption Standard) accepted as a FIPS-approved algorithm

1988: IBM AS/400 used tokenization in shadow files

1975: DES (Data Encryption Standard) draft submitted by IBM

1900 BC: Cryptography used in Egypt

Page 32: How Can We Limit Changes to Applications?

(Chart: Intrusiveness (to Applications and Databases) against Data Length, with an Encoding axis. Methods from most to least intrusive: Hashing, Strong Encryption (standard encryption), Alpha, Numeric, Partial (tokenizing or formatted encryption), Clear Text Data.)

Sample values shown on the slide for the original 123456 777777 1234:

Clear Text Data: 123456 777777 1234

Partial: 123456 123456 1234 (first six and last four digits unchanged)

Numeric: 666666 777777 8888

Alpha: aVdSaH 1F4hJ 1D3a

Hashing and Strong Encryption: symbol strings that no longer fit the original field, such as !@#$%a^.,mhu7/////&*B()_+!@ and !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*

Page 33: What Is The Next Step In Data Protection? The Promise Of A Better World

Page 34: Replace Sensitive Data With Fake Data

(Diagram: the Data 1234 5678 1234 5678 is replaced by a Token, a random number.)

Page 35: Replace Sensitive Data With Data Tokens

(Diagram: Applications & Databases, with Tokenization and De-tokenization between them. Legend: Data Token; Protected sensitive information; Unprotected sensitive information.)

Page 36: Yuri Hates Tokens!

Page 37: What is Tokenization and What is the Benefit?

• Tokenization
– Tokenization is a process that replaces sensitive data in systems with inert data called tokens, which have no value to the thief
– Tokens resemble the original data in data type and length

• Benefit
– Greatly improved transparency to systems and processes that need to be protected

• Result
– Reduced remediation
– Reduced need for key management
– Reduced points of attack
– Reduced PCI DSS audit costs for retail scenarios

Page 38: Tokens For PCI, PII & PHI

Page 39: Tokens Can Be More Flexible Than Encryption

Type of Data | Input | Token | Token Properties
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 2789 | Numeric
Medical ID | 29M2009ID | 497HF390D | Alpha-Numeric
Date | 10/30/1955 | 12/25/2034 | Date
E-mail Address | [email protected] | [email protected] | Alpha Numeric, delimiters in input preserved
SSN Delimiters | 075-67-2278 | 287-38-2567 | Numeric, delimiters in input
Credit Card | 3872 3789 1620 3675 | 8278 2789 2990 3675 | Numeric, Last 4 digits exposed
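The tokenization definition on Page 37 and the token-properties table above describe tokens that keep the input's data type and length, leave delimiters where they were, and can expose the last four digits. The Python below is an added illustration, not Protegrity's or Teradata's code: a small vault-style tokenizer that picks random replacement characters, keeps a lookup table for de-tokenization, and retries on the rare collision. The kind names, the `TokenVault` API and every sample value are my own constructions; the table's e-mail addresses are redacted on the page, so a constructed address stands in.

```python
"""Vault-style, format-preserving tokenizer (added illustration, not vendor code).

A token is a random value that keeps the original's data type and length,
leaves delimiters in place, and may expose trailing characters. The vault
maps every token back to its original for authorized de-tokenization.
"""
import secrets
import string
from datetime import date

# Data kinds used in this example (assumed names, not the vendor's).
NUMERIC = "numeric"            # card numbers, SSNs
ALPHANUMERIC = "alphanumeric"  # medical IDs, e-mail addresses
DATE = "date"                  # MM/DD/YYYY


def _random_date() -> str:
    """Random, valid calendar date in the same MM/DD/YYYY layout as the input."""
    y = 1900 + secrets.randbelow(200)
    m = 1 + secrets.randbelow(12)
    d = 1 + secrets.randbelow(28)  # day <= 28 is valid in every month
    return date(y, m, d).strftime("%m/%d/%Y")


def _random_same_shape(value: str, kind: str, expose_last: int) -> str:
    """Replace letters/digits with random ones; keep delimiters and the exposed tail."""
    cutoff = len(value) - expose_last
    out = []
    for i, ch in enumerate(value):
        if not ch.isalnum() or i >= cutoff:
            out.append(ch)                      # delimiter or exposed suffix
        elif kind == NUMERIC:
            out.append(secrets.choice(string.digits))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase + string.digits))
        else:
            out.append(secrets.choice(string.ascii_uppercase + string.digits))
    return "".join(out)


class TokenVault:
    """In-memory vault: one token per input, no token handed out twice."""

    def __init__(self) -> None:
        self._value_to_token = {}   # (kind, value, expose_last) -> token
        self._token_to_value = {}   # (kind, token) -> value

    def tokenize(self, kind: str, value: str, expose_last: int = 0) -> str:
        key = (kind, value, expose_last)
        if key in self._value_to_token:
            return self._value_to_token[key]    # repeat input gets the same token
        while True:                             # retry until the token is unused
            token = _random_date() if kind == DATE else _random_same_shape(value, kind, expose_last)
            if token != value and (kind, token) not in self._token_to_value:
                break
        self._value_to_token[key] = token
        self._token_to_value[(kind, token)] = value
        return token

    def detokenize(self, kind: str, token: str) -> str:
        """The vault lookup is the only way back; there is no key to recover."""
        return self._token_to_value[(kind, token)]


def same_shape(original: str, token: str) -> bool:
    """True when the token has the same length and delimiters in the same places."""
    return len(original) == len(token) and all(
        (a.isalnum() and b.isalnum()) or a == b for a, b in zip(original, token)
    )


def demo() -> dict:
    """Tokenize constructed samples of each row type from the table."""
    vault = TokenVault()
    samples = {  # constructed sample values, not real identifiers
        "credit_card": (NUMERIC, "3872 3789 1620 3675", 0),
        "medical_id": (ALPHANUMERIC, "29M2009ID", 0),
        "date": (DATE, "10/30/1955", 0),
        "email": (ALPHANUMERIC, "jane.doe@example.com", 0),
        "ssn": (NUMERIC, "075-67-2278", 0),
        "credit_card_last4": (NUMERIC, "3872 3789 1620 3675", 4),
    }
    result = {}
    for name, (kind, value, expose) in samples.items():
        token = vault.tokenize(kind, value, expose)
        assert vault.detokenize(kind, token) == value   # round trip through the vault
        result[name] = (value, token)
    return result


if __name__ == "__main__":
    for name, (value, token) in demo().items():
        print(f"{name:18} {value:24} -> {token}")
```

A token carries no key material and has no mathematical relationship to the original, so a token column leaked on its own is worthless without the vault; that is the "no value to the thief" property, and it is why the `detokenize` path is the one that must be restricted and audited. The retry loop is the price of a uniqueness guarantee in a vault design; the static-table approach the deck attributes to its modern tokenizer is not shown here.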

Page 40: What Is The Impact On Performance And Scalability?

Page 41: Speed of Different Protection Methods*

(Chart: Transactions per second (16 digits), logarithmic scale from 100 to 10 000 000, for Format Preserving Encryption, Data Type Preservation Encryption, Modern Data Tokenization, AES CBC Standard Encryption and Basic Data Tokenization.)

*: Speed will depend on the configuration

Page 42: Security of Different Protection Methods*

(Chart: Security Level (Low to High) for Format Preserving Encryption, Data Type Preservation Encryption, Modern Data Tokenization, AES CBC Standard Encryption and Basic Data Tokenization.)

*: Speed will depend on the configuration

Page 43: Data Protection Methods

The next step in data protection: Tokenization

(Table rating each method from Best to Worst; the ratings are icons on the slide and are not in the text.)

Columns: Performance, Storage, Security, Transparency

Rows: System without data protection; Monitoring + Blocking + Masking; Data Type Preservation; Strong Encryption; Tokenization; Hashing

Page 44: How does Tokenization on Teradata Work?

Page 45: The Bottleneck when Using Old Basic Tokenization

(Diagram: a central Token Server holding Credit Card Number, Social Security Number and Passport Number tokens serves a Teradata Clique of two Nodes, each with a Protegrity Agent and four AMPs.)

• Large footprint becomes larger

• Replication becomes more complex

• Solution may be unmanageable and expensive

Page 46: Modern Tokenization for Teradata Architecture

(Diagram: a Teradata Clique of two Nodes; Tokenization Operations run inside each Node's Protegrity Agent across its four AMPs.)

• Small footprint

• Small static token tables

• High availability

• High scalability

• High performance

• No replication required

• No chance of collisions

Page 47: The World’s Smallest & Fastest Tokenizer

Page 48: Performance Comparison

• Basic Tokenization
– 5 tokens per second (outsourced)
– 5000 tokens per second (in-house)

• Modern Tokenization
– 200,000 tokens per second (Protegrity)
• Single commodity server with 10 connections
• Will grow linearly with additional servers and/or connections
– 9,000,000+ tokenizations per second (Protegrity / Teradata)

Page 49: What Is The Customer Experience?

Page 50: Tokenization Case Studies

Customer 1: Extensive enterprise End-to-End credit card data protection switching to Protegrity Tokenization
• Performance Challenge: Initial tokenization
• Vendor Lock-In: What if we want to switch payment processor?
• Performance Challenge: Operational tokenization (SLAs)

Customer 2: Desired single vendor to provide data protection including tokenization
• Combined use of tokenization and encryption
• Looking to expand tokens beyond CCN to PII

Customer 3: Reduce compliance cost. 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: Initial tokenization
• End-to-End Tokens: Started with the EDW and expanding to stores

Page 51: Case Study – Large Chain Store

Faster PCI audit
• Half that time
• Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization

Lower maintenance cost
• Do not have to apply all 12 requirements of PCI DSS to every system

Better security
• Ability to eliminate several business processes such as generating daily reports for data requests and access

Strong performance
• Rapid processing rate for initial tokenization
• Sub-second transaction SLA

Page 52: How does Protegrity on Teradata Work?

Page 53: Protegrity Data Protection for Teradata

(Architecture diagram: a Clique of two Nodes, each running a PEP Server and Data Protection Operations across four AMPs, with the Policy Enforcement Agent implemented as UDF / UDT. A Deployment Server and a Log Proxy Server connect the Nodes to the Enterprise Security Administrator (ESA), which provides Policy Management, Key Management and Audit Management; Policy flows down to the Nodes and Audit Logs flow up to the ESA. The database holds Protected Data.)

Page 54: Protegrity in the ETL Process

(Diagram: Sources (SQL Server, AS/400, DB2, Oracle, Mainframe) feed an ETL Platform (Informatica, DataStage) that performs Cleansing, Integration and Transformation and loads the Targets: Teradata EDW, Teradata Load Processes and Test Data. Protegrity Policy Role Based Access Control decides what each consumer receives: Original Value, No Access, Token, Mask or Hash.)
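The architecture slide (Page 53) and the ETL slide above describe a policy enforcement point that hands back the original value, a token, a masked value, a hash, or nothing at all depending on the caller's role, and that keeps its own audit trail separate from the database log. The Python below is an added illustration of that pattern, not Protegrity's agent: the roles, the `POLICY` map, the `PolicyEnforcer` class and the key are assumptions of mine. For the hash form it uses a keyed HMAC-SHA-256 rather than a bare hash, my choice, because a plain hash of a 16-digit card number can be inverted by enumeration.

```python
"""Role-based policy enforcement for a protected column (added illustration).

Not Protegrity's agent: a constructed policy decides, per role, whether a
reader gets the original value, a token, a masked value, a keyed hash, or
nothing, and every decision is appended to an audit log that is separate
from the database's own log.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ORIGINAL, TOKEN, MASK, HASH, NO_ACCESS = "original", "token", "mask", "hash", "no_access"

# Constructed policy for a card-number column: role -> permitted output form.
POLICY = {
    "payment_processor": ORIGINAL,
    "data_scientist": TOKEN,      # analytics runs on tokens, never on clear text
    "support_agent": MASK,        # display masking, last four visible
    "fraud_analytics": HASH,      # joinable across systems but not reversible
    "dba": NO_ACCESS,             # the DBA sees nothing unless the policy says so
}


@dataclass
class AuditEntry:
    user: str
    role: str
    column: str
    outcome: str


@dataclass
class PolicyEnforcer:
    hmac_key: bytes                               # assumed to come from a key manager
    policy: dict
    audit_log: list = field(default_factory=list)
    _tokens: dict = field(default_factory=dict)   # value -> token (toy in-memory vault)

    def _token(self, value: str) -> str:
        """Random digits of the same length, delimiters kept, stable per value."""
        if value not in self._tokens:
            while True:   # never hand out the clear value as its own token
                cand = "".join(secrets.choice("0123456789") if c.isdigit() else c for c in value)
                if cand != value:
                    break
            self._tokens[value] = cand
        return self._tokens[value]

    @staticmethod
    def _mask(value: str) -> str:
        """Display masking: every letter/digit except the last four becomes 'X'."""
        cutoff = len(value) - 4
        return "".join("X" if c.isalnum() and i < cutoff else c for i, c in enumerate(value))

    def _hash(self, value: str) -> str:
        """Keyed hash: without the key the digest cannot be matched by enumeration."""
        return hmac.new(self.hmac_key, value.encode(), hashlib.sha256).hexdigest()

    def read(self, user: str, role: str, column: str, value: str) -> str:
        """Return the form of `value` the policy allows for `role`; log the decision."""
        outcome = self.policy.get(role, NO_ACCESS)   # unknown role -> deny
        self.audit_log.append(AuditEntry(user, role, column, outcome))
        if outcome == ORIGINAL:
            return value
        if outcome == TOKEN:
            return self._token(value)
        if outcome == MASK:
            return self._mask(value)
        if outcome == HASH:
            return self._hash(value)
        raise PermissionError(f"role {role!r} may not read column {column!r}")


def denied_reads(enforcer: PolicyEnforcer) -> list:
    """Audit query: which (user, role) pairs were refused."""
    return [(e.user, e.role) for e in enforcer.audit_log if e.outcome == NO_ACCESS]


if __name__ == "__main__":
    enf = PolicyEnforcer(hmac_key=b"constructed-demo-key", policy=POLICY)
    card = "3872 3789 1620 3675"   # constructed sample value
    for user, role in [("alice", "payment_processor"), ("bob", "data_scientist"),
                       ("carol", "support_agent"), ("dave", "fraud_analytics"),
                       ("eve", "dba")]:
        try:
            print(f"{user:6} {role:18} -> {enf.read(user, role, 'card', card)}")
        except PermissionError as err:
            print(f"{user:6} {role:18} -> {err}")
    print("denied:", denied_reads(enf))
```

The point the slides make about separation of duties shows up in two places here: the policy, not the database role, decides what a reader gets, and the denial is recorded in the enforcer's own log before the exception is raised, so a refused read is visible to the security administrator even if the database audit log is disabled.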

Page 55: Data Masking is Not Effective

Page 56: Data Masking is Not Secure

(Chart: Risk (Low to High) by System Type, comparing Data Tokens with masking. Data display masking is shown for Production and Test / dev systems; data at rest masking is shown for Integration testing and Troubleshooting. Two exposures are called out: data is in clear before masking, and data is only obfuscated.)

Page 57: Who Is Protegrity?

Page 58: Why Protegrity?

• Protegrity’s Tokenization allows compliance across:
– PCI
– PII
– PHI

• Innovative: Pushing data protection with industry leading innovation such as our patented database protection system and the Protegrity Tokenization

• Proven: Proven platform currently protects the world's largest companies

• Experienced: Experienced staff will be there with support along the way to complete data protection

Page 59: How To Secure The Sensitive Data Flow

(Diagram: Database Protector, File System Protector, Tokenization and Application Protector enforce protection at the POS, e-commerce and Branch endpoints; the Security Administrator distributes Policy over an SSL Channel (Secure Distribution) and collects the Audit Log over the same channel (Secure Collection).)

Page 60: How Will This Improve My Life?

Page 61: Why Tokenization?

1. No masking needed

2. No encryption/decryption when using

3. No key management across enterprise

Page 62: Why Modern Tokenization?

1. Better – small footprint

2. Faster – high performance

3. Lower total cost of ownership

Page 63: Tokenization Differentiators

Footprint
– Basic Tokenization: Large, expanding
– Modern Tokenization: Small, static

High Availability, Disaster Recovery
– Basic Tokenization: Complex, expensive replication required
– Modern Tokenization: No replication required

Distribution
– Basic Tokenization: Practically impossible to distribute geographically
– Modern Tokenization: Easy to deploy at different geographically distributed locations

Reliability
– Basic Tokenization: Prone to collisions
– Modern Tokenization: No collisions

Performance, Latency, and Scalability
– Basic Tokenization: Will adversely impact performance & scalability
– Modern Tokenization: Little or no latency. Fastest industry tokenization

Extendibility
– Basic Tokenization: Practically impossible
– Modern Tokenization: Unlimited tokenization capability

Page 64: Thank you!

Got Tokens? Meet Yuri at the Protegrity booth #201

Q&A: [email protected]