Where Data Security and Value of Data Meet in the Cloud - Practical advice for cloud data security

Ulf Mattsson, CTO, Protegrity
[email protected]

Posted 14-Aug-2015

TRANSCRIPT

Ulf Mattsson, Protegrity CTO

Cloud Security Alliance (CSA)

PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force

ANSI X9
• American National Standards Institute

IFIP
• WG 11.3 Data and Application Security
• International Federation for Information Processing

Involvement in Payment Card Industry Data Security Standard:

1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group 2
10. PCI SSC 2014 Tokenization Task Force (TkTF)

Agenda

The New Enterprise Paradigm
• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency

Rethinking Data Security for a Boundless World
• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance

New Security Solutions, Technologies and Techniques
• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in context to the enterprise

Best Practices

Enterprises Losing Ground Against Cyber-attacks

Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools

JP Morgan Chase data breach
• Hackers were in the bank's network for months undetected
• Network configuration errors are inevitable, even at the largest banks

We need a new approach to data security

High-profile Cyber Attacks (chart)
• 49% recommended database security
• 40% of budget still goes to network security, only 19% to database security

Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification

The Perimeter-less World

Big data projects in 2015
• Integration with the outside world
• Security prevents big data from becoming a prevalent enterprise computing platform
• 3rd party products are helping
Source: www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html

Integration with Outside World
• 26 billion devices on the Internet of Things by 2020 (Gartner)
Source: wikipedia.org

CHALLENGE: How can I Secure the Perimeter-less Enterprise?

Cloud Computing

What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing? (chart)

Data Security Holding Back Cloud Projects (chart)
Source: Cloud Adoption Practices & Priorities Survey Report January 2015

Security of Data in Cloud at Board-level (chart)
Source: Cloud Adoption Practices & Priorities Survey Report January 2015

Threat Vector Inheritance (diagram)

New Options to Secure Cloud Data

Data-Centric Protection Increases Security in Cloud Computing
• Rather than making the protection platform based, the security is applied directly to the data
• Protecting the data wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points

Simplify Operations and Compliance in the Cloud

Key Challenges
• Storing and/or processing data in the cloud increases the risks of noncompliance through unapproved access and data breach
• Service providers will limit their liabilities to potential data breaches that may be taken for granted on-premises

Recommendations
• Simplify audits & address data residency and compliance issues by applying encryption or tokenization and access controls
• Digitally shred sensitive data at its end of life by deleting the encryption keys or tokens
• Understand that protecting sensitive data in cloud-based software as a service (SaaS) applications may require trading off security and functionality
• Assess each encryption solution by following the data to understand when data appears in clear text, where keys are made available and stored, and who has access to the keys

Source: Gartner: Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015

Security Gateway Deployment – Hybrid Cloud (diagram)
Components: Corporate Network with Client System and Cloud Gateway; Private Cloud; Public Cloud (out-sourced); Enterprise Security Administrator / Security Officer managing the gateway

Security Gateway – Searchable Encryption (diagram)
Components: Corporate Network, Client System, Cloud Gateway, RDBMS in the cloud; the gateway performs query re-write; protected columns use order preserving encryption; Enterprise Security Administrator / Security Officer

Security Gateway – Search & Indexing (diagram)
Components: Corporate Network, Client System, Cloud Gateway, RDBMS in the cloud; the gateway performs query re-write against an index; Enterprise Security Administrator / Security Officer
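The query re-write in the two gateway diagrams above, as an added example written for this page (it is not the slides' or Protegrity's gateway code). The gateway stays on the corporate side with the keys and sends the cloud RDBMS, played here by in-memory sqlite3, only a protected value plus a keyed blind index (HMAC-SHA256 of the normalised value). An equality predicate on a protected column is re-written to hit the index column, which answers `=` searches without revealing the value or its sort order; range and pattern predicates are refused rather than served by a leakier order-preserving encoding. Assumptions: the client uses named parameters (`:ssn`), one protected column `ssn`, constructed keys, and an HMAC-SHA256 counter-mode stream cipher standing in for AES because the Python standard library has no AES.

```python
"""Cloud gateway query re-write against a blind index (added example)."""
import hashlib
import hmac
import os
import re
import sqlite3

PROTECTED_COLUMNS = {"ssn"}             # columns the gateway protects
INDEX_KEY = b"example-index-key-0001"   # constructed keys; keep real ones in a KMS/HSM
DATA_KEY = b"example-data-key-0001"


def normalise(value: str) -> str:
    """Canonical form so '076-39-2778' and '076392778' index identically."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def blind_index(value: str) -> str:
    """Deterministic keyed hash: equal values give equal index, nothing else leaks."""
    return hmac.new(INDEX_KEY, normalise(value).encode(), hashlib.sha256).hexdigest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(DATA_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(value: str) -> str:
    """Randomised protection: fresh nonce per row, so equal values differ in storage."""
    nonce = os.urandom(12)
    data = value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return (nonce + ct).hex()


def unprotect(blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


class Gateway:
    """Re-writes equality predicates on protected columns to their index column."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")          # plays the cloud RDBMS
        self.db.execute("CREATE TABLE customers (name TEXT, ssn TEXT, ssn_idx TEXT)")
        self.db.execute("CREATE INDEX customers_ssn_idx ON customers (ssn_idx)")

    def insert(self, name: str, ssn: str) -> None:
        self.db.execute("INSERT INTO customers VALUES (?, ?, ?)",
                        (name, protect(ssn), blind_index(ssn)))

    def query(self, sql: str, params: dict) -> list:
        new_sql, new_params = sql, dict(params)
        for col in PROTECTED_COLUMNS:
            # A blind index cannot answer range or pattern predicates; refuse rather
            # than fall back to an order-preserving encoding that leaks sort order.
            if re.search(rf"\b{col}\s*(<|>|LIKE|BETWEEN)", new_sql, re.I):
                raise ValueError(f"range/pattern search on protected column {col!r} is not supported")
            pattern = rf"\b{col}\s*=\s*:{col}\b"
            if re.search(pattern, new_sql, re.I):
                new_sql = re.sub(pattern, f"{col}_idx = :{col}", new_sql, flags=re.I)
                new_params[col] = blind_index(params[col])
        cur = self.db.execute(new_sql, new_params)
        names = [d[0] for d in cur.description]
        # Protected columns are decrypted on the way back to the client.
        return [tuple(unprotect(v) if names[i] in PROTECTED_COLUMNS else v
                      for i, v in enumerate(row)) for row in cur.fetchall()]

    def cloud_view(self) -> list:
        """What the cloud provider can see: ciphertext and blind index only."""
        return self.db.execute("SELECT name, ssn, ssn_idx FROM customers").fetchall()


if __name__ == "__main__":
    gw = Gateway()
    gw.insert("Joe Smith", "076-39-2778")   # constructed sample rows
    gw.insert("Ann Lee", "123-45-6789")
    print(gw.query("SELECT name, ssn FROM customers WHERE ssn = :ssn", {"ssn": "076392778"}))
    print(gw.cloud_view())
```

The blind index is deterministic, so the cloud still learns which rows share a value (frequency); that is the trade the "Index" option in the later leakage charts makes in exchange for fast equality search, and it is the reason the value column itself is stored with a randomised encoding rather than reusing the index.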

Comparing Data Protection Methods

Risk Adjusted Storage – Data Leaking Formats (chart)
Y axis: Data Leakage, Low to High; X axis: Computational Usefulness. Methods plotted left to right: Strong encryption, Truncation, Sort-order-preserving encryption, Indexing

Balancing Data Security & Utility
• Value preserving
• Classification of sensitive data
• Granular protection of sensitive data
• Is the index leaking sensitive data? Is the encoding leaking sensitive data?

Risk Adjusted Data Leakage (chart)
Y axis: Trust, Low to High; X axis: Elasticity, In-house to Out-sourced. Plotted: index data leaking sensitive data (high); sort order preserving encryption algorithms leaking sensitive data; index NOT leaking sensitive data (low)
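The leakage ordering in the two charts above (strong encryption, then indexing, then sort-order-preserving encryption), as an added example written for this page rather than taken from the slides. One constructed column of ages is encoded three ways and then attacked by an adversary who knows the column's plaintext distribution (for instance from public statistics) but not which row holds which value. `ope_encode` is a toy order-preserving map (a keyed random strictly increasing table) with only the property the attack needs, not a real OPE scheme; `det_index` is a deterministic keyed hash like a searchable gateway index; `rnd_encode` is a randomised encoding with a fresh nonce per row. Seeds and keys are constructed.

```python
"""Rank-matching attack on order-preserving, deterministic and randomised encodings."""
import hashlib
import hmac
import random
from collections import Counter

DOMAIN = 128                        # plaintext domain: 0 .. DOMAIN-1
OPE_SEED = b"example-ope-seed"      # constructed secrets
INDEX_KEY = b"example-index-key"

# Constructed sample column: 20 ages with repeats (31 occurs five times).
SAMPLE_AGES = [23, 31, 31, 45, 52, 31, 67, 29, 45, 38, 41, 33, 31, 58, 60, 27, 45, 49, 36, 31]


def _ope_table(seed: bytes) -> list:
    """Strictly increasing random table: table[x] < table[y] whenever x < y."""
    rnd = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
    table, acc = [], 0
    for _ in range(DOMAIN):
        acc += rnd.randint(1, 1000)
        table.append(acc)
    return table


_OPE = _ope_table(OPE_SEED)


def ope_encode(x: int) -> int:
    """Toy sort-order-preserving encoding."""
    return _OPE[x]


def det_index(x: int) -> str:
    """Deterministic keyed index: equal plaintexts give equal output."""
    return hmac.new(INDEX_KEY, str(x).encode(), hashlib.sha256).hexdigest()


_rnd = random.Random(2015)   # seeded for reproducibility; use os.urandom in practice


def rnd_encode(x: int) -> str:
    """Randomised encoding: a fresh nonce makes equal plaintexts look unrelated."""
    nonce = _rnd.getrandbits(128).to_bytes(16, "big")
    return nonce.hex() + hmac.new(INDEX_KEY, nonce + str(x).encode(), hashlib.sha256).hexdigest()


def rank_attack(ciphertexts: list, known_values: list) -> list:
    """Give the i-th smallest ciphertext the i-th smallest known value.
    Exact against any order-preserving encoding; a blind guess against the rest."""
    ranked = sorted(known_values)
    order = sorted(range(len(ciphertexts)), key=lambda i: ciphertexts[i])
    recovered = [None] * len(ciphertexts)
    for rank, i in enumerate(order):
        recovered[i] = ranked[rank]
    return recovered


def recovery_rate(recovered: list, truth: list) -> float:
    return sum(r == t for r, t in zip(recovered, truth)) / len(truth)


def frequency_leak(ciphertexts: list) -> int:
    """Largest group of rows the attacker can tell hold the same value."""
    return max(Counter(ciphertexts).values())


def leakage_report(values: list = SAMPLE_AGES) -> dict:
    """Rank-attack recovery rate and frequency leak for each encoding of one column."""
    report = {}
    for name, enc in (("ope", ope_encode), ("det_index", det_index), ("randomised", rnd_encode)):
        cts = [enc(v) for v in values]
        report[name] = {
            "rank_attack_recovery": recovery_rate(rank_attack(cts, values), values),
            "frequency_leak": frequency_leak(cts),
        }
    return report


if __name__ == "__main__":
    for name, r in leakage_report().items():
        print(f"{name:<11} recovery={r['rank_attack_recovery']:.2f} max_frequency={r['frequency_leak']}")
```

Against the order-preserving encoding the attack recovers every row exactly; the deterministic index still reveals that five rows share one value (frequency leakage) but not which value; the randomised encoding reveals neither, which is why the charts rank it highest on trust and lowest on computational usefulness.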

Reduction of Pain with New Protection Techniques (chart: Pain & TCO, High to Low, over 1970 / 2000 / 2005 / 2010)

Input value: 3872 3789 1620 3675
• Strong encryption (AES, 3DES) – output: !@#$%a^.,mhu7///&*B()_+!@
• Format preserving encryption (DTP, FPE) – output: 8278 2789 2990 2789
• Vault-based tokenization – output: 8278 2789 2990 2789 (format preserving)
• Vaultless tokenization – output: 8278 2789 2990 2789 (format preserving, no vault, greatly reduced key management)

What is Data Tokenization?

Fine Grained Data Security Methods – Tokenization and Encryption are Different

                  Encryption                 Tokenization
Used approach     Cipher system              Code system
                  Cryptographic algorithms   Code books
                  Cryptographic keys         Index tokens

Source: McGraw-Hill Encyclopedia of Science & Technology

Tokenization Research – Tokenization Gets Traction
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Tokenization users had 50% fewer security-related incidents than tokenization non-users

Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

Speed of Fine Grained Protection Methods (chart)
Y axis: transactions per second*, log scale from 100 to 10 000 000. Methods compared: Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Vault-based Data Tokenization
*: Speed will depend on the configuration

Significantly Different Tokenization Approaches (table)
Properties compared: Dynamic vs Pre-generated; Vault-based vs Vaultless
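The vault-based and vaultless tokenization contrasted in the three slides above ("Reduction of Pain", "What is Data Tokenization?", "Significantly Different Tokenization Approaches"), together with the earlier Gartner recommendation to digitally shred data by deleting keys or tokens, as an added example written for this page; it is not the slides' or Protegrity's tokenization code. Both tokenizers turn a 16-digit card number into a 16-digit token that keeps the last four digits, so downstream systems that display or key on the last four keep working. The vault-based tokenizer stores random tokens in a lookup table and detokenizes by lookup; deleting the entry shreds the PAN. The vaultless tokenizer reverses a chained substitution through per-position code books derived from a seed, so there is no vault to store, replicate or back up, and deleting the seed shreds every token at once. The vaultless scheme is a constructed illustration of the code-book idea and is not a standardised or evaluated algorithm; use NIST FF1 or a vetted product in production.

```python
"""Vault-based and vaultless format-preserving tokenization of a PAN (added example)."""
import hashlib
import random
import re
import secrets


def _digits(pan: str) -> str:
    d = re.sub(r"\D", "", pan)
    if len(d) != 16:
        raise ValueError("expected a 16-digit PAN")
    return d


def _group4(d: str) -> str:
    return " ".join(d[i:i + 4] for i in range(0, 16, 4))


class VaultTokenizer:
    """Random tokens kept in a vault; one token per PAN; lookup to detokenize."""

    def __init__(self):
        self._vault = {}    # token digits -> PAN digits
        self._by_pan = {}   # PAN digits -> token digits

    def tokenize(self, pan: str) -> str:
        d = _digits(pan)
        if d not in self._by_pan:
            while True:   # random 12 digits + real last four, unique in the vault
                tok = "".join(secrets.choice("0123456789") for _ in range(12)) + d[-4:]
                if tok != d and tok not in self._vault:
                    break
            self._vault[tok] = d
            self._by_pan[d] = tok
        return _group4(self._by_pan[d])

    def detokenize(self, token: str) -> str:
        return _group4(self._vault[_digits(token)])

    def shred(self, pan: str) -> None:
        """End of life: drop the mapping; the token can never be reversed again."""
        tok = self._by_pan.pop(_digits(pan))
        del self._vault[tok]


class VaultlessTokenizer:
    """Reversible chained substitution through seed-derived code books (constructed)."""
    ROUNDS = 3

    def __init__(self, seed: bytes):
        # One digit permutation (code book) per round and position, derived from the seed.
        rnd = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
        self._books = []
        for _ in range(self.ROUNDS):
            books = []
            for _ in range(12):
                perm = list(range(10))
                rnd.shuffle(perm)
                books.append(perm)
            self._books.append(books)

    @staticmethod
    def _forward(digits: list, books: list) -> list:
        out, prev = [], 0
        for d, book in zip(digits, books):
            prev = book[(d + prev) % 10]   # chain: each output digit depends on earlier ones
            out.append(prev)
        return out

    @staticmethod
    def _inverse(digits: list, books: list) -> list:
        out, prev = [], 0
        for t, book in zip(digits, books):
            out.append((book.index(t) - prev) % 10)
            prev = t
        return out

    def tokenize(self, pan: str) -> str:
        d = _digits(pan)
        head = [int(c) for c in d[:12]]
        for books in self._books:
            head = self._forward(head, books)[::-1]   # reverse between rounds for two-way diffusion
        return _group4("".join(map(str, head)) + d[-4:])

    def detokenize(self, token: str) -> str:
        t = _digits(token)
        head = [int(c) for c in t[:12]]
        for books in reversed(self._books):
            head = self._inverse(head[::-1], books)
        return _group4("".join(map(str, head)) + t[-4:])


if __name__ == "__main__":
    pan = "3872 3789 1620 3675"   # the slides' sample input
    vault = VaultTokenizer()
    print("vault-based:", vault.tokenize(pan), "->", vault.detokenize(vault.tokenize(pan)))
    vaultless = VaultlessTokenizer(b"example-seed")   # constructed seed; keep the real one in a KMS/HSM
    print("vaultless:  ", vaultless.tokenize(pan), "->", vaultless.detokenize(vaultless.tokenize(pan)))
```

The vault grows with every new PAN and must be replicated to every site that detokenizes, which is the scalability and availability cost the "Pain & TCO" chart assigns to vault-based tokenization; the vaultless tokenizer needs only the seed, so tokenization and detokenization scale out without shared state.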

Examples of Protected Data

Field            Real Data                             Tokenized / Pseudonymized
Name             Joe Smith                             csu wusoj
Address          100 Main Street, Pleasantville, CA    476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                            01/02/1966
Telephone        760-278-3389                          760-389-2289
E-Mail Address   [email protected]                     [email protected]
SSN              076-39-2778                           076-28-3390
CC Number        3678 2289 3907 3378                   3846 2290 3371 3378
Business URL     www.surferdude.com                    www.sheyinctao.com
Fingerprint      Encrypted
Photo            Encrypted
X-Ray            Encrypted

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; financial services consumer products and activities

Protection methods can be equally applied to the actual data, but not needed with de-identification

Use Case: How Should I Secure Different Data? (chart)
Y axis: type of data, Structured to Un-structured; X axis: data class, from Simple – PCI (Cardholder Data) through PII (Personally Identifiable Information) to Complex – PHI (Protected Health Information). Structured data: tokenization of fields; unstructured data: encryption of files

How to Balance Risk and Data Access

Risk Adjusted Data Security – Access Controls (chart)
Y axis: Risk Exposure, Low to High; X axis: User Productivity and Creativity, from low access to high access to sensitive data in clear

Risk Adjusted Data Security – Tokenized Data (chart)
Y axis: Risk Exposure and Cost of Application Changes, Low to High; X axis: User Productivity and Creativity, from low access to high access to tokenized data

Risk Adjusted Data Security – Selective Masking (chart)
Y axis: Risk Exposure and Cost, Low to High; X axis: level of masking. Cost example, 16 digit credit card number: all 16 clear, only middle 6 hidden, all 16 hidden

Fine Grained Security: Securing Fields

Production Systems – Encryption of fields
• Reversible
• Policy control (authorized / unauthorized access)
• Lacks integration transparency
• Complex key management
• Example: !@#$%a^.,mhu7///&*B()_+!@

Non-Production Systems – Masking of fields
• Not reversible
• No policy, everyone can access the data
• Integrates transparently
• No complex key management
• Example: 0389 3778 3652 0038

Fine Grained Security: Tokenization of Fields

Tokenization (Pseudonymization)
• Production systems: reversible, policy control (authorized / unauthorized access)
• Non-production systems: not reversible, integrates transparently
• No complex key management
• Business intelligence
• Example: 0389 3778 3652 0038

Cloud Gateway – Requirements Adjusted Protection (table)
Data protection methods, each rated from Best to Worst on Scalability, Storage, Security and Transparency:
• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)

Data-Centric Audit and Protection (DCAP)
• Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act
• By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting

Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014

Central Management – Policy Deployment (diagram)
The Enterprise Security Administrator (Security Office / Security Team) deploys one policy from a central point to every protector: Application Protector, Database Protector, EDW Protector, File Protector, Big Data Protector, Cloud Gateway, Inline Gateway, Protection Servers, IBM Mainframe Protectors and File Protector Gateway; each protector returns an audit log

Enterprise Data Security Policy

What: What is the sensitive data that needs to be protected.
How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
Who: Who should have access to sensitive data and who should not. Security access control.
When: When should sensitive data access be granted to those who have access. Day of week, time of day.
Where: Where is the sensitive data stored? This is where the policy is enforced.
Audit: Audit authorized or unauthorized access to sensitive data.
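The policy questions above (What, How, Who, When, Where, Audit) and the three presentations from the earlier "Risk Adjusted Data Security – Selective Masking" slide (all 16 clear, only middle 6 hidden, all 16 hidden), as an added example written for this page rather than code from the slides or from Protegrity. The policy is written down as data and applied to a 16-digit card number: each call decides how the value is presented to a user (clear, selectively masked, tokenized, fully masked) according to role and time window, and appends one audit record whether the access was authorized or not. Roles, users, the time window, the key and the `tokenized_view` stand-in are constructed for the example; a real token would come from the tokenization service and be reversible there under policy.

```python
"""Policy-driven presentation of a card number with an audit trail (added example)."""
import hashlib
import hmac
import re
from datetime import datetime

TOKEN_KEY = b"example-token-key"   # constructed; a real token is issued by the tokenization service

POLICY = {
    "what": "card_number",                 # What: the sensitive field
    "where": "orders.card_number",         # Where: the store where the policy is enforced
    "how": {                               # How to present the data to each role (Who)
        "fraud_analyst": "clear",
        "customer_service": "mask_middle_6",
        "marketing": "tokenized",
        "*": "mask_all",                   # everyone else
    },
    "when": {                              # When: day-of-week (Mon=0) and hour windows per role
        "fraud_analyst": {"days": {0, 1, 2, 3, 4}, "hours": range(8, 19)},
    },
}


def _digits(pan: str) -> str:
    d = re.sub(r"\D", "", pan)
    if len(d) != 16:
        raise ValueError("expected a 16-digit card number")
    return d


def _group4(d: str) -> str:
    return " ".join(d[i:i + 4] for i in range(0, 16, 4))


def tokenized_view(d: str) -> str:
    """Stand-in for a token: keyed, format preserving (12 pseudo-random digits plus
    the real last four), consistent per card so analytics can still join on it."""
    mac = hmac.new(TOKEN_KEY, d.encode(), hashlib.sha256).digest()
    return _group4("".join(str(b % 10) for b in mac[:12]) + d[-4:])


def mask(pan: str, mode: str) -> str:
    """The presentation modes of the selective-masking slide, plus tokenized."""
    d = _digits(pan)
    if mode == "clear":
        return _group4(d)
    if mode == "mask_middle_6":            # first 6 and last 4 stay visible
        return _group4(d[:6] + "X" * 6 + d[12:])
    if mode == "mask_all":
        return _group4("X" * 16)
    if mode == "tokenized":
        return tokenized_view(d)
    raise ValueError(f"unknown presentation mode {mode!r}")


def present(pan: str, user: str, role: str, now, audit: list) -> tuple:
    """Apply POLICY for (user, role, now), append an audit record, return (value, mode).
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    window = POLICY["when"].get(role)
    in_window = window is None or (now.weekday() in window["days"] and now.hour in window["hours"])
    known_role = role in POLICY["how"]
    mode = POLICY["how"][role] if (known_role and in_window) else "mask_all"
    audit.append({                         # Audit: every decision, authorized or not
        "time": now.isoformat(),
        "user": user,
        "role": role,
        "what": POLICY["what"],
        "where": POLICY["where"],
        "how": mode,
        "authorized": known_role and in_window,
    })
    return mask(pan, mode), mode


if __name__ == "__main__":
    log = []
    pan = "3678 2289 3907 3378"   # constructed sample card number
    for user, role, when in [("alice", "fraud_analyst", "2015-08-14T10:00"),
                             ("alice", "fraud_analyst", "2015-08-15T10:00"),
                             ("bob", "customer_service", "2015-08-14T10:00"),
                             ("carol", "marketing", "2015-08-14T23:00"),
                             ("dave", "contractor", "2015-08-14T10:00")]:
        print(user, role, present(pan, user, role, when, log))
    for entry in log:
        print(entry)
```

Denied requests still produce a value (the fully masked form) so the calling application does not break, which is the transparency argument the masking slides make; the audit record, not the return value, is what distinguishes an authorized from an unauthorized access.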

Central Management – Audit Log Collection (diagram)
Each protector (Application Protector, Database Protector, EDW Protector, File Protector, Big Data Protector, Cloud Gateway, Inline Gateway, Protection Servers, IBM Mainframe Protectors, File Protector Gateway) sends its audit log to the Enterprise Security Administrator (Security Office / Security Team) for central collection

Summary

The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity

What's required?
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance

Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise

What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?

Thank you! Questions?

Please contact us for more information
www.protegrity.com
[email protected]