where data security and value of data meet in the cloud
TRANSCRIPT
Where Data Security and Value of Data Meet in the C loud- Practical advice for cloud data security
Ulf MattssonCTO, Protegrity
Cloud Security Alliance (CSA)
PCI Security Standards Council • Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
Ulf Mattsson, Protegrity CTO
ANSI X9• American National Standards Institute
IFIP • WG 11.3 Data and Application Security
• International Federation for Information Processing
2
Involvement in Payment Card Industry Data Security Standard:
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
Ulf Mattsson, Protegrity CTO
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group 2
10. PCI SSC 2014 Tokenization Task Force (TkTF).
3
The New Enterprise Paradigm• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency
Rethinking Data Security for a Boundless World• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximize data utility & minimizing risk – finding the right balance
Agenda
• Maximize data utility & minimizing risk – finding the right balance
New Security Solutions, Technologies and Techniques• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in context to the enterprise
Best Practices
5
Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal
Enterprises Losing Ground Against Cyber-attacks
of breaches are detected by internal monitoring tools
JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the larges banks
We need a new approach to data security
6
High -profile Cyber Attacks
49% recommended Database security
40% of budget still on Network security
7
40% only
19% to database security
Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification
Big data projects in 2015
• Integration with the outside world
Security prevents big data from becoming a prevalent enterprise computing
Integration with Outside World
26 billion devices on the Internet of Things by
2020 (Gartner)
9
www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html
enterprise computing platform
• 3rd party products are helping
wikipedia.org
Data Security Holding Back Cloud Projects
13
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
Security of Data in Cloud at Board -level
14
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
Rather than making the protection platform based, the security is applied directly to the data
Protecting the data wherever it goes, in any environment
Data-Centric Protection Increases Security in Cloud Computing
Cloud environments by nature have more access points and cannot be disconnected
Data-centric protection reduces the reliance on controlling the high number of access points
17
Key Challenges
Storing and/or processing data in the cloud increases the risks
of noncompliance through unapproved access and data
breach
Service providers will limit their liabilities to potential data
breaches that may be taken for granted on-premises
Simplify Operations and Compliance in the Cloud
018
breaches that may be taken for granted on-premises
Gartner: Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
Recommendations
Simplify audits & address data residency and compliance issues
by applying encryption or tokenization and access controls.
Digitally shred sensitive data at its end of life by deleting the
encryption keys or tokens
Understand that protecting sensitive data in cloud-based
Simplify Operations and Compliance in the Cloud
019
Understand that protecting sensitive data in cloud-based
software as a service (SaaS) applications may require trading off
security and functionality
Assess each encryption solution by following the data to
understand when data appears in clear text, where keys are
made available and stored, and who has access to the keys
Gartner: Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
Corporate Network
Security Gateway Deployment – Hybrid Cloud
ClientSystem
Public CloudCloud Gateway
Private Cloud
020
EnterpriseSecurity
AdministratorSecurity Officer
Out-sourced
Corporate Network Corporate Network
Security Gateway Deployment – Hybrid Cloud
ClientSystem
Private Cloud Public Cloud
CloudGateway
021
EnterpriseSecurity
AdministratorSecurity Officer
Gateway
Out-sourced
Corporate Network
ClientSystem Cloud
Gateway
Security Gateway – Searchable Encryption
RDBMSQuery
re-write
022
EnterpriseSecurity
AdministratorSecurity Officer
Order preserving encryption
Corporate Network
ClientSystem
CloudGateway
Security Gateway – Search & Indexing
RDBMSQuery
re-write
023
EnterpriseSecurity
AdministratorSecurity Officer
IndexIndex
Computational Usefulness
Risk Adjusted Storage – Data Leaking Formats
H
25
Data
Leakage
Strong-encryption Truncation Sort-order-pres erving-encryption Indexing
L
I I I I
Balancing Data Security & Utility
Value
Preserving
Classification of Sensitive Data
Granular Protection of Sensitive Data
26
Index Data
Leaking
Sensitive
Data ?
Encoding
Leaking
Sensitive
Data ?
Risk Adjusted Data Leakage
Index
Trust
HIndex
Leaking
Sensitive
Data
Sort Order Preserving
Encryption Algorithms
Leaking Sensitive
Data
27
Index Data
ElasticityOut-sourcedIn-house
L
Index NOT
Leaking
Sensitive
Data
Reduction of Pain with New Protection Techniques
High
Pain& TCO
Strong Encryption Output:AES, 3DES
Format Preserving EncryptionDTP, FPE
Input Value: 3872 3789 1620 3675
!@#$%a^.,mhu7///&*B()_+!@
8278 2789 2990 2789
28
1970 2000 2005 2010
Low
Vault-based Tokenization
Vaultless Tokenization
8278 2789 2990 2789
Format Preserving
Greatly reduced Key Management
No Vault
8278 2789 2990 2789
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
30
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
Tokenization users had 50% fewer security-related incidents than tokenization non-users
31
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
10 000 000 -
1 000 000 -
100 000 -
10 000 -
Transactions per second*
Speed of Fine Grained Protection Methods
10 000 -
1 000 -
100 -I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Vault-based
Data
Tokenization
*: Speed will depend on the configuration
32
Significantly Different Tokenization Approaches
Property Dynamic Pre-generated
Vault-based Vaultless
33
Examples of Protected DataField Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address [email protected] [email protected]
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare / Financial Services
Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.Financial Services Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
34
Use
Case
How Should I Secure Different Data?
Simple –PCI
PII
Encryption
of Files
CardHolder Data
Tokenization of Fields
Personally Identifiable Information
Type of
DataI
Structured
I
Un-structured
Complex – PHI
ProtectedHealth
Information
35
Personally Identifiable Information
High -
Risk Adjusted Data Security – Access Controls
Risk Exposure
User Productivity and Creativity
37
Access to Sensitive Data in
Clear
Low Access to Data High Access to Data
Low -
I I
High -
Risk Adjusted Data Security – Tokenized Data
User Productivity and Creativity
38
Access to
Tokenized Data
Low Access to Data High Access to Data
Low -
I I
Risk Exposure
Cost of Application
Changes
High -
Risk Adjusted Data Security – Selective Masking
Risk Exposure
Cost Example: 16 digit credit card number
39
All-16-clear Only-middle-6-hidden All-16-hidden
Low -
I I I
Fine Grained Security: Securing Fields
Production SystemsEncryption of fields• Reversible• Policy Control (authorized / Unauthorized Access)• Lacks Integration Transparency• Complex Key Management• Example: !@#$%a^.,mhu7///&*B()_+!@
40
Non-Production SystemsMasking of fields• Not reversible• No Policy, Everyone can access the data• Integrates Transparently• No Complex Key Management• Example: 0389 3778 3652 0038
Fine Grained Security: Tokenization of Fields
Production Systems
Tokenization (Pseudonymization)
• No Complex Key Management• Business Intelligence• Example: 0389 3778 3652 0038
41
Non-Production Systems
• Reversible • Policy Control (Authorized / Unauthorized Access)
• Not Reversible• Integrates Transparently
Cloud Gateway - Requirements Adjusted Protection
Data Protection Methods Scalability Storage Security Tr ansparency
System without data protection
Weak Encryption (1:1 mapping)
Searchable Gateway Index (IV)
Vaultless Tokenization
Partial EncryptionPartial Encryption
Data Type Preservation Encryption
Strong Encryption (AES CBC, IV)
Best Worst
42
Data–Centric Audit and Protection (DCAP)
Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act
By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less
043
Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
approaches in 25% of large enterprises, up from less than 5% today
Centrally managed security policy
Across unstructured and structured silos
Classify data, control access and monitoring
Protection – encryption, tokenization and masking
Segregation of duties – application users and privileged
Data–Centric Audit and Protection (DCAP)
044
Segregation of duties – application users and privileged
users
Auditing and reporting
Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
Central Management – Policy DeploymentApplication Protector
Database Protector
EDW Protector
EnterpriseSecurity
Administrator
PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy
Security Office / Security Team
AuditLog
45
File Protector
Big Data Protector
Cloud Gateway
Inline Gateway
Protection Servers
IBM Mainframe Protectors
PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy
File Protector Gateway
Enterprise Data Security Policy
What is the sensitive data that needs to be protected.
How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc.
Who should have access to sensitive data and who should not. Security access control.
What
Who
How
46
When should sensitive data access be granted to those who have access. Day of week, time of day.
Where is the sensitive data stored? This will be where the policy is enforced.
Audit authorized or un-authorized access to sensitive data.
When
Where
Audit
AuditLog
AuditLog
AuditLog
Central Management – Audit Log CollectionApplication Protector
Database Protector
EDW Protector
EnterpriseSecurity
Administrator
Security Office / Security Team
AuditLog
AuditLog
AuditLog
Log
AuditLog
AuditLog
AuditLog
AuditLog
47
File Protector
Big Data Protector
Cloud Gateway
Inline Gateway
Protection Servers
IBM Mainframe Protectors File Protector
Gateway
The biggest challenge in this new paradigm• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?• Seamless, boundless security framework – data flow
• Maximize data utility & Minimizing risk – finding the right balance
Value-preserving data-centric security methods
Summary
Value-preserving data-centric security methods• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise.
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
48
Thank you!Thank you!
Questions?
Please contact us for more information
www.protegrity.com