42
Session 7192 Beyond PCI – A Cost Effective Approach to Data Protection Ulf Mattsson CTO Protegrity [email protected] August 5, 2010 Session 7192 1

IBM Share Conference 2010, Boston, Ulf Mattsson

  • View
    1.775

  • Download
    3

Embed Size (px)

DESCRIPTION

IBM Share Conference 2010, Boston, Ulf Mattsson

Citation preview

Page 1: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Beyond PCI – A Cost Effective Approach to Data Protection

Ulf MattssonCTO [email protected]

August 5, 2010Session 7192

1

Page 2: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Ulf Mattsson• 20 years with IBM Software Development

• Received US Green Card ‘EB 11 – Individual of Extraordinary Ability’ endorsed by IBM Research

• Inventor of 21 Patents• Encryption Key Management, Policy Driven Data Encryption, Distributed

Tokenization and Intrusion Prevention

• Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security

• Created the Architecture of the Protegrity Database Security Technology

• Received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Google, Cisco, Ingres and other leading companies

Page 3: IBM Share Conference 2010, Boston, Ulf Mattsson

03

Page 4: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192 04

September 23, 2009

Page 5: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

http://www.knowpci.com

Source of Information about PCI Research

5

Page 6: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Agenda

• Review trends in data security threats

• Present case studies - protecting PCI and PII data

• Position different data security options

• Discuss how to protect the entire data flow

• Present a risk adjusted approach to data security

• Discuss data security in cloud and test environments

6

Page 7: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Online Data Under Attack – Not Laptops or Backup

Slide source: Verizon Business 2008 Data Breach Investigations Report

Breaches attributed to insiders are much larger than those caused by outsiders

The type of asset compromised most frequently is online data:

7

Page 8: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Source: 2009 Data Breach Investigations Supplemental Report, Verizon

Top 15 Threat Action Types

8

% of Records

% of Breaches

Page 9: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

The Gartner 2010 CyberThreat Landscape

The danger of advanced persistent threats (APTs) to enterprises.

Page 10: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

File System

Data Entry

Database

Storage

Application

Attacks at Different System Layers

Backup

DATABASE ATTACK

MALWARE / TROJAN

FILE ATTACK

SQL INJECTION

MEDIA ATTACK…

SNIFFER ATTACK

10

Network

Authorized/ Un-authorized

Users

HW Service

Contractors

Vendors

Database Admin

System Admin

“The perimeter is gone – need for new security approaches”

Page 11: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

PCI DSS - Payment Card Industry Data Security Standard

11

• Applies to all organizations that hold, process, or exchange cardholder information

• A worldwide information security standard defined by the Payment Card Industry Security Standards Council (formed in 2004)

• Began as five different programs: • Visa Card Information Security Program, MasterCard Site Data

Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program.

• 12 requirements for compliance, organized into six logically related groups, which are called "control objectives."

Page 12: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

PCI DSS # 3, 6, 7, 10 & 12

Build and maintain a secure network.

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data. 3. Protect stored data4. Encrypt transmission of cardholder data

and sensitive information across public networks

Maintain a vulnerability management program.

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement strong access control measures.

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks.

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy.

12. Maintain a policy that addresses information security

12

Page 13: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

PCI DSS #3 & 4 – Protect Cardholder Data

• 3.4 Render PAN, at minimum, unreadable anywhere it is stored by using any of the following approaches:• One-way hashes based on strong cryptography• Truncation• Index tokens and pads (pads must be securely stored)• Strong cryptography with associated key-management processes and procedures

• 4.1 Use strong cryptography to safeguard sensitive cardholder data during transmission over open, public networks.

• Comments – Cost effective compliance• Encrypted PAN is always “in PCI scope”• Tokens can be “out of PCI scope”

Page 14: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

‘Information in the wild’•Short lifecycle / High risk•Databases often found at collection points

Temporary information •Short lifecycle / High risk•Use the transition to re-key the locks

Operating information•Typically 1 or more year lifecycle•Broad and diverse computing and database environment

Decision making information•Typically multi-year lifecycle•High volume database analysis•Wide internal audience with privileges

Archive•Typically multi-year lifecycle•Preserving the ability to retrieve the data in the future is important

Aggregation

Operations

Analysis

Archive

14

Point of Sale

E-Commerce

Branch Office

Case Studies – Retail Environments

: Encryption service

Page 15: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Case Studies – PCI DSS Compliance

Case study #1: US Retailer

• Transparent to exiting applications• Protect the flow of sensitive credit card information

• From thousands of stores, Back office systems and Data warehouse

• Central key management • Ensuring performance on the mainframe

Case study #2: US Retailer• Protection against advanced attacks• Protect the flow of sensitive credit card information

• From thousands of stores, Back office systems and Data warehouse

• Central key management

015

Page 16: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Case Study 1: Goal – PCI Compliance & Application Transparency

FileEncryption:Windows

DatabaseEncryption:

DB2 (zOS, iSeries),Oracle,

SQL Server

Applications

RetailStore

Applications FTP

FileDecryption

Central HQ Location

FileEncryption:Windows,

UNIX,Linux, zOS

Credit CardEntry

: Encryption service

Page 17: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Case Study 2: Goal – Addressing Advanced Attacks & PCI DSS

Application

Application FTP

DatabaseEncryption:

DB2,SQL Server

FileEncryption:Windows,

UNIX,zOS

RetailStore Central HQ Location

Credit CardEntry

Application Application

Encryption

: Encryption service

End-to-End-Encryption (E2EE)

Page 18: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

UDFVIEW

CPACF (CCF)

EDITPROCICSF

CPACF

EDITPROC

FIELDPROC

Encryption Topologies – Mainframe Example

: Encryption service * : 20 bytes

Local Encryption

Remote Encryption

TCP/IPUDFVIEW

Mainframe(z/OS)

DB2

DB2

DB2

DB2

User Defined Function

Integrated Cryptographic Services Facility

CP Assist for Cryptographic

Function

Key Server

Crypto Server

1Micro-second*

1Micro-second*

1000 Micro-seconds*

1Micro-second*

Page 19: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Data Loading (Batch)

1 000 000 –

100 000 -

10 000 –

1 000 –Encryption

Topology

Rows Decrypted / s (100 bytes)

z/OS

Hardware

Crypto - CPACF

(All Operations)

Queries (Data Warehouse & OLTP)

Column Encryption Performance - Different Topologies

I

Network Attached

Encryption (SW/HW)

I

Local Encryption (SW/HW)

19

Page 20: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Evaluation of Encryption Options for DB2 on z/OS

Encryption Interface

Performance PCI DSS Security Transparency

API

UDF DB2 V8

UDF DB2 V9 -

Fieldproc

Editproc

Best Worst

20

Page 21: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Application Databases

Choose Your Defenses – Newer Data Security Approaches

Key Manager

Format Controlling Encryption

Token Server

Token

Data Tokenization

Example of Token format:

1234 1234 1234 4560

Application Databases

Key Manager

Example of Encrypted format:

111-22-1013

21

: Encryption service

Page 22: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

What Is Formatted Encryption?

• Where did it come from?• Before 2000 – Different approaches, some are

based on block ciphers (AES, 3DES …)• Before 2005 – Used to protect data in transit within

enterprises

• What exactly is it?• Secret key encryption algorithm operating in a new

mode• Cipher text output can be restricted to same as

input code page – some only supports numeric data

• The new modes are not approved by NIST

22

Page 23: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Formatted Encryption - Considerations

• Unproven level of security – makes significant alterations to the standard AES algorithm

• Encryption overhead – significant CPU consumption is required to execute the cipher

• Key management – is not able to attach a key ID, making key rotation more complex - SSN

• Some implementations only support certain data (based on data size, type, etc.)

• Support for “big iron” systems – is not portable across encodings (ASCII, EBCDIC)

• Transparency – some applications need full clear text

Page 24: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

What Is Data Tokenization?

• Where did it come from?• Found in Vatican archives dating from the 1300s• In 1988 IBM introduced the Application System/400

with shadow files to preserve data length • In 2005 vendors introduced tokenization of account

numbers

• What exactly is it?• It IS NOT an encryption algorithm or logarithm. • It generates a random replacement value which can

be used to retrieve the actual data later (via a lookup)• Still requires strong encryption to protect the lookup

table(s)

24

Page 25: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Central Tokenization - Considerations

• Transparency – not transparent to downstream systems that require the original data

• Performance & availability• Imposes significant overhead from the initial tokenization

operation and from subsequent lookups• Imposes significant overhead if token server is remote or

outsourced

• Security • Vulnerabilities of the tokens themselves – randomness

and possibility of collisions• Vulnerabilities typical in in-house developed systems –

exposing patterns and attack surfaces

Page 26: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

New Tokenization Approach - Distributed Servers

Customer Application

TokenServer

Customer Application

Customer Application

Token Server

Customer Application

TokenServer

SecurityManagement

Page 27: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

200 000 –

100 000 –

10 000 –

1000 –

5 – Tokenization

Topology

PAN Tokenization

(per second) New Distributed

Tokenization Approach

(per deployed token server)

Different Tokenization Approaches - Performance

I

New

27

Old Centralized

Tokenization Approach

(enterprise total)

I

Old

Outsourced

On-site

On-site

Page 28: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Evaluating Different TokenizationSolutions

Best Worst

Evaluating Different Tokenization Implementations

Evaluation Area Hosted/Outsourced On-site/On-premises

Area Criteria Central (old) Distributed Central (old) Distributed Integrated

Operational

Needs

Availability

Scalability

Performance

PricingModel

Per Server

Per Transaction

DataTypes

Identifiable - PII

Cardholder - PCI

SecuritySeparation

Compliance Scope

Page 29: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192 029

123456 777777 1234

123456 123456 1234

aVdSaH gF4fJh sDla

!@#$%a^&*B()_+!@4#$2%p^&*

How to not Break the Data Format

Hashing -

Binary Encryption -

Alpha Encoding -

Encoding -

Partial Encoding -

Clear Text - Data Field

Length

Protection Method

!@#$%a^&*B()_+!@

666666 777777 8888Tokenizing

orFormatted Encryption

Length and Type Changed

Type Changed

CCN / PAN

Page 30: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Different Security Options for Data Fields

Evaluation Criteria Strong Encryption

Formatted Encryption

New DistributedTokenization

Old Central

Tokenization

Disconnected environments

Distributed environments

Performance impact – data loading

Transparent to applications

Expanded storage size

Transparent to database schema

Long life-cycle data

Unix or Windows &“big iron”

Re-keying of data in a data flow

High risk data

Compliance to PCI, NIST

Best Worst

Page 31: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Matching Data Protection Solutions with Risk Level

Risk Level Solution

Monitor

Monitor, mask, access control limits, format control encryption

Tokenization, strong encryption

Low Risk (1-5)

At Risk (6-15)

High Risk (16-25)

Data Field

Risk Level

Credit Card Number 25Social Security Number 20

CVV 20Customer Name 12Secret Formula 10Employee Name 9

Employee Health Record 6Zip Code 3

31

Page 32: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Database Server

Database Activity

Monitoring /Data Loss Prevention

Web Application Firewall

DatabaseFiles

Database Log Files

Applications

DatabaseColumns

Database Activity

Monitoring

Choose Your Defenses – A Balanced Approach

32

Page 33: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Source: 2009 PCI DSS Compliance Survey, Ponemon Institute

Cost Effective Technology for PCI DSS

Encryption 74%WAF 55%

DLP 43%

DAM 18%

Page 34: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Database Protection Approach

Performance Storage Availability Transparency Security

Monitoring, Blocking, Masking

Column Level Formatted Encryption

Column Level Strong Encryption

Distributed Tokenization

Central Tokenization

Database File Encryption

Best Worst

Choose Your Defenses – Positioning of Alternatives

34

Page 35: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Use Case –Data Protection in Cloud Environments

Cloud Environment

35

Data Token

Encryption

User

Security Administrator

EncryptionToken

Page 36: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Use Case – Data Protection in Test/Dev Environments

36

Test Environment

Production EnvironmentSecurity

Administrator

Data Tokenization

Formatted Encryption

Masking

EncryptionToken

Page 37: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Data Protection Challenges

• Actual protection is not the challenge

• Management of solutions• Key management• Security policy• Auditing and reporting

• Minimizing impact on business operations• Transparency• Performance vs. security

• Minimizing the cost implications

• Maintaining compliance

• Implementation Time

Page 38: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Central Manager for:•Encryption keys•Security policy•Reporting

HardwareSecurity

RACFApplications

DB2 z/OS

Files

ICSFEncryption

Solution Mainframe z/OS

DB2 LUW

Informix

System i

Other

HardwareSecurity

38

Single Point of Control for Data Encryption

API

: Encryption service

Page 39: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Summary

• New threats to data & new regulations

• New “best practices” for data protection

• New approaches for data protection

• Protect the data flow

• Risk-adjusted approach to data security

• Centralized key management, policy and reporting

39

Page 40: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Protegrity Data Security Management

Database Protector

File System Protector

Policy

Secure Distribution

AuditLog

Secure Archive

Secure Collection

Application Protector

Tokenization Server

EnterpriseData SecurityAdministrator

Broad Platform Support

Page 41: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Protegrity Corporate Overview

• Enterprise Data Security Management

• Founded 1996

• 300+ customers

• Market leader in PCI DSS & PII data security

• 14 patents granted/issued

• Global reach - 60% NA, 30% EMEA, 10% Asia

41

Page 42: IBM Share Conference 2010, Boston, Ulf Mattsson

Session 7192

Beyond PCI – A Cost Effective Approach to Data Protection

Ulf MattssonCTO [email protected]

August 5, 2010Session 7192

42