Cloud, Cross-Border, Off-Shoring, Outsourcing, Privacy, Sensitive Data
Cross-Border - Off-Shoring and Outsourcing Privacy Sensitive Data
Ulf Mattsson, CTO
Protegrity
ulf.mattsson AT protegrity.com
20 years with IBM • Research & Development & Global Services
Inventor • Encryption, Tokenization & Intrusion Prevention
Involvement
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• Encryption & Tokenization
• International Federation for Information Processing
• IFIP WG 11.3 Data and Application Security
• ISACA New York Metro chapter
Cloud
Cloud Services
Services usually provided by a third party
• Can be virtual, public, private, or hybrid
Increasing adoption – up 12% from 2012*
Often an outsourced solution, sometimes cross-border
Allows for greater accessibility of data and low overhead
*Source: GigaOM
Cloud Services and Models
Source: NIST, CSA
Drivers for Data Security
Data Security
Regulations & Laws
• Payment Card Industry Data Security Standard (PCI DSS)
• National Privacy Laws
• Cross-Border & Outsourcing Privacy Laws
Expanding Threat Landscape
• Hackers & APT
• Internal Threats & Rogue Privileged Users
• Excessive Privilege or Security Negligence
Sensitive Data Insight & Usability
• Unprotected Sensitive or Restricted Data is Unusable for Marketing, Monetization, Outsourcing, etc.
Vulnerabilities in Emerging Technologies
Regulations & Laws
PCI DSS
PCI Data Security Standards Council
Founded in 2006, comprised of four major credit card brands
Each card brand enforcement program issues fines, fees and schedule deadlines
• Visa's Cardholder Information Security Program (CISP): http://www.visa.com/cisp
• MasterCard's Site Data Protection (SDP) program: http://www.mastercard.com/us/sdp/index.html
• Discover's Discover Information Security and Compliance (DISC) program: http://www.discovernetwork.com/fraudsecurity/disc.html
• American Express Data Security Operating Policy (DSOP): http://www.americanexpress.com/datasecurity
PCI DSS
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
PCI DSS 3.0
Protection of cardholder data in memory
Clarification of key management dual control and split knowledge
Recommendations on making PCI DSS business-as-usual and best practices
Security policy and operational procedures added
Increased password strength
New requirements for point-of-sale terminal security
More robust requirements for penetration testing
PCI DSS Cloud Guidelines
Relevant to all sensitive data that is outsourced to cloud
1. Clients retain responsibility for the data they put in the cloud
2. Public-cloud providers often have multiple data centers, which may often be in multiple countries or regions
3. The client may not know the location of their data, or the data may exist in one or more of several locations at any particular time
4. A client may have little or no visibility into the controls
5. In a public-cloud environment, one client's data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers
Regulations & Laws
National Privacy Laws
National Privacy Laws - USA
Health Information Portability and Accountability Act – HIPAA
1. Names
2. All geographical subdivisions smaller than a State
3. All elements of dates (except year) related to individual
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger prints
17. Full face photographic images
18. Any other unique identifying number
Privacy Laws
54 International Privacy Laws
30 United States Privacy Laws
National Privacy Laws - India
Information Technology Act – 2000 (IT Act)
• Requires that the corporate body and Data Processor implement reasonable security practices and standards
• IS/ISO/IEC 27001 requirements recognized
Information Technology Act – 2008 (Amended IT Act)
• Damages for negligence and wrongful gain or loss
• Criminal punishment for disclosing Sensitive Personal Information (SPI)
India Privacy Law – 2011
• Expanded definition of SPI to passwords, financial data, health data, medical treatment records, and more
Right to Privacy Bill – 2013 (Proposed)
• Increased jail terms & fines for disclosure of SPI
• Addresses data handled for foreign clients
Regulations & Laws
Cross-Border & Outsourcing Laws
Cross-Border & Outsourcing Laws
The laws of the sending country apply to data sent across international borders, including outsourced operations
• i.e. National Privacy Laws
APEC Cross-Border Privacy Laws
• Non-binding privacy enforcement in Asia-Pacific region
Expanding Threat Landscape
Cyber Criminals Cost India USD 4 Billion
Source: Symantec 2013
Source: http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
Sensitive Data Insight & Usability
Vulnerabilities in Emerging Technologies
Holes in Big Data…
Source: Gartner
Many Ways to Hack Big Data
[Diagram: Hadoop stack – MapReduce (Job Scheduling/Execution System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; Avro (Serialization); ZooKeeper (Coordination); HDFS (Hadoop Distributed File System); HBase (Column DB). Threat actors shown around the stack: Hackers; Unvetted Applications or Ad Hoc Processes; Privileged Users.]
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
The Insider Threat
Sensitive Data Insight & Usability
Big Data and Cloud environments are designed for access and deep insight into vast data pools
Data can be monetized not only by marketing analytics, but through sale or use by a third party
The more accessible and usable the data is, the greater this ROI benefit can be
Security concerns and regulations are often viewed as opponents to data insight
Big Data Vulnerabilities and Concerns
Big Data (Hadoop) was designed for data access, not security
Security in a read-only environment introduces new challenges
Massive scalability and performance requirements
Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear
Transparency and data insight are required for ROI on Big Data
Cloud Vulnerabilities and Concerns
Public cloud security is often not visible to the client, but the client is still responsible for security
Greater access to shared data sets by more users creates additional points of vulnerability
Data redundancy for high availability, often across multiple data centers, increases vulnerability
Virtualization can create numerous security issues
Transparency and data insight are required for ROI
How do you lock this?
Data De-Identification
What is de-identification of identifiable data?
Personally Identifiable Information / Health Information / Financial Information
The solution to protecting identifiable data is to properly de-identify it.
Redact the information – remove it.
The identifiable portion of the record is de-identified with any number of protection methods such as masking, tokenization, encryption, redacting (removal), etc.
The method used will depend on your use case and the reason that you are de-identifying the data.
Identifiable Sensitive Information

Field            Real Data                            Tokenized / Pseudonymized
Name             Joe Smith                            csu wusoj
Address          100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                           01/02/1966
Telephone        760-278-3389                         760-389-2289
E-Mail Address   [email protected]                    [email protected]
SSN              076-39-2778                          937-28-3390
CC Number        3678 2289 3907 3378                  3846 2290 3371 3378
Business URL     www.surferdude.com                   www.sheyinctao.com
Fingerprint      Encrypted
Photo            Encrypted
X-Ray            Encrypted

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services; Consumer Products and activities
Protection methods can be equally applied to the actual healthcare data, but not needed with de-identification
De-Identified Sensitive Data

Field            Real Data                            Tokenized / Pseudonymized
Name             Joe Smith                            csu wusoj
Address          100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                           01/02/1966
Telephone        760-278-3389                         760-389-2289
E-Mail Address   [email protected]                    [email protected]
SSN              076-39-2778                          076-28-3390
CC Number        3678 2289 3907 3378                  3846 2290 3371 3378
Business URL     www.surferdude.com                   www.sheyinctao.com
Fingerprint      Encrypted
Photo            Encrypted
X-Ray            Encrypted

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services; Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
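The tokenized columns above keep the shape of the real value and, in the SSN and card rows, leave the area number or the last four digits in the clear; the deck later stresses that such tokens keep a one-to-one relationship with the original data. The Python below is an added illustration written for this page, not Protegrity's product or algorithm: it builds a keyed, reversible, format-preserving mapping over digit strings with a simplified FF1-style Feistel network (not a standards-compliant FF1), and the KEY is a constructed demo value.

```python
import hashlib
import hmac

ROUNDS = 10
# Constructed demo key for this example; a real deployment keeps the key in a KMS/HSM.
KEY = b"constructed-demo-key-not-for-production"


def _prf(key, tweak, rnd, digits, modulus):
    """Round function: HMAC-SHA256 over (tweak, round number, right half), mod 10^m."""
    msg = f"{tweak}|{rnd}|{digits}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus


def fpe_digits(key, digits, tweak="", decrypt=False):
    """Keyed bijection on decimal strings of length >= 2 (simplified FF1-style Feistel):
    same key, tweak and input always give the same token, and every token maps back
    to exactly one input, which is what keeps tokens usable for joins and analytics."""
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for i in range(ROUNDS):
            m = u if i % 2 == 0 else v  # half lengths alternate, as in FF1
            c = (int(a) + _prf(key, tweak, i, b, 10 ** m)) % 10 ** m
            a, b = b, str(c).zfill(m)
    else:
        for i in reversed(range(ROUNDS)):
            m = u if i % 2 == 0 else v
            c = (int(b) - _prf(key, tweak, i, a, 10 ** m)) % 10 ** m
            a, b = str(c).zfill(m), a
    return a + b


def tokenize(value, key, keep_prefix=0, keep_suffix=0, decrypt=False):
    """Tokenize the digits of a formatted value (SSN, PAN, phone), keeping separators
    and the requested leading/trailing digits in the clear (SSN area number, card last four)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    head = digits[:keep_prefix]
    tail = digits[len(digits) - keep_suffix:] if keep_suffix else ""
    mid = digits[keep_prefix:len(digits) - keep_suffix]
    # The clear-text digits feed the tweak, so the same middle digits under another
    # prefix or suffix produce an unrelated token.
    mid = fpe_digits(key, mid, tweak=head + "|" + tail, decrypt=decrypt)
    it = iter(head + mid + tail)
    return "".join(next(it) if ch.isdigit() else ch for ch in value)
```

tokenize("076-39-2778", KEY, keep_prefix=3) returns an 11-character token that still starts with 076- and passes any field-format check, and the same call with decrypt=True restores the original.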
How Should I Secure Different Data?
[Diagram: matrix of Use Case (Simple – PCI, PII; Complex – PHI, Protected Health Information) against Type of Data (Structured; Un-structured). Cells: Tokenization of Fields (Cardholder Data, Personally Identifiable Information); Encryption of Files (Protected Health Information).]
Research Brief
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users
Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
Vaultless Tokenization & Data Insight
The business intelligence exposed through Vaultless Tokenization can allow many users and processes to perform job functions on protected data
Extreme flexibility in data de-identification can allow responsible data monetization
Data remains secure throughout data flows, and can maintain a one-to-one relationship with the original data for analytic processes
Use Cases for Coarse & Fine Grained Security
Off-shoring & Outsourcing
Business Process Outsourcing (BPO)
• Business Processes
• E.g. Loans, Mortgages, Call Centre, Claims Processing, ERP, etc.
• Application Development
• Need to de-identify Data for Testing and Development
Off-Shoring
• Same as Outsourcing, but data is sent for business functions (like call center, etc.) off-shore.
Privacy Impacts BPO & Offshore Business Solutions
Laws governing your ability to send real data to 3rd parties are already restrictive, and becoming more so
Penalties for infringement are growing more severe
Risk of data breaches and data theft is increased
Examples
Major Bank in EU wants to centralise EDW operations in a single country and therefore send customer data from country A to country B. Privacy Laws in country A prohibit this.
Private Bank in Europe wants to offshore Finance Operations. Privacy Law prohibits transfer of citizen data to India.
Retail Bank in Scandinavia wants to offshore Customer Services. Privacy law prevents transfer of citizen data to the Far East.
Case Studies
Protegrity Use Case: UniCredit
CHALLENGES The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
Case Study - Large US Chain Store
Reduced cost
• 50 % shorter PCI audit
Quick deployment
• Minimal application changes
• 98 % application transparent
Top performance
• Performance better than encryption
Stronger security
Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
• 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
• End-to-End Tokens: Started with the D/W and expanding to stores
• Lower maintenance cost – don’t have to apply all 12 requirements
• Better security – able to eliminate several business and daily reports
• Quick deployment
• Minimal application changes
• 98 % application transparent