How the Latest Trends in Data Security Can Help Your Data Protection Strategy (BrightTALK) - Ulf Mattsson

Post on 18-Jan-2017


1

How the Latest Trends in Data Security Can Help Your Data Protection Strategy

Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com

2

Ulf Mattsson

Inventor of more than 25 US Patents

Industry Involvement
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing: WG 11.3 Data and Application Security
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security (ISSA & ISACA), Databases (IBM & Oracle)

3

My work with PCI DSS Standards

Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 - 2014 Tokenization Task Force

4

Where We Are Now and Where Are Things Headed?

5

Not Knowing Where Sensitive Data Is

6

The Security & Compliance Issue

The Dilemma for CISO, CIO, CFO, CEO, and Board
• Where are my most valuable data assets?
• Who has access to them?
• Are they secure?
• Insider/external threats?
• Am I compliant?
• What is/has been the financial cost?
• Am I adhering to best practices? How do I compare to my peers?
• Can I automate the lifecycle of data security?

7

Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

8

FS-ISAC* Summit about "Know Your Data"

*: FS-ISAC, the Financial Services Information Sharing and Analysis Center, is the leading ISAC in the security area

9

FS-ISAC Summit about "Know Your Data"
• Encryption at rest has become the new norm
• However, that's not sufficient
• Visibility into how and where data flows during the course of normal business is critical

Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit

10

Are You Ready for the New Requirements of PCI DSS v3.2?

11

Old PCI DSS Requirement 3.1

Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention

Discovery results support compliance with each of these points.

12

New PCI DSS 3.2 Standard - Data Discovery

• PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in "Scope of Assessment for Compliance with PCI DSS Requirements."
• PCI DSS v3.0 added a current cardholder data-flow diagram as a requirement (1.1.3).
• PCI DSS v3.2 added data discovery into a requirement.

Source: PCI DSS 3.2 Standard, Appendix A3 (Designated Entities Supplemental Validation): data discovery requirements A3.2.5, A3.2.5.1 and A3.2.6 for service providers

1313

PCI DSS 3.2 Requirement - Discovery

Example of a Discovery Process: Scoping → Asset Classification → Scan Job Definition → Scanning → Analysis → Reporting → Remediation
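As an added, runnable illustration of the discovery pipeline above (scoping through reporting) tied to the retention test in Requirement 3.1, here is a minimal scanner in Python. It is not the vendor's product or code from the deck; the corpus, asset names, dates and 90-day retention period are constructed for the example. It rests on the two checks every PAN scanner needs: a digit-run pattern and the Luhn check that removes most false positives.

```python
import re
from datetime import date, timedelta

# Constructed sample corpus standing in for scanned files and tables:
# (asset name, last-modified date, content). Card numbers are the usual
# industry test numbers, not real accounts.
SAMPLE_ASSETS = [
    ("crm/export_2016q1.csv", date(2016, 2, 3),
     "cust,pan\nalice,4111 1111 1111 1111\nbob,5500-0000-0000-0004\n"),
    ("logs/app.log", date(2016, 6, 20),
     "order 1234567890123456 placed\n"),          # 16 digits but fails Luhn
    ("hr/notes.txt", date(2016, 6, 1),
     "SSN 123-45-6789 on file, phone 555-0100\n"),
    ("finance/settle.txt", date(2016, 6, 15),
     "refund to 378282246310005 done\n"),         # 15-digit test PAN
]

# Assumed retention period for the example; the real value comes from the
# entity's documented policy (Requirement 3.1 only says one must exist).
RETENTION = timedelta(days=90)

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts most false positives from order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate PANs (digits only) that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(assets, as_of: date, retention=RETENTION) -> list:
    """Analysis step: one finding per asset that holds sensitive data.
    'expired' marks cardholder data older than the retention period, which is
    what the quarterly deletion process in Requirement 3.1 has to act on."""
    findings = []
    for name, modified, text in assets:
        pans = find_pans(text)
        ssns = SSN_RE.findall(text)
        if not pans and not ssns:
            continue
        classes = (["PCI"] if pans else []) + (["PII"] if ssns else [])
        findings.append({
            "asset": name,
            "classes": classes,
            "pan_count": len(pans),
            "pan_last4": [p[-4:] for p in pans],   # never put full PANs in a report
            "expired": bool(pans) and (as_of - modified) > retention,
        })
    return findings


def report(findings) -> str:
    """Reporting step: one line per asset for the remediation owner."""
    return "\n".join(
        "{asset}: {cls} pans={n} last4={l4} retention={r}".format(
            asset=f["asset"], cls="/".join(f["classes"]), n=f["pan_count"],
            l4=",".join(f["pan_last4"]), r="EXPIRED" if f["expired"] else "ok")
        for f in findings)


def example_findings() -> list:
    """Run the scan over the constructed corpus as of a fixed date."""
    return scan(SAMPLE_ASSETS, as_of=date(2016, 7, 1))


if __name__ == "__main__":
    print(report(example_findings()))
```

Run it and the three assets holding PCI or PII data are listed with only the last four digits of each PAN, the CRM export flagged as past retention. In a real scan the corpus is the scoped asset inventory (file shares, databases, logs, backups), the report feeds remediation (delete, tokenize, or move into the CDE), and the job repeats at least quarterly. Regex plus Luhn still produces false positives on things like IMEIs and invoice numbers, so the analysis step includes sampling before anything is deleted.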

14

Shift in Cybersecurity Investment

• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.

Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016

15

Growing Information Security Outsourcing

The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).

Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update

16

Hybrid Data Discovery Example

17

Discovery Deployment Example

Example of customer provisioning:
• Virtual host to load software or appliance
• User ID with "Read Only" access
• Firewall access

[Diagram: appliance, discovery service, admin]

18

Example - Discovery Scanning Job Status List

Discovery Process (Step 4) - Scanning Job Lists

STEP 4: The scanning execution can be monitored by the provider and the customer via a Job Scheduler interface.

Discover all sensitive PII - not just PCI data.

20

On Premise Data Discovery Example

21

Example of On Premise Solution Scan

22

Example of On Premise Discovery Asset Management

23

24

How did Data Security Evolve 1970 - 2010?

[Chart: total cost of ownership (high to low) against time, 1970-2010. Strong encryption (3DES, AES ...) from the 1970s sits at the high-TCO end; type preserving encryption (FPE, DTP ...) appears around 2000-2005; tokenization in memory around 2010 sits at the low-TCO end.]

25

How Should I Secure Different Data?

[Chart: type of data (structured vs. un-structured) against use case (simple vs. complex). Data classes shown: PCI (Card Holder Data), PHI (Protected Health Information), PII. Protection methods shown: field tokenization / encryption, file encryption.]

26

Data Centric Security - What is Next?

[Chart: the same total cost of ownership (high to low) against time, 1970-2016: strong encryption (3DES, AES ...), type preserving encryption (FPE, DTP ...), tokenization in memory, extended to 2016.]

27

FPE Gets NIST Stamp of Approval (NIST SP 800-38G, published March 2016)

28

NIST - Increasing Relevance

• Crypto modules (hardware & software security modules): NIST Federal Information Processing Standard FIPS 140
• PCI DSS (Payment Card Industry Data Security Standard): NIST Special Publication 800-57 (key management)
• AES (Advanced Encryption Standard): NIST U.S. FIPS PUB 197
• FPE (Format Preserving Encryption): NIST Special Publication 800-38G
• HIPAA (HIPAA/HITECH/Breach Notification): NIST SP 800-111 (storage encryption)
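To show what "type preserving" buys in practice, here is an added Python example, written for this page rather than taken from the deck or from NIST: a small Feistel cipher over decimal digits keyed with HMAC-SHA256. It follows the alternating-half structure of FF1 but uses a different round function and enforces none of SP 800-38G's domain-size rules, so it is for illustration, not for production. The key and the BIN/last-four split in protect_pan are assumptions of the example.

```python
import hashlib
import hmac

ROUNDS = 10
EXAMPLE_KEY = b"example-key-not-for-production"   # assumed demo key


def _round_fn(key: bytes, rnd: int, half: str, width: int, tweak: bytes) -> int:
    """Round function: HMAC-SHA256 over (tweak, round index, other half),
    reduced to a number of at most `width` decimal digits."""
    msg = tweak + b"|" + bytes([rnd]) + b"|" + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string to a decimal string of the same length.
    Alternating-width Feistel like FF1's structure, but with a plain HMAC
    round function instead of AES and none of FF1's domain limits."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_fn(key, i, b, m, tweak)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: run the same rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, i, a, m, tweak)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Leave the BIN (first 6) and last 4 in clear for routing and customer
    service, encrypt the middle digits, and bind the ciphertext to the clear
    digits through the tweak. This split is a common design choice, not
    something SP 800-38G mandates."""
    head, mid, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, mid, tweak=(head + tail).encode()) + tail


def unprotect_pan(key: bytes, protected: str) -> str:
    head, mid, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_decrypt(key, mid, tweak=(head + tail).encode()) + tail


if __name__ == "__main__":
    p = protect_pan(EXAMPLE_KEY, "4111111111111111")
    print(p, unprotect_pan(EXAMPLE_KEY, p))
```

A 16-digit PAN comes back as 16 digits, so the value still fits a CHAR(16) column, passes length validation and keeps the BIN and last four, which is the total-cost-of-ownership argument in the charts above. The price is a small domain: the six middle digits give only a million plaintexts per (BIN, last four) tweak, so everything rests on key protection and, in production, on using FF1 as specified with keys managed per SP 800-57 inside a FIPS 140 validated module. This same field-level protection is what the later cloud-gateway and Hadoop slides assume when they speak of protected fields next to authorized fields in clear.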

29

Need for Masking Standards

"Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule's Safe Harbor de-identification standard, are not firmly rooted in theory. There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result of de-identification."

30

Defines Minimum Security Requirements

31

Cloud & Big Data

Do we know our sensitive data? (Big Data, Public Cloud)

32

Encryption Usage - Mature vs. Immature Companies

[Chart: encryption usage in mature vs. immature companies; the immature group shows less use of encryption. Do we know our sensitive data in Big Data and Public Cloud?]

Source: Ponemon - Encryption Application Trends Study, June 2016

33

History of Securing Sensitive Data - Examples

[Timeline, 1998-2016: database encryption (late 1990s), type preserving encryption (early 2000s), memory based tokenization (around 2008-2010); platform features: masking, Big Data, Cloud (2016)]

34

Data-Centric Protection Increases Security

• Rather than making the protection platform based, the security is applied directly to the data, protecting it wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points

35

Cloud Providers Not Becoming Security Vendors

• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP, driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments

Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016

36

Protect Sensitive Cloud Data - Example

[Diagram: the internal network (administrator, internal user) and a remote user reach the public cloud through a cloud gateway, with an attacker outside. Each sensitive field is protected in the cloud; each authorized field is in clear for the user. Data encryption, tokenization or masking of fields or files (in transit and at rest).]

37

Securing Big Data - Examples

• Volume encryption in Hadoop
• HBase, Pig, Hive, Flume and Scope using protection API
• MapReduce using protection API
• File and folder encryption in HDFS
• Export de-identified data

[Diagram: Big Data stack of OS file system, HDFS (Hadoop Distributed File System), MapReduce (job scheduling/execution system), Pig (data flow), Hive (SQL) and Sqoop, connected to ETL tools, BI reporting and RDBMS. Labels: import de-identified data; export de-identified data; export identifiable data; export audit for reporting; data protection at database, application, file, or in a staging area. Data encryption, tokenization or masking of fields or files (in transit and at rest).]

38

Are You Ready for PCI DSS 3.2 Requirement - Security Control Failures?

39

PCI DSS 3.2 - Security Control Failures

PCI DSS 3.2 adds Requirements 10.8 and 10.8.1, which require service providers to detect and report on failures of critical security control systems and, under 10.8.1, to respond to those failures in a timely manner. PCI Security Standards Council CTO Troy Leach explained:

• "without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment."

• "While this is a new requirement only for service providers, we encourage all organizations to evaluate the merit of this control for their unique environment and adopt as good security hygiene."
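The detection side of Requirement 10.8 can be as simple as noticing that a control has gone quiet. The following Python is added here and is not from the deck or from the Council: it checks a batch of log lines against an inventory of critical controls (firewall, IDS/IPS, file-integrity monitoring, anti-malware, logging, WAF) and the longest silence each is allowed. The control names, intervals and log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed inventory: each critical control and the longest silence tolerated
# before it is treated as failed. Names and intervals are made up for the example.
CONTROLS = {
    "fw-edge-1":  timedelta(minutes=5),   # perimeter firewall syslog
    "ids-core":   timedelta(minutes=5),   # IDS/IPS sensor
    "fim-pos-db": timedelta(hours=1),     # file-integrity agent on a CDE host
    "av-gateway": timedelta(hours=4),     # anti-malware signature updates
    "logsrv":     timedelta(minutes=1),   # the central log collector itself
    "waf-ecom":   timedelta(minutes=5),   # web application firewall
}

# Constructed syslog-style sample: "<UTC timestamp> <source> <message>"
SAMPLE_LOG = """\
2016-07-12T09:55:01Z fw-edge-1 heartbeat ok
2016-07-12T09:58:40Z fw-edge-1 deny tcp 203.0.113.5 -> 10.0.0.7:3389
2016-07-12T09:20:00Z ids-core heartbeat ok
2016-07-12T09:59:10Z fim-pos-db baseline verified 1420 files
2016-07-12T08:00:00Z av-gateway signatures updated
2016-07-12T09:59:55Z logsrv heartbeat ok
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def last_seen(log_text: str) -> dict:
    """Latest timestamp observed per source, ignoring unparseable lines."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        src = m.group(2)
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def check_controls(log_text: str, now: datetime, controls=CONTROLS) -> list:
    """Return (control, reason) for every control that is silent beyond its
    limit or has never reported. Silence is the signal because a control that
    has died or been disabled rarely logs its own failure."""
    seen = last_seen(log_text)
    failures = []
    for name, max_gap in controls.items():
        ts = seen.get(name)
        if ts is None:
            failures.append((name, "never reported"))
        elif now - ts > max_gap:
            gap = int((now - ts).total_seconds() // 60)
            limit = int(max_gap.total_seconds() // 60)
            failures.append((name, f"silent for {gap} min (limit {limit} min)"))
    return failures


def example_failures() -> list:
    """Evaluate the constructed log as of a fixed point in time."""
    return check_controls(SAMPLE_LOG, now=datetime(2016, 7, 12, 10, 0, 0))


if __name__ == "__main__":
    for name, reason in example_failures():
        print(f"ALERT control failure: {name}: {reason}")
```

In the sample the IDS sensor has not logged for 40 minutes and the WAF has never reported, so both raise alerts; the firewall that is still logging denies is implicitly alive. Treat the check itself as a critical control: run it somewhere other than the log collector it watches, and feed its alerts into the 10.8.1 response process (restore the control, find the cause, and assess what went unmonitored while it was down).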

40

Examples of Security Outsourcing Models

MSSP - Managed Security Service Provider
• SOC - Security Operations Center
• Security monitoring
• Firewall integration / management
• Vulnerability scanning
• SIEM - Security Information and Event Management

MTSS - Managed Tool Security Service
• Professional services that apply best practices & expert analysis to your security tools
• Customized alarms and reports through SaaS
• Provides overall security tools management and monitoring
• Ticketing, resolution & reporting
• Ensures availability of security tools
• License analysis

WHO IS MONITORING YOUR MSSP?

41

Benefits of Managed Tool Security Services

Compliance & Privacy Officer
• Meet, then exceed industry compliance requirements
• External and internal documentation support

Security Engineering
• Reduced burden of tools support and troubleshooting
• Ability to perform job function more effectively

Security Operations Center
• Tools adequately support security operations
• Effectively DETECT - BLOCK - RESPOND

42

Benefits of Managed Tool Security Service

• Security controls in place and functioning
• Prepared to address information security when it becomes a boardroom issue
• Visibility to measure ROI
• Confidence in reduced risk of data loss, damaged share price, stolen IP, etc.
• Ability to produce a positive return on capital investments in tools
• Cost reduction (people, licenses, maintenance, etc.)
• Reduced risk of breach and associated costs (financial, reputational, regulatory losses)

43

Example - Managed Tool Security Service

[Diagram: security tools connected through an API to the MTSS management environment]

44

Managed Tools Security Services - Example

45

I think it is Time to Re-think our Security Process

46

Critical Data Asset Discovery and Protection

[Diagram: data-centric discovery and protection alongside the SOC's triage and mitigate cycle]

47

About Compliance Engineering

48

Security Tools and Integrated Services

• SOC tools: 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC)
• Managed Tools Security Service
• Discovery: Software as a Service (SaaS) data discovery solution

49

Samples of Our Services

Compliance Assessments
• PCI DSS & PA Gap
• HIPAA (2013 HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security Posture Assessments (based on industry best practices)
• BCP & DRP (SMB market)

Professional Security Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment

E Security & Vendor Products
• Data Discovery
• Managed Tools Security Service
• Data Loss Protection
• SIEM & Logging
• Identity and Access Management
• EndPoint Protection
• Network Security Devices
• Encryption
• Unified Threat Management
• Multi-factor Authentication

Managed Security Services
• MSSP/SOC
• SIEM 365
• Data Center SOC
• IDM/IAM Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.)
• Vulnerability Scans
• Penetration Testing

50

Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com

51

How the Latest Trends in Data Security Can Help Your Data Protection Strategy - Ulf Mattsson Jul 12 2016
