issa boston - pci and beyond: a cost effective approach to data protection
Post on 16-Apr-2017
Ulf Mattsson, Chief Technology Officer, Protegrity Corporation
Ulf . mattsson at protegrity . com
http://www.knowpci.com
Source of Information about PCI Research
PCI Requirements and Data Protection Options
Advanced Attacks on Cardholder Data
PCI Requirements
Data Protection Options
Data Protection Use Cases
A Risks Adjusted Data Protection Approach
Appendix: PCI Research and Resources
Enterprise Data Flow – Cardholder Data
• ‘Information in the wild’ – short lifecycle / high risk
• Temporary information – short lifecycle / high risk
• Operating information – typically 1 or more year lifecycle; broad and diverse computing and database environment
• Decision making information – typically multi-year lifecycle; homogeneous computing environment; high volume database analysis
• Archive – typically multi-year lifecycle; preserving the ability to retrieve the data in the future is important
[Diagram: data flow stages – Collection (POS, e-commerce, Branch), Aggregation, Operations, Analysis, Archive]
Data Level Attacks on the Enterprise Data Flow
[Diagram: Internet → load balancing and proxy firewalls → DMZ (web apps, server) → trusted segment (enterprise apps, network devices, DB server, SAN/NAS/tape, internal users, end-points, wireless, IDS/IPS). Attack types placed along the flow: DBA attack, malware/trojan, OS admin file attack, SQL injection, media attack, sniffer attack]
Data Protection Challenges
Actual protection is not the challenge; management of the solutions is:
• Key management
• Reporting
• Policy
Minimizing impact on business operations:
• Performance vs. security
Minimizing impact (and costs):
• Changes to applications
• Impact on downstream systems
• Time
Addressing Data Protection Challenges
Full mapping of the sensitive data flow
• Where is the data
• Where does it need to be
Identify what data is needed for processing in which applications
• What are the performance SLAs
Understand the impact of changing/removing data
• Will it break legacy systems
Address PCI, strategize for the larger security issue
The Goal: Good, Cost Effective Security
The goal is to deliver a solution that balances security, cost, and impact on the current business processes and user community.
Security plan – short term, long term, ongoing
How much is ‘good enough’?
Security versus compliance
• Good Security = Compliance
• Compliance ≠ Good Security
PCI DSS 1.2 Applicability Information & PII Aspects
Discussion of Data Protection for PCI DSS
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
PCI – Compensating Controls
Data Protection Layers
Data Protection – Wrapping
• How sensitive data is rendered unreadable
Data Access Control – Path
• How the data is presented to the end user and/or application
Data Protection Options
Data Stored As
• Clear – actual value is readable
• Hash – unreadable, not reversible
• Encrypted – unreadable, reversible, binary/text
• Replacement value (tokens) – unreadable, reversible
• Partial encryption/replacement – unreadable, reversible
Data in the Clear – Control the Access Path
• Reporting and alerting
• Display masking
• Data usage control
Advantages
• Low impact on existing applications
• Performance
• Time to deploy
Considerations
• Underlying data exposed
• Discover breach after the fact
• PCI aspects
Hash – Non-reversible
• Strong protection only if a keyed hash (HMAC) or salt is used
Advantages
• None really for PCI and PII data
Considerations
• Size and type
• Transparency
• Key rotation for keyed hash
Traditional Strong Encryption – Industry Standard
• Algorithms & modes – AES CBC, 3DES CBC …
• Approved by NIST (National Institute of Standards and Technology)
Advantages
• Widely deployed
• Compatibility
• Performance
Considerations
• Storage and type
• Transparency to applications
• Key rotation
Format Controlling Encryption (FCE) – Newer Data Protection Options
[Diagram: FCE security model – application databases (e.g. Marketing, Loss Prevention, POS) hold a formatted cipher text such as 1234 1234 1234 4560 in place of the original credit card number; keys come from a key manager]
What Is FCE?
Where did it come from?
• Before 2000 – different approaches, some based on block ciphers (AES, 3DES …)
• Before 2005 – used to protect data in transit within enterprises
What exactly is it?
• Secret key encryption algorithm operating in a new mode
• Cipher text output can be restricted to the same code page as the input – some only support numeric data
• The new modes are not approved by NIST
FCE Selling Points
• Ease of deployment – limits the database schema changes that are required; reduces changes to downstream systems
• Applicability to data in transit – provides a strict/known data format that can be used for interchange
• Storage space – does not require expanded storage
• Test data – partial protection
• Outsourced environments & virtual servers
FCE Considerations
• Unproven level of security – makes significant alterations to the standard AES algorithm
• Encryption overhead – significant CPU consumption is required to execute the cipher
• Key management – is not able to attach a key ID, making key rotation more complex (e.g. SSN)
• Some implementations only support certain data (based on data size, type, etc.)
• Support for “big iron” systems – is not portable across encodings (ASCII, EBCDIC)
• Transparency – some applications need full clear text
FCE Use Cases
• Suitable for lower risk data
• Compliance to NIST standard not needed
• Distributed environments
• Protection of the data flow
• Added performance overhead can be accepted
• Key rollover not needed – transient data
• Support available for data size, type, etc.
• Point to point protection if “big iron” mixed with Unix or Windows
• Possible to modify applications that need full clear text – or database plug-in available
Applications are Sensitive to the Data Format
[Chart (a generalized example): data type and field length on one axis – Binary (Hash), Binary (Encryption), Alphanumeric (FCE, Token), Numeric (FCE, Token), Numeric (Clear Text), with the field length either original or longer – against the share of applications that can handle the stored format on the other – No, Few, Many, Most, All applications]
Increased intrusiveness:
• Application changes
• Limitations in functionality
• Limitations in data search
• Performance issues
Tokenization – Newer Data Protection Options
[Diagram: tokenization data security model – a token server, backed by a key manager, holds the cipher text ($%.>/$&#) and returns a token; application databases (e.g. Marketing, Loss Prevention, POS) store the token, e.g. 1234 1234 1234 4560, in place of the original credit card number]
What Is Data Tokenization?
Where did it come from?
• Found in Vatican archives dating from the 1300s
• In 1988 IBM introduced the Application System/400 with shadow files to preserve data length
• In 2005 vendors introduced tokenization of account numbers
What exactly is it?
• It IS NOT an encryption algorithm or logarithm.
• It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)
• Still requires strong encryption to protect the lookup table(s)
Tokenization Selling Points
• Provides an alternative to masking – in production, test and outsourced environments
• Limits schema changes that are required; reduces impact on downstream systems
• Can be optimized to preserve pieces of the actual data in-place – smart tokens
• Greatly simplifies key management and key rotation tasks
• Centrally managed, protected – reduced exposure
• Enables strong separation of duties
• Renders data out of scope for PCI
Tokenization Considerations
• Transparency – not transparent to downstream systems that require the original data
• Performance & availability – imposes significant overhead from the initial tokenization operation and from subsequent lookups
• Performance & availability – imposes significant overhead if the token server is remote or outsourced
• Security vulnerabilities of the tokens themselves – randomness and possibility of collisions
• Security vulnerabilities typical of in-house developed systems – exposing patterns and attack surfaces
Tokenization Use Cases
• Suitable for high risk data – payment card data
• When compliance to NIST standard is needed
• Long life-cycle data
• Key rollover – easy to manage
• Centralized environments
• Suitable data size, type, etc.
• Support for “big iron” mixed with Unix or Windows
• Possible to modify the few applications that need full clear text – or database plug-in available
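The tokenization model the slides describe (a random replacement value, a lookup table that must itself be strongly protected, smart tokens that keep pieces of the real value in place, collision handling, key rotation that leaves the stored tokens untouched) as a small in-memory token vault. This is an added example, not Protegrity's code or any product's API; the TokenVault class, its method and role names, the demo index key and the test card numbers 4111111111111111 and 5500000000000004 are all constructed for the illustration. The lookup index uses the keyed hash (HMAC) the Hash slide calls for, tagged with a key ID so the index key can be rotated; the PAN column of the vault would be AES-encrypted at rest in a real deployment and is left in clear here only to keep the example short.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check, used both to reject malformed PANs and to reject Luhn-valid tokens."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def display_mask(value: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Display masking for the 'data in the clear' option: only the middle digits are hidden."""
    hidden = len(value) - keep_first - keep_last
    return value[:keep_first] + "*" * hidden + value[-keep_last:]


class TokenVault:
    """Minimal stand-in for a token server: random tokens plus a keyed-hash-indexed lookup table."""

    def __init__(self, index_key_id: str, index_key: bytes,
                 keep_first: int = 6, keep_last: int = 4, max_attempts: int = 1000):
        self._keys = {index_key_id: index_key}   # constructed; a real vault uses the key manager
        self._key_id = index_key_id
        self.keep_first = keep_first             # 'smart token': BIN stays usable for routing
        self.keep_last = keep_last               # last four stay usable for receipts and search
        self.max_attempts = max_attempts
        self._token_by_index = {}                # HMAC(index key, PAN) -> token
        self._pan_by_token = {}                  # token -> PAN (AES-encrypted at rest in a real vault)

    def _index(self, pan: str) -> str:
        # Keyed hash with a key ID prefix: PANs are never stored in clear as lookup keys,
        # and rotating the index key means re-indexing under a new ID, nothing more.
        digest = hmac.new(self._keys[self._key_id], pan.encode(), hashlib.sha256).hexdigest()
        return f"{self._key_id}:{digest}"

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]     # the same PAN always maps to the same token
        middle_len = len(pan) - self.keep_first - self.keep_last
        for _ in range(self.max_attempts):
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = pan[:self.keep_first] + middle + pan[-self.keep_last:]
            # Reject collisions with issued tokens, and reject any candidate that passes Luhn,
            # so a token can never equal, or be mistaken for, a live card number.
            if token in self._pan_by_token or luhn_valid(token):
                continue
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
            return token
        raise RuntimeError("token space exhausted for this BIN / last-four combination")

    def detokenize(self, token: str, caller_role: str) -> str:
        """Separation of duties: only the few applications that need full clear text may look up."""
        if caller_role not in {"settlement", "chargeback"}:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]

    def rotate_index_key(self, new_key_id: str, new_key: bytes) -> None:
        """Re-index under a new key; token values do not change, so no database needs updating."""
        self._keys[new_key_id] = new_key
        self._key_id = new_key_id
        self._token_by_index = {self._index(pan): tok for tok, pan in self._pan_by_token.items()}


if __name__ == "__main__":
    vault = TokenVault("idx-2009-01", secrets.token_bytes(32))
    token = vault.tokenize("4111111111111111")           # constructed test card number
    print("stored in application databases:", token)
    print("shown on a masked screen:       ", display_mask(token))
    print("released to settlement only:     ", vault.detokenize(token, "settlement"))
```

In the vault the index key and the (omitted) vault encryption key are the only secrets; the tokens themselves carry no key material, which is why the slides can say that key rotation is easy for tokenization but hard for FCE, where a key ID cannot be attached to the formatted cipher text.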
Evaluation Criteria
Performance
• Impact on operations – end users, data processing windows
Storage
• Impact on data storage requirements
Security
• How secure is the data at rest
• Impact on data access – separation of duties
Transparency
• Changes to application(s)
• Impact on supporting utilities and processes
Evaluating Data Protection Options
[Table, ratings shown graphically from best to worst: the options Clear, Strong Encryption, Format Controlling Encryption, Token and Hash rated on Performance, Storage, Security and Transparency]
Enterprise View of Different Protection Options
[Table, ratings shown graphically: Strong Encryption, Formatted Encryption and Token rated against – disconnected environments; distributed environments; performance impact when loading data; transparent to applications; expanded storage size; transparent to database schema; long life-cycle data; Unix or Windows mixed with “big iron” (EBCDIC); easy re-keying of data in a data flow; high risk data; security – compliance to PCI, NIST]
Application Transparency – Encryption, Tokens & Hashing
[Chart: transparency level (high to low) of Hashing, Smart Tokens and Database Encryption for the database operations Look-up, Range Search and Process Clear-values]
Data Protection Options – Use Cases
[Diagram: data protection options in the enterprise – a token server and key manager serve application databases (CCN, SSN …), which may store strong encryption output (Kjh3409)(*&@$%^&), formatted encryption output (1234 1234 1234 4560) or a token (1234 1234 1234 4560)]
Partial Encryption/Tokenizing – Example
[Diagram: of the many applications in the flow, few need the full clear data, many applications/tools only move the data around and can use the stored protected value, and some need partial clear data, shown as 123456 777777 1234 with only the middle digits protected; decryption takes place only at the few applications that need it]
Data Protection Options – 3 Use Cases
• Application 1 – can use the stored protected value: 1234 1234 1234 4560 (token or formatted encryption) or Kjh3409)(*&@$%^& (strong encryption)
• Application 2 – needs partial information in clear: 1234 1234 1234 4560
• Application 3 – needs full information in clear: 55 49 9437 0789 4560
How Will Different Protection Options Impact Applications?
[Tables, ratings shown graphically: Strong Encryption, Formatted Encryption and Token for three application types – can operate on the stored protected value (few), need partial information in clear (many), need full clear text information (few) – rated on Transparency, Security, Performance and scalability, and Availability]
Data Protection in the Enterprise – Implementation Example
[Diagram: the data flow stages Collection (POS, e-commerce, Branch), Aggregation, Operations, Analysis and Archive with a token server and key manager; applications that can use the stored protected value (1234 1234 1234 4560), that need partial information in clear (1234 1234 1234 4560) and that need full information in clear (55 49 9437 0789 4560) are placed along the flow]
Data Protection Implementation Layers
Data protection options are not mutually exclusive.
Data Protection Layers
• Application
• Database
• File System
Data Protection Topologies
• Remote services
• Local service
Data Security Management
• Central management of keys, policy and reporting
Data Protection Implementation – Enforcement Points
[Diagram: sensitive information (123456 123456 1234) entered at data entry passes through applications, the file system, network, database, backup (tape) and storage (disk); enforcement points at the application, database and file system layers turn it into protected form (@$%$^D&^YTOIUO*^) for the layers below]
Generalization: Encryption at Different System Layers
[Chart: encryption layer – application layer, database layer, file system layer, storage layer (SAN/NAS …) – plotted against ease of deployment (transparency) and separation of duties (security level), each ranging from high to low]
[Table, ratings shown graphically: the Local Service and Remote Service topologies rated on Performance, Scalability and Security]
Data Protection Implementation Layers
[Table, ratings shown graphically from best to worst: the Application, Database and File System layers rated on Performance, Transparency and Security]
Column Encryption Performance – Different Topologies
[Chart: rows per second (1 000 to 10 000 000, logarithmic scale) for data loading (batch) and queries (data warehouse & OLTP) on data warehouse, mainframe, Unix and Windows platforms, comparing network attached encryption (SW/HW) with local encryption (SW/HW)]
A Few Comments on PCI Compliance
Formatted encryption is NOT for PCI
• When PCI refers to encryption, it must be “strong”
• PCI provides high-level examples of what constitutes strong encryption, then refers to NIST for more details
• NIST publishes a list of acceptable ciphers and operating modes
• NIST has been considering new operating modes related to formatted encryption since 2000
Tokenization
• PCI refers to this as an “index pad”
• The pad needs to be protected with strong encryption
Main Takeaways
• Formatted encryption and tokenization are two very different techniques
• They are good solutions for particular use cases
• Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance
Data Protection and Encryption in the Enterprise
[Diagram: a central key manager with hardware security modules serves an encryption solution on mainframe z/OS (RACF, applications, DB2, files, ICSF) and on distributed platforms (DB2 UDB, Informix, System i, Oracle …)]
Integrated Cryptographic Service Facility (ICSF), Resource Access Control Facility (RACF)
CPACF – CP Assist for Cryptographic Functions (CP = Central Processor)
Vendors Providing Encryption on IBM Mainframe
[Table, ratings shown graphically from best to worst, for Vendor A, Vendor B, Vendor C, Vendor D and Native: column level encryption (fieldproc); row level encryption using editproc; application API (VSAM and more); encryption utility for flat files; direct CPACF hardware (not ICSF or LE); formatted encryption (FCE); RACF security control; local caching/storing of keys; enterprise key management; cross platform solution]
Data Protection and Encryption on z/OS – PCI DSS
[Diagram: on mainframe z/OS an encryption solution, backed by a hardware security module, RACF and ICSF, protects applications, DB2 and files through an API, fieldproc/editproc, a UDF and a utility]
Evaluation of Encryption Options for DB2 on z/OS
[Table, ratings shown graphically from best to worst: the encryption interfaces API, UDF (DB2 V7 & V8), UDF (DB2 V9), Fieldproc and Editproc rated on Performance, PCI DSS, Security and Transparency]
Field Encryption – Protecting the Data Flow
[Diagram: a central key manager serves crypto solutions in the applications on mainframe z/OS (DB2, files) and on Windows, Unix, Linux and iSeries; fields are encrypted by the application where the data enters and decrypted by the application that needs them, so the fields stay protected through the flow]
Transparent Encryption – No Application Changes
[Diagram: the same central key manager, with the crypto solution placed at the database, file and utility layers on mainframe z/OS and on Windows, Unix, Linux and iSeries; fields are encrypted and decrypted by those layers without application changes]
Main Takeaways
DB2 for z/OS has good data protection options. Often data and use cases may require additional protection options, including better protection granularity:
• Data protection approaches – transparency vs. security
• Different topologies for data protection solutions – performance, scalability and availability
• Enterprise management – keys, policy and reporting
Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance.
Vendors Providing Data Protection
[Table, ratings shown graphically from best to worst, for Vendor A, Vendor B, Vendor C, Vendor D and IBM: WAF – SQL injection; formatted encryption; data tokenization; DB integrated tokenization; database activity monitoring]
Protecting Data in the Enterprise Data Flow
Passive Approaches + Active Approaches = End-To-End Protection
[Diagram: around a database server – a web application firewall in front of the applications, database activity monitoring / data loss prevention watching the database traffic and database log files (passive), and protection of database columns and tablespace datafiles (active)]
Passive Data Protection Approaches
Web Application Firewall
• Protects against malicious attacks by inspecting application traffic
Data Loss Prevention
• Tags and monitors movement of sensitive assets
• Protects against the unintentional outbound leakage of sensitive assets
Database Activity Monitoring
• Inspects, monitors, and reports database traffic into and out of databases
• Can block malicious activity; seldom used due to false positives
Database Log Mining
• Mines log files that are created by databases for good or bad activity
Active Data Protection Approaches
Application Protection
• Utilizes crypto APIs to protect sensitive assets in applications
• This approach helps you protect data as it enters your business systems
Column Level Protection
• Protects data inside the database at the column level
• Can be deployed in a transparent approach to minimize changes to your environment
• Considered to be the most secure approach to protect sensitive assets
Database File Protection
• Protects the data by encrypting the entire database file
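Database activity monitoring and log mining, as the passive approaches above describe them, reduced to a small rule engine run over constructed database audit-log lines. This is an added example, not any product's code; the log layout, the principal names (app_pos, dba_jsmith, etl_batch), the column names and the policy keys are assumptions made for the illustration. The rules encode need-to-know (PCI requirement 7), a bulk-read threshold and business hours; the ETL job reads only the tokenized column, which is why it raises nothing, and the mode switch shows the alert-versus-block decision the slide refers to.

```python
import re
from datetime import datetime

# Constructed audit-log lines: "<timestamp> <db user> <client host> <statement> rows=<n>".
SAMPLE_LOG = """\
2009-03-10T09:12:01 app_pos 10.1.1.20 SELECT pan_token,exp FROM cards WHERE cust_id=7712 rows=1
2009-03-10T09:13:44 app_pos 10.1.1.21 SELECT pan_token,exp FROM cards WHERE cust_id=8810 rows=1
2009-03-10T23:41:09 dba_jsmith 10.1.5.9 SELECT pan,name,exp FROM cards rows=250000
2009-03-10T23:42:30 dba_jsmith 10.1.5.9 SELECT * FROM cards WHERE pan LIKE '4%' rows=98000
2009-03-11T10:02:15 etl_batch 10.1.3.4 SELECT pan_token,amount FROM transactions rows=1200000
2009-03-11T10:05:00 app_web 10.1.1.30 UPDATE cards SET exp='12/11' WHERE cust_id=7712 rows=1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<sql>.+?) rows=(?P<rows>\d+)$")
SELECT_LIST_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\b", re.IGNORECASE)

# Columns holding clear-text cardholder data; pan_token is a replacement value and is not listed.
SENSITIVE_COLUMNS = {"pan", "cvv", "track2"}

# Constructed policy: who may read clear cardholder columns (need-to-know), what counts as a
# bulk read, and the hours in which such reads are expected at all.
POLICY = {
    "sensitive_readers": {"app_pos", "app_web"},
    "bulk_rows": 10_000,
    "business_hours": (7, 20),          # 07:00 <= hour < 20:00
}


def parse_line(line: str):
    """Turn one audit-log line into an event dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "host": m["host"], "sql": m["sql"], "rows": int(m["rows"])}


def sensitive_columns_read(sql: str) -> set:
    """Columns from the select list that hold clear cardholder data ('*' counts as all of them)."""
    m = SELECT_LIST_RE.match(sql)
    if not m:
        return set()
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    if "*" in cols:
        return set(SENSITIVE_COLUMNS)
    return cols & SENSITIVE_COLUMNS


def evaluate(event: dict, policy: dict = POLICY) -> list:
    """Return the names of the rules the event trips (an empty list for normal activity)."""
    findings = []
    if not sensitive_columns_read(event["sql"]):
        return findings                  # reads of tokens, ciphertext or non-card data are fine
    if event["user"] not in policy["sensitive_readers"]:
        findings.append("sensitive_read_by_unapproved_principal")
    if event["rows"] >= policy["bulk_rows"]:
        findings.append("bulk_sensitive_read")
    start, end = policy["business_hours"]
    if not start <= event["ts"].hour < end:
        findings.append("sensitive_read_outside_business_hours")
    return findings


def monitor(log_text: str, mode: str = "alert", policy: dict = POLICY) -> list:
    """Run every line through the rules. 'alert' only reports; 'block' marks the statement
    for termination, which is where false positives start to hurt legitimate jobs."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        findings = evaluate(event, policy)
        if findings:
            alerts.append({"ts": event["ts"].isoformat(), "user": event["user"],
                           "host": event["host"], "findings": findings,
                           "action": "BLOCK" if mode == "block" else "ALERT"})
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only the two DBA statements are reported, each for all three reasons; the same rules in block mode would also have stopped a legitimate after-hours reconciliation job that reads the clear column, which is the false-positive problem the slide mentions and why tokenized columns (read by etl_batch here) keep so much traffic out of the rule set altogether.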
Passive Database Protection Approaches
[Table, operational impact profile shown graphically from best to worst: Web Application Firewall, Data Loss Prevention, Database Activity Monitoring and Database Log Mining rated on Performance, Storage, Security, Transparency and Separation of Duties]
Active Database Protection Approaches
[Table, operational impact profile shown graphically from best to worst: Application Protection – API; Column Level Encryption (FCE, AES, 3DES); Column Level Replacement (Tokens); Tablespace – Datafile Protection, rated on Performance, Storage, Security, Transparency and Separation of Duties]
Risk Adjusted Data Protection
1. Assign value to your data
2. Assess exposure
3. Determine risk
4. Understand which data protection solutions are available to you
5. Estimate costs
6. Choose the most cost effective method
Assign Value to Your Data
Identify sensitive data
• If available, utilize a data classification project
• Rank what is sensitive on its own (think PCI)
• Consider what is sensitive in combination (think Privacy)
How valuable is the data to (1) your company and (2) a thief?
• Corporate IP, credit card numbers, personally identifiable information
Assign a numeric value: high = 5, low = 1
Assess Exposure and Probability
Locate the sensitive data
• Applications, databases, files, data transfers across internal and external networks
Location on network
• Segmented
• External or partner facing application
Access
• How many users have access to the sensitive data?
• Who is accessing sensitive data?
• How much and how frequently is data being accessed?
Assign a numeric value: high = 5, low = 1
Determine “Risk” – A Simplified Model
Data Security Risk = Data Value × Exposure
Data Field              | Value | Exposure | Risk Level
Credit Card Number      |   5   |    5     |    25
Social Security Number  |   5   |    4     |    20
CVV                     |   5   |    4     |    20
Customer Name           |   3   |    4     |    12
Secret Formula          |   5   |    2     |    10
Employee Name           |   3   |    3     |     9
Employee Health Record  |   3   |    2     |     6
Zip Code                |   1   |    3     |     3
Enables prioritization; groups data for potential solutions
Matching Data Protection Solutions with Risk Level
Risk               | Solutions
Low Risk (1-5)     | Monitor
At Risk (6-15)     | Monitor, mask, access control limits, format controlling encryption
High Risk (16-25)  | Replacement, strong encryption
Data Field              | Risk Level
Credit Card Number      |    25
Social Security Number  |    20
CVV                     |    20
Customer Name           |    12
Secret Formula          |    10
Employee Name           |     9
Employee Health Record  |     6
Zip Code                |     3
Select risk-adjusted solutions for costing
Estimate Costs
Cost = Solution Cost + Operations Cost
Solution Cost = cost to license or develop, install and maintain
Operations Cost = cost to change applications, impact on downstream systems, meeting SLAs, user experience
Operation Cost Factors
Performance
• Impact on operations – end users, data processing windows
Storage
• Impact on data storage requirements
Security
• How secure is the data at rest
• Impact on data access – separation of duties
Transparency
• Changes to application(s)
• Impact on supporting utilities and processes
The solution should be able to change with the environment
• Progress from a less to a more secure solution, or the reverse
• Add new defenses for future threats
• Plug into existing infrastructure, integrate with other systems
How to Protect the Weak Links in Your Data Flow
Review Risk & Determine Protection Approach
• Analyze the data flow
• Identify assets and assign business value to each
• Identify vulnerabilities for each asset
• Identify potential attack vectors & attackers
• Assess the risk
• Compliance aspects
• Select data protection points & protection methods
Assess Total Impact
• Functionality limitations
• Performance & scalability
• Application transparency
• Platform support & development life cycle support
• Key management, administration & reporting
• Deployment cost, time & risk
Adjust
Cost Effective Data Protection
• Uses risk as an adjusting factor for determining a data protection strategy: Risk = Data Value × Exposure
• Determines solutions that fit the risk level, then determines cost: Cost = Solution Cost + Operational Cost
• Prepare for the future
Use of Production Data in a Test System
Production data is in many cases needed to ensure quality in system testing. Key data fields that can be used to identify an individual or corporation need to be cleansed to depersonalize the information. Cleansed data needs to be easily restored (for downstream systems and feeding systems), at least in the early stages of implementation.
• This requires two-way processing. The restoration process should be limited to situations for which there is no alternative to using production data (interface testing with a third party or for firefighting situations, for example). Authorization to use this process must be limited and controlled.
• In some situations, business rules must be maintained during any cleansing operation (addresses for processing, dates of birth for age processing, names for gender distinction). There should also be the ability to set parameters, or to select or identify fields to be scrambled, based on a combination of business rules.
• A solution must be based on secure encryption, robust key management, separation of duties, and auditing.
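The one-way cleansing the paragraph above asks for, as an added example (not the page's or any vendor's code): a keyed one-way function scrambles the identifying fields while keeping the business rules the text lists (SSN layout, year of birth for age processing, gender of a name), and no mapping table is kept, so there is nothing to restore from. The masking key, the replacement name pool, the name-to-gender lookup, the field policy and the sample record are all constructed for the illustration. The two-way path the paragraph also mentions would instead be tokenization or encryption with a restricted, audited restore operation, which is not shown here.

```python
import hashlib
import hmac
from datetime import date

# Constructed key for the test-system masking job; a real job pulls it from the key manager,
# and the key stays on the production side so nobody in test can recompute a masked value.
MASK_KEY = b"constructed-test-masking-key-2009"

# Constructed replacement pool, tagged with the gender the replaced name implies, so
# downstream gender-distinction rules behave as they did on production data.
REPLACEMENT_NAMES = {
    "F": ["Anna", "Maria", "Karin", "Eva", "Sara"],
    "M": ["Erik", "Lars", "Anders", "Johan", "Peter"],
    "U": ["Alex", "Kim", "Robin", "Sam", "Jo"],
}
# Constructed lookup from the production first name to its gender tag; unknown names are neutral.
GENDER_OF = {"Alice": "F", "Barbara": "F", "Bob": "M", "Carl": "M"}

# Constructed production row used by the demo below.
SAMPLE_RECORD = {"customer_id": 42, "first_name": "Alice", "ssn": "123-45-6789",
                 "dob": date(1970, 6, 15), "zip": "02134"}


def _prf(field: str, value: str) -> bytes:
    """Keyed one-way function. Same input, same output, so foreign keys still join across
    tables; no table of inputs is kept, so the original cannot be looked up again."""
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_ssn(ssn: str) -> str:
    """Keep the ###-##-#### layout and replace each digit with a keyed pseudo-random digit."""
    digest = _prf("ssn", ssn)
    out, i = [], 0
    for ch in ssn:
        if ch.isdigit():
            out.append(str(digest[i % len(digest)] % 10))   # slight bias is acceptable for masking
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_dob(dob: date) -> date:
    """Keep the birth year so age-based processing still works; scramble month and day."""
    digest = _prf("dob", dob.isoformat())
    return date(dob.year, digest[0] % 12 + 1, digest[1] % 28 + 1)


def mask_first_name(name: str) -> str:
    """Replace the name with one carrying the same gender tag, chosen deterministically."""
    pool = REPLACEMENT_NAMES[GENDER_OF.get(name, "U")]
    pick = int.from_bytes(_prf("name", name)[:4], "big") % len(pool)
    return pool[pick]


# Which fields are scrambled, and how, is the policy parameter the text asks for.
CLEANSING_POLICY = {"ssn": mask_ssn, "dob": mask_dob, "first_name": mask_first_name}


def cleanse(record: dict, policy: dict = CLEANSING_POLICY) -> dict:
    """Apply the policy field by field; fields not named in the policy pass through unchanged."""
    return {k: (policy[k](v) if k in policy else v) for k, v in record.items()}


if __name__ == "__main__":
    print("production:", SAMPLE_RECORD)
    print("test copy: ", cleanse(SAMPLE_RECORD))
```

Because the masking is deterministic under the key, the same customer appears with the same masked SSN and name in every extracted table, which is what keeps interface and batch tests meaningful; because it is one-way, a compromised test system yields nothing the key holder cannot already see in production.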
Data Masking – One-way vs. Two-way
[Chart: across the information life cycle – development, testing, staging, production, operational, analytics, archive – data quality and exposed details are plotted from low to high; the labels partner interface, data entry, 3rd party interface testing and firefighting mark points in the flow, two-way masking and one-way masking mark the masking applied, and protected versus unprotected sensitive information is distinguished]
Business Value vs. Ease of Compliance
[Chart: ease of compliance (high to low) against business value (lost data to reusable data) for deleting data, one-way masking (simple masking, hashing), two-way masking (tokenizing, encryption) and clear data]
Data Security Management
An integral part of technical and business process
Security Policy
• Centralized control of security policy
• Consistent enforcement of protection
• Separation of duties
Reporting and Auditing
• Compliance reports
• Organization wide security event reporting
• Alerting
• Integration with SIM/SEM
Key Management
Central Management of Security Policy, Reporting, Encryption Keys, and Data Tokens
Managing Data Security in the Enterprise
[Diagram: central management spanning mainframe z/OS, DB2 UDB, Informix, iSeries, Oracle, SQL Server …]
How About Native Database Encryption?
Advantages
• Available from most database vendors
• Enables you to get started quickly
Disadvantages
• Mostly non-transparent solutions
• Some vendors do not protect the Data Encryption Keys well enough
• Lack of secure interoperability between instances of the same vendor
• No secure interoperability with databases from other vendors
• No centralization of policy, key management, and audit reporting
http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf
Protecting the Data Flow: Case Studies
Data Protection in the Enterprise Data Flow
[Diagram: points of collection in the retail locales (store back office with T-logs and journals, store applications and store DB, web apps, polling server) feed a multiplexing platform, ERP and HQ systems, the archive and partners (financial institutions); protected fields ($%&#) flow through collection, aggregation, operations and analytics (tactical, detailed analytical, focused/summary analytical, active access/alerting) under central policy, with logs and reports flowing back to the manager]
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1144290
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1051481
Case Studies
One of the most widely recognized credit and debit card brands in the world
• Their volume of data is in the multiple billions of rows and needed a solution that would not degrade performance.
Major financial institution
• Protecting high-worth clients’ financial information.
• Central key management and separation of duties were of the utmost importance.
One of the world’s largest retailers
• Protecting the flow of sensitive credit card information from the store, through to back office systems and into the data warehouse and storage.
• The central key management and ability to support thousands of stores was critical for this success.
• Transparent to existing applications.
• Protect sensitive information in their Teradata data warehouse, iSeries (AS/400), zSeries (mainframe), Oracle and MS SQL Server, and protect files that reside across platforms including Unix and z/Series.
Case 1: Goal – PCI Compliance & Application Transparency
[Diagram: credit card entry at the local store location (branch) goes into an application with Windows file encryption, is sent by FTP with file encryption to the central HQ location, where database encryption (DB2 on zOS and iSeries, Oracle, SQL Server) and file encryption (Windows, UNIX, Linux, zOS) protect it until the settlement batch goes to the financial institution]
Case 1: File Encryption & FTP
[Diagram: the POS application writes unprotected sensitive information (123456 123456 1234) to the file system (memory); file encryption turns it into protected form (@$%$^D&^YTOIUO*^) for the FTP application, network, backup (tape) and storage (disk), so an attacker at the file system or on the network sees only the protected form, while credit card entry into the POS application is still in clear]
Case 1: From Encrypted File to Encrypted Database
[Diagram: the encrypted file (@$%$^D&^YTOIUO*^) arrives via the FTP application and network; the application decrypts it to load the database, where database encryption protects it again; the clear value (123456 123456 1234) is exposed inside the application, and an attacker on the network or at the file sees only the protected form]
Case 2a: Goal – Addressing Advanced Attacks & PCI
[Diagram: credit card entry at the local store location (branch) is encrypted by the application itself (application encryption – continuously encrypted computing: protection of sensitive data fields), travels by FTP to the central HQ location with Windows file encryption, database encryption (DB2, Oracle, SQL Server) and file encryption (Windows, UNIX, Linux, zOS), and is decrypted only for settlement to the financial institution]
Case 2a: Application Encryption to Encrypted Database
[Diagram: the POS application encrypts the sensitive fields at the point of data acquisition (123456 123456 1234 becomes 123456 777777 1234), so the file system, network, database, backup (tape) and storage (disk) all hold only the protected form]
Case 2b: Goal – Addressing Advanced Attacks & PCI
[Diagram: credit card entry at the local store location, application, FTP to the central HQ location; continuously encrypted computing with protection of sensitive data fields, database encryption on DB2 zOS and SQL Server]
Case 2b: From Encrypted Database to File & FTP
[Diagram: the order application at the point of data acquisition stores the protected value (aVdSaH 1F4hJ5 1D3a) in the database; the extraction application writes the same protected value to the file sent by the FTP application, so backup (tape) and storage (disk) never hold the clear value (123456 123456 1234)]
Case 2b: From Selectively Encrypted File to Encrypted Database
[Diagram: the selectively encrypted file (aVdSaH 1F4hJ5 1D3a) arrives via the FTP application and network and is loaded by the application into the encrypted database; backup (tape) and storage (disk) hold only the protected form]
Case 3: Goal – Addressing Advanced Attacks & PCI
[Diagram: credit card entry at the local store location (branch) passes through an encrypting gateway before the application, databases and files at the central HQ location (continuously encrypted computing: protection of sensitive data fields); a decrypting gateway releases the clear value only for the online authorization transaction with the financial institution]
Case 3: Gateway Encryption
[Diagram: the encrypting gateway converts 123456 123456 1234 into 123456 777777 1234 before the applications, file system, database, network, backup (tape) and storage (disk); an attacker at any of those points sees only the protected form; the decrypting gateway restores the clear value at the exit]
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=940287
Different ‘Tokenizing’ Approaches & Topologies
[Diagram: four topologies – an outsourced/ASP central tokenizer, an on-site central tokenizer at the home office/HQ, an on-site local tokenizer at the branch office/stores (each returning a token over the network and holding the encrypted CCN), and an algorithmic tokenizer in which an ‘encryption’ algorithm in the application derives the token, e.g. 123456 123456 1234 → ABCDEF GHIJKL 1234, with no token server]
How to Protect the Data Flow Against Advanced Attacks
[Diagram: continuously protected data flow – the clear value 123456 123456 1234 is encrypted at the point of data acquisition to 123456 777777 1234, flows in protected form through payment authorization and settlement & charge-back, and is decrypted only where those steps need the clear value]
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466
http://www.quest-pipelines.com/newsletter-v7/0706_C.htm
Protegrity Solutions
Protecting data, protecting web applications, managing data security
The Protegrity Defiance© Suite
Data Protection System (DPS)
• Encryption, monitoring, masking
• Database, file and application level
Threat Management System (TMS)
• Web application firewall
Enterprise Security Administrator
• Security policy
• Key management
• Alerting, reporting, and auditing
Questions?
If you would like a copy of the slides, please email
ulf.mattsson@protegrity.com
APPENDIX
Current Discussion of Data Protection for PCI DSS
PCI SSC is currently studying the effect on the standard of different technologies (i.e., end-to-end encryption, tokenization, chip and PIN, etc.)
• Bob Russo (GM) and the PCI SSC are currently working in Europe with the European Payments Council (EPC).
Protegrity: Participating Organization
https://www.pcisecuritystandards.org
PCI Security Standards Council about Data in Transit
The PCI Security Standards Council (https://www.pcisecuritystandards.org/) manages the PCI DSS standards
• End-to-end encryption is likely to be a central focus as the council seeks input on how this might best be achieved in the payment-card environment through different technologies.
• If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, PCI Security Standards Council says in http://www.networkworld.com/news/2008/100108-pci-credit-card.html?page=2 .
• "Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," PCI Security Standards Council says. "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn’t have to do that. So we'll be looking at that in 2009."
The PCI Knowledge Base (www.KnowPCI.com) – Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey
The Major Features of the PCI Knowledge Base (www.KnowPCI.com)
• You won’t see the “Knowledge Base” until you are logged in
• We host a weekly PCI research webinar series
• Latest PCI news feeds
• It is free to register
• Search our database of over 3000 best practices from merchants, PCI assessors, banks, card processors and many others.
• Ask questions of peers and assessors in our free PCI discussion forums
• Interact with our panel of 85+ PCI experts
• Purchase our latest research reports & trend analysis
• We’ve conducted 300 hours of anonymous interviews and have 1800+ members
Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey
[Chart: 450+ interview hours broken down by source: F1000 retailers, SME retailers, QSAs, payment processors, banks, retail consultants, IT providers, e-comm retailers, hospitality, other merchants.]
Interviews with retailers focus on best practices, experiences, QSA and vendor feedback, budgets and priorities.
Interviews with QSAs, consultants and IT providers focus on vulnerabilities, risks and technology adoption trends.
Source: PCI Knowledge Base, July 2009
Why is Tokenization Such a Hot Issue for PCI Compliance?
Lowers Security Cost – Tokenization reduces or eliminates “sensitive” data from your systems. The less data you have to protect, the less it costs to secure it.
Reduces Compliance Scope – Only systems that store, process or transmit cardholder data are in PCI scope. By eliminating card data from most or all of your systems, the number of systems that have to be assessed and secured is greatly reduced.
Lowers Breach Risk – Tokenization replaces data that has “black market” value with data that has no value. If thieves know that you have no valuable data, they have no reason to try to break into your systems.
Source: PCI Knowledge Base, July 2009
Multi-Channel Issues: Is One Tokenization Solution Possible?
[Diagram: Buyers 1–3 enter the merchant through the front office applications (payment gateway, (virtual) POS, call center, shopping cart); secure data storage, mgmt & retrieval sits between them and the back office applications (GL / AR / AP, loss prevention, sales audit); payment processing runs through the ISO / processor and the acquiring bank. The legend distinguishes “real” data from “fake” data.]
Source: PCI Knowledge Base, July 2009
Proving Tokenization Works: Is it Being Used Beyond Pilots / Trials?
[Chart: share of merchants by tokenization status (Enterprise, POS, Trial, Considering, No Plans, Unaware) at Jun-08, Dec-08 and Jun-09, on a 0–100% scale.]
Since June 2008, our interview data has shown a major shift in how merchants, payment processors and PCI assessors view tokenization.
In our anonymous discussions, we find that more merchants are aware of tokenization, and most are now planning to implement it, or at least considering tokenization.
Source: PCI Knowledge Base, July 2009
Cost: How to Compare Tokenization Costs vs PCI Compliance Costs?
[Diagram: every system in the card data flow (payment terminal, POS server, polling server, web store, call center, fraud mgmt, temp FTP) carries its own set of PCI controls: encryption, PW vaulting, access controls, logging. Caption: E2E Encryption & Enterprise Key Management, A Needed, but Complex Dependency.]
ISSUE: The cost savings due to tokenization vs the cost of all PCI controls, not just encryption.
ISSUE: E2E encryption will also reduce costs long term, but the up front costs are likely to be higher
Source: PCI Knowledge Base, May 2009
Token Options: How and When Can Tokens be Generated & Managed?
[Diagram: three options (Option #1, Option #2, Option #3) for where tokens are generated and managed for e-commerce web hosts, call center applications, in-store POS apps, ERP and hospitality applications: token mgmt at the processor (covering most web or POS applications), industry token mgmt, or in-house (Example: Homegrown tokenization). In each case the application sends the card # and receives a token.]
The best token generation & management may vary depending on business needs. Hospitality has different transaction timeframes than most retail, for example.
Source: PCI Knowledge Base, July 2009
Vendor Decisions: How to Choose Among the Tokenization Options?
ISSUE: How to best reduce the number of data repositories and ensure that “encrypt / decrypt / re-encrypt” cycles are eliminated, so the vulnerabilities can be eliminated or reduced?
[Diagram: card data path from payment terminal / card swipe to POS terminal w/ payment SW, to store server w/ payment SW, to in-house payment gateway / switch.]
ISSUE: Who is best positioned to manage end-to-end encryption?
• PED / POS vendors (encrypt from swipe to acquirer)
• Corporations – homegrown tokens (e.g., hashes)
• Processors (outsourced payment mgmt solutions)
• Encryption SW – encryption & key mgmt SW that generates tokens
Source: PCI Knowledge Base, January 2009
Getting the Most Value from Tokenization Solutions
Scalability: The more data repositories and systems that store, process or transmit cardholder (or other confidential) data, the more value you will receive from tokenization. Consider these examples:
[Diagram: example systems in scope: e-commerce website, call center applications, in-store POS apps, operations applications, fraud / loss prevention, sales audit system.]
• SMEs – Single Channel, Single App. Value added: 1. Data Mgmt 2. Reduce Risk 3. Part of data outsourcing
• Mid-Tier Merchants – POS + MOTO Sales Channels + Some Tracking Apps. Value added: 1. Reduces data redundancy 2. Reduces unauthorized access by employees 3. May be homegrown
• F1000 Level Merchants – Multi-Channel Business + Internal Data Stores + Service Providers for Sales Analysis, etc. Value added: 1. Major PCI scope and cost reductions 2. Identifies risky data flows & processes 3. Offered as a service by processors or other third parties
Source: PCI Knowledge Base, July 2009. MOTO = Mail Order / Telephone Order
Integrating Tokenization: How to Make it “Part of” Applications?
ISSUE: The average Level 1 or large Level 2 merchant has 4-6 different encryption systems. Complete replacement is not an option for most of them, and enterprise-wide encryption can cost > $1M
ISSUE: The movement of card data among systems creates dozens of different intermediate processes & data stores, greatly increasing risk, and process re-design can take years.
ISSUE: The debit & credit settlement process often means that ERP, CRM and SCM apps are in PCI scope, and rewriting them is far more costly than PCI compliance.
Source: PCI Knowledge Base, May 2009
Why Keep Card Data at All? When to Outsource Payment Processing
[Chart: share of F1000s, SMEs and E-Comms by outsourcing status (Now Fully Outsourced, Partial Outsourced, Considering Outsourcing, No Plans to Outsource), on a 0–100% scale.]
One of the biggest changes we have seen in the last year is the growth in the consideration of outsourcing. Mostly, this is among firms that have been running their own payment gateway across their divisions.
Source: PCI Knowledge Base, May 2009
Adopt “Secure Tokenization” to Remove Card Data But Retain Analytics
[Chart: Current vs Potential Use of Secure Tokenization, F1000 vs SME: use as of 4Q08 against potential adoption, on a 0–100% scale.]
A few leading retailers are using secure tokenization systems. But some of the first generation tools and in-house projects are not sufficiently secure and will need to be replaced before they will pass.
Source: PCI Knowledge Base, January 2009
Best Practice Description: Use “secure” tokenization tools or services to create a centralized, encrypted repository of card data and use surrogate and/or partially masked data to validate transaction records for sales audit and marketing analysis. How tokens are created and managed is key to this best practice.
Level of Investment: $5,000 – 40,000 in SW licensing and increased transaction costs.
Potential Savings: $10,000 – 100,000 in reduced assessment costs and security control cost avoidance costs.
Best for: F1000 retailers who cannot segment networks and have card data throughout the enterprise.
Primary Dept Owner: IT Infrastructure, with support from CFO on switching processors.
PCI Reqmts Met: 3, 4
The Bottom Line: Tokenization is an Enterprise Strategy
1. Tokenization is a strategy when it is applied as a way to centralize and improve the management of confidential data, enterprise-wide.
2. Tokenization’s value is not in the “substitution” process but in the management of confidential data.
3. Tokenization drives the discovery (and removal) of confidential data from potentially hundreds or thousands of files and DBs across the enterprise.
4. Tokenization has tactical value for PCI compliance, because it can greatly reduce the scope of PCI assessment as well as PCI compliance costs.
5. Tokenization, at an enterprise level, must not impact system and process performance by making “real” data retrieval impossible or cumbersome.
6. Tokenization as an enterprise strategy must be capable of supporting a multi-channel sales and service environment.
7. Tokenization does not necessarily require that confidential data be removed from all enterprise systems, but the fewer systems that contain this data, the lower the risk.
8. Tokenization providers must be thoroughly vetted, both technically and as service providers, as they become mission critical partners.
Data Breach Survey, Ponemon Institute, 2006
Source: PCI Knowledge Base, July 2009
PCI Research
Data Protection Formats
[Diagram: generalized example of how each field-level method (Clear Text, Hash, Encryption, Alphanumeric, Encoding, Partial Enc, Token / Encoding) changes a text data field, compared by field length (original length or longer) and resulting data type (text, numeric, binary data). Sample values shown: clear text 123456 777777 1234 and 123456 123456 1234; alphanumeric aVdSaH 1F4hJ5 1D3a; binary !@#$%a^&*B()_+!@4#$2%p^&* (longer) and !@#$%a^&*B()_+!@ (original length); token / encoding 666666 777777 8888 (numeric, original length). Preserving the data format means keeping both length and data type.]
Field Level Data Protection Methods vs. Time
[Chart: protection level (Medium to High) over time for Plain Hash (SHA-1 on CCN), Keyed Hash (HMAC), Strong Encryption (AES CBC), Format Controlling Encryption (AES FCE) and Tokenized Data, with key rotation marked on the time axis.]
Format Controlling Encryption vs. Time
[Chart: protection level (Medium to High) over time for AES FCE (numeric & IV), AES FCE (alphanumeric & fix IV) and Tokenized Data.]
Field Level Data Protection Methods vs. Time
[Chart: protection level (Medium to High) over time for AES ECB, AES CBC (rotating IV), AES CBC (fix IV, short data), AES CBC (fix IV, long data) and Tokenized Data.]
Application Transparency
[Chart: security level (Low to High) against transparency level for Plain Hash (SHA-2), Key based Hash (HMAC), Tokens, Smart Tokens, Database File Encryption, 3rd Party Database Column Encryption and Native Database Column Encryption.]
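As an added example (not from the slides or Protegrity's products), the Python below implements the on-site central tokenizer topology and three of the field-level formats compared in the Data Protection Formats and Application Transparency charts: a vault-based numeric token that keeps the field's length and last four digits, PCI 3.3-style display masking, and an HMAC keyed hash in place of a plain hash. The sample PAN is constructed, and the in-memory vault is assumed to hold the PAN without the at-rest encryption a real vault would apply.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN in the slides' 6-6-4 layout; not a real card number.
SAMPLE_PAN = "123456 123456 1234"


def _digits(pan: str) -> str:
    return pan.replace(" ", "")

class VaultTokenizer:
    """Central (vault-based) tokenizer: the PAN is replaced by a random numeric
    token of the same length that keeps the last four digits, so downstream
    numeric fields and last-four lookups keep working (application transparency).
    Assumption: the vault holds the PAN unencrypted here; a real vault encrypts it."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = _digits(pan)
        if pan in self._pan_to_token:          # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # reject the (negligible) cases of echoing the PAN or reusing a token
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._token_to_pan[token]

def mask_pan(pan: str) -> str:
    """Display masking (first six, last four) as PCI 3.3 permits."""
    pan = _digits(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 surrogate for record matching: without the key it cannot be
    precomputed over the small PAN space the way a plain SHA hash can."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()
```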
PCI DSS Testing Procedures
• PCI 3.1 Keep cardholder data storage to a minimum.
• PCI 3.2 Do not store sensitive authentication data
• PCI 3.3 Mask PAN when displayed
• PCI 3.4 Render PAN unreadable anywhere it is stored
• PCI 3.5 Protect cryptographic keys
• PCI 3.6 Fully document and implement all key-management processes and procedures