Encryption and Tokenization: Friend or Foe?
DESCRIPTION
As one of the industry’s leading experts on both encryption and tokenization, Gary Palgon, CISSP, revisits this intriguing topic and addresses the effect of current issues on these technologies. For the full webinar please visit: http://liaison.com/resource-center/webinars?commid=79123
TRANSCRIPT
@LiaisonTech
Encryption & Tokenization: Friend or Foe?
What we’ll discuss
• Encryption and Key Management
• Tokenization
• Myths and Truths
• Case Study - Reducing PCI DSS Scope
• Friend or Foe?
• Questions and Answers
Encryption and Key Management
Approaching data security in the enterprise
• “If you don’t need the data, don’t store it.”
• “If you need to maintain the data, secure it.”
• “Compliance does not equal security.”
• Safe Harbors
– Render data useless to those who should not have access
– If data is compromised that is rendered useless, you don’t have to let consumers (or the media) know
Multiple approaches to solutions
Encryption
Database Encryption
• How granular? Field, column, table, database
• Where are the keys stored?
• What happens when data leaves the database?
Application Encryption
• Does the application have to be changed?
• What external components are used?
• Integration options – interfaces, languages
File Encryption
• Field within a file?
• Entire file?
• Directory of files?
Descoping of encrypted data in transit
Diagram: Point of Sale → Network (Public Key Encryption) → Payment Switch / Gateway → Payment Processor, with Key Management; segments marked In Scope for PCI DSS and Out of Scope PCI DSS.
Verification guidance will be key checklist for implementation
Key Management
Key Lifecycle Mgmt
• Must address entire key management lifecycle
• Generate, distribute, expire, rotate, revoke, destroy
• How do you activate keys and how many keys can be used?
• Where are the keys stored? (active and archived)
Roles-Based Admin and Control
• Must have dual control of keys
• Users can never have direct access to keys
• User-level information must be available for key use
Event Logging
• Must log all administration functions pertaining to keys, users
• Must log all end user events (encrypt, decrypt)
• Integration with security information and event management (SIEM) systems
End to End Encryption (& P2PE and FPE)
• Public key encryption at Point of Interaction (POI) with private key decryption at payment gateway or payment processor
• Keys are not available elsewhere for decryption
• Referred to as Point-to-Point Encryption by PCI SSC and End-to-Middle Encryption by Gartner (E2E Encryption is ultimate goal, but not realistic)
• Format Preserving Encryption is a use case where the cipher text fits within the original data space (doesn’t require expanding the field size)
Scoping of End to End Encryption
Diagram: Point of Sale (Chip/PIN) → Network (Public Key Encryption, Firewall) → Payment Switch / Gateway → Payment Processor, with Key Management; Corporate Applications marked TBD; segments marked In Scope for PCI DSS and Out of Scope PCI DSS.
Must determine where tokenization takes place if also being utilized (example later)
What kind of token are we talking about?
• It’s NOT the same as ‘token’ used for two-factor authentication
• It’s not the ‘token’ used in lexical analysis (parsing a programming language)
• In data security, it’s a surrogate value which is substituted for the actual data (e.g. credit card) while the actual data is encrypted and stored elsewhere
Centralized data vault
• Protected data vault where sensitive data is encrypted and stored
– Reduces the footprint where sensitive data is located
– Eliminates points of risk
– Simplifies security management
Diagram: Key Manager, Token Manager, Data Vault
Tokens not derived from data
• Original data values cannot be mathematically derived from tokens
– Tokens can be safely passed to databases, applications, mobile devices, etc.
• Solves the age-old problem of data for development and testing!
Format Preserving Tokenization
Tokens can be formatted to:
• Preserve the format (length and data type)
• Preserve a number of leading and trailing characters
• Mask a portion of the token when a full value is not needed or desirable
Tokens that maintain the length and format of the original data don’t require applications to be modified.
Examples (head / body / tail):
Original data: 3752 5712250 3125 → Token: 3752 X4mbAdLQ 3125
Original data: 3752 5712250 3125 → Token: 3752 4333906 3125
Original data: 3752 5712250 3125 → Masked token: 3752 ******* 3125
Reduces PCI DSS audit scope
• Formatted tokens can be used wherever masked credit card information is required
• Therefore systems are removed from PCI DSS scope wherever tokenized data suffices
Using credit card number: 3752 5712250 3125 – leading digits determine card type (standard, private label, gift card); last 4 digits retain confirmation info
Using token: 3752 4333906 3125 – leading digits determine card type (standard, private label, gift card); last 4 digits retain confirmation number
Tokens are surrogates for masked data - SSN
• Formatted tokens can be used wherever masked personally identifiable information is required
“What are the last 4 digits of your Social Security Number?”
• Therefore wherever tokenized data suffices, risk is reduced
Social Security Number: 375-57-2125 → Token: 433-39-2125 – last 4 digits retain confirmation info
1:1 token / data relationship
• Same token value is consistent for same data across entire enterprise; maintains referential integrity across applications
• Data analysis can be performed using token – e.g. data warehouse
Before (using credit card number):
Transaction 1 – CC#: 3752 5712250 3125 – Items: Paper, Stapler, Staples
Transaction 2 – CC#: 3752 5712250 3125 – Items: Paper, Notebook, Staples
After (using token):
Transaction 1 – CC#: 3716 4136820 3125 – Items: Paper, Stapler, Staples
Transaction 2 – CC#: 3716 4136820 3125 – Items: Paper, Notebook, Staples
Token / data relationship: 1 to many
• Some situations may dictate that you do NOT want a 1:1 token relationship for obfuscation purposes
• E.g. salary
– $65,000 is always seen as $65,000 today
– If token = 18903, then anywhere 18903 is found, it equates to $65,000
– In tokenized world, multiple tokens could be mapped to $65,000
• Business drivers and requirements will drive business use
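Added example, not from the deck or from Liaison’s product: a toy token server in Python that shows the token properties the format-preserving, 1:1 and 1-to-many slides describe. It keeps the head and tail of the value, draws the body from a CSPRNG so it cannot be derived from the data, returns the same token for the same data in 1:1 mode (referential integrity), issues distinct tokens in 1-to-many mode (the salary case), and masks the body. The TokenServer class and its in-memory vault are constructed for illustration; vault encryption and key management are assumed to happen elsewhere.

```python
import secrets
import string

class TokenServer:
    """Toy token server (constructed example). The vault maps token -> original; in a
    real deployment the originals are encrypted under key-manager keys (omitted here)."""
    def __init__(self, head=4, tail=4):
        self.head, self.tail = head, tail  # leading / trailing characters preserved
        self.vault = {}                    # token -> original
        self.index = {}                    # original -> token, used in 1:1 mode

    def _split(self, value):
        # Fail closed: a value no longer than head+tail would come back unchanged.
        if len(value) <= self.head + self.tail:
            raise ValueError("value too short for this head/tail policy")
        cut = len(value) - self.tail
        return value[:self.head], value[self.head:cut], value[cut:]

    def _random_body(self, body):
        # Same length and per-position class (digit/letter/separator), from a CSPRNG.
        out = []
        for ch in body:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_letters))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value, one_to_one=True):
        if one_to_one and value in self.index:
            return self.index[value]       # same data -> same token across the enterprise
        head, body, tail = self._split(value)
        while True:
            token = head + self._random_body(body) + tail
            if token != value and token not in self.vault:  # never the PAN, never a collision
                break
        self.vault[token] = value
        if one_to_one:
            self.index[value] = token
        return token

    def detokenize(self, token):
        return self.vault[token]           # only the vault can reverse a token

    def mask(self, value):
        head, body, tail = self._split(value)
        return head + "".join("*" if c.isalnum() else c for c in body) + tail
```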
Centralized key management
• Control over who accesses sensitive data
• Rotate keys without having to decrypt and re-encrypt old data, and no system downtime
• Keys are distributed to token server, not throughout enterprise
Tokenization
Enhanced Security
• Central, protected data vault
• Shrink footprint where data is stored
• Prevent unauthorized access to sensitive data
• Centralized key management
Flexibility & Control
• Maintain length and format of original data
• Strict 1 to 1 relationship between tokens and data
• Use different token formats for different data types
• Wide database support for storage of sensitive data
Ease of Management
• Browser-based UI for system administration and policy management
• Syslog-compliant logging of all encrypt, decrypt and key management events – integrate with SIEM
Tokenization process: obtain credit card
Diagram (three steps): 1. The credit card number 3752 5712250 3125 is sent to the Token Server. 2. The card number is encrypted and the ciphertext &1y*13JhM)7N56^$90 is stored in the Data Vault. 3. The token 3752 4333906 3125 is returned to the requesting application (Loss Prevention).
Tokenization Myths & Truths
Tokenization myths
• It doesn’t require encryption
• It’s a silver bullet for all use cases
• It’s an immature technology
• There are no companies using it in production
• Concrete examples for reducing scope do not exist
Tokenization truths
• It still uses encryption and key management
– Though all cipher text is stored centrally
• There’s a right place for tokenization
– Credit cards and other sensitive information are a perfect use
– Scanned documents would use encryption, sharing key management with tokenization
• Tokenization has been around for 5 years
– It has gone mainstream over the last 2 years
– Standards are in development
• Tokenization IS in production
– Many companies use it, including many Liaison customers
• Concrete examples for reducing scope DO exist
– Will share one today
Use Case: Reducing scope for PCI
Before: order flow without tokenization
Diagram: Web Order Entry, Phone Order Entry and Mail Order Entry → Order Processing → Corporate Applications, with the credit card number 3752 5712250 3125 flowing through every system. 80+ systems in PCI DSS scope.
After: order flow with tokenization
Diagram: Web Order Entry, Phone Order Entry and Mail Order Entry, a Credit Card Entry Hub, Order Processing and Corporate Applications, with a Token Server and Data Vault (ciphertext &1y*13JhM)7N56^$90 held in the vault). 8 systems in PCI DSS scope; the remaining systems are marked Out of Scope PCI DSS.
Combining P2PE and Tokenization
Diagram: Point of Sale (Chip/PIN, POS Application) → Network (Public Key Encryption, Firewall) → Payment Switch / Gateway → Payment Processor, with Key Management and Corporate Applications; segments marked In Scope for PCI DSS and Out of Scope PCI DSS. Tokenization is shown at three candidate points (1, 2, 3).
Must determine where tokenization takes place
Combining P2PE and tokenization
• Considerations
– Encrypted values cannot be used with referential integrity (like tokens) since salt values must be different
  • Each POS cannot generate the same cipher-text for a given credit card as it would require the same input ‘salt’ at every POS
– VISA data field encryption best practice requires different keys for each POS
• Best descoping cases include the use of multiple emerging technologies – EMV, encryption, tokenization, others…
Encryption and tokenization: friend or foe
Encryption and tokenization: friends
Questions?
About Liaison
• Solutions
– Cloud EAI / Data Transformation
– Cloud B2B Integration Services
– TaaS, Data Security
– SaaS Master Data Management
– Web based, Hosted EDI
• Multinational
– Global headquarters in Atlanta
– European offices in Finland, Netherlands, Sweden, UK
– More than 7000 customers worldwide in over 46 countries
Thank you
For more information visit: liaison.com/resource-center/white-papers