ISACA - How Innovation can Bridge the Gap between Privacy and Regulations
Description: ISACA presentation on how innovation can bridge the gap between privacy and regulations - HIPAA, PCI, privacy laws in different countries.
Transcript
Ulf Mattsson, CTO
Protegrity
ulf.mattsson AT protegrity.com
Ulf Mattsson, CTO Protegrity
• 20 years with IBM – Research & Development & Global Services
• Inventor – Encryption, Tokenization & Intrusion Prevention
• Involvement:
– PCI Security Standards Council (PCI SSC)
– American National Standards Institute (ANSI) X9 – Encryption & Tokenization
– International Federation for Information Processing – IFIP WG 11.3 Data and Application Security
– ISACA New York Metro chapter
Bridging the gap between privacy and regulations
Threats and regulations are changing. How are international regulations changing?
• My data used to be under my control, in my computer, within my organization.
• My data is NOT under my control, NOT in my computer and NOT within my organization.
• My data is NOT under my control, NOT in my computer, NOT within my organization and NOT in a known country/location.
• My data is NOT in a known server/node/location.
• My data is NOT known.
• My data is NOT in a compliant country.
• My data can be compliant with international regulations.
The Evolution of Data Security Methods
• Coarse grained security – access controls, volume encryption, file encryption
• Fine grained security – access controls, field encryption (AES & ), masking, tokenization, vaultless tokenization
Evaluating Current Use
[Chart: use of enabling technologies over time – access controls, database activity monitoring, database encryption, backup / archive encryption, data masking, application-level encryption, tokenization. The percentage values are not recoverable from the transcript.]
Access Control
Old and flawed: minimal access levels so people can only carry out their jobs.
[Chart: access privilege level (low to high) against risk (low to high)]
Applying the protection profile to the content of data fields allows for a wider range of authority options.
How the New Approach is Different
[Chart: access privilege level against risk, old approach versus new approach]
• Old: minimal access levels – least privilege to avoid high risks.
• New: much greater flexibility and lower risk in data accessibility.
Reduction of Pain with New Protection Techniques
[Chart: pain & TCO falling from high to low along a 1970 / 2000 / 2005 / 2010 timeline]
Input value: 3872 3789 1620 3675
• Strong encryption output (AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@
• Format preserving encryption (DTP, FPE): 8278 2789 2990 2789 – format preserving
• Vault-based tokenization: 8278 2789 2990 2789 – greatly reduced key management
• Vaultless tokenization: 8278 2789 2990 2789 – no vault
Fine Grained Security: Encryption of Fields
(Production systems and non-production systems)
• Reversible
• Policy control (authorized / unauthorized access)
• Lacks integration transparency
• Complex key management
• Example: !@#$%a^.,mhu7///&*B()_+!@
Fine Grained Security: Masking of Fields
(Non-production systems)
• Not reversible
• No policy, everyone can access the data
• Integrates transparently
• No complex key management
• Example: 0389 3778 3652 0038
Fine Grained Security: Tokenization of Fields
Tokenization (pseudonymization) across production and non-production systems:
• Production systems: reversible; policy control (authorized / unauthorized access)
• Non-production systems: not reversible; integrates transparently
• No complex key management
• Business intelligence
• Example: 0389 3778 3652 0038
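To make the contrasts on the three field-level slides above (and the encryption / FPE / vault / vaultless progression on the "Reduction of Pain" slide) concrete, here is an added Python example that is not part of the presentation or of Protegrity's products: masking that cannot be reversed, vault-based tokenization that is reversible only through the vault and only under policy, and a keyed format-preserving transform that needs no vault. The sample card number is the one on the slides; the key, the vault structure and the Feistel construction are constructed for illustration and are not a standard (such as NIST FF1) or the vendor's vaultless method.

```python
import hmac, hashlib, secrets
# Constructed sample input: the card number used on the slides.
SAMPLE_PAN = "3872 3789 1620 3675"
DIGITS = "0123456789"

def _digits(s): return s.replace(" ", "")                      # drop grouping spaces
def _regroup(d): return " ".join(d[i:i + 4] for i in range(0, len(d), 4))
def _random_like(real): return "".join(secrets.choice(DIGITS) for _ in real)
def mask_field(value):
    """Masking: same format, no key, no mapping kept, so it cannot be reversed."""
    return _regroup(_random_like(_digits(value)))

class TokenVault:
    """Vault-based tokenization: a random format-preserving token whose only link
    to the real value is this vault (which therefore needs replication and protection)."""
    def __init__(self):
        self._to_token, self._to_value = {}, {}
    def tokenize(self, value):
        real = _digits(value)
        if real not in self._to_token:          # one-to-one: reuse an existing token
            token = _random_like(real)
            while token in self._to_value:      # random tokens can collide: retry
                token = _random_like(real)
            self._to_token[real], self._to_value[token] = token, real
        return _regroup(self._to_token[real])
    def detokenize(self, token, authorized):
        """Reversible, but only under policy control."""
        if not authorized:
            raise PermissionError("policy: caller not authorized to detokenize")
        return _regroup(self._to_value[_digits(token)])

def _round_fn(key, rnd, half):
    mac = hmac.new(key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** len(half)
def fpe_encrypt(key, value, rounds=8):
    """Keyed, format-preserving and reversible with no vault: a simplified Feistel
    network over the digits (illustration only, not NIST FF1). Only the key is managed."""
    d = _digits(value); n = len(d) // 2
    assert len(d) == 2 * n, "demo handles even digit counts only"
    left, right = d[:n], d[n:]
    for rnd in range(rounds):
        left, right = right, f"{(int(left) + _round_fn(key, rnd, right)) % 10 ** n:0{n}d}"
    return _regroup(left + right)

def fpe_decrypt(key, token, rounds=8):
    d = _digits(token); n = len(d) // 2             # undo the rounds in reverse order
    left, right = d[:n], d[n:]
    for rnd in reversed(range(rounds)):
        left, right = f"{(int(right) - _round_fn(key, rnd, left)) % 10 ** n:0{n}d}", left
    return _regroup(left + right)
```

Running the three transforms on the same input shows why the slides treat them differently: the mask has no way back, the vault token has exactly one way back (the vault, gated by policy), and the keyed transform comes back with the key alone.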
Fine Grained Data Security Methods: Tokenization and Encryption are Different
• Encryption – cipher system: cryptographic algorithms, cryptographic keys
• Tokenization – code system: code books, index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Fine Grained Data Security Methods: Vault-based vs. Vaultless Tokenization
• Footprint – Vault-based: large, expanding. Vaultless: small, static.
• High availability, disaster recovery – Vault-based: complex, expensive replication required. Vaultless: no replication required.
• Distribution – Vault-based: practically impossible to distribute geographically. Vaultless: easy to deploy at different geographically distributed locations.
• Reliability – Vault-based: prone to collisions. Vaultless: no collisions.
• Performance, latency and scalability – Vault-based: will adversely impact performance & scalability. Vaultless: little or no latency; fastest industry tokenization.
The Future of Tokenization
• PCI DSS 3.0 – split knowledge and dual control
• PCI SSC Tokenization Task Force – tokenization and use of HSM
• Card brands (Visa, MC, AMEX …) – tokens with control vectors
• ANSI X9 – tokenization and use of HSM
Security of Different Protection Methods
[Chart: security level (low to high) for Basic Data Tokenization, AES CBC Encryption Standard, Vaultless Data Tokenization and Format Preserving Encryption]
Speed of Different Protection Methods
[Chart: transactions per second* on a logarithmic axis from 100 to 10 000 000 for Vault-based Data Tokenization, AES CBC Encryption Standard, Vaultless Data Tokenization and Format Preserving Encryption]
*: Speed will depend on the configuration
Risk Adjusted Data Protection
[Table: data security methods rated from best to worst on performance, storage, security and transparency – system without data protection; monitoring + blocking + obfuscation; data type preservation encryption; strong encryption; vaultless tokenization; hashing; anonymisation. The ratings are not recoverable from the transcript.]
There is always a trade-off between security and usability.
Data De-Identification: What is de-identification of identifiable data?
• The solution to protecting identifiable data is to properly de-identify it.
• Redact the information – remove it.
• The identifiable portion of the record is de-identified with any number of protection methods such as masking, tokenization, encryption, redacting (removal), etc.
• The method used will depend on your use case and the reason that you are de-identifying the data.
Identifiable Sensitive Information (Personally Identifiable Information, Health Information / Financial Information)
Field                        Real Data                              Tokenized / Pseudonymized
Name                         Joe Smith                              csu wusoj
Address                      100 Main Street, Pleasantville, CA     476 srta coetse, cysieondusbak, CA
Date of Birth                12/25/1966                             01/02/1966
Telephone                    760-278-3389                           760-389-2289
E-Mail Address               [email protected]                      [email protected]
[field label not recoverable] 076-39-2778                           937-28-3390
CC Number                    3678 2289 3907 3378                    3846 2290 3371 3378
Business URL                 www.surferdude.com                     www.sheyinctao.com
Fingerprint                  Encrypted
Photo                        Encrypted
X-Ray                        Encrypted
Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; financial services consumer products and activities.
Protection methods can be equally applied to the actual healthcare data, but are not needed with de-identification.
How Should I Secure Different Data?
[Chart: type of data (structured / unstructured) against use case (simple / complex) – PCI cardholder data, PHI protected health information, PII personally identifiable information; methods shown are encryption of files and tokenization of fields]
Research Brief: Tokenization Gets Traction
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption.
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.
• Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users.
Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
Vaultless Tokenization & Data Insight
• The business intelligence exposed through vaultless tokenization can allow many users and processes to perform job functions on protected data.
• Extreme flexibility in data de-identification can allow responsible data monetization.
• Data remains secure throughout data flows, and can maintain a one-to-one relationship with the original data for analytic processes.
Use Cases for Coarse & Fine Grained Security
Privacy Impacts BPO & Offshore Business Solutions: Off-shoring & Outsourcing
• Business Process Outsourcing (BPO)
– Business processes, e.g. loans, mortgages, call centre, claims processing, ERP, etc.
– Application development: need to de-identify data for testing and development
• Off-shoring – same as outsourcing, but data is sent off-shore for business functions (like call center, etc.).
• Laws governing your ability to send real data to 3rd parties are already restrictive, and becoming more so.
• Penalties for infringement are growing more severe.
• Risk of data breaches and data theft is increased.
Examples
• Major bank in the EU wants to centralise EDW operations in a single country and therefore send customer data from country A to country B. Privacy laws in country A prohibit this.
• Private bank in Europe wants to offshore finance operations. Privacy law prohibits transfer of citizen data to India.
• Retail bank in Scandinavia wants to offshore customer services. Privacy law prevents transfer of citizen data to the Far East.
Case Studies
Protegrity Use Case: UniCredit
Challenges: The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU cross-border data security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
Case Study: Large US Chain Store
• Reduced cost – 50% shorter PCI audit
• Quick deployment – minimal application changes, 98% application transparent
• Top performance – performance better than encryption
• Stronger security
Case Study: Large Chain Store – Why? Reduce compliance cost by 50%
– 50 million credit cards, 700 million daily transactions
– Performance challenge: 30 days with Basic to 90 minutes with vaultless tokenization
– End-to-end tokens: started with the D/W and expanding to stores
– Lower maintenance cost – don't have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Quick deployment: minimal application changes, 98% application transparent
Protegrity Summary
• Proven enterprise data security software and innovation leader
– Sole focus on the protection of data
– Patented technology, continuing to drive innovation
• Cross-industry applicability
– Retail, hospitality, travel and transportation
– Financial services, insurance, banking
– Healthcare
– Telecommunications, media and entertainment
– Manufacturing and government
Please contact us for more information