ISACA - How Innovation can Bridge the Gap between Privacy and Regulations Ulf Mattsson, CTO Protegrity ulf.mattsson AT protegrity.com


Post on 12-May-2015


DESCRIPTION

ISACA presentation on how Innovation can Bridge the Gap between Privacy and Regulations - HIPAA, PCI, Privacy Laws in different countries

TRANSCRIPT

Page 1: ISACA - How Innovation can Bridge the Gap between Privacy and Regulations

Ulf Mattsson, CTO, Protegrity

ulf.mattsson AT protegrity.com

Page 2: Ulf Mattsson, CTO Protegrity

• 20 years with IBM – Research & Development & Global Services
• Inventor – Encryption, Tokenization & Intrusion Prevention
• Involvement
  – PCI Security Standards Council (PCI SSC)
  – American National Standards Institute (ANSI) X9
    • Encryption & Tokenization
  – International Federation for Information Processing
    • IFIP WG 11.3 Data and Application Security
  – ISACA New York Metro chapter

Page 3

Page 4: Bridging the gap between privacy and regulations

Page 5: Threats and regulations are changing

Page 6: How are international regulations changing?

Page 7

My Data used to be under my control in my computer within my organization

Page 8

My Data is NOT under my control and NOT in my computer and NOT within my organization

Page 9

My Data is NOT under my control and NOT in my computer and NOT within my organization and NOT in a known country/location

Page 10

My Data is NOT in a known server/node/location

My Data is NOT known

Page 11

My Data is NOT in a compliant country

Page 12

My Data can be compliant to international regulations

Page 13

Page 14: The Evolution of Data Security Methods

Page 15: Evolution of Data Security Methods

• Coarse Grained Security
  – Access Controls
  – Volume Encryption
  – File Encryption
• Fine Grained Security
  – Access Controls
  – Field Encryption (AES & )
  – Masking
  – Tokenization
  – Vaultless Tokenization

[Figure axis: Time]

Page 16: Use of Enabling Technologies

Technology | Evaluating | Current Use
Access controls | 1% | 91%
Database activity monitoring | 18% | 47%
Database encryption | 30% | 35%
Backup / Archive encryption | 21% | 39%
Data masking | 28% | 28%
Application-level encryption | 7% | 29%
Tokenization | 22% | 23%

Page 17: Access Control

Old and flawed: Minimal access levels so people can only carry out their jobs

[Figure: Risk (Low to High) plotted against Access Privilege Level (Low to High)]

Page 18

Applying the protection profile to the content of data fields allows for a wider range of authority options

Page 19: How the New Approach is Different

Old: Minimal access levels – Least Privilege to avoid high risks

New: Much greater flexibility and lower risk in data accessibility

[Figure: Risk (Low to High) plotted against Access Privilege Level (Low to High)]

Page 20: Reduction of Pain with New Protection Techniques

[Figure: Pain & TCO (High to Low) over time (1970, 2000, 2005, 2010)]

Input Value: 3872 3789 1620 3675

• Strong Encryption (AES, 3DES) – Output: !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE) – Output: 8278 2789 2990 2789 – Format Preserving
• Vault-based Tokenization – Output: 8278 2789 2990 2789 – Greatly reduced Key Management
• Vaultless Tokenization – Output: 8278 2789 2990 2789 – No Vault

Page 21: Fine Grained Security: Encryption of Fields

Production Systems

Encryption of fields
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@

Non-Production Systems

Page 22: Fine Grained Security: Masking of Fields

Non-Production Systems

Masking of fields
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038

Production Systems

Page 23: Fine Grained Security: Tokenization of Fields

Production Systems

Non-Production Systems

Tokenization (Pseudonymization)
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038

• Reversible
• Policy Control (Authorized / Unauthorized Access)

• Not Reversible
• Integrates Transparently

Page 24: Fine Grained Data Security Methods

Tokenization and Encryption are Different

Used Approach | Cipher System | Code System
Cryptographic algorithms
Cryptographic keys
Code books
Index tokens

Tokenization
Encryption

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 25: Fine Grained Data Security Methods

Vault-based vs. Vaultless Tokenization

 | Vault-based Tokenization | Vaultless Tokenization
Footprint | Large, Expanding. | Small, Static.
High Availability, Disaster Recovery | Complex, expensive replication required. | No replication required.
Distribution | Practically impossible to distribute geographically. | Easy to deploy at different geographically distributed locations.
Reliability | Prone to collisions. | No collisions.
Performance, Latency, and Scalability | Will adversely impact performance & scalability. | Little or no latency. Fastest industry tokenization.
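
The footprint and collision rows of the comparison above, as an added Python illustration (not from the presentation and not Protegrity's algorithm). `VaultTokenizer`, `VaultlessTokenizer`, `protect` and the seed are hypothetical names and values; the vaultless class is a toy digit-substitution scheme for demonstration, not a vetted cipher.

```python
import random
import secrets

DIGITS = "0123456789"

class VaultTokenizer:
    """Vault-based: random token per value; the mapping table grows with the data."""
    def __init__(self):
        self.to_token, self.to_value = {}, {}

    def tokenize(self, digits: str) -> str:
        if digits in self.to_token:            # repeated value -> same token
            return self.to_token[digits]
        while True:                            # retry until the random token is unused
            token = "".join(secrets.choice(DIGITS) for _ in digits)
            if token not in self.to_value and token != digits:
                break
        self.to_token[digits], self.to_value[token] = token, digits
        return token

    def detokenize(self, token: str) -> str:
        return self.to_value[token]

class VaultlessTokenizer:
    """Toy vaultless scheme: fixed secret substitution tables, no stored values."""
    def __init__(self, seed: int, width: int = 16):
        rng = random.Random(seed)              # demo secret only; not a CSPRNG
        self.tables = [rng.sample(range(10), 10) for _ in range(width)]
        self.inverse = [[t.index(d) for d in range(10)] for t in self.tables]

    def tokenize(self, digits: str) -> str:
        if len(digits) != len(self.tables) or not set(digits) <= set(DIGITS):
            raise ValueError("expected exactly %d digits" % len(self.tables))
        out, prev = [], 0
        for table, ch in zip(self.tables, digits):
            prev = table[(int(ch) + prev) % 10]    # chain on the previous token digit
            out.append(str(prev))
        return "".join(out)

    def detokenize(self, token: str) -> str:
        out, prev = [], 0
        for inv, ch in zip(self.inverse, token):
            out.append(str((inv[int(ch)] - prev) % 10))
            prev = int(ch)
        return "".join(out)

def protect(value: str, tokenizer) -> str:
    """Tokenize only the digits of a field, keeping spaces and dashes in place."""
    token = iter(tokenizer.tokenize("".join(c for c in value if c in DIGITS)))
    return "".join(next(token) if c in DIGITS else c for c in value)
```

Each per-position table is a permutation of the ten digits, so the vaultless mapping is a bijection and needs no collision check, whereas the vault has to test every new random token against its stored entries.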

Page 26: The Future of Tokenization

• PCI DSS 3.0
  – Split knowledge and dual control
• PCI SSC Tokenization Task Force
  – Tokenization and use of HSM
• Card Brands – Visa, MC, AMEX …
  – Tokens with control vectors
• ANSI X9
  – Tokenization and use of HSM

Page 27: Security of Different Protection Methods

[Figure: Security Level (Low to High) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, and Basic Data Tokenization]

Page 28: Speed of Different Protection Methods

[Figure: Transactions per second* (scale from 100 to 10 000 000) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, and Vault-based Data Tokenization]

*: Speed will depend on the configuration

Page 29: Risk Adjusted Data Protection

Data Security Methods | Performance | Storage | Security | Transparency
System without data protection
Monitoring + Blocking + Obfuscation
Data Type Preservation Encryption
Strong Encryption
Vaultless Tokenization
Hashing
Anonymisation

Best / Worst

There is always a trade-off between security and usability.

Page 30: Data De-Identification

Page 31: What is de-identification of identifiable data?

• The solution to protecting Identifiable data is to properly de-identify it.
• Redact the information – remove it.
• The identifiable portion of the record is de-identified with any number of protection methods such as masking, tokenization, encryption, redacting (removed), etc.
• The method used will depend on your use case and the reason that you are de-identifying the data.

Personally Identifiable Information | Health Information / Financial Information

Personally Identifiable Information | Health Information / Financial Information

Page 32: Identifiable Sensitive Information

Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | [email protected] | [email protected]
 | 076-39-2778 | 937-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | | Encrypted
Photo | | Encrypted
X-Ray | | Encrypted
Healthcare / Financial Services | Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities | Protection methods can be equally applied to the actual healthcare data, but not needed with de-identification

Page 33: De-Identified Sensitive Data

Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | [email protected] | [email protected]
 | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | | Encrypted
Photo | | Encrypted
X-Ray | | Encrypted
Healthcare / Financial Services | Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities | Protection methods can be equally applied to the actual data, but not needed with de-identification

Page 34: How Should I Secure Different Data?

[Figure: Use Case (Simple to Complex) plotted against Type of Data (Structured to Un-structured), with labels: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information), Encryption of Files, Tokenization of Fields]

Page 35: Tokenization Gets Traction

Research Brief

• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users

Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC

Page 36: Vaultless Tokenization & Data Insight

• The business intelligence exposed through Vaultless Tokenization can allow many users and processes to perform job functions on protected data
• Extreme flexibility in data de-identification can allow responsible data monetization
• Data remains secure throughout data flows, and can maintain a one-to-one relationship with the original data for analytic processes

Page 37: Use Cases for Coarse & Fine Grained Security

Page 38: Off-shoring & Outsourcing

Page 39: Privacy Impacts BPO & Offshore Business Solutions

• Business Process Outsourcing (BPO)
  – Business Processes
    • E.g. Loans, Mortgages, Call Centre, Claims Processing, ERP, etc.
  – Application Development
    • Need to de-identify Data for Testing and Development
• Off-Shoring
  – Same as Outsourcing, but data is sent for business functions (like call center, etc.) off-shore.
• Laws governing your ability to send real data to 3rd parties are already restrictive, and becoming more so
• Penalties for infringement are growing more severe
• Risk of data breaches and data theft is increased

Page 40: Examples

• Major Bank in EU wants to centralise EDW operations in a single country and therefore send customer data from country A to country B. Privacy Laws in country A prohibit this.
• Private Bank in Europe wants to offshore Finance Operations. Privacy Law prohibits transfer of citizen data to India.
• Retail Bank in Scandinavia wants to offshore Customer Services. Privacy law prevents transfer of citizen data to the Far East.

Page 41: Case Studies

Page 42: Protegrity Use Case: UniCredit

CHALLENGES

The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.

Page 43: Case Study - Large US Chain Store

Reduced cost
50 % shorter PCI audit
Quick deployment
Minimal application changes
98 % application transparent
Top performance
Performance better than encryption
Stronger security

Page 44: Case Study: Large Chain Store

Why? Reduce compliance cost by 50%

– 50 million Credit Cards, 700 million daily transactions
– Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
– End-to-End Tokens: Started with the D/W and expanding to stores
– Lower maintenance cost – don’t have to apply all 12 requirements
– Better security – able to eliminate several business and daily reports
– Quick deployment
  • Minimal application changes
  • 98 % application transparent

Page 45: Protegrity Summary

• Proven enterprise data security software and innovation leader
  – Sole focus on the protection of data
  – Patented Technology, Continuing to Drive Innovation
• Cross-industry applicability
  – Retail, Hospitality, Travel and Transportation
  – Financial Services, Insurance, Banking
  – Healthcare
  – Telecommunications, Media and Entertainment
  – Manufacturing and Government