Where Data Security and Value of Data Meet in the Cloud. Ulf Mattsson, CTO, Protegrity ([email protected]). BrightTALK webinar, January 14 2015.

Upload: ulf-mattsson, posted on 14-Jul-2015


TRANSCRIPT

Page 1: Where Data Security and Value of Data Meet in the Cloud

Ulf Mattsson, CTO, Protegrity
[email protected]
BrightTALK webinar, January 14 2015

Page 2: Ulf Mattsson, Protegrity CTO

• Cloud Security Alliance (CSA)
• PCI Security Standards Council: Cloud & Virtualization SIGs, Encryption Task Force, Tokenization Task Force
• IFIP (International Federation for Information Processing): WG 11.3 Data and Application Security
• ISACA (Information Systems Audit and Control Association)
• ISSA (Information Systems Security Association)

Page 3: Agenda

The New Enterprise Paradigm
• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency

Rethinking Data Security for a Boundless World
• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximizing data utility and minimizing risk – finding the right balance

New Security Solutions, Technologies and Techniques
• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in context to the enterprise

Best Practices

Page 4: Enterprises Losing Ground Against Cyber-attacks

Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools

JP Morgan Chase data breach
• Hackers were in the bank's network for months undetected
• Network configuration errors are inevitable, even at the largest banks

We need a new approach to data security

Page 5: High-profile Cyber Attacks

Chart: 49% of respondents recommended database security, while 40% of budget still goes to network security and only 19% to database security.

Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification

Page 6: The Perimeter-less World

Page 7: Integration with Outside World

Big data projects in 2015
• Integration with the outside world
• Security prevents big data from becoming a prevalent enterprise computing platform
• 3rd party products are helping

26 billion devices on the Internet of Things by 2020 (Gartner)

Sources: www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html; wikipedia.org

Page 8: They're Tracking When You Turn Off the Lights

Sensors to capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian traffic flow

Source: Wall Street Journal

Page 9: Security Threats of Connected Medical Devices

The Department of Homeland Security is investigating
• Two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers
• Flaws that can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity
• Keep medical data stored encrypted

PricewaterhouseCoopers study
• $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability

Source: www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#

Page 10: Challenge – How can I secure the perimeter-less enterprise?

Page 11: Cloud Computing

Page 12: What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing? (survey chart)

Page 13: Security of Data in Cloud at Board-level (chart)

Source: Cloud Adoption Practices & Priorities Survey Report, January 2015

Page 14: Data Security Holding Back Cloud Projects (chart)

Source: Cloud Adoption Practices & Priorities Survey Report, January 2015

Page 15: Threat Vector Inheritance

Page 16: Public Cloud

Source: Wired.com

Page 17: New Technologies to Secure Cloud Data

Page 18: Data-Centric Protection Increases Security in Cloud Computing

Rather than making the protection platform-based, the security is applied directly to the data, protecting the data wherever it goes, in any environment.

Cloud environments by nature have more access points and cannot be disconnected. Data-centric protection reduces the reliance on controlling the high number of access points.

Page 19: Security Gateway Deployment – Hybrid Cloud (diagram)

Components: Corporate Network with Client System and Enterprise Security Administrator / Security Officer; Cloud Gateway; Private Cloud; Public Cloud; out-sourced environment.

Page 20: Security Gateway Deployment – Hybrid Cloud (diagram)

Components: Corporate Network with Client System and Enterprise Security Administrator / Security Officer; Cloud Gateway in the Private Cloud; Gateway in the Public Cloud; out-sourced environment.

Page 21: Security Gateway – Searchable Encryption (diagram)

Components: Corporate Network with Client System and Enterprise Security Administrator / Security Officer; Cloud Gateway performing RDBMS query re-write; order preserving encryption.

Page 22: Security Gateway – Search & Indexing (diagram)

Components: Corporate Network with Client System and Enterprise Security Administrator / Security Officer; Cloud Gateway performing RDBMS query re-write; Index.

Page 23: Cloud Gateway – Requirements Adjusted Protection

Table rating data protection methods from Best to Worst on Scalability, Storage, Security and Transparency (the ratings were shown graphically and are not reproduced here):

• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)

Page 24: Comparing Data Protection Methods

Page 25: Risk Adjusted Storage – Data Leaking Formats

Chart plotting Computational Usefulness against Data Leakage (Low to High) for: Strong-encryption, Truncation, Sort-order-preserving-encryption, Indexing.

Page 26: Balancing Data Security & Utility

• Value preserving
• Classification of sensitive data
• Granular protection of sensitive data
• Is the index data leaking sensitive data?
• Is the encoding leaking sensitive data?

Page 27: Risk Adjusted Data Leakage

Chart plotting Trust (High to Low) against Elasticity (In-house to Out-sourced) for index data:
• Index leaking sensitive data
• Sort order preserving encryption algorithms leaking sensitive data
• Index NOT leaking sensitive data

Page 28: Reduction of Pain with New Protection Techniques

Timeline chart of Pain & TCO (High to Low) across 1970, 2000, 2005 and 2010, for the input value 3872 3789 1620 3675:

• Strong Encryption (AES, 3DES) – output: !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE) – output: 8278 2789 2990 2789
• Vault-based Tokenization – output: 8278 2789 2990 2789
• Vaultless Tokenization – output: 8278 2789 2990 2789; format preserving, greatly reduced key management, no vault

Page 29: What is Data Tokenization?

Page 30: Data Tokenization – Replacing The Data

Source: plus.google.com

Page 31: Fine Grained Data Security Methods – Tokenization and Encryption are Different

Used approach:
• Encryption – cipher system: cryptographic algorithms, cryptographic keys
• Tokenization – code system: cryptographic keys, code books, index tokens

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 32: Speed of Fine Grained Protection Methods

Bar chart of transactions per second* (logarithmic scale, 100 to 10 000 000) for: Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Vault-based Data Tokenization.

*: Speed will depend on the configuration

Page 33: Significantly Different Tokenization Approaches

Table comparing properties of Dynamic (Vault-based) and Pre-generated (Vaultless) tokenization.

Page 34: Examples of Protected Data

Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | [email protected] | [email protected]
SSN | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | Encrypted
Photo | Encrypted
X-Ray | Encrypted

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services: consumer products and activities.

Protection methods can be equally applied to the actual data, but not needed with de-identification
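The tokenized column above keeps the layout and some fixed digits of the original (the telephone area code, the SSN area number, the last four card digits). The Python below is an added example, not Protegrity's code or algorithm, contrasting the two tokenization approaches named on slides 28 and 33: a dynamic, vault-based tokenizer that draws random tokens and stores the mapping, and a pre-generated, vaultless tokenizer that computes the same reversible token anywhere from secret digit tables and stores nothing. The class names, the sample card and SSN values and the table seed are constructed; the chained digit-table scheme is a simplified illustration of the pre-generated-table idea, not a vetted production algorithm.

```python
"""Vault-based versus vaultless (pre-generated table) tokenization.

Added example for this transcript, not Protegrity's code or algorithm. Both
tokenizers are format preserving (digits stay digits, separators stay put, a
chosen prefix or suffix stays in the clear); the vaultless variant is a
simplified illustration of chained digit tables, not a production scheme.
"""
import random
import re
import secrets
from typing import Dict, List, Tuple


def _split(value: str) -> Tuple[List[str], str]:
    """Digits of a formatted value plus a layout template ('#' per digit)."""
    return [c for c in value if c.isdigit()], re.sub(r"\d", "#", value)


def _merge(digits: List[str], template: str) -> str:
    """Put (token) digits back into the layout template."""
    it = iter(digits)
    return "".join(next(it) if c == "#" else c for c in template)


class VaultTokenizer:
    """Dynamic tokenization: a random token is drawn the first time a value
    is seen and stored in a vault, which grows with every distinct value."""

    def __init__(self, keep_prefix: int = 0, keep_suffix: int = 0) -> None:
        self.keep_prefix, self.keep_suffix = keep_prefix, keep_suffix
        self.vault: Dict[str, str] = {}      # value digits -> token digits
        self._reverse: Dict[str, str] = {}   # token digits -> value digits

    def tokenize(self, value: str) -> str:
        digits, template = _split(value)
        key = "".join(digits)
        if key not in self.vault:
            head, tail = key[:self.keep_prefix], key[len(key) - self.keep_suffix:]
            body_len = len(key) - len(head) - len(tail)
            if body_len <= 0:
                raise ValueError("no digits left to tokenize")
            while True:  # draw until the token is unused and differs from the value
                body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
                token = head + body + tail
                if token != key and token not in self._reverse:
                    break
            self.vault[key], self._reverse[token] = token, key
        return _merge(list(self.vault[key]), template)

    def detokenize(self, token: str) -> str:
        digits, template = _split(token)
        return _merge(list(self._reverse["".join(digits)]), template)


class VaultlessTokenizer:
    """Pre-generated tokenization: one secret digit permutation per position,
    derived once from the secret; each output digit is a table lookup chained
    on the previous output digit, so nothing is stored and any node holding
    the same tables computes the same reversible token."""

    def __init__(self, secret: bytes, positions: int = 19,
                 keep_prefix: int = 0, keep_suffix: int = 0) -> None:
        rng = random.Random(int.from_bytes(secret, "big"))  # stands in for table generation
        self.tables: List[List[int]] = []
        for _ in range(positions):
            perm = list(range(10))
            rng.shuffle(perm)
            self.tables.append(perm)
        self.inverse = [[perm.index(d) for d in range(10)] for perm in self.tables]
        self.keep_prefix, self.keep_suffix = keep_prefix, keep_suffix

    def tokenize(self, value: str) -> str:
        digits, template = _split(value)
        out, prev = list(digits), 0
        for i in range(self.keep_prefix, len(digits) - self.keep_suffix):
            prev = self.tables[i][(int(digits[i]) + prev) % 10]
            out[i] = str(prev)
        return _merge(out, template)

    def detokenize(self, token: str) -> str:
        digits, template = _split(token)
        out, prev = list(digits), 0
        for i in range(self.keep_prefix, len(digits) - self.keep_suffix):
            t = int(digits[i])
            out[i] = str((self.inverse[i][t] - prev) % 10)
            prev = t
        return _merge(out, template)


# Constructed samples with the same shapes as the slide-34 table.
SAMPLE_CARD = "3678 2289 3907 3378"
SAMPLE_SSN = "076-39-2778"


def run_demo() -> Dict[str, str]:
    """Tokenize the samples both ways (last four card digits and the SSN
    area number kept in the clear) and confirm each token round-trips."""
    vault = VaultTokenizer(keep_suffix=4)
    vaultless = VaultlessTokenizer(b"demo-table-secret", keep_suffix=4)
    ssn_tok = VaultlessTokenizer(b"demo-table-secret", keep_prefix=3)
    result = {
        "vault_card": vault.tokenize(SAMPLE_CARD),
        "vaultless_card": vaultless.tokenize(SAMPLE_CARD),
        "vaultless_ssn": ssn_tok.tokenize(SAMPLE_SSN),
    }
    assert vault.detokenize(result["vault_card"]) == SAMPLE_CARD
    assert vaultless.detokenize(result["vaultless_card"]) == SAMPLE_CARD
    assert ssn_tok.detokenize(result["vaultless_ssn"]) == SAMPLE_SSN
    return result
```

Calling `run_demo()` returns the three tokens. The vault-based tokenizer needs its dictionary at every point where values are tokenized or detokenized, which is the storage and scalability cost shown on slides 28 and 32; the vaultless tokenizer only needs the tables, so two gateways holding the same secret produce identical tokens and database joins on tokenized columns still work.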

Page 35: How Should I Secure Different Data?

Use case matrix by type of data (structured / un-structured):
• Simple – PCI: Card Holder Data – tokenization of fields
• PII: Personally Identifiable Information
• Complex – PHI: Protected Health Information
• Encryption of files

Page 36: Example of Cross Border Data-centric Security

Data sources feeding a Data Warehouse in Italy: complete policy-enforced de-identification of sensitive data across all bank entities

Page 37: How to Balance Risk and Data Access

Page 38: Risk Adjusted Data Security – Access Controls

Chart plotting Risk Exposure (Low to High) against access to sensitive data in the clear (Low Access to Data to High Access to Data), and User Productivity and Creativity.

Page 39: Risk Adjusted Data Security – Tokenized Data

Chart plotting Risk Exposure (Low to High) against access to tokenized data (Low Access to Data to High Access to Data), and User Productivity and Creativity.

Page 40: Risk Adjusted Data Security – Selective Masking

Chart plotting Risk Exposure (Low to High) against cost of application changes. Cost example for a 16 digit credit card number: all 16 clear, only middle 6 hidden, all 16 hidden.

Page 41: Fine Grained Security: Securing Fields

Production Systems – Encryption of fields
• Reversible
• Policy control (authorized / unauthorized access)
• Lacks integration transparency
• Complex key management
• Example: !@#$%a^.,mhu7///&*B()_+!@

Non-Production Systems – Masking of fields
• Not reversible
• No policy, everyone can access the data
• Integrates transparently
• No complex key management
• Example: 0389 3778 3652 0038

Page 42: Fine Grained Security: Tokenization of Fields

Tokenization (Pseudonymization)
• No complex key management
• Business intelligence
• Example: 0389 3778 3652 0038

Production Systems
• Reversible
• Policy control (authorized / unauthorized access)

Non-Production Systems
• Not reversible
• Integrates transparently

Page 43: Data-Centric Audit and Protection (DCAP)

Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act

By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today

Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014

Confidential

Page 44: Data-Centric Audit and Protection (DCAP)

• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting

Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014

Page 45: Centralized Policy Management – Example (diagram)

The Enterprise Security Administrator and Security Officer define a single Policy that is distributed to every protection point, and each protection point returns an Audit Log: Application, RDBMS, MPP, Cloud, File Servers, Big Data, Gateway Servers, HP NonStop Base24, IBM Mainframe Protector, Protection Servers.

Page 46: Enterprise Data Security Policy

• What – What is the sensitive data that needs to be protected?
• How – How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
• Who – Who should have access to sensitive data and who should not. Security access control.
• When – When should sensitive data access be granted to those who have access. Day of week, time of day.
• Where – Where is the sensitive data stored? This is where the policy is enforced.
• Audit – Audit authorized or unauthorized access to sensitive data.
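As an added example (not Protegrity's policy engine or policy format), the Python below evaluates one such policy for a card number: rules bind roles to a presentation method using the slide-40 masking levels (all 16 digits clear, only the middle 6 hidden, all 16 hidden), restrict the days, hours and data stores in which access is granted, and write an audit record for every request, authorized or not. The roles, data stores, requests and the card value are constructed.

```python
"""Enterprise data security policy: What / Who / How / When / Where / Audit.

Added example for this transcript, not Protegrity's policy engine or format.
Rules bind roles to a presentation method for one sensitive element, restrict
the days, hours and data stores in which access is granted, and every request
is written to an audit trail whether it was authorized or not.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]     # Who
    method: str               # How: "clear", "mask_middle" or "mask_all"
    days: FrozenSet[int]      # When: Monday=0 .. Sunday=6
    hours: range              # When: local hours in which access is granted
    stores: FrozenSet[str]    # Where: data stores the rule applies to


@dataclass
class Policy:
    element: str              # What: the classified data element
    rules: List[Rule]
    audit: List[Dict] = field(default_factory=list)


def present(value: str, method: str) -> str:
    """Slide-40 masking levels for a card number kept in its own layout:
    all digits clear, only the middle six hidden, or all digits hidden."""
    if method == "clear":
        return value
    if method not in ("mask_middle", "mask_all"):
        raise ValueError(f"unknown presentation method {method!r}")
    out, idx = [], 0
    for c in value:
        if c.isdigit():
            hide = method == "mask_all" or 6 <= idx < 12
            out.append("*" if hide else c)
            idx += 1
        else:
            out.append(c)   # separators are kept so the layout survives
    return "".join(out)


def evaluate(policy: Policy, user: str, role: str, store: str,
             when: datetime, value: str) -> Optional[str]:
    """Return the value as the first matching rule allows it to be presented,
    or None when no rule grants access; every decision is audited."""
    granted = next((r for r in policy.rules
                    if role in r.roles and store in r.stores
                    and when.weekday() in r.days and when.hour in r.hours), None)
    policy.audit.append({
        "element": policy.element, "user": user, "role": role, "store": store,
        "time": when.isoformat(), "authorized": granted is not None,
        "method": granted.method if granted else "denied",
    })
    return present(value, granted.method) if granted else None


def run_policy_demo() -> Dict[str, object]:
    """Constructed policy for a card number and five constructed requests."""
    policy = Policy("CC Number", [
        Rule(frozenset({"fraud_analyst"}), "clear",
             frozenset(range(5)), range(8, 18), frozenset({"payments_db"})),
        Rule(frozenset({"customer_service"}), "mask_middle",
             frozenset(range(7)), range(6, 22), frozenset({"payments_db", "crm"})),
        Rule(frozenset({"developer"}), "mask_all",
             frozenset(range(7)), range(24), frozenset({"test_db"})),
    ])
    card = "3678 2289 3907 3378"                 # constructed sample value
    tuesday_10 = datetime(2015, 1, 13, 10, 0)    # a weekday, inside office hours
    sunday_10 = datetime(2015, 1, 11, 10, 0)     # same hour, but a Sunday
    out: Dict[str, object] = {
        "analyst_weekday": evaluate(policy, "alice", "fraud_analyst", "payments_db", tuesday_10, card),
        "analyst_sunday": evaluate(policy, "alice", "fraud_analyst", "payments_db", sunday_10, card),
        "service_crm": evaluate(policy, "bob", "customer_service", "crm", tuesday_10, card),
        "developer_prod": evaluate(policy, "carol", "developer", "payments_db", tuesday_10, card),
        "developer_test": evaluate(policy, "carol", "developer", "test_db", tuesday_10, card),
    }
    out["audit_records"] = len(policy.audit)
    out["unauthorized"] = sum(1 for a in policy.audit if not a["authorized"])
    return out
```

`run_policy_demo()` shows the three presentations side by side: the analyst sees the full number on a weekday but is refused on Sunday, customer service sees "3678 22** **** 3378", and the developer is refused in the production store but gets a fully masked value in the test store. All five requests, including the two refusals, end up in the audit trail, which is the Audit element of the policy above.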

Page 47: Summary

The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity

What's required?
• Seamless, boundless security framework – data flow
• Maximizing data utility and minimizing risk – finding the right balance

Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise

What new data security technologies are available for cloud?

How can cloud data security work in context to the enterprise?

Page 48: Thank you!

Questions?

Please contact us for more information

www.protegrity.com
[email protected]