Date post: | 14-Jul-2015 |
Category: |
Technology |
Upload: | ulf-mattsson |
View: | 136 times |
Download: | 2 times |
Where Data Security and Value of Data
Meet in the Cloud
Ulf MattssonCTO, Protegrity
BrightTALK webinar January 14 2015
Cloud Security Alliance (CSA)
PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
IFIP
Ulf Mattsson, Protegrity CTO
• WG 11.3 Data and Application Security
• International Federation for Information Processing
ISACA
• (Information Systems Audit and Control Association)
ISSA
• (Information Systems Security Association)
2
The New Enterprise Paradigm• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency
Rethinking Data Security for a Boundless World• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximize data utility & minimizing risk – finding the right balance
Agenda
• Maximize data utility & minimizing risk – finding the right balance
New Security Solutions, Technologies and Techniques• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in context to the enterprise
Best Practices
3
Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal
Enterprises Losing Ground Against Cyber-attacks
of breaches are detected by internal monitoring tools
JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the larges banks
We need a new approach to data security
4
High -profile Cyber Attacks
49% recommended Database security
40% of budget still on Network security
5
40% only
19% to database security
Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification
ThePerimeter -less
6
Perimeter -less World
Big data projects in 2015
• Integration with the outside world
Security prevents big data from becoming a prevalent enterprise computing
Integration with Outside World
26 billion devices on the Internet of Things by
2020 (Gartner)
7
www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html
enterprise computing platform
• 3rd party products are helping
wikipedia.org
They’re Tracking When You Turn Off the Lights
8 Source: Wall Street Journal
Sensors to capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian
traffic flow
The Department of Homeland Security investigating
• Two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers
• Can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity
Security Threats of Connected Medical Devices
deadly jolt of electricity
• Keep medical data stored encrypted
PricewaterhouseCoopers study
• $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability
9
www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#
CHALLENGEHow can I Secure the
10
Secure thePerimeter -less
Enterprise?
CloudComputing Computing
11
What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing?
12
Security of Data in Cloud at Board -level
13
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
Data Security Holding Back Cloud Projects
14
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
Threat Vector Inheritance
15
Public Cloud
16
Source: Wired.com
New Technologies to Secure
17
to Secure Cloud Data
Rather than making the protection platform based, the security is applied directly to the data
Protecting the data wherever it goes, in any environment
Data-Centric Protection Increases Security in Cloud Computing
Cloud environments by nature have more access points and cannot be disconnected
Data-centric protection reduces the reliance on controlling the high number of access points
18
Corporate Network
Security Gateway Deployment – Hybrid Cloud
ClientSystem
Public CloudCloud Gateway
Private Cloud
019
EnterpriseSecurity
AdministratorSecurity Officer
Out-sourced
Corporate Network Corporate Network
Security Gateway Deployment – Hybrid Cloud
ClientSystem
Private Cloud Public Cloud
CloudGateway
020
EnterpriseSecurity
AdministratorSecurity Officer
Gateway
Out-sourced
Corporate Network
ClientSystem Cloud
Gateway
Security Gateway – Searchable Encryption
RDBMSQuery
re-write
021
EnterpriseSecurity
AdministratorSecurity Officer
Order preserving encryption
Corporate Network
ClientSystem
CloudGateway
Security Gateway – Search & Indexing
RDBMSQuery
re-write
022
EnterpriseSecurity
AdministratorSecurity Officer
IndexIndex
Cloud Gateway - Requirements Adjusted Protection
Data Protection Methods Scalability Storage Security Tr ansparency
System without data protection
Weak Encryption (1:1 mapping)
Searchable Gateway Index (IV)
Vaultless Tokenization
Partial EncryptionPartial Encryption
Data Type Preservation Encryption
Strong Encryption (AES CBC, IV)
Best Worst
23
Comparing Data Protection Data Protection
Methods
24
Computational Usefulness
Risk Adjusted Storage – Data Leaking Formats
H
25
Data
Leakage
Strong-encryption Truncation Sort-order-pres erving-encryption Indexing
L
I I I I
Balancing Data Security & Utility
Value
Preserving
Classification of Sensitive Data
Granular Protection of Sensitive Data
26
Index Data
Leaking
Sensitive
Data ?
Encoding
Leaking
Sensitive
Data ?
Risk Adjusted Data Leakage
Index
Trust
HIndex
Leaking
Sensitive
Data
Sort Order Preserving
Encryption Algorithms
Leaking Sensitive
Data
27
Index Data
ElasticityOut-sourcedIn-house
L
Index NOT
Leaking
Sensitive
Data
Reduction of Pain with New Protection Techniques
High
Pain& TCO
Strong Encryption Output:AES, 3DES
Format Preserving EncryptionDTP, FPE
Input Value: 3872 3789 1620 3675
!@#$%a^.,mhu7///&*B()_+!@
8278 2789 2990 2789
28
1970 2000 2005 2010
Low
Vault-based Tokenization
Vaultless Tokenization
8278 2789 2990 2789
Format Preserving
Greatly reduced Key Management
No Vault
8278 2789 2990 2789
What is Data Tokenization?
29
Data Tokenization?
Data Tokenization – Replacing The Data
30
Source: plus.google.com
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
31
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
10 000 000 -
1 000 000 -
100 000 -
10 000 -
Transactions per second*
Speed of Fine Grained Protection Methods
10 000 -
1 000 -
100 -I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Vault-based
Data
Tokenization
*: Speed will depend on the configuration
32
Significantly Different Tokenization Approaches
Property Dynamic Pre-generated
Vault-based Vaultless
33
Examples of Protected DataField Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address [email protected] [email protected]
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare / Financial Services
Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.Financial Services Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
34
Use
Case
How Should I Secure Different Data?
Simple –PCI
PII
Encryption
of Files
CardHolder Data
Tokenization of Fields
Personally Identifiable Information
Type of
DataI
Structured
I
Un-structured
Complex – PHI
ProtectedHealth
Information
35
Personally Identifiable Information
Example of Cross Border Data-centric Security
Data sources
Data
WarehouseWarehouse
In Italy
Complete policy-enforced de-identification of sensitive data
across all bank entities
How to Balance
Risk and Risk and
Data Access37
High -
Risk Adjusted Data Security – Access Controls
Risk Exposure
User Productivity and Creativity
38
Access to Sensitive Data in
Clear
Low Access to Data High Access to Data
Low -
I I
High -
Risk Adjusted Data Security – Tokenized Data
User Productivity and Creativity
39
Access to
Tokenized Data
Low Access to Data High Access to Data
Low -
I I
Risk Exposure
Cost of Application
Changes
High -
Risk Adjusted Data Security – Selective Masking
Risk Exposure
Cost Example: 16 digit credit card number
40
All-16-clear Only-middle-6-hidden All-16-hidden
Low -
I I I
Fine Grained Security: Securing Fields
Production SystemsEncryption of fields• Reversible• Policy Control (authorized / Unauthorized Access)• Lacks Integration Transparency• Complex Key Management• Example: !@#$%a^.,mhu7///&*B()_+!@
41
Non-Production SystemsMasking of fields• Not reversible• No Policy, Everyone can access the data• Integrates Transparently• No Complex Key Management• Example: 0389 3778 3652 0038
Fine Grained Security: Tokenization of Fields
Production Systems
Tokenization (Pseudonymization)
• No Complex Key Management• Business Intelligence• Example: 0389 3778 3652 0038
42
Non-Production Systems
• Reversible • Policy Control (Authorized / Unauthorized Access)
• Not Reversible• Integrates Transparently
Data–Centric Audit and Protection (DCAP)
Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act
By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less
043
Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
approaches in 25% of large enterprises, up from less than 5% today
Confidential
Centrally managed security policy
Across unstructured and structured silos
Classify data, control access and monitoring
Protection – encryption, tokenization and masking
Segregation of duties – application users and privileged
Data–Centric Audit and Protection (DCAP)
044
Segregation of duties – application users and privileged
users
Auditing and reporting
Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
Confidential
Centralized Policy Management - ExampleApplication
RDBMS
MPP
AuditLog
AuditLog
AuditLog
EnterpriseSecurity
Administrator
PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy
Cloud
Security Officer
AuditLog
AuditLog
AuditLog
45
File Servers
Big Data
Gateway Servers
HP NonStopBase24
IBM Mainframe Protector
AuditLog
AuditLog Audit
Log
AuditLog
Protection Servers
AuditLog
AuditLog
Enterprise Data Security Policy
What is the sensitive data that needs to be protected.
How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc.
Who should have access to sensitive data and who should not. Security access control.
What
Who
How
46
When should sensitive data access be granted to those who have access. Day of week, time of day.
Where is the sensitive data stored? This will be where the policy is enforced.
Audit authorized or un-authorized access to sensitive data.
When
Where
Audit
The biggest challenge in this new paradigm• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?• Seamless, boundless security framework – data flow
• Maximize data utility & Minimizing risk – finding the right balance
Value-preserving data-centric security methods
Summary
Value-preserving data-centric security methods• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise.
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
47
Thank you!Thank you!
Questions?
Please contact us for more information
www.protegrity.com