Document 187442

Data Breaches Gone Mad
Learn how to Secure your Data Warehouse
Straight Away!
Wednesday September 28th, 2011
Martin Willcox
Director Product & Solutions Marketing
Teradata Europe, Middle East & Africa
Ulf Mattsson
CTO Protegrity
The Tokenization Experts
Some of you have already met Yuri.
protegrity
4
4
Source: http://www.youtube.com/user/ProtegrityUSA
Last year he and his
“anonymous” friends hacked
AT&T.
protegrity
5
5
Source: http://www.youtube.com/user/ProtegrityUSA
•
•
Security vulnerability in a Website used by iPad customers
100,000 e-mail addresses and iPad identification numbers were
exposed, including:
• New York Mayor
• FBI and NASA
• US Departments of Defense
• Executives from Google,
Microsoft, Amazon and
Goldman Sachs
Source 2010: http://news.cnet.com/8301-27080_3-20007417-245.html#ixzz1Y9IW9a7o
protegrity
6
This year they hacked Sony and bought
BMW M5s.
protegrity
7
Source: http://www.youtube.com/user/ProtegrityUSA
8
•
Data including
passwords and personal
details were stored in
clear text
•
Attacks were not
coordinated and not
advanced
•
Majority of attacks
were SQL Injection
dumps and Distributed
Denial of Service (DDoS)
protegrity
Next month Yuri plans to hit a
major telco with the keys
provided by a disgruntled
employee.
protegrity
9
Source: http://www.youtube.com/user/ProtegrityUSA
Then Yuri is going to buy a
private jet.
protegrity
10
Source: http://www.youtube.com/user/ProtegrityUSA
Hospitality
Retail
Financial Services
Government
Tech Services
Manufacturing
Transportation
Media
Healthcare
Business Services
0
10
20
30
40
50 %
*: Number of breaches
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
11
protegrity
Source: Trustwave Global Security Report 2011
12
protegrity
So how does Yuri do it?
protegrity
13
Source: http://www.youtube.com/user/ProtegrityUSA
Hacking
Malware
Physical
Error
Misuse
Social
0
20
40
60
80
100
%
*: Number of records
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
protegrity
14
“Usually, I just
need one
disgruntled
employee.
Just one.”
protegrity
15
Source: http://www.youtube.com/user/ProtegrityUSA
•
•
•
•
Attackers stole information about SecurID
two-factor authentication
60 different types of customized malware
Advanced Persistent Threat (APT) malware
tied to a network in Shanghai
A tool written by a Chinese hacker 10 years
ago
protegrity
16
Third party fraud detection
Notified by law enforcement
Reported by customer/partner…
Unusual system behavior
Reported by employee
Internal security audit or scan
Internal fraud detection
Brag or blackmail by perpetrator
Third party monitoring service
*: Number of breaches
0
10
20
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
17
30
40
50 %
protegrity
•
Some issues have stayed constant:
•
•
•
Threat landscape continues to gain sophistication
Attackers will always be a step ahead of the defenders
Different motivation, methods and tools today:
•
•
We are fighting highly organized, well-funded
crime syndicates and nations
Move from detective to preventative controls needed
Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
protegrity
18
Payment card data
Personal information
Usernames, passwords
Intellectual property
Bank account data
Medical records
Classified information
System information
Sensitive organizational data
0
20
40
*: Number of records
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
19
60
80 100 120 %
protegrity
20
Firewalls
Encryption/Tokenization for data at…
Anti-virus & anti-malware solution
Encryption for data in motion
Access governance systems
Identity & access management systems
Correlation or event management…
Web application firewalls (WAF)
Endpoint encryption solution
Data loss prevention systems (DLP)
Intrusion detection or prevention…
Database scanning and monitoring…
ID & credentialing system
0
WAF
Client encryption
DLP
IDS
DAM
10 20 30 40 50 60 70 80 90 %
*: Cost effective solutions for PCI DSS. Source: PCI DSS Compliance Survey, Ponemon Institute
protegrity
20
protegrity
21
Jim Browning
Senior Security Engineer
Teradata Labs
Teradata – Protegrity Partnership
•
Strategic partnership since 2004
•
Advocated solution for data protection on Teradata Databases
•
Design and development of Protegrity data security platform for Teradata
•
Proven parallel and scalable data protection for Teradata MPP platforms
•
Collaboration on forward-looking roadmaps
–
–
–
•
23
New and advanced data protection options
Integration with new Teradata Database features
Seamless operation on large data warehouse systems
World-class customers
Teradata – Protegrity Customers by Industry
Manufacturing
Telecommunications
Utilities
Retail
Transportation
Government
Healthcare
Financial
24
Types of Data Requiring Protection
•
Credit Card Information
–
–
–
•
Consumer Financial Data
–
–
25
Social Security Numbers
Tax Identifiers
Drivers License Numbers
Date of Birth
Account Numbers
PINs
Protected Health Information
–
–
•
Personal Identifying Information
–
–
–
–
•
Credit Card Numbers (PAN)
Service Codes
Expiration Dates
•
Corporate Financial Data
–
•
Identifiable Patient Data
Medical Record Numbers
Non-public Information
Human Resources Data
–
–
Payroll Information
Performance Ratings
•
Customer and Prospect Data
•
Trade Secrets and Intellectual
Property
Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata
Databases
– Provides additional separation of duties through a separate
Security Manager interface for creation and maintenance of
security policies
– Includes a patented key management system for secure key
generation and protection of keys when stored
– Supports multiple data protection options including strong
encryption and tokenization
– Supports multiple cryptographic algorithms and key strengths
– Automates the process of converting clear text data to cipher text
26
Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata
Databases
– Provides additional access controls to protect sensitive information
(even DBC can not see unencrypted data unless specifically
authorized by the Security Manager)
– Includes additional auditing separate from database audit logs
(such as the Access Log)
– Designed to fully exploit Teradata Database parallelism and
scalability
– Enterprise-wide solution that works with most major databases and
operating systems (not just Teradata)
27
Protegrity Data Protection for Teradata
Architecture
Clique
Enterprise Security
Administrator (ESA)
Policy
Management
Policy
Log Proxy
Server
Deployment
Server
PEP
Server
Data Protection
Operations
Audit Logs
AMP
Data Protection
Operations
Node
AMP
AMP
AMP
AMP
Key
Management
Node
Audit
Management
PEP
Server
28
Policy Enforcement
Agent
(UDF / UDT)
AMP
AMP
AMP
Protected Data
Data Protection Methods
Strong Encryption
AES(128,256) / 3DES
DTP2
Data Type Preserving Encryption 2
Hashing
HMAC SHA-1
DAM
Data Activity Monitoring
29
Strong Encryption
• Symmetric encryption
• Encrypted value can be used in database for
joins, etc.
Data Type Preserving Encryption 2
• Preserves the data type and length of a
protected column
Hashing
• One way… can not be decrypted
• Hashed value can be used in database for
joins
Data Activity Monitoring (DAM)
• Monitors access to sensitive columns
without encrypting or hashing
• Can be used as a compensating control
Masking
Masking
Tokenization
Tokenization
• Replaces sensitive characters in a string of
data to render the data secure
• Customizable mask patterns
• Provides inert values that can replace
sensitive data in databases
• Can be used as a compensating control
Data Protection Considerations
• Performance
• Storage
• Security
• Transparency
30
Data Protection Methods
Data Protection Methods
Performance
Storage
Security
Transparency
System without data protection
Monitoring + Blocking + Masking
Format Controlling Encryption
Strong Encryption
Tokenization
Hashing
Best
31
Worst
Replace Sensitive Data With Fake Data
=
Random number
32
Data
Token
Replace Sensitive Data with Fake Data
De-tokenization
Tokenization
Applications & Databases
: Data Token
33
Unprotected sensitive information:
Protected sensitive information:
What is Tokenization and What is the Benefit?
Tokenization
• Tokenization is process that replaces sensitive data in systems
with inert data called tokens which have no value to the thief
• Tokens resemble the original data in data type and length
Benefit
• Greatly improved transparency to systems and processes that
need to be protected
Result
• Reduced remediation
• Reduced need for key management
• Reduce the points of attacks
• Reduce the PCI DSS audit costs for retail scenarios
34
Complexity when Using Basic Tokenization
Large footprint becomes larger
Clique
Replication becomes more complex
Solution may be unmanageable and expensive
Node
AMP
Protegrity
Agent
Token Server
AMP
AMP
AMP
Node
AMP
Protegrity
Agent
AMP
AMP
AMP
Credit Card
Number
35
Social Security
Number
Passport
Number
Protegrity Tokenization for Teradata Architecture
Clique
Small footprint
Node
Protegrity
Agent
Small static token tables
Tokenization
Operations
AMP
High availability
AMP
High scalability
AMP
High performance
AMP
No replication required
No chance of collisions
Node
Protegrity
Agent
Tokenization
Operations
AMP
AMP
AMP
AMP
36
Performance Comparison
Basic Tokenization
• 5 tokens per second (outsourced)
• 5000 tokens per second (in-house)
Protegrity Tokenization
• 200,000 tokens per second (Protegrity)
• Single commodity server with 10 connections.
• Will grow linearly with additional servers and/or connections
• 9,000,000+ tokenizations per second (Protegrity /Teradata)
37
Protegrity Tokenization Differentiators
Basic Tokenization
38
Protegrity Tokenization
Footprint
Large, Expanding
Small, Static
High Availability,
Disaster Recovery
Complex, expensive
replication required
No replication required
Distribution
Practically impossible to
distribute geographically
Easy to deploy at different geographically
distributed locations
Reliability
Prone to collisions
No collisions
Performance,
Latency, and
Scalability
Will adversely impact
performance & scalability
Little or no latency. Fastest industry
tokenization
Extendibility
Practically impossible
Unlimited Tokenization Capability
Why Tokenization?
No masking needed
No encryption/decryption when using
No key management across enterprise
Why Protegrity Tokenization?
Better – small footprint
Faster – high performance
Lower total cost of ownership
39
Flexibility for Different Forms of Data
Type of Data
Input
Token
Comment
Token Properties
40
Credit Card
3872 3789 1620 3675
8278 2789 2990 2789
Numeric
Medical ID
29M2009ID
497HF390D
Alpha-Numeric
Date
10/30/1955
12/25/2034
Date
E-mail Address
ulf.mattsson@protegrity.com
empo.snaugs@svtiensnni.snk
Alpha Numeric, delimiters
in input preserved
SSN Delimiters
075-67-2278
287-38-2567
Numeric, delimiters in
input
Credit Card
3872 3789 1620 3675
8278 2789 2990 3675
Numeric, Last 4 digits
exposed
Tokenization Case Studies
Customer 1: Extensive enterprise End-to-End credit card data
protection switching to Protegrity Tokenization
•
Performance Challenge: Initial tokenization
•
Vendor Lock-In: What if we want to switch payment processor?
•
Performance Challenge: Operational tokenization (SLAs)
Customer 2: Desired single vendor to provide data protection
including
tokenization
•
Combined use of tokenization and encryption
•
Looking to expand tokens beyond CCN to PII
Customer 3: Reduce compliance cost. 50 million Credit Cards, 700
million daily transactions
41
•
Performance Challenge: Initial tokenization
•
End-to-End Tokens: Started with the EDW and expanding to stores
Case Study – Large Chain Store
By segmenting cardholder data with tokenization, a
regional chain of 1,500 local convenience stores is reducing
its PCI audit from seven to three months
“We planned on 30 days to tokenize our 30 million card
numbers. With Protegrity Tokenization the whole process
took about 90 minutes”
Qualified Security Assessors had no issues with the
effective segmentation provided by Tokenization
• “With encryption, implementations can spawn dozens of
questions”
• “There were no such challenges with tokenization”
42
Case Study – Large Chain Store
Faster PCI audit
• Half that time
Lower maintenance cost
• Do not have to apply all 12 requirements of PCI DSS
to every system
Better security
• Ability to eliminate several business processes such as generating
daily reports for data requests and access
Strong performance
• Rapid processing rate for initial tokenization
• Sub-second transaction SLA
43
Protegrity in the ETL Process
Sources
Transformation
Targets
SQL
Server
ETL Platform
AS/400
Mainframe
Oracle
44
• Cleansing
• Integration
• Transformation
Teradata Load
Processes
Informatica
Data Stage
Teradata
EDW
Protegrity Policy Role Based
Access Control
DB2
Original Value
No Access
Token
Mask
Hash
Test Data
Protegrity Data Security Platform in Action
Secure
Collection
Secure
Distribution
Audit
Log
POS
e-commerce Branch
Tokenization
Policy
Database
Protector
Security
Administrator
Application
Protector
File System
Protector
45
Why Protegrity?
Protegrity’s Tokenization allows compliance across:
• PCI
• PII
• PHI
Innovative: Pushing data protection with industry leading innovation
such as out patented database protection system and the Protegrity
Tokenization
Proven: Proven platform currently protects the worlds largest
companies
Experienced: Experienced staff will be there with support along the
way to complete data protection
46
Q&A
Contacts:
Protegrity:
Teradata:
elaine.evans@protegrity.com
simona.firmo@teradata.com
Thank you!
Data Breaches Gone Mad
Learn how to Secure your Data Warehouse Straight Away!