Understanding Your Data Flow

      Using Tokenization to Secure Data
                   Ulf Mattsson
                  CTO Protegrity




Ulf Mattsson, CTO Protegrity
    • 20 years with IBM Development & Global Services
    • Started Protegrity 1994
    • Inventor of 22 patents – Encryption and
      Tokenization
    • Member of
       – PCI Security Standards Council (PCI SSC)
       – American National Standards Institute (ANSI) X9
       – International Federation for Information Processing (IFIP) WG
         11.3 Data and Application Security
       – ISACA (Information Systems Audit and Control Association)
       – Information Systems Security Association (ISSA)
       – Cloud Security Alliance (CSA)




Session topics
    •   Discuss threats against data
    •   Review solutions for securing data
        – Evaluate different options for data tokenization and
          encryption
    •   Review case studies
        – Discuss how to stay out of scope for PCI DSS
    •   Review data protection cost efficiency
        – Introduce a business risk approach
    •   Discuss cloud and outsourced environments

THIEVES ARE STEALING OUR DATA!
Albert Gonzalez: 20 years in US federal prison

US federal indictments:
    1. Dave & Buster's
    2. TJ Maxx
    3. Heartland (HPS): breach expenses $140M

Source: http://en.wikipedia.org/wiki/Albert_Gonzalez
Source: http://www.youtube.com/user/ProtegrityUSA
What about Breaches & PCI? Was Data Protected?

Bar chart: percentage of breached organizations found in compliance with each PCI DSS requirement (percentages not reproduced here), requirements in the order plotted:

    9: Restrict physical access to cardholder data
    5: Use and regularly update anti-virus software
    4: Encrypt transmission of cardholder data
    2: Do not use vendor-supplied defaults for security parameters
    12: Maintain a policy that addresses information security
    1: Install and maintain a firewall configuration to protect data
    8: Assign a unique ID to each person with computer access
    6: Develop and maintain secure systems and applications
    10: Track and monitor all access to network resources and data
    11: Regularly test security systems and processes
    7: Restrict access to data by business need-to-know
    3: Protect stored data

Based on post-breach reviews of relevant organizations' compliance with PCI DSS. Source: Verizon study.
WHAT TYPES OF DATA ARE UNDER ATTACK NOW?
What Data is Compromised?

Bar chart, by percent of records (values not reproduced here), categories in the order plotted:
    Personal information (name, SSN, address, etc.)
    Payment card numbers/data
    Unknown (specific type is not known)
    Medical records
    Classified information
    Trade secrets
    Copyrighted/trademarked material
    System information (config, services, software, etc.)
    Bank account numbers/data
    Sensitive organizational data (reports, plans, etc.)
    Authentication credentials

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/
Today "Hacktivism" is Dominating

Bar chart of threat agents, by percent of records (values not reproduced here), in the order plotted:
    Activist group
    Organized criminal group
    Relative or acquaintance of employee
    Former employee (no longer had access)
    Unaffiliated person(s)
    Unknown

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/
Growing Threat of "Hacktivism" by Groups such as Anonymous

Attacks by Anonymous include:
    • 2012: CIA and Interpol
    • 2011: Sony, Stratfor and HBGary Federal

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/; http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
Let's Review Some Major Recent Breaches

Timeline chart, April 2011 to August 2011, showing attack type, time and impact ($) of each breach (chart not reproduced here).

Source: IBM 2012 Security Breaches Trend and Risk Report
The Sony Breach & Cloud

    • Lost 100 million passwords and personal details, stored in the clear
    • Spent $171 million related to the data breach
    • Sony's stock price fell 40 percent
    • For three pennies an hour, hackers can rent Amazon.com compute capacity to wage cyber attacks such as the one that crippled Sony
    • Attack via SQL injection
SQL Injection Attacks are Increasing

Bar chart of SQL injection attacks per quarter, Q1 2011 to Q3 2011, on a scale from 5,000 to 25,000 (values not reproduced here).

Source: IBM 2012 Security Breaches Trend and Risk Report
WHAT IS SQL INJECTION?
What is an SQL Injection Attack?

Diagram: a SQL command is injected into the application, which forwards it to the data store. The application's own database connection becomes the attacker's channel to the data.
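The injection the diagram describes, as an added example that is not part of the original deck: a lookup built by string concatenation beside the same lookup as a parameterized query, both run against an in-memory SQLite table standing in for the data store. The table, column names and card numbers are constructed for the example.

```python
import sqlite3

# Added example, not from the slides: a constructed in-memory "Data Store".
# Table, column names and the card numbers are made up for this demonstration.


def make_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, pan TEXT)")
    db.executemany("INSERT INTO cards (customer, pan) VALUES (?, ?)", [
        ("alice", "4111111111111111"),
        ("bob", "5500000000000004"),
        ("carol", "340000000000009"),
    ])
    return db


def lookup_vulnerable(db, customer):
    """Builds the statement by concatenation: whatever the caller supplies is
    parsed as SQL, so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT customer, pan FROM cards WHERE customer = '" + customer + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, customer):
    """Parameterized query: the driver passes the value separately from the
    statement text, so the same input is compared literally and matches nothing."""
    return db.execute(
        "SELECT customer, pan FROM cards WHERE customer = ?", (customer,)
    ).fetchall()


# Closes the string literal and appends an always-true condition.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_store()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))   # every row, every PAN
    print("safe:      ", lookup_safe(db, INJECTION))         # []
```

The concatenated version returns every row, card numbers included, for the input `x' OR '1'='1`; the parameterized version returns nothing for it. Parameterization closes the injection but not the exposure the following slides are about: an application that is compromised some other way and legitimately reads clear PANs still hands them over, which is the argument for not keeping the real values in the store at all.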
WHO IS THE NEXT TARGET?
New Industry Groups are Targets

Bar chart of breaches by industry, by percent of breaches (values not reproduced here), in the order plotted:
    Accommodation and Food Services
    Retail Trade
    Finance and Insurance
    Health Care and Social Assistance
    Other
    Information

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/
The Changing Threat Landscape

Some issues have stayed constant:
    • The threat landscape continues to gain sophistication
    • Attackers will always be a step ahead of the defenders

We are fighting highly organized, well-funded crime syndicates and nations.

A move from detective to preventative controls is needed.

Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
How are Breaches Discovered?

Bar chart of discovery methods, by percent of breaches (values not reproduced here), in the order plotted:
    Notified by law enforcement
    Third-party fraud detection (e.g., CPP, common point of purchase analysis)
    Reported by customer/partner affected
    Brag or blackmail by perpetrator
    Unknown
    Witnessed and/or reported by employee
    Other(s)
    Internal fraud detection mechanism
    Financial audit and reconciliation process
    Log analysis and/or review process
    Unusual system behavior or performance

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/
WHERE IS DATA LOST?
What Assets are Compromised?

Bar chart of compromised assets, by percent of records (values not reproduced here), in the order plotted:
    Database server
    Web/application server
    Desktop/workstation
    Mail server
    Call center staff (people)
    Remote access server
    Laptop/netbook
    File server
    Pay-at-the-pump terminal (user devices)
    Cashier/teller/waiter (people)
    Payment card (credit, debit, etc.) (offline data)
    Regular employee/end-user (people)
    Automated teller machine (ATM)
    POS terminal (user devices)
    POS server (store controller)

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/
Hacking and Malware are Leading Threat Action Categories

Bar chart of threat action categories, by percent of records (values not reproduced here), in the order plotted:
    Hacking
    Social
    Misuse
    Environmental

Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/
Thieves Are Attacking the Data Flow

Diagram: sensitive data passing from application to application; every hop that carries the real value is a point of attack.
THIS IS A CATCH 22!
Thieves Can't Steal What's Not There: Fake Data

Diagram: the same application-to-application flow, now carrying a surrogate value (shown as ???-??-????) in place of the real data.
HOW CAN WE SECURE THE DATA FLOW?
Securing The Data Flow with Tokenization

Diagram: the retail store, the payment network and the bank sit on the card-data path; the corporate systems behind the store receive a token (shown as 9999 9999) rather than the card number.
WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
What Has The Industry Done?

Chart of total cost of ownership (high to low) against time (1970 to 2010):
    Strong encryption (3DES, AES ...): earliest, around 1970, highest TCO
    Format preserving encryption (FPE, DTP ...): around 2000 to 2005
    Basic tokenization: around 2005
    Vaultless tokenization: around 2010, lowest TCO

Total cost of ownership includes:
    1. System integration
    2. Performance impact
    3. Key management
    4. Policy management
    5. Reporting
    6. Paper handling
    7. Compliance audit
    8. ...
Case Study: Large Chain Store

Why? Reduce compliance cost by 50%
    – 50 million credit cards, 700 million daily transactions
    – Performance challenge: 30 days with basic tokenization down to 90 minutes with vaultless tokenization
    – End-to-end tokens: started with the data warehouse and expanding to stores
    – Lower maintenance cost: don't have to apply all 12 requirements
    – Better security: able to eliminate several business and daily reports
    – Qualified Security Assessors had no issues
        • "With encryption, implementations can spawn dozens of questions"
        • "There were no such challenges with tokenization"
HOW CAN WE POSITION DIFFERENT SECURITY OPTIONS?
Speed of Different Protection Methods

Chart of transactions per second (log scale, 100 to 10,000,000) for, left to right: basic data tokenization, format preserving encryption, AES CBC encryption standard, vaultless data tokenization (values not reproduced here). Speed will depend on the configuration.
WHAT IS VAULT-LESS DATA TOKENIZATION?
Different Tokenization Approaches

                           Basic Tokenization                    Vault-less Tokenization*
Footprint                  Large, expanding                      Small, static
High availability,         Complex, expensive replication        No replication required
disaster recovery          required
Distribution               Practically impossible to             Easy to deploy at different
                           distribute geographically             geographically distributed locations
Reliability                Prone to collisions                   No collisions
Performance, latency       Will adversely impact performance     Little or no latency; fastest
and scalability            and scalability                       industry tokenization
Extendibility              Practically impossible                Unlimited tokenization capability

*: Validated by 3rd party experts
HOW IMPORTANT IS COST?
Impact of Different Protection Methods

Chart: intrusiveness to applications and databases (vertical axis) against data length relative to the original (horizontal axis), with sample output for the clear text "123456 123456 1234":

    Encryption standard (changes data type and format; output longer than the original):
        Hashing            -> !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
        Strong encryption  -> !@#$%a^.,mhu7///&*B()_+!@

    Tokenizing, or formatted encryption / encoding (same length and type as the original):
        Alpha              -> aVdSaH 1F4hJ 1D3a
        Numeric            -> 666666 777777 8888
        Partial            -> 123456 777777 1234

    Clear text data        -> 123456 123456 1234
WHEN CAN I USE TOKENIZATION?
How Should I Secure Different Data?

Chart: use case (simple to complex) against type of data (unstructured to structured). File encryption covers the unstructured side, e.g. PHI (Protected Health Information); field tokenization covers the structured side, e.g. PII and cardholder data (PCI).
Tokenizing Different Types of Data

Type of data      Input                          Token                          Comment
Credit card       3872 3789 1620 3675            8278 2789 2990 2789            Numeric
Medical ID        29M2009ID                      497HF390D                      Alphanumeric
Date              10/30/1955                     12/25/2034                     Date
E-mail address    Ulf.mattsson@protegrity.com    empo.snaugs@svtiensnni.snk     Alphanumeric, delimiters in input preserved
SSN               075-67-2278                    287-38-2567                    Numeric, delimiters in input preserved
Credit card       3872 3789 1620 3675            8278 2789 2990 3675            Numeric, last 4 digits exposed
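A minimal vault-backed ("basic") tokenizer that reproduces the behaviors in the table, written here as an added example and not taken from Protegrity's product: per-character format preservation (digit for digit, letter for letter, delimiters kept in place), a random valid date for date fields, optional exposure of the trailing four digits, and a lookup vault with retry on collision. The sample values are the slide's own illustrative inputs; the MM/DD/YYYY date format and the 1900 to 2099 date range are assumptions, and the tokens are random, so the output differs from the slide's.

```python
import secrets
import string
from datetime import date, datetime, timedelta

# Added example, not Protegrity's code: a vault-backed tokenizer that keeps the
# input's type and format. Sample values below are the slide's illustrative inputs.

DIGITS, UPPER, LOWER = string.digits, string.ascii_uppercase, string.ascii_lowercase
DATE_FMT = "%m/%d/%Y"  # assumed date format for the date example


def _char_class(ch):
    """Classify a character: '9' digit, 'A' upper, 'a' lower, or the delimiter itself."""
    if ch in DIGITS:
        return "9"
    if ch in UPPER:
        return "A"
    if ch in LOWER:
        return "a"
    return ch  # '-', '/', '@', '.', ' ' and other delimiters stand for themselves


def _random_same_class(ch):
    """Draw a random character of the same class; delimiters pass through unchanged."""
    cls = _char_class(ch)
    if cls == "9":
        return secrets.choice(DIGITS)
    if cls == "A":
        return secrets.choice(UPPER)
    if cls == "a":
        return secrets.choice(LOWER)
    return ch


def same_format(original, token):
    """True when token has original's length and character class at every position."""
    return len(original) == len(token) and all(
        _char_class(a) == _char_class(b) for a, b in zip(original, token)
    )


def is_valid_date(text, fmt=DATE_FMT):
    try:
        datetime.strptime(text, fmt)
        return True
    except ValueError:
        return False


def _random_date(fmt=DATE_FMT):
    """A date token must itself be a valid date, so draw one rather than scrambling digits."""
    start = date(1900, 1, 1)
    span = (date(2099, 12, 31) - start).days
    return (start + timedelta(days=secrets.randbelow(span + 1))).strftime(fmt)


class TokenVault:
    """Token <-> value lookup table (the 'code book' of a basic tokenization system).
    Random tokens can collide, so generation checks the vault and retries; the
    lookup is also why the vault must be replicated wherever tokens are resolved."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value, kind="format", expose_last=0):
        """kind='format' keeps per-character classes and delimiters; kind='date'
        yields a random valid date. expose_last leaves that many trailing digits
        in the clear (e.g. the last 4 of a card number)."""
        key = (value, kind, expose_last)
        if key in self._token_by_value:      # multi-use: same input, same token
            return self._token_by_value[key]
        if expose_last and not value[-expose_last:].isdigit():
            raise ValueError("expose_last applies to trailing digits only")
        for _ in range(1000):                # bounded retry on collisions
            if kind == "date":
                token = _random_date()
            else:
                cut = len(value) - expose_last
                token = "".join(_random_same_class(c) for c in value[:cut]) + value[cut:]
            if token != value and token not in self._value_by_token:
                self._value_by_token[token] = value
                self._token_by_value[key] = token
                return token
        raise RuntimeError("could not find an unused token (vault too full)")

    def detokenize(self, token):
        """Only a system holding the vault can recover the original value."""
        return self._value_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    for value, kind, last in [("3872 3789 1620 3675", "format", 0),
                              ("29M2009ID", "format", 0),
                              ("10/30/1955", "date", 0),
                              ("Ulf.mattsson@protegrity.com", "format", 0),
                              ("075-67-2278", "format", 0),
                              ("3872 3789 1620 3675", "format", 4)]:
        print(f"{value:30} -> {vault.tokenize(value, kind, last)}")
```

The vault is what the deck's "basic tokenization" column describes: every new token costs a lookup, the table grows with the number of distinct values, and it has to be available wherever detokenization happens. A vaultless scheme removes that table; the deck does not say how, so that is not shown here.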
ANY TOKENIZATION GUIDELINES?
Tokenization Guidelines, Visa

Token generation                              Single-use token          Multi-use token
Reversible
    Known strong algorithm and key            Yes                       No
    Unique sequence number                    Yes                       Yes
Irreversible (one-way function)
    Hash                                      Secret per transaction    Secret per merchant
    Randomly generated value                  Yes                       Yes
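The token-generation families in Visa's table, as an added example that is not from the slides or from Visa's document: a keyed one-way function with a per-merchant or per-transaction secret, a random value, and, for contrast, an unkeyed hash, which is not in the table but is a common mistake. The card number and secrets are constructed test values, and the enumeration attack assumes the attacker knows the card's BIN and the last four digits from a receipt.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides or Visa: minimal token generators whose
# security properties can be compared. Card numbers and secrets are constructed.


def token_unkeyed_hash(pan):
    """Irreversible function with NO secret. One-way in theory, but the PAN
    space is small and structured, so the token is inverted by enumeration."""
    return hashlib.sha256(pan.encode()).hexdigest()


def token_keyed_hash(pan, secret):
    """One-way function with a secret. A secret per merchant gives a multi-use
    token (same PAN -> same token, usable for repeat-customer analytics); a
    fresh secret per transaction gives a single-use token."""
    return hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()


def token_random(ndigits=16):
    """Random value with no mathematical relation to the PAN; it is only useful
    together with a vault that maps it back."""
    return "".join(secrets.choice("0123456789") for _ in range(ndigits))


def invert_by_enumeration(derive, token, known_prefix, known_suffix, unknown_digits):
    """Attacker model: the BIN (prefix) and the receipt's last four (suffix) are
    known, so only the middle digits are guessed. On a real 16-digit PAN that gap
    is 6 digits, at most 10**6 evaluations of derive(), i.e. minutes of CPU."""
    for middle in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{middle:0{unknown_digits}d}{known_suffix}"
        if derive(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                # constructed test PAN
    t = token_unkeyed_hash(pan)
    print("unkeyed hash inverted :", invert_by_enumeration(token_unkeyed_hash, t, "41111111", "1111", 4))
    merchant_secret = secrets.token_bytes(32)
    print("multi-use token stable:", token_keyed_hash(pan, merchant_secret) == token_keyed_hash(pan, merchant_secret))
    print("single-use tokens differ:", token_keyed_hash(pan, secrets.token_bytes(32))
          != token_keyed_hash(pan, secrets.token_bytes(32)))
    print("random token          :", token_random())
```

The unkeyed hash is recovered by enumerating the unknown digits; the keyed token is not, as long as the secret is high-entropy and is not stored on the systems that hold the tokens. A per-merchant secret yields the same token for the same card on every visit, a per-transaction secret does not. The random token carries no information about the PAN at all, which is why the following slides treat random tokens as the route to taking systems out of PCI scope, at the price of needing a vault to map them back.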
Tokenization vs. Encryption

                      Encryption                        Tokenization
Approach used         Cipher system                     Code system
Built from            Cryptographic algorithms and      Code books and index tokens
                      cryptographic keys

Source: McGraw-Hill Encyclopedia of Science & Technology
HOW SECURE IS ENCRYPTION?

Many Broken Algorithms

KEYS EVERYWHERE!
PCI DSS: Tokenization and Encryption are Different

If the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key, there is no scope reduction: anyone holding the key can recover the PAN, so the systems that store such tokens stay in scope.
TOKENS ARE RANDOM

Tokenization and "PCI Out Of Scope"

Decision flow:
    Random number tokens?
        No  -> Is de-tokenization available?
                   Yes -> No scope reduction
                   No (FPE) -> Scope reduction
        Yes -> Isolated from the cardholder data environment?
                   Yes -> Out of scope
                   No  -> Scope reduction

Source: http://www.securosis.com
Case Study: Energy Industry

Why? Reduce PCI scope
    • Best way to handle legacy: we got most of it out of PCI
    • Get rid of unwanted paper copies
    • No need to rewrite/redevelop or restructure business applications
    • A VERY efficient way of reducing PCI scope
    • Better understanding of your data flow
    • Better understanding of business flow
    • Opportunity to clean up a few business oddities
Evaluating Encryption & Tokenization

Comparison matrix (ratings were shown graphically and are not reproduced here) of database file encryption, database column encryption, basic tokenization and vaultless tokenization against:
    Scalability: availability, latency, CPU consumption
    Security: data flow protection, compliance scoping, key management, data collisions, separation of duties
Case Studies: Retail
     Customer 1: Why? Three major concerns solved
        – Performance Challenge; Initial tokenization
        – Vendor Lock-In: What if we want to switch payment processor
        – Extensive Enterprise End-to-End Credit Card Data Protection
     Customer 2: Why? Desired single vendor to provide data
       protection
        – Combined use of tokenization and encryption
        – Looking to expand tokens beyond CCN to PII
     Customer 3: Why? Remove compensating controls from the
       mainframe
        – Tokens on the mainframe to avoid compensating controls

WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES?
Use of Enabling Technologies

                                  Evaluating     Second series (legend label not recovered)
Access controls                       1%             91%
Database activity monitoring         18%             47%
Database encryption                  30%             35%
Backup / archive encryption          21%             39%
Data masking                         28%             28%
Application-level encryption          7%             29%
Tokenization                         22%             23%
Is Data Masking Secure?

Chart: risk (low to high) against system type (test/dev, integration testing, troubleshooting, production).
    Data-at-rest masking (test/dev, integration testing): high risk. Exposure: the data is only obfuscated.
    Data display masking (troubleshooting, production): high risk. Exposure: the data is in the clear before masking.
Data Tokens = Lower Risk

Chart: the same axes as the previous slide (risk against system type).
    Data-at-rest masking: high risk. Exposure: the data is only obfuscated.
    Data display masking: high risk. Exposure: the data is in the clear before masking.
    Data tokens: low risk across all system types, from test/dev to production.
CAN SECURITY HELP CREATIVITY?
Old Security = Less Creativity

Chart: risk (low to high) against access right level (less to more). With traditional access control, risk rises as more access is granted.

Source: InformationWeek Aug 15, 2011
New Data Security = More Creativity

Chart: the same axes as the previous slide. With data tokens the risk stays low as access rights grow, so data can be opened up to more people. New: creativity happens at the edge.

Source: InformationWeek Aug 15, 2011
WHAT IS THE IMPACT ON RISK MANAGEMENT?
Choose Your Defenses

Chart: cost against protection option (from data lockdown to monitoring). Moving from lockdown toward monitoring, the cost of aversion (protection of data) falls while the expected losses from the risk rise; total cost is lowest at the optimal risk point between the two.
DATA SECURITY ADVANCES ARE CHANGING THE BALANCE
Matching Data Protection with Risk Level

Data field                 Risk level    Risk band             Solution
Credit card number         25            High risk (16-25)     Tokenization, strong encryption
Social Security number     20            High risk (16-25)     Tokenization, strong encryption
Email address              20            High risk (16-25)     Tokenization, strong encryption
Customer name              12            Medium risk (6-15)    Monitoring, masking, format controlling encryption
Secret formula             10            Medium risk (6-15)    Monitoring, masking, format controlling encryption
Employee name               9            Medium risk (6-15)    Monitoring, masking, format controlling encryption
Employee health record      6            Medium risk (6-15)    Monitoring, masking, format controlling encryption
Zip code                    3            Low risk (1-5)        Monitoring
SEPARATION OF DUTIES!
Security of Different Protection Methods

Chart: security level (low to high) for, left to right: basic data tokenization, format preserving encryption, AES CBC encryption standard, vaultless data tokenization (values not reproduced here).
HOW CAN I SECURE DATA IN THE CLOUD?
Risks with Cloud Computing

Bar chart, percent of respondents (values not reproduced here), in the order plotted:
    Handing over sensitive data to a third…
    Threat of data breach or loss
    Weakening of corporate network…
    Uptime/business continuity
    Financial strength of the cloud…
    Inability to customize applications

Source: The evolving role of IT managers and CIOs: findings from the 2010 IBM Global IT Risk Study
PCI & Cloud

• The PCI council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment
    – Bob Russo, general manager of the PCI Security Standards Council

Amazon's PCI Compliance

• PCI-DSS 2.0 doesn't address multi-tenancy concerns
• You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
    • Amazon doesn't do this for you; it's something you need to implement yourself, including key management, rotation, logging, etc.
    • If you deploy a server instance in EC2 it still needs to be assessed by your QSA
• Your organization's assessment scope isn't necessarily reduced
    • It might be when you move to something like a tokenization service where you reduce your handling of PAN data

Source: securosis.com
Securing The Data Flow with Tokenization

Diagram (recap of the earlier slide): the retail store, the payment network and the bank sit on the card-data path; the corporate systems receive a token (shown as 9999 9999) rather than the card number.
Why Tokenization?

Why tokenization
    1. No masking
    2. No encryption
    3. No key management

Why vaultless tokenization ($)
    1. Lower cost / TCO
    2. Better
    3. Faster
Conclusion

    • Organizations need to understand their data flow and current security technologies
        – Determine the most significant security exposures
        – Target budgets toward addressing the most critical issues
        – Strengthen security and compliance profiles
    • Achieve the right balance between business needs and security demands
        – Increasingly important as companies change their security strategies to better protect sensitive data following continuing attacks
About Protegrity
     • Proven enterprise data security software and innovation leader
        – Sole focus on the protection of data
        – Patented Technology, Continuing to Drive Innovation
     • Growth driven by compliance and risk management
        – PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI
          (Protected Health Information)
        – US State and Foreign Privacy Laws, Breach Notification Laws
     • Cross-industry applicability
        –   Retail, Hospitality, Travel and Transportation
        –   Financial Services, Insurance, Banking
        –   Healthcare, Telecommunications, Media and Entertainment
        –   Manufacturing and Government




Thank you!
             Q&A
     ulf.mattsson@protegrity.com
          www.protegrity.com
             203-326-7200


75

Similar to ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson

Anypoint Exchange: It’s Not Just a Repo!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson

  • 1. Understanding Your Data Flow: Using Tokenization to Secure Data. Ulf Mattsson, CTO Protegrity
  • 2. [image-only slide]
  • 3. [image-only slide]
  • 4. Ulf Mattsson, CTO Protegrity
    – 20 years with IBM Development & Global Services
    – Started Protegrity 1994
    – Inventor of 22 patents – Encryption and Tokenization
    – Member of: PCI Security Standards Council (PCI SSC); American National Standards Institute (ANSI) X9; International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security; ISACA (Information Systems Audit and Control Association); Information Systems Security Association (ISSA); Cloud Security Alliance (CSA)
  • 5. Session topics
    – Discuss threats against data
    – Review solutions for securing data: evaluate different options for data tokenization and encryption
    – Review case studies: discuss how to stay out of scope for PCI DSS
    – Review data protection cost efficiency: introduce a business risk approach
    – Discuss cloud and outsourced environments
  • 6. THIEVES ARE STEALING OUR DATA!
  • 7. Albert Gonzalez: 20 years in US federal prison. US federal indictments: 1. Dave & Busters 2. TJ Maxx 3. Heartland HPS (breach expenses $140M). Sources: http://en.wikipedia.org/wiki/Albert_Gonzalez, http://www.youtube.com/user/ProtegrityUSA
  • 8. What about breaches & PCI? Was data protected? [chart: percentage of breached organizations found in compliance with each PCI DSS requirement, based on post-breach reviews (Verizon study); requirements as ordered on the chart:] 9: Restrict physical access to cardholder data; 5: Use and regularly update anti-virus software; 4: Encrypt transmission of cardholder data; 2: Do not use vendor-supplied defaults for security parameters; 12: Maintain a policy that addresses information security; 1: Install and maintain a firewall configuration to protect data; 8: Assign a unique ID to each person with computer access; 6: Develop and maintain secure systems and applications; 10: Track and monitor all access to network resources and data; 11: Regularly test security systems and processes; 7: Restrict access to data by business need-to-know; 3: Protect stored data
  • 9. WHAT TYPES OF DATA ARE UNDER ATTACK NOW?
  • 10. What data is compromised? [chart, by percent of records; Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/] Categories: personal information (name, SSN, address, etc.); payment card numbers/data; unknown (specific type is not known); medical records; classified information; trade secrets; copyrighted/trademarked material; system information (config, services, software, etc.); bank account numbers/data; sensitive organizational data (reports, plans, etc.); authentication credentials
  • 11. Today "hacktivism" is dominating. [chart, by percent of records; Source: 2012 Verizon DBIR] Threat agents: activist group; organized criminal group; relative or acquaintance of employee; former employee (no longer had access); unaffiliated person(s); unknown
  • 12. Growing threat of "hacktivism" by groups such as Anonymous. Attacks by Anonymous include: 2012: CIA and Interpol; 2011: Sony, Stratfor and HBGary Federal. Sources: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/; http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous
  • 13. Let's review some major recent breaches. [timeline chart, April–August 2011: attack type, time and impact ($). Source: IBM 2012 Security Breaches Trend and Risk Report]
  • 14. The Sony breach & cloud
    – Lost 100 million passwords and personal details stored in clear
    – Spent $171 million related to the data breach
    – Sony's stock price has fallen 40 percent
    – For three pennies an hour, hackers can rent Amazon.com to wage cyber attacks such as the one that crippled Sony
    – Attack via SQL injection
  • 15. SQL injection attacks are increasing. [chart: attacks per quarter, Q1–Q3 2011, scale 5,000 to 25,000. Source: IBM 2012 Security Breaches Trend and Risk Report]
  • 16. WHAT IS SQL INJECTION?
  • 17. What is an SQL injection attack? [diagram: SQL command injected through the application into the data store]
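Slide 14 attributes the Sony breach to SQL injection and slide 17 shows the injected command reaching the data store. The Python example below is added here and is not code from the deck or from Protegrity: it runs the classic tautology injection against an in-memory SQLite table, shows the parameterized query that stops it, and ties the result to the data-flow argument of slides 25 and 27, because the constructed table stores card tokens instead of PANs, so even the successful injection dumps nothing a thief can use. The table, rows, passwords and token values are all constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example (not real accounts). The card column
# holds tokens of the kind slide 27 calls "fake data", never the real PAN.
# Passwords are stored in clear only to keep the injection visible; a real
# system stores password hashes.
SAMPLE_USERS = [
    ("alice", "s3cret",  "8278278929902789"),
    ("bob",   "hunter2", "1193775024687301"),
]

# Attacker input for the tautology attack: it closes the password literal and
# appends a condition that is always true.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, pan_token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string formatting, so user input becomes SQL syntax.

    With password = "' OR '1'='1" the statement becomes
      ... WHERE username = 'x' AND password = '' OR '1'='1'
    and the OR branch matches every row in the table.
    """
    sql = ("SELECT username, pan_token FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the input is only ever compared as data."""
    sql = "SELECT username, pan_token FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def dump_via_injection(conn: sqlite3.Connection) -> list:
    """What the attacker gets from the vulnerable query: every row, but only tokens."""
    return login_vulnerable(conn, "x", INJECTION)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", dump_via_injection(db))        # every row leaks
    print("safe:      ", login_safe(db, "x", INJECTION))  # no row matches
```

Binding parameters is the fix for the query; tokenizing the stored column is the fix for the data flow, and the two are independent: the second one is what limits the damage when the first one is missed somewhere in a large code base.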
  • 18. WHO IS THE NEXT TARGET?
  • 19. New industry groups are targets. [chart, by percent of breaches; Source: 2012 Verizon DBIR, http://www.verizonbusiness.com/Products/security/dbir/] Industries: accommodation and food services; retail trade; finance and insurance; health care and social assistance; other; information
  • 20. The changing threat landscape. Some issues have stayed constant:
    – Threat landscape continues to gain sophistication
    – Attackers will always be a step ahead of the defenders
    – We are fighting highly organized, well-funded crime syndicates and nations
    – Move from detective to preventative controls needed
    Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
  • 21. How are breaches discovered? [chart, by percent of breaches; Source: 2012 Verizon DBIR] Discovery methods: notified by law enforcement; third-party fraud detection (e.g., CPP); reported by customer/partner affected; brag or blackmail by perpetrator; unknown; witnessed and/or reported by employee; other(s); internal fraud detection mechanism; financial audit and reconciliation process; log analysis and/or review process; unusual system behavior or performance
  • 22. WHERE IS DATA LOST?
  • 23. What assets are compromised? [chart, by percent of records; Source: 2012 Verizon DBIR] Assets: database server; web/application server; desktop/workstation; mail server; call center staff (people); remote access server; laptop/netbook; file server; pay-at-the-pump terminal (user devices); cashier/teller/waiter (people); payment card (credit, debit, etc.) (offline data); regular employee/end-user (people); automated teller machine (ATM); POS terminal (user devices); POS server (store controller)
  • 24. Hacking and malware are leading threat action categories. [chart, by percent of records; Source: 2012 Verizon DBIR] Categories as listed: hacking; social; misuse; environmental
  • 25. Thieves are attacking the data flow. [diagram: data flowing between applications]
  • 26. THIS IS A CATCH 22!
  • 27. Thieves can't steal what's not there: fake data. [diagram: applications exchanging a tokenized value, shown as ???-??-????]
  • 28. HOW CAN WE SECURE THE DATA FLOW?
  • 29. Securing the data flow with tokenization. [diagram: retail store, bank, payment and corporate network systems exchanging the token 9999 9999]
  • 30. WHAT HAS THE INDUSTRY DONE TO SECURE DATA?
  • 31. What has the industry done? [chart: total cost of ownership (low to high) of data protection methods over time, 1970–2010] Strong encryption (3DES, AES, ...): high TCO. Format preserving encryption (FPE, DTP, ...): lower. Basic tokenization: lower still. Vaultless tokenization: low. Components of total cost of ownership: 1. system integration 2. performance impact 3. key management 4. policy management 5. reporting 6. paper handling 7. compliance audit 8. …
  • 32. Case study: large chain store. Why? Reduce compliance cost by 50%
    – 50 million credit cards, 700 million daily transactions
    – Performance challenge: 30 days with basic to 90 minutes with vaultless tokenization
    – End-to-end tokens: started with the data warehouse and expanding to stores
    – Lower maintenance cost: don't have to apply all 12 requirements
    – Better security: able to eliminate several business and daily reports
    – Qualified Security Assessors had no issues: "With encryption, implementations can spawn dozens of questions"; "There were no such challenges with tokenization"
  • 33. HOW CAN WE POSITION DIFFERENT SECURITY OPTIONS?
  • 34. Speed of different protection methods. [chart: transactions per second, log scale from 100 to 10,000,000, for basic data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization; speed will depend on the configuration]
  • 35. WHAT IS VAULT-LESS DATA TOKENIZATION?
  • 36. Different tokenization approaches (basic tokenization vs. vault-less tokenization*)
    – Footprint: large, expanding vs. small, static
    – High availability, disaster recovery: complex, expensive replication required vs. no replication required
    – Distribution: practically impossible to distribute geographically vs. easy to deploy at different geographically distributed locations
    – Reliability: prone to collisions vs. no collisions
    – Performance, latency and scalability: will adversely impact performance & scalability vs. little or no latency, fastest industry tokenization
    – Extendibility: practically impossible vs. unlimited tokenization capability
    *: Validated by 3rd party experts
  • 37. HOW IMPORTANT IS COST?
  • 38. Impact of different protection methods. [chart: intrusiveness to applications and databases (vertical) against data length relative to the original (horizontal)] From most to least intrusive, with the output each method gives for the clear-text input 123456 123456 1234:
    – Encryption standard, hashing: !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
    – Strong encryption: !@#$%a^.,mhu7///&*B()_+!@
    – Tokenizing or encoding, preserving data type & format: alpha aVdSaH 1F4hJ 1D3a; numeric 666666 777777 8888
    – Formatted encryption, partial: 123456 777777 1234
    – Clear text data: 123456 123456 1234
  • 39. WHEN CAN I USE TOKENIZATION?
  • 40. How should I secure different data? [chart: type of data (unstructured to structured) against use case (simple to complex); file encryption for unstructured data, field tokenization for structured data; example data classes PII, PCI cardholder data and PHI (protected health information)]
  • 41. Tokenizing different types of data (input → token, comment):
    – Credit card: 3872 3789 1620 3675 → 8278 2789 2990 2789 (numeric)
    – Medical ID: 29M2009ID → 497HF390D (alpha-numeric)
    – Date: 10/30/1955 → 12/25/2034 (date)
    – E-mail address: Ulf.mattsson@protegrity.com → empo.snaugs@svtiensnni.snk (alpha-numeric, delimiters in input preserved)
    – SSN with delimiters: 075-67-2278 → 287-38-2567 (numeric, delimiters in input preserved)
    – Credit card, last 4 digits exposed: 3872 3789 1620 3675 → 8278 2789 2990 3675 (numeric)
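A minimal vaulted (basic) tokenizer, added here as an example and not Protegrity's or the deck's code, that produces tokens shaped like the rows of slide 41: a random digit or letter of the same class in place of each input character, delimiters passed through, an option to expose the last four digits, a date-aware branch so that a date token is still a valid date, and a vault that maps tokens back to values. It also shows two properties the deck assigns to tokens: the token is random rather than derived from the value (slides 48 and 49), and a vault has to deal with collisions (slide 36). The Luhn check that rejects a card token which would itself pass as a valid PAN is a design choice of this example, not something the slides state.

```python
import calendar
import secrets
import string
from datetime import date


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_mmddyyyy(value: str):
    """Return a date for MM/DD/YYYY input, or None if it is not a valid date."""
    try:
        m, d, y = (int(p) for p in value.split("/"))
        return date(y, m, d)
    except ValueError:
        return None


def _random_date_token() -> str:
    """A random but valid calendar date in the same MM/DD/YYYY layout."""
    y = 1900 + secrets.randbelow(200)
    m = 1 + secrets.randbelow(12)
    d = 1 + secrets.randbelow(calendar.monthrange(y, m)[1])
    return "%02d/%02d/%04d" % (m, d, y)


def _random_like(value: str, keep_last: int) -> str:
    """Replace each letter/digit with a random one of the same class, keep delimiters,
    and leave the last `keep_last` alphanumerics untouched (e.g. last 4 of a PAN)."""
    positions = [i for i, ch in enumerate(value) if ch.isalnum()]
    keep = set(positions[len(positions) - min(keep_last, len(positions)):]) if keep_last else set()
    out = []
    for i, ch in enumerate(value):
        if i in keep or not ch.isalnum():
            out.append(ch)
        elif ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        else:
            out.append(secrets.choice(string.ascii_lowercase))
    return "".join(out)


class TokenVault:
    """Basic (vaulted) tokenization: tokens are random and the vault is the only way
    back. Multi-use: the same value always maps to the same token."""

    def __init__(self, keep_last: int = 0):
        self.keep_last = keep_last
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:
            return self._to_token[value]
        value_digits = "".join(ch for ch in value if ch.isdigit())
        card_like = (value_digits == value.replace(" ", "")
                     and 13 <= len(value_digits) <= 19
                     and luhn_valid(value_digits))
        for _ in range(100):
            if parse_mmddyyyy(value) is not None:
                token = _random_date_token()
            else:
                token = _random_like(value, self.keep_last)
            if token == value or token in self._to_value:
                continue   # collision with the value or an already issued token: draw again
            if card_like and luhn_valid("".join(ch for ch in token if ch.isdigit())):
                continue   # example design choice: a card token must not pass as a real PAN
            self._to_token[value] = token
            self._to_value[token] = value
            return token
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token: str) -> str:
        """Only a holder of the vault can recover the original value."""
        return self._to_value[token]
```

The two dictionaries are the "large, expanding footprint" of slide 36 in miniature: every token ever issued has to be stored, replicated and looked up on each new request to rule out collisions, which is exactly the cost a vault-less scheme removes.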
  • 42. ANY TOKENIZATION GUIDELINES?
  • 43. Tokenization guidelines, Visa. Token generation methods and the token types they support (single-use token / multi-use token):
    – Reversible, known strong algorithm and key: single-use yes; multi-use no
    – Reversible, unique sequence number: single-use yes; multi-use yes
    – Irreversible, one-way hash function: single-use with a secret per transaction; multi-use with a secret per merchant
    – Irreversible, randomly generated value: single-use yes; multi-use yes
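Slide 43 admits a one-way hash as a token generator only when it carries a secret (per transaction for single-use, per merchant for multi-use), and slide 48 notes that a value mathematically derived from the PAN with a key does not reduce PCI scope. The Python example below is added here and is not from the deck: it shows why the secret matters. An unkeyed SHA-256 of a PAN can be brute-forced from a receipt that shows the BIN and the last four digits, because the Luhn check digit leaves only 100,000 candidate PANs, while the same search gets nowhere against an HMAC with a per-merchant secret the attacker does not hold. The PAN, the merchant names and their secrets are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example values (not a real card, real keys or real merchants).
PAN = "4111111111111111"   # passes Luhn; first 6 digits = BIN, last 4 = printed on receipts
MERCHANT_SECRETS = {"merchant-a": b"constructed-secret-A", "merchant-b": b"constructed-secret-B"}


def _luhn_contrib(d: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum."""
    if not doubled:
        return d
    return d * 2 - 9 if d * 2 > 9 else d * 2


def complete_luhn(template: str, free_pos: int) -> str:
    """Fill the digit at free_pos so that the whole number passes the Luhn check.
    All other digits are fixed, so exactly one value works."""
    n = len(template)
    total = sum(_luhn_contrib(int(ch), (n - 1 - i) % 2 == 1)
                for i, ch in enumerate(template) if i != free_pos)
    doubled = (n - 1 - free_pos) % 2 == 1
    need = (-total) % 10
    for d in range(10):
        if _luhn_contrib(d, doubled) == need:
            return template[:free_pos] + str(d) + template[free_pos + 1:]
    raise AssertionError("unreachable: Luhn doubling is a bijection on 0..9")


def unkeyed_token(pan: str) -> str:
    """Plain hash 'token': no secret, so anyone can recompute it from a guessed PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def multi_use_token(pan: str, merchant: str) -> str:
    """Keyed hash with a secret per merchant: same PAN -> same token within a merchant,
    unrelated tokens across merchants, and no recomputation without the secret."""
    return hmac.new(MERCHANT_SECRETS[merchant], pan.encode(), hashlib.sha256).hexdigest()


def single_use_token(pan: str, transaction_secret: bytes) -> str:
    """Keyed hash with a fresh secret per transaction: every token differs."""
    return hmac.new(transaction_secret, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(token: str, bin6: str, last4: str, token_fn) -> Optional[str]:
    """The attacker's search: BIN and last 4 are known, five middle digits are guessed
    and the sixth is forced by Luhn, so at most 100,000 evaluations of token_fn."""
    for middle in range(100000):
        candidate = complete_luhn(bin6 + "%05d" % middle + "0" + last4, free_pos=11)
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    bin6, last4 = PAN[:6], PAN[-4:]
    print("unkeyed, recovered:", recover_pan(unkeyed_token(PAN), bin6, last4, unkeyed_token))
    # The attacker holds merchant-b's secret but attacks a merchant-a token.
    wrong_key = lambda p: multi_use_token(p, "merchant-b")
    print("keyed, recovered:  ", recover_pan(multi_use_token(PAN, "merchant-a"), bin6, last4, wrong_key))
```

Two caveats follow from the same code. Whoever holds a merchant's secret can run recover_pan with the right key, so the keyed token is only as irreversible as the key is well kept; and because the token is still computed from the PAN with a key, slide 48's rule applies and a QSA treats the token store as cardholder data. Only the randomly generated value of slide 43, with the mapping held in a vault, is independent of the PAN.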
  • 44. Tokenization vs. encryption. Encryption uses a cipher system: cryptographic algorithms and cryptographic keys. Tokenization uses a code system: code books and index tokens. Source: McGraw-Hill Encyclopedia of Science & Technology
  • 45. HOW SECURE IS ENCRYPTION?
  • 47. KEYS EVERYWHERE!
  • 48. PCI DSS: tokenization and encryption are different. If the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key: no scope reduction
  • 49. TOKENS ARE RANDOM
  • 50. Tokenization and "PCI out of scope" [decision flow; Source: http://www.securosis.com]
    – Random number tokens? No (format preserving encryption): no scope reduction
    – De-tokenization available? Yes: scope reduction
    – Isolated from the cardholder data environment? Yes: out of scope; No: scope reduction
  • 51. Case study: energy industry. Why? Reduce PCI scope
    – Best way to handle legacy, we got most of it out of PCI
    – Get rid of unwanted paper copies
    – No need to rewrite/redevelop or restructure business applications
    – A VERY efficient way of PCI reduction of scope
    – Better understanding of your data flow
    – Better understanding of business flow
    – Opportunity to clean up a few business oddities
  • 52. Evaluating encryption & tokenization. [comparison table: database file encryption, database column encryption, basic tokenization and vaultless tokenization rated on a symbol scale ("Best" at the top) against availability, scalability, latency, CPU consumption, data flow protection, compliance scoping, security, key management, data collisions and separation of duties; the ratings did not survive as text]
  • 53. Case studies: retail
    – Customer 1: Why? Three major concerns solved: performance challenge (initial tokenization); vendor lock-in (what if we want to switch payment processor); extensive enterprise end-to-end credit card data protection
    – Customer 2: Why? Desired a single vendor to provide data protection: combined use of tokenization and encryption; looking to expand tokens beyond CCN to PII
    – Customer 3: Why? Remove compensating controls from the mainframe: tokens on the mainframe to avoid compensating controls
  • 54. WHAT IS THE CURRENT USE OF ENABLING TECHNOLOGIES?
  • 55. Use of enabling technologies (percent evaluating / percent in use): access controls 1% / 91%; database activity monitoring 18% / 47%; database encryption 30% / 35%; backup / archive encryption 21% / 39%; data masking 28% / 28%; application-level encryption 7% / 29%; tokenization 22% / 23%
  • 56. Is data masking secure? [chart: risk (low to high) by system type: test/dev, integration testing, troubleshooting, production] Masking of data at rest: exposure, data is in clear before masking. Masking of data on display: exposure, data is only obfuscated
  • 57. Data tokens = lower risk. [chart as slide 56, with data tokens added at the low-risk end across all system types]
  • 58. CAN SECURITY HELP CREATIVITY?
  • 59. Old security = less creativity. [chart: risk (low to high) against access right level (less to more) under traditional access control. Source: InformationWeek Aug 15, 2011]
  • 60. New data security = more creativity. [chart as slide 59: with data tokens, risk stays low as access rights grow; "creativity happens at the edge". Source: InformationWeek Aug 15, 2011]
  • 61. WHAT IS THE IMPACT ON RISK MANAGEMENT?
  • 62. Choose your defenses. [chart: cost against protection option, from monitoring to data lockdown; the cost of protection rises, the cost of aversion (expected losses from the risk) falls, and total cost has its minimum at the optimal risk]
  • 63. DATA SECURITY ADVANCES ARE CHANGING THE BALANCE
  • 64. Matching data protection with risk level (data risk score in parentheses)
    – High risk (16-25): field-level tokenization, strong encryption. Credit card number (25); Social Security number (20); email address (20)
    – Medium risk (6-15): monitoring, masking, format-controlling encryption. Customer name (12); secret formula (10); employee name (9); employee health record (6)
    – Low risk (1-5): monitoring. Zip code (3)
  • 65. SEPARATION OF DUTIES!
  • 66. Security of different protection methods. [chart: security level (low to high) for basic data tokenization, format preserving encryption, AES CBC encryption standard and vaultless data tokenization]
  • 67. HOW CAN I SECURE DATA IN CLOUD?
  • 68. Risks with cloud computing. [chart, percent of respondents; Source: The evolving role of IT managers and CIOs, findings from the 2010 IBM Global IT Risk Study] Risks: handing over sensitive data to a third…; threat of data breach or loss; weakening of corporate network…; uptime/business continuity; financial strength of the cloud…; inability to customize applications
  • 69. PCI & cloud. "The PCI council's security caution over virtualization is justified, because virtualized environments are susceptible to types of attacks not seen in any other environment" – Bob Russo, general manager of the PCI Security Standards Council
  • 70. Amazon's PCI compliance (Source: securosis.com)
    – PCI-DSS 2.0 doesn't address multi-tenancy concerns
    – You can store PAN data on S3, but it still needs to be encrypted in accordance with PCI-DSS requirements
    – Amazon doesn't do this for you; it's something you need to implement yourself, including key management, rotation, logging, etc.
    – If you deploy a server instance in EC2 it still needs to be assessed by your QSA
    – Your organization's assessment scope isn't necessarily reduced
    – It might be when you move to something like a tokenization service where you reduce your handling of PAN data
  • 71. Securing the data flow with tokenization. [diagram as slide 29]
  • 72. Why tokenization? 1. No masking 2. No encryption 3. No key management. Why vaultless tokenization? 1. Lower cost / TCO 2. Better 3. Faster
  • 73. Conclusion
    – Organizations need to understand their data flow and current security technologies: determine the most significant security exposures; target budgets toward addressing the most critical issues; strengthen security and compliance profiles
    – Achieve the right balance between business needs and security demands: increasingly important as companies change their security strategies to better protect sensitive data following continuing attacks
  • 74. About Protegrity
    – Proven enterprise data security software and innovation leader: sole focus on the protection of data; patented technology, continuing to drive innovation
    – Growth driven by compliance and risk management: PCI (Payment Card Industry), PII (Personally Identifiable Information), PHI (Protected Health Information); US state and foreign privacy laws, breach notification laws
    – Cross-industry applicability: retail, hospitality, travel and transportation; financial services, insurance, banking; healthcare, telecommunications, media and entertainment; manufacturing and government
  • 75. Thank you! Q&A ulf.mattsson@protegrity.com www.protegrity.com 203-326-7200

Editor's Notes

  1. CACS 2012 NYM 2012
  2. CACS 2012 NYM 2012
  3. Used at NYM 2011 ISACACACS 2012
  4. CACS 2012 NYM 2012
  5. CACS 2012 NYM 2012
  6. CACS 2012 NYM 2012
  7. CACS 2012 NYM 2012