SlideShare a Scribd company logo

Practical advice for cloud data protection ulf mattsson - oracle nyoug sep 2014

Ulf Mattsson, profile picture
Ulf Mattsson

The document discusses practical advice for cloud data protection, highlighting concerns such as data loss, insecure interfaces, and lack of confidence in cloud services. It emphasizes the need for robust data security measures, including encryption, tokenization, and data anonymization, to ensure sensitive information is protected throughout its lifecycle in the cloud. The content also outlines the various cloud computing models and governance, risk management, and compliance considerations relevant to organizations adopting cloud solutions.

Technology
1 of 51
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Practical Advice for Cloud Data Protection Ulf Mattsson CTO, Protegrity Ulf.Mattsson@protegrity.com
Ulf Mattsson, Protegrity CTO Cloud Security Alliance (CSA) PCI Security Standards Council • Cloud & Virtualization SIGs • Encryption Task Force • Tokenization Task Force ANSI X9 • American National Standard for Financial Services IFIP WG 11.3 Data and Application Security • International Federation for Information Processing ISACA (Information Systems Audit and Control Association) ISSA (Information Systems Security Association) 2
Security - We Are Losing Ground “It’s clear the bad guys are winning at a faster rate than the good guys 3 are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
Security - We Are Losing Ground – Cloud is Next “…Even though security is improving, things are getting worse faster, so 4 we're losing ground even as we improve.” - Security expert Bruce Schneier Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
Key Topics What are the Concerns with Cloud? What is the Guidance for Cloud Data Security? What New Data Security Technologies are Available for Cloud? How can Cloud Data Security work in Context to the Enterprise? What are the Common Use Cases? How can Search and Indexing be Performed? 5
What are the Concerns with Cloud? 6
What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing? 7
Sensitive Data in the Cloud 8 Of organizations currently (or plan to) transfer sensitive/confidential data to the cloud in the next 24 mo.
Lack of Cloud Confidence 9 Number of survey respondents that either agree or are unsure that the cloud services used by their organization are NOT thoroughly vetted for security.
Stopped or Slowed Adoption Source: The State of Cloud Security 10 Blue: Most recent data
Data Loss & Insecure Interfaces Number of Cloud Vulnerability Incidents by Threat Category 11
What is Cloud Computing? Computing as a Service: • Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS) Delivered Internally or Externally to the Enterprise: • Public • Private • Community • Hybrid 12
Public Cloud 13
Public Cloud 14
Private Cloud Outsourced Private Cloud 15 On-site Private Cloud
On-site Community Cloud 16
Outsourced Community Cloud 17
Hybrid Cloud 18
Software as a Service (SaaS) Typically web accessed internet-based applications (“on-demand software”) Platform as a Service (PaaS) An internet-based computing platform and solution stack. Facilitates deployment of Service Orchestration Applications Databases Storage 19 applications at much lower cost and complexity Infrastructure as a Service (IaaS) Delivers computer infrastructure (typically a virtualized environment) along with raw storage and networking built-in
The Conceptual Reference Model 20
Governance, Risk Management and Compliance 21
Trust vs. Elasticity Corporate Network Trust Private Cloud 022 Elasticity Public Cloud
Public Cloud – No Control 23 Consumers have no control over security once data is inside the public cloud. Completely reliant on provider for application and storage security.
Private Cloud – Limited Control Outsourced Private Cloud Consumer has limited capability to manage security within outsourced 24 On-site Private Cloud IaaS private cloud.
Threat Vector Inheritance 25
Virtualization Concerns in Cloud Virtual machine guest hardening Hypervisor security Inter-VM attacks and blind spots Performance concerns Operational complexity from VM sprawl Instant-on gaps Virtual machine encryption Data comingling Virtual machine data destruction Virtual machine image tampering In-motion virtual machines 26
27
Mapping the Cloud Model to Security Control & Compliance AAAApppppppplllliiiiccccaaaattttiiiioooonnnnssss DDDDaaaattttaaaa 28
Governance, Risk Management and Compliance 29
Data Protection Solutions 30
Cloud Gateways Provide Enterprise Control Cloud Encryption Gateways • SaaS encryption Cloud Security Gateways • Policy enforcement Cloud Access Security Brokers (CASBs) Cloud Services Brokerage (CSB) Secure Email Gateways Secure Web gateway 31
Public Cloud Gateway – SaaS Example Cloud 032 Gateway
Security Gateway Deployment – Application Example Corporate Network Backend System Cloud Gateway External Service 033 Enterprise Security Administrator Security Officer
Example of Cloud Security Gateway Features High-Performance Gateway Architecture Enterprise-extensible platform Tokenization and encryption Enterprise-grade key management Flexible policy controls • File or Field Security • Advanced function & usability preservation Comprehensive activity monitoring & reporting Support for internal, remote & mobile users Multiple deployment options 34
Security Gateway Deployment – Database Example Corporate Network Backend System Cloud Gateway RDBMS 035 Enterprise Security Administrator Security Officer
Security Gateway Deployment – Indexing Corporate Network Backend System Cloud Gateway RDBMS Query re-write 036 Enterprise Security Administrator Security Officer Index Index
Security Gateway Deployment – Search Corporate Network Backend System Cloud Gateway RDBMS Query re-write 037 Enterprise Security Administrator Security Officer Order preserving encryption
Where is Encryption Applied to Protect Data in Cloud? 38
How Data-Centric Protection Increases Security in Cloud Computing and Virtualization Rather than making the protection platform based, the security is applied directly to the data, protecting it wherever it goes, in any environment Cloud environments by nature have more access points and cannot be disconnected – data-centric protection reduces the reliance on controlling the high number of access points 39
Encryption Guidance from CSA Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud Once data arrives in the cloud, it should remain protected both at rest and in use Do not forget to protect files that are often overlooked, but which frequently include sensitive information • Log files and metadata can be avenues for data leakage Encrypt using sufficiently durable encryption strengths (such as AES-256) Use open, validated formats and avoid proprietary encryption formats wherever possible 40
CSA: Look at Alternatives to Encryption Data Anonymization and De-identification • This is where (for example) Personally Identifiable Information (PII) and Sensitive are stripped before processing. Utilizing access controls built into the database 41
De-identification / Anonymization Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de-identification 42
Data Tokenization De-identification / Pseudonomization / Anonymization Replaces real data with fake data – “Tokens” Data is protected before it goes to the cloud Benefits: • Eliminates data residency issues • Data remains usable in applications without modification • Vaultless tokenization • No data replication/collision issues, • High scalability 43
Significantly Different Tokenization Approaches Vault-based Vaultless Property Dynamic Pre-generated 44
Risk Adjusted Protection Data Protection Methods Scalability Storage Security Transparency System without data protection Weak Encryption (1:1 mapping) Searchable Gateway Index (IV) Vault-less Tokenization Vault-based Tokenization Partial Encryption Data Type Preservation Encryption Strong Encryption (AES CBC, IV) Best Worst 45
Use Case - Commercial Information and Business Insight Company The company received trade files from customers daily, containing sensitive Card Holder Data (CHD), making them subject to Payment Card Industry Data Security Standard (PCI DSS) regulations. 46
Use Case - Increasing Pressure from International Data Protection Regulations
Enterprise Data Security Policy What is the sensitive data that needs to be protected. How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc. Who should have access to sensitive data and who should not. Security access control. Roles & Users What How Who 48 When should sensitive data access be granted to those who have access. Day of week, time of day. Where is the sensitive data stored? This will be where the policy is enforced. Audit authorized or un-authorized access to sensitive data. When Where Audit
Centralized Policy Management - Example Application RDBMS MPP Audit Log Audit Log Audit Log Enterprise Security Administrator Policy Cloud Security Officer Audit Log Audit Log Audit Log 49 File Servers Big Data Gateway Servers HP NonStop Base24 IBM Mainframe Protector Audit Log Audit Log Audit Log Audit Log Protection Servers Audit Log Audit Log
Summary What are the Concerns with Cloud? How is Cloud Computing Defined? What is the Guidance for Cloud Data Security? What New Data Security Technologies are Available for Cloud? 50 How can Cloud Data Security work in Context to the Enterprise?
Thank you! Questions? Please contact us for more information www.protegrity.com Ulf.Mattsson@protegrity.com

More Related Content

PDF
Practical advice for cloud data protection ulf mattsson - bright talk webin...
Ulf Mattsson
 
PDF
Cloud data governance, risk management and compliance ny metro joint cyber...
Ulf Mattsson
 
PDF
Cloud Computing
sahil lalwani
 
PDF
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
 
PDF
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Ulf Mattsson
 
PDF
ISSA: Cloud data security
Ulf Mattsson
 
PDF
Security and Audit for Big Data
Nicolas Morales
 
PPTX
Cloud security - Auditing and Compliance
Josh Tullo
 
Practical advice for cloud data protection ulf mattsson - bright talk webin...
Ulf Mattsson
 
Cloud data governance, risk management and compliance ny metro joint cyber...
Ulf Mattsson
 
Cloud Computing
sahil lalwani
 
Data centric security key to digital business success - ulf mattsson - bright...
Ulf Mattsson
 
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Ulf Mattsson
 
ISSA: Cloud data security
Ulf Mattsson
 
Security and Audit for Big Data
Nicolas Morales
 
Cloud security - Auditing and Compliance
Josh Tullo
 

What's hot (20)

PPTX
Data Driven Security in SSAS
Mike Duffy
 
PDF
br-security-connected-top-5-trends
Christopher Bennett
 
PDF
ISACA Houston Texas Chapter 2010
Ulf Mattsson
 
PDF
How the latest trends in data security can help your data protection strategy...
Ulf Mattsson
 
PPTX
Data Loss Prevention
dj1arry
 
PDF
Where data security and value of data meet in the cloud ulf mattsson
Ulf Mattsson
 
DOCX
Office 365 data loss prevention
ssuser1eca7d
 
PPTX
Symantec Data Loss Prevention 9
Ariel Martin Beliera
 
PDF
Data loss prevention by using MRSH-v2 algorithm
IJECEIAES
 
PDF
DLP Executive Overview
Kim Jensen
 
PPT
DLP
saurabh.sood
 
PPTX
Securing data today and in the future - Oracle NYC
Ulf Mattsson
 
PDF
The past, present, and future of big data security
Ulf Mattsson
 
PPTX
Global Azure Bootcamp 216 - Azure Rights Management
Riwut Libinuko
 
PDF
Data leakage prevention EN Final
Zdravko Stoychev, CISM, CRISC
 
PPTX
Technology Overview - Symantec Data Loss Prevention (DLP)
Iftikhar Ali Iqbal
 
PPTX
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
Phil Agcaoili
 
PPTX
Big Data and Security - Where are we now? (2015)
Peter Wood
 
PDF
Cyber security basics for law firms
Robert Westmacott
 
PPTX
Practical Security for the Cloud
Chirag Joshi, CISA, CISM, CRISC
 
Data Driven Security in SSAS
Mike Duffy
 
br-security-connected-top-5-trends
Christopher Bennett
 
ISACA Houston Texas Chapter 2010
Ulf Mattsson
 
How the latest trends in data security can help your data protection strategy...
Ulf Mattsson
 
Data Loss Prevention
dj1arry
 
Where data security and value of data meet in the cloud ulf mattsson
Ulf Mattsson
 
Office 365 data loss prevention
ssuser1eca7d
 
Symantec Data Loss Prevention 9
Ariel Martin Beliera
 
Data loss prevention by using MRSH-v2 algorithm
IJECEIAES
 
DLP Executive Overview
Kim Jensen
 
DLP
saurabh.sood
 
Securing data today and in the future - Oracle NYC
Ulf Mattsson
 
The past, present, and future of big data security
Ulf Mattsson
 
Global Azure Bootcamp 216 - Azure Rights Management
Riwut Libinuko
 
Data leakage prevention EN Final
Zdravko Stoychev, CISM, CRISC
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Iftikhar Ali Iqbal
 
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
Phil Agcaoili
 
Big Data and Security - Where are we now? (2015)
Peter Wood
 
Cyber security basics for law firms
Robert Westmacott
 
Practical Security for the Cloud
Chirag Joshi, CISA, CISM, CRISC
 
Ad

Similar to Practical advice for cloud data protection ulf mattsson - oracle nyoug sep 2014 (20)

PDF
Where data security and value of data meet in the cloud brighttalk webinar ...
Ulf Mattsson
 
PPTX
Practical advice for cloud data protection ulf mattsson - jun 2014
Ulf Mattsson
 
PDF
Where Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
 
PPTX
The day when 3rd party security providers disappear into cloud bright talk se...
Ulf Mattsson
 
PPTX
Cloud Security By Dr. Anton Ravindran
GSTF
 
PPTX
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Ulf Mattsson
 
PDF
Lecture27 cc-security2
Ankit Gupta
 
PPT
28_Security-Privacy-inxssudusd_Cloud.ppt
ajinkyajagtap23
 
PPT
28_Security-Privacy-in_Cloud_AND_real.ppt
kyogesh5
 
PDF
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
PDF
Isaca new delhi india privacy and big data
Ulf Mattsson
 
PDF
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
PPTX
Governance and Security in Cloud and Mobile Apps
Michael Scheidell
 
PPTX
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Netskope
 
PPTX
Lss implementing cyber security in the cloud, and from the cloud-feb14
L S Subramanian
 
PDF
Aes based secured framework for cloud databases
IJARIIT
 
PPTX
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
PPTX
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
PDF
Whitepaper: Security of the Cloud
CloudSmartz
 
PDF
Security of the Cloud
Epoch Universal, Inc.
 
Where data security and value of data meet in the cloud brighttalk webinar ...
Ulf Mattsson
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Ulf Mattsson
 
Where Data Security and Value of Data Meet in the Cloud
Ulf Mattsson
 
The day when 3rd party security providers disappear into cloud bright talk se...
Ulf Mattsson
 
Cloud Security By Dr. Anton Ravindran
GSTF
 
Infragard atlanta ulf mattsson - cloud security - regulations and data prot...
Ulf Mattsson
 
Lecture27 cc-security2
Ankit Gupta
 
28_Security-Privacy-inxssudusd_Cloud.ppt
ajinkyajagtap23
 
28_Security-Privacy-in_Cloud_AND_real.ppt
kyogesh5
 
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
Isaca new delhi india privacy and big data
Ulf Mattsson
 
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
Governance and Security in Cloud and Mobile Apps
Michael Scheidell
 
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Netskope
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
L S Subramanian
 
Aes based secured framework for cloud databases
IJARIIT
 
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
Whitepaper: Security of the Cloud
CloudSmartz
 
Security of the Cloud
Epoch Universal, Inc.
 
Ad

More from Ulf Mattsson (20)

PPTX
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
PPTX
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
PPTX
Book
Ulf Mattsson
 
PPTX
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
PPTX
Qubit conference-new-york-2021
Ulf Mattsson
 
PDF
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
PPTX
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
PDF
Data encryption and tokenization for international unicode
Ulf Mattsson
 
PPTX
The future of data security and blockchain
Ulf Mattsson
 
PPTX
New technologies for data protection
Ulf Mattsson
 
PPTX
GDPR and evolving international privacy regulations
Ulf Mattsson
 
PPTX
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
PPTX
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
PPTX
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
PPTX
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
PPTX
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
PPTX
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
PPTX
What is tokenization in blockchain?
Ulf Mattsson
 
PPTX
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
PPTX
Unlock the potential of data security 2020
Ulf Mattsson
 
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
Book
Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
Qubit conference-new-york-2021
Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
Data encryption and tokenization for international unicode
Ulf Mattsson
 
The future of data security and blockchain
Ulf Mattsson
 
New technologies for data protection
Ulf Mattsson
 
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
What is tokenization in blockchain?
Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
Unlock the potential of data security 2020
Ulf Mattsson
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
KodekX | Application Modernization Development
KodekX
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
KodekX | Application Modernization Development
KodekX
 

Practical advice for cloud data protection ulf mattsson - oracle nyoug sep 2014

  • 1. Practical Advice for Cloud Data Protection Ulf Mattsson CTO, Protegrity Ulf.Mattsson@protegrity.com
  • 2. Ulf Mattsson, Protegrity CTO Cloud Security Alliance (CSA) PCI Security Standards Council • Cloud & Virtualization SIGs • Encryption Task Force • Tokenization Task Force ANSI X9 • American National Standard for Financial Services IFIP WG 11.3 Data and Application Security • International Federation for Information Processing ISACA (Information Systems Audit and Control Association) ISSA (Information Systems Security Association) 2
  • 3. Security - We Are Losing Ground “It’s clear the bad guys are winning at a faster rate than the good guys 3 are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
  • 4. Security - We Are Losing Ground – Cloud is Next “…Even though security is improving, things are getting worse faster, so 4 we're losing ground even as we improve.” - Security expert Bruce Schneier Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
  • 5. Key Topics What are the Concerns with Cloud? What is the Guidance for Cloud Data Security? What New Data Security Technologies are Available for Cloud? How can Cloud Data Security work in Context to the Enterprise? What are the Common Use Cases? How can Search and Indexing be Performed? 5
  • 6. What are the Concerns with Cloud? 6
  • 7. What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing? 7
  • 8. Sensitive Data in the Cloud 8 Of organizations currently (or plan to) transfer sensitive/confidential data to the cloud in the next 24 mo.
  • 9. Lack of Cloud Confidence 9 Number of survey respondents that either agree or are unsure that the cloud services used by their organization are NOT thoroughly vetted for security.
  • 10. Stopped or Slowed Adoption Source: The State of Cloud Security 10 Blue: Most recent data
  • 11. Data Loss & Insecure Interfaces Number of Cloud Vulnerability Incidents by Threat Category 11
  • 12. What is Cloud Computing? Computing as a Service: • Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS) Delivered Internally or Externally to the Enterprise: • Public • Private • Community • Hybrid 12
  • 15. Private Cloud Outsourced Private Cloud 15 On-site Private Cloud
  • 19. Software as a Service (SaaS) Typically web accessed internet-based applications (“on-demand software”) Platform as a Service (PaaS) An internet-based computing platform and solution stack. Facilitates deployment of Service Orchestration Applications Databases Storage 19 applications at much lower cost and complexity Infrastructure as a Service (IaaS) Delivers computer infrastructure (typically a virtualized environment) along with raw storage and networking built-in
  • 21. Governance, Risk Management and Compliance 21
  • 22. Trust vs. Elasticity Corporate Network Trust Private Cloud 022 Elasticity Public Cloud
  • 23. Public Cloud – No Control 23 Consumers have no control over security once data is inside the public cloud. Completely reliant on provider for application and storage security.
  • 24. Private Cloud – Limited Control Outsourced Private Cloud Consumer has limited capability to manage security within outsourced 24 On-site Private Cloud IaaS private cloud.
  • 26. Virtualization Concerns in Cloud Virtual machine guest hardening Hypervisor security Inter-VM attacks and blind spots Performance concerns Operational complexity from VM sprawl Instant-on gaps Virtual machine encryption Data comingling Virtual machine data destruction Virtual machine image tampering In-motion virtual machines 26
  • 27. 27
  • 28. Mapping the Cloud Model to Security Control & Compliance AAAApppppppplllliiiiccccaaaattttiiiioooonnnnssss DDDDaaaattttaaaa 28
  • 29. Governance, Risk Management and Compliance 29
  • 31. Cloud Gateways Provide Enterprise Control Cloud Encryption Gateways • SaaS encryption Cloud Security Gateways • Policy enforcement Cloud Access Security Brokers (CASBs) Cloud Services Brokerage (CSB) Secure Email Gateways Secure Web gateway 31
  • 32. Public Cloud Gateway – SaaS Example Cloud 032 Gateway
  • 33. Security Gateway Deployment – Application Example Corporate Network Backend System Cloud Gateway External Service 033 Enterprise Security Administrator Security Officer
  • 34. Example of Cloud Security Gateway Features High-Performance Gateway Architecture Enterprise-extensible platform Tokenization and encryption Enterprise-grade key management Flexible policy controls • File or Field Security • Advanced function & usability preservation Comprehensive activity monitoring & reporting Support for internal, remote & mobile users Multiple deployment options 34
  • 35. Security Gateway Deployment – Database Example Corporate Network Backend System Cloud Gateway RDBMS 035 Enterprise Security Administrator Security Officer
  • 36. Security Gateway Deployment – Indexing Corporate Network Backend System Cloud Gateway RDBMS Query re-write 036 Enterprise Security Administrator Security Officer Index Index
  • 37. Security Gateway Deployment – Search Corporate Network Backend System Cloud Gateway RDBMS Query re-write 037 Enterprise Security Administrator Security Officer Order preserving encryption
  • 38. Where is Encryption Applied to Protect Data in Cloud? 38
  • 39. How Data-Centric Protection Increases Security in Cloud Computing and Virtualization Rather than making the protection platform based, the security is applied directly to the data, protecting it wherever it goes, in any environment Cloud environments by nature have more access points and cannot be disconnected – data-centric protection reduces the reliance on controlling the high number of access points 39
  • 40. Encryption Guidance from CSA Encrypting the transfer of data to the cloud does not ensure the data is protected in the cloud Once data arrives in the cloud, it should remain protected both at rest and in use Do not forget to protect files that are often overlooked, but which frequently include sensitive information • Log files and metadata can be avenues for data leakage Encrypt using sufficiently durable encryption strengths (such as AES-256) Use open, validated formats and avoid proprietary encryption formats wherever possible 40
  • 41. CSA: Look at Alternatives to Encryption Data Anonymization and De-identification • This is where (for example) Personally Identifiable Information (PII) and Sensitive are stripped before processing. Utilizing access controls built into the database 41
  • 42. De-identification / Anonymization Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de-identification 42
  • 43. Data Tokenization De-identification / Pseudonomization / Anonymization Replaces real data with fake data – “Tokens” Data is protected before it goes to the cloud Benefits: • Eliminates data residency issues • Data remains usable in applications without modification • Vaultless tokenization • No data replication/collision issues, • High scalability 43
  • 44. Significantly Different Tokenization Approaches Vault-based Vaultless Property Dynamic Pre-generated 44
  • 45. Risk Adjusted Protection Data Protection Methods Scalability Storage Security Transparency System without data protection Weak Encryption (1:1 mapping) Searchable Gateway Index (IV) Vault-less Tokenization Vault-based Tokenization Partial Encryption Data Type Preservation Encryption Strong Encryption (AES CBC, IV) Best Worst 45
  • 46. Use Case - Commercial Information and Business Insight Company The company received trade files from customers daily, containing sensitive Card Holder Data (CHD), making them subject to Payment Card Industry Data Security Standard (PCI DSS) regulations. 46
  • 47. Use Case - Increasing Pressure from International Data Protection Regulations
  • 48. Enterprise Data Security Policy What is the sensitive data that needs to be protected. How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc. Who should have access to sensitive data and who should not. Security access control. Roles & Users What How Who 48 When should sensitive data access be granted to those who have access. Day of week, time of day. Where is the sensitive data stored? This will be where the policy is enforced. Audit authorized or un-authorized access to sensitive data. When Where Audit
  • 49. Centralized Policy Management - Example Application RDBMS MPP Audit Log Audit Log Audit Log Enterprise Security Administrator Policy Cloud Security Officer Audit Log Audit Log Audit Log 49 File Servers Big Data Gateway Servers HP NonStop Base24 IBM Mainframe Protector Audit Log Audit Log Audit Log Audit Log Protection Servers Audit Log Audit Log
  • 50. Summary What are the Concerns with Cloud? How is Cloud Computing Defined? What is the Guidance for Cloud Data Security? What New Data Security Technologies are Available for Cloud? 50 How can Cloud Data Security work in Context to the Enterprise?
  • 51. Thank you! Questions? Please contact us for more information www.protegrity.com Ulf.Mattsson@protegrity.com