Where Data Security and Value of Data Meet in the Cloud
1 like942 views
The document discusses the intersection of data security and the value of data in cloud computing, emphasizing the shift to data-centric security methods as organizations face increasing cyber threats. It highlights the importance of maximizing data utility while minimizing risks through new security technologies like encryption and tokenization. Additionally, it stresses the necessity of adapting security strategies to the evolving cloud environment to efficiently protect sensitive data against potential breaches.
Where Data Security and Value of Data Meet in the Cloud
- 1. Where Data Security and Value of Data Meet in the Cloud - Practical advice for cloud data security Ulf Mattsson CTO, Protegrity Ulf.Mattsson@protegrity.com
- 2. Cloud Security Alliance (CSA) PCI Security Standards Council • Cloud & Virtualization SIGs • Encryption Task Force • Tokenization Task Force Ulf Mattsson, Protegrity CTO ANSI X9 • American National Standards Institute IFIP • WG 11.3 Data and Application Security • International Federation for Information Processing 2
- 3. Involvement in Payment Card Industry Data Security Standard: 1. PCI SSC Tokenization Task Force 2. PCI SSC Encryption Task Force 3. PCI SSC Point to Point Encryption Task Force 4. PCI SSC Risk Assessment SIG 5. PCI SSC eCommerce SIG Ulf Mattsson, Protegrity CTO 5. PCI SSC eCommerce SIG 6. PCI SSC Cloud SIG 7. PCI SSC Virtualization SIG 8. PCI SSC Pre-Authorization SIG 9. PCI SSC Scoping SIG Working Group 2 10. PCI SSC 2014 Tokenization Task Force (TkTF). 3
- 4. 4
- 5. The New Enterprise Paradigm • Cloud computing, IoT and the disappearing perimeter • Data is the new currency Rethinking Data Security for a Boundless World • The new wave of challenges to security and productivity • Seamless, boundless security framework – data flow • Maximize data utility & minimizing risk – finding the right balance Agenda • Maximize data utility & minimizing risk – finding the right balance New Security Solutions, Technologies and Techniques • Data-centric security technologies • Data security and utility outside the enterprise • Cloud data security in context to the enterprise Best Practices 5
- 6. Verizon Data Breach Investigations Report • Enterprises are losing ground in the fight against persistent cyber-attacks • We simply cannot catch the bad guys until it is too late. This picture is not improving • Verizon reports concluded that less than 14% of breaches are detected by internal Enterprises Losing Ground Against Cyber-attacks of breaches are detected by internal monitoring tools JP Morgan Chase data breach • Hackers were in the bank’s network for months undetected • Network configuration errors are inevitable, even at the larges banks We need a new approach to data security 6
- 7. High-profile Cyber Attacks 49% recommended Database security 40% of budget still on Network security 7 40% only 19% to database security Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification
- 9. Big data projects in 2015 • Integration with the outside world Security prevents big data from becoming a prevalent enterprise computing Integration with Outside World 26 billion devices on the Internet of Things by 2020 (Gartner) 9 www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly- permeate-the-borders-of-the-enterprise.html enterprise computing platform • 3rd party products are helping wikipedia.org
- 10. CHALLENGE How can I Secure the 10 Secure the Perimeter-less Enterprise?
- 12. What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing? 12
- 13. Data Security Holding Back Cloud Projects 13 Source: Cloud Adoption Practices & Priorities Survey Report January 2015
- 14. Security of Data in Cloud at Board-level 14 Source: Cloud Adoption Practices & Priorities Survey Report January 2015
- 16. New Options to Secure 16 to Secure Cloud Data
- 17. Rather than making the protection platform based, the security is applied directly to the data Protecting the data wherever it goes, in any environment Data-Centric Protection Increases Security in Cloud Computing Cloud environments by nature have more access points and cannot be disconnected Data-centric protection reduces the reliance on controlling the high number of access points 17
- 18. Key Challenges Storing and/or processing data in the cloud increases the risks of noncompliance through unapproved access and data breach Service providers will limit their liabilities to potential data breaches that may be taken for granted on-premises Simplify Operations and Compliance in the Cloud 018 breaches that may be taken for granted on-premises Gartner: Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
- 19. Recommendations Simplify audits & address data residency and compliance issues by applying encryption or tokenization and access controls. Digitally shred sensitive data at its end of life by deleting the encryption keys or tokens Understand that protecting sensitive data in cloud-based Simplify Operations and Compliance in the Cloud 019 Understand that protecting sensitive data in cloud-based software as a service (SaaS) applications may require trading off security and functionality Assess each encryption solution by following the data to understand when data appears in clear text, where keys are made available and stored, and who has access to the keys Gartner: Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
- 20. Corporate Network Security Gateway Deployment – Hybrid Cloud Client System Public Cloud Cloud Gateway Private Cloud 020 Enterprise Security Administrator Security Officer Out-sourced
- 21. Corporate NetworkCorporate Network Security Gateway Deployment – Hybrid Cloud Client System Private Cloud Public Cloud Cloud Gateway 021 Enterprise Security Administrator Security Officer Gateway Out-sourced
- 22. Corporate Network Client System Cloud Gateway Security Gateway – Searchable Encryption RDBMS Query re-write 022 Enterprise Security Administrator Security Officer Order preserving encryption
- 23. Corporate Network Client System Cloud Gateway Security Gateway – Search & Indexing RDBMS Query re-write 023 Enterprise Security Administrator Security Officer IndexIndex
- 25. Computational Usefulness Risk Adjusted Storage – Data Leaking Formats H 25 Data Leakage Strong-encryption Truncation Sort-order-preserving-encryption Indexing L I I I I
- 26. Balancing Data Security & Utility Value Preserving Classification of Sensitive Data Granular Protection of Sensitive Data 26 Index Data Leaking Sensitive Data ? Encoding Leaking Sensitive Data ?
- 27. Risk Adjusted Data Leakage Index Trust H Index Leaking Sensitive Data Sort Order Preserving Encryption Algorithms Leaking Sensitive Data 27 Index Data Elasticity Out-sourcedIn-house L Index NOT Leaking Sensitive Data
- 28. Reduction of Pain with New Protection Techniques High Pain & TCO Strong Encryption Output: AES, 3DES Format Preserving Encryption DTP, FPE Input Value: 3872 3789 1620 3675 !@#$%a^.,mhu7///&*B()_+!@ 8278 2789 2990 2789 28 1970 2000 2005 2010 Low Vault-based Tokenization Vaultless Tokenization 8278 2789 2990 2789 Format Preserving Greatly reduced Key Management No Vault 8278 2789 2990 2789
- 29. What is Data Tokenization? 29 Data Tokenization?
- 30. Fine Grained Data Security Methods Tokenization and Encryption are Different Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys TokenizationEncryption 30 Cryptographic keys Code books Index tokens Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
- 31. Tokenization Research Tokenization Gets Traction Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data Tokenization users had 50% fewer security-related incidents than tokenization non-users 31 Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
- 32. 10 000 000 - 1 000 000 - 100 000 - 10 000 - Transactions per second* Speed of Fine Grained Protection Methods 10 000 - 1 000 - 100 - I Format Preserving Encryption I Vaultless Data Tokenization I AES CBC Encryption Standard I Vault-based Data Tokenization *: Speed will depend on the configuration 32
- 33. Significantly Different Tokenization Approaches Property Dynamic Pre-generated Vault-based Vaultless 33
- 34. Examples of Protected Data Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de-identification 34
- 35. Use Case How Should I Secure Different Data? Simple – PCI PII Encryption of Files Card Holder Data Tokenization of Fields Personally Identifiable Information Type of Data I Structured I Un-structured Complex – PHI Protected Health Information 35 Personally Identifiable Information
- 36. How to Balance Risk andRisk and Data Access 36
- 37. High - Risk Adjusted Data Security – Access Controls Risk Exposure User Productivity and Creativity 37 Access to Sensitive Data in Clear Low Access to Data High Access to Data Low - I I
- 38. High - Risk Adjusted Data Security – Tokenized Data User Productivity and Creativity 38 Access to Tokenized Data Low Access to Data High Access to Data Low - I I Risk Exposure
- 39. Cost of Application Changes High - Risk Adjusted Data Security – Selective Masking Risk Exposure Cost Example: 16 digit credit card number 39 All-16-clear Only-middle-6-hidden All-16-hidden Low - I I I
- 40. Fine Grained Security: Securing Fields Production Systems Encryption of fields • Reversible • Policy Control (authorized / Unauthorized Access) • Lacks Integration Transparency • Complex Key Management • Example: !@#$%a^.,mhu7///&*B()_+!@ 40 Non-Production Systems Masking of fields • Not reversible • No Policy, Everyone can access the data • Integrates Transparently • No Complex Key Management • Example: 0389 3778 3652 0038
- 41. Fine Grained Security: Tokenization of Fields Production Systems Tokenization (Pseudonymization) • No Complex Key Management • Business Intelligence • Example: 0389 3778 3652 0038 41 Non-Production Systems • Reversible • Policy Control (Authorized / Unauthorized Access) • Not Reversible • Integrates Transparently
- 42. Cloud Gateway - Requirements Adjusted Protection Data Protection Methods Scalability Storage Security Transparency System without data protection Weak Encryption (1:1 mapping) Searchable Gateway Index (IV) Vaultless Tokenization Partial EncryptionPartial Encryption Data Type Preservation Encryption Strong Encryption (AES CBC, IV) Best Worst 42
- 43. Data–Centric Audit and Protection (DCAP) Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less 043 Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014 approaches in 25% of large enterprises, up from less than 5% today
- 44. Centrally managed security policy Across unstructured and structured silos Classify data, control access and monitoring Protection – encryption, tokenization and masking Segregation of duties – application users and privileged Data–Centric Audit and Protection (DCAP) 044 Segregation of duties – application users and privileged users Auditing and reporting Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
- 45. Central Management – Policy Deployment Application Protector Database Protector EDW Protector Enterprise Security Administrator PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy Security Office / Security Team Audit Log 45 File Protector Big Data Protector Cloud Gateway Inline Gateway Protection Servers IBM Mainframe Protectors PolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicyPolicy File Protector Gateway
- 46. Enterprise Data Security Policy What is the sensitive data that needs to be protected. How you want to protect and present sensitive data. There are several methods for protecting sensitive data. Encryption, tokenization, monitoring, etc. Who should have access to sensitive data and who should not. Security access control. What Who How 46 When should sensitive data access be granted to those who have access. Day of week, time of day. Where is the sensitive data stored? This will be where the policy is enforced. Audit authorized or un-authorized access to sensitive data. When Where Audit
- 47. Audit Log Audit Log Audit Log Central Management – Audit Log Collection Application Protector Database Protector EDW Protector Enterprise Security Administrator Security Office / Security Team Audit Log Audit Log Audit Log Log Audit Log Audit Log Audit Log Audit Log 47 File Protector Big Data Protector Cloud Gateway Inline Gateway Protection Servers IBM Mainframe Protectors File Protector Gateway
- 48. The biggest challenge in this new paradigm • Cloud and an interconnected world • Merging data security with data value and productivity What’s required? • Seamless, boundless security framework – data flow • Maximize data utility & Minimizing risk – finding the right balance Value-preserving data-centric security methods Summary Value-preserving data-centric security methods • How to keep track of your data and monitor data access outside the enterprise • Best practices for protecting data and privacy in the perimeter-less enterprise. What New Data Security Technologies are Available for Cloud? How can Cloud Data Security work in Context to the Enterprise? 48
- 49. Thank you!Thank you! Questions? Please contact us for more information www.protegrity.com Ulf.Mattsson@protegrity.com Brian.Samms@protegrity.com