Data Breaches Gone Mad Learn how to Secure your Data Warehouse Straight Away! Wednesday September 28th, 2011 Martin Willcox Director Product & Solutions Marketing Teradata Europe, Middle East & Africa Ulf Mattsson CTO Protegrity The Tokenization Experts Some of you have already met Yuri. protegrity 4 4 Source: http://www.youtube.com/user/ProtegrityUSA Last year he and his “anonymous” friends hacked AT&T. protegrity 5 5 Source: http://www.youtube.com/user/ProtegrityUSA • • Security vulnerability in a Website used by iPad customers 100,000 e-mail addresses and iPad identification numbers were exposed, including: • New York Mayor • FBI and NASA • US Departments of Defense • Executives from Google, Microsoft, Amazon and Goldman Sachs Source 2010: http://news.cnet.com/8301-27080_3-20007417-245.html#ixzz1Y9IW9a7o protegrity 6 This year they hacked Sony and bought BMW M5s. protegrity 7 Source: http://www.youtube.com/user/ProtegrityUSA 8 • Data including passwords and personal details were stored in clear text • Attacks were not coordinated and not advanced • Majority of attacks were SQL Injection dumps and Distributed Denial of Service (DDoS) protegrity Next month Yuri plans to hit a major telco with the keys provided by a disgruntled employee. protegrity 9 Source: http://www.youtube.com/user/ProtegrityUSA Then Yuri is going to buy a private jet. protegrity 10 Source: http://www.youtube.com/user/ProtegrityUSA Hospitality Retail Financial Services Government Tech Services Manufacturing Transportation Media Healthcare Business Services 0 10 20 30 40 50 % *: Number of breaches Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS 11 protegrity Source: Trustwave Global Security Report 2011 12 protegrity So how does Yuri do it? protegrity 13 Source: http://www.youtube.com/user/ProtegrityUSA Hacking Malware Physical Error Misuse Social 0 20 40 60 80 100 % *: Number of records Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS protegrity 14 “Usually, I just need one disgruntled employee. Just one.” protegrity 15 Source: http://www.youtube.com/user/ProtegrityUSA • • • • Attackers stole information about SecurID two-factor authentication 60 different types of customized malware Advanced Persistent Threat (APT) malware tied to a network in Shanghai A tool written by a Chinese hacker 10 years ago protegrity 16 Third party fraud detection Notified by law enforcement Reported by customer/partner… Unusual system behavior Reported by employee Internal security audit or scan Internal fraud detection Brag or blackmail by perpetrator Third party monitoring service *: Number of breaches 0 10 20 Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS 17 30 40 50 % protegrity • Some issues have stayed constant: • • • Threat landscape continues to gain sophistication Attackers will always be a step ahead of the defenders Different motivation, methods and tools today: • • We are fighting highly organized, well-funded crime syndicates and nations Move from detective to preventative controls needed Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2 protegrity 18 Payment card data Personal information Usernames, passwords Intellectual property Bank account data Medical records Classified information System information Sensitive organizational data 0 20 40 *: Number of records Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS 19 60 80 100 120 % protegrity 20 Firewalls Encryption/Tokenization for data at… Anti-virus & anti-malware solution Encryption for data in motion Access governance systems Identity & access management systems Correlation or event management… Web application firewalls (WAF) Endpoint encryption solution Data loss prevention systems (DLP) Intrusion detection or prevention… Database scanning and monitoring… ID & credentialing system 0 WAF Client encryption DLP IDS DAM 10 20 30 40 50 60 70 80 90 % *: Cost effective solutions for PCI DSS. Source: PCI DSS Compliance Survey, Ponemon Institute protegrity 20 protegrity 21 Jim Browning Senior Security Engineer Teradata Labs Teradata – Protegrity Partnership • Strategic partnership since 2004 • Advocated solution for data protection on Teradata Databases • Design and development of Protegrity data security platform for Teradata • Proven parallel and scalable data protection for Teradata MPP platforms • Collaboration on forward-looking roadmaps – – – • 23 New and advanced data protection options Integration with new Teradata Database features Seamless operation on large data warehouse systems World-class customers Teradata – Protegrity Customers by Industry Manufacturing Telecommunications Utilities Retail Transportation Government Healthcare Financial 24 Types of Data Requiring Protection • Credit Card Information – – – • Consumer Financial Data – – 25 Social Security Numbers Tax Identifiers Drivers License Numbers Date of Birth Account Numbers PINs Protected Health Information – – • Personal Identifying Information – – – – • Credit Card Numbers (PAN) Service Codes Expiration Dates • Corporate Financial Data – • Identifiable Patient Data Medical Record Numbers Non-public Information Human Resources Data – – Payroll Information Performance Ratings • Customer and Prospect Data • Trade Secrets and Intellectual Property Protegrity Data Protection for Teradata • A comprehensive data protection solution for Teradata Databases – Provides additional separation of duties through a separate Security Manager interface for creation and maintenance of security policies – Includes a patented key management system for secure key generation and protection of keys when stored – Supports multiple data protection options including strong encryption and tokenization – Supports multiple cryptographic algorithms and key strengths – Automates the process of converting clear text data to cipher text 26 Protegrity Data Protection for Teradata • A comprehensive data protection solution for Teradata Databases – Provides additional access controls to protect sensitive information (even DBC can not see unencrypted data unless specifically authorized by the Security Manager) – Includes additional auditing separate from database audit logs (such as the Access Log) – Designed to fully exploit Teradata Database parallelism and scalability – Enterprise-wide solution that works with most major databases and operating systems (not just Teradata) 27 Protegrity Data Protection for Teradata Architecture Clique Enterprise Security Administrator (ESA) Policy Management Policy Log Proxy Server Deployment Server PEP Server Data Protection Operations Audit Logs AMP Data Protection Operations Node AMP AMP AMP AMP Key Management Node Audit Management PEP Server 28 Policy Enforcement Agent (UDF / UDT) AMP AMP AMP Protected Data Data Protection Methods Strong Encryption AES(128,256) / 3DES DTP2 Data Type Preserving Encryption 2 Hashing HMAC SHA-1 DAM Data Activity Monitoring 29 Strong Encryption • Symmetric encryption • Encrypted value can be used in database for joins, etc. Data Type Preserving Encryption 2 • Preserves the data type and length of a protected column Hashing • One way… can not be decrypted • Hashed value can be used in database for joins Data Activity Monitoring (DAM) • Monitors access to sensitive columns without encrypting or hashing • Can be used as a compensating control Masking Masking Tokenization Tokenization • Replaces sensitive characters in a string of data to render the data secure • Customizable mask patterns • Provides inert values that can replace sensitive data in databases • Can be used as a compensating control Data Protection Considerations • Performance • Storage • Security • Transparency 30 Data Protection Methods Data Protection Methods Performance Storage Security Transparency System without data protection Monitoring + Blocking + Masking Format Controlling Encryption Strong Encryption Tokenization Hashing Best 31 Worst Replace Sensitive Data With Fake Data = Random number 32 Data Token Replace Sensitive Data with Fake Data De-tokenization Tokenization Applications & Databases : Data Token 33 Unprotected sensitive information: Protected sensitive information: What is Tokenization and What is the Benefit? Tokenization • Tokenization is process that replaces sensitive data in systems with inert data called tokens which have no value to the thief • Tokens resemble the original data in data type and length Benefit • Greatly improved transparency to systems and processes that need to be protected Result • Reduced remediation • Reduced need for key management • Reduce the points of attacks • Reduce the PCI DSS audit costs for retail scenarios 34 Complexity when Using Basic Tokenization Large footprint becomes larger Clique Replication becomes more complex Solution may be unmanageable and expensive Node AMP Protegrity Agent Token Server AMP AMP AMP Node AMP Protegrity Agent AMP AMP AMP Credit Card Number 35 Social Security Number Passport Number Protegrity Tokenization for Teradata Architecture Clique Small footprint Node Protegrity Agent Small static token tables Tokenization Operations AMP High availability AMP High scalability AMP High performance AMP No replication required No chance of collisions Node Protegrity Agent Tokenization Operations AMP AMP AMP AMP 36 Performance Comparison Basic Tokenization • 5 tokens per second (outsourced) • 5000 tokens per second (in-house) Protegrity Tokenization • 200,000 tokens per second (Protegrity) • Single commodity server with 10 connections. • Will grow linearly with additional servers and/or connections • 9,000,000+ tokenizations per second (Protegrity /Teradata) 37 Protegrity Tokenization Differentiators Basic Tokenization 38 Protegrity Tokenization Footprint Large, Expanding Small, Static High Availability, Disaster Recovery Complex, expensive replication required No replication required Distribution Practically impossible to distribute geographically Easy to deploy at different geographically distributed locations Reliability Prone to collisions No collisions Performance, Latency, and Scalability Will adversely impact performance & scalability Little or no latency. Fastest industry tokenization Extendibility Practically impossible Unlimited Tokenization Capability Why Tokenization? No masking needed No encryption/decryption when using No key management across enterprise Why Protegrity Tokenization? Better – small footprint Faster – high performance Lower total cost of ownership 39 Flexibility for Different Forms of Data Type of Data Input Token Comment Token Properties 40 Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric Medical ID 29M2009ID 497HF390D Alpha-Numeric Date 10/30/1955 12/25/2034 Date E-mail Address [email protected] [email protected] Alpha Numeric, delimiters in input preserved SSN Delimiters 075-67-2278 287-38-2567 Numeric, delimiters in input Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits exposed Tokenization Case Studies Customer 1: Extensive enterprise End-to-End credit card data protection switching to Protegrity Tokenization • Performance Challenge: Initial tokenization • Vendor Lock-In: What if we want to switch payment processor? • Performance Challenge: Operational tokenization (SLAs) Customer 2: Desired single vendor to provide data protection including tokenization • Combined use of tokenization and encryption • Looking to expand tokens beyond CCN to PII Customer 3: Reduce compliance cost. 50 million Credit Cards, 700 million daily transactions 41 • Performance Challenge: Initial tokenization • End-to-End Tokens: Started with the EDW and expanding to stores Case Study – Large Chain Store By segmenting cardholder data with tokenization, a regional chain of 1,500 local convenience stores is reducing its PCI audit from seven to three months “We planned on 30 days to tokenize our 30 million card numbers. With Protegrity Tokenization the whole process took about 90 minutes” Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization • “With encryption, implementations can spawn dozens of questions” • “There were no such challenges with tokenization” 42 Case Study – Large Chain Store Faster PCI audit • Half that time Lower maintenance cost • Do not have to apply all 12 requirements of PCI DSS to every system Better security • Ability to eliminate several business processes such as generating daily reports for data requests and access Strong performance • Rapid processing rate for initial tokenization • Sub-second transaction SLA 43 Protegrity in the ETL Process Sources Transformation Targets SQL Server ETL Platform AS/400 Mainframe Oracle 44 • Cleansing • Integration • Transformation Teradata Load Processes Informatica Data Stage Teradata EDW Protegrity Policy Role Based Access Control DB2 Original Value No Access Token Mask Hash Test Data Protegrity Data Security Platform in Action Secure Collection Secure Distribution Audit Log POS e-commerce Branch Tokenization Policy Database Protector Security Administrator Application Protector File System Protector 45 Why Protegrity? Protegrity’s Tokenization allows compliance across: • PCI • PII • PHI Innovative: Pushing data protection with industry leading innovation such as out patented database protection system and the Protegrity Tokenization Proven: Proven platform currently protects the worlds largest companies Experienced: Experienced staff will be there with support along the way to complete data protection 46 Q&A Contacts: Protegrity: Teradata: [email protected] [email protected] Thank you! Data Breaches Gone Mad Learn how to Secure your Data Warehouse Straight Away!
© Copyright 2018