Where Data Security and Value of Data Meet in the Cloud
- Practical advice for cloud data security
Ulf Mattsson CTO, Protegrity
Cloud Security Alliance (CSA)
PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
IFIP (International Federation for Information Processing)
• WG 11.3 Data and Application Security
ISACA (Information Systems Audit and Control Association)
ISSA
Agenda
The New Enterprise Paradigm
• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency
Rethinking Data Security for a Boundless World
• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance
New Security Solutions, Technologies and Techniques
• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in the context of the enterprise
Enterprises Losing Ground Against Cyber-attacks
Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
High-profile Cyber Attacks
JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the largest banks
Security spending (chart)
• 49% recommended Database security
• 40% of budget still on Network security
• Only 19% to database security
Conclusion: Organisations have traditionally spent money on network security, so it is earmarked in the budget and requires no further justification
The Perimeter-less Enterprise
Integration with Outside World
Big data projects in 2015
• Integration with the outside world
• Security prevents big data from becoming a prevalent enterprise computing platform
• 3rd party products are helping
26 billion devices on the Internet of Things by 2020 (Gartner)
www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html
They’re Tracking When You Turn Off the Lights
Sensors to capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian
Security Threats of Connected Medical Devices
The Department of Homeland Security is investigating
• Two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers
• Can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity
• Keep medical data stored encrypted
PricewaterhouseCoopers study
• $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability
www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#
CHALLENGE
How can I Secure the Perimeter-less Enterprise?
Cloud Computing
What Is Your No. 1 Issue Slowing (survey chart)
Data Security Holding Back Cloud Projects
Security of Data in Cloud at Board-level
Public Cloud
New Technologies to Secure Cloud Data
Data-Centric Protection Increases Security in Cloud Computing
Rather than making the protection platform based, the security is applied directly to the data, protecting the data wherever it goes, in any environment
Cloud environments by nature have more access points and cannot be disconnected
Data-centric protection reduces the reliance on controlling the high number of access points
Simplify Operations and Compliance in the Cloud
Key Challenges
• Storing and/or processing data in the cloud increases the risks of noncompliance through unapproved access and data breach
• Service providers will limit their liabilities to potential data breaches that may be taken for granted on-premises
Recommendations
• Simplify audits & address data residency and compliance issues by applying encryption or tokenization and access controls
• Digitally shred sensitive data at its end of life by deleting the encryption keys or tokens
• Understand that protecting sensitive data in cloud-based software as a service (SaaS) applications may require trading off security and functionality
• Assess each encryption solution by following the data to understand when data appears in clear text, where keys are made available and stored, and who has access to the keys
Source: Gartner, Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
Security Gateway Deployment – Hybrid Cloud (diagram: client system and corporate network, cloud gateway, private cloud, public cloud and out-sourced environment; Enterprise Security Administrator and Security Officer manage the gateway)
Security Gateway – Searchable Encryption (diagram: client system, cloud gateway with RDBMS query re-write and order preserving encryption)
Security Gateway – Search & Indexing (diagram: client system, cloud gateway with RDBMS query re-write and index)
Cloud Gateway – Requirements Adjusted Protection (table comparing data protection methods by Scalability, Storage, Security and Transparency; ratings were shown graphically)
• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)
Comparing Data Protection
Risk Adjusted Storage – Data Leaking Formats (chart: data leakage from high to low against computational usefulness for strong encryption, truncation, sort-order-preserving encryption and indexing)
Balancing Data Security & Utility (chart: value-preserving classification and granular protection of sensitive data; whether an index, an encoding or a sort order preserving encryption algorithm leaks sensitive data, plotted against trust and elasticity, out-sourced vs. in-house)
Reduction of Pain with New Protection Techniques
Input value: 3872 3789 1620 3675
Method                                     Output                        Pain & TCO
Strong Encryption (AES, 3DES)              !@#$%a^.,mhu7///&*B()_+!@     High
Format Preserving Encryption (DTP, FPE)    8278 2789 2990 2789           Format preserving
Vault-based Tokenization                   8278 2789 2990 2789           Format preserving
Vaultless Tokenization                     8278 2789 2990 2789           Low – greatly reduced key management, no vault
(timeline axis: 1970, 2000, 2005, 2010)
What is Data Tokenization?
Data Tokenization – Replacing The Data
Tokenization Research
Tokenization Gets Traction
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Tokenization users had 50% fewer security-related incidents than tokenization non-users
Fine Grained Data Security Methods
Tokenization and Encryption are Different
• Encryption – used approach: Cipher System; based on cryptographic algorithms and cryptographic keys
• Tokenization – used approach: Code System; based on code books and index tokens
Speed of Fine Grained Protection Methods (chart: transactions per second on a log scale from 100 to 10 000 000 for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization)
Significantly Different Tokenization Approaches (table of properties for Dynamic vs. Pre-generated tokens; rows not recovered)
Examples of Protected Data
Field            Real Data                              Tokenized / Pseudonymized
Name             Joe Smith                              csu wusoj
Address          100 Main Street, Pleasantville, CA     476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                             01/02/1966
Telephone        760-278-3389                           760-389-2289
E-Mail Address   joe.smith@surferdude.org               eoe.nwuer@beusorpdqo.org
SSN              076-39-2778                            076-28-3390
CC Number        3678 2289 3907 3378                    3846 2290 3371 3378
Business URL     www.surferdude.com                     www.sheyinctao.com
Fingerprint      Encrypted
Photo            Encrypted
X-Ray            Encrypted
Use cases: Healthcare / Financial Services (Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.), Financial Services, Consumer Products
Protection methods can be equally applied to the actual data, but not needed with de-identification
Use Case: How Should I Secure Different Data?
Type of data: Structured / Un-structured
Data classes: Simple – PCI (Card Holder Data), PII (Personally Identifiable Information), Complex – PHI (Protected Health Information)
Methods shown: Tokenization of Fields, Encryption of Files
Example of Cross Border Data-centric Security
Data sources feeding a Data Warehouse in Italy
Complete policy-enforced de-identification of sensitive data
How to Balance Risk and
Risk Adjusted Data Security – Access Controls (chart: risk exposure vs. user productivity and creativity, from low to high access to sensitive data in the clear)
Risk Adjusted Data Security – Tokenized Data (chart: risk exposure vs. user productivity and creativity, from low to high access to tokenized data)
Risk Adjusted Data Security – Selective Masking (chart: risk exposure and cost of application changes vs. masking level)
Cost example: 16 digit credit card number – All-16-clear, Only-middle-6-hidden, All-16-hidden
Fine Grained Security: Securing Fields
Production Systems – Encryption of fields
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: !@#$%a^.,mhu7///&*B()_+!@
Non-Production Systems – Masking of fields
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038
Fine Grained Security: Tokenization of Fields
Production Systems – Tokenization (Pseudonymization)
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
Non-Production Systems – Tokenization (Pseudonymization)
• Not Reversible
Data-Centric Audit and Protection (DCAP)
Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act
By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today
Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
Data-Centric Audit and Protection (DCAP)
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting
Central Management – Policy Deployment (diagram: Enterprise Security Administrator and Security Office / Security Team deploy policy to Application Protector, Database Protector, EDW Protector, File Protector, Big Data Protector, Cloud Gateway, Inline Gateway, Protection Servers and IBM Mainframe Protectors; each returns an audit log)
Enterprise Data Security Policy
• What – What is the sensitive data that needs to be protected.
• How – How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
• Who – Who should have access to sensitive data and who should not. Security access control.
• When – When should sensitive data access be granted to those who have access. Day of week, time of day.
• Where – Where is the sensitive data stored? This will be where the policy is enforced.
• Audit – Audit authorized or un-authorized access to sensitive data.
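As an added example (not the presenter's or Protegrity's code), the policy dimensions above (Who, How, When, Audit) combined with the selective masking levels of the 16-digit card cost example and the format-preserving pseudonyms of the protected-data table, in Python. The HMAC substitution is a toy stand-in for vaultless tokenization, not a standardised format-preserving encryption mode; the secret, the roles and the time windows are constructed for the illustration.

```python
import hmac
import hashlib
from datetime import datetime

SECRET = b"constructed-demo-secret"  # constructed; real deployments use managed keys
AUDIT = []                           # constructed in-memory audit log
ALPHABETS = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

def pseudonymise(value: str, secret: bytes = SECRET) -> str:
    """Toy vaultless-style pseudonym: same length, separators kept, digits map to digits and letters to letters."""
    out = []
    for pos, ch in enumerate(value):
        alphabet = next((a for a in ALPHABETS if ch in a), None)
        if alphabet is None:                 # '-', '.', '@', ' ' stay as they are
            out.append(ch)
            continue
        # keyed, deterministic choice so the same input always yields the same token
        tag = hmac.new(secret, f"{pos}:{ch}".encode(), hashlib.sha256).digest()
        out.append(alphabet[tag[0] % len(alphabet)])
    return "".join(out)

def mask_card(card: str, level: str) -> str:
    """Selective masking of a 16-digit card: all-16-clear, middle-6-hidden (first 6 and last 4 clear) or all-16-hidden."""
    digits = card.replace(" ", "")
    if level == "middle-6-hidden":
        digits = digits[:6] + "*" * 6 + digits[12:]
    elif level == "all-16-hidden":
        digits = "*" * 16
    return " ".join(digits[i:i + 4] for i in range(0, 16, 4))

# Who -> (How, allowed weekdays 0=Mon..6=Sun, allowed hours); constructed policy
POLICY = {
    "fraud_analyst": ("all-16-clear", range(0, 5), range(8, 18)),
    "call_center": ("middle-6-hidden", range(0, 7), range(0, 24)),
    "bi_analyst": ("pseudonymised", range(0, 7), range(0, 24)),
}

def present_card(card: str, who: str, when: datetime) -> str:
    """Decide How the card is shown from Who and When, and audit the decision."""
    how = "denied"
    rule = POLICY.get(who)
    if rule and when.weekday() in rule[1] and when.hour in rule[2]:
        how = rule[0]
    AUDIT.append({"who": who, "when": when.isoformat(), "how": how})
    if how == "denied":                      # unauthorized access is logged and fully hidden
        return mask_card(card, "all-16-hidden")
    if how == "pseudonymised":
        return pseudonymise(card)
    return mask_card(card, how)
```

Every call is recorded in AUDIT whether or not access was granted, which is the audit dimension of the policy; the "where" dimension is wherever this function runs.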
Central Management – Audit Log Collection (diagram: audit logs from Application Protector, Database Protector, EDW Protector, File Protector, Big Data Protector, Cloud Gateway, Inline Gateway, Protection Servers and IBM Mainframe Protectors collected centrally for the Enterprise Security Administrator and Security Office / Security Team)
Summary
The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise