
Where Data Security and Value of Data Meet in the Cloud


Academic year: 2021


- Practical advice for cloud data security

Ulf Mattsson CTO, Protegrity

(2)

Ulf Mattsson, Protegrity CTO

• Cloud Security Alliance (CSA)

• PCI Security Standards Council: Cloud & Virtualization SIGs, Encryption Task Force, Tokenization Task Force

• IFIP (International Federation for Information Processing): WG 11.3 Data and Application Security

• ISACA (Information Systems Audit and Control Association)

• ISSA

(3)

Agenda

The New Enterprise Paradigm

• Cloud computing, IoT and the disappearing perimeter

• Data is the new currency

Rethinking Data Security for a Boundless World

• The new wave of challenges to security and productivity

• Seamless, boundless security framework – data flow

• Maximize data utility & minimizing risk – finding the right balance

New Security Solutions, Technologies and Techniques

• Data-centric security technologies

• Data security and utility outside the enterprise

• Cloud data security in context to the enterprise

(4)

Enterprises Losing Ground Against Cyber-attacks

Verizon Data Breach Investigations Report

• Enterprises are losing ground in the fight against persistent cyber-attacks

• We simply cannot catch the bad guys until it is too late. This picture is not improving

• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools

JP Morgan Chase data breach

• Hackers were in the bank’s network for months undetected

• Network configuration errors are inevitable, even at the largest banks

(5)

High-profile Cyber Attacks

• 49% recommended database security

• 40% of budget still on network security

• Only 19% to database security

Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification

(6)

The Perimeter-less

(7)

Integration with Outside World

Big data projects in 2015

Integration with the outside world

Security prevents big data from becoming a prevalent enterprise computing platform

3rd party products are helping

26 billion devices on the Internet of Things by 2020 (Gartner)

www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowly-permeate-the-borders-of-the-enterprise.html

(8)

They’re Tracking When You Turn Off the Lights

Sensors to capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian

(9)

Security Threats of Connected Medical Devices

The Department of Homeland Security investigating

• Two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers

• Can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity

• Keep medical data stored encrypted

PricewaterhouseCoopers study

• $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability

www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices

(10)

CHALLENGE

How can I Secure the Perimeter-less Enterprise?

(11)

Cloud Computing

(12)

What Is Your No. 1 Issue Slowing

(13)

Data Security Holding Back Cloud Projects

(14)

Security of Data in Cloud at Board-level

(15)
(16)

Public Cloud

(17)

New Technologies to Secure Cloud Data

(18)

Data-Centric Protection Increases Security in Cloud Computing

• Rather than making the protection platform based, the security is applied directly to the data

• Protecting the data wherever it goes, in any environment

• Cloud environments by nature have more access points and cannot be disconnected

• Data-centric protection reduces the reliance on controlling the high number of access points

(19)

Simplify Operations and Compliance in the Cloud

Key Challenges

• Storing and/or processing data in the cloud increases the risks of noncompliance through unapproved access and data breach

• Service providers will limit their liabilities to potential data breaches that may be taken for granted on-premises

(20)

Simplify Operations and Compliance in the Cloud

Recommendations

• Simplify audits & address data residency and compliance issues by applying encryption or tokenization and access controls.

• Digitally shred sensitive data at its end of life by deleting the encryption keys or tokens

• Understand that protecting sensitive data in cloud-based software as a service (SaaS) applications may require trading off security and functionality

• Assess each encryption solution by following the data to understand when data appears in clear text, where keys are made available and stored, and who has access to the keys

Gartner: Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015

(21)

[Diagram: Security Gateway Deployment – Hybrid Cloud. Labels: Corporate Network, Client System, Public Cloud, Cloud Gateway, Private Cloud, Enterprise Security Administrator, Security Officer, Out-sourced]

(22)

[Diagram: Security Gateway Deployment – Hybrid Cloud. Labels: Corporate Network, Client System, Private Cloud, Public Cloud, Cloud Gateway, Enterprise Security Administrator, Security Officer, Gateway, Out-sourced]

(23)

[Diagram: Security Gateway – Searchable Encryption. Labels: Corporate Network, Client System, Cloud Gateway, RDBMS, Query re-write, Enterprise Security Administrator, Security Officer, Order preserving encryption]

(24)

[Diagram: Security Gateway – Search & Indexing. Labels: Corporate Network, Client System, Cloud Gateway, RDBMS, Query re-write, Enterprise Security Administrator, Security Officer, Index]

(25)

Cloud Gateway - Requirements Adjusted Protection

[Table: columns are Data Protection Methods, Scalability, Storage, Security, Transparency. Rows are System without data protection; Weak Encryption (1:1 mapping); Searchable Gateway Index (IV); Vaultless Tokenization; Partial Encryption; Data Type Preservation Encryption; Strong Encryption (AES CBC, IV). Cell values are not present in the extracted text.]

(26)

Comparing Data Protection

(27)

Risk Adjusted Storage – Data Leaking Formats

[Chart: axes Computational Usefulness (H to L) and Data Leakage. Formats shown: Strong-encryption, Truncation, Sort-order-preserving-encryption, Indexing]

(28)

Balancing Data Security & Utility

[Diagram labels: Value Preserving, Classification of Sensitive Data, Granular Protection of Sensitive Data, Index, Data, Encoding, Leaking Sensitive Data?]

(29)

Risk Adjusted Data Leakage

[Chart: axes Trust (H to L) and Elasticity (Out-sourced, In-house). Labels: Index Leaking Sensitive Data; Sort Order Preserving Encryption Algorithms Leaking Sensitive Data; Index NOT Leaking Sensitive Data; Index; Data]

(30)

Reduction of Pain with New Protection Techniques

[Chart: Pain & TCO (High to Low) over 1970, 2000, 2005, 2010. Techniques shown: Strong Encryption (AES, 3DES); Format Preserving Encryption (DTP, FPE); Vault-based Tokenization; Vaultless Tokenization. Input value: 3872 3789 1620 3675. Outputs shown: !@#$%a^.,mhu7///&*B()_+!@ and 8278 2789 2990 2789 (format preserving). Notes: Greatly reduced Key Management; No Vault]

(31)

What is Data Tokenization?

(32)

Data Tokenization – Replacing The Data

(33)

Tokenization Research

Tokenization Gets Traction

• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption

• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data

• Tokenization users had 50% fewer security-related incidents than tokenization non-users

(34)

Fine Grained Data Security Methods

Tokenization and Encryption are Different

[Diagram: Used Approach. Encryption: Cipher System. Tokenization: Code System. Labels: Cryptographic algorithms, Cryptographic keys, Code books, Index tokens]

(35)

Speed of Fine Grained Protection Methods

[Chart: Transactions per second* on a scale from 100 to 10 000 000. Methods compared: Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Vault-based Data Tokenization]

(36)

Significantly Different Tokenization Approaches

Property Dynamic Pre-generated

(37)

Examples of Protected Data

Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | joe.smith@surferdude.org | eoe.nwuer@beusorpdqo.org
SSN | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | Encrypted
Photo | Encrypted
X-Ray | Encrypted

Healthcare / Financial Services

Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.

Financial Services

Consumer Products

Protection methods can be equally applied to the actual data, but not needed with de-identification
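The vault-based tokenization and the "digitally shred by deleting the tokens" recommendation from this deck, as an added example that is not from the original slides or from Protegrity. The TokenVault class and its method names are hypothetical; the token keeps the last four digits, as the sample CC Number row above does.

```python
import secrets


class TokenVault:
    """Vault-based tokenization: a random code book, not a cipher (hypothetical class)."""

    def __init__(self):
        self._token_to_value = {}  # the code book; this is what must be protected
        self._value_to_token = {}  # index so one card number always maps to one token

    def tokenize(self, card_number: str) -> str:
        digits = card_number.replace(" ", "")
        if not (digits.isdigit() and len(digits) == 16):
            raise ValueError("expected a 16-digit card number")
        if digits in self._value_to_token:
            return self._value_to_token[digits]
        while True:
            # 12 random digits plus the real last four: same length and type as the input.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + digits[-4:]
            if token != digits and token not in self._token_to_value:
                break
        self._token_to_value[token] = digits
        self._value_to_token[digits] = token
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        if not authorized:
            raise PermissionError("policy denies access to the clear value")
        return self._token_to_value[token]  # raises KeyError once shredded

    def shred(self, token: str) -> None:
        """Digital shredding: delete the mapping so every stored copy of the token is inert."""
        value = self._token_to_value.pop(token)
        del self._value_to_token[value]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("3678 2289 3907 3378")  # sample value from the table above
    print(token, vault.detokenize(token, authorized=True))
    vault.shred(token)
    print(token in vault._token_to_value)  # the clear value is no longer recoverable
```

Because the token is random rather than computed from the card number, there is no key to manage for the field itself; the code book becomes the asset to protect.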

(38)

How Should I Secure Different Data?

[Diagram: Use Case runs from Simple (PCI: Card Holder Data; PII: Personally Identifiable Information) to Complex (PHI: Protected Health Information). Type of Data: Structured, Un-structured. Methods shown: Tokenization of Fields, Encryption of Files]

(39)

Example of Cross Border Data-centric Security

Data sources

Data Warehouse

In Italy

Complete policy-enforced de-identification of sensitive data

(40)

How to Balance Risk and

(41)

Risk Adjusted Data Security – Access Controls

[Chart: Risk Exposure and User Productivity and Creativity (Low to High) for Access to Sensitive Data in Clear, from Low Access to Data to High Access to Data]

(42)

Risk Adjusted Data Security – Tokenized Data

[Chart: User Productivity and Creativity (Low to High) for Access to Tokenized Data, from Low Access to Data to High Access to Data]

(43)

Risk Adjusted Data Security – Selective Masking

[Chart: Cost of Application Changes and Risk Exposure (Low to High). Cost example: 16 digit credit card number, shown as All-16-clear, Only-middle-6-hidden, All-16-hidden]

(44)

Fine Grained Security: Securing Fields

Production Systems

Encryption of fields

• Reversible

• Policy Control (Authorized / Unauthorized Access)

• Lacks Integration Transparency

• Complex Key Management

• Example: !@#$%a^.,mhu7///&*B()_+!@

Non-Production Systems

Masking of fields

• Not reversible

• No Policy, Everyone can access the data

• Integrates Transparently

• No Complex Key Management

• Example: 0389 3778 3652 0038

(45)

Fine Grained Security: Tokenization of Fields

Production Systems

Tokenization (Pseudonymization)

• No Complex Key Management

• Business Intelligence

• Example: 0389 3778 3652 0038

Non-Production Systems

• Reversible

• Policy Control (Authorized / Unauthorized Access)

• Not Reversible

(46)

Data–Centric Audit and Protection (DCAP)

Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act

By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today

Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014

(47)

Data–Centric Audit and Protection (DCAP)

• Centrally managed security policy

• Across unstructured and structured silos

• Classify data, control access and monitoring

• Protection – encryption, tokenization and masking

• Segregation of duties – application users and privileged users

• Auditing and reporting

(48)

Central Management – Policy Deployment

[Diagram: the Security Office / Security Team uses the Enterprise Security Administrator to deploy Policy to each enforcement point. Labels: Application Protector, Database Protector, EDW Protector, File Protector, Big Data Protector, Cloud Gateway, Inline Gateway, Protection Servers, IBM Mainframe Protectors, Audit Log]

(49)

Enterprise Data Security Policy

• What: What is the sensitive data that needs to be protected?

• How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.

• Who: Who should have access to sensitive data and who should not. Security access control.

• When: When should sensitive data access be granted to those who have access? Day of week, time of day.

• Where: Where is the sensitive data stored? This will be where the policy is enforced.

• Audit authorized or un-authorized access to sensitive data.
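One way to express the what / how / who / when / where / audit policy above in code, combined with the three presentation levels from the selective masking slide (all 16 clear, only middle 6 hidden, all 16 hidden). This is an added example, not Protegrity's policy format: the role names, field names and the access and present functions are assumptions, and the enforcement point names are constructed from component names in the deck.

```python
from datetime import datetime

# Constructed sample policy; the field names are illustrative, not a product schema.
POLICY = {
    "what": "credit_card_number",                      # the sensitive data element
    "how": {"fraud_analyst": "clear",                  # who may see it, and in what form
            "support_agent": "middle6_hidden"},
    "default": "all_hidden",                           # everyone else, and every denial
    "when": {"days": {0, 1, 2, 3, 4}, "hours": range(8, 18)},  # Mon-Fri, 08:00-17:59
    "where": {"cloud_gateway", "database_protector"},  # enforcement points
}
AUDIT_LOG = []  # authorized and unauthorized attempts are both recorded


def present(value, method):
    """Render a 16-digit card number at one of the three masking levels."""
    digits = value.replace(" ", "")
    if method == "clear":
        return digits
    if method == "middle6_hidden":
        return digits[:6] + "*" * 6 + digits[12:]
    return "*" * len(digits)


def access(user, role, enforcement_point, value, now, policy=POLICY):
    """Apply who/when/where, pick the presentation, and write an audit record."""
    in_window = (now.weekday() in policy["when"]["days"]
                 and now.hour in policy["when"]["hours"])
    in_place = enforcement_point in policy["where"]
    granted = role in policy["how"] and in_window and in_place
    method = policy["how"][role] if granted else policy["default"]
    AUDIT_LOG.append({"time": now.isoformat(), "user": user, "role": role,
                      "element": policy["what"], "where": enforcement_point,
                      "authorized": granted, "presented": method})
    return present(value, method)


if __name__ == "__main__":
    pan = "3678 2289 3907 3378"  # sample card number from the deck
    print(access("bob", "support_agent", "cloud_gateway", pan, datetime(2015, 6, 10, 10)))
    print(AUDIT_LOG[-1])
```

A denied request still returns a value of the same length, so calling applications keep working while the clear digits stay hidden and the attempt lands in the audit log.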

(50)

Central Management – Audit Log Collection

[Diagram: each enforcement point sends its Audit Log to the Enterprise Security Administrator for the Security Office / Security Team. Labels: Application Protector, Database Protector, EDW Protector, File Protector, Big Data Protector, Cloud Gateway, Inline Gateway, Protection Servers, IBM Mainframe Protectors]

(51)

Summary

The biggest challenge in this new paradigm

• Cloud and an interconnected world

• Merging data security with data value and productivity

What’s required?

• Seamless, boundless security framework – data flow

• Maximize data utility & Minimizing risk – finding the right balance

Value-preserving data-centric security methods

• How to keep track of your data and monitor data access outside the enterprise

• Best practices for protecting data and privacy in the perimeter-less enterprise.

What New Data Security Technologies are Available for Cloud?

How can Cloud Data Security work in Context to the Enterprise?

(52)

Thank you!

Questions?

Please contact us for more information

www.protegrity.com
