The Security Issue
Data Marketing 2013 Conference
Phil Sewell, Canadian Regional Director
About Voltage Security
• Mission: Data-centric security to combat advanced security threats inside and outside the cloud – easy to use and easy to manage
• Founded: June 2002
• Origins: DARPA funded research at Stanford University
• Proven Leader: Global scale data-centric security solutions
• Unique innovations:
  – Identity Based Encryption (IBE)
  – Format Preserving Encryption (FPE)
  – Secure Stateless Tokenization (SST)
  – Page-Integrated Encryption (PIE)
• Headquarters: Cupertino, CA, USA.
Customers:
• 1,000+ Enterprises
• 150,000+ SMBs on Voltage Cloud
• Leader in OEM email encryption
• Top credit card companies, payment processors, world’s largest retailers, telcos, Fortune 25 banks, insurance, healthcare networks, government
Analyst Leadership Recognition: Gartner, Forrester, Burton IT1, Mercator, Hurwitz
Copyright 2013 Voltage Security
The Business of Data Has Changed
Today’s reality requires data to be accessed anywhere, anytime, for any purpose.
More and more data is being moved into the cloud and consolidated into big data repositories.
This change will drive more business agility and more value.
Taming the Explosion in Data – Optimizing Time-to-Insight
• The explosion in data fuels growth and agility
  – But time to data value is gated by risk and compliance
• Attacks on data are here to stay, and big data means a big target
• Balancing data access and data security is critical
“90% of the data in the world today has been created in the last two years alone”* - IBM
[Chart: Parabolic growth in data created and consumed* - Cisco; exabytes per month, 2000–2015]
New Risks: Cloud computing, Big Data and mobile applications
The business boundary no longer exists
No Business Boundaries – data is the new perimeter
[Diagram: data flowing between CRM, Billing, Test and Trading, Treasury, Backup, Employees, Partners, Customers, Payments, Distributed Staff]
Can IT use encryption to protect sensitive data ?
Yes, but the traditional IT approach to encryption has major issues
– Businesses need to assume hackers will gain access to data
  • “Container & Pipe” encryption only protects data at rest or in transit
  • No persistent data protection
  • Leaves security gaps
  • Exploitable – SQL Injection, Malware
– Data goes everywhere
  • Data needs to be protected – at the data level 24/7
– Compliance does not equal security
What new data protection challenges does your organization face ?
Cloud Services ?
Big Data / Hadoop ?
Expanding data warehouses ?
Proliferation of mobile devices ? BYOD ?
Outsourcing to 3rd parties ?
Two new data marketing tools with similar challenges
Cloud Services
• Traditional encryption not portable to cloud = new risks of data breach
• Untrusted systems / commodity servers
• Data residency
• Risks with sharing data
• Discontinuous protection
• Risks with 3rd party compliance
Big Data
• Traditional encryption not suitable for big data = new risks of data breach
• Untrusted systems / commodity servers
• Data residency
• Risks with sharing data
• Risks of data concentration / market position / corporate compliance
Security and compliance issues are stopping Cloud and Big Data projects
A New Protection Paradigm is Needed
• Retain the business value of the original sensitive data
• Enables and supports business processes with least impact
• Sensitive data is protected from the point of creation across the full lifecycle
The data-centric approach
• Protect data from new threats
• Encrypt once, stay protected
  – From capture
  – In storage
  – In transit
  – In use
  – Until needed by trusted applications
• Structured and unstructured data
  – Email, file, fields, transactions
• If attackers get the encrypted data, it’s worthless
Traditional IT Security vs. Data-centric security
Why is the data-centric approach important ?
[Diagram: data security coverage across the layers Storage, File Systems, Databases, Data & Applications]
Traditional IT Infrastructure Security (bottom up): Disk encryption; Transparent Database Encryption (TDE), triggers; SSL/TLS/Firewalls; Authentication; Middleware – with a Security Gap between each layer
Data-Centric Security (top down): Application-layer data protection provides seamless end-to-end data security. Encrypt once, persistently protect from point of capture: in storage, in transit, in use
[Diagram axis labels: More keys / Less keys; More secure / Less secure; Less computation / More computation; Application aware / Transparent]
Data – structure, value, and meaning
Take a simple Tax ID. It’s more than just a number.
• It has a format and structure
• It has value in being unique
• Its parts have value – e.g. last 4 digits
Traditional encryption reduces value in the data
• Changes format of data – requires schema changes
• Changes size of field – increases storage
Example: Tax ID 934-72-2356 → AES-CBC → Encrypted Tax ID uE28W&=209gX32F*52
Format-Preserving Encryption (FPE)
• Supports data of any format
• Encrypts all or part of a value – e.g., last 4 digits of SSN preserved
• Preserves referential integrity
• NIST FFX Mode AES - NIST SP800-38G
Example: Tax ID 934-72-2356
  → Regular AES → 8juYE%Uks&dDFa2345^WFLSDGhbsd735 6w72323998345kjhsd%!@#$ERG (format and length lost)
  → FPE → 298-24-2356 (format preserved, last 4 digits retained)
PII: email address [email protected] → Ija&3k24kQarotugDF2390^32[email protected]
Data-Centric Security at Work
Trusted Applications – Permitted Access
Untrusted Application – Partial or restricted access
[Diagram: Live Data → De-identified & Protected Data]
Protect live data, yet retain data format, structure, and business value when protected
But don’t I have to worry about who is managing the encryption keys ?
Key management for enabling cloud services
1. Retain control over data and residency of live information
2. Eliminate need to store keys in the cloud – legal discovery and risk
3. Ability to locate key management in different geographies
4. Locate key management in-cloud or on premise
5. Integrate with Federated or Enterprise Authentication & Authorization systems
Stateless designs reduce traditional static key management cost and risks and enable simpler key management for the cloud.
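As an added illustration of the "stateless" key management idea above (not Voltage's IBE or SST design, whose internals the slides do not describe), the example below derives every data key on demand from a single master secret plus a context string using HKDF (RFC 5869) over HMAC-SHA256. Two key servers seeded with the same master secret, whether in different geographies or one in-cloud and one on premise, return identical keys with no key database to replicate or to lose, rotation is a version bump in the context, and an authorization policy gates which caller may obtain which key. The master secret, salt, policy and caller names are constructed for the demo.

```python
"""Stateless key management: derive every data key from one master secret plus
context instead of storing per-tenant keys in a database. Added illustration using
HKDF (RFC 5869) over HMAC-SHA256; not Voltage's IBE or SST construction."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class StatelessKeyServer:
    """Holds one secret and derives data keys from (tenant, region, purpose, version).

    Instances seeded with the same master secret, wherever they run, derive
    identical keys: nothing to replicate between sites, no key table to leak.
    """

    def __init__(self, master_secret: bytes, domain_salt: bytes, policy: dict):
        self._prk = hkdf_extract(domain_salt, master_secret)  # the only secret state
        self._policy = policy  # (caller, region) -> purposes the caller may access

    def data_key(self, caller: str, tenant: str, region: str, purpose: str, version: int = 1) -> bytes:
        """Authorize the caller (its federated identity is assumed verified upstream), then derive."""
        if purpose not in self._policy.get((caller, region), set()):
            raise PermissionError(f"{caller} may not obtain {purpose} keys for region {region}")
        info = f"{tenant}|{region}|{purpose}|v{version}".encode()  # key identity, holds no secret
        return hkdf_expand(self._prk, info)


# Constructed demo values; a real deployment keeps the master secret in an HSM.
MASTER = hashlib.sha256(b"constructed-master-secret").digest()
DOMAIN_SALT = b"acme-keyserver-2013"
POLICY = {("billing-app", "eu"): {"tax_id", "card"}, ("marketing-app", "eu"): {"email"}}


def demo() -> dict:
    eu = StatelessKeyServer(MASTER, DOMAIN_SALT, POLICY)  # key server located in the EU
    us = StatelessKeyServer(MASTER, DOMAIN_SALT, POLICY)  # on-premise instance, no sync needed
    k_eu = eu.data_key("billing-app", "acme", "eu", "tax_id")
    return {
        "same_key_both_sites": k_eu == us.data_key("billing-app", "acme", "eu", "tax_id"),
        "rotated_key_differs": k_eu != eu.data_key("billing-app", "acme", "eu", "tax_id", version=2),
        "purpose_isolated": k_eu != eu.data_key("billing-app", "acme", "eu", "card"),
    }


if __name__ == "__main__":
    print(demo())
    try:
        StatelessKeyServer(MASTER, DOMAIN_SALT, POLICY).data_key("marketing-app", "acme", "eu", "tax_id")
    except PermissionError as err:
        print("denied:", err)
```

The residency points on the slide map onto this directly: because the context string carries the region, an EU key server never derives a US tenant's key unless its policy allows it, and the only thing that must travel to a cloud-hosted instance is the master secret (or, better, a per-domain PRK already bound to that domain's salt), never a table of live keys that could surface in legal discovery or a breach.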
Data-centric approach enables new data marketing tools
Cloud Services
• Reduced risk of data breach
• Portability and choice
• Support for data residency
• Enables the safe sharing of data
• Continuous protection
• Control and compliance
• Reduced time to market
Big Data
• Reduced risk of data breach
• Portability and choice
• Support for data residency
• Enables the safe sharing of data
• Reduced risks of data concentration / market position / corporate compliance
• Control and compliance
Voltage Data-Centric Security Protects and Enables
Meet Compliance Regulations
Mitigate Data Threats / Breaches
Enable Business Agility
Control Sensitive Data Access
Protect Enterprise & Cloud Data
Validation & Proofs of Security
Thank you
Phil Sewell (416) 482-1209