Where Data Security and Value of Data Meet in the Cloud
- Practical advice for cloud data security
Ulf Mattsson
CTO, Protegrity
[email protected]
Ulf Mattsson, Protegrity CTO
Cloud Security Alliance (CSA)
PCI Security Standards Council
• Cloud & Virtualization SIGs
• Encryption Task Force
• Tokenization Task Force
IFIP (International Federation for Information Processing)
• WG 11.3 Data and Application Security
ISACA (Information Systems Audit and Control Association)
ISSA (Information Systems Security Association)
Agenda
The New Enterprise Paradigm
• Cloud computing, IoT and the disappearing perimeter
• Data is the new currency
Rethinking Data Security for a Boundless World
• The new wave of challenges to security and productivity
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance
New Security Solutions, Technologies and Techniques
• Data-centric security technologies
• Data security and utility outside the enterprise
• Cloud data security in context to the enterprise
Best Practices
Enterprises Losing Ground Against Cyber-attacks
Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks
• We simply cannot catch the bad guys until it is too late. This picture is not improving
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
JP Morgan Chase data breach
• Hackers were in the bank’s network for months undetected
• Network configuration errors are inevitable, even at the largest banks
We need a new approach to data security
High-profile Cyber Attacks
49% recommended database security
40% of budget still on network security
Only 19% to database security
Conclusion: Organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification
The Perimeter-less World
Integration with Outside World
Big data projects in 2015
• Integration with the outside world
26 billion devices on the Internet of Things by 2020 (Gartner)
Security prevents big data from becoming a prevalent enterprise computing platform
• 3rd party products are helping
Sources: www.infoworld.com/article/2866831/big-data/in-2015-big-data-will-slowlypermeate-the-borders-of-the-enterprise.html, wikipedia.org
They’re Tracking When You Turn Off the Lights
Sensors to capture data on environmental conditions including sound volume, wind and carbon-dioxide levels, as well as behavioral data such as pedestrian traffic flow
Source: Wall Street Journal
Security Threats of Connected Medical Devices
The Department of Homeland Security is investigating
• Two dozen cases of suspected cyber security flaws in medical devices that could be exploited by hackers
• Can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity
• Keep medical data stored encrypted
PricewaterhouseCoopers study
• $30bn annual cost hit to the US healthcare system due to inadequate medical-device interoperability
www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connectedmedical-devices#
CHALLENGE: How can I secure the perimeter-less enterprise?
Cloud Computing
What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing?
Data Security Holding Back Cloud Projects
Source: Cloud Adoption Practices & Priorities Survey Report, January 2015
Security of Data in Cloud at Board-level
Source: Cloud Adoption Practices & Priorities Survey Report, January 2015
Threat Vector Inheritance
Public Cloud
Source: Wired.com
New Technologies to Secure Cloud Data
Data-Centric Protection Increases Security in Cloud Computing
Rather than making the protection platform-based, the security is applied directly to the data
Protecting the data wherever it goes, in any environment
Cloud environments by nature have more access points and cannot be disconnected
Data-centric protection reduces the reliance on controlling the high number of access points
Simplify Operations and Compliance in the Cloud
Key Challenges
• Storing and/or processing data in the cloud increases the risks of noncompliance through unapproved access and data breach
• Service providers will limit their liabilities to potential data breaches that may be taken for granted on-premises
Recommendations
• Simplify audits & address data residency and compliance issues by applying encryption or tokenization and access controls
• Digitally shred sensitive data at its end of life by deleting the encryption keys or tokens
• Understand that protecting sensitive data in cloud-based software as a service (SaaS) applications may require trading off security and functionality
• Assess each encryption solution by following the data to understand when data appears in clear text, where keys are made available and stored, and who has access to the keys
Source: Gartner – Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data, Jun 2015
Security Gateway Deployment – Hybrid Cloud
(Diagram, shown in two layouts: Client System, Corporate Network, Cloud Gateway, Private Cloud, Public Cloud, Enterprise Security Administrator, Security Officer, Out-sourced.)
Security Gateway – Searchable Encryption
(Diagram: a Query from the Client System on the Corporate Network passes through the Cloud Gateway, which re-writes it for the RDBMS using order preserving encryption; Enterprise Security Administrator and Security Officer manage the gateway.)
Security Gateway – Search & Indexing
(Diagram: the same flow, with the Cloud Gateway re-writing the RDBMS Query to run against an Index.)
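The gateway query re-write sketched on these two slides, as an added example that is not part of the original deck or of any Protegrity product: a small Python gateway keeps both keys on the corporate side, stores the sensitive column in the cloud database as randomized ciphertext plus a keyed (HMAC-SHA256) search index, and re-writes the client's equality predicate to run against the index column. Range predicates are refused, because an equality index cannot answer them; serving them would need order-preserving encryption, which leaks sort order to the cloud provider. The table, column names, keys and records are constructed for the example (the SSN value is the one on the deck's protected-data slide), and the placeholder cipher stands in for the gateway's real encryption (AES in a production gateway) so the block runs with the standard library only.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

# Keys stay with the gateway on the corporate network; the cloud database never sees them.
INDEX_KEY = b"constructed-demo-index-key"  # constructed for this example
DATA_KEY = b"constructed-demo-data-key"    # constructed for this example


def blind_index(value: str) -> str:
    """Keyed, deterministic index: equal plaintexts give equal index values, so the
    cloud can answer `=` without the key, but cannot recover the plaintext or
    compare order. The equality pattern is the leakage you knowingly accept."""
    return hmac.new(INDEX_KEY, value.encode(), hashlib.sha256).hexdigest()


def _keystream(nonce: bytes, length: int) -> bytes:
    # Placeholder keystream (SHA-256 in counter mode); a real gateway uses AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(DATA_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def placeholder_encrypt(value: str) -> str:
    """Randomized encryption: a fresh nonce per value, so equal plaintexts give
    different ciphertexts. That is exactly why a separate index column is needed."""
    nonce = secrets.token_bytes(16)
    data = value.encode()
    ct = bytes(b ^ k for b, k in zip(data, _keystream(nonce, len(data))))
    return nonce.hex() + ":" + ct.hex()


def placeholder_decrypt(stored: str) -> str:
    nonce_hex, ct_hex = stored.split(":")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(b ^ k for b, k in zip(ct, _keystream(nonce, len(ct)))).decode()


# Client SQL uses the logical column `ssn` and the named parameter `:ssn`.
EQ_PREDICATE = re.compile(r"\bssn\s*=\s*:ssn\b")
RANGE_PREDICATE = re.compile(r"\bssn\s*(?:[<>!]=?|<>|BETWEEN\b|LIKE\b)", re.I)
LOGICAL_COLUMN = re.compile(r"(?<![:\w])ssn(?!\w)")   # bare `ssn`, not `:ssn` or `ssn_idx`


class CloudGateway:
    """Sits between client systems and the cloud RDBMS (an in-memory SQLite
    database stands in for the cloud side here)."""

    def __init__(self) -> None:
        self.cloud_db = sqlite3.connect(":memory:")
        self.cloud_db.execute(
            "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, ssn_prot TEXT, ssn_idx TEXT)"
        )

    def insert(self, name: str, ssn: str) -> None:
        # The clear SSN is replaced by ciphertext plus index before it leaves the corporate network.
        self.cloud_db.execute(
            "INSERT INTO customer (name, ssn_prot, ssn_idx) VALUES (?, ?, ?)",
            (name, placeholder_encrypt(ssn), blind_index(ssn)),
        )

    def query(self, sql: str, params: dict) -> tuple:
        """Re-write the client's query for the cloud schema, run it, and decrypt
        protected columns in the result. Returns (re-written SQL, rows)."""
        if RANGE_PREDICATE.search(sql):
            raise ValueError("blind index answers equality only; a range search on ssn "
                             "would need order-preserving encryption, which leaks sort order")
        rewritten = EQ_PREDICATE.sub("ssn_idx = :ssn", sql)
        rewritten = LOGICAL_COLUMN.sub("ssn_prot", rewritten)
        cloud_params = dict(params)
        if "ssn" in cloud_params:
            cloud_params["ssn"] = blind_index(cloud_params["ssn"])
        cur = self.cloud_db.execute(rewritten, cloud_params)
        names = [d[0] for d in cur.description]
        rows = [tuple(placeholder_decrypt(v) if names[i] == "ssn_prot" else v
                      for i, v in enumerate(row)) for row in cur.fetchall()]
        return rewritten, rows

    def cloud_rows(self) -> list:
        """What the cloud provider actually holds."""
        return self.cloud_db.execute("SELECT name, ssn_prot, ssn_idx FROM customer").fetchall()


def demo() -> tuple:
    gw = CloudGateway()
    gw.insert("Joe Smith", "076-39-2778")   # constructed records; SSN from the deck's example slide
    gw.insert("Ann Lee", "123-45-6789")
    return gw.query("SELECT name, ssn FROM customer WHERE ssn = :ssn", {"ssn": "076-39-2778"})


if __name__ == "__main__":
    print(demo())
```

The re-written statement the cloud sees is `SELECT name, ssn_prot FROM customer WHERE ssn_idx = :ssn`, with the parameter already replaced by its index value; the cloud rows contain no clear SSN, and two records with the same SSN share an index value while their ciphertexts differ. That shared index value is the leakage a "Searchable Gateway Index" accepts, which is why the deck rates it below strong encryption on security and above it on transparency.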
Cloud Gateway – Requirements Adjusted Protection
Data protection methods rated from Best to Worst on Scalability, Storage, Security and Transparency (the rating marks themselves are not recoverable from the slide):
• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)
Comparing Data Protection Methods
Risk Adjusted Storage – Data Leaking Formats
(Chart: computational usefulness plotted against data leakage, high to low, for strong encryption, truncation, sort-order-preserving encryption and indexing.)
Balancing Data Security & Utility
(Chart: classification of sensitive data, granular protection of sensitive data, value preserving encoding and index, each marked with the question "leaking sensitive data?".)
Risk Adjusted Data Leakage
(Chart: trust, high to low, against elasticity, in-house to out-sourced; an index leaking sensitive data and sort order preserving encryption algorithms leaking sensitive data are set against an index NOT leaking sensitive data.)
Reduction of Pain with New Protection Techniques
(Chart: pain & TCO from high to low along a timeline of 1970, 2000, 2005 and 2010.)
Input Value: 3872 3789 1620 3675
Strong Encryption (AES, 3DES): output [email protected]#$%a^.,mhu7///&*B()[email protected]
Format Preserving Encryption (DTP, FPE): output 8278 2789 2990 2789
Vault-based Tokenization (format preserving): output 8278 2789 2990 2789
Vaultless Tokenization (no vault, greatly reduced key management): output 8278 2789 2990 2789
What is Data Tokenization?
Data Tokenization – Replacing The Data
Source: plus.google.com
Tokenization Research
Tokenization Gets Traction
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Tokenization users had 50% fewer security-related incidents than tokenization non-users
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used approach – Encryption: a cipher system, built on cryptographic algorithms and cryptographic keys
Used approach – Tokenization: a code system, built on code books and index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Speed of Fine Grained Protection Methods
(Chart: transactions per second*, on a scale from 100 to 10 000 000, for Vault-based Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard and Vaultless Data Tokenization.)
*: Speed will depend on the configuration
Significantly Different Tokenization Approaches
(Table of properties comparing Vault-based tokenization, Dynamic and Pre-generated, with Vaultless tokenization; the cell values are not recoverable from the slide.)
Examples of Protected Data
Field: Real Data → Tokenized / Pseudonymized
Name: Joe Smith → csu wusoj
Address: 100 Main Street, Pleasantville, CA → 476 srta coetse, cysieondusbak, CA
Date of Birth: 12/25/1966 → 01/02/1966
Telephone: 760-278-3389 → 760-389-2289
E-Mail Address: [email protected] → [email protected]
SSN: 076-39-2778 → 076-28-3390
CC Number: 3678 2289 3907 3378 → 3846 2290 3371 3378
Business URL: www.surferdude.com → www.sheyinctao.com
Fingerprint → Encrypted
Photo → Encrypted
X-Ray → Encrypted
Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services consumer products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
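The two tokenization approaches the deck contrasts (vault-based versus vaultless on the previous slide) applied to the card number on this slide, as an added example that is not the deck's or Protegrity's code: the vault-based tokenizer hands out random tokens and keeps the token-to-value mapping in a vault, while the vaultless tokenizer derives the token from a key alone with a small Feistel network over the digits, so nothing has to be stored or synchronized between sites. Both keep the last four digits and the 16-digit format, as the CC Number row above does. The Feistel construction, the key and the helper names are constructed for the example; it is simpler than, and stands in for, the standardized format-preserving encryption modes a product would use, and it does not preserve the Luhn check digit.

```python
import hashlib
import hmac
import re
import secrets

ROUNDS = 8
HALF = 6            # the 12-digit body is split into two 6-digit halves
MOD = 10 ** HALF


def _digits(pan: str) -> str:
    d = re.sub(r"\D", "", pan)
    if len(d) != 16:
        raise ValueError("expected a 16-digit card number")
    return d


def _format(d: str) -> str:
    return " ".join(d[i:i + 4] for i in range(0, 16, 4))


def _round(key: bytes, rnd: int, half: int) -> int:
    """Feistel round function: HMAC-SHA256 of the round number and one half, reduced mod 10^6."""
    mac = hmac.new(key, f"{rnd}:{half:06d}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % MOD


def _feistel_encrypt(key: bytes, body: str) -> str:
    left, right = int(body[:HALF]), int(body[HALF:])
    for rnd in range(ROUNDS):
        left, right = right, (left + _round(key, rnd, right)) % MOD
    return f"{left:06d}{right:06d}"


def _feistel_decrypt(key: bytes, body: str) -> str:
    left, right = int(body[:HALF]), int(body[HALF:])
    for rnd in reversed(range(ROUNDS)):
        left, right = (right - _round(key, rnd, left)) % MOD, left
    return f"{left:06d}{right:06d}"


def vaultless_tokenize(key: bytes, pan: str) -> str:
    """Deterministic, reversible, format-preserving token; only the key is needed."""
    d = _digits(pan)
    return _format(_feistel_encrypt(key, d[:12]) + d[12:])   # last four digits stay in clear


def vaultless_detokenize(key: bytes, token: str) -> str:
    d = _digits(token)
    return _format(_feistel_decrypt(key, d[:12]) + d[12:])


class TokenVault:
    """Vault-based tokenization: random tokens, with the mapping kept in a vault
    (an in-memory dict here; a product keeps it in a hardened, replicated database)."""

    def __init__(self) -> None:
        self._by_value: dict = {}
        self._by_token: dict = {}

    def tokenize(self, pan: str) -> str:
        d = _digits(pan)
        if d in self._by_value:                      # same value, same token
            return _format(self._by_value[d])
        while True:
            # random 12-digit body, last four digits kept; retry on the rare collision
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = body + d[12:]
            if token not in self._by_token and token != d:
                break
        self._by_value[d] = token
        self._by_token[token] = d
        return _format(token)

    def detokenize(self, token: str) -> str:
        return _format(self._by_token[_digits(token)])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pan = "3678 2289 3907 3378"       # the CC Number from the slide
    tok = vaultless_tokenize(key, pan)
    print(pan, "->", tok, "->", vaultless_detokenize(key, tok))
    vault = TokenVault()
    print(pan, "->", vault.tokenize(pan))
```

The operational difference the deck's "pain & TCO" timeline is about shows in the two classes: every site that must detokenize a vault-based token needs access to the same vault, whereas a vaultless token needs only the key, which is why the deck lists vaultless tokenization as the lowest-pain option.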
How Should I Secure Different Data?
(Matrix of use case against type of data: un-structured data is secured by encryption of files, structured data by tokenization of fields. Use cases range from simple – card holder data (PCI) and personally identifiable information (PII) – to complex – protected health information (PHI).)
Example of Cross Border Data-centric Security
(Diagram: data sources feeding a data warehouse in Italy.)
Complete policy-enforced de-identification of sensitive data across all bank entities
How to Balance Risk and Data Access
Risk Adjusted Data Security – Access Controls
(Chart: risk exposure and user productivity and creativity against access to data, low to high, for access to sensitive data in clear.)
Risk Adjusted Data Security – Tokenized Data
(Chart: the same axes for access to tokenized data, with user productivity and creativity marked high and risk exposure marked low.)
Risk Adjusted Data Security – Selective Masking Cost
Example: 16 digit credit card number
(Chart: risk exposure against cost of application changes, low to high, for the options all-16-clear, only-middle-6-hidden and all-16-hidden.)
Fine Grained Security: Securing Fields
Encryption of fields (production systems)
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Lacks Integration Transparency
• Complex Key Management
• Example: [email protected]#$%a^.,mhu7///&*B()[email protected]
Masking of fields (non-production systems)
• Not reversible
• No Policy, Everyone can access the data
• Integrates Transparently
• No Complex Key Management
• Example: 0389 3778 3652 0038
Fine Grained Security: Tokenization of Fields
Tokenization (Pseudonymization) – production and non-production systems
• No Complex Key Management
• Business Intelligence
• Example: 0389 3778 3652 0038
• Reversible
• Policy Control (Authorized / Unauthorized Access)
• Not Reversible
• Integrates Transparently
Data-Centric Audit and Protection (DCAP)
Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act
By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting
Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
Central Management – Policy Deployment
(Diagram: the Security Office / Security Team and the Enterprise Security Administrator define the Policy, which the Protection Servers deploy to the Application Protector, Database Protector, EDW Protector, Big Data Protector, IBM Mainframe Protectors and File Protector, and to the File Protector Gateway, Cloud Gateway and Inline Gateway; an Audit Log flows back to the Protection Servers.)
Enterprise Data Security Policy
What: What is the sensitive data that needs to be protected.
How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
Who: Who should have access to sensitive data and who should not. Security access control.
When: When should sensitive data access be granted to those who have access. Day of week, time of day.
Where: Where is the sensitive data stored? This will be where the policy is enforced.
Audit: Audit authorized or unauthorized access to sensitive data.
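The six policy dimensions just listed, combined with the three presentations from the earlier selective-masking example (all-16-clear, only-middle-6-hidden, all-16-hidden), as an added example that is not the deck's or Protegrity's code: a small Python policy engine decides how a card number is presented to a requesting role (How and Who), applies the role's time window before it honours a clear-text grant (When), enforces the policy only at the protector it was written for (Where), and writes an audit record for every decision, authorized or not (Audit). The policy contents, role names, time window, enforcement-point name and timestamps are constructed for the example; the card number is the one from the deck's protected-data slide.

```python
import re
from datetime import datetime

# Constructed example policy, keyed by the What (the sensitive element).
#   how:   presentation per role; "clear", "mask_middle_6" and "mask_all" are the
#          three options from the selective-masking slide. Unknown roles get "default".
#   when:  hour-of-day window (start inclusive, end exclusive) in which a role's grant applies.
#   where: the protector at which this policy is enforced.
POLICY = {
    "card_number": {
        "where": "payments_db",
        "how": {
            "fraud_analyst": "clear",
            "customer_service": "mask_middle_6",
            "default": "mask_all",
        },
        "when": {"fraud_analyst": (8, 18)},   # clear access only during business hours
    }
}

AUDIT_LOG: list = []


def present(card_number: str, how: str) -> str:
    """Apply one of the three presentations from the selective-masking slide."""
    d = re.sub(r"\D", "", card_number)
    if len(d) != 16:
        raise ValueError("expected a 16-digit card number")
    if how == "clear":
        out = d
    elif how == "mask_middle_6":
        out = d[:6] + "*" * 6 + d[12:]          # first six and last four stay visible
    elif how == "mask_all":
        out = "*" * 16
    else:
        raise ValueError(f"unknown presentation {how!r}")
    return " ".join(out[i:i + 4] for i in range(0, 16, 4))


def request_access(element: str, value: str, role: str, where: str, at: str) -> str:
    """Decide and audit one access request; `at` is an ISO 8601 timestamp.
    Returns the value as the role is allowed to see it."""
    now = datetime.fromisoformat(at)
    rule = POLICY.get(element)
    if rule is None or rule["where"] != where:
        _audit(element, role, where, at, granted="denied", authorized=False)
        raise PermissionError(f"no policy for {element!r} enforced at {where!r}")
    how = rule["how"].get(role, rule["how"]["default"])
    authorized = True
    window = rule["when"].get(role)
    if window is not None and not (window[0] <= now.hour < window[1]):
        # Outside the role's window the grant does not apply: serve the default
        # presentation and record the request as unauthorized for that role.
        how = rule["how"]["default"]
        authorized = False
    _audit(element, role, where, at, granted=how, authorized=authorized)
    return present(value, how)


def _audit(element, role, where, at, granted, authorized) -> None:
    AUDIT_LOG.append({
        "when": at, "who": role, "what": element, "where": where,
        "granted": granted, "authorized": authorized,
    })


if __name__ == "__main__":
    pan = "3678 2289 3907 3378"   # from the deck's example slide
    print(request_access("card_number", pan, "fraud_analyst", "payments_db", "2015-06-01T10:00"))
    print(request_access("card_number", pan, "fraud_analyst", "payments_db", "2015-06-01T23:00"))
    print(request_access("card_number", pan, "customer_service", "payments_db", "2015-06-01T10:00"))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries are what the central audit-log collection on the following slides gathers from each protector; the out-of-hours request by the fraud analyst is served masked and logged as unauthorized rather than silently refused, so the attempt is visible to the security team without exposing the data.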
Central Management – Audit Log Collection
(Diagram: each protector and gateway – Application, Database, EDW, Big Data, IBM Mainframe and File Protectors, File Protector Gateway, Cloud Gateway and Inline Gateway – sends its Audit Log to the Protection Servers, from which the Enterprise Security Administrator and the Security Office / Security Team review it.)
Summary
The biggest challenge in this new paradigm
• Cloud and an interconnected world
• Merging data security with data value and productivity
What’s required?
• Seamless, boundless security framework – data flow
• Maximize data utility & minimize risk – finding the right balance
Value-preserving data-centric security methods
• How to keep track of your data and monitor data access outside the enterprise
• Best practices for protecting data and privacy in the perimeter-less enterprise
What New Data Security Technologies are Available for Cloud?
How can Cloud Data Security work in Context to the Enterprise?
Thank you!
Questions?
Please contact us for more information
www.protegrity.com
[email protected]