Enterprise Data Protection - Understanding your Options and Strategies
Ulf Mattsson, CTO, Protegrity
Ulf Mattsson
   20 years with IBM Research, Development & Services
   Inventor of 21 patents – Distributed Tokenization, Encryption Key
   Management, Policy Driven Data Encryption, Internal Threat Protection,
   Data Usage Control and Intrusion Prevention
   Research member of the International Federation for Information
   Processing (IFIP) WG 11.3 Data and Application Security
   Received Industry's 2008 Most Valuable Performers (MVP) award
   together with technology leaders from IBM, Google, Cisco, Ingres and
   other leading companies
   Received US Green Card ‘EB 11 – Individual of Extraordinary Ability’
   endorsed by IBM Research
   Created the Architecture of the Protegrity Database Security Technology
   Member of
      •   American National Standards Institute (ANSI) X9
      •   Institute of Electrical and Electronics Engineers (IEEE)
      •   Information Systems Security Association (ISSA)
      •   Information Systems Audit and Control Association (ISACA)

This session will review

    Current/evolving data security risks
    Different options for data protection strategies for PCI DSS and
    other regulations
       •   Solutions for protecting enterprise data against advanced attacks from
           internal and external sources
       •   How to provide a balanced mix of different approaches to protect sensitive
           information like credit cards across different systems in the enterprise,
           including tokenization, encryption and hashing
    Studies on data protection in an enterprise environment
       •   Recommendations for how to balance performance and security, in real-
           world scenarios, and when to use encryption at the database level,
           application level and file level




                     http://www.pciknowledgebase.com/
The Gartner 2010 CyberThreat Landscape




Understand Your Enemy & Data Attacks
        Breaches attributed to insiders are much larger than those caused by
        outsiders
        The type of asset compromised most frequently is online data, not
        laptops or backups:




Source: Verizon Business Data Breach Investigations Report (2008 and 2009)


Top 15 Threat Action Types




Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team


Targeted Threat Growth




Choose Your Defenses
Where is data exposed to attacks?
    Data flow layers: Data Entry, Data System, Application, Database, File System, Storage (Disk), Backup (Tape)
    Recent attacks: sniffer attack, SQL injection, malware / trojan, database attack, file attack, media attack
    Attackers: authorized/un-authorized users, database admin, system admin, HW service people, contractors
    Example value shown at Data Entry: 990 - 23 - 1013
    Example value shown at Database: 111 - 77 - 1013
    Legend: unprotected sensitive information / protected sensitive information

Dataset Comparison – Data Type




Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team


Data Defenses – New Methods
Format Controlling Encryption
    Example of encrypted format: 111-22-1013
    Components shown: Application Databases, Key Manager
Data Tokenization
    Example of token format: 1234 1234 1234 4560
    Components shown: Application Databases, Token, Token Server, Key Manager

What Is Format Controlling Encryption (FCE)?
    Where did it come from?
    • Before 2000 – Different approaches, some are based on
      block ciphers (AES, 3DES)
    • Before 2005 – Used to protect data in transit within
      enterprises
    What exactly is it?
    • Secret key encryption algorithm operating in a new mode
    • Ciphertext output can be restricted to the same code page as
      the input – some modes support only numeric data
    • The new modes are not approved by NIST




FCE Considerations

    Unproven level of security – makes significant alterations to
    the standard AES algorithm
    Encryption overhead – significant CPU consumption is
    required to execute the cipher
    Key management – is not able to attach a key ID, making key
    rotation more complex - SSN
    Some implementations only support certain data (based on
    data size, type, etc.)
    Support for “big iron” systems – is not portable across
    encodings (ASCII, EBCDIC)
    Transparency – some applications need full clear text




What Is Data Tokenization?

  Where did it come from?
   • Found in Vatican archives dating from the 1300s
   • In 1988 IBM introduced the Application System/400 with
     shadow files to preserve data length
   • In 2005 vendors introduced tokenization of account numbers
  What exactly is it?
   • It IS NOT an encryption algorithm or logarithm.
   • It generates a random replacement value which can be used to
     retrieve the actual data later (via a lookup)
   • Still requires strong encryption to protect the lookup table(s)




Old Technology - A Centralized Token Solution
[Diagram: one Token Server and three Customer Applications]

Choose Your Defenses – Data Flow Example
   Protection labels shown beside the flow: Encryption, Central Data Token
   Collection (Point of Sale, E-Commerce, Branch Office)
      • ‘Information in the wild’
        - Short lifecycle / High risk
   Aggregation
      • Temporary information
        - Short lifecycle / High risk
   Operations
      • Operating information
        - Typically 1 or more year lifecycle
        - Broad and diverse computing and database environment
   Analysis
      • Decision making information
        - Typically multi-year lifecycle
        - Homogeneous environment
        - High volume database analysis
   Archive
      • Archive
        - Typically multi-year lifecycle
        - Preserving the ability to retrieve the data in the future is important

Central Tokenization Considerations
   Transparency – not transparent to downstream systems that
   require the original data
   Performance & availability – imposes significant overhead
   from the initial tokenization operation and from subsequent
   lookups
   Performance & availability – imposes significant overhead if
   token server is remote or outsourced
   Security vulnerabilities of the tokens themselves –
   randomness and possibility of collisions
   Security vulnerabilities typical in in-house developed systems
   – exposing patterns and attack surfaces
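
The tokenization description earlier in the deck (a random replacement value resolved through a lookup) and the randomness and collision consideration on this slide, shown as an added Python example that is not from the presentation or from any vendor product. The names TokenVault, TokenSpaceExhausted, pick_digit and collision_probability are hypothetical, the card number in the usage comment is a constructed test value, and the table is held in memory on the assumption that the storage layer supplies the lookup-table encryption the slides call for.

```python
import math
import secrets
from typing import Callable, Dict

DIGITS = "0123456789"


class TokenSpaceExhausted(RuntimeError):
    """No unused token was found within the allowed number of attempts."""


def collision_probability(issued: int, digits: int) -> float:
    """Birthday-bound estimate that at least two of `issued` uniformly random
    `digits`-digit tokens are equal when nothing checks for duplicates."""
    space = 10 ** digits
    return -math.expm1(-issued * (issued - 1) / (2 * space))


class TokenVault:
    """Hypothetical in-memory token table mapping value <-> random token.

    Assumption: a real deployment keeps this table in encrypted storage;
    that layer is outside this example.
    """

    def __init__(
        self,
        pick_digit: Callable[[], str] = lambda: secrets.choice(DIGITS),
        max_attempts: int = 32,
    ) -> None:
        # secrets draws from the OS CSPRNG; the `random` module is predictable
        # and would let an observer of some tokens guess others.
        self._pick_digit = pick_digit
        self._max_attempts = max_attempts
        self._value_to_token: Dict[str, str] = {}
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return the token for `value`, issuing a new random one if needed.

        Digits are replaced one for one; separators stay in place so the
        token fits the same column and display format as the original.
        """
        if not any(ch in DIGITS for ch in value):
            raise ValueError("value contains no digits to replace")

        known = self._value_to_token.get(value)
        if known is not None:
            return known  # same value always maps to the same token

        for _ in range(self._max_attempts):
            candidate = "".join(
                self._pick_digit() if ch in DIGITS else ch for ch in value
            )
            # Reject a token equal to the clear value, and reject a collision
            # with a token already issued for a different value.
            if candidate == value or candidate in self._token_to_value:
                continue
            self._value_to_token[value] = candidate
            self._token_to_value[candidate] = value
            return candidate

        # Fail closed instead of reusing a token or looping forever.
        raise TokenSpaceExhausted(
            f"no free token after {self._max_attempts} attempts"
        )

    def detokenize(self, token: str) -> str:
        """Look up the original value; unknown tokens raise KeyError."""
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"  # constructed test value
    token = vault.tokenize(pan)
    print("token:", token)
    print("round trip ok:", vault.detokenize(token) == pan)
    print("P(collision), 1e8 unchecked 16-digit tokens:",
          round(collision_probability(10 ** 8, 16), 4))
```

The probability function shows why the collision check matters: tokens drawn at random with no uniqueness check start to collide long before the token space is full.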




An Enterprise View of Different Protection Options

Evaluation criteria, each rated from Best to Worst for Strong Encryption, Formatted Encryption and Old Central Tokenization:
   Disconnected environments
   Distributed environments
   Performance impact when loading data
   Transparent to applications
   Expanded storage size
   Transparent to databases schema
   Long life-cycle data
   Unix or Windows mixed with “big iron” (EBCDIC)
   Easy re-keying of data in a data flow
   High risk data
   Security - compliance to PCI, NIST

Old Technology - A Centralized Token Solution
[Diagram: one Token Server and three Customer Applications]

New Technology - Distributed Tokenization
[Diagram: several Token Servers, each shown next to Customer Applications]

A Central Token Solution vs. A Distributed Token Solution
[Diagram labels: Central Dynamic Token Table (Dynamic Random Token Table) with Customer Applications; Distributed Static Token Tables (Static Random Token Tables) with Customer Applications]

Evaluating Different Tokenization Implementations
   Evaluation Area column groups: Hosted/Outsourced, On-site/On-premises
   Columns, in order: Central (old), Distributed, Central (old), Distributed, Integrated
   Each criterion is rated from Best to Worst:
      Operational Needs: Availability, Scalability, Performance
      Pricing Model: Per Server, Per Transaction
      Data Types: Identifiable - PII, Cardholder - PCI
      Security: Separation, Compliance Scope

Protecting the Data Flow - Choose Your Defenses




Choose Your Defenses - Operational Impact
Each database protection approach is rated from Best to Worst on Performance, Storage, Availability, Transparency and Security:
   Monitoring, Blocking, Masking
   Column Level Formatted Encryption
   Column Level Strong Encryption
   Column Level Replacement; Scalable Distributed Tokens
   Column Level Replacement; Central Tokens
   Tablespace - Datafile Protection

Compliance to Legislation - Technical Safeguards
   Legislation: HIPAA, HITECH, State Laws, PCI DSS
   Policy
      • Separation of Duties
      • Access Control
      • Data Integrity
      • Audit & Reporting
      • Data Transmission
   Data: PHI, PII, PAN
   Parties shown: Database Admin, Users, Business Associates, Covered Entities

Examples of PII/PHI breaches: Express Scripts extortion attempt, Certegy breach and the Countrywide breach

Compliance – How to be Able to Produce Required Reports

Actors: User X (or DBA), Application/Tool
Database table:
   Patient   Health Record
   a         xxx
   b         xxx
   c         xxx

3rd Party, Protected Log – Compliant
   User   Access   Patient   Health Record
   x      Read     a         xxx
   DBA    Read     b         xxx
   z      Write    c         xxx

DB Native (Database Process 001), No Read Log, possible DBA manipulation, Performance? – Not Compliant
   User   Access   Patient   Health Record
   z      Write    c         xxx

OS File (Health Data File PHI002), 3rd Party, No Information On User or Record – Not Compliant
   User                    Access   Patient   Health Data Record   Health Data File
   Database Process 0001   Read     ?         ?                    PHI002
   Database Process 0001   Read     ?         ?                    PHI002
   Database Process 0001   Write    ?         ?                    PHI002

Data Protection Challenges
  Actual protection is not the challenge
  Management of solutions
     • Key management
     • Security policy
     • Auditing and reporting

  Minimizing impact on business operations
     • Transparency
     • Performance vs. security

  Minimizing the cost implications
  Maintaining compliance
  Implementation Time



Protegrity – A Centralized Data Security Approach
[Diagram labels: Enterprise Data Security Administrator; Policy & Key Creation; Policy; Secure Distribution; Audit Log; Auditing & Reporting; Secure Collection; Secure Storage; Secure Usage; Secure Archive; Database Protector; File System Protector; Application Protector; Big Iron Protector]

Protegrity Value Proposition

  Protegrity delivers application, database, and file protectors across all
  major enterprise platforms.

  Protegrity’s Risk Adjusted Data Security Platform continuously
  secures data throughout its lifecycle.

  Underlying foundation for the platform includes comprehensive
  data security policy, key management, and audit reporting.

  Enables customers to achieve data security compliance (PCI,
  HIPAA, PIPEDA, SOX and Federal & State Privacy Laws)




Protegrity and PCI DSS
Build and maintain a secure network.
   1.  Install and maintain a firewall configuration to protect data
   2.  Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
   3.  Protect stored data
   4.  Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
   5.  Use and regularly update anti-virus software
   6.  Develop and maintain secure systems and applications
Implement strong access control measures.
   7.  Restrict access to data by business need-to-know
   8.  Assign a unique ID to each person with computer access
   9.  Restrict physical access to cardholder data
Regularly monitor and test networks.
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
Maintain an information security policy.
   12. Maintain a policy that addresses information security

Please contact us for more information




                Ulf Mattsson
          ulf.mattsson@protegrity.com

                Rose Rieger
          rose.rieger@protegrity.com

                Iain Kerr,
            President and CEO
               203 326 7200


Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...MongoDB
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Oracle BH
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationIBM Danmark
 

Similaire à Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson (20)

ISACA Dallas Texas 2010 - Ulf Mattsson
ISACA Dallas Texas 2010 - Ulf MattssonISACA Dallas Texas 2010 - Ulf Mattsson
ISACA Dallas Texas 2010 - Ulf Mattsson
 
How to evaluate data protection technologies - Mastercard conference
How to evaluate data protection technologies -  Mastercard conferenceHow to evaluate data protection technologies -  Mastercard conference
How to evaluate data protection technologies - Mastercard conference
 
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles  2010   Compliance - Ulf MattssonISACA Los Angeles  2010   Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
 
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC -  Ulf MattssonISACA National Capital Area Chapter (NCAC) in Washington, DC -  Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data ProtectionISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson   apr 2011Issa chicago next generation tokenization ulf mattsson   apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level Executives
 
2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Securing your esi_piedmont
Securing your esi_piedmontSecuring your esi_piedmont
Securing your esi_piedmont
 
Customer Success - A Government Security Agency
Customer Success - A Government Security AgencyCustomer Success - A Government Security Agency
Customer Success - A Government Security Agency
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Vormetric - Gherkin Event
Vormetric - Gherkin EventVormetric - Gherkin Event
Vormetric - Gherkin Event
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig information
 

Plus de Ulf Mattsson

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...Ulf Mattsson
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesUlf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeUlf Mattsson
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchainUlf Mattsson
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonUlf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAUlf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 

Plus de Ulf Mattsson (20)

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
Book
BookBook
Book
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 

Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson

  • 1. Enterprise Data Protection - Understanding your Options and Strategies Ulf Mattsson, CTO, Protegrity
  • 2. Ulf Mattsson
      • 20 years with IBM Research, Development & Services
      • Inventor of 21 patents – Distributed Tokenization, Encryption Key Management, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention
      • Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security
      • Received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Google, Cisco, Ingres and other leading companies
      • Received US Green Card ‘EB 11 – Individual of Extraordinary Ability’ endorsed by IBM Research
      • Created the Architecture of the Protegrity Database Security Technology
      • Member of
          • American National Standards Institute (ANSI) X9
          • Institute of Electrical and Electronics Engineers (IEEE)
          • Information Systems Security Association (ISSA)
          • Information Systems Audit and Control Association (ISACA)
  • 4. This session will review
      • Current/evolving data security risks
      • Different options for data protection strategies for PCI DSS and other regulations
          • Solutions for protecting enterprise data against advanced attacks from internal and external sources
          • How to provide a balanced mix of different approaches to protect sensitive information like credit cards across different systems in the enterprise, including tokenization, encryption and hashing
      • Studies on data protection in an enterprise environment
          • Recommendations for how to balance performance and security, in real-world scenarios, and when to use encryption at the database level, application level and file level
      • http://www.pciknowledgebase.com/
  • 5. The Gartner 2010 CyberThreat Landscape
  • 6. Understand Your Enemy & Data Attacks
      • Breaches attributed to insiders are much larger than those caused by outsiders
      • The type of asset compromised most frequently is online data, not laptops or backups
      • Source: Verizon Business Data Breach Investigations Report (2008 and 2009)
  • 7. Top 15 Threat Action Types
      • Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
  • 10. Choose Your Defenses: Where is data exposed to attacks?
      • [Diagram. Data system layers: Data Entry, Application, Database, File System, Storage (Disk), Backup (Tape). Recent attacks: sniffer attack, SQL injection, malware / trojan, database attack, file attack, media attack. Attackers: authorized / un-authorized users, database admin, system admin, HW service people, contractors. Example values shown: 990 - 23 - 1013 and 111 - 77 - 1013. Legend: unprotected sensitive information; protected sensitive information.]
  • 11. Dataset Comparison – Data Type
      • Source: 2009 Data Breach Investigations Supplemental Report, Verizon Business RISK team
  • 12. Data Defenses – New Methods
      • Format Controlling Encryption. Example of encrypted format: 111-22-1013 [Diagram: Key Manager, Application, Databases]
      • Data Tokenization. Example of token format: 1234 1234 1234 4560 [Diagram: Token Server, Key Manager, Application, Token, Databases]
  • 13. What Is Format Controlling Encryption (FCE)?
      • Where did it come from?
          • Before 2000 – Different approaches, some are based on block ciphers (AES, 3DES)
          • Before 2005 – Used to protect data in transit within enterprises
      • What exactly is it?
          • Secret key encryption algorithm operating in a new mode
          • Cipher text output can be restricted to the same code page as the input – some only support numeric data
          • The new modes are not approved by NIST
  • 14. FCE Considerations
      • Unproven level of security – makes significant alterations to the standard AES algorithm
      • Encryption overhead – significant CPU consumption is required to execute the cipher
      • Key management – is not able to attach a key ID, making key rotation more complex - SSN
      • Some implementations only support certain data (based on data size, type, etc.)
      • Support for “big iron” systems – is not portable across encodings (ASCII, EBCDIC)
      • Transparency – some applications need full clear text
  • 15. What Is Data Tokenization?
      • Where did it come from?
          • Found in Vatican archives dating from the 1300s
          • In 1988 IBM introduced the Application System/400 with shadow files to preserve data length
          • In 2005 vendors introduced tokenization of account numbers
      • What exactly is it?
          • It IS NOT an encryption algorithm or logarithm.
          • It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)
          • Still requires strong encryption to protect the lookup table(s)
  • 16. Old Technology - A Centralized Token Solution
      • [Diagram: several Customer Applications connected to a single Token Server]
  • 17. Choose Your Defenses – Data Flow Example
      • Collection (Point of Sale, E-Commerce, Branch Office): ‘Information in the wild’
          • Short lifecycle / High risk
      • Aggregation: Temporary information
          • Short lifecycle / High risk
      • Operations: Operating information
          • Typically 1 or more year lifecycle
          • Broad and diverse computing and database environment
      • Analysis: Decision making information
          • Typically multi-year lifecycle
          • Homogeneous environment
          • High volume database analysis
      • Archive: Archive
          • Typically multi-year lifecycle
          • Preserving the ability to retrieve the data in the future is important
      • [Diagram labels along the data flow: Encryption, Central Data Token]
  • 18. Central Tokenization Considerations
      • Transparency – not transparent to downstream systems that require the original data
      • Performance & availability – imposes significant overhead from the initial tokenization operation and from subsequent lookups
      • Performance & availability – imposes significant overhead if token server is remote or outsourced
      • Security vulnerabilities of the tokens themselves – randomness and possibility of collisions
      • Security vulnerabilities typical in in-house developed systems – exposing patterns and attack surfaces
  • 19. An Enterprise View of Different Protection Options
      • Options compared (each rated on a Best to Worst scale): Strong Encryption, Formatted Encryption, Old Central Tokenization
      • Evaluation criteria
          • Disconnected environments
          • Distributed environments
          • Performance impact when loading data
          • Transparent to applications
          • Expanded storage size
          • Transparent to databases schema
          • Long life-cycle data
          • Unix or Windows mixed with “big iron” (EBCDIC)
          • Easy re-keying of data in a data flow
          • High risk data
          • Security - compliance to PCI, NIST
  • 20. Old Technology - A Centralized Token Solution
      • [Diagram: several Customer Applications connected to a single Token Server]
  • 21. New Technology - Distributed Tokenization
      • [Diagram: Customer Applications, each connected to one of several Token Servers]
  • 22. A Central Token Solution vs. A Distributed Token Solution
      • [Diagram: Customer Applications using a Central Dynamic Token Table (Dynamic Random Token Table) compared with Customer Applications using Distributed Static Token Tables (Static Random Token Tables)]
  • 23. Evaluating Different Tokenization Implementations
      • Implementations compared (each rated on a Best to Worst scale)
          • Hosted/Outsourced: Central (old), Distributed
          • On-site/On-premises: Central (old), Distributed, Integrated
      • Evaluation areas and criteria
          • Operational Needs: Availability, Scalability, Performance
          • Pricing Model: Per Server, Per Transaction
          • Data Types: Identifiable - PII, Cardholder - PCI
          • Security: Separation, Compliance Scope
  • 24. Protecting the Data Flow - Choose Your Defenses
  • 25. Choose Your Defenses - Operational Impact
      • Criteria (each rated on a Best to Worst scale): Performance, Storage, Availability, Transparency, Security
      • Database protection approaches
          • Monitoring, Blocking, Masking
          • Column Level Formatted Encryption
          • Column Level Strong Encryption
          • Column Level Replacement; Scalable Distributed Tokens
          • Column Level Replacement; Central Tokens
          • Tablespace - Datafile Protection
  • 26. Compliance to Legislation - Technical Safeguards
      • HIPAA, HITECH, State Laws, PCI DSS
      • Safeguards
          • Separation of Duties
          • Access Control
          • Data Integrity
          • Audit & Reporting
          • Data Transmission
      • [Diagram labels: Policy; Data (PHI, PII, PAN); Database Admin, Users; Business Associates, Covered Entities]
      • Examples of PII/PHI breaches: Express Scripts extortion attempt, Certegy breach and the Countrywide breach
  • 27. Compliance – How to be Able to Produce Required Reports
      • [Diagram: User X (or DBA) accesses a patient health record in a database through an application/tool; the slide compares what three kinds of log record about user, access type (read/write) and patient health record: a 3rd party protected log, a DB native log and an OS file log. Labels on the slide: Compliant; Not Compliant; Possible DBA manipulation; Performance?; No Read Log; No Information On User or Record.]
  • 28. Data Protection Challenges
      • Actual protection is not the challenge
      • Management of solutions
          • Key management
          • Security policy
          • Auditing and reporting
      • Minimizing impact on business operations
          • Transparency
          • Performance vs. security
      • Minimizing the cost implications
      • Maintaining compliance
      • Implementation Time
  • 29. Protegrity – A Centralized Data Security Approach
      • [Diagram: an Enterprise Data Security Administrator (Policy & Key Creation, Policy, Audit Log, Auditing & Reporting) serving the Database Protector, File System Protector, Application Protector and Big Iron Protector across Secure Collection, Secure Distribution, Secure Usage, Secure Storage and Secure Archive]
  • 30. Protegrity Value Proposition
      • Protegrity delivers application, database and file protectors across all major enterprise platforms.
      • Protegrity’s Risk Adjusted Data Security Platform continuously secures data throughout its lifecycle.
      • Underlying foundation for the platform includes comprehensive data security policy, key management, and audit reporting.
      • Enables customers to achieve data security compliance (PCI, HIPAA, PIPEDA, SOX and Federal & State Privacy Laws)
  • 31. Protegrity and PCI DSS
      • Build and maintain a secure network.
          • 1. Install and maintain a firewall configuration to protect data
          • 2. Do not use vendor-supplied defaults for system passwords and other security parameters
      • Protect cardholder data.
          • 3. Protect stored data
          • 4. Encrypt transmission of cardholder data and sensitive information across public networks
      • Maintain a vulnerability management program.
          • 5. Use and regularly update anti-virus software
          • 6. Develop and maintain secure systems and applications
      • Implement strong access control measures.
          • 7. Restrict access to data by business need-to-know
          • 8. Assign a unique ID to each person with computer access
          • 9. Restrict physical access to cardholder data
      • Regularly monitor and test networks.
          • 10. Track and monitor all access to network resources and cardholder data
          • 11. Regularly test security systems and processes
      • Maintain an information security policy.
          • 12. Maintain a policy that addresses information security
  • 32. Please contact us for more information
      • Ulf Mattsson, ulf.mattsson@protegrity.com
      • Rose Rieger, rose.rieger@protegrity.com
      • Iain Kerr, President and CEO
      • 203 326 7200
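
Slide 15 describes tokenization as a random replacement value resolved by lookup, and slide 18 lists randomness and collisions as weaknesses of the tokens themselves. The following Python is an added example of that model, not code from the deck or from Protegrity: the `TokenVault` class, its method names, the keyed-hash index and the `max_attempts` limit are assumptions made for illustration, and the sample value is constructed.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """In-memory token vault (hypothetical): random digit tokens, resolved by lookup.

    Assumption: the tables live in memory only. Slide 15 notes that the lookup
    table still needs strong encryption; at-rest protection is out of scope here.
    """

    DIGITS = "0123456789"

    def __init__(self, index_key=None, rng=None):
        # Key for the keyed hash used to index original values, so a repeated
        # value maps to the same token without the clear value being the key.
        self._index_key = index_key or secrets.token_bytes(32)
        # OS-backed CSPRNG by default: token randomness is a security property.
        self._rng = rng or secrets.SystemRandom()
        self._by_token = {}   # token -> original value (the lookup table)
        self._by_index = {}   # HMAC(original value) -> token
        self.collisions = 0   # rejected candidates, useful as a health metric

    def _index(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()

    def _random_like(self, value):
        # Replace every digit with a random digit and keep separators, so the
        # token has the same length and layout as the input.
        return "".join(
            self._rng.choice(self.DIGITS) if ch.isdigit() else ch for ch in value
        )

    def tokenize(self, value, max_attempts=16):
        if not any(ch.isdigit() for ch in value):
            raise ValueError("value contains no digits to tokenize")
        idx = self._index(value)
        if idx in self._by_index:          # already vaulted: return same token
            return self._by_index[idx]
        for _ in range(max_attempts):
            candidate = self._random_like(value)
            # Reject a candidate that is already issued, that equals the input,
            # or that equals another value already stored in the vault.
            if (
                candidate in self._by_token
                or candidate == value
                or self._index(candidate) in self._by_index
            ):
                self.collisions += 1
                continue
            self._by_token[candidate] = value
            self._by_index[idx] = candidate
            return candidate
        # Failing closed is safer than issuing a duplicate token.
        raise RuntimeError("no free token found; token space may be exhausted")

    def detokenize(self, token):
        # The token carries no information about the value: lookup is the only way back.
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def demo():
    """Round trip on a constructed sample value (not real cardholder data)."""
    vault = TokenVault()
    sample = "4111 1111 1111 1111"
    token = vault.tokenize(sample)
    return sample, token, vault.detokenize(token)
```

The `collisions` counter rising over time is a signal that the token space for a given format is filling up, which is the failure mode slide 18 warns about.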