1) Data protection technologies should be evaluated based on their impact on performance, storage requirements, security, transparency to applications, and separation of duties. 2) Both passive approaches like database monitoring and active approaches like column-level encryption can be used for end-to-end data protection in the enterprise. Native database encryption has some disadvantages compared to third-party solutions. 3) When implementing data protection, organizations should consider using different formats like encryption, tokenization, or hashing depending on the use case and sensitivity of the data. Central management of keys, policies, and reporting is important.

1. Ulf Mattsson, CTO, Protegrity Corporation
How to Evaluate Data Protection Technologies

2. Protecting Data in the Enterprise Data Flow
Collection • ‘Information in the wild’
- Short lifecycle / High risk
POS e-commerce Branch
• Temporary information
Aggregation - Short lifecycle / High risk
• Operating information
- Typically 1 or more year lifecycle
- Broad and diverse computing and database
Operations environment
• Decision making information
- Typically multi-year lifecycle
Analysis - Homogeneous computing environment
- High volume database analysis
• Archive
-Typically multi-year lifecycle
Archive -Preserving the ability to retrieve the data
in the future is important
Payment System Integrity

3. PCI Case Study – Large Retailer
• Minimal impact to the legacy environment
– Encrypting PAN in the POS application and decrypting in
HQ server
– Encrypting PAN in databases, transparent to applications
– Software encryption – 10 million transactions per second
• End-to-end encryption within the control of a single
enterprise
– Modifications of applications, files and databases
– Definition of “Strong cryptography” - PCI DSS Glossary
1.2
– Central management of encryption keys, policy and
reporting
– Key Management - Industry Standards are missing (IEEE
P1619.3, OASIS/KMIP …)
Payment System Integrity 03

4. End-to-end Encryption - Challenges
• End-to-end encryption in the financial environment
– End-to-end encryption is a very difficult thing to accomplish in the
financial environment
– The people and devices at one end do not usually have any
relationship (such as shared keys) with those at the other end -
things are more point-to-point
– Expanding the scope - flow through the existing payment networks
and not break them
– Or change all those networks (not easy!) or provide a separate path
for messages using a new scheme
– OASIS/KMIP Key Management is immature in the area of support for
banking and finance requirements
– Some vendors add proprietary encryption capability to the terminals
themselves
Payment System Integrity 4

5. Planned Proposal to X9 for New Standard
• Current scope - client-end-terminal to acquirer
– It's not quite clear what direction this will end up taking
– Encryption/decryption to be done in software for performance reasons
• X9 ANSI Standard may be published within 36-40 months
– ASC X9 working group - one initial meeting so far
– More time for people to actually implement it
• Target audience for this guideline or standard
– POS Device Implementers, ATM Implementers, Store Controller
Implementers, Retail Host System Implementers, Processing System
Implementers and Acquiring System Implementers
Payment System Integrity 5

6. Protecting Data in the Enterprise Data Flow
Passive Approaches and Active Approaches = End-To-End Protection
Passive Approaches
Active Approaches
Web Application Database
Firewall Columns
Database
Activity
Applications Monitoring
Database Activity Database
Monitoring / Log Files
Data Loss Prevention Tablespace
Datafiles
Database Server
Payment System Integrity 6

7. Passive Data Protection Approaches
• Web Application Firewall
– Protects against malicious attacks by inspecting application traffic
• Data Loss Prevention
– Tags and monitors movement of sensitive assets
– Protects against the unintentional outbound leakage of sensitive
assets
• Database Activity Monitoring
– Inspects , monitors, and reports database traffic into and out of
databases
– Can block malicious activity; seldom used due to false positives
• Database Log Mining
– Mines log files that are created by databases for good or bad activity
Payment System Integrity 7

8. Active Data Protection Approaches
• Application Protection
– Utilizes crypto APIs to protect sensitive assets in applications
– This approach helps you protect data as it enters your business
systems
• Column Level Protection
– Protects data inside the database at the column level
– Can be deployed in a transparent approach to minimizes
changes to your environment
– Considered to be the most secure approach to protect sensitive
assets
• Database file protection
– Protects the data by encrypting the entire database file
Payment System Integrity 8

9. Passive Database Protection Approaches
Operational Impact Profile
Database Protection Performance Storage Security Transparency Separation
Approach of Duties
Web Application Firewall
Data Loss Prevention
Database Activity Monitoring
Database Log Mining
Best Worst
Payment System Integrity 9

10. Active Database Protection Approaches
Operational Impact Profile
Database Protection Performance Storage Security Transparency Separation
Approach of Duties
Application Protection - API
Column Level Encryption;
FCE, AES, 3DES
Column Level Replacement;
Tokens
Tablespace - Datafile
Protection
Best Worst
Payment System Integrity 10

11. How about Native Database Encryption?
• Advantages
– Available from most database vendors
– Enables you to get started quickly
• Disadvantages
– Mostly non-transparent solutions
– Some vendors do not protect the Data Encryption Keys well
enough
– Lack of secure interoperability between instances of the same
vendor
– No secure interoperability with databases from other vendors
– No centralization of policy, key management, and audit reporting
Payment System Integrity 11

12. Security for the Sensitive Data Flow
Points of collection
Store Back Office Collectio
Web Retail Store
Apps Locales$%&# $%&#
T-Logs, Back
$%&# Store
Journals $%&#
Office DB
Branches/
$%&# Applicati
Stores
ons
HQ
Polling
Server
Log
$%&#
Aggregation
` Poli
Poli
cy
cy
Manager $%^& *@K$
Operations
Multiplex ERP
Reports
Log
ing Log
Platform
Analytics
Detailed Analytical
7ks##@
Tactical Focused / Summary Analytical Archive
Partners
(Financial Log Active Access / Alerting
Institutions)
Payment System Integrity 12

13. Data Protection Options and Formats
• Clear – actual value is readable – not for cardholder
data
• Hash – unreadable, not reversible – not for
cardholder data
• Encrypted – unreadable, reversible
• Replacement value (tokens) – unreadable,
reversible
• Partial encryption/replacement – unreadable,
reversible
Payment System Integrity 13

14. Data in the Clear
• Description
– Audit only
– Masking
– Access Control Limits
• Advantages
– Low impact on existing applications
– Performance and time to deploy
• Considerations
– Underlying data exposed
Payment System Integrity 14

15. Strong Encryption
• Description
– Industry standard (AES CBC …)
• Advantages
– Widely deployed
– Compatibility
– Performance
• Considerations
– Storage and type
– Transparency to applications
– Key rotation
Payment System Integrity 15

16. Format Controlling Encryption
• Description
Maintains data type, length
–
• Advantages
– Reduces changes to downstream systems
– Storage
– Partial encryption
• Considerations
– Performance
– Security and key rotation
– Transparency to applications
Payment System Integrity 16

17. Replacement Value (i.e. tokens, alias)
• Description
– Proxy value created to replace original data
– Centrally managed, protected
• Advantages
– No changes to most downstream systems
– Out of scope for compliance
– No local key rotation
• Considerations
– Transparency for applications needing original data
– Availability and performance for applications needing
original data
Payment System Integrity 17

18. “Strong cryptography” - PCI DSS
Glossary 1.2
• Examples - AES (128 bits and higher) and TDES
– Payment Card Industry (PCI) Data Security Standard
(DSS)
– Payment Application Data Security Standard (PA-DSS)
• NIST Special Publication 800-57
– Five confidentiality modes (ECB, CBC, OFB, CFB, and
CTR)
– One authentication mode (CMAC)
– Two combined modes for confidentiality and
authentication (CCM and GCM)
• Some New Encryption Modes of operation that NIST is
considering
Payment System Integrity
– FFSEM, Feistel Finite Set Encryption Mode (Posted February,

19. Data Protection Capabilities
Storage Performance Storage Security Transparency
Clear
Strong
Encryption
Format
Controlling
Encryption
Token
Hash
Best Worst
Payment System Integrity 19

20. Data Protection Implementation Choices
• Data Protection Layers
– Application
– Database
– File System
• Data Protection Topologies
– Remote or local service
• Data Security Management
– Central management of keys, policy and reporting
Payment System Integrity 20

21. Data Protection Implementation Choices
System Layer Performance Transparency Security
Application
Database
File System
Topology Performance Scalability Security
Local Service
Remote Service
Best Worst
Payment System Integrity 21

22. Data Protection Strategies
• Where to start?
– “Perimeter towards Database” Strategy
– “Database towards Perimeter” Strategy
– Combined Strategy
• Use risk based methodology to determine how to protect sensitive
assets
– Value of your data X Exposure = Risk
– Apply the appropriate approach based on risk
• Choose a protection vendor with
– Broad coverage of protection options
– Central policy, key, and audit management
– Ability to protect across a wide range of database platforms
Payment System Integrity 22