4. Teradata and Protegrity
• Strategic partnership since 2004
• Advocated solution for data protection on Teradata Databases
• Proven parallel and scalable data protection for Teradata MPP platforms
• Collaboration on forward-looking roadmaps
– New and advanced data protection options
– Integration with new Teradata Database features
– Seamless operation on large data warehouse systems
• World-class customers
5. Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata Databases
– Provides additional separation of duties through a separate Security Manager interface for creation and maintenance of security policies
– Includes a patented key management system for secure key generation and protection of keys when stored
– Supports multiple data protection options including strong encryption and tokenization
– Supports multiple cryptographic algorithms and key strengths
– Automates the process of converting clear text data to cipher text
6. Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata Databases
– Provides additional access controls to protect sensitive information (even DBC cannot see unencrypted data unless specifically authorized by the Security Manager)
– Includes additional auditing separate from database audit logs (such as the Access Log)
– Designed to fully exploit Teradata Database parallelism and scalability
– Enterprise-wide solution that works with most major databases and operating systems (not just Teradata)
10. Some of you have already met Yuri.
Source: http://www.youtube.com/user/ProtegrityUSA
11. Last year he and his “anonymous” friends hacked AT&T.
Source: http://www.youtube.com/user/ProtegrityUSA
12. This year they hacked Sony and bought BMW M5s.
Source: http://www.youtube.com/user/ProtegrityUSA
13. • Data including passwords and personal details were stored in clear text
• Attacks were not coordinated and not advanced
• Majority of attacks were SQL Injection dumps and Distributed Denial of Service (DDoS)
14. Next month Yuri plans to hit a major telco with the keys provided by a disgruntled employee.
Source: http://www.youtube.com/user/ProtegrityUSA
15. Then Yuri is going to buy a private jet.
Source: http://www.youtube.com/user/ProtegrityUSA
16. (Chart: percentage of breaches by industry, axis 0 to 50%. Industries shown: Hospitality, Retail, Financial Services, Government, Tech Services, Manufacturing, Transportation, Media, Healthcare, Business Services.)
*: Number of breaches
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
18. So how does Yuri do it?
Source: http://www.youtube.com/user/ProtegrityUSA
19. (Chart: threat actions by share of compromised records, axis 0 to 100%. Categories shown: Hacking, Malware, Physical, Error, Misuse, Social.)
*: Number of records
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
20. “Usually, I just need one disgruntled employee. Just one.”
Source: http://www.youtube.com/user/ProtegrityUSA
21. • Attackers stole information about SecurID two-factor authentication
• 60 different types of customized malware
• Advanced Persistent Threat (APT) malware tied to a network in Shanghai
• A tool written by a Chinese hacker 10 years ago
22. (Chart: how breaches were discovered, axis 0 to 50% of breaches. Methods shown: Third party fraud detection; Notified by law enforcement; Reported by customer/partner…; Unusual system behavior; Reported by employee; Internal security audit or scan; Internal fraud detection; Brag or blackmail by perpetrator; Third party monitoring service.)
*: Number of breaches
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
24. • Some issues have stayed constant:
– Threat landscape continues to gain sophistication
– Attackers will always be a step ahead of the defenders
• Different motivation, methods and tools today:
– We are fighting highly organized, well-funded crime syndicates and nations
• Move from detective to preventative controls needed
Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
28. What is Cost Effective Data Protection?
(Chart: percentage axis 0 to 90%. Technologies shown: Firewalls; Encryption/Tokenization for data at rest; Anti-virus & anti-malware solution; Encryption for data in motion; Access governance systems; Identity & access management systems; Correlation or event management systems; Web application firewalls (WAF); Endpoint encryption solution; Data loss prevention systems (DLP); Intrusion detection or prevention systems; Database scanning and monitoring (DAM); ID & credentialing system.)
Source: PCI DSS Compliance Survey, Ponemon Institute
29. Can New Data Security Help Creativity?
(Chart: Risk, low to high, plotted against Access, low to high. Traditional approach: high risk, managed by access control. Old and flawed: minimal access levels so people can only carry out their jobs. New: creativity happens at the edge; data tokens give the right level of access at low risk.)
Source: InformationWeek Aug 15, 2011
31. How Did Data Security Evolve?
Year     Event
2010     Memory Data Tokenization introduced as a fully distributed model
2005     Centralized Data Tokenization introduced with hosted payment service
2005     DTP (Data Type Preserving encryption) used in commercial databases
2005     Attack on SHA-1 hash announced
2005     DES was withdrawn
2001     AES (Advanced Encryption Standard) accepted as a FIPS-approved algorithm
1988     IBM AS/400 used tokenization in shadow files
1975     DES (Data Encryption Standard) draft submitted by IBM
1900 BC  Cryptography used in Egypt
32. How Can We Limit Changes to Applications?
(Chart: intrusiveness to applications and databases, high to low, plotted against data length, with the original length marked. Sample outputs for one clear-text value, from most to least intrusive:)
Standard Encryption:
– Hashing - !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
– Strong Encryption - !@#$%a^.,mhu7/////&*B()_+!@
Tokenizing or Formatted Encryption:
– Alpha Encoding - aVdSaH 1F4hJ 1D3a
– Numeric - 666666 777777 8888
– Partial - 123456 777777 1234
Clear Text Data - 123456 123456 1234
33. What Is The Next Step In Data Protection? The Promise Of A Better World
37. What is Tokenization and What is the Benefit?
• Tokenization
– Tokenization is a process that replaces sensitive data in systems with inert data called tokens, which have no value to the thief
– Tokens resemble the original data in data type and length
• Benefit
– Greatly improved transparency to systems and processes that need to be protected
• Result
– Reduced remediation
– Reduced need for key management
– Reduced points of attack
– Reduced PCI DSS audit costs for retail scenarios
39. Tokens Can Be More Flexible Than Encryption
Type of Data     Input                          Token                          Token Properties / Comment
Credit Card      3872 3789 1620 3675            8278 2789 2990 2789            Numeric
Medical ID       29M2009ID                      497HF390D                      Alpha-Numeric
Date             10/30/1955                     12/25/2034                     Date
E-mail Address   ulf.mattsson@protegrity.com    empo.snaugs@svtiensnni.snk     Alpha Numeric, delimiters in input preserved
SSN Delimiters   075-67-2278                    287-38-2567                    Numeric, delimiters in input
Credit Card      3872 3789 1620 3675            8278 2789 2990 3675            Numeric, last 4 digits exposed
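Added example, not Protegrity's or Teradata's code, of the token properties slides 37 and 39 list: same length and character class as the input, delimiters untouched, and an optional clear tail such as the last four card digits. It is a constructed per-position substitution-table tokenizer; the function names and table layout are my assumptions, and the tables are the secret that must be guarded like a key.

```python
import secrets
import string

# Constructed, illustrative tokenizer (not Protegrity's implementation).
# Each protected position gets its own random substitution table, so the
# secret is a fixed-size set of tables rather than a vault that grows with
# every value tokenized. Delimiters and a kept tail pass through unchanged.
# The tables ARE the secret: generate, store and rotate them like a key.

DIGITS = string.digits
LETTERS = string.ascii_uppercase


def build_tables(max_len):
    """One random digit table and one letter table per protected position."""
    rng = secrets.SystemRandom()
    tables = []
    for _ in range(max_len):
        entry = {}
        for key, alphabet in (("d", DIGITS), ("l", LETTERS)):
            perm = list(alphabet)
            # Reshuffle until nothing maps to itself: every protected char changes.
            while True:
                rng.shuffle(perm)
                if all(a != b for a, b in zip(alphabet, perm)):
                    break
            entry[key] = dict(zip(alphabet, perm))
            entry[key + "_inv"] = dict(zip(perm, alphabet))
        tables.append(entry)
    return tables


def _protected_positions(value, keep_last):
    """Indices of ASCII alphanumerics that are replaced; the tail is kept."""
    idx = [i for i, c in enumerate(value) if c.isascii() and c.isalnum()]
    return idx[: max(0, len(idx) - keep_last)]


def _substitute(c, table, forward):
    """Map one character through the digit or letter table, keeping case."""
    if c.isdigit():
        return table["d" if forward else "d_inv"][c]
    mapped = table["l" if forward else "l_inv"][c.upper()]
    return mapped if c.isupper() else mapped.lower()


def _transform(value, tables, keep_last, forward):
    out = list(value)
    for n, i in enumerate(_protected_positions(value, keep_last)):
        if n >= len(tables):
            raise ValueError("input has more protected characters than tables")
        out[i] = _substitute(value[i], tables[n], forward)
    return "".join(out)


def tokenize(value, tables, keep_last=0):
    return _transform(value, tables, keep_last, forward=True)


def detokenize(token, tables, keep_last=0):
    return _transform(token, tables, keep_last, forward=False)
```

Because each table is a derangement, a token never equals its input, and the same input always yields the same token, which is what keeps joins across the warehouse working without detokenizing.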
40. What Is The Impact On Performance And Scalability
41. Speed of Different Protection Methods
(Chart: transactions per second for 16-digit values, log scale from 100 to 10 000 000, compared across Basic Data Tokenization, Format Preserving Encryption, Data Type Preservation Encryption, AES CBC Encryption Standard and Modern Data Tokenization.)
*: Speed will depend on the configuration
42. Security of Different Protection Methods
(Chart: security level, low to high, compared across Basic Data Tokenization, Format Preserving Encryption, Data Type Preservation Encryption, AES CBC Encryption Standard and Modern Data Tokenization.)
*: Speed will depend on the configuration
43. Data Protection Methods
The next step in data protection: Tokenization
(Table: each method rated from Best to Worst on Performance, Storage, Security and Transparency; the ratings were shown as symbols that did not survive extraction. Methods compared: System without data protection; Monitoring + Blocking + Masking; Data Type Preservation; Strong Encryption; Tokenization; Hashing.)
45. The Bottleneck when Using Old Basic Tokenization
• Large footprint becomes larger
• Replication becomes more complex
• Solution may be unmanageable and expensive
(Diagram: a Teradata clique of nodes, each with its AMPs and a Protegrity Agent, all depending on an external Token Server that holds the Credit Card Number, Social Security Number and Passport Number token tables.)
46. Modern Tokenization for Teradata Architecture
• Small footprint
• Small static token tables
• High availability
• High scalability
• High performance
• No replication required
• No chance of collisions
(Diagram: a Teradata clique of nodes; on each node the Protegrity Agent performs tokenization operations next to the AMPs, with no external token server.)
48. Performance Comparison
• Basic Tokenization
– 5 tokens per second (outsourced)
– 5000 tokens per second (in-house)
• Modern Tokenization
– 200,000 tokens per second (Protegrity)
• Single commodity server with 10 connections
• Will grow linearly with additional servers and/or connections
– 9,000,000+ tokenizations per second (Protegrity/Teradata)
50. Tokenization Case Studies
Customer 1: Extensive enterprise End-to-End credit card data protection switching to Protegrity Tokenization
• Performance Challenge: Initial tokenization
• Vendor Lock-In: What if we want to switch payment processor?
• Performance Challenge: Operational tokenization (SLAs)
Customer 2: Desired single vendor to provide data protection including tokenization
• Combined use of tokenization and encryption
• Looking to expand tokens beyond CCN to PII
Customer 3: Reduce compliance cost. 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: Initial tokenization
• End-to-End Tokens: Started with the EDW and expanding to stores
51. Case Study – Large Chain Store
Faster PCI audit
• Half that time
• Qualified Security Assessors had no issues with the effective segmentation provided by Tokenization
Lower maintenance cost
• Do not have to apply all 12 requirements of PCI DSS to every system
Better security
• Ability to eliminate several business processes such as generating daily reports for data requests and access
Strong performance
• Rapid processing rate for initial tokenization
• Sub-second transaction SLA
53. Protegrity Data Protection for Teradata
(Architecture diagram: the Enterprise Security Administrator (ESA) hosts Policy Management, Key Management and Audit Management, with a Policy Deployment Server pushing policy to the nodes and a Log Proxy Server collecting audit logs. On each node of the Teradata clique a Policy Enforcement Agent (UDF / UDT) with its PEP Server performs data protection operations next to the AMPs that hold the protected data.)
54. Protegrity in the ETL Process
(Diagram with three columns.)
Sources: SQL Server, DB2, AS/400, Mainframe, Oracle
Transformation: ETL platform (Informatica, Data Stage) with Teradata load processes, performing cleansing, integration and transformation under the Protegrity policy
Targets: Teradata EDW and test data
Role Based Access Control decides what each role receives: Original Value, No Access, Token, Mask, or Hash
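Added example, not Protegrity's policy engine, of the role-based access control shown on the ETL slide: one protected column is returned as the original value, a mask, a keyed hash, or not at all, depending on the caller's role, and every decision is written to an audit trail separate from the database's own logs (slide 6). Role names, the policy layout and the HMAC key are my assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed example (not Protegrity's code). The policy maps a role to
# the form of the data it may see; anything not listed gets no access.
POLICY = {
    "fraud_analyst": "original",
    "marketing": "mask",
    "etl_load": "hash",
}
# Assumed demo key; in a deployment it comes from the key management service.
HMAC_KEY = b"constructed-demo-key"
AUDIT_LOG = []  # stands in for the separate audit trail on slide 6


def mask(value, visible_last=4):
    """Keep delimiters and the last `visible_last` alphanumerics, star the rest."""
    idx = [i for i, c in enumerate(value) if c.isalnum()]
    hide = set(idx[: max(0, len(idx) - visible_last)])
    return "".join("*" if i in hide else c for i, c in enumerate(value))


def keyed_hash(value):
    """HMAC rather than a bare digest: card numbers and SSNs have too little
    entropy for an unkeyed hash to resist guessing."""
    return hmac.new(HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()


def present(value, role, column="card_number"):
    """Return `column` in the form the policy allows for `role`, logging it."""
    form = POLICY.get(role, "no_access")
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role, "column": column, "form": form,
    })
    if form == "original":
        return value
    if form == "mask":
        return mask(value)
    if form == "hash":
        return keyed_hash(value)
    raise PermissionError(f"role {role!r} may not read {column}")
```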
56. Data Masking is Not Secure
(Chart: risk, low to high, across system types Test / dev, Integration testing, Troubleshooting and Production. Data at rest masking: high exposure, because data is in the clear before masking. Data display masking: high exposure, because data is only obfuscated. Data tokens: low risk across all system types.)
58. Why Protegrity?
• Protegrity’s Tokenization allows compliance across:
– PCI
– PII
– PHI
• Innovative: Pushing data protection with industry leading innovation such as our patented database protection system and the Protegrity Tokenization
• Proven: Proven platform currently protects the world’s largest companies
• Experienced: Experienced staff will be there with support along the way to complete data protection
59. How To Secure The Sensitive Data Flow
(Diagram: secure collection from POS, e-commerce and branch; secure distribution through tokenization; the Security Administrator defines the policy and receives the audit log; the Database Protector, Application Protector and File System Protector enforce the policy.)
61. Why Tokenization?
1. No masking needed
2. No encryption/decryption when using
3. No key management across enterprise
62. Why Modern Tokenization?
1. Better – small footprint
2. Faster – high performance
3. Lower total cost of ownership
63. Tokenization Differentiators
                                        Basic Tokenization                                   Modern Tokenization
Footprint                               Large, Expanding                                     Small, Static
High Availability, Disaster Recovery    Complex, expensive replication required              No replication required
Distribution                            Practically impossible to distribute geographically  Easy to deploy at different geographically distributed locations
Reliability                             Prone to collisions                                  No collisions
Performance, Latency, and Scalability   Will adversely impact performance & scalability      Little or no latency. Fastest industry tokenization
Extendibility                           Practically impossible                               Unlimited Tokenization Capability
64. Thank you!
Q&A
ulf.mattsson@protegrity.com
Got Tokens?
Meet Yuri at the
Protegrity booth #201
Editor's notes
a story. Neuroscientists have found the brain gets bored easily. Presentations include demonstrations, video clips, and other speakers. All of the elements are planned and collected well before the slides are created.
*Sixty-four percent of this center pertains to the direct and indirect costs associated with enabling security technologies. Table 1 summarizes the total, average, median, maximum and minimum compliance costs for each of the six activity centers defined in our cost framework in Part IV. Please note that these cost statistics are defined for a 12-month period. Data security represents the largest cost center for the benchmark sample, while policy represents the smallest.
"Risk management" is just another term for the cost-benefit tradeoff associated with any security decision. Protecting data according to risk enables organizations to determine their most significant security exposures, target their budgets towards addressing the most critical issues, strengthen their security and compliance profile, and achieve the right balance between business needs and security demands. As discussed earlier, a report by the Ponemon Institute, a privacy and information management research firm, found that data breach incidents cost $202 per compromised record in 2008, with an average total per-incident cost of $6.65 million. All security spend figures produced by government and private research firms indicate that enterprises can put strong security into place for about 10% of the average cost of a breach. You can find the right balance between cost and security by doing a risk analysis.