2011 San Diego Teradata PARTNERS Conference

1. Ulf Mattsson, CTO
Protegrity

2. What Is Tokenization
on the Node ?
2

3. 3

4. Teradata and Protegrity
• Strategic partnership since 2004
• Advocated solution for data protection on Teradata Databases
• Proven parallel and scalable data protection for Teradata MPP platforms
• Collaboration on forward-looking roadmaps
– New and advanced data protection options
– Integration with new Teradata Database features
– Seamless operation on large data warehouse systems
• World-class customers
4

5. Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata
Databases
– Provides additional separation of duties through a separate
Security Manager interface for creation and maintenance of
security policies
– Includes a patented key management system for secure key
generation and protection of keys when stored
– Supports multiple data protection options including strong
encryption and tokenization
– Supports multiple cryptographic algorithms and key strengths
– Automates the process of converting clear text data to cipher text
5

6. Protegrity Data Protection for Teradata
• A comprehensive data protection solution for Teradata
Databases
– Provides additional access controls to protect sensitive information
(even DBC can not see unencrypted data unless specifically authorized
by the Security Manager)
– Includes additional auditing separate from database audit logs (such as
the Access Log)
– Designed to fully exploit Teradata Database parallelism and scalability
– Enterprise-wide solution that works with most major databases and
operating systems (not just Teradata)
6

7. Select Protegrity Customers
Select Protegrity Customers
7

8. Data Breaches Gone Mad - Learn how to Secure your Data
Warehouse Straight Away!
www.protegrity.com
8

9. Who Are The
Hackers and What
Are They Doing?
9

10. Some of you have already met Yuri.
Source: http://www.youtube.com/user/ProtegrityUSA
10
10

11. Last year he and his “anonymous”
friends hacked AT&T.
Source: http://www.youtube.com/user/ProtegrityUSA
11
11

12. This year they hacked Sony and bought
BMW M5s.
Source: http://www.youtube.com/user/ProtegrityUSA

13. • Data including
passwords and personal
details were stored in
clear text
• Attacks were not
coordinated and not
advanced
• Majority of attacks
were SQL Injection
dumps and Distributed
Denial of Service (DDoS)
13

14. Next month Yuri plans to hit a major
telco with the keys provided by a
disgruntled employee.
Source: http://www.youtube.com/user/ProtegrityUSA
14

15. Then Yuri is going to buy a private
jet.
Source: http://www.youtube.com/user/ProtegrityUSA
15

16. Hospitality
Retail
Financial Services
Government
Tech Services
Manufacturing
Transportation
Media
Healthcare
Business Services
0 10 20 30 40 50 %
*: Number of breaches
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
16

17. Source: Trustwave Global Security Report 2011
17

18. So how does Yuri do it?
Source: http://www.youtube.com/user/ProtegrityUSA
18

19. Hacking
Malware
Physical
Error
Misuse
Social
0 20 40 60 80 100 %
*: Number of records
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
19

20. “Usually, I just
need one
disgruntled
employee.
Just one.”
Source: http://www.youtube.com/user/ProtegrityUSA
20

21. • Attackers stole information about SecurID
two-factor authentication
• 60 different types of customized malware
• Advanced Persistent Threat (APT) malware
tied to a network in Shanghai
• A tool written by a Chinese hacker 10 years
ago
21

22. Third party fraud detection
Notified by law enforcement
Reported by customer/partner…
Unusual system behavior
Reported by employee
Internal security audit or scan
Internal fraud detection
Brag or blackmail by perpetrator
Third party monitoring service
0 10 20 30 40 50 %
*: Number of breaches
Source: 2011 Data Breach Investigations Report, Verizon Business RISK team and USSS
22

23. Why Should
I Care?
23

24. • Some issues have stayed constant:
• Threat landscape continues to gain sophistication
• Attackers will always be a step ahead of the defenders
• Different motivation, methods and tools today:
• We are fighting highly organized, well-funded
crime syndicates and nations
• Move from detective to preventative controls needed
Source: Forrester and http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2
24

25. How Can We Secure
The Sensitive Data
Flow?
25

26. We Need To Protect The Data Flow
: Enforcement point
Unprotected sensitive information: Protected sensitive information
26

27. What Has Industry
Done
To Protect Itself?
27

28. What is Cost Effective Data Protection?
Firewalls
Encryption/Tokenization for data at rest
Anti-virus & anti-malware solution
Encryption for data in motion
Access governance systems
Identity & access management systems
Correlation or event management systems
Web application firewalls (WAF) WAF
Endpoint encryption solution
Data loss prevention systems (DLP) DLP
Intrusion detection or prevention systems
Database scanning and monitoring (DAM) DAM
ID & credentialing system
0 10 20 30 40 50 60 70 80 90 %
Source: PCI DSS Compliance Survey, Ponemon Institute
28

29. Can New Data Security Help Creativity?
Risk
Traditional
High – Access
Control
Old and flawed:
Minimal access New:
levels so people Creativity
can only carry Happens
out their jobs At the edge
Low -
Data Tokens
Access
I I Right Level
Low High
Source: InformationWeek Aug 15, 2011
29

30. What has Industry
Done To
Protect Databases?
30

31. How Did Data Security Evolve?
Year Event
Memory Data Tokenization introduced as a fully distributed
2010
model
Centralized Data Tokenization introduced with hosted payment
service
DTP (Data Type Preserving encryption) used by in commercial
2005
databases
Attack on SHA-1 hash announced
DES was withdrawn
AES (Advance Encryption Standard) accepted as a FIPS-approved
2001
algorithm
1988 IBM AS/400 used tokenization in shadow files
1975 DES (Data Encryption Standard) draft submitted by IBM
1900 BC Cryptography used in Egypt
31

32. How Can We Limit Changes to Applications?
Intrusiveness (to Applications and Databases)
Encryption
Standard
Hashing - !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*
Strong Encryption - !@#$%a^.,mhu7/////&*B()_+!@
Alpha - aVdSaH 1F4hJ 1D3a
Encoding
Tokenizing or
Numeric - 666666 777777 8888 Formatted
Encryption
Partial - 123456 777777 1234
Clear Text Data - 123456 123456 1234
Data
I
Length
Original
32

33. What Is The Next Step
In Data Protection?
The Promise Of A
Better World
33

34. Replace Sensitive Data With Fake Data
Data
Random number Token
34

35. Replace Sensitive Data With Data Tokens
Tokenization De-tokenization
Applications & Databases
Unprotected sensitive information:
: Data Token Protected sensitive information:
35

36. Yuri Hates Tokens!
36

37. What is Tokenization and What is the Benefit?
• Tokenization
– Tokenization is process that replaces sensitive data in systems with inert
data called tokens which have no value to the thief
– Tokens resemble the original data in data type and length
• Benefit
– Greatly improved transparency to systems and processes that need to be
protected
• Result
– Reduced remediation
– Reduced need for key management
– Reduce the points of attacks
– Reduce the PCI DSS audit costs for retail scenarios
37

38. Tokens For PCI,
PII & PHI
38

39. Tokens Can Be More Flexible Than Encryption
Type of Data Input Token Comment
Token Properties
Credit Card 3872 3789 1620 3675 8278 2789 2990 2789 Numeric
Medical ID 29M2009ID 497HF390D Alpha-Numeric
Date 10/30/1955 12/25/2034 Date
E-mail Address ulf.mattsson@protegrity.com empo.snaugs@svtiensnni.snk Alpha Numeric, delimiters
in input preserved
SSN Delimiters 075-67-2278 287-38-2567 Numeric, delimiters in
input
Credit Card 3872 3789 1620 3675 8278 2789 2990 3675 Numeric, Last 4 digits
exposed
39

40. What Is The Impact
On Performance
And Scalability
40

41. Speed of Different Protection Methods
Transactions per second (16 digits)
10 000 000 -
1 000 000 -
100 000 -
10 000 -
1 000 -
100 - I I I I
I
Basic Format Data AES CBC Modern
Data Preserving Type Encryption Data
Tokenization Encryption Preservation Standard Tokenization
Encryption
41 *: Speed will depend on the configuration

42. Security of Different Protection Methods
Security
Level
High
Low
I I I I I
Basic Format Data AES CBC Modern
Data Preserving Type Encryption Data
Tokenization Encryption Preservation Standard Tokenization
Encryption
42 *: Speed will depend on the configuration

43. Data Protection Methods
The next step in data protection; Tokenization
Data Protection Methods Performance Storage Security Transparency
System without data protection
Monitoring + Blocking + Masking
Data Type Preservation
Strong Encryption
Tokenization
Hashing
Best Worst
43

44. How does
Tokenization on
Teradata Work?
44

45. The Bottleneck when Using Old Basic Tokenization
Large footprint becomes larger
Clique Replication becomes more complex
Solution may be unmanageable and expensive
Node
AMP Token Server
AMP
Protegrity
Agent
AMP
AMP
Node
AMP
AMP
Protegrity
Agent
AMP
AMP
Credit Card Social Security Passport
Number Number Number
45

46. Modern Tokenization for Teradata Architecture
Small footprint
Clique Small static token tables
High availability
Node
High scalability
Tokenization AMP
Operations High performance
Protegrity AMP
Agent No replication required
AMP
AMP
No chance of collisions
Node
Tokenization AMP
Protegrity
Operations AMP
Agent
AMP
AMP
46

47. The World’s
Smallest & Fastest
Tokenizer
47

48. Performance Comparison
• Basic Tokenization
– 5 tokens per second (outsourced)
– 5000 tokens per second (in-house)
• Modern Tokenization
– 200,000 tokens per second (Protegrity)
• Single commodity server with 10 connections.
• Will grow linearly with additional servers and/or connections
– 9,000,000+ tokenizations per second (Protegrity /Teradata)
48

49. What Is The
Customer
Experience?
49

50. Tokenization Case Studies
Customer 1: Extensive enterprise End-to-End credit card data protection
switching to Protegrity Tokenization
• Performance Challenge: Initial tokenization
• Vendor Lock-In: What if we want to switch payment processor?
• Performance Challenge: Operational tokenization (SLAs)
Customer 2: Desired single vendor to provide data protection including
tokenization
• Combined use of tokenization and encryption
• Looking to expand tokens beyond CCN to PII
Customer 3: Reduce compliance cost. 50 million Credit Cards, 700 million daily
transactions
• Performance Challenge: Initial tokenization
• End-to-End Tokens: Started with the EDW and expanding to stores
50

51. Case Study – Large Chain Store
Faster PCI audit
• Half that time
• Qualified Security Assessors had no issues with the effective segmentation provided by
Tokenization
Lower maintenance cost
• Do not have to apply all 12 requirements of PCI DSS
to every system
Better security
• Ability to eliminate several business processes such as generating daily reports for data
requests and access
Strong performance
• Rapid processing rate for initial tokenization
• Sub-second transaction SLA
51

52. How does Protegrity
on Teradata Work?
52

53. Protegrity Data Protection for Teradata
Clique
Enterprise Security
Administrator (ESA) Policy Enforcement
Node Agent
(UDF / UDT)
Data Protection
Audit Logs Log Proxy AMP
Server
Operations
Policy AMP
Policy Deployment
Management Server
AMP Protected Data
PEP
Server
AMP
Key
Management
Node
Data Protection
AMP
Operations
Audit AMP
Management
AMP
PEP
Server AMP
53

54. Protegrity in the ETL Process
Sources Transformation Targets
SQL
Server
Protegrity Policy Role Based
DB2
Access Control
ETL Platform Original Value
Informatica
No Access
Teradata Load
Data Stage
Processes
Teradata Token
AS/400
• Cleansing Mask
• Integration EDW
• Transformation Hash
Test Data
Mainframe
Oracle
54

55. Data Masking is
Not Effective
55

56. Data Masking is Not Secure
Risk
Data at rest Data display
Masking Masking
High –
Exposure: Exposure:
Data in clear
Data is only
before masking
obfuscated
Low -
Data Tokens
System
I I I I Type
Test / dev Integration Trouble Production
testing shooting
56

57. Who Is
Protegrity?
57

58. Why Protegrity?
• Protegrity’s Tokenization allows compliance across:
– PCI
– PII
– PHI
• Innovative: Pushing data protection with industry leading innovation such
as out patented database protection system and the Protegrity
Tokenization
• Proven: Proven platform currently protects the worlds largest companies
• Experienced: Experienced staff will be there with support along the way
to complete data protection
58

59. How To Securing The Sensitive Data Flow
Secure
Collection POS e-commerce Branch
Audit
Secure Log
Distribution Tokenization
Policy
Database
Protector
Security
Administrator Application
Protector
File System
Protector
59

60. How Will This
Improve My Life?
60

61. Why Tokenization?
1. No masking needed
2. No encryption/decryption when using
3. No key management across enterprise
61

62. Why Modern Tokenization?
1. Better – small footprint
2. Faster – high performance
3. Lower total cost of ownership
62

63. Tokenization Differentiators
Basic Tokenization Modern Tokenization
Footprint Large, Expanding Small, Static
High Availability, Complex, expensive No replication required
Disaster Recovery replication required
Distribution Practically impossible to Easy to deploy at different geographically
distribute geographically distributed locations
Reliability Prone to collisions No collisions
Performance, Will adversely impact Little or no latency. Fastest industry
Latency, and performance & scalability tokenization
Scalability
Extendibility Practically impossible Unlimited Tokenization Capability
63

64. Thank you!
Q&A
ulf.mattsson@protegrity.com
Got Tokens?
Meet Yuri at the
Protegrity booth #201
64