Tokenization vs encryption vs masking
Download as PPTX, PDF5 likes3,053 views
The document discusses various data protection methods including tokenization, encryption, and their implementation in compliance with security standards like PCI DSS and NIST. It evaluates different approaches based on criteria such as performance, security, and total cost of ownership, while emphasizing the need for adaptable protection methods as security requirements evolve. The document also highlights the importance of integrating these security measures in both production and non-production environments for maintaining data confidentiality and integrity.
Tokenization vs encryption vs masking
- 1. SIGNIFICANTLY DIFFERENT TOKENIZATION APPROACHES Property Dynamic Pre-generated Vault-based Vaultless 1
- 2. TOKENIZATION VS. ENCRYPTION Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys Code books Index tokens Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY TokenizationEncryption 2
- 3. POSITIONING DIFFERENT PROTECTION OPTIONS Evaluation Criteria Strong Encryption Formatted Encryption Tokens Security & Compliance Total Cost of Ownership Use of Encoded Data Best Worst 3
- 4. TOKENIZATION SERVER LOCATION Best Worst Tokenization Server Location Evaluation Aspects Mainframe Remote Area Criteria DB2 Work Load Manager Separate Address Space In-house Out-sourced Operational Availability Latency Performance Security Separation PCI DSS Scope 4
- 5. RISK ADJUSTED DATA PROTECTION Data Protection Methods Performance Storage Security Transparency System without data protection Monitoring + Blocking + Masking Format Controlling Encryption Downstream Masking Strong Encryption Tokenization Hashing Best Worst Protection Method Extensibility: Data Protection Methods must evolve with changes in the security industry and with compliance requirements. The Protegrity Data Security Platform can be easily extended to meet security and compliance requirements. 5
- 6. Making Data Unreadable – Protection Methods (Pro’s & Con’s) Evaluating Different Tokenization ImplementationsIO Interface Protection Method System Layer Granularity AES/CBC, AES/CTR … Formatted Encryption Data Tokenization Hashing Data Masking Application Column/Field Record Database Column Table Table Space OS File IO Block Storage System IO Block Best Worse 66
- 7. Best Worst Area Impact Formatted Encryption Strong Encryption Dynamic Tokenization (old) Static Tokenization (new) Scalability Availability Latency CPU Consumption Security Data Flow Protection Compliance Scoping Key Management Randomness Separation of Duties Evaluating Column Encryption & Tokenization Database Column EncryptionEvaluation Criteria Tokenization 7
- 8. POSITIONING DIFFERENT PROTECTION OPTIONS Area Evaluation Criteria Strong Field Encryption Formatted Encryption Distributed Token Security High risk data Compliance to PCI, NIST Initial Cost Transparent to applications Expanded storage size Transparent to databases schema Operation al Cost Performance impact when loading data Long life-cycle data Unix or Windows mixed with “big iron” (EBCDIC) Easy re-keying of data in a data flow Disconnected environments Distributed environments Best Worst 8
- 9. DE-IDENTIFICATION / ANONYMIZATION Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address [email protected] [email protected] SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de-identification 9
- 10. 123456 777777 1234 123456 123456 1234 !@#$%a^///&*B()..,,,gft_+!@4#$2%p^&*Hashing - Strong Encryption - Alpha - Partial - Clear Text Data - Intrusiveness (to Applications and Databases) I Original I Longer !@#$%a^.,mhu7/////&*B()_+!@ Tokenizing or Formatted Encryption Data Length Standard Encryption Encoding Evaluating Field Encryption & Tokenization 123456 aBcdeF 1234 10
- 11. I Format Preserving Encryption Security of Different Protection Methods I Modern Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization High Low Security Level 11
- 12. 10 000 000 - 1 000 000 - 100 000 - 10 000 - 1 000 - 100 - Transactions per second I Format Preserving Encryption Speed of Different Protection Methods I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization Speed will depend on the configuration 12
- 13. Time Total Cost of Ownership Total Cost of Ownership 1. System Integration 2. Performance Impact 3. Key Management 4. Policy Management 5. Reporting 6. Paper Handling 7. Compliance Audit 8. … Strong Encryption: 3DES, AES … I 2010 I 1970 What Has The Industry Done? I 2005 I 2000 Format Preserving Encryption: FPE, DTP … Basic Tokenization Vaultless Tokenization High - Low - 13
- 14. FINE GRAINED SECURITY: ENCRYPTION OF FIELDS 14 Production Systems Encryption of fields • Reversible • Policy Control (authorized / Unauthorized Access) • Lacks Integration Transparency • Complex Key Management • Example: !@#$%a^.,mhu7///&*B()_+!@ Non-Production Systems
- 15. FINE GRAINED SECURITY: MASKING OF FIELDS 15 Non-Production Systems Masking of fields • Not reversible • No Policy, Everyone can access the data • Integrates Transparently • No Complex Key Management • Example: 0389 3778 3652 0038 Production Systems
- 16. FINE GRAINED SECURITY: TOKENIZATION OF FIELDS 16 Production Systems Non-Production Systems Tokenization (Pseudonymization) • No Complex Key Management • Business Intelligence • Example: 0389 3778 3652 0038 • Reversible • Policy Control (Authorized / Unauthorized Access) • Not Reversible • Integrates Transparently
- 17. Safe Integration – Enterprise & Public Cloud Safe Integration 17
- 18. Corporate Network SECURITY GATEWAY DEPLOYMENT – APPLICATION EXAMPLE Backend System Cloud Gateway External Service Enterprise Security Administrator Security Officer 18
- 19. Corporate Network SECURITY GATEWAY DEPLOYMENT – DATABASE EXAMPLE Backend System Cloud Gateway Enterprise Security Administrator Security Officer RDBMS 19
- 20. Corporate Network Backend System Cloud Gateway Enterprise Security Administrator Security Officer SECURITY GATEWAY DEPLOYMENT – INDEXING RDBMS Index Index Query re-write 20
- 21. Corporate Network Backend System Cloud Gateway Enterprise Security Administrator Security Officer SECURITY GATEWAY DEPLOYMENT – SEARCH RDBMS Query re-write Order preserving encryption 21
- 22. Trust RISK ADJUSTED COMPUTATION – LOCATION AWARENESS Elasticity Out- sourced In-house Corporate Network Private Cloud Private Cloud Public Cloud H L Processing Cost H L 22
- 23. Trust BALANCING RISK & OPERATIONAL REQUIREMENTS Elasticity Out- sourced In-house Private Cloud Private Cloud Public Cloud H L Clear Data Index Data Encryption Keys & Token Mappings Protected Data 23
- 24. Type of Data Use Case I Structured How Should I Secure Different Data? I Un-structured Simple – Complex – PCI PHI PII Encryption of Files Card Holder Data Tokenization of Fields Protected Health Information 24 Personally Identifiable Information
Editor's Notes
- #2: Compare Vaultless tokenization to other tokenization approaches No data replication/collision issues – guaranties data integrity, no data corruption, allows parallel computing across many servers and location High scalability and performance
- #3: CACS 2012 NYM 2012
- #4: These are particular use cases where you should “watch out”. It does not capture ALL of criteria and use cases
- #6: Risk Adjusted Data Protection means that you should protect data based on the risk of the sensitive data. Risk can be assessed by acknowledging the value of the data (is the data valuable to the bad guys) and its exposure. So, valuable data that is widely exposed should be protected with strong protection like Strong encryption or tokenization while data that may have little or no value to the bad guys that is also widely exposed can be protected with a reduced protection approach like monitoring without encryption or Format Controlling Encryption. This chart shows several approaches to protect sensitive data along with a set of criteria that we have found useful when comparing the merits of each method. Performance is self describing, storage refers to the impact that a method has on storage. For example, strong encryption will require adding padding to the crypto text so that the final data will be larger than the original. When a data store is billions of records this can have an impact on the cost of the solution. Some methods are considered more secure than others. Format Controlling Encryption and Strong Encryption are both encryption approaches but FCE is not NIST approved and so it’s security properties are less secure than strong encryption. Some compliance requirements may require a method that is NIST approved. Finally, transparency refers to the degree to which a protection method effects systems and processes. A protection method that is not transparent will require remediation to systems that are being protected. This could translate to higher protection costs. Tokenization has been gaining popularity due to it’s high transparent characteristics that are seen to reduce protection costs. I then select one or two protection methods and mention something about them; Strong encryption and tokenization provide extreme protection while FCE, due to it’s non NIST approval and it’s performance issues may have limited use. (this is a landmine for Voltage that can be mentioned explicitly or implicitly – depending on the audience and the prospect)
- #9: These are particular use cases where you should “watch out”. It does not capture ALL of criteria and use cases
- #10: De-identification or Anonymization can be a cost effective approach to protect data
- #12: CACS 2012 NYM 2012
- #13: CACS 2012 abstract NYM 2012
- #14: CACS 2012 abstract NYM 2012
- #15: What are the key characteristics of encryption, tokenization and masking and how the can be used in production and test /dev? Encryption of fields Reversible Policy Control (authorized / Unauthorized Access) Lacks Integration Transparency Complex Key Management Example !@#$%a^.,mhu7///&*B()_+!@
- #16: What are the key characteristics of masking? Masking of fields Not reversible No Policy, Everyone can access the data Integrates Transparently No Complex Key Management Example 0389 3778 3652 0038
- #17: What are the key characteristics of tokenization? No Complex Key Management Business Intelligence Production systems Reversible Policy Control (Authorized / Unauthorized Access) Test / dev Not Reversible Integrates Transparently
- #18: The reason for high interest is based on the Cloud Gateway Benefits Example Eliminates the threat of third parties exposing your sensitive information Delivers a secure and uncompromised SaaS user experience Identifies malicious activity and proves compliance to third parties and detailed audit trails Eases cloud adoption process and acceptance Product is transparent and has close to 0% overhead impact Simplifies compliance requirements Ability to outsource a portion of your IT security requirements Eliminates data residency concerns and requirements Greatly reduces cloud application security risk Enables partner access to your sensitive data Controls cloud security from the enterprise Protects your business from third party access
- #19: Important use case. Example - How it works The enterprise wants to protect their sensitive data before it leaves their Trusted Domain and enters the SaaS . The enterprise users (and their Security/IT personnel) will likely not possess detailed knowledge of the contents of the web services protocols running between their client devices and the SaaS servers. However, as part of their work flows, they know their business-intelligence data they are entering in a web form (e.g. in HTML). Further, they are able to identify the individual fields in various web forms that need to be protected. The goal then is to determine how to map web form fields to the web services protocol / payload data elements such that an in-line security gateway can protect those fields. Protecting data on a Server (or Service) located outside of the their trust domain, or the Server may be located inside your enterprise or in a private cloud environment such provided by Cloud Service Providers (CSP). Cloud Gateway can be installed on a physical server or virtual machine behind your corporate firewall, or deploy it in a virtual private cloud. Talk about the Enterprise Security Administration – a single point of control for data security.
- #20: Important use case. Example - How it works The enterprise wants to protect their sensitive data before it leaves their Trusted Domain and enters the SaaS . The enterprise users (and their Security/IT personnel) will likely not possess detailed knowledge of the contents of the web services protocols running between their client devices and the SaaS servers. However, as part of their work flows, they know their business-intelligence data they are entering in a web form (e.g. in HTML). Further, they are able to identify the individual fields in various web forms that need to be protected. The goal then is to determine how to map web form fields to the web services protocol / payload data elements such that an in-line security gateway can protect those fields. Protecting data on a Server (or Service) located outside of the their trust domain, or the Server may be located inside your enterprise or in a private cloud environment such provided by Cloud Service Providers (CSP). Cloud Gateway can be installed on a physical server or virtual machine behind your corporate firewall, or deploy it in a virtual private cloud. Talk about the Enterprise Security Administration – a single point of control for data security.
- #21: Important use case. Example - How it works The enterprise wants to protect their sensitive data before it leaves their Trusted Domain and enters the SaaS . The enterprise users (and their Security/IT personnel) will likely not possess detailed knowledge of the contents of the web services protocols running between their client devices and the SaaS servers. However, as part of their work flows, they know their business-intelligence data they are entering in a web form (e.g. in HTML). Further, they are able to identify the individual fields in various web forms that need to be protected. The goal then is to determine how to map web form fields to the web services protocol / payload data elements such that an in-line security gateway can protect those fields. Protecting data on a Server (or Service) located outside of the their trust domain, or the Server may be located inside your enterprise or in a private cloud environment such provided by Cloud Service Providers (CSP). Cloud Gateway can be installed on a physical server or virtual machine behind your corporate firewall, or deploy it in a virtual private cloud. Talk about the Enterprise Security Administration – a single point of control for data security.
- #22: Important use case. Example - How it works The enterprise wants to protect their sensitive data before it leaves their Trusted Domain and enters the SaaS . The enterprise users (and their Security/IT personnel) will likely not possess detailed knowledge of the contents of the web services protocols running between their client devices and the SaaS servers. However, as part of their work flows, they know their business-intelligence data they are entering in a web form (e.g. in HTML). Further, they are able to identify the individual fields in various web forms that need to be protected. The goal then is to determine how to map web form fields to the web services protocol / payload data elements such that an in-line security gateway can protect those fields. Protecting data on a Server (or Service) located outside of the their trust domain, or the Server may be located inside your enterprise or in a private cloud environment such provided by Cloud Service Providers (CSP). Cloud Gateway can be installed on a physical server or virtual machine behind your corporate firewall, or deploy it in a virtual private cloud. Talk about the Enterprise Security Administration – a single point of control for data security.
- #23: Cloud is only one of the platforms in an Enterprise. The flow of Sensitive data need to be secured across all platforms, including Cloud. Important Goals: GWs & Agents enforce Enterprise Policy across Cloud & On-premises Data & Applications Goals: Automated Protection of the entire Data flow, including legacy systems, Cloud and Big Data. Single point of control for policy and audit. You security posture depends on the policy and the enforcement. The security policy is the foundation for protecting data. It is usually managed by the Security Officer. Think of it as the glue that binds distributed data protection throughout the enterprise. This is policy based data security, protecting the entire data flow against threats and minimizing audit and compliance requirements. This is also an illustration of the Protegrity Software. You can find more information in the attached material.
- #24: Cloud is only one of the platforms in an Enterprise. The flow of Sensitive data need to be secured across all platforms, including Cloud. Important Goals: GWs & Agents enforce Enterprise Policy across Cloud & On-premises Data & Applications Goals: Automated Protection of the entire Data flow, including legacy systems, Cloud and Big Data. Single point of control for policy and audit. You security posture depends on the policy and the enforcement. The security policy is the foundation for protecting data. It is usually managed by the Security Officer. Think of it as the glue that binds distributed data protection throughout the enterprise. This is policy based data security, protecting the entire data flow against threats and minimizing audit and compliance requirements. This is also an illustration of the Protegrity Software. You can find more information in the attached material.