Dealing with Risk and Compliance to secure your growth
16th May 2018
John Bycroft, SVP Sales Europe
Top drivers for Data Security Investment
> Compliance Regulations
> Reputation and brand protection
> Customer or partner recommendation
http://www.infosecurity-magazine.com/news/research-data-breaches-up-security/
https://www.bloomberg.com/news/articles/2017-03-02/world-s-biggest-banks-fined-321-billion-since-financial-crisis
comForte and Security
So what can you do?
> Ignore the issue or…
> Hope that it does not happen to you
> Do something
PROTECT YOUR DATA WITH TOKENISATION
> "Data protection with tokenisation is proving to be more effective than network perimeter defenses or intrusion detection and is endorsed by the most well-known and respected compliance standards worldwide"
> PCI DSS 3.2: Render Primary Account Number (PAN) unreadable anywhere it is stored (clause 3.4)
> ASC X9 Standard 119-2: Defines the minimum security requirements for implementing tokenisation
> GDPR: Data security measures should allow pseudonymizing (tokenising or encrypting) of personal data
According to Gartner Research, tokenisation has emerged as a best practice for protecting sensitive fields or columns in databases during the past few years.
Tokenisation (data security)
> Is the process of substituting a sensitive data element (e.g. PAN) with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
> The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenisation system like comForte's SecurDPS
Tokenisation – the concept
PAN: 4026157151401408 (or SSN, Name, etc.)
  -> tokenisation engine ->
Token: 67a1cefb12aa897d
   OR: 67z1xExn12VT1408
   OR: 4026158BDFAF1408
   OR: ...
> Target format configurable in tokenisation engine.
> Various mechanisms possible to perform actual tokenisation.
> Important to have a distinguish-method for online migration
comForte Tokenisation Engine
> Stateless/Vaultless tokenisation
> Security validated by independent cryptologists
> High performance
> Collision-free
> Patented technology based on unbalanced Feistel networks
> Linearly scalable
(Diagram: comForte Tokenisation engine, consisting of Tokenisation Algorithm and Tokenisation Table)
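As an added example that is not comForte's code (its patented algorithm is not described on this page), the Python sketch below shows the principle behind the two slides above: an unbalanced Feistel network keyed with HMAC-SHA256 permutes the middle digits of the PAN with no vault, so two different PANs can never map to the same token, while the letter-only middle part (a constructed target format) serves as the distinguish-method for online migration. The key, round count and split ratio are assumptions.

```python
import hashlib
import hmac
import string

# Illustration only: a keyed permutation on the digit domain (unbalanced Feistel)
# gives vaultless, collision-free tokens. It is NOT comForte's patented algorithm.
LETTERS = string.ascii_uppercase   # token alphabet; 26**n >= 10**n for every n
ROUNDS = 10                        # even, so parts end in the order they started

def _prf(key: bytes, rnd: int, part: str, width: int) -> int:
    """Round function: HMAC-SHA256 over (round, other part) reduced to `width` digits."""
    mac = hmac.new(key, f"{rnd}:{part}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def feistel(key: bytes, digits: str, inverse: bool = False) -> str:
    """Bijection on n-digit strings; unbalanced split u = n//3, v = n - u."""
    u = max(1, len(digits) // 3)
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (range(ROUNDS - 1, -1, -1) if inverse else range(ROUNDS)):
        m = u if i % 2 == 0 else v      # width of the part rewritten in round i
        if inverse:
            a, b = str((int(b) - _prf(key, i, a, m)) % 10 ** m).zfill(m), a
        else:
            a, b = b, str((int(a) + _prf(key, i, b, m)) % 10 ** m).zfill(m)
    return a + b

def _to_letters(value: int, width: int) -> str:
    return "".join(LETTERS[value // 26 ** i % 26] for i in reversed(range(width)))

def _from_letters(text: str) -> int:
    return sum(LETTERS.index(ch) * 26 ** i for i, ch in enumerate(reversed(text)))

def is_token(field: str) -> bool:
    """Distinguish-method: a PAN is all digits, a token always carries letters,
    so tokenised and clear records can coexist during an online migration."""
    return not field.isdigit()

def tokenise(key: bytes, pan: str, lead: int = 6, trail: int = 4) -> str:
    """Keep BIN and last four, replace the middle with a letter-only token."""
    if not pan.isdigit() or len(pan) <= lead + trail:
        raise ValueError("expected an all-digit PAN longer than lead + trail")
    mid = pan[lead:len(pan) - trail]
    return pan[:lead] + _to_letters(int(feistel(key, mid)), len(mid)) + pan[len(pan) - trail:]

def detokenise(key: bytes, token: str, lead: int = 6, trail: int = 4) -> str:
    """Inverse: letters -> digits -> inverse Feistel, then reassemble the PAN."""
    mid = token[lead:len(token) - trail]
    digits = str(_from_letters(mid)).zfill(len(mid))
    return token[:lead] + feistel(key, digits, inverse=True) + token[len(token) - trail:]
```

Because the Feistel step is a permutation, detokenisation needs only the key, not a lookup table; the production engine replaces this HMAC round function with its own table-driven construction.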
Enterprise Tokenisation system is mission-critical
Looking for:
> Availability
> Scalability
> Reliability
> Security
> Easy Integration
> Fault-Tolerance
> Performance
…while keeping effort for tokenisation services management and consumers low
SecurDPS framework
NonStop as the tokenisation server
(Diagram: HPE NonStop runs SecurDPS with Protection Engine; Linux/Unix hosts, MS Windows hosts and other Enterprise hosts each run comForte SecurDPS and exchange tokens with the NonStop over a Secure Channel (SSH))
Today - Satellite Protection Node Appliance
> Appliance based on custom minimal OpenBSD
> No root access, just end point userids and keys
> No persistent storage, just RAM disk
> Logging via syslog or to …
> SDF & Vaults loaded from NonStop for local processing
> Unlimited scalability and fail-over of protection nodes
> High performance – first measurements easily 100k TPS (depending on strategy and underlying hardware performance)
(Diagram: HPE NonStop with SecurDPS Protection Engine connects over a Secure Channel (SSH) to a SecurDPS Protection Node Cluster on a virtualized x86 server; Linux/Unix, MS Windows and other Enterprise hosts running comForte SecurDPS exchange tokens with the cluster over Secure Channels (SSH))
comForte Data Protection Cluster - Architecture you can rely on
> Failure of a single PN will be transparent for enterprise application (EA) connectors, other PNs will take over
> Protection Nodes (PN) in the cluster monitor/restart each other
> Management Console (MC) configures the SDF (configuration file) and generates token tables
> MC can be stopped after cluster startup!
> Audit Console (AC) creates a solid audit trail and allows real-time insights into key questions around enterprise data protection
> SDF & token tables & endpoint authentication data loaded into PN
> In environments with NonStop (optional), NS can run as MC and/or PN
(Diagram: a cluster of PNs serving several EAs, with MC and AC attached to the cluster)
SecurDPS – Integration Capabilities
SecurDPS integration can be done by:
Transparent Integration
> No code change required
> Full support of HP NonStop, and can also cover common use cases for Windows and Linux/Unix
> Allows for protecting files that are accessed by 3rd party applications that cannot be changed, such as file transfer clients, operating system tools etc.
> Data processing layer provides capabilities to locate and replace sensitive data in the intercepted I/O stream
> Transparency allows for migrating from non-tokenised to tokenised without interruption of service
Use of API
> API access for explicit control of protection engine
> If tight integration with the application is desired
(Diagram: Application A -> SecurDPS Transparency Layer -> SecurDPS Data Processing Layer -> SecurDPS API -> Data Protection Platform API (actual tokenisation operations) -> Tokens; Application B -> SecurDPS API -> Data Protection Platform API (actual tokenisation operations) -> Tokens)
SecurDPS SmartAPI – Not just a Simple API
SecurDPS makes high availability tokenization easy
> Automatic failover
> Automatic load balancing
> Automatic (re)distribution
> Automatic integrity assurance
> Automatic scaling
All transparent to the Enterprise App!
(Diagram: enterprise applications (EA) call the SmartAPI, which spreads requests over a cluster of protection nodes (PN))
SecurDPS deployment options
SecurDPS Enterprise On-Prem
(Diagram: On Premise: App, MC, AC, PN cluster, Tokens)
SecurDPS Enterprise Hybrid with on-prem and cloud app
(Diagram: Public Cloud: Cloud App, PN cluster, Tokens; On Premise: App, MC, AC, PN cluster, Tokens)
SecurDPS Hybrid Cloud Deployment – no PANs to cloud
(Diagram: SecurDPS Cloud: AC, MC, Index Table, Tweak; PN cluster with App and Tokens, cloud or on-premise)
SecurDPS Hybrid Cloud Deployment
(Diagram: Public Cloud: AC, MC, Tokens, Index Table, Tweak, USVs; SecurDPS TKN<->USV; PN cluster, App, Tokens, Log, CASB; cloud or on-premise)
comForte - contacts
John Bycroft
SVP Sales EMEA
Tel: +44 118 909 9076
Email: j.bycroft@comforte.com
Security specials
Key protection & HSM integration
> Multiple layers of key encryption
> Optional vendor agnostic HSM integration
> Optional key custodians for split knowledge / dual control
> Key custodians can authorise key usage for unattended startup
SecurDPS Key hierarchy
The types of the keys and the supported algorithms are as follows:

| Key/Secret  | Type               | Supported Algorithms                                              | Purpose and Usage                                    |
|-------------|--------------------|-------------------------------------------------------------------|------------------------------------------------------|
| Vault KEK   | Asymmetric         | RSA OAEP, 2048, 3072¹, 4096¹ bits                                 | Encrypt a DEK.                                       |
| DEK         | Symmetric          | cbc-aes-256-sha-128, cbc-aes-256-sha-256, cbc-aes-256-sha-512     | Encrypt a file.                                      |
| Index Table | Large random table | ANSI X9.119-2-2017, i.e. comForte Table Tokenization Algorithm    | Tokenize a sensitive data string (such as the PAN). |
Key hierarchy with an HSM
Combining the Encryption Key Protection Layers (example NonStop)
> As a result, the keys in the key store can be protected by multiple optional key encryption layers:
> 1. Encryption with a secret derived from the obfuscated code secret and the custodians' passphrases (if the key is under custodian control)
> 2. Encryption with an HSM/SCD working key
> 3. Encryption with the key store Masterkey
> Obviously, for the SecurDPS Masterkey itself layer 3 is not available.
The diagram depicts an overview of this multi-layer approach.
(Diagram: on HPE NonStop, the SecurDPS Manager talks via IPC to an Encryption Proxy, which talks via TCP/IP to the SCD/HSM (e.g. HPE Atalla Keyserver NSP) holding the MFK; the KeyStore holds Masterkey and Vaultkey entries (Key Name / Key Data); the outline colour of each box indicates the key used for encryption: Master File Key (MFK), Working Key for Masterkey (WK0), Masterkey Custodian Passphrases, SecurDPS Code Secret (CS), SecurDPS Masterkey, Working Key for Vault (WK1), Vault Key Custodian Passphrases)