ISSA Journal | December 2010
©2010 Information Systems Security Association • www.issa.org • All rights reserved

Next Generation Tokenization for Compliance and Cloud Data Protection
By Ulf Mattsson, ISSA member, New York Metro, USA Chapter

Abstract
Meeting PCI DSS compliance is important, but it is also imperative to understand that compliance does not equal security: PCI DSS was intended to be the floor, not the ceiling. The emergence of cloud computing has added a new wrinkle to the ongoing efforts to improve data security. This article will discuss the factors that must be considered when securing data in the Cloud, and how next-generation tokenization protects data as it flows across systems while minimizing PCI compliance costs.

Data breaches and the Cloud

The Verizon Business RISK team, in cooperation with the United States Secret Service (USSS), has been conducting annual data breach investigations, the current finding being the “2010 Data Breach Investigations Report.”[1] The purpose of the report is to study the common elements and characteristics that can be found in data breaches. In six years, the Verizon Business RISK team and USSS combined dataset now spans 900+ breaches and over 900 million compromised records. As in previous years, the 2010 report showed that nearly all data was breached from servers and online applications, with 98% of all server breaches resulting from hacking and malware, the most dominant perpetrators. Financial services, hospitality, and retail comprised the “Big Three” industries, recorded as being 33%, 23%, and 15%, respectively, of all data breaches. Targeting of financial organizations is hardly shocking, as financial records represent the nearest approximation to actual cash for the criminal. An astounding 94% of all compromised records (note: records differ from breaches[2]) in 2009 were attributed to financial services.

Financial firms hold large volumes of sensitive consumer data for long periods of time, and because of this fall under very stringent government regulation requirements that require them to submit remediation validation records if data is found to be vulnerable, as well as regular compliance reports proving that they are adequately securing the data they have access to. Despite being under such stringent compliance standards, 79% of financial firms whose data had been breached failed to meet PCI DSS compliance, the minimum security measure. Thus, organizations have been searching for a solution that protects the business from endpoint to endpoint, while efficiently meeting compliance.

In addition to the constantly evolving security threats that must be mitigated, enterprises are quickly adopting cloud computing practices that add a new element to the data security conundrum. According to Gartner forecasts, worldwide revenue from use of cloud services will increase nearly 17% this year to $68.3 billion and will approach $150 billion in 2014, a 20.5% compound annual growth rate over the next five years.[3] While its growing popularity is undeniable, the Cloud also has serious data security issues. In the Cloud, data moves at a faster pace and frees up on-premise network bandwidth, which is what makes it attractive. Unfortunately, those performing the data breaches recognize the Cloud’s vulnerabilities and are quickly capitalizing on them. At DEFCON 2010, one of the largest hacker conferences in the world, 100 attendees who have already hacked or have tried to hack the Cloud participated in an in-depth survey. 96% of the participants believed that the Cloud would open up more hacking opportunities for them.[4] Given its rapid adoption rate, enterprises need a solution that will secure the cloud today and tomorrow.

Encryption and tokenization

Recognizing the vulnerabilities that the Cloud faces, we must establish a way to secure data that does not hinder the benefits of the Cloud, including remote data access from anywhere with an Internet connection, quick content delivery, easily sharable content, and better version control. Two options that have been used in on-premise data security are becoming a hot debate over which is better for securing data in the cloud: encryption or tokenization. While there is no silver bullet for the data security and compliance woes of large enterprise organizations, all eyes are on tokenization right now.

The difference between end-to-end encryption and tokenization

End-to-end encryption encrypts sensitive data throughout most of its life cycle, from capture to disposal, providing strong protection of individual data fields. While it is a practical approach on the surface, encryption keys are still vulnerable to exposure, which can be very dangerous in the riskier cloud environment. Encryption also lacks versatility, as applications and databases must be able to read a specific data type and length in order to decipher the original data. If the database and the data length are incompatible, the text will be rendered unreadable.

Tokenization solves many of these problems. At the basic level, tokenization differs from encryption in that it is based on randomness, not on a mathematical formula: it eliminates keys by replacing sensitive data with random tokens, to mitigate the chance that thieves can do anything with the data if they get it. The token cannot be discerned or exploited, since the only way to get back to the original value is to reference the lookup table that connects the token with the original encrypted value. There is no formula, only a lookup.

A token by definition will look like the original value in data type and length. These properties enable it to travel inside applications, databases, and other components without modifications, resulting in greatly increased transparency. This will also reduce remediation costs for applications, databases, and other components where sensitive data lives, because the tokenized data will match the data type and length of the original.

First generation tokenization

There are compelling arguments that question the validity of this emerging technology, like those explained in Ray Zadjmool’s article, “Are Tokenization and Data Field Encryption Good for Business?” which appeared in November’s ISSA Journal.[5] Zadjmool pointed out that “some early adopters are quietly discarding their tokenization and data field encryption strategies and returning to more traditional card processing integrations.” He also mentioned that there are no standards to regulate and define exactly what is and is not tokenization. What he failed to do is acknowledge that there are different forms of tokenization. It is no surprise to me that companies that have tried first generation methods have not seen the results that they were promised. Here’s why. Currently there are two forms of tokenization available: “first generation” and “next generation.” First generation tokenization is available in two flavors: dynamic and static.

Dynamic first generation is defined by large lookup tables that assign a token value to the original encrypted sensitive data (Figure 1). These tables grow dynamically as they accept new, untokenized sensitive data. Tokens, encrypted sensitive data, and other fields that contain administrative data expand these tables, increasing the already large footprints.

[Figure 1: Dynamic First Generation Tokenization. A growing token lookup table; characteristics: large, expanding footprint; complex replication; prone to collisions; latency impact on performance; expanding to additional categories of tokenization multiplies the inherent problems.]

A variation of first generation tokenization is the pre-populated token lookup table, or static first generation. This approach attempts to reduce the overhead of the tokenization process by pre-populating lookup tables with the anticipated combinations of the original sensitive data, thereby eliminating the tokenization process (Figure 2). But because the token lookup tables are pre-populated, they also carry a large footprint.

[Figure 2: Pre-Generated Static First Generation Tokenization. A pre-populated token lookup table; characteristics: large, static footprint; no replication needed; no collisions; latency impact on performance; faster than having to tokenize repeatedly; expanding to additional categories of tokenization multiplies the inherent problems; practical limitations on what can be pre-generated.]

While these approaches offer great promise, they also introduce great challenges:

• Latency: Large token tables are not mobile. The need to use tokenization throughout the enterprise will introduce latency and thus poor performance and poor scalability.

• Replication: Dynamic token tables must always be synchronized, an expensive and complex process that may eventually lead to collisions. Complex replication requirements impact the ability to scale performance to meet business needs and to deliver high availability.

• Practical limitation on the number of data categories that can be tokenized: Consider the large lookup tables that would be needed to tokenize credit cards for a merchant. Now consider the impact of adding social security numbers, email addresses, and any other fields that may be deemed sensitive. The use of dynamic or static first generation tokenization quickly turns into an impractical solution.

Next generation tokenization

Like first generation tokenization, next generation tokenization is built around the same concept of replacing sensitive data with random tokens. However, a key differentiator of next generation tokenization is that it employs small-footprint token servers that free the process from many of the challenges faced by first generation tokenization (Figure 3).

[Figure 3: Next Generation Tokenization. A small token table with 1,000,000 max entries; characteristics: small, static footprint; no replication needed; no collisions; little or no latency; fastest in the industry; can work in parallel environments; can extend to as many data categories as needed while maintaining the small footprint; no limitations on what can be tokenized.]

Here are the key features of next generation tokenization:

• Distributed: Token servers with small footprints enable the distribution of the tokenization process so that token operations can be executed closer to the data. Thus, latency is eliminated or greatly reduced, depending on the deployment approach used.

• Scalable: The smaller footprint also enables the creation of farms of token servers that are based on inexpensive commodity hardware and provide any scaling required by the business, without the need for complex or expensive replication.

• Versatile: Any number of different data categories, ranging from credit card numbers to medical records, can be tokenized without the penalty of increasing the footprint, and more data types can benefit from the transparent properties that tokens offer.

• Increased performance: Next generation tokenization has been benchmarked at approximately 200,000 tokens per second, performance metrics that are hard to achieve with first generation tokenization or encryption.

When next generation tokenization is applied strategically to enterprise applications, confidential data management and PCI audit costs are reduced and the risk of a security breach is minimized. Because authentic primary account numbers (PAN) are only required at authorization and settlement, security is immediately strengthened by the decrease of potential targets for would-be attackers. Simultaneously, PCI compliance costs are significantly decreased because tokenization brings data out of scope and eliminates the need for the annual re-encryption that PCI requires with encryption strategies. Because they all need the high availability, high performance, scalability, and quick response times that it offers, next generation tokenization is well suited for the financial, retail, health care, and telecommunications industries.

As Zadjmool pointed out, standards have yet to be developed for tokenization, but the PCI Security Standards Council is in the process of creating guidance and validation documents to help provide clarity on this emerging technology. In the meantime, Visa’s “Best Practices for Tokenization” Version 1.0,[6] which was published on July 14, can provide some clarity until the Council releases its own standards. But be careful, because this draft implies a “one size fits all” architectural solution open enough for botched implementations. This includes encryption pretending to be tokenization that lacks security requirements, where random-based tokenization is the only true end-to-end solution.

Conclusion

A holistic solution for data security should be based on centralized data security management that protects sensitive information throughout the entire flow of data across the enterprise, from acquisition to deletion. While no technology can guarantee 100% security, tokenization and encryption are proven to dramatically reduce the risk of credit card data loss and identity theft. Next generation tokenization in particular has the potential to help businesses protect sensitive data in the Cloud in a much more efficient and scalable manner, allowing them to lower the costs associated with compliance in ways never before imagined.

About the Author
Ulf Mattsson is the chief technology officer of Protegrity, a leader in enterprise data security management. He is commonly considered one of the founding fathers of tokenization and has been advising the industry’s top analysts and stakeholders, including the PCI Security Standards Council, ISACA, and Visa, as they navigate the role of tokenization in payments security. Ulf is the inventor of more than 20 patents in the areas of encryption key management, policy driven data encryption, internal threat protection, data usage control, and intrusion prevention. He may be reached at ulf.mattsson@protegrity.com.

Notes
1. “2010 Data Breach Investigations Report” — http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf.
2. Note: one compromised record is defined as the record of one individual, whereas one data breach is defined as one company’s data being breached.
3. Rob O’Regan, “UK cloud adoption picks up as CIOs adapt to new delivery model” — http://searchvirtualdatacentre.techtarget.co.uk/news/column/0,294698,sid203_gci1522118,00.html.
4. Help Net Security — http://www.net-security.org/secworld.php?id=97 3.
5. Ray Zadjmool, “Are Tokenization and Data Field Encryption Good for Business?” ISSA Journal, November 2010 — Online: http://www.bluetoad.com/publication/?i=51180; PDF: https://www.issa.org/Library/Journals/2010/November/Zadjmool.Are%20Tokenization%20and%20Data%20Field%20Encryption.pdf.
6. “Best Practices for Tokenization,” Visa — http://usa.visa.com/download/merchants/tokenization_best_practices.pdf.
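The following worked example illustrates two points the article makes: the dynamic first generation token vault (a lookup table that is the only way back from token to value, grows with every new value and every added data category, and is prone to collisions), and the transparency property that a token must match the original in data type and length. It is added example code, not code from the article, from Protegrity, or from any PCI guidance; the vault class, the standard test card numbers, the e-mail field and the deliberately tiny token space in `collision_demo` are all constructed for the example.

```python
"""Added example (not from the article or Protegrity): a dynamic
first-generation token vault.  Tokens are random, the lookup table is the
only way back to the original, and the table grows with every new value
and every new data category.  A deliberately tiny token space shows the
collision problem the article attributes to this approach."""
import random
import secrets
import string

# Constructed sample values: standard test card numbers and a made-up e-mail.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "340000000000009"]
SAMPLE_EMAIL = "alice@example.com"


def random_token_like(value, rng):
    """Draw a random string with the same length and character classes as
    `value`: digits stay digits, letters keep their case, separators such
    as '-' or '@' are kept, so the token fits the original's column."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


def same_shape(a, b):
    """The transparency property: same length, digits where digits were."""
    return len(a) == len(b) and all(x.isdigit() == y.isdigit() for x, y in zip(a, b))


class DynamicTokenVault:
    """Lookup-table tokenization: there is no formula, only the two maps."""

    def __init__(self, max_retries=10, rng=None):
        self.rng = rng if rng is not None else secrets.SystemRandom()
        self.to_original = {}    # token -> original value
        self.to_token = {}       # original value -> token
        self.collisions = 0      # draws that hit an already assigned token
        self.max_retries = max_retries

    def tokenize(self, value):
        if value in self.to_token:          # same input always gets the same token
            return self.to_token[value]
        for _ in range(self.max_retries):
            token = random_token_like(value, self.rng)
            # Reject a token already in use, or one equal to the clear value
            # (that would leak the original through the "token").
            if token not in self.to_original and token != value:
                self.to_original[token] = value
                self.to_token[value] = token
                return token
            self.collisions += 1
        raise RuntimeError("no free token left for this format")

    def detokenize(self, token):
        # KeyError for an unknown token: without the table a token means nothing.
        return self.to_original[token]

    def footprint(self):
        """Rows in the lookup table: the footprint the article warns grows
        with every new value and every added data category."""
        return len(self.to_original)


def demo():
    """Tokenize a few PANs, then add an e-mail category to the same vault."""
    vault = DynamicTokenVault()
    tokens = [vault.tokenize(p) for p in SAMPLE_PANS]
    repeat = vault.tokenize(SAMPLE_PANS[0])          # no new row for a repeat
    email_token = vault.tokenize(SAMPLE_EMAIL)       # second data category
    return {
        "shape_preserved": all(same_shape(p, t) for p, t in zip(SAMPLE_PANS, tokens)),
        "round_trip": [vault.detokenize(t) for t in tokens] == SAMPLE_PANS,
        "idempotent": repeat == tokens[0],
        "email_keeps_separators": "@" in email_token and email_token != SAMPLE_EMAIL,
        "footprint": vault.footprint(),              # 3 PANs + 1 e-mail = 4 rows
    }


def collision_demo(seed=2010):
    """Nine single-digit values in a ten-token space: draws soon start
    colliding with tokens already handed out, which is why large dynamic
    tables need collision handling and careful synchronization."""
    vault = DynamicTokenVault(max_retries=1000, rng=random.Random(seed))
    for digit in "012345678":
        vault.tokenize(digit)
    return vault.collisions, vault.footprint()


if __name__ == "__main__":
    print(demo())
    print("collisions, rows:", collision_demo())
```

Running the script prints the property checks for the PAN and e-mail tokens and the collision count for the tiny token space. The production-style vault uses `secrets.SystemRandom`, so tokens are unpredictable; `collision_demo` injects a seeded generator only so the run is repeatable. Every token handed out adds a row to both maps, which is the footprint growth the article describes, and the e-mail row shows how a second data category lands in the same table.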
