Cross border - off-shoring and outsourcing privacy sensitive data
1. Cross-Border - Off-Shoring and Outsourcing
Privacy Sensitive Data
Ulf Mattsson, CTO
Protegrity
ulf.mattsson AT protegrity.com
2. Ulf Mattsson, CTO Protegrity
20 years with IBM
• Research & Development & Global Services
Inventor
• Encryption, Tokenization & Intrusion Prevention
Involvement
• PCI Security Standards Council (PCI SSC)
• American National Standards Institute (ANSI) X9
• Encryption & Tokenization
• International Federation for Information Processing
• IFIP WG 11.3 Data and Application Security
• ISACA New York Metro chapter
5. Cloud Services
Services usually provided by a third party
• Can be virtual, public, private, or hybrid
Increasing adoption – up 12% from 2012*
Often an outsourced solution, sometimes cross-border
Allows for greater accessibility of data and low overhead
*Source: GigaOM
8. Drivers for Data Security
Regulations & Laws
• Payment Card Industry Data Security Standard (PCI DSS)
• National Privacy Laws
• Cross-Border & Outsourcing Privacy Laws
Expanding Threat Landscape
• Hackers & APT
• Internal Threats & Rogue Privileged Users
• Excessive Privilege or Security Negligence
Sensitive Data Insight & Usability
• Unprotected Sensitive or Restricted Data is Unusable for
Marketing, Monetization, Outsourcing, etc.
Vulnerabilities in Emerging Technologies
10. PCI Data Security Standards Council
Founded in 2006, comprised of four major credit card
brands
Each card brand enforcement program issues fines,
fees and schedule deadlines
• Visa's Cardholder Information Security Program (CISP)
http://www.visa.com/cisp
• MasterCard's Site Data Protection (SDP) program
http://www.mastercard.com/us/sdp/index.html
• Discover's Discover Information Security and Compliance
(DISC) program
http://www.discovernetwork.com/fraudsecurity/disc.html
• American Express Data Security Operating Policy (DSOP)
http://www.americanexpress.com/datasecurity
11. PCI DSS
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
12. PCI DSS 3.0
Protection of cardholder data in memory
Clarification of key management dual control and split
knowledge
Recommendations on making PCI DSS business-as-usual and best practices
Security policy and operational procedures added
Increased password strength
New requirements for point-of-sale terminal security
More robust requirements for penetration testing
13. PCI DSS Cloud Guidelines
Relevant to all sensitive data that is outsourced to cloud
1. Clients retain responsibility for the data they put in the cloud
2. Public-cloud providers often have multiple data centers, which may
often be in multiple countries or regions
3. The client may not know the location of their data, or the data may
exist in one or more of several locations at any particular time
4. A client may have little or no visibility into the controls
5. In a public-cloud environment, one client’s data is typically stored
with data belonging to multiple other clients. This makes a public
cloud an attractive target for attackers
15. National Privacy Laws - USA
Health Insurance Portability and Accountability Act – HIPAA
1. Names
2. All geographical subdivisions smaller than a State
3. All elements of dates (except year) related to individual
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger prints
17. Full face photographic images
18. Any other unique identifying number
17. National Privacy Laws - India
Information Technology Act – 2000 (IT Act)
• Requires that the corporate body and Data Processor
implement reasonable security practices and standards
• IS/ISO/IEC 27001 requirements recognized
Information Technology Act – 2008 (Amended IT Act)
• Damages for negligence and wrongful gain or loss
• Criminal punishment for disclosing Sensitive Personal
Information (SPI)
India Privacy Law – 2011
• Expanded definition of SPI to passwords, financial data,
health data, medical treatment records, and more
Right to Privacy Bill – 2013 (Proposed)
• Increased jail terms & fines for disclosure of SPI
• Addresses data handled for foreign clients
19. Cross-Border & Outsourcing Laws
The laws of the sending country apply to data sent
across international borders, including outsourced
operations
• i.e. National Privacy Laws
APEC Cross-Border Privacy Laws
• Non-binding privacy enforcement in Asia-Pacific region
29. Sensitive Data Insight & Usability
Big Data and Cloud environments are designed for
access and deep insight into vast data pools
Data can be monetized not only by marketing
analytics, but through sale or use by a third party
The more accessible and usable the data is, the
greater this ROI benefit can be
Security concerns and regulations are often viewed
as opponents to data insight
30. Big Data Vulnerabilities and Concerns
Big Data (Hadoop) was designed for data access,
not security
Security in a read-only environment introduces new
challenges
Massive scalability and performance requirements
Sensitive data regulations create a barrier to
usability, as data cannot be stored or transferred in
the clear
Transparency and data insight are required for ROI
on Big Data
31. Cloud Vulnerabilities and Concerns
Public cloud security is often not visible to the client,
but client is still responsible for security
Greater access to shared data sets by more users
creates additional points of vulnerability
Data redundancy for high availability, often across
multiple data centers, increases vulnerability
Virtualization can create numerous security issues
Transparency and data insight are required for ROI
How do you lock this?
33. What is de-identification of identifiable data?
The solution to protecting identifiable data is to properly de-identify it.
(Diagram: a record made up of Personally Identifiable Information plus Health Information / Financial Information, shown before and after de-identification.)
Redact the information – remove it.
The identifiable portion of the record is de-identified with any number of protection methods such as masking, tokenization, encryption, redacting (removed), etc.
The method used will depend on your use case and the reason that you are de-identifying the data.
34. Identifiable Sensitive Information
Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | joe.smith@surferdude.org | eoe.nwuer@beusorpdqo.org
SSN | 076-39-2778 | 937-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | – | Encrypted
Photo | – | Encrypted
X-Ray | – | Encrypted
Healthcare / Financial Services | Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services Consumer Products and activities | –
Protection methods can be equally applied to the actual healthcare data, but not needed with de-identification
35. De-Identified Sensitive Data
Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | joe.smith@surferdude.org | eoe.nwuer@beusorpdqo.org
SSN | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | – | Encrypted
Photo | – | Encrypted
X-Ray | – | Encrypted
Healthcare / Financial Services | Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services Consumer Products and activities | –
Protection methods can be equally applied to the actual data, but not needed with de-identification
36. How Should I Secure Different Data?
Use Case | Type of Data | Protection Method
Simple – Card Holder Data (PCI), Personally Identifiable Information (PII) | Structured | Tokenization of Fields
Complex – Protected Health Information (PHI) | Un-structured | Encryption of Files
37. Research Brief
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise
use of tokenization for protecting sensitive data over
encryption
Nearly half of the respondents (47%) are currently
using tokenization for something other than cardholder
data
Over the last 12 months, tokenization users had 50%
fewer security-related incidents than tokenization non-users
Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
38. Vaultless Tokenization & Data Insight
The business intelligence exposed through Vaultless
Tokenization can allow many users and processes to
perform job functions on protected data
Extreme flexibility in data de-identification can allow
responsible data monetization
Data remains secure throughout data flows, and can
maintain a one-to-one relationship with the original
data for analytic processes
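As an added example (not Protegrity code), the following shows the format-preserving, one-to-one pseudonymization illustrated in the tables of slides 34 and 35 and described on slide 38: tokens are derived with a keyed HMAC, so the same value always maps to the same token and no vault of stored mappings is needed. The key, the field labels, and the rules for which characters survive (area code, last four card digits, birth year, e-mail TLD, letter case) are assumptions read off the sample rows, and the code generalizes them to any value of those shapes.

```python
import hashlib
import hmac
import string

# Constructed demo key; a real deployment keeps it in an HSM or key manager.
KEY = b"demo-tokenization-key-not-for-production"

def _stream(field, value):
    """Infinite keyed byte stream for (field, value). Same input -> same stream, so each
    value maps one-to-one to its token and no vault of stored mappings is needed."""
    counter = 0
    while True:
        yield from hmac.new(KEY, f"{field}:{value}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1

def _sub(field, value, keep=lambda i, c: False):
    """Letters -> letters (same case), digits -> digits; punctuation, spaces and any
    position where keep(i, c) is true pass through unchanged."""
    rng, out = _stream(field, value), []
    for i, c in enumerate(value):
        if keep(i, c) or not c.isalnum():
            out.append(c)
        elif c.isdigit():
            out.append(str(next(rng) % 10))  # byte % n has a slight bias; fine for a demo
        else:
            alphabet = string.ascii_uppercase if c.isupper() else string.ascii_lowercase
            out.append(alphabet[next(rng) % 26])
    return "".join(out)

def tokenize_name(name):
    return _sub("name", name)

def tokenize_phone(phone):
    return _sub("phone", phone, keep=lambda i, c: i < 3)  # keep the area code

def tokenize_card(pan):
    return _sub("pan", pan, keep=lambda i, c: i >= len(pan) - 4)  # keep last four digits

def tokenize_dob(dob):
    """MM/DD/YYYY: keep the year (age bands); month and day become valid random values."""
    rng = _stream("dob", dob)
    return f"{next(rng) % 12 + 1:02d}/{next(rng) % 28 + 1:02d}/{dob.split('/')[2]}"

def tokenize_email(addr):
    """Keep '@', dots and the top-level domain; pseudonymize local part and host."""
    local, domain = addr.split("@")
    host, tld = domain.rsplit(".", 1)
    return f"{_sub('email-local', local)}@{_sub('email-host', host)}.{tld}"
```

Because the mapping is keyed and deterministic, anyone holding KEY can reproduce it, so the key must stay with the data owner and never travel to the outsourced or offshore environment that receives the tokens.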
41. Privacy Impacts BPO & Offshore Business Solutions
Business Process Outsourcing (BPO)
• Business Processes
• E.g. Loans, Mortgages, Call Centre, Claims Processing, ERP,
etc.
• Application Development
• Need to de-identify Data for Testing and Development
Off-Shoring
• Same as Outsourcing, but data is sent for business functions
(like call center, etc.) off-shore.
Laws governing your ability to send real data to 3rd parties are
already restrictive, and becoming more so
Penalties for infringement are growing more severe
Risk of data breaches and data theft is increased
42. Examples
Major Bank in EU wants to centralise EDW
operations in a single country and therefore send
customer data from country A to country B. Privacy
Laws in country A prohibit this.
Private Bank in Europe wants to offshore Finance
Operations. Privacy Law prohibits transfer of citizen
data to India.
Retail Bank in Scandinavia wants to offshore
Customer Services. Privacy law prevents transfer of
citizen data to the Far East.
44. Protegrity Use Case: UniCredit
CHALLENGES
The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers,
birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming
source data from various European banking entities, and existing data within those systems, which would be
consolidated at the Italian HQ.
45. Case Study - Large US Chain Store
Reduced cost
• 50 % shorter PCI audit
Quick deployment
• Minimal application changes
• 98 % application transparent
Top performance
• Performance better than encryption
Stronger security
46. Case Study: Large Chain Store
Why? Reduce compliance cost by 50%
• 50 million Credit Cards, 700 million daily transactions
• Performance Challenge: 30 days with Basic to 90 minutes with
Vaultless Tokenization
• End-to-End Tokens: Started with the D/W and expanding to
stores
• Lower maintenance cost – don’t have to apply all 12 requirements
• Better security – able to eliminate several business and daily
reports
• Quick deployment
• Minimal application changes
• 98 % application transparent
47. Please contact us for more information
Ulf.Mattsson@protegrity.com
www.protegrity.com