
Andy Thurai on “On Yet, Another Breach”

I have been sitting on this blog/thought for a while, but it’s even more timely now with the Global Payments breach (reported first by Brian Krebs on his security blog). Global Payments is a merchant acquirer that has contracts with retailers for handling the processing of card transactions (credit cards, debit cards, gift cards of all brands). Though the information about the breach is still being assembled, it is estimated that information about 10 million+ accounts was lost. Though Global specializes in “mom-and-pop shop” transactions, the company itself is very well established ($167 billion worth of transactions last year alone). This breach happened in spite of having decent security measures in place. What is worse is that the data stolen is full “track 1” and “track 2”, which means that using that stolen data, one could easily produce counterfeit cards. (Be on the lookout for unauthorized charges in your account – it is hard to dispute a transaction when someone swipes a card unless you catch it early – I can tell you that from personal experience.)

The problem lies in the complex payment systems that were developed years ago for payment transactions. In those days, security was not on everyone’s mind, partly because most of these systems ran on private networks (and leased lines) and the hackers of those days were not that savvy. It is sad, but true, that it is much cheaper for the companies to deal with the breaches than to make their systems more secure. You might recall a serious breach at Heartland Payment Systems a couple of years ago, where they lost about 130 million cards. Last year hackers stole payment card information for more than 100 million customers of Sony’s PlayStation Network. Suffice it to say that in between these events, there were multiple smaller breaches that went unnoticed.

If you are a security architect and are wondering how you can safeguard your company from such disasters, we here at Intel can help you. While we have many solutions that can help in various areas, I would like to talk about a particular solution, our Tokenization Solution – Intel Expressway Tokenization Broker (Intel ETB).

A few years ago, PCI-DSS released a new directive that opened the door for a new concept called tokenization. Of paramount importance when dealing with sensitive data is the overarching need to keep it secure. Up until a few years ago, that was done by encryption. While an encryption solution is very good for what it aims to achieve, the attendant issues ended up becoming major issues (key management, key rotation, encryption strength, etc.). If a hacker catches a transaction in flight, or hacks into the systems and catches that transaction in memory or in process (where the data might be in the clear), the issue becomes even graver.

In order to avoid this, PCI-DSS released a directive (and updated it late last year with PCI DSS 2.0 Aug 2011) for tokenizing the PAN (Primary Account Number) information. At the heart of this directive is the fact that if you create a true random token (i.e., format preserving surrogate) there is no way that a hacker who intercepts that message can get the original information back. Hence, there is no monetary loss if someone were to capture the token in flight or from storage.

Intel provides hardened proxy Token Brokers that one can slide either in front of or behind any application (we support almost all standard protocols and data formats); they sit in the line of traffic and perform these tokenization actions. Essentially that means very little or no work is required on the applications/API/services side. By sliding our proxies into the line of traffic, you can ensure that all of the channels are secure and that no one can sneak in.

An application needing the original data can come back to Intel ETB and be provided with it. This can be either a side call (as in a call to an API to reverse the data) or an in-line reverse translation, so that the receiving application receives the original data without a need for modification. In this scenario, only the necessary applications (or the proxies) would know where to go to resolve the token. Such an application would need to be whitelisted. Moreover, the connection could be made as a 2-way mutually authenticated SSL connection that establishes the identity of both sides, ensuring that the information travels securely end-to-end.

Tokens are stored in a hardened database which is nearly impossible to breach and which only Intel ETB can connect to. All the communication from Intel ETB to the database is secure and the database has a white list of only tokenization brokers that it, in turn, can connect to.
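The broker behaviour described above (a random, format-preserving surrogate for the PAN, a vault that only the broker reads, and detokenization restricted to whitelisted callers) in a small constructed example; this is illustrative code written for this post, not Intel ETB's implementation. It assumes the caller's identity has already been established upstream (for instance the client certificate identity from the mutually authenticated SSL connection) and is passed in as a string.

```python
import hmac
import secrets

DIGITS = "0123456789"


class TokenBroker:
    """Constructed example of a tokenization broker (not Intel ETB code).
    The PAN lives only in the vault; everything else sees the token."""

    def __init__(self, allowed_callers=(), keep_first=6, keep_last=4):
        self.keep_first = keep_first            # e.g. keep the BIN for routing/analytics
        self.keep_last = keep_last              # e.g. keep last 4 for receipts
        self._vault = {}                        # token -> PAN
        self._by_fingerprint = {}               # HMAC(PAN) -> token, so a PAN always maps to one token
        self._vault_key = secrets.token_bytes(32)   # keyed so the index cannot be brute-forced offline
        self._allowed = set(allowed_callers)    # whitelist of identities allowed to detokenize

    def _fingerprint(self, pan):
        return hmac.new(self._vault_key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan):
        """Return a format-preserving surrogate: same length, all digits,
        preserved head/tail, and a middle drawn from a CSPRNG (not derived from the PAN)."""
        if not pan.isdigit() or len(pan) < self.keep_first + self.keep_last + 1:
            raise ValueError("PAN must be numeric and long enough to tokenize")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:          # idempotent: same PAN, same token
            return self._by_fingerprint[fp]
        head, tail = pan[:self.keep_first], pan[len(pan) - self.keep_last:]
        middle_len = len(pan) - self.keep_first - self.keep_last
        while True:
            middle = "".join(secrets.choice(DIGITS) for _ in range(middle_len))
            token = head + middle + tail
            # never hand back the real PAN, and never reuse a token already in the vault
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token, caller):
        """Reverse lookup, only for whitelisted callers; the mapping is random,
        so nothing about the token itself reveals the PAN."""
        if caller not in self._allowed:
            raise PermissionError(f"caller {caller!r} is not whitelisted for detokenization")
        if token not in self._vault:
            raise KeyError("unknown token")
        return self._vault[token]
```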

In short, by using the Intel Tokenization Broker (Intel ETB) solution you get:

  • Storage and processing using surrogate data rather than the original data.
  • Format-preserving tokenization, allowing parts of the PAN to be preserved for internal purposes.
  • Handling of any form of data, such as MS Word, Excel, PDF or any other document type.
  • The necessary security certifications (CC EAL 4+, FIPS 140-2 Level, etc.).
  • The ability to secure the perimeter, secure the edge, secure the API.
  • Reduced PCI scope and protected cardholder data.
  • Deployment anywhere within the enterprise or extended enterprise (including partner locations), or in virtual environments such as the cloud.
  • DMZ placement, thanks to a hardened appliance form factor.
  • Reduced annual assessment costs.
  • Help with compliance issues.
  • A hardware-based random token generator.
  • Full disk encryption, database storage encryption, Secure Boot/BIOS, Tripwire, snooping block.

If you are interested either in PAN tokenization or PII tokenization (such as SS#, DOB, etc.), use the link below to check out our solution details, and reach out to me if you need further details.

http://software.intel.com/en-us/articles/Expressway-Tokenization-Broker-Reduce-PCI-Scope/

Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.

As George Santayana once wrote, “those who cannot remember the past are condemned to repeat it.” I’m hopeful that we will be able to help our customers protect their enterprises so that these things won’t happen in the future.


Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field and technical teams and customer executives. Prior to this role he held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics Engineering and has over 20 years of IT experience.
