
Xygate Data Protection: Optimizing Voltage Security Tokenization and Encryption For HP Nonstop Environments


XYGATE Data Protection

Optimizing Voltage Security Tokenization and Encryption for HP NonStop Environments

GTUG April 2015


Agenda

• Introduction to XYPRO
• Introduction to HP Voltage Data-centric Security
• Data Protection for the HP NonStop
• Unique Requirements
• HP Voltage SecureData Optimization with XYPRO XDP
• XDP Deployment Options
• Summary

XYPRO Technology – All Rights Reserved


Your Speakers Today

• Anna Russell, EMEA Account Director, HP Security Voltage
• Andrew Price, VP Technology, XYPRO Technology



About XYPRO

• Specialists in mission-critical security and compliance
• Founded in 1983 – over 30 years working with the HP NonStop community
• XYGATE Merged Audit (XMA) and XYGATE User Authentication (XUA) bundled with NonStop OS
• We wrote the books on HP NonStop security
• Partnered with Voltage Security to bring industry-leading tokenization and encryption to HP NonStop community



XYPRO Solutions Partnership with



The Effects of Data Breaches

Shocking Numbers

• Estimated losses of $400 Million
• 700 Million compromised records
• 79,790 Security Incidents last year
• 2,122 Confirmed Data Breaches in 2014
• The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000.

[Chart: expected loss (US$), from 0 to 15,000,000, against number of records (10m, 50m, 100m). The shaded region represents the estimated average loss with 95% confidence.]

Traditional “Solutions” to Data Breaches

• Protecting data at rest is easy, isn’t it? Why are we still seeing these breaches?
• Two problems
  – Traditional infrastructure solutions do not protect the data consistently throughout the enterprise
  – Implementing traditional encryption solutions is hard!

XYPRO has been partnering with HP Security Voltage for over two years to address these issues

About HP Security Voltage

• HP Security Voltage: Founded in 2002 out of Stanford University, based in Cupertino, California.
• Acquired by HP: February 2015
• Mission: To protect the world’s sensitive data
• By: Providing encryption and tokenization solutions that protect data wherever it is used or stored
• Market Leadership:
  – PCI solutions are used by six of the top eight U.S. payment processors
  – Provide the world’s most pervasive email encryption solutions
  – Contribute technology to multiple standards organizations

Major Security Breaches Continue To Occur... WHY?

• Impossible to protect against every vulnerability – IT infrastructures will continue to be breached
• Impossible to keep all data behind a firewall – there is no longer the concept of a “perimeter”

The data must be pervasively protected

Why has this not happened to date?


Problems with Traditional Data Protection

• Need to change data structures and applications
• Fully encrypted data is unusable until decrypted
  7412 3456 7890 0000 → AES → 8juYE%Uks&dDFa2345^WFLERG
  Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIBw3tug^5a…
• Key management can be a nightmare
• Requires multiple, piecemeal solutions, which create multiple security gaps

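Multiple Solutions with Multiple Security Gaps

[Diagram: for each layer of the data ecosystem, the threats to data and the traditional IT infrastructure security that provides data security coverage. A security gap is shown between each pair of adjacent layers.]

• Data & Applications – Threats to data: Credential Compromise. Traditional IT infrastructure security: Authentication Management
• Middleware – Threats to data: Traffic Interceptors. Traditional IT infrastructure security: SSL/TLS/Firewalls
• Databases – Threats to data: SQL Injection, Malware. Traditional IT infrastructure security: Database Encryption
• File Systems – Threats to data: Malware, Insiders. Traditional IT infrastructure security: SSL/TLS/Firewalls
• Storage – Threats to data: Malware, Insiders. Traditional IT infrastructure security: Disk Encryption
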
Advantages of HP Security Voltage Data Protection

• Minimal change to data structures and applications: protected data behaves correctly in applications and analytics
  AES: 7412 3456 7890 0000 → 8juYE%Uks&dDFa2345^WFLERG
  versus
  FPE: 7412 3456 7890 0000 → 7412 3423 3526 0000
• Preserve format, structure and behavior
  Ija&3k24kQotugDF2390^320OWioNu2(*872weWaasIUahjw2%quiFIBw3tug^5a…
  versus
  Name: Kwfdv Cqvzgk; SS#: 161-82-1292; Salary: 100000; Address: 2890 Ykzbpoi, Clpppn, CA; Enroll Date: 10/17/2005
• Simplified operations via Stateless Key Management: policy controlled, dynamically generated keys versus a key database
• End-to-end security within a consistent data protection framework

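HP Security Voltage Provides This Protection

[Diagram: the layers of the data ecosystem with their threats, traditional IT infrastructure security and security gaps, with an added column, “HP Security Voltage Data-centric Security”, labelled “End-to-end Data Protection”.]

• Data & Applications – Threats to data: Credential Compromise. Traditional IT infrastructure security: Authentication Management
• Middleware – Threats to data: Traffic Interceptors. Traditional IT infrastructure security: SSL/TLS/Firewalls
• Databases – Threats to data: SQL Injection, Malware. Traditional IT infrastructure security: Database Encryption
• File Systems – Threats to data: Malware, Insiders. Traditional IT infrastructure security: SSL/TLS/Firewalls
• Storage – Threats to data: Malware, Insiders. Traditional IT infrastructure security: Disk Encryption
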
NonStop Environment: Unique Data Protection Requirements

• Protect extremely sensitive data and mission-critical applications
• Support older legacy applications and newer (often ported) applications
• Support a wide variety of data types including payments and other PII (e.g., SSN, DoB)
• Support NonStop’s OS personalities and executable types
• Conform to NonStop fault tolerance fundamentals
• Be highly performant
• Be secure and integrate with NonStop’s unique security framework



XYGATE®Data Protection

XDP
Data-Centric Security

XDP - powered by HP Security Voltage

Format Preserving Encryption and Secure Stateless Tokenization, Optimized for Mission Critical NonStop Environments
XYGATE Data Protection (XDP)

• Optimizes Voltage SecureData for NonStop environments
  – Simplifies Voltage implementation
  – Enhances Voltage functionality
  – Integrates Voltage to NonStop security framework
  – Enhances Voltage fault-tolerance, parallelism and scalability
  – Provides NonStop database-specific tools for Voltage
• Can be implemented in two ways
  – As an intercept library, requiring absolutely no changes to the application
  – As an SDK that requires a small amount of programming in the customer’s preferred programming language



Traditional Encryption and Payment Processing

[Diagram: the state of the PAN at each stage of payment processing.]

• Live Data Capture – Credit Card Primary Account Number (PAN): Clear Data – PAN: 7412 3456 7890 0000
• Payment Authorization: Encrypted Data – 8juYE%UkFa2345^WFLE
• Settlement Processes: Encrypted Data – 8juYE%UkFa2345^WFLE
• Logs, Reports & Backups: Encrypted Data – 8juYE%UkFa2345^WFLE
• Customer Service Application: Clear Data – PAN: XXXX XXXX XXXX 0000

• Traditional Encryption Requires Database Schema and Application Re-engineering
• Traditional Key Management adds complexity and cost
• Requires Decryption of whole encrypted PAN, even if we only need last 4 digits

Data Protection Technologies

• Format-Preserving Encryption (FPE)
• Secure Stateless Tokenization (SST)
• Page-Integrated Encryption (PIE)
• Protects structured data while maintaining functional and analytic integrity of the data
• High-performance tokenization without database management headaches
• Extends end-to-end protection to browser, through and beyond the SSL tunnel
• Minimizes implementation time while maximizing data value

Live Data
First Name: Gunther
Last Name: Robertson
PAN: 4564 1234 1234 1234
DOB: 20-07-1966
SSN: 934-72-2356

Traditional Encryption
Ija&3k24kQotugDF2390^32
0OWioNu2(*872weWaasIUahjw2%quiFI
ogjsH&a$%2lQpw*#m
WUYBw3
Oiuqwriuweuwr%oIUOw1@

Voltage FPE/SST
First Name: Uywjlqo
Last Name: Muwruwwbp
PAN: 4564 1279 6945 1234
DOB: 18-06-1972
SSN: 298-24-2356

(C) 2014 Voltage Security, Inc. All Rights Reserved

Data-centric Security and Payment Processing

[Diagram: payment flow through Payment Authorization, Settlement Processes, Logs, Reports & Backups, and the Customer Service Application, with a “Decrypt & Tokenize” step and “Tokenized Data” labels along the flow.]

• PAN values shown across the flow: 7412 8724 9002 0000, followed by 7412 8752 8346 0000 four times
• Live Data Encrypted in Secure Reader end-to-end to Payment Authorization Host
• SST Tokenized PAN Data used throughout. No Live Data in internal processes or systems
• Last 4 Digits already available without change

XDP Intercept Library

• No application changes required
• XDP intercept library functions by overlaying the system’s I/O procedures with additional functionality to encrypt/tokenize on the fly
• All sensitive data is protected in the database
• Application sees clear data and is unaware that an intercept library is being used
• XDP configuration files control behavior (such as which files or fields to access and protect)

[Diagram labels: HP NonStop; Upstream Apps; Clear Data; NonStop Applications (e.g., BASE24); XDP; Tokenized/Encrypted Data; NonStop Databases; XMA; Pathway; XDP / Voltage Servers; one time; SIEM (e.g., HP ArcSight); Key Management Servers; Other Systems (z/OS, Linux, Unix, Windows, Hadoop, etc.)]

XDP SDK

• Lightweight programmatic interface that can embed directly into NonStop application
• Enables multi-threaded NonStop applications to have non-blocking access to Voltage encryption/tokenization engine
• Supports multiple programming languages
• Minimal code changes

[Diagram labels: HP NonStop; Upstream Apps; Clear Data; NonStop Applications (e.g., BASE24); XDP SDK; Tokenized/Encrypted Data; NonStop Databases; Audit Data; XMA; Pathway; XDP / Voltage Servers; one time; SIEM (e.g., HP ArcSight); Key Management Servers; Other Systems (z/OS, Linux, Unix, Windows, Hadoop, etc.)]

Data-centric Security – Case studies

A Large Latin American Payments Switch


• Tokenize PAN data stored in Sun-Solaris
• No Data-structure Changes
• Quick launch (installing & implementing)
• Next stage tokenize PAN data in BASE24 (Legacy Payments Application)

Data-centric Security – Case studies

A Top 10 Financial Institution


• PCI scope reduction for HP NonStop and IBM mainframe
• Mission-critical core transaction and card issuer systems
• Voltage tokenization natively on core processing platforms
• Streamlined PCI compliance, reduced risk of internal and external access
• Minimal business impact including to complex z/OS Hogan applications

“Tokenization impact on average auth response time is minuscule”, HP NonStop POS Team member

Data-centric Security – Case studies

A Large Health Retailer


• PII scope reduction for HP NonStop and IBM mainframe
• Mission-critical medical patient and prescription systems
• Voltage tokenization natively on core platforms
• Streamlined PII protection, reduced risk of internal and external access
• Minimal business impact including to complex z/OS applications

XYPRO/Voltage Advantages

• Industry-leading Voltage Security tokenization and encryption
  – Standards-based
  – Industry-proven
  – Multi-platform support
  – Runs natively on NonStop
  – Support for wide variety of data types
  – Stateless key management
  – Flexible
• XDP optimization of Voltage for NonStop environments
  – No application changes required on NonStop
  – Support for nowaited/non-blocking encryption/tokenization
  – Support for NonStop’s OS personalities and executable types
  – Multiple language support: C, TAL and COBOL
  – Distributed architecture provides fault-tolerance, parallelism and scalability
  – Built-in access control and auditing, as with all XYGATE products



Thank you!

Format-Preserving Encryption (FPE) & Secure-Stateless-Tokenization (SST)
