Page 1: The Business of Privacy

The Business of Privacy

Sathvik Krishnamurthy

President and CEO, Voltage Security Inc.

[email protected]

May 1, 2008

Presented by:

Page 2: The Business of Privacy

By 2011, the digital universe will be 10 times what it was in 2006

*** Confidential and Proprietary ***

Source: Wall Street Journal; IDC, March 2008, "An Updated Forecast of Worldwide Information Growth Through 2011"

"People sent emails, took digital pictures, processed credit cards and generally did things that collectively created 281 exabytes of data by the end of 2007."

"Approximately 70% of the digital universe is created by individuals, but enterprises are responsible for the security, privacy, reliability and compliance of 85%."


Page 3: The Business of Privacy

Data Breaches Are On The Rise

Source: etiolated.org/research, January 2008

Page 4: The Business of Privacy

Over 215 Million Records Breached

Breach examples, August 2007 – February 2008

Breach type: Files & Documents

  Organization            What was lost
  Hartford                Backup tapes
  Uni. of Reno            Flash drive
  Bates College           Documents
  Dixie State College     Confidential files, SSNs
  CitiGroup/ABN Amro      Excel spreadsheets
  Purdue                  Document with SSNs
  Texas A&M               Files with Social Security numbers grabbed online

Breach type: Databases & Applications

  Organization            What was lost
  Art.com                 Credit card numbers
  Commerce Bank           Customer data
  TD Ameritrade           Customer data
  Voxant                  Customer account data
  Pfizer                  Employee data
  Monster.com
  HMRC – UK Tax           Tax agency loses millions of bank account details
  OmniAmerican Bank       International criminals hacked into system
  Davison Companies       Over 200,000 customer identities stolen
  MLSGear.com             Customer data stolen by hackers
  MTV                     Employee data stolen via compromised laptop

Source: Privacy Rights Clearinghouse, March 2008

100% of these risks could have been mitigated

Page 5: The Business of Privacy

Information loss is an expensive reality

- Short term remediation costs can run $100-$300 per lost customer record
  - Customer notification
  - Credit monitoring
  - IT remedial action
  - Audit fees
  - Legal costs
- Long term costs can be higher
  - Lost revenue
  - Loss of future customers
  - Loss of brand, customer trust & reputation
  - Litigation
  - Loss of shareholder value

Source: July 2007, IT Policy Compliance Group

Page 6: The Business of Privacy

Risks: Crime, Costs, Compliance

- Well funded, staffed and managed organized crime targeting financial institutions
  - Recent studies estimate US$2.4 billion in fraud losses
  - 15 million Americans victimized by fraud related to identity theft
  - 7th year in a row, identity theft is the fastest growing crime in the US
- Outsourced IT environments increase risks of compromise
  - Developer access to production data (DAP) is also an internal threat
- Customer data breaches result in reputational risk
  - Brand loses confidence; consumers seek alternatives (major concerns stated by customers)
- PCI DSS and other regulations driving adoption of solutions
  - New regulations include: Identity Theft Red Flag Regulation

Page 7: The Business of Privacy

Trend: Escalating Attacks Threaten Reputations & Profits (BearingPoint Research)

- International criminal groups have changed focus from Europe (7-8 years ago) to Canada (4-5 years ago) and now to the US (9-10 months ago)
- "Canada is now home to the largest number of criminal syndicates in the world" and they will increasingly attack the US as Canadian firms introduce additional defensive measures.
- A Gartner study indicated that there are an estimated US$2.4 billion in fraud losses just from unauthorized access to checking accounts each year.
- Unauthorized credit card charges rose nearly fourfold from 2005 to 2006, to an average of $2,550.
- About 15 million Americans were victimized by some form of fraud related to identity theft in the 12 months ending August 2006.
- At least one-third of illegal bank account transfers, credit card and ATM/debit card withdrawals and purchases result from various kinds of electronic data theft.

Sources:
1. The Economist, The World in 2007, "Boom-time for Mafias", Misha Glenny
2. Building an Edge, "Eight opportunities for better consumer banking fraud control"
3. The Gartner Group, "Fraud: Getting Over It With the Right Approach", Avivah Litan
4. CyberSource, "8th Annual Online Fraud Report"
5. The Gartner Group, "The Truth Behind Identity Theft Numbers"

Page 8: The Business of Privacy

Trend: Data Crime is directly affecting customers (BearingPoint research)

- In 2006, 31.2 million US clients changed their online banking behavior due to concerns about fraud.
- There were 109 million "phishing" attacks against US companies in 2006, a 100% increase over 2005.
- High unemployment, low wages and excellent education systems in Brazil, Russia and China (the three biggest centers of global cyber-crime) mean that ever more people will be drawn into this trade.
- In the past two years hackers have given up "ego-hacking" (bringing down security systems or hospital networks for a laugh, which until 2003 accounted for 90% of hacking) and turned instead to the outright criminal sort, which by the end of 2007 will itself amount to 90% of hacking.
- 2006 US online fraud is estimated at $3B, 1% of transactions, but businesses cut off an estimated 4% of transactions because of fraud concerns.
- A fraud loss dollar is not an expense dollar: it is a dollar of lost EBIT.

Sources:
1. The Gartner Group, "Fraud: Getting Over It With the Right Approach", Avivah Litan
2. The Economist, The World in 2007, "Boom-time for Mafias", Misha Glenny
3. CyberSource, "8th Annual Online Fraud Report"

Page 9: The Business of Privacy

Outsourced IT environments increase risks of compromise

- 33% of enterprises considering or already outsourcing, according to Forrester Research
- Companies don't own large parts of the infrastructure where data is stored and processed
- Developer access to production data poses a large threat

Page 10: The Business of Privacy

Customer data breaches result in reputational risk

- "The National Survey on Data Security Breach Notification", The Ponemon Institute
  - About 23 million adults have been notified that their data was compromised or lost
  - They reacted badly: 20% terminated their accounts immediately after notification
  - Another 40% are considering termination
- TJX
  - 45.7 million accounts compromised over an 18 month period
  - Credit card companies claim 94 million (65 million Visa and 29 million MasterCard)

Page 11: The Business of Privacy

Regulations driving adoption of solutions

- 38 states have enacted data breach disclosure laws, plus pending legislation in DC
- Payment Card Industry Data Security Standard driving data protection initiatives
- Identity Theft Red Flag Regulation
  - "Sarbanes-Oxley" of security
  - Public and private companies need board level approval of proactive measures against identity theft

Page 12: The Business of Privacy

Business Information Workflows

(Diagram: information flows between HQ and its internal functions (Sales, Statement Delivery, Customer Service, Technical Support), the Broker/Dealer Network and Insurance Brokers, Customers, Lawyers, Resellers, System Integrators, Distributors, and the Supply Chain / Business Partners: Supplier 1, Supplier 2, Supplier 3, Manufacturing, Transportation, Warehouse and Logistics.)

Page 13: The Business of Privacy

How on earth do we protect this information?

- Emails
- Documents
- Files
- Backup tapes
- Structured and unstructured data
- USB drives
- Network file shares
- CDs and DVDs

Page 14: The Business of Privacy

The Answer Seems Simple…

- Securing infrastructure is not enough
- Protecting laptops and servers is not enough
- Monitoring data leakage is not enough
- Human error, insiders and criminals are still a threat
- Need to persistently protect the data everywhere it goes

Page 15: The Business of Privacy

Need to Encrypt Information Wherever It Goes

(Diagram, On-Site or SaaS deployment:)

- Email: customer service email to high net worth individuals
- Files: encrypted HR files posted on portal/extranet for benefit administrators
- Data: PII, credit card info persistently encrypted in databases and applications

Page 16: The Business of Privacy

Why Has Encryption Been Difficult?

- Key management: getting the right key, to the right person, at the right time is hard
  - Lots of IT infrastructure and training needed to make this work
- Encryption products are hard to use
  - End users don't like to change how they use things, e.g. email
- Encryption breaks other important security systems
  - Anti-virus, anti-spam, e-discovery, archiving
- Encryption is difficult to incorporate into existing applications
  - Requires detailed knowledge of cryptography

Page 17: The Business of Privacy

New Innovations can make the difference

- Identity-Based Encryption (IBE)
  - First proposed by Adi Shamir (1984), a public key approach
  - New approach invented by Dr. Dan Boneh and Dr. Matt Franklin (2001)
  - Encrypt to anyone: identity is your key
- Format-Preserving Encryption (FPE)
  - Based on existing AES and 3DES algorithms
  - Enhanced to add format management
  - Encrypt data so protected data "fits" existing infrastructure

Page 18: The Business of Privacy

Identity-Based Encryption

Basic Idea: Public-Key Encryption where Identities are Public Keys

- IBE Public Key:
  [email protected]
- RSA Public Key:
  Public exponent = 0x10001
  Modulus = 135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563

The sender needs nothing but the recipient's identity string to encrypt; the recipient obtains the matching private key from a key server that derives it from a master secret, so that server and its master secret must be protected as the root of trust.

Page 19: The Business of Privacy

Benefits Drive TCO Advantage: 3-5x Cost Savings

Source: Ferris Research, IBE/PKI TCO Comparison, April 2006

(Chart: Cost/User/Month, scale $0-$70, for Typical IBE, Voltage High, Voltage Low and Typical PKI, broken down into Informal learning, Peer support time, Share of platform, Operations, Installation, Software licenses and Hardware.)

- IBE & platform benefits drive lower TCO
  - Architecture: reduced administration/management overhead
  - Usability: reduced user training & education

Page 20: The Business of Privacy

So What Else Is Broken? Approaches incomplete and incur massive cost and re-development

- Whole Database Encryption
  - Encrypt whole database file
  - No security of data within applications
  - Performance implications
- Look-aside Database
  - CC# indexed, actual CC# in protected database
  - Need online lookup for every access
  - Requires major re-architecture
  (Diagram: the application table holds CC Index 1234567890123456 against Account # 383491; the protected database maps CC Index 1234567890123456 back to CC# 4391471208007120.)
- Traditional Application-level Encryption
  - Encrypt data itself, throughout lifecycle
  - Requires DB schema/app format changes
  - Heavy implementation cost
- Column-Level Encryption
  - Encrypt data via native capabilities or triggers/views
  - Major database type/version dependencies
  - No separation of duties, no data security in apps
  (Diagram: CC# 4391471208007120 stored as Encrypted CC# U2FsdGVkX1+ybF...)

Page 21: The Business of Privacy

Format-Preserving Encryption (FPE): Innovative Cryptography, Simple Solution

- New technology enables encryption of data without loss of formatting
- Supports data of any format
  - Credit Card, Social Security, Bank Account, National Insurance
  - Maintains rules such as credit card checksums
- No database schema changes required
- Encrypted data "fits" in existing fields
- Reduces application changes: only trusted applications need to be updated
  - e.g. payment processing application uses actual CC#

(Diagram: the same card number encrypted two ways. FPE output: 1298 7328 4318 4033. AES output: U2FsdGVkX1+ybFtu2oLMeycPGkwEZ9lHmTtsit5IhP…)
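A worked illustration of the point on this slide, added here as an example and not Voltage's product code: encrypt every digit of a card number except its Luhn check digit with a format-preserving cipher, then recompute the check digit, so the protected value is still a 16-digit, Luhn-valid number that an unchanged legacy field validator accepts, while only the application holding the key can recover the original. The cipher is a toy Feistel network with an HMAC-SHA256 round function written for this example; it is not NIST FF1/FF3, which is what a production FPE would use. The key, the tweak string and the sample PAN 4111111111111111 (the standard Visa test number) are assumptions, not data from the deck.

```python
"""Toy format-preserving encryption (FPE) for card numbers.

Added example for this page; not Voltage's product code and not NIST FF1/FF3.
The Feistel construction, the HMAC-SHA256 round function, the key, the tweak
and the sample PAN are all assumptions made for illustration only.
"""
import hashlib
import hmac

RADIX = 10    # decimal digit strings in, decimal digit strings out
ROUNDS = 10   # even, so the two halves end up in their original order


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for `body` (the PAN without its final digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # digit left of the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def _round_fn(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """Pseudo-random function for one round, reduced to a `width`-digit number."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** width)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to another digit string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_fn(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: run the same Feistel rounds backwards."""
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str, tweak: bytes = b"") -> str:
    """FPE-encrypt a PAN so the result is a same-length, Luhn-valid number."""
    if not luhn_valid(pan):
        raise ValueError("input is not a Luhn-valid PAN")
    body = fpe_encrypt(key, pan[:-1], tweak)   # everything except the check digit
    return body + luhn_check_digit(body)       # fresh check digit for the new body


def recover_pan(key: bytes, protected: str, tweak: bytes = b"") -> str:
    """Inverse of protect_pan, for the trusted application (e.g. payment processing)."""
    body = fpe_decrypt(key, protected[:-1], tweak)
    return body + luhn_check_digit(body)


def passes_existing_validation(value: str) -> bool:
    """The kind of check an untouched legacy field validator would apply."""
    return len(value) == 16 and luhn_valid(value)


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key, an assumption for this example").digest()
    pan = "4111111111111111"                   # standard Visa test number, not real data
    tweak = b"cardholder_table.pan"            # assumed label binding the value to its column
    protected = protect_pan(key, pan, tweak)
    print("original :", pan)
    print("protected:", protected, "passes validation:", passes_existing_validation(protected))
    print("recovered:", recover_pan(key, protected, tweak))
```

The construction is deterministic, so equal card numbers encrypt to equal outputs under the same key; the tweak (here an assumed column label) is the usual way to make the mapping differ per column or per record without changing the output format. The protected value still looks like a real card number, so an application that is not meant to see card data needs no change, and the one that is (the payment processor on the slide) calls recover_pan with the key.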

Page 22: The Business of Privacy

Customer Case Studies: Protection & Masking

Customer 1

- Challenge: Hundreds of databases, test and production separation concern
  - Mixed platforms: DB2, Oracle, SQL Server, Sybase, etc., containing:
    - SSN, FEID
    - Credit card numbers
    - Name & address, etc.
- Solution: FPE, Key Management System, masking scripts
  - ~2 day pilot
  - ~3-4 week deployment
- Time: legacy approach > ~18 months; FPE < 2 months

Customer 2

- Challenge: Data warehouse, PCI compliance
  - DEC midrange + Oracle legacy database, ~6 terabytes of data
  - 5 applications affected (NT4, C++): Load, Batch Pay, Payment, Lookup, Reversals
- Solution: FPE Key Manager, SOA Server, ~10 lines of code
  - 1 week pilot
  - ~2 weeks deployment
  - ~3 weeks integration & testing
- Time: legacy approach > ~12 months; FPE < 2 months

Page 23: The Business of Privacy

ING Canada: confidentiality of critical discount levels with low cost of operations

- Largest Property and Casualty Insurance Provider in Canada
- Key concerns
  - Protecting business critical pricing and discounting info in supply chain
  - Securing internal communications
- Implementation
  - Organization wide
  - Multiple lines of business
  - Multiple languages/locales (French, English)
- Requirements
  - Custom branding supporting both English and French, customized by business offering
  - Most convenient for users with the lowest cost of support

Page 24: The Business of Privacy

Fortune 100: Securing the supply chain

- Key concerns
  - Protecting business critical pricing and discounting info in supply chain
  - Securing internal communications
- Implementation
  - 100,000 statements a year from ERP applications like SAP
  - Integration with Symantec Enterprise Vault
- Requirements
  - Native Active Directory support
  - Symantec Enterprise Vault integration
  - Low cost through elimination of storage requirements
- Results
  - Ensure confidentiality of critical discount levels with low cost of operations

Page 25: The Business of Privacy

Manulife/John Hancock

- Number 2 North American insurance company, with over 10,000 brokers
- Key concerns
  - Generating costly paper statements of a sensitive financial nature
- Implementation
  - Integration with Siebel CRM, solution hosted by IBM
  - Basis for later organization-wide rollout (complete Q2 2008)
- Must haves:
  - Push based, thus no storage infrastructure required
  - Easy to use system eliminated high help-desk call costs of other systems
- Voltage Value
  - Cut commission notification time by 3 days, and costs by $12-$15 per broker
  - Eliminated costly helpdesk call volumes of 1 per 1000 users per week

Page 26: The Business of Privacy

XL Global

- Multinational insurance/re-insurance managing over $40 billion in assets
- Key concerns
  - Satisfying privacy regulations across 35 countries with a best practice approach
  - Usability and mobile use
- Implementation
  - Centrally managed deployment across 35 countries
- Requirements
  - Native Outlook integration, including support for Active Directory across many domains
  - Native BlackBerry integration
- Result
  - Ensure compliance with various regulations by utilizing best of breed message protection while maintaining high usability and a native experience in Outlook and on BlackBerry devices

Page 27: The Business of Privacy

Great security makes you money

Danback attributes a half-million-dollar deal the firm recently sealed with a New York investment bank to Integro's email encryption capabilities.

"The [win] was largely due to the security of our infrastructure and our ability to send and receive encrypted messages."

Fred Danback, Principal and Head of Global Technology Services

Page 28: The Business of Privacy

Voltage Security: Making Encryption Work To Protect The World's Information

- Headquartered: Silicon Valley - Palo Alto, CA
- Team: renowned experts in messaging, security and enterprise software
  - 75 employees, 20 offshore in Pune, India
- Product Lines
  - Voltage SecureMail: policy-based email encryption
  - Voltage SecureFile: protection of files, documents and portals
  - Voltage SecureData: securing and masking data in databases and applications
  - Voltage Security Network: managed service for protecting email and documents
- Company Momentum
  - Over 440 customers with 1.5M licensed users
  - #1 OEM'd email encryption solution in the world
  - Partners: Microsoft, IBM, McAfee, Symantec, Secure Computing, Proofpoint, NTT Communications, BearingPoint, MphasiS/EDS, KPMG

Page 29: The Business of Privacy

A Selection of Enterprise Customers

Page 30: The Business of Privacy

Industry Support

- BearingPoint
  - Global management and technology consulting
  - Security and risk management for financial services
- KPMG
  - Global expertise with legacy integration
  - Implemented large retail customer in less than 2 months
- MphasiS, an EDS company
  - Application development, BPO and ITO for business optimization

Page 31: The Business of Privacy

Conclusion

- Data is proliferating, especially online
- Trying to safeguard it with one approach is not enough
- It can be protected
- New innovations are necessary to protect data wherever it goes