The Realities of Data Security and Compliance: Compliance Security


Presenter: Ulf Mattsson, CTO, Protegrity (ulf.mattsson@protegrity.com)

Bio: A Passion for Sailing and International Travel

Ulf Mattsson
- 20 years with IBM Development & Global Services
- Inventor of 22 patents (encryption and intrusion prevention)
- Co-founder of Protegrity (data security)
- Received the industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Google and other leading companies
- Research member of the International Federation for Information Processing (IFIP) WG 11.3, Data and Application Security
- Member of the PCI Security Standards Council, the American National Standards Institute (ANSI) X9 committee, the Information Systems Audit and Control Association (ISACA), the Information Systems Security Association (ISSA) and the Institute of Electrical and Electronics Engineers (IEEE)

Articles: ISACA New York Metro Chapter


Agenda
- Review trends in data security threats
- Present case studies: protecting PCI and PII data
- Position different data security options
- Discuss how to protect the entire data flow
- Present a risk-adjusted approach to data security
- Discuss data security in cloud environments

2010 Data Breach Investigations Report
1. Six years, 900+ breaches, and over 900 million compromised records
2. The majority of cases have not yet been disclosed and may never be
3. Over half of the breaches occurred outside the U.S.
[Chart: online data is compromised most frequently (percent of breaches).]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

PCI DSS 1.2 - Making Data Unreadable
[Diagram: cardholder data crosses the public network as encrypted data over SSL (PCI DSS), is handled as clear text by the application and the database on the private network, and is stored as encrypted data at rest (PCI DSS) in the OS file system and storage system.]

PCI DSS 1.2 - Making Data Unreadable (continued)
[Same diagram with an attacker on the public network: the clear text data in the application and database tiers on the private network is the exposure; SSL in transit and encryption at rest do not cover it.]

Threat Action Categories
[Chart: compromised records by threat action category.]
1. 90% of records were lost in highly sophisticated attacks
2. Hacking and malware are more dominant
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Industry Groups Represented by Percent of Breaches
[Chart: percent of breaches by industry group (0-35% scale): Financial Services, Hospitality, Retail, Manufacturing, Tech Services, Government, Business Services.]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Data Compromised Most Frequently
[Chart: percent of breaches by data type (0-100% scale): payment card data/numbers, bank account data/numbers, personal information, national security data, intellectual property, sensitive organizational data, authentication credentials, monetary assets/funds.]
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

The Changing Threat Landscape - Forrester, August 2010
Some issues have stayed constant:
1. The threat landscape continues to gain sophistication
2. Attackers will always be a step ahead of the defenders
Different motivation, methods and tools today: we are fighting highly organized, well-funded crime syndicates and nations.
A move from detective to preventative controls is needed: several layers of security to address the more significant areas of risk.
Source: http://www.csoonline.com/article/602313/the-changing-threat-landscape?page=2

Patching Software vs. Locking Down Data
[Diagram: user and attacker paths through the stack (application, database, OS file system, storage system, backup), contrasting software patching with locking down the data itself.]
Not a single intrusion exploited a patchable vulnerability.
Source: 2010 Data Breach Investigations Report, Verizon Business RISK team and USSS

Case Studies: Retail Environments - data lifecycle and risk
- Point of Sale, E-Commerce, Branch Office: information in the wild; short lifecycle / high risk
- Aggregation: temporary information; short lifecycle / high risk
- Operations: operating information; typically a lifecycle of one year or more
- Analysis: decision-making information; typically a multi-year lifecycle; high-volume database analysis; wide internal audience with privileges
- Archive: typically a multi-year lifecycle
(The diagram marks an encryption service at each stage.)

Case Studies: Retail Environments
Study #1: Major US Retailer, PCI/PII/PHI data
1. Transparency to existing applications
2. Central key management
3. Ensuring performance on the mainframe
4. Protect the flow of sensitive information from thousands of stores, back office systems and the data warehouse
Study #2: Major US Retailer, PCI data
1. Reduced cost (TCO)
2. Reduced attack surface
3. Transparency to existing applications
4. Central key management
5. Protect the flow of sensitive credit card information from thousands of stores, back office systems and the data warehouse

Case Study #1: PCI & Application Transparency
[Diagram: card data is encrypted at the retail store with file encryption (Windows, UNIX, Linux, mainframe z/OS) and sent as encrypted data files to central HQ, where it is held under database encryption (DB2 on z/OS and iSeries, Oracle, SQL Server); an encryption service sits at each end.]

Case Study #1: Granularity of Reporting and Separation of Duties
[Table comparing three ways of encrypting a patient health record, by what the audit log can show:]
- 3rd-party database encryption: complete log of user, access type and record (e.g. user x read record a, the DBA read record b, user z wrote record c)
- Database native encryption: no read log; possible DBA manipulation
- OS file system encryption: the log shows only the database process reading and writing the data file, with no information on the user or the record; possible DBA manipulation

Case Study #2: PCI, Reduce Cost and Attack Surface
[Diagram: card data entered at the retail store goes to a tokenization server; the retail store data servers and the HQ applications and databases hold only tokens, while the encrypted card data stays with the tokenization server.]

Tokenization in a Cloud Environment
[Diagram: data entry feeds a tokenization server; cloud and virtualized environments and partner communication carry only tokens, while the encrypted card data stays with the tokenization server.]

Best Practices from Visa: Best Practices for Token Generation
Token types: single use, multi use
Algorithm and key:
- Known strong algorithm: ANSI or ISO approved algorithm
- One-way irreversible function: hashing with a secret per transaction (single use) or a secret per merchant (multi use)
- Unique number sequence: OK for single use and multi use
- Randomly generated value: OK for single use and multi use

Matching Data Protection Solutions with Risk Level
Example risk scores by data field (1-25):
- Credit Card Number: 25
- Social Security Number: 20
- CVV (Card Verification): 20
- Customer Name: 12
- Secret Formula: 10
- Employee Name: 9
- Employee Health Record: 6
- Zip Code: 3
Risk level and matching solution:
- Low Risk (1-5): monitor
- At Risk (6-15): monitor, mask, access control limits, format control encryption
- High Risk (16-25): tokenization, strong encryption
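The risk-tier table above, the Visa token-generation practices on the previous slide and the audit-granularity point from Case Study #1, combined into one added example. This is illustration code written for this page, not Protegrity's product code and not from the slides. The risk scores, the three tiers and the control names are taken from the slide; everything else is assumed for the example: the token rules (last four digits kept, token never Luhn-valid), the per-merchant HMAC secret, the principal names and the constructed sample record. It also goes beyond the slide in refusing to store CVV at all, because PCI DSS Requirement 3.2 forbids retaining sensitive authentication data after authorization, and in logging which principal detokenized which record.

```python
"""Risk-adjusted field protection with a small tokenization vault and audit log.
Added illustration for the slides above, not Protegrity's product code. Risk scores
and tiers are the slide's; the token rules, merchant secret and sample record are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Risk scores from the slide's example table (1-25 scale).
RISK_SCORES = {"credit_card_number": 25, "social_security_number": 20, "cvv": 20,
               "customer_name": 12, "secret_formula": 10, "employee_name": 9,
               "employee_health_record": 6, "zip_code": 3}
# Beyond the slide: sensitive authentication data such as CVV may not be stored
# after authorization (PCI DSS Req. 3.2), so it is refused rather than tokenized.
NEVER_STORE = {"cvv"}

def control_tier(name):
    """Slide's bands: low 1-5 -> monitor, at risk 6-15 -> mask, high 16-25 -> tokenize."""
    if name in NEVER_STORE:
        return "reject"
    score = RISK_SCORES[name]
    return "tokenize" if score >= 16 else "mask" if score >= 6 else "monitor"

def luhn_valid(digits):
    """Luhn check, used so that a token can never pass as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value):
    return "*" * max(len(value) - 4, 0) + value[-4:]   # keep last four (assumed rule)

@dataclass
class TokenVault:
    merchant_secret: bytes                          # secret per merchant (multi-use)
    authorized: set = field(default_factory=set)    # principals allowed to detokenize
    audit: list = field(default_factory=list)       # (principal, action, token/field)
    _by_token: dict = field(default_factory=dict)
    _by_value: dict = field(default_factory=dict)

    def _single_use(self, value):
        # Visa: randomly generated value; retry if reused or accidentally Luhn-valid.
        while True:
            cand = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4)) + value[-4:]
            if cand not in self._by_token and not luhn_valid(cand):
                return cand

    def _multi_use(self, value):
        # Visa: one-way function with a secret per merchant; without the secret an
        # attacker could hash every candidate PAN offline and match the tokens.
        mac = hmac.new(self.merchant_secret, value.encode(), hashlib.sha256).digest()
        n = len(value) - 4
        return str(int.from_bytes(mac, "big") % 10**n).zfill(n) + value[-4:]

    def tokenize(self, principal, value, multi_use=False):
        if not (value.isdigit() and len(value) > 4):
            raise ValueError("tokenizer expects a numeric identifier")
        token = self._by_value.get(value) if multi_use else None
        if token is None:
            token = self._multi_use(value) if multi_use else self._single_use(value)
            if self._by_token.get(token, value) != value:
                raise RuntimeError("token collision")
            self._by_token[token] = value
            if multi_use:
                self._by_value[value] = token
        self.audit.append((principal, "tokenize", token))
        return token

    def detokenize(self, principal, token):
        # Separation of duties: every attempt is logged with user and record, and
        # only authorized principals get the clear value back.
        if principal not in self.authorized:
            self.audit.append((principal, "detokenize-denied", token))
            raise PermissionError(principal)
        self.audit.append((principal, "detokenize", token))
        return self._by_token[token]

def protect_record(vault, principal, record):
    """Apply the risk-tier control field by field; rejected fields are dropped."""
    out = {}
    for name, value in record.items():
        tier = control_tier(name)
        if tier == "tokenize":
            out[name] = vault.tokenize(principal, value)
        elif tier == "mask":
            out[name] = mask(value)
        elif tier == "monitor":
            vault.audit.append((principal, "monitor", name))
            out[name] = value
    return out

# Constructed sample record (a published test card number and made-up values).
SAMPLE = {"credit_card_number": "4111111111111111", "cvv": "123",
          "social_security_number": "078051120", "customer_name": "Jane Doe",
          "zip_code": "10001"}

if __name__ == "__main__":
    vault = TokenVault(b"example-merchant-secret", authorized={"fraud_analyst"})
    print(protect_record(vault, "pos_app", SAMPLE), vault.audit)
```

Two design points are worth noting. A multi-use token derived by a keyed one-way function is only as strong as the secret: a 16-digit PAN has far too little entropy to survive an unkeyed hash, which is why the Visa practice pairs hashing with a secret per transaction or per merchant. And the value of a tokenization server over file- or native-database encryption is visible in the audit list: every detokenize call, allowed or denied, is tied to a named principal and a specific token, which is the record-level separation of duties Case Study #1 asks for.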

Choose Your Defenses: Different Approaches
[Diagram: a web application firewall in front of the applications; database activity monitoring on the database columns and the database server; data loss prevention; encryption/tokenization on the data files and database log files.]

Choose Your Defenses: Cost Effective PCI
[Chart: survey result per technology (percent, 0-90 scale).] Technologies listed: firewalls; encryption/tokenization for data at rest; anti-virus & anti-malware solution; encryption for data in motion; access governance systems; identity & access management systems; correlation or event management systems; web application firewalls (WAF); endpoint encryption solution; data loss prevention systems (DLP); intrusion detection or prevention systems; database scanning and monitoring (DAM); ID & credentialing system
Source: 2009 PCI DSS Compliance Survey, Ponemon Institute

Choose Your Defenses: Positioning of Alternatives
[Heat map from best to worst; the ratings are not reproduced here.]
Evaluation criteria: performance, storage, availability, transparency, security
Database protection approaches compared: monitoring, blocking, masking; formatted field encryption; database column encryption*; distributed tokenization (new)*; central tokenization (old)*; database file encryption*
* Compliant with PCI DSS 1.2 for making the PAN unreadable

Making Data Unreadable: Encryption vs. Tokenization
[Heat map from best to worst; the ratings are not reproduced here.]
Evaluation criteria: scalability, security impact, availability, latency, CPU consumption, data flow protection, compliance, key management, randomness, separation of duties
Protection methods compared: database file encryption; database column encryption; centralized tokenization (old); distributed tokenization (new)

Evaluating Different Tokenization Solutions
[Heat map from best to worst; the ratings are not reproduced here.]
Deployment options compared: hosted/outsourced and on-premises, each as central (old) or distributed (new)
Evaluation criteria by area:
- Operational needs: availability, scalability, performance
- Data types: identifiable (PII), cardholder (PCI)
- Security: separation, compliance scope

Data Protection Challenges
Actual protection is not the challenge. The challenges are:
- Management of solutions: key management, security policy, auditing and reporting
- Minimizing the impact on business operations: transparency, performance vs. security
- Minimizing the cost implications: maintaining compliance, implementation time

Sample Enterprise Data Protection Model
[Diagram: an Enterprise Data Security Administrator pushes policy to, and collects the audit log from, a File System Protector, a Database Protector, an Application Protector, a Tokenization Server and a Secure Archive; each protector is an encryption service.]

Please contact us for more information: Ulf Mattsson, ulf.mattsson@protegrity.com; Sal Arena, sal.arena@protegrity.com