Technologies for Compliance. Alexandre Bento. SafeNet
Presentation by Alexandre Bento of SafeNet on technologies for PCI DSS compliance.
Transcript

  • 1. © SafeNet Confidential and Proprietary 1 Alexandre Bento alexandre.bento@safenet-inc.com Technologies for Compliance
  • 2. Agenda
    • Who is SafeNet?
    • Market Background PCI
    • Challenges for PCI
    • SafeNet Solutions for PCI
    • Success Story
  • 3. Who is SafeNet?
  • 4. SafeNet Fact Sheet
    • The largest company focused exclusively on protecting high-value information.
    • Founded: 1983. Ownership: private.
    • Global success, with more than 25,000 customers in 100 countries.
    • Employees: around 1,500 in 25 countries.
    • Recognized leadership in security technology: more than 550 engineers with cryptography expertise.
    • Accredited, with products certified to the highest security standards.
  • 5. Leader in Trust. We protect things like:
    • Most of the money that moves around the world: 80% of all interbank transfers (SWIFT), $1 trillion per day.
    • Most of the digital identities in the world: 84% market share in the protection of PKI root keys (Salomon Smith Barney) with cryptographic modules (HSMs).
    • Number 1 in high-speed WAN link encryption for Frame Relay, ATM, leased lines and Ethernet.
    • Number 1 in USB tokens worldwide (IDC).
  • 6. Market Background PCI
  • 7. What are the threats? Source: Ponemon Institute, 2009
  • 8. The Evolution of Incidents
  • 9–12. Target of the attacks? (the same slide is repeated as slides 9 to 12)
    • Data, data and more data
    • Vulnerabilities
  • 13. Online Fraud on the Rise. Source: Anti-Phishing Working Group, March 2009. The number of web pages infecting PCs with programs designed to steal passwords reached 31,173 in December 2009, an increase of 827% since January 2008. Phishing: $3.2 billion in 2007 in the US alone (Gartner, Dec. 2007).
  • 14–15. How do they manage it? (slide 14 in Spanish, slide 15 the same content in English)
    • Trojans, key loggers, rootkits
    • Web or application vulnerabilities
    • The corruptible insider
  • 16. How much are they costing? Source: Ponemon Institute, 2009. (chart; the figure highlighted on the slide is 47%)
  • 17. Challenges for PCI
  • 18. Is PCI DSS the Floor or the Ceiling?
    • "PCI DSS is the Ceiling"
      • Obstacles to implementation ("excuses?")
      • Too complex
      • Not up to date with current threats
      • Takes too long to implement
      • Too costly to comply with
    • "PCI DSS is only the Floor"
      • Leverage the investment
      • Greater protection
      • 50% cost advantage
  • 19. How much is it costing?
    Allocation of PCI Investment            Best-in-Class   All Others
    Cost to achieve initial compliance      $520K           $958K
    Time to report                          11 mo           11 mo
    Annual cost to sustain compliance       $135K           $300K
    Average time since first reporting      2.0 yrs         2.3 yrs
    Average total spend on PCI compliance   $784K           $1,642K
    Build & Maintain a Secure Network       $197K           $375K
    Protect Cardholder Data                 $186K           $399K
    Maintain a Vulnerability Mgmt Program   $88K            $188K
    Implement Strong Access Control         $93K            $211K
    Regularly Monitor and Test              $124K           $317K
    Maintain an IS Policy                   $97K            $152K
    Source: Aberdeen Group, 2009
  • 20. Good Practices
    • It is protection, not a box to tick
    • Involve the stakeholders
    • Data discovery and classification
    • Establish the threat model
    • Document and define security policies and procedures
    • Determine where to protect data
  • 21. How is the industry doing today?
    Objective                            Requirement                                   Current Capability   Known Incidents   Avg. PCI Spend
    Build & Maintain Secure Network      1. Firewall Configurations                    85%                  16%               $250K
                                         2. No Default Passwords                                            16%
    Protect Cardholder Data              3. Protect Stored Cardholder Data             71%                  23%               $242K
                                         4. Encrypt Transmission Across Networks                            12%
    Maintain Vulnerability Mgmt Program  5. Use & Update Antivirus Software            61%                  19%               $114K
                                         6. Develop & Maintain Secure Applications                          28%
    Strong Access Control                7. Restrict Access to Business Need-to-Know   65%                  24%               $124K
                                         8. Assign a Unique ID                                              18%
                                         9. Restrict Physical Access                                        15%
    Regularly Monitor & Test             10. Track and Monitor Network Access          78%                  23%               $169K
                                         11. Regularly Test Security Systems                                22%
    Maintain IS Policy                   12. Maintain Policies for IS                  83%                  23%               $118K
    (Current Capability and Avg. PCI Spend are given per objective, Known Incidents per requirement, following the slide layout.) Source: Aberdeen Group, 2009
  • 22. SafeNet Solutions for PCI
  • 23. Protect stored cardholder data (Req. 3)
    • Hard Disk Encryption: SafeNet ProtectDrive
    • Data Tokenization: SafeNet DataSecure, SafeNet Hardware Security Modules
    • File/Folder Encryption (unstructured data): SafeNet ProtectFile
    • Database Encryption (structured data): SafeNet DataSecure
  • 24. SafeNet DataSecure Platform: Intelligent Data Protection. DataSecure is the industry's most trusted platform to provide intelligent data protection for ALL information assets, both structured and unstructured, using centralized key management, policy management, and logging and auditing.
    • Business need: protect sensitive data at the web, application, mainframe and database tiers, including file servers. SafeNet solution: Protect Data at Risk, the most flexible and scalable hardware-based encryption platform for heterogeneous environments.
    • Business need: implement data encryption controls for compliance. SafeNet solution: Comply with Legislation, proven compliance with laws requiring protection of sensitive information.
    • Business need: reduce cost and complexity with secure key management and centralized policy management. SafeNet solution: Reduce Operational Cost, ease of management and administration with a best-in-class security management console.
  • 25. SafeNet DataSecure: Data Protection, Key, and Policy Management (diagram; connected tiers: Mainframes, Web/App Servers, Endpoint Devices, Network Shares, File Servers)
  • 26. DataSecure Database Integration
    • Database Connectors
      • Oracle 8i, 9i, 10g, 11g
      • IBM DB2 version 8, 9
      • IBM UDB version 8, 9
      • Microsoft SQL Server 2000, 2005, 2008
      • Teradata 12
    • Application changes not required
    • Batch processing tools for managing large data sets
    • Vendor Transparent Database Integration
      • SQL Server 2008
      • Oracle 11g
    (diagram: Customer Database)
  • 27. DataSecure Application Integration
    • Software Libraries
      • Microsoft .NET, CAPI
      • JCE (Java)
      • PKCS#11 (C/C++)
      • SafeNet ICAPI (C/C++)
      • z/OS (Cobol, Assembler, etc.)
      • XML
    • Support for virtually all application and web server environments
    (diagram: Reporting Application, Customer Database, E-Commerce Application)
  • 28. ProtectFile and ProtectDrive
    • File Protection for PCs, File Servers, and Network Shares: Windows Server 2003; Windows XP, Vista; RHEL 4, 5
    • File Server Encryption: File Encryption Keys (FEKs) protect files on disk; FEKs are encrypted with a Key Encryption Key (KEK) that resides on the DataSecure appliance
    • Policy configured on DataSecure and pushed to file systems
    • Mobile Handset Support
    • Full Disk Encryption with ProtectDrive
    (diagram: End User Laptop, Network Shares, Corporate File Server)
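Slide 28 describes a two-level key hierarchy: a per-file File Encryption Key (FEK) protects the file, and the FEK itself is encrypted under a Key Encryption Key (KEK) that stays on the appliance. The Python below is an added example, not code from the presentation or from SafeNet. It models the appliance as a `KeyServer` class (a constructed name), uses an HMAC-SHA256 counter keystream with an encrypt-then-MAC tag as a standard-library stand-in for the AES modes a real product would use (an assumption made so the example runs offline), and shows the operational payoff of the split: rotating the KEK rewraps only the small wrapped FEK, while the encrypted file bytes are never touched.

```python
"""Two-level key hierarchy for file encryption: per-file FEKs wrapped by a KEK
that never leaves the key server. Stdlib only; the cipher is an HMAC-SHA256
counter keystream plus an encrypt-then-MAC tag, a stand-in for the AES modes a
product would use (assumption for this example, not SafeNet's construction)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag before using the ciphertext; raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyServer:
    """Stands in for the appliance that holds the KEK (constructed name).
    Callers get wrap/unwrap of FEKs; KEK bytes are never returned."""

    def __init__(self) -> None:
        self._keks = {1: secrets.token_bytes(32)}
        self.current_version = 1

    def wrap(self, fek: bytes) -> Tuple[int, bytes]:
        return self.current_version, encrypt(self._keks[self.current_version], fek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        return decrypt(self._keks[version], wrapped)

    def rotate(self) -> int:
        # Old KEK versions are retained so existing files stay readable until rewrapped.
        self.current_version += 1
        self._keks[self.current_version] = secrets.token_bytes(32)
        return self.current_version


@dataclass
class ProtectedFile:
    kek_version: int
    wrapped_fek: bytes   # FEK encrypted under the KEK, stored beside the file
    ciphertext: bytes    # file body encrypted under the FEK


def protect_file(ks: KeyServer, data: bytes) -> ProtectedFile:
    fek = secrets.token_bytes(32)            # fresh key for every file
    version, wrapped = ks.wrap(fek)
    return ProtectedFile(version, wrapped, encrypt(fek, data))


def open_file(ks: KeyServer, pf: ProtectedFile) -> bytes:
    fek = ks.unwrap(pf.kek_version, pf.wrapped_fek)
    return decrypt(fek, pf.ciphertext)


def rewrap_file(ks: KeyServer, pf: ProtectedFile) -> ProtectedFile:
    """KEK rotation: only the wrapped FEK changes; the file body is not re-encrypted."""
    fek = ks.unwrap(pf.kek_version, pf.wrapped_fek)
    version, wrapped = ks.wrap(fek)
    return ProtectedFile(version, wrapped, pf.ciphertext)


if __name__ == "__main__":
    ks = KeyServer()
    pf = protect_file(ks, b"cardholder export 2009-03")   # constructed sample content
    ks.rotate()
    pf2 = rewrap_file(ks, pf)
    print("rotated to KEK v%d, file bytes unchanged: %s" % (pf2.kek_version, pf2.ciphertext == pf.ciphertext))
```

The point to take from the rotation path is that a KEK compromise or scheduled rotation costs one small unwrap/wrap per file, not a re-encryption of every file server, and that old KEK versions must be retained (or every file rewrapped) before the old version is destroyed.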
  • 29. File & Folder Encryption
    • File and folder encryption while cryptographically enforcing user and group permission-based access to confidential data
    • Protection of workgroup data against unauthorized access
  • 30. DataSecure Tokenization
    • DataSecure acts as the "vault" for sensitive data values and tokens, protecting them with strong encryption and key management
    • Token Manager replaces sensitive data with format-preserving tokenization via:
      • Secure Message Layer: SOA-based interface, callable from anywhere
      • Protected Zone: host of the Secure Message Layer, handles calling DataSecure and generating tokens
    (diagram: Protected Zone, DataSecure, Secure Message Layer, DataSecure Token Manager)
  • 31. What is Tokenization?
    • On the most basic level: replacement of sensitive structured data with data of a similar size that is not sensitive (a "token"); the sensitive data is stored in an encrypted protected zone
    • More sophisticated approaches involve 1-to-1 mapping of tokens to sensitive data (referential integrity)
      • Presentation options: masked data (XXXXX6789); data with dashes in it (123-45-6789)
      • Token type options: purely random digits; sequential; first two/last four, first six, etc.
    • Benefits: data protection is "transparent" to pure end users and systems; only the "protected zone" remains in scope of compliance audits; only authenticated end users or systems can access data in the clear from the protected zone
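Slide 31's token options and access rule, worked through as an added example that is not part of the presentation and not SafeNet's Token Manager API: a `TokenVault` class (constructed name) stands in for the protected zone and implements the three token formats the slide names (random digits, sequential, first six/last four preserved), the masked and dashed presentations, 1-to-1 mapping so the same PAN always yields the same token, and detokenization that is refused to any caller outside a constructed allow-list. The sample PAN 4111111111111111 is a well-known test number; a Luhn check rejects malformed input before it is stored.

```python
"""Token vault for the tokenization slide: 1-to-1 mapping, random / sequential /
first6last4 token formats, masked and dashed presentation, and clear-text access
only for authorized callers. Stdlib only; class and caller names are constructed
for this example and are not SafeNet's API."""
import secrets
from typing import Dict, Iterable, Set

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects malformed input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, visible: int = 4) -> str:
    """Masked presentation, e.g. XXXXX6789: only the last `visible` digits remain."""
    return "X" * (len(value) - visible) + value[-visible:]


def with_dashes(value: str, groups: Iterable[int] = (3, 2, 4)) -> str:
    """Dashed presentation, e.g. 123-45-6789 for groups (3, 2, 4)."""
    parts, pos = [], 0
    for g in groups:
        parts.append(value[pos:pos + g])
        pos += g
    return "-".join(parts)


class TokenVault:
    """The protected zone: the only component holding PAN <-> token mappings.
    In a deployment the stored values would be encrypted under vault keys; they
    are kept in memory here to focus on token generation and access control."""

    def __init__(self, scheme: str = "random", authorized: Iterable[str] = ()) -> None:
        self.scheme = scheme
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}
        self._counter = 0
        self._authorized: Set[str] = set(authorized)   # constructed allow-list

    def _candidate(self, pan: str) -> str:
        n = len(pan)
        if self.scheme == "random":
            return "".join(secrets.choice(DIGITS) for _ in range(n))
        if self.scheme == "sequential":
            self._counter += 1
            return str(self._counter).zfill(n)
        if self.scheme == "first6last4":
            middle = "".join(secrets.choice(DIGITS) for _ in range(n - 10))
            return pan[:6] + middle + pan[-4:]
        raise ValueError(f"unknown scheme {self.scheme!r}")

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:          # referential integrity: same PAN, same token
            return self._pan_to_token[pan]
        while True:
            token = self._candidate(pan)
            # never reuse a token, and never hand out a token equal to a stored PAN
            if token != pan and token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Clear-text access only for authenticated, authorized callers."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} may not detokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault("first6last4", authorized=["settlement-batch"])
    token = vault.tokenize("4111111111111111")      # well-known test PAN
    print("token:", token, "masked:", mask(token), "dashed:", with_dashes(token, (4, 4, 4, 4)))
```

Because a first6last4 token keeps ten real digits, only the six middle digits are actually hidden; that is the trade-off behind the slide's remark that the protected zone, not the systems holding tokens, is what stays in audit scope, and it is why the random scheme is the safer default when downstream systems do not need the BIN.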
  • 32. DataSecure Token Manager
    • DataSecure locks the "vault" for sensitive data values and tokens with strong encryption and key management
    • Token Manager replaces sensitive data with format-preserving tokenization via:
      • Secure Message Layer: SOA-based interface, callable from anywhere
      • Protected Zone: host of the Secure Message Layer, handles calling DataSecure and generating tokens
    (diagram: Protected Zone, DataSecure, Secure Message Layer, Data Vault)
  • 33. Tokenization Use Case: Credit Card #'s (diagram: Protected Zone, DataSecure, Secure Message Layer, Data Vault; PCI Auditor for Compliance)
  • 34–35. SafeNet DataSecure Interface (two screenshot slides)
  • 36. Disk Encryption
    • Disk encryption of desktops, in conjunction with Certificate Services
    • Access to Pre-Boot Authentication only with Token/Certificate, no UserID/Password logon
    • Protection of all data in case of theft, loss and end of life
  • 37. Encrypt transmission of cardholder data across open, public networks (Req. 4): Encrypt Network Communications with SafeNet High Speed Ethernet Encryption
  • 38. Network Encryption
    • Edge Layer: SSL/IPSec
    • Boundary Layer: MPLS, ATM, Frame Relay, Ethernet transport connecting branch offices, remote sites, partners
    • Core Layer: typically SONET or Ethernet transport over carrier WAN or dark fiber
  • 39. Best Fit for Layer 2 Encryption (diagram: Ethernet Encryption 10/1G, SONET Encryption, Ethernet Encryption 100/10M)
  • 40. Simplified Management: Layer 2 Transport (diagram: Customer Premise Router, Layer 2 Encryptor, Carrier Switch, LAN, Operations Center, Disaster Recovery Location). When something changes here... or here... or here!!! nothing changes here: no administrative burden, no outages and no security policy changes. Company Confidential
  • 41. Security Management Center II: SMC II is the only truly enterprise-class encryptor management platform
    • Lowest Cost of Ownership
      • Easy installation and simple ongoing management
      • Intuitive web-based GUI
      • Virtualization support with VMware and Solaris Zones
    • Secure Operations
      • Full audit and event logging and reporting
      • Secure remote management and encrypted communications
      • Integrated key manager with optional hardware security
    • Scalability / Reliability
      • Simple management design for thousands of encryptors
      • Rapid deployment tools for large installations
      • Enterprise-class high-availability features
  • 42. Develop and Maintain Secure Systems and Applications (Req. 6)
    • Secure Application Development Tools: SafeNet Hardware Security Modules
    • Approved Payment Applications: SafeNet Hardware Security Modules
  • 43. HSM: Transaction Protection. SafeNet HSMs provide the most secure, easiest and fastest way to integrate the security solution for applications and transactions for enterprises and governments. FIPS and Common Criteria certifications. Products: CA4, Luna PCM, ProtectServer Gold, Luna PCI, Luna SA / SP, ProtectHost EFT, Luna XML, Luna SX
  • 44. HSM Technology: Breadth of Hardware Security Offerings (diagram; positioning labels: Customizable, Economical; SOA, Web Services; Fastest Networked, Scaleable Performance; Offline Key Archive, Registration Auth; Payments, EMV/EFT. Products placed on the diagram: PCM, CA4; Luna PCI; Luna SA / SP / IS; Protect Server; Luna XML; Protect Host EFT. Throughput figures shown: 27/sec, 300+/sec, 600/sec, 600/sec, 1200/sec, 4000+/sec, 7000/sec)
  • 45. Restrict access to data and assign a unique ID to each person with computer access (Req. 7 & 8)
    • Privileged User Management: SafeNet Authentication, SafeNet DataSecure
    • Strong User Authentication: SafeNet Authentication
    • Network Access Management: SafeNet Authentication
  • 46. Identity Protection: Authentication
    • PKI Certificates
    • User Name & Passwords
    • Biometric Credentials
    • Barcode & Magnetic Swipe encoding*
    • Access Controls*
    • Photo ID*
    * Photo ID, Access Control, Bar Code/Magnetic Swipe are applicable to smart cards only
  • 47. SafeNet Solutions for the PCI Ecosystem
  • 48. Benefits (with proof points)
    • Single Key Management and Encryption Solution: comprehensive, core-to-edge solution from a SINGLE vendor; the ONLY solution that secures data across the connected enterprise for data at rest, in transit, and in use
    • Reduces the Cost and Complexity: integrated security platform with centralized policy management and reporting; all critical PCI encryption and key management requirements are centrally implemented
    • Streamlined Implementation: designed for fast and easy integration into existing IT infrastructure
    • Highest Security: FIPS 140-2 Level 2 and Level 3, and CC validations; more than 25 years of experience
    • Comprehensive Audit Trails: centralized logging and auditing of all cryptographic functions
  • 49. Success Story
  • 50. British Airways
    • Business Drivers: PCI info in Oracle DB and mainframe; proprietary flight information on mainframe
    • Technical Requirement: sensitive data on their mainframes; general security and granular-level security; Gartner said "FIPS level 2 will eventually be a PCI requirement."
    • Why SafeNet: batch processing between their mainframe and two other databases; files needed column-level encryption at a command line to handle credit card data; Level 2 FIPS compliance; SafeNet is the only company to offer command line file protection and conversion on the mainframe
    • Later Phases: working directly with business owners; Sales; Risk Management
  • 51. British Airways (architecture diagram: Bulk Load, TU, 3rd Party Apps, Internal Apps, z/OS Mainframe, Linux Machines, Windows FTP Servers, Windows File Servers, NAS)
  • 52. Success Stories
  • 53. Alexandre Bento alexandre.bento@safenet-inc.com Thank you