Life After Compliance, March 2010, v2
Learn how to get more out of your PCI investment with this presentation from SafeNet titled: "Life After Compliance". Derek Tumulak discusses current approaches to PCI DSS compliance, challenges to ensuring compliance, and how to achieve best practices while addressing compliance challenges.

  • So what: more than 25 years focused on information security; size matters; private, profitable, and proud of it; certifications are important; customers count on SafeNet.
  • The most classified information in the world: the world's largest deployment of top-secret communications globally. Between the KIV-7 and secure telephones, almost every piece of classified material transmitted is protected by SafeNet technology. (Note: in some locales it may be preferable not to mention too much about our association with the U.S. government, so this section might be amended to remove this reference.) The most money that moves in the world: 80% of the world's bank-to-bank electronic transfers are protected by our HSMs. Our products are used by SWIFT, which carries 80% of bank-to-bank electronic transfers, and by the U.S. Federal Reserve to securely transfer funds within the U.S. banking system, a total of more than 1 trillion dollars a day. The most digital identities in the world: most major digital identity deployments rely on SFNT. The most high-value software in the world: 42 million Sentinel keys have been sold to protect software vendors against piracy, the most of any vendor.
  • Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by "outsiders." As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data. More questions and concerns are introduced:
    • The traditional boundaries of an enterprise have disappeared as data is hosted, outsourced, managed, or accessed by partners, third-party vendors, and a mobile workforce.
    • How do you protect your information assets without restricting business processes?
    • The outsider has become the insider, and even "authorized" users need secure access control. There is no clear delineation between bad guys and good guys.
  • We can't be complacent: even when the numbers are steady, there is always a spike pending.
  • The US has been diligent about documenting security breaches. Here you will find two tracks of information. The bars are the number of payment cards affected by a data breach. Opponents of PCI will claim that it isn't working, highlighting the two spikes that occurred in 2007 and 2009. What is important to note is that this is the time of the largest breaches in history: TJX and Heartland Payment Processing. In fact, the number of breaches in 2006 and 2008 is quite low. The opponents will then say that those numbers are consistent with 2003 and 2004, prior to the standard's release, but back then breach notification laws were not yet in place, so organizations were not required to disclose. Countless breaches occurred during this period which are not reflected. The second line is the trend line of the number of incidents. This line aggregates numerous segments, including healthcare, government and universities; only a small number of these incidents are payment card related.
  • Since the PCI mandate was introduced in 2005, you will notice that the cost per breached record has increased 47%. Several elements go into this figure: litigation costs associated with the breach, PR costs, the cost of notifications, consulting and repairs, and campaigns for brand repair. What cannot be measured is the lost opportunity cost and the revenue lost from people turning away from your organization.
  • There are two ways to look at PCI DSS. One is that it is the ceiling, the most any organization wants to do; the mandate is seen as overly complex and not easily adaptable to their infrastructure. Others look at it as an opportunity to establish budget and implement a strong security platform for protecting all of their information, not just credit cards. Oftentimes these companies will have a dedicated officer tasked with implementing and sustaining compliance, with a set budget.
  • For a number of years, the Aberdeen Group has conducted a benchmarking study comparing PCI implementations at best-in-class organizations with industry averages. The approaches they take are often different, but to start, it is best to take a step back and think about the approach. Don't just look at PCI as a bunch of check boxes. Refer to a COBIT or ISO standard for information security and use those frameworks and best practices when approaching your compliance implementation. With this approach, organizations have been able to implement good security policy while also becoming PCI compliant. The time to market was the same, at 11 months, but the cost of the holistic approach was half, even for the areas that are most difficult to meet, such as protecting stored cardholder data. Oftentimes organizations will segment the credit card data from the other information, but this results in extra management and operational issues and overhead.
  • Here you will see the different elements of the digital dozen, where the current implementation stands, and the correlation to known incidents. A few requirements to mention, where we have been able to aid customers, are the protection of stored cardholder data, developing and maintaining secure applications, and restricting access to a business need to know. The reasons for these higher numbers often relate back to complex systems, gaps in security code, and confusion over the various technologies in the market. To offset these problems, it is important to start by scoping your project and doing a data discovery investigation to determine where the sensitive information resides. It is also important to trust your vendors, to ensure you are buying payment applications that are PA-DSS compliant, and, if you are building your own application, to secure the application code during development. There is also a lot of fodder in the marketplace about end-to-end encryption; in actuality, no one vendor has a complete solution. Multiple vendors, like SafeNet, can offer several products that solve several compliance issues, but no one can solve everything. The important things when doing vendor selection are trust, experience, and security.
  • When getting started on the PCI implementation, there are a few starter questions to ask.
  • In the States a lot of the big retailers fought PCI in the beginning, including a joint trip down to DC to take on the "big three". After this meeting more than one of them had a publicly disclosed breach. Some of this derives from ignorance: they have no idea of the techniques being employed to get at the sensitive data (refer to Trisha's preso), or that it is a business/criminal enterprise, some of which is sponsored by unfriendly government groups. PCI is now at 1.2; for example, with 1.1 key rotation is no longer defined as "periodic" but as once per annum. PCI auditors are not as open to "compensating controls", which were once an interim mechanism for passing a PCI audit, after a number of breaches at organizations that had passed a PCI audit but had systems which were passed with compensating controls. It's more than just PCI: worked with a retailer whose launch of a new brand of stores was leaked on the Internet, including their catalogue shoot (IP).
  • To ensure a successful project, get everyone involved; this will help with buy-in and cooperation, as the different groups will feel they are part of the project. There are going to be few people (if any) who have end-to-end knowledge of all the systems. Not all these people have to be involved in all meetings, etc., but there needs to be good communication to keep everyone in the loop. I've been talking to some organizations that have been working on this for over three years. Communication includes educating end users: why we are doing this, how you can help, and why it is in your interest. Outside help: with the economy, etc., many organizations are running barebones and don't have the cycles to take on another project. You can also leverage the experience of an outfit that has been through this before.
  • If you don't know where the data is, you can't protect it. Establish classification (PCI, PII), sensitivity levels, etc.
  • After the data discovery phase, you can establish your threat model. Example: a CSR who pages through screens of customer data and writes down card numbers or takes pictures with their cell phone (rate limiting and/or masking the data would help). Business need to know.
  • Absolute minimum to do the job; evaluate changes at the level of business processes. For example, if 95% of the time CSRs can get by with the last four digits of the card number for validation, only allow CSRs access to the last four and re-queue the 5% to supervisors or a special group of CSRs. From data discovery, classification and the threat model one can establish policies and procedures: those with a business need to know; eliminate data (reports, backups, log files, archives, etc.). I had 100s of thousands, if not over a million, SS#s along with patient diagnostic codes, full address, name, etc.
  • Data can be encrypted in a number of different locations. Encrypting at the storage/tape level provides protection against physical attack, such as theft of the storage device or tape. The number of different attacks that you can protect against increases progressively as you encrypt at the file, database and finally the application level, where a solution is able to protect against physical attack as well as many different logical attacks that could be perpetrated from outside the enterprise or by a malicious insider or administrator. Incrementally more development effort is required for the more secure solutions, which needs to be considered when resources are scarce. On the other hand, as enterprises scale, budgets and requirements change, and it is unfortunate when a company finds it has spent a major portion of its budget on a solution that does not scale or fully meet its requirements. For these reasons, enterprises presented with proposals from a variety of solution-specific vendors often find it difficult to make a decision. Key message: security and deployment effort vary considerably based on where encryption is deployed.
  • The market is changing: DP 1.0 technologies are no longer adequate for today's enterprise organization. 1.0 is where many organizations are at today; this is where many companies are stuck. 2.0 is where the data protection market is headed. Let's take a look at each one of these (go through each row). SafeNet's approach: data-centric protection.
    • What's changing: data-conscious vs. perimeter/network-centric; proactive protection vs. passive protection.
    • Why is it happening: data was born to be free. Passive protection techniques that try to constrain data movement based on 'source/destination' or 'all or nothing' protection are not enough anymore.
    • What to do: a data-conscious security infrastructure, providing persistent data protection as data is created, used, stored and moved.
    • What you gain: proactive data protection (protect once, comply many) and a protected infrastructure.
    • What to look at: a scalable and extensible infrastructure with an integrated policy, key and ID management platform.
  • After reviewing the best practices and determining which approach to use for your implementation there are a few initial questions you must ask:
  • Many customers will use one or more approaches to protecting their data.
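The discovery, classification and need-to-know notes above (Lessons 3 to 5) as an added Python example, not code from the original deck: it scans constructed log, report and backup lines for Luhn-valid card numbers and SSN-shaped values, tags each finding PCI or PII, and returns the view a CSR versus a supervisor should get. The regexes, role names and sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines standing in for a log file, a CSR report and a
# backup listing. The card numbers are well-known test PANs, not real cards.
SAMPLE_LINES = [
    "2010-03-02 12:01:05 order=4481 pan=4111 1111 1111 1111 status=approved",
    "report: customer=J. Doe card=5500-0000-0000-0004 exp=03/12",
    "backup/archive-2009.tar: ssn=123-45-6789 diag=E11.9 name=J. Doe",
    "ticket id 1234567890123456 opened by CSR 17",  # 16 digits, fails Luhn
]

# 13 to 19 digits, optionally separated by spaces or dashes, that are not
# part of a longer digit run (so dates and timestamps do not match).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    classification: str  # "PCI" for cardholder data, "PII" otherwise
    value: str           # normalised value; lives only in the finding store


def discover(lines):
    """Scan lines from reports, logs, backups and archives for sensitive data."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, "PCI", digits))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(n, "PII", m.group()))
    return findings


def need_to_know_view(finding: Finding, role: str) -> str:
    """Business need to know: a CSR sees the last four only (the 95% case),
    the supervisor handling the escalated 5% sees the full value, and any
    other role gets nothing."""
    if role == "supervisor":
        return finding.value
    if role == "csr":
        return "*" * (len(finding.value) - 4) + finding.value[-4:]
    return "[redacted]"


def scope_summary(findings):
    """Count findings per classification to size the PCI scope."""
    return dict(Counter(f.classification for f in findings))


if __name__ == "__main__":
    found = discover(SAMPLE_LINES)
    for f in found:
        print(f"line {f.line_no}: {f.classification} -> {need_to_know_view(f, 'csr')}")
    print(scope_summary(found))
```

The ticket id on the last sample line is a 16-digit run that fails the Luhn check, which is how the scan avoids flagging every long number as cardholder data.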

    1. SafeNet, The Foundation of Information Security. Life After Compliance: Get More Out of Your PCI Investment
    2. Agenda
       • SafeNet
       • Market Background
       • Current Approaches and Challenges
       • Addressing Challenges and Best Practices
       • Data Protection
       • SafeNet Approach
    3. SafeNet
    4. SafeNet Fact Sheet: the largest company exclusively focused on the protection of high-value information assets.
       • Founded: 1983
       • Ownership: Private
       • Global footprint with more than 25,000 customers in 100 countries
       • Employees: 1,600 in 25 countries
       • Recognized security technology leadership, over 600 encryption engineers strong
       • Accredited with products certified to the highest security standards
    5. Proven Leader. Trusted to Protect. SafeNet protects:
       • the most money that moves in the world: 80% of all electronic banking transfers, $1 trillion a day
       • the most digital identities in the world: most PKI identities for governments and F-100 companies
       • the most high-value software in the world: 80 million hardware keys, more than any other vendor
       • the most classified information in the world: the largest deployment of government communications security
    7. Market Trends, Threat Drivers
    8. Online Fraud is on the Rise. Source: Anti-Phishing Working Group, March 2009. "The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, an 827 percent increase from January of 2008." Phishing: $3.2 billion lost in 2007 in the US alone (Gartner, Dec. 2007).
    9. What Are The Threats? Source: Ponemon Institute, 2009
    10. A Look Back: PCI DSS Effectiveness
    11. What Is It Costing? Source: Ponemon Institute, 2009. 47%
    13. Is PCI DSS The Floor or Ceiling?
       • "PCI DSS is the ceiling"
          • Implementation obstacles ("excuses?")
             • It is overly complex
             • Out of touch with current threats
          • Longer time to implement
          • More costly to meet compliance
       • "PCI DSS is only the floor"
          • Leveraged the investment
             • 10% greater protection
          • 50% cost advantage
    14. What Is It Costing? Source: Aberdeen Group, 2009. Allocation of PCI Investment

        Metric                                    Best-in-Class   All Others
        Cost to achieve initial compliance        $520K           $958K
        Time to report                            11 mo           11 mo
        Annual cost to sustain compliance         $135K           $300K
        Average time since first reporting        2.0 yrs         2.3 yrs
        Average total spend on PCI compliance     $784K           $1,642K
          Build & Maintain a Secure Network       $197K           $375K
          Protect Cardholder Data                 $186K           $399K
          Maintain a Vulnerability Mgmt Program   $88K            $188K
          Implement Strong Access Control         $93K            $211K
          Regularly Monitor and Test              $124K           $317K
          Maintain an IS Policy                   $97K            $152K

    15. Where Is The Industry Today? Source: Aberdeen Group, 2009 (current capability and average PCI spend are per objective; known incidents are per requirement)

        Objective                             Requirement                                   Current Capability   Known Incidents   Avg. PCI Spend
        Build & Maintain Secure Network       1. Firewall Configurations                    85%                  16%               $250K
                                              2. No Default Passwords                                            16%
        Protect Cardholder Data               3. Protect Stored Cardholder Data             71%                  23%               $242K
                                              4. Encrypt Transmission Across Networks                            12%
        Maintain Vulnerability Mgmt Program   5. Use & Update Antivirus Software            61%                  19%               $114K
                                              6. Develop & Maintain Secure Applications                          28%
        Strong Access Control                 7. Restrict Access to Business Need-to-Know   65%                  24%               $124K
                                              8. Assign a Unique ID                                              18%
                                              9. Restrict Physical Access                                        15%
        Regularly Monitor & Test              10. Track and Monitor Network Access          78%                  23%               $169K
                                              11. Regularly Test Security Systems                                22%
        Maintain IS Policy                    12. Maintain Policies for IS                  83%                  23%               $118K

    17. Compliance Questions You Should Be Asking
       • Do I need to keep card data?
       • How do I de-scope?
       • Are there technologies that can help me de-scope?
       • Does outsourcing work for me?
       • What happens if my business processes change?
       • How do I keep abreast of new legislation?
       • How do I make sure that people accessing protected data are who they say they are?
       • Can my firewall help me? My IPS? My disk encryption? What approach should I take? Should I just encrypt all of my databases?
    18. Lesson #1: It's Protection, not a Check Box
       • PCI DSS has evolved, as have its interpretation and enforcement
       • Learn from others' mistakes
       • It's more than just passing an audit
          • PCI is about protecting your business and your customers
       • It's more than just PCI
          • Plan for protecting PII, IP and other sensitive data
    19. Lesson #2: Involve Stakeholders
    20. Lesson #3: Data Discovery and Classification
    21. Lesson #4: Establish Threat Model
    22. Lesson #5: Document and Define Security Policies and Procedures
    23. Lesson #6: Determine Where to Protect Data. "Many organizations understand the benefits of encryption ... but are dumbfounded by the question of just where to encrypt the data." Jon Oltsik, Senior Analyst, Enterprise Strategy Group. (Chart: Deployment Effort vs. Security across Storage/Tape, File, Database and Application/Web/Token encryption layers.)
    25. As Threats Change, Data Protection Strategies Must Change as Well
       Data Protection 1.0
       • Perimeter-focused security
       • All-or-nothing encryption
       • Keep bad guys out, authorized users get full access
       • Multiple products to meet business and security needs
       • High-level or very specific policy only
       • No proper central policy management
       Data Protection 2.0
       • Data-centric protection: intelligence to protect the data itself throughout its lifecycle
       • Granular, selective protection over a subset of unstructured or structured data (files, fields, and columns)
       • Granular data protection for authorized users, assuring compartmentalization
       • Centrally managed solution that addresses business, compliance, data governance and security
       • Centralized policy and key management providing data use tracking and control
    26. Qualifying Questions for Encryption
       • What is the threat model you are protecting against?
          • Physical media theft (tapes, drives)
          • Logical threats (application, database, systems being compromised)
       • What is the data you want to encrypt?
       • What threat model are you protecting against?
       • Where are you going to perform encryption?
       • Are you indexing on the data you want to encrypt?
       • Are you using the data as a primary or foreign key?
       • What is the access mode for the data?
       • How many applications access the data?
       • What types of queries do you perform on the data?
       • Are you using stored procedures and building logic into the database?
       • Are you importing/exporting data from columns/fields you are encrypting?
       • Are you running batched processes that operate on encrypted data?
    27. Approaches to Data Protection
    29. SafeNet Data Protection Portfolio
       Identity Protection - Authentication
       • Offering the broadest range of authenticators, from smart cards and tokens to mobile phone auth, all managed from a single platform
       • The industry's only unified authentication platform offering customers the freedom to adapt to changing environments
       • The market leader in certificate-based token authentication
       • Unique technology offerings with client-less tokens, high-assurance solutions, and more
       Communication Protection - High-Speed Network Encryption
       • SafeNet high-speed network encryptors combine the highest performance with the easiest integration and management
       • Solutions for Ethernet, SONET up to 10Gb
       • Best-in-class Security Management Center
       • Zero bandwidth loss, low-latency encryption
       • Unparalleled leverage across classified and COTS communication protection (FIPS 140-2 Level 3)
       Transaction and Identity Protection - HSM
       • The fastest, most secure, and easiest to integrate application and transaction security solution for enterprise and government
       • Market leader in enterprise-grade HSMs
       • Industry innovator in payment HSMs
       • Widest portfolio of platforms and solutions
       • SafeNet delivered its 75,000th HSM, setting an industry milestone
       Data Encryption and Control - DataSecure
       • World's first and only unified platform that delivers intelligent data protection and control for ALL information assets
       • Data-centric, persistent protection across data centers, endpoints, and into the cloud
       • Centralized policy, key management, logging, and auditing
       • Integrated perimeter data leakage prevention
       • Appliance-based, proven scalability, and high performance
    30. SafeNet data encryption and control solutions protect information throughout its lifecycle, wherever it resides, from the data center to the broadest array of endpoint devices and into the cloud. DataSecure is a unified platform for data encryption, key management, and granular access controls; eSafe Smart Suite offers data loss prevention capabilities. Products shown: DataSecure, EdgeSecure, ProtectDB, ProtectApp, ProtectZ, ProtectFile, eSafe Smart Suite, ProtectDrive, Token Manager (portfolio areas: Identity Protection - Authentication; Communication Protection - High-Speed Network Encryption; Transaction and Identity Protection - HSM; Data Encryption and Control - DataSecure).
    31. Unrivaled Customer Success from Some of the World's Most Respected and Admired Companies
    32. SafeNet DataSecure: Data Protection, Key, and Policy Management. (Diagram: Mainframes, Web/App Servers, Endpoint Devices, Network Shares, File Servers; Structured Data and Unstructured Data.)
    33. Questions?