Life After Compliance march 2010 v2
•Download as PPT, PDF•
0 likes•490 views
Learn how to get more out of your PCI investment with this presentation from SafeNet titled: "Life After Compliance". Derek Tumulak discusses current approaches to PCI DSS compliance, challenges to ensuring compliance, and how to achieve best practices while addressing compliance challenges.
![Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (7)
Similar to Life After Compliance march 2010 v2
Similar to Life After Compliance march 2010 v2 (20)
More from SafeNet
More from SafeNet (20)
Recently uploaded
Recently uploaded (20)
Life After Compliance march 2010 v2
- 1. SafeNet The Foundation of Information Security Life After Compliance: Get More Out of Your PCI Investment
- 3. SAFENET
- 7. Market Trends, Threat Drivers
- 8. Online Fraud is on the Rise Source: Anti-Phishing Working Group, March 2009 The number of crimeware‐spreading sites infecting PCs with password‐stealing crimeware reached an all time high of 31,173 in December, an 827 percent increase from January of 2008. Phishing: $3.2 Billion lost in 2007 in the US alone Gartner Dec. 2007
- 9. What Are The Threats? Source: Ponemon Institute, 2009
- 10. A Look Back: PCI DSS Effectiveness
- 11. What Is It Costing? Source: Ponemon Institute, 2009 47%
- 12. CURRENT APPROACH AND CHALLENGES
- 15. Where Is The Industry Today? Source: Aberdeen Group, 2009 Objective Requirement Current Capability Known Incidents Avg. PCI Spend Build & Maintain Secure Network 1. Firewall Configurations 85% 16% $250K 2. No Default Passwords 16% Protect Cardholder Data 3. Protect Stored Cardholder Data 71% 23% $242K 4. Encrypt Transmission Across Networks 12% Maintain Vulnerability Mgmt Program 5. Use &Update Antivirus Software 61% 19% $114K 6. Develop & Maintain Secure Applications 28% Strong Access Control 7. Restrict Access Business Need-to-Know 65% 24% $124K 8. Assign a Unique ID 18% 9. Restrict Physical Access 15% Regularly Monitor & Test 10. Track and Monitor Network Access 78% 23% $169K 11. Regularly Test Security Systems 22% Maintain IS Policy 12. Maintain Policies for IS 83% 23% $118K
- 16. ADDRESSING CHALLENGES AND BEST PRACTICES
- 19. Lesson #2: Involve stakeholders
- 20. Lesson #3: Data Discovery and Classification
- 21. Lesson #4: Establish Threat Model
- 22. Lesson #5: Document and Define security policies and Procedures
- 23. Lesson #6: Determine Where to Protect Data “ Many organizations understand the benefits of encryption … but are dumbfounded by the question of just where to encrypt the data?.” Jon Oltsik, Senior Analyst, Enterprise Strategy Group Deployment Effort Security Application/Web/Token Database Storage/Tape File
- 24. DATA PROTECTION
- 27. Approaches to Data Protection
- 28. SAFENET APPROACH
- 31. Unrivaled Customer Success from Some of the World’s Most Respected and Admired Companies
- 32. SafeNet DataSecure Data Protection, Key, and Policy Management Mainframes Web/App Servers Endpoint Devices Network Shares File Servers Structured Data Unstructured Data
- 33. QUESTIONS?
Editor's Notes
- So What: >25 years focus on information security >Size matters >Private, Profitable, and Proud of it >Certifications are important >Customers count on SafeNet
- The most classified information in the world World’s largest deployment of top secret communications globally Between the KIV-7 and secure telephones, almost every piece of classified material transmitted is protected by SafeNet technology (Note – In some locales, it may be preferable not to mention too much about our association with the U.S. government, so this section might be amended to remove this reference) The most money that moves in the world 80% of the worlds bank to bank electronic transfers are protected by our HSM’s Our products are used by SWIFT – who carry 80% of the bank to bank electronic transfers – and by the U.S. Federal Reserve to securely transfer funds within the U.S. banking system – a total of more than 1 trillion dollars A DAY! The most digital identities in the world - Most major digital identity deployments rely on SFNT The most high-value software in the world - 42 million Sentinel keys have been sold to protect software vendors against piracy. The most of any vendor.
- Market forces, such as compliance, globalization, outsourcing, SaaS, and cloud computing, have driven greater proliferation of data, information exchange, and access to data by “outsiders.” As this happens, the threats continue to mount, as more people inside and outside of the organization need access to data. More questions and concerns are introduced: The traditional boundaries of an enterprise have disappeared as data is hosted, outsourced, managed, or accessed by partners, third-party vendors, and a mobile workforce How do you protect your information assets without restricting business processes? The outsider has become the insider, and even “authorized” users need secure access control. There is no clear delineation between bad guys and good guys.
- We can’t be complacent, even when the numbers are steady, there is always a spike pending
- The US has been diligent about documenting security breaches. Here you will find two tracks of information. The bar is the number of payment cards affected from a data breach. Opponents of PCI will claim that it isn’t working highlighting the two spikes that occurred in 2007 and 2009. What is important to note is this is the time of the largest breaches in history: TJX and Heartland Payment Processing. In fact, the number of breaches in 06 and 08 are quite low. The opponents will then say that those numbers are consistent with 2003 and 2004 prior to the standards release, but back then, breach notification laws were not yet in place, therefore, organizations were not required to disclose. Countless breaches occurred during this period which were not reflected. The second line is the trend line of number of incidents. This line is from numerous segments including: Healthcare, Government, Universities, only a small number of these are payment card related.
- Since the PCI mandate was introduced in 2005, you will notice that the cost per breached record has increased 47%. Several elements go into this figure: litigation costs associated with the breach, pr costs, cost for notifications, consulting and repairs, and campaigns for brand repair. What can not be measured, is the lost opportunity costs and revenues from people turning away from your organization.
- There are two ways to look at PCI DSS, one is that it is the ceiling, the most any organization wants to do. The mandate is seen as overly complex and not easily adaptable within their infrastructure. Others look at this as an opportunity to establish budget and implement a strong security platform for protecting all of their information, not just credit cards. Often times these companies will have a dedicated officer tasked with implementing and sustaining compliance, with a set budget.
- For a number of years, the Aberdeen Group have conducted a bench marking study to compare PCI implementations amongst best in class organizations compared to the industry averages. The approaches they take are often different, but to start, it is best to take a step back and think about the approach. Don’t just look at PCI as a bunch of check boxes. Often refer to a CoBIT or ISO standard for Information Security and use those frameworks and best practices for approaching your compliance implementation. With this approach, organizations have been able to implement good security policy, while also becoming PCI compliant. The time to market was actually consistent at 11 months, but the cost savings from taking a holistic approach was half. Even for the areas that are the most difficult to meet, such as protecting stored cardholder data. Often times organizations will segment out the credit card data separate from the other information but this results in extra management and operational issues and overhead.
- Here you will see the different elements of the digital dozen, where the current implementation stands and the correlation to known incidences. A few requirements to mention, where we have been able to aid customers, are the protection of stored cardholder data, developing and maintaining secure applications, and restricting access to a business need to know. The reason for these higher numbers often relate back to complex systems, gap in security codes, and confusion of the various technologies in the market. To offset these problems, it is important to start by scoping your project and doing a data discovery investigation to determine where the sensitive information resides. It is also important to trust your vendors to ensure you are buying payment applications that are PA DSS compliant, and if you are building your own application, secure the application development codes. There is also a lot of fodder in the marketplace about end-to-end encryption, in actuality, there is no one vendor that has a complete solution. There are multiple vendors, like SafeNet, who can offer several products that solve several compliance issues, but no one can solve everything. The important thing when doing vendor selection is Trust, Experience, and Security.
- When getting started in the PCI implementation, there are a few starter questions to ask
- In the states a lot of the big retailers fought PCI in the beginning, including a joint trip down to DC to take on the “big three”. After this meeting more than one of them had a publicly disclosed breach. Some of this is derived from ignorance – they have no idea of the techniques that are being employed to get at the sensitve data (refer to Trisha’s preso) and that it is a business/criminal enterprise some of which is which is sponsored by unfriendly government groups. PCI is now at 1.2, ex: w/ 1.1 key rotation is no longer defined as “periodic” but once per annum PCI Auditors are not as open to “compensating controls” which were once an interim mechanism for passing a PCI audit, after a number of breaches by organizations that had passed a PCI audit but had systems which were passed with compensating controls. It’s more than just PCI. Worked with a retailer who’s launch for a new brand of stores was leaked on the Internet, including their catalogue shoot. (IP)
- To ensure a successful project. Get everyone involved – this will help with buy-in and cooperation where different groups will feel they are part of the project. There are going to be few people (if any) who have an end-to-end knowledge of all the systems. Not all these people have to be involved with all meetings, etc. but there needs to be good communication to keep everyone in the loop. I’ve been talking to some organizations that have been working on this for over three years. Communication includes educating end users – why we are doing this and how you can help and why it is in your interest. Outside help – with the economy, etc. – many organizations are running barebones and don’t have the cycles to take on another project. You can also leverage the experience of an outfit that has been through this before.
- If you don’t know where the data is, you can’t protect it. Establish classification PCI, PII – sensitivity levels, etc.
- After data and discovery phase, you can establish what your threat model is Example, CSR who pages through screens of customer data and writes down CC#s or takes pictures using their cell phone (rate limiting would help and/or masking data) Business need to know
- Absolute minimum to do job, change evaluate at business processes. For example if 95% of the time CSRs can get by with last four of CC# for validation only allow CSRs access to last 4 and requeu the 5% to supervisors or a special group of CSRs. From Data dsicoverety and classification and threat model one can establish policies and procedures Those with a business need to know Eliminate data – Reports, backups, log files, archives, etc. I had 100’s of thousands if not over a million SS#s along with patient diagnostic codes, full address, name, etc.
- Data can be encrypted in a number of different locations. Encrypting at the Storage/Tape level provides protection against physical attack such as theft of the storage device or tape. The number of different attacks that you can protect against increases progressively as you encrypt at the file, database and finally at the Application level, where a solution is able to protect against physical attack as well as many different logical attacks that could be perpetrated from either outside of the enterprise or by a malicious inside user or administrator. There is incrementally more development effort required for more secure solutions. This of course needs to be considered when resources are scarce. On the other hand, as enterprises scale, budgets and requirements change and it is unfortunate when a company finds itself in the situation where they have spent a major portion of their budget on a solution that does not scale or fully meet their requirements. For the above reasons, enterprises that are presented with proposals from a variety of different solution-specific vendors often find it difficult to make a decision. ____________________________________________________ Key Message: Security and Deployment Effort vary considerably based on where encryption is deployed
- The market is changing…DP 1.0 technologies are no longer adequate for today’s enterprise organization. 1.0 is where many organizations are at today, this is where many companies are stuck. 2.0 is where the data protection market is headed. Let’s take a look at each one of these…(go through each row) SafeNet’s Approach: Data-centric Protection What's Changing Data-conscious vs. perimeter/network-centric Proactive protection vs. passive protection Why Is It Happening Data was born to be free. Passive protection techniques of trying to constrain data movement based on ‘source/destination’ or ‘all or nothing’ protection are not enough anymore What To Do Data-conscious security infrastructure, providing persistent data protection as data is created, used, stored, moved What You Gain Proactive data protection: Protect once, comply many Protected infrastructure What To Look At Scalable and extensible infrastructure with integrated policy, key and ID management platform
- After reviewing the best practices and determining which approach to use for your implementation there are a few initial questions you must ask:
- Many customers will use one or more approaches to protecting their data