IBM DataPower - PCI Solutions

Xchel Martínez Galicia
IBM Hybrid Cloud: Technical Connectivity, Integration and SOA IT Specialist
xchel@mx1.ibm.com

César Tort
Integration & Development - Key Accounts
ctort@mx1.ibm.com

March 27th, 2018
“Stores of the future will be more connected and experience-driven… Data security will be a major concern” (Planet Retail)
Confidential – Liverpool and IBM
About this presentation
© Copyright IBM Corporation 2018. All rights reserved.
The information contained in these materials is provided for informational purposes only, and is provided
AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages
arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials
is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or
services do not imply that they will be available in all countries in which IBM operates. Product release
dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion
based on market opportunities or other factors, and are not intended to be a commitment to future
product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are
trademarks of the International Business Machines Corporation, in the United States, other countries or
both. Other company, product, or service names may be trademarks or service marks of others.
Content
• About PCI (Payment Card Industry)
• PCI DSS (Data Security Standard)
• Which kind of data should be protected?
• What are WebSphere DataPower Appliances?
• WebSphere DataPower and the PCI DSS “Digital Dozen”
About PCI (Payment Card Industry)
About PCI (Payment Card Industry)
§ The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
§ The Council was founded in 2006, with American Express, Discover Financial Services, Japan Credit Bureau International, MasterCard and Visa Inc. as founding members.
§ As of 2018, the PCI SSC lists 797 Participating Organizations around the world. IBM is one of them!
§ Founding members have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs.
PCI DSS (Data Security Standard)
§ Whom does PCI DSS serve?
Those who work with and are associated with payment cards. This includes: retail (e-commerce and brick-and-mortar), merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.
§ What is the objective of working with PCI DSS?
– Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
– Helping vendors understand and implement standards for creating/maintaining secure payment solutions.
§ Why is it important to comply with PCI DSS?
Potential liabilities:
• Lost confidence, so customers go to other merchants
• Diminished sales
• Cost of reissuing new payment cards
• Fraud losses
• Higher subsequent costs of compliance
• Legal costs, settlements and judgments
• Fines and penalties
• Termination of ability to accept payment cards
• Lost jobs (CISO, CIO, CEO and dependent professional positions)
• Going out of business
PCI DSS (Data Security Standard)
§ What is PCI DSS?
PCI DSS provides a baseline of technical and operational requirements designed to protect account data. It includes 12 requirements, listed in full in the “Digital Dozen” section of this deck.
Which kind of data should be protected?
§ Where are the crown jewels?
Cardholder data refers to any information contained on a customer’s payment card. The data is printed on either side of the card and is contained in digital format on the magnetic stripe embedded in the backside of the card. Some payment cards store data in chips embedded on the front side.
The front side usually has the primary account number (PAN), cardholder name and expiration date.
The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization.
§ Here are the crown jewels!
What are WebSphere DataPower Gateway Appliances?
Product Value
“Specialized purpose-built hardened embedded network devices that take the “hard parts” of SOA security and integration traditionally requiring complex and costly software systems and delivers them in a simple “uncrate, rack, configure and deploy” platform.”
Powerful and uniquely efficient message and file oriented configuration-driven Security and Integration platform with the extremely low operational TCO of a true network device.
Over 3,000 worldwide installations and growing!
Insurance
§ Used by 95% of top global insurance firms
§ SaaS providers, ASPs, regulators, etc.
Government
§ Agencies and ministries
§ Defense and security organizations
§ Crown corporations
Banking
§ 80% of top 100 Banks
§ Numerous regional banks and credit unions
§ SaaS providers, ASPs, regulators, etc.
Many, many, more
§ Retailers
§ Utilities, Power, Oil and Gas
§ Airlines
§ etc.
IBM DataPower Appliances Lead the Market
The Leader in SOA Appliances: over 2200 DataPower Appliance clients
§ The largest portfolio of SOA appliances
§ 80% of customers are repeat buyers
§ Appliance Innovator: leading appliance market since 2003
§ 90% of top 100 Financial Institutions are DataPower installations
§ Broadest support for open standards and programming models
§ Proven to accelerate time-to-market and lower total cost of ownership
“One of the strongest points for IBM comes from its industry-leading experience with both SOA and appliances. Because IBM has been in the SOA game for a long time, it has built up extensive and pervasive SOA skills globally...IBM has developed a solid business approach to the appliance marketplace, taking into account the challenges of adding new members to the range, maintaining a consistent focus and ensuring clients continue to get ongoing value.”
~ Source: November 2012, Lustratus Research, Inc: A Competitive Review of SOA Appliances
Gartner reported that IBM continues to be number one in key areas including Integration Appliances
- Source: April 2012, “IBM Named Marketshare Leader in Middleware Software”, http://www-03.ibm.com/press/us/en/pressrelease/37376.wss
Supported standards & protocols
• Data format & language
– JavaScript
– JSON
– JSON Schema
– JSONiq
– REST
– SOAP 1.1, 1.2
– WSDL 1.1
– XML 1.0
– XML Schema 1.0
– XPath 1.0
– XPath 2.0 (XQuery only)
– XSLT 1.0
– XQuery 1.0
• Security policy enforcement
– OAuth 2.0
– SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries
– XACML 2.0
– Kerberos, SPNEGO
– RADIUS
– LDAP versions 2 and 3
– Lightweight Third-Party Authentication (LTPA)
– Microsoft Active Directory
– FIPS 140-2 Level 3 (w/ optional HSM)
– SAF & IBM RACF® integration with z/OS
– Internet Content Adaptation Protocol
– W3C XML Encryption
– W3C XML Signature
– S/MIME encryption and digital signature
– WS-Security 1.0, 1.1
– WS-I Basic Security Profile 1.0, 1.1
– WS-SecurityPolicy
– WS-SecureConversation 1.3
• Transport & connectivity
– HTTP, HTTPS, WebSocket Proxy
– FTP, FTPS, SFTP
– WebSphere MQ
– WebSphere MQ File Transfer Edition (MQFTE)
– TIBCO EMS
– WebSphere Java Message Service (JMS)
– IBM IMS Connect, & IMS Callout
– NFS
– AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62)
– DB2, Microsoft SQL Server, Oracle, Sybase, IMS
• Transport Layer Security
– SSL versions 2 and 3
– TLS versions 1.0, 1.1, and 1.2
• Public key infrastructure (PKI)
– RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP
– PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
– XKMS for integration with Tivoli Security Policy Manager (TSPM)
• Management
– Simple Network Management Protocol (SNMP)
– SYSLOG
– IPv4, IPv6
• Open File Formats
– Distributed Management Task Force (DMTF) Open Virtualization Format (OVF)
– VMware Virtual Machine Disk Format (VMDK)
• Web services
– WS-I Basic Profile 1.0, 1.1
– WS-I Simple SOAP Basic Profile
– WS-Policy Framework
– WS-Policy 1.2, 1.5
– WS-Trust 1.3
– WS-Addressing
– WS-Enumeration
– WS-Eventing
– WS-Notification
– Web Services Distributed Management (WSDM)
– WS-Management
– WS-I Attachments Profile
– SOAP Attachment Feature 1.2
– SOAP with Attachments (SwA)
– Direct Internet Message Encapsulation (DIME)
– Multipurpose Internet Mail Extensions (MIME)
– XML-binary Optimized Packaging (XOP)
– Message Transmission Optimization Mechanism (MTOM)
– WS-MediationPolicy (IBM standard)
– Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription
– WebSphere Service Registry and Repository (WSRR)
WebSphere DataPower - Use Cases (diagram)
Zones shown: Internet, DMZ, Trusted Domain; actors: Business, Consumer, Mobile; back ends: Application, System z, HMC.
1 B2B Partner Gateway
2 Secure Gateway (Web Services, Web Applications)
3 Intelligent Load Distribution
4 Internal Security
5 Light Weight Integration
6 Web Service Management
7 Legacy Integration
8 Run time SOA Governance
WebSphere DataPower and the PCI DSS
“Digital Dozen”
WebSphere DataPower is an ideal solution for many requirements:
▪ Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
▪ Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
▪ Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
▪ Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
▪ Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
▪ Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
DataPower - Key Functions for PCI Compliance
§ Web Services (XML) - Filter on any content, metadata or network variables
§ Web Application Firewall - HTTP Protocol Filtering, Threat Protection, Cookie Handling
§ Data Validation - Approve incoming/outgoing Web traffic, Web Services, XML at wirespeed
§ Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation
§ Encryption of transport layer - HTTP, HTTPS, SSL.
§ Anti Virus Protection - messages and attachments checked for viruses; integrates with corporate virus checking software through ICAP protocol
§ XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc
§ Management & Logging - manage & track services, logging of all activities, audit.
§ Security Policy Management - security policies “universally understood” by multiple software solutions, eases PCI certification process.
§ Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse Configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)
(The slide annotates these functions with the PCI DSS requirements they address: Req. 1, Req. 3,4, Req. 5, Req. 7,8,9, Req. 10, Req. 12.)
The PCI DSS consists of 12 requirements:
▪ Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
▪ Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
▪ Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
▪ Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
▪ Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
▪ Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
XML/SOAP Firewall
▪ An important, but small, part of DataPower
▪ Integrated multi-layer filters:
– IP-layer params (e.g., client IP address)
– SSL params (e.g., client certificate)
– Any part of HTTP header
– XPath or XML configuration files for any part of SOAP header
– XPath or XML configuration files on any part of XML payload
– First-level filter select based on service, URL, etc.
▪ Easy “point and click” XPath Filtering
▪ Enable/Disable each SOAP method using WSDL wizard
▪ Can be applied at any point in message processing
Web Application Firewall
▪ URL-encoded HTTP application protection in addition to XML Web Services firewall security
▪ Protection for static or dynamic HTML-based applications
▪ Supports browser-based clients and HTTP/HTTPS backend servers
▪ Wizard-driven configuration
▪ Cross-site scripting and SQL Injection protection
▪ AAA framework support for web applications
▪ General name-value criteria boundary profiles for:
– Query string and form parameters
– HTTP headers
– Cookies
▪ HTML Input Conversion Maps for form processing and handling
▪ Cookie watermarking (sign and/or encrypt)
▪ Rate limiting and traffic throttling/shaping
▪ HTTP Header stripping, injection, rewriting and method filtering
▪ Content-type filtering
▪ Dynamic routing and load balancing
▪ Session handling policies
▪ SSL Acceleration & Termination (Link)
▪ Customizable error handling
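As an added illustration of the name-value boundary profiles listed above (example code written for this page, not DataPower configuration or IBM code), the following Go program applies a constructed per-parameter profile to a request's query string, headers and cookies. Everything in it is assumed: the hypothetical `/pay` endpoint, the parameter names, the length limits and character classes, and the sample requests; a real profile would be derived from the application's actual input contract.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Boundary is one name-value rule: the longest value accepted and the
// character class the (URL-decoded) value must match in full.
type Boundary struct {
	MaxLen  int
	Pattern *regexp.Regexp
}

// Profile holds boundaries for the three input locations the slide names.
// Query/form parameters not listed are rejected when DenyUnknownParams is set;
// headers and cookies not listed are passed through unexamined.
type Profile struct {
	Params, Headers, Cookies map[string]Boundary
	DenyUnknownParams        bool
}

// Violation records one reason for rejecting a request.
type Violation struct{ Where, Name, Reason string }

// checkSet applies the rules of one location to decoded name -> values.
func checkSet(where string, rules map[string]Boundary, values map[string][]string, denyUnknown bool) []Violation {
	var out []Violation
	for name, vals := range values {
		rule, known := rules[name]
		if !known {
			if denyUnknown {
				out = append(out, Violation{where, name, "not in profile"})
			}
			continue
		}
		for _, v := range vals {
			switch {
			case len(v) > rule.MaxLen:
				out = append(out, Violation{where, name, fmt.Sprintf("length %d exceeds %d", len(v), rule.MaxLen)})
			case !rule.Pattern.MatchString(v):
				out = append(out, Violation{where, name, "value outside allowed character class"})
			}
		}
	}
	return out
}

// parseCookies splits a Cookie request header into name -> values.
func parseCookies(header string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(header, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 && kv[0] != "" {
			out[kv[0]] = append(out[kv[0]], kv[1])
		}
	}
	return out
}

// Inspect decodes the query string (so "%27" is checked as "'"), lower-cases
// header names, splits cookies, and returns every boundary violation found.
// An empty result means the request is within the profile.
func (p Profile) Inspect(rawQuery string, headers map[string]string, cookieHeader string) []Violation {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return []Violation{{"query", "", "malformed query string: " + err.Error()}}
	}
	h := map[string][]string{}
	for k, v := range headers {
		h[strings.ToLower(k)] = []string{v}
	}
	var found []Violation
	found = append(found, checkSet("query", p.Params, q, p.DenyUnknownParams)...)
	found = append(found, checkSet("header", p.Headers, h, false)...)
	found = append(found, checkSet("cookie", p.Cookies, parseCookies(cookieHeader), false)...)
	return found
}

// PaymentProfile is a constructed profile for a hypothetical /pay form.
var PaymentProfile = Profile{
	Params: map[string]Boundary{
		"orderId":  {MaxLen: 12, Pattern: regexp.MustCompile(`^[0-9]+$`)},
		"currency": {MaxLen: 3, Pattern: regexp.MustCompile(`^[A-Z]{3}$`)},
	},
	Headers:           map[string]Boundary{"user-agent": {MaxLen: 256, Pattern: regexp.MustCompile(`^[\x20-\x7e]*$`)}},
	Cookies:           map[string]Boundary{"session": {MaxLen: 64, Pattern: regexp.MustCompile(`^[A-Za-z0-9_-]+$`)}},
	DenyUnknownParams: true,
}

func main() {
	ua := map[string]string{"User-Agent": "curl/8.0"}
	fmt.Println("in profile:", PaymentProfile.Inspect("orderId=1001&currency=MXN", ua, "session=abc123"))
	fmt.Println("rejected:  ", PaymentProfile.Inspect("orderId=1001%27&currency=MXNX&debug=1", ua, "session=abc<def"))
}
```

The check runs on decoded values, so `orderId=1001%27` is tested as `1001'` and fails the numeric class, and an unlisted parameter (`debug`) fails closed because the profile denies unknown names, which is the setting a cardholder-data endpoint wants. Headers and cookies not named in the profile pass through here, so any header a back end acts on still needs its own rule.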
DataPower: Protecting Cardholder Data
Incoming Message – data not encrypted:
<Credit Card>
<Cust>Brian P. Bell</Cust>
<CreditCardNumber>3732 955939 395500</CreditCardNumber>
<Credit Type>AMEX</Credit Type>
……………….
</Credit Card>
Encrypted & digitally signed message:
<Credit Card>
<Cust>Brian P. Bell</Cust>
<Encrypted CCN>ws389maz301</Encrypted CCN>
<Credit Type>AMEX</Credit Type>
……………….
</Credit Card>
Flow (protocols: HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc.; direct DB connect to DB2 9):
1. The client sends credit card information to be stored in the database through a supported protocol.
2. DataPower applies its key functions: terminate SSL, defend against XML threats, validate XML (schema), authentication, authorization, audit/transaction logging, filter data, encrypt/decrypt message, digitally sign message, mask back-end resources, route based on content.
3. The encrypted XML data is delivered to the database, which stores the encrypted credit card number for later use.
4. A response message is sent confirming the insertion of the encrypted credit card number into the database, and the client receives that confirmation.
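To make the flow above concrete, here is an added Go example (written for this page, not DataPower's implementation or IBM code) of the two message-level operations the slide names: encrypting the `CreditCardNumber` element and digitally signing the resulting message. It assumes a well-formed version of the slide's message (element names without spaces), AES-256-GCM for the field, Ed25519 for the signature, and locally generated keys; a gateway would use its configured keystore or HSM and the W3C XML Encryption and XML Signature formats listed under supported standards rather than this simple envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// SampleMessage is a constructed, well-formed version of the slide's incoming
// message (element names made valid XML names; the PAN is the slide's own).
const SampleMessage = `<CreditCard><Cust>Brian P. Bell</Cust><CreditCardNumber>3732 955939 395500</CreditCardNumber><CreditType>AMEX</CreditType></CreditCard>`

// CreditCard carries either the clear PAN or its ciphertext, never both.
type CreditCard struct {
	XMLName      xml.Name `xml:"CreditCard"`
	Cust         string   `xml:"Cust"`
	CCN          string   `xml:"CreditCardNumber,omitempty"`
	EncryptedCCN string   `xml:"EncryptedCCN,omitempty"`
	CreditType   string   `xml:"CreditType"`
}

// Signed is the outbound envelope: the protected message plus a detached signature.
type Signed struct {
	XMLName   xml.Name `xml:"SignedMessage"`
	Body      string   `xml:"Body"`      // base64 of the field-encrypted CreditCard XML
	Signature string   `xml:"Signature"` // base64 Ed25519 signature over the Body bytes
}

// NewKeys makes a fresh AES-256 key and Ed25519 pair (demo only; a gateway keeps these in its keystore/HSM).
func NewKeys() (aesKey []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey, err error) {
	aesKey = make([]byte, 32)
	if _, err = rand.Read(aesKey); err != nil { return }
	pub, priv, err = ed25519.GenerateKey(rand.Reader)
	return
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptField replaces the clear PAN with AES-256-GCM ciphertext (nonce prefixed).
// Cust and CreditType are bound as associated data, so a ciphertext cannot be
// moved onto another customer's record without failing decryption.
func EncryptField(key []byte, in []byte) ([]byte, error) {
	var cc CreditCard
	if err := xml.Unmarshal(in, &cc); err != nil { return nil, err }
	if cc.CCN == "" { return nil, errors.New("message carries no clear CreditCardNumber") }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nonce, nonce, []byte(cc.CCN), []byte(cc.Cust+"|"+cc.CreditType))
	cc.CCN, cc.EncryptedCCN = "", base64.StdEncoding.EncodeToString(ct)
	return xml.Marshal(cc)
}

// DecryptField recovers the PAN; any change to ciphertext, nonce or bound fields is rejected.
func DecryptField(key []byte, in []byte) (string, error) {
	var cc CreditCard
	if err := xml.Unmarshal(in, &cc); err != nil { return "", err }
	ct, err := base64.StdEncoding.DecodeString(cc.EncryptedCCN)
	if err != nil { return "", err }
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	if len(ct) < gcm.NonceSize() { return "", errors.New("ciphertext too short") }
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(cc.Cust+"|"+cc.CreditType))
	if err != nil { return "", err }
	return string(pt), nil
}

// ProtectAndSign is the gateway action in the slide's order: encrypt the field, then sign the message.
func ProtectAndSign(key []byte, priv ed25519.PrivateKey, in []byte) ([]byte, error) {
	body, err := EncryptField(key, in)
	if err != nil { return nil, err }
	return xml.Marshal(Signed{
		Body:      base64.StdEncoding.EncodeToString(body),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body)),
	})
}

// VerifyAndRecover checks the signature first and only then decrypts the field.
func VerifyAndRecover(key []byte, pub ed25519.PublicKey, signed []byte) (string, error) {
	var s Signed
	if err := xml.Unmarshal(signed, &s); err != nil { return "", err }
	body, err := base64.StdEncoding.DecodeString(s.Body)
	if err != nil { return "", err }
	sig, err := base64.StdEncoding.DecodeString(s.Signature)
	if err != nil { return "", err }
	if !ed25519.Verify(pub, body, sig) { return "", errors.New("signature verification failed") }
	return DecryptField(key, body)
}

func main() {
	key, pub, priv, err := NewKeys()
	if err != nil { panic(err) }
	signed, err := ProtectAndSign(key, priv, []byte(SampleMessage))
	if err != nil { panic(err) }
	fmt.Printf("stored form: %s\n", signed)
	pan, err := VerifyAndRecover(key, pub, signed)
	fmt.Println("recovered PAN:", pan, "err:", err)
}
```

The customer name and card type are bound to the ciphertext as associated data, so a stored `EncryptedCCN` cannot be copied onto another customer's record and still decrypt, and the signature is checked before any decryption is attempted. Transport protection (Requirement 4) is a separate layer: the SSL 2/3 and TLS 1.0 entries in the supported-standards list are no longer acceptable for cardholder data under PCI DSS (v3.2 set a 30 June 2018 migration deadline, three months after this deck's date), so the HTTPS listeners in such a flow should be configured for TLS 1.2 or later.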
Field-level XML Security
▪ Sign, verify, encrypt & decrypt
▪ XML Encryption & XML Digital Signature at:
– Message-level
– Part-of-message or field-level
– Headers, as building block of other security specs
▪ Field-level security configurable from the WebGUI
▪ Verify-all option (data-driven verification of all signatures)
▪ DataPower’s own implementation, listed in W3C Interop matrix:
– http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
– http://www.w3.org/Encryption/2002/02-xenc-interop.html
– Agility for interoperability or customization
▪ Secure Attachment Processing:
– Supports the full SOAP with Attachments specification (MIME/DIME)
– WS-Security
▪ Last-mile Security for SOA
DataPower Anti-Virus Protection
§ Allows messages and attachments to be checked for viruses
§ Integrates with corporate virus checking software through the ICAP protocol
§ Anti-Virus Processing Action eases configuration and use of this capability
§ Includes pre-configured Host Types (CLAM, Symantec, Trend, Webwasher) as well as customizability
Access Control
Enforce Who can access Which Web service & When
▪ Deploy as a high-speed access policy enforcement point
▪ Modular authentication/authorization architecture:
– x = extract-identity()
– z = extract-resource()
– zm = map-resource(z)
– y = authenticate(x); if (y == null) reject
– ym = map-credentials-attributes(y)
– allowed = authorize(ym, zm); if (!allowed) reject
– audit-and-post-processing();
▪ Identity examples include:
- WS-Security user/pass token
- SSL client certificate
- SAML assertion
- HTTP basic-auth
- Proprietary SSO cookie/token
▪ Resource examples:
- URL
- SOAP method
Access Control (2)
Leading Standards and Third-party Integration Support
▪ Access control policy:
– On-board: certs, XML file [can start simple]
– Off-board: external access control servers
▪ Standards-based integration:
– LDAP (for CRL, authentication, authorization)
– RADIUS (authentication)
– XKMS (for CRL, authentication)
– SAML (consume, authentication, authorization, produce)
– WS-Security, WS-Trust, WS-*
– Outbound SOAP or HTTP call
▪ Integration with access management solutions:
– Tivoli Access Manager
– Tivoli Federated Identity Manager
– RSA ClearTrust
– Microsoft Active Directory
– Sun Identity Server
– Netegrity SiteMinder or TransactionMinder
– Oblix
– CA eTrust
– …others including custom integration with any customer environment
Access Control (3)
AAA Framework Diagram - Authenticate, Authorize, Audit
DataPower AAA Framework (diagram): a SOAP/XML message enters, passes through Extract Identity, Extract Resource, Authenticate, Map Credentials, Map Resource, Authorize and Audit & Accounting, and the SOAP/XML message leaves. Authentication and authorization consult an External Access Control Server or On-Board Policy.
– Extract Identity inputs shown: SAML, WS-Security, SSL client cert, HTTP Basic-Auth, SAML assertion
– Extract Resource inputs shown: Web Service URI, SOAP op name, Transfer amount
– Audit & Accounting outputs shown: Non-repudiation, Monitoring
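The seven-step policy on the first Access Control slide and the AAA diagram above, carried through as an added Go example (written for this page, not DataPower's AAA framework or IBM code). The identity source (HTTP basic-auth), the resource mapping (`path#operation` taken from the `SOAPAction` header), the user, role and policy tables, and the request builder are all constructed for the demo; a gateway would replace `authenticate` and `authorize` with calls to LDAP, RADIUS, SAML or an external access control server as the slides list.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Identity is the output of extract-identity(); this demo extracts HTTP basic-auth only.
type Identity struct{ User, Secret string }

// Resource is the output of extract-resource(): request path plus SOAP operation.
type Resource struct{ Path, Operation string }

// AuditEntry is what audit-and-post-processing() records for every decision.
type AuditEntry struct{ User, Resource, Decision string }

// AAA is a constructed on-board policy store standing in for the external
// servers a gateway would normally consult.
type AAA struct {
	Secrets map[string]string          // user -> shared secret (demo only)
	Roles   map[string]string          // user -> mapped credential (role)
	Policy  map[string]map[string]bool // mapped resource -> role -> allowed
	Audit   []AuditEntry
}

func extractIdentity(r *http.Request) (Identity, error) {
	u, p, ok := r.BasicAuth()
	if !ok {
		return Identity{}, errors.New("no identity presented")
	}
	return Identity{u, p}, nil
}

func extractResource(r *http.Request) Resource {
	return Resource{Path: r.URL.Path, Operation: strings.Trim(r.Header.Get("SOAPAction"), `"`)}
}

// mapResource collapses a concrete resource onto the name used in the policy.
func mapResource(z Resource) string { return z.Path + "#" + z.Operation }

func (a *AAA) authenticate(x Identity) (string, error) {
	if s, ok := a.Secrets[x.User]; ok && subtle.ConstantTimeCompare([]byte(s), []byte(x.Secret)) == 1 {
		return x.User, nil
	}
	return "", errors.New("authentication failed")
}

func (a *AAA) mapCredentials(y string) string { return a.Roles[y] }

func (a *AAA) authorize(ym, zm string) bool { return a.Policy[zm][ym] }

func (a *AAA) reject(user, zm, why string) (bool, string) {
	a.Audit = append(a.Audit, AuditEntry{user, zm, "reject: " + why})
	return false, why
}

// Decide runs the pipeline in the order given on the slide; every path ends in an audit record.
func (a *AAA) Decide(r *http.Request) (bool, string) {
	x, err := extractIdentity(r)
	zm := mapResource(extractResource(r))
	if err != nil {
		return a.reject("-", zm, err.Error())
	}
	y, err := a.authenticate(x)
	if err != nil {
		return a.reject(x.User, zm, err.Error())
	}
	ym := a.mapCredentials(y)
	if !a.authorize(ym, zm) {
		return a.reject(y, zm, "not authorized")
	}
	a.Audit = append(a.Audit, AuditEntry{y, zm, "allow"})
	return true, "allow"
}

// NewDemoAAA builds a constructed policy: terminals may authorize payments, only back-office may refund.
func NewDemoAAA() *AAA {
	return &AAA{
		Secrets: map[string]string{"pos-terminal": "terminal-secret", "back-office": "office-secret"},
		Roles:   map[string]string{"pos-terminal": "terminal", "back-office": "operator"},
		Policy: map[string]map[string]bool{
			"/payments#Authorize": {"terminal": true, "operator": true},
			"/payments#Refund":    {"operator": true},
		},
	}
}

// DemoRequest builds a SOAP-style POST with basic-auth and a SOAPAction header (hypothetical host).
func DemoRequest(user, secret, path, op string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://gateway.example"+path, nil)
	r.SetBasicAuth(user, secret)
	r.Header.Set("SOAPAction", `"`+op+`"`)
	return r
}

func main() {
	a := NewDemoAAA()
	for _, r := range []*http.Request{
		DemoRequest("pos-terminal", "terminal-secret", "/payments", "Authorize"),
		DemoRequest("pos-terminal", "terminal-secret", "/payments", "Refund"),
		DemoRequest("pos-terminal", "wrong-secret", "/payments", "Authorize"),
	} {
		ok, why := a.Decide(r)
		fmt.Println(ok, why)
	}
	fmt.Println(a.Audit)
}
```

Each request ends in exactly one audit record whether it is allowed or rejected, and the rejection reason distinguishes a failed authentication from a failed authorization, which is what Requirement 10's tracking of access to cardholder data needs from the enforcement point.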
Compliance = Appliance!
▪ Regulatory Compliance is an ever-growing concern for large enterprise customers
– e.g. The Financial Services industry alone has recently had to deal with Sarbanes-Oxley, Basel II and PCI DSS
▪ In practice, compliance consists of demonstrating that your company’s policies meet the regulations, and then “attesting” that you follow your documented policies
– Attesting is the hard part!
▪ DataPower’s configured processing has always been labeled “policies”
▪ DataPower policies can be exported in human-readable form (XML), thereby reducing the pain associated with attestation
– It makes an extremely difficult process much easier
▪ DataPower’s certification to a number of industry standards (FIPS 140-2, CC EAL4 Evaluation) also makes it compliance-friendly
WS-Policy/WS-Security Policy
DataPower’s out-of-the-box support for the WS-Policy standards framework means that DataPower runtime policies can be expressed in a way that is both “human readable” and “universally understood” by multiple software solutions.
Open Web Application Security Project Compliance
Provides protection against 100% of OWASP Top 10 risks
Summary: Business Benefits
§ Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy to consume and extremely low TCO network device
§ Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost
§ Flexibility: Secure, integrate, bridge and version applications without application modification
§ Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic
§ Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”
§ Reduce Risk: Takes the “grunt work” out of SOA application security and integration allowing you to focus on building your business logic. “In the network” platform allows improved security and audit capabilities without application modification
§ Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives
§ A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways
“I’ve been in retail for 30 years. There has been more change in the last five years than in the previous 25 years” – Andy Clarke
Thank you!
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technology
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big risk
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
Improve IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkImprove IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in Splunk
 
Domino and AWS: collaborative analytics and model governance at financial ser...
Domino and AWS: collaborative analytics and model governance at financial ser...Domino and AWS: collaborative analytics and model governance at financial ser...
Domino and AWS: collaborative analytics and model governance at financial ser...
 
Indonesia new default short msp client presentation partnership with isv
Indonesia new default short msp client presentation   partnership with isvIndonesia new default short msp client presentation   partnership with isv
Indonesia new default short msp client presentation partnership with isv
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
 
Real-time Visibility at Scale with Sumo Logic
Real-time Visibility at Scale with Sumo LogicReal-time Visibility at Scale with Sumo Logic
Real-time Visibility at Scale with Sumo Logic
 

Recently uploaded

AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 

Recently uploaded (20)

AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 

DataPower for PCI

  • 1. IBM DataPower - PCI Solutions. Xchel Martínez Galicia (IBM Hybrid Cloud: Technical Connectivity, Integration and SOA IT Specialist, xchel@mx1.ibm.com) and César Tort (Integration & Development - Key Accounts, ctort@mx1.ibm.com). March 27th, 2018.
  • 2. “Stores of the future will be more connected and experience-driven… Data security will be a major concern” (Planet Retail)
  • 4. Content
      • About PCI (Payment Card Industry)
      • PCI DSS (Data Security Standard)
      • Which kind of data should be protected?
      • What are WebSphere DataPower Appliances?
      • WebSphere DataPower and the PCI DSS “Digital Dozen”
  • 5. About PCI (Payment Card Industry)
  • 6. About PCI (Payment Card Industry)
      § The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
      § The Council was founded in 2006, with American Express, Discover Financial Services, Japan Credit Bureau International, MasterCard and Visa Inc. as founding members.
      § As of 2018, the PCI SSC lists 797 Participating Organizations around the world. IBM is one of them!
      § Founding members have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs.
  • 7. PCI DSS (Data Security Standard)
  • 8. PCI DSS (Data Security Standard)
      § Whom does PCI DSS serve? Those who work with and are associated with payment cards. This includes: retail (e-commerce and brick and mortar), merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.
      § What is the objective of working with PCI DSS?
        – Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
        – Helping vendors understand and implement standards for creating and maintaining secure payment solutions.
      § Why is it important to comply with PCI DSS? Potential liabilities:
        • Lost confidence, so customers go to other merchants
        • Diminished sales
        • Cost of reissuing new payment cards
        • Fraud losses
        • Higher subsequent costs of compliance
        • Legal costs, settlements and judgments
        • Fines and penalties
        • Termination of ability to accept payment cards
        • Lost jobs (CISO, CIO, CEO and dependent professional positions)
        • Going out of business
  • 9. But, what is PCI DSS?
      § PCI DSS provides a baseline of technical and operational requirements designed to protect account data. It includes 12 requirements; the slide gives a high-level overview of them.
  • 10. Which kind of data should be protected?
  • 11. Which kind of data should be protected?
      § Where are the crown jewels? Cardholder data refers to any information contained on a customer’s payment card. The data is printed on either side of the card and is contained in digital format on the magnetic stripe embedded on the back of the card. Some payment cards store data in chips embedded on the front side. The front side usually has the primary account number (PAN), cardholder name and expiration date. The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization.
  • 12. Which kind of data should be protected?
      § Here are the crown jewels!
  • 13. What are WebSphere DataPower Gateway Appliances?
  • 14. What are WebSphere DataPower Gateway Appliances?
      Product Value: “Specialized purpose-built hardened embedded network devices that take the ‘hard parts’ of SOA security and integration traditionally requiring complex and costly software systems and deliver them in a simple ‘uncrate, rack, configure and deploy’ platform.”
      A powerful and uniquely efficient message- and file-oriented, configuration-driven security and integration platform with the extremely low operational TCO of a true network device.
  • 15. Over 3,000 worldwide installations and growing!
      Insurance
        § Used by 95% of top global insurance firms
        § SaaS providers, ASPs, regulators, etc.
      Government
        § Agencies and ministries
        § Defense and security organizations
        § Crown corporations
      Banking
        § 80% of top 100 Banks
        § Numerous regional banks and credit unions
        § SaaS providers, ASPs, regulators, etc.
      Many, many, more
        § Retailers
        § Utilities, Power, Oil and Gas
        § Airlines
        § etc.
  • 16. IBM DataPower Appliances Lead the Market: The Leader in SOA Appliances
      Over 2200 DataPower Appliance clients
        § The largest portfolio of SOA appliances
        § 80% of customers are repeat buyers
        § Appliance Innovator: leading the appliance market since 2003
        § 90% of top 100 Financial Institutions are DataPower installations
        § Broadest support for open standards and programming models
        § Proven to accelerate time-to-market and lower total cost of ownership
      “One of the strongest points for IBM comes from its industry-leading experience with both SOA and appliances. Because IBM has been in the SOA game for a long time, it has built up extensive and pervasive SOA skills globally... IBM has developed a solid business approach to the appliance marketplace, taking into account the challenges of adding new members to the range, maintaining a consistent focus and ensuring clients continue to get ongoing value.” ~ Source: November 2012, Lustratus Research, Inc: A Competitive Review of SOA Appliances
      Gartner reported that IBM continues to be number one in key areas including Integration Appliances. Source: April 2012, “IBM Named Marketshare Leader in Middleware Software”, http://www-03.ibm.com/press/us/en/pressrelease/37376.wss
  • 17. Supported standards & protocols
      • Data format & language: JavaScript; JSON; JSON Schema; JSONiq; REST; SOAP 1.1, 1.2; WSDL 1.1; XML 1.0; XML Schema 1.0; XPath 1.0; XPath 2.0 (XQuery only); XSLT 1.0; XQuery 1.0
      • Security policy enforcement: OAuth 2.0; SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries; XACML 2.0; Kerberos, SPNEGO; RADIUS; LDAP versions 2 and 3; Lightweight Third-Party Authentication (LTPA); Microsoft Active Directory; FIPS 140-2 Level 3 (w/ optional HSM); SAF & IBM RACF® integration with z/OS; Internet Content Adaptation Protocol; W3C XML Encryption; W3C XML Signature; S/MIME encryption and digital signature; WS-Security 1.0, 1.1; WS-I Basic Security Profile 1.0, 1.1; WS-SecurityPolicy; WS-SecureConversation 1.3
      • Transport & connectivity: HTTP, HTTPS, WebSocket Proxy; FTP, FTPS, SFTP; WebSphere MQ; WebSphere MQ File Transfer Edition (MQFTE); TIBCO EMS; WebSphere Java Message Service (JMS); IBM IMS Connect & IMS Callout; NFS; AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62); DB2, Microsoft SQL Server, Oracle, Sybase, IMS
      • Transport Layer Security: SSL versions 2 and 3; TLS versions 1.0, 1.1, and 1.2
      • Public key infrastructure (PKI): RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP; PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12; XKMS for integration with Tivoli Security Policy Manager (TSPM)
      • Management: Simple Network Management Protocol (SNMP); SYSLOG; IPv4, IPv6
      • Open File Formats: Distributed Management Task Force (DMTF) Open Virtualization Format (OVF); VMware Virtual Machine Disk Format (VMDK)
      • Web services: WS-I Basic Profile 1.0, 1.1; WS-I Simple SOAP Basic Profile; WS-Policy Framework; WS-Policy 1.2, 1.5; WS-Trust 1.3; WS-Addressing; WS-Enumeration; WS-Eventing; WS-Notification; Web Services Distributed Management (WSDM); WS-Management; WS-I Attachments Profile; SOAP Attachment Feature 1.2; SOAP with Attachments (SwA); Direct Internet Message Encapsulation (DIME); Multipurpose Internet Mail Extensions (MIME); XML-binary Optimized Packaging (XOP); Message Transmission Optimization Mechanism (MTOM); WS-MediationPolicy (IBM standard); Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription; WebSphere Service Registry and Repository (WSRR)
  • 18. WebSphere DataPower - Use Cases (architecture diagram spanning the Internet, DMZ and Trusted Domain zones, with Business Consumer, B2B Partner, Mobile, HMC, Application and System z as the endpoints)
      1. B2B Partner Gateway
      2. Secure Gateway (Web Services, Web Applications)
      3. Intelligent Load Distribution
      4. Internal Security
      5. Light Weight Integration
      6. Web Service Management
      7. Legacy Integration
      8. Run time SOA Governance
  • 19. WebSphere DataPower and the PCI DSS “Digital Dozen”
  • 20. WebSphere DataPower and the PCI DSS “Digital Dozen”
      WebSphere DataPower is an ideal solution for many of the requirements:
      ▪ Build and Maintain a Secure Network
        – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
        – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
      ▪ Protect Cardholder Data
        – Requirement 3: Protect stored cardholder data
        – Requirement 4: Encrypt transmission of cardholder data across open, public networks
      ▪ Maintain a Vulnerability Management Program
        – Requirement 5: Use and regularly update anti-virus software
        – Requirement 6: Develop and maintain secure systems and applications
      ▪ Implement Strong Access Control Measures
        – Requirement 7: Restrict access to cardholder data by business need-to-know
        – Requirement 8: Assign a unique ID to each person with computer access
        – Requirement 9: Restrict physical access to cardholder data
      ▪ Regularly Monitor and Test Networks
        – Requirement 10: Track and monitor all access to network resources and cardholder data
        – Requirement 11: Regularly test security systems and processes
      ▪ Maintain an Information Security Policy
        – Requirement 12: Maintain a policy that addresses information security
  • 21. DataPower - Key Functions for PCI Compliance (the slide’s margin labels Req. 1; Req. 3, 4; Req. 5; Req. 7, 8, 9; Req. 10 and Req. 12 tie the functions to PCI DSS requirements; the likely pairing is given in parentheses)
      § Web Services (XML) - Filter on any content, metadata or network variables (Req. 1)
      § Web Application Firewall - HTTP Protocol Filtering, Threat Protection, Cookie Handling (Req. 1)
      § Data Validation - Approve incoming/outgoing Web traffic, Web Services, XML at wire speed (Req. 1)
      § Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation (Req. 3, 4)
      § Encryption of transport layer - HTTP, HTTPS, SSL (Req. 3, 4)
      § Anti Virus Protection - messages and attachments checked for viruses; integrates with corporate virus checking software through the ICAP protocol (Req. 5)
      § XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc. (Req. 7, 8, 9)
      § Management & Logging - manage & track services, logging of all activities, audit (Req. 10)
      § Security Policy Management - security policies “universally understood” by multiple software solutions, eases the PCI certification process (Req. 12)
      § Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)
  • 22. The PCI DSS consists of 12 requirements:
      ▪ Build and Maintain a Secure Network
        – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
        – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
      ▪ Protect Cardholder Data
        – Requirement 3: Protect stored cardholder data
        – Requirement 4: Encrypt transmission of cardholder data across open, public networks
      ▪ Maintain a Vulnerability Management Program
        – Requirement 5: Use and regularly update anti-virus software
        – Requirement 6: Develop and maintain secure systems and applications
      ▪ Implement Strong Access Control Measures
        – Requirement 7: Restrict access to cardholder data by business need-to-know
        – Requirement 8: Assign a unique ID to each person with computer access
        – Requirement 9: Restrict physical access to cardholder data
      ▪ Regularly Monitor and Test Networks
        – Requirement 10: Track and monitor all access to network resources and cardholder data
        – Requirement 11: Regularly test security systems and processes
      ▪ Maintain an Information Security Policy
        – Requirement 12: Maintain a policy that addresses information security
  • 23. XML/SOAP Firewall
      ▪ An important – but small – part of DataPower
      ▪ Integrated multi-layer filters:
        – IP-layer params (e.g., client IP address)
        – SSL params (e.g., client certificate)
        – Any part of HTTP header
        – XPath or XML configuration files for any part of SOAP header
        – XPath or XML configuration files on any part of XML payload
        – First-level filter select based on service, URL, etc.
      ▪ Easy “point and click” XPath Filtering
      ▪ Enable/Disable each SOAP method using WSDL wizard
      ▪ Can be applied at any point in message processing
  • 24. Web Application Firewall
      ▪ URL-encoded HTTP application protection in addition to XML Web Services firewall security
      ▪ Protection for static or dynamic HTML-based applications
      ▪ Supports browser-based clients and HTTP/HTTPS backend servers
      ▪ Wizard-driven configuration
      ▪ Cross-site scripting and SQL Injection protection
      ▪ AAA framework support for web applications
      ▪ General name-value criteria boundary profiles for:
        – Query string and form parameters
        – HTTP headers
        – Cookies
      ▪ HTML Input Conversion Maps for form processing and handling
      ▪ Cookie watermarking (sign and/or encrypt)
      ▪ Rate limiting and traffic throttling/shaping
      ▪ HTTP Header stripping, injection, rewriting and method filtering
      ▪ Content-type filtering
      ▪ Dynamic routing and load balancing
      ▪ Session handling policies
      ▪ SSL Acceleration & Termination
      ▪ Customizable error handling
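One way to implement the name-value boundary profile listed on slide 24, as an added Go example (my own code, not DataPower's configuration or implementation): every known parameter gets an allowed pattern and a maximum length, any other name is a violation, and all violations are returned so the transaction log can record why a request was refused. The profile's parameter names and the sample requests are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// rule bounds one parameter: the shape its value must have and its maximum length.
type rule struct {
	pattern *regexp.Regexp
	maxLen  int
}

// profile is a name-value boundary profile for one request surface (query
// string, form body or, via url.Values(req.Header), the HTTP headers).
type profile struct {
	rules        map[string]rule
	allowUnknown bool // false: any name not listed is a violation
	maxValues    int  // cap on total values, bounding parser work per request
}

// checkoutProfile is a constructed profile for a hypothetical checkout form;
// the parameter names are this example's, not taken from the deck.
var checkoutProfile = profile{
	rules: map[string]rule{
		"order_id": {regexp.MustCompile(`^[0-9]{1,12}$`), 12},
		"qty":      {regexp.MustCompile(`^[1-9][0-9]{0,2}$`), 3},
		"coupon":   {regexp.MustCompile(`^[A-Z0-9-]*$`), 20},
		"email":    {regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`), 254},
	},
	maxValues: 8,
}

// violation records one reason a request fell outside the profile.
type violation struct {
	Name, Reason string
}

// check evaluates a parsed parameter set and returns every violation found, so
// the transaction log can say exactly why a request was refused.
func (p profile) check(values url.Values) []violation {
	var out []violation
	total := 0
	for name, vals := range values {
		total += len(vals)
		r, known := p.rules[name]
		if !known {
			if !p.allowUnknown {
				out = append(out, violation{name, "parameter not in profile"})
			}
			continue
		}
		for _, v := range vals {
			switch {
			case len(v) > r.maxLen:
				out = append(out, violation{name, fmt.Sprintf("value longer than %d", r.maxLen)})
			case !r.pattern.MatchString(v):
				out = append(out, violation{name, "value does not match allowed pattern"})
			}
		}
	}
	if total > p.maxValues {
		out = append(out, violation{"*", fmt.Sprintf("more than %d values", p.maxValues)})
	}
	return out
}

// checkQuery parses a raw query string (or URL-encoded form body) and
// applies the profile; a parse error is itself grounds for refusal.
func checkQuery(p profile, rawQuery string) ([]violation, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	return p.check(values), nil
}

func main() {
	// Constructed request: a coupon value carrying a quote and an operator the
	// pattern does not allow, plus a parameter the profile does not know.
	v, err := checkQuery(checkoutProfile, "order_id=1044&qty=2&coupon=x%27+OR+1%3D1&debug=1")
	fmt.Println(v, err)
}
```

Because http.Header and url.Values share the same underlying type, the same profile runs over request headers with p.check(url.Values(req.Header)).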
  • 26. DataPower: Protecting Cardholder Data
      Flow (protocols: HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc.):
        1. The client sends credit card information to be stored in the database through a supported protocol. Incoming message – data not encrypted:
           <CreditCard>
             <Cust>Brian P. Bell</Cust>
             <CreditCardNumber>3732 955939 395500</CreditCardNumber>
             <CreditType>AMEX</CreditType>
             ……………….
           </CreditCard>
        2. DataPower key functions: Terminate SSL; Defend against XML threats; Validate XML (schema); Authentication; Authorization; Audit/Transaction Logging; Filter data; Encrypt/Decrypt message; Digitally sign message; Mask back-end resources; Route based on content.
        3. Encrypted & digitally signed message:
           <CreditCard>
             <Cust>Brian P. Bell</Cust>
             <EncryptedCCN>ws389maz301</EncryptedCCN>
             <CreditType>AMEX</CreditType>
             ……………….
           </CreditCard>
        4. The encrypted XML data is delivered to the database (DB2 9, Direct DB Connect), where the encrypted credit card number is stored for later use.
        5. A response message is sent confirming the insertion of the encrypted credit card number into the database, and the client receives that confirmation.
• 28. Field-level XML Security
▪ Sign, verify, encrypt & decrypt
▪ XML Encryption & XML Digital Signature at:
– Message-level
– Part-of-message or field-level
– Headers, as building block of other security specs
▪ Field-level security configurable from the WebGUI
▪ Verify-all option (data-driven verification of all signatures)
▪ DataPower’s own implementation, listed in the W3C interop matrices:
– http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
– http://www.w3.org/Encryption/2002/02-xenc-interop.html
– Agility for interoperability or customization
▪ Secure Attachment Processing:
– Supports the full SOAP with Attachments specification (MIME/DIME)
– WS-Security
▪ Last-mile Security for SOA
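The field-level protection that slides 26 and 28 describe (encrypting one element of the message while the rest stays readable, then signing the result so the back end can verify it) carried through as an added example in Go. This is not DataPower's own code or configuration: it uses AES-256-GCM for the field and ECDSA P-256 over the serialized bytes for the signature in place of the XML Encryption and XML Signature processing the appliance performs, and the message, the tag names (CreditCardNumber, EncryptedCCN) and the keys are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ClearMessage is a constructed sample of the incoming message on slide 26
// (element names written without spaces so that it is well-formed XML).
const ClearMessage = `<CreditCard><Cust>Brian P. Bell</Cust><CreditCardNumber>3732 955939 395500</CreditCardNumber><CreditType>AMEX</CreditType></CreditCard>`

// elementText returns the serialized text of the first <tag>...</tag> in doc
// and the byte span [start, end) that the whole element occupies.
func elementText(doc, tag string) (text string, start, end int, err error) {
	open, closing := "<"+tag+">", "</"+tag+">"
	if start = strings.Index(doc, open); start < 0 { return "", 0, 0, fmt.Errorf("element <%s> not found", tag) }
	rel := strings.Index(doc[start:], closing)
	if rel < 0 { return "", 0, 0, fmt.Errorf("element <%s> not closed", tag) }
	return doc[start+len(open) : start+rel], start, start + rel + len(closing), nil
}

// replaceElement substitutes the span [start, end) with <tag>text</tag>; text must
// already be XML-safe (base64 output, or text copied verbatim from the document).
func replaceElement(doc string, start, end int, tag, text string) string {
	return doc[:start] + "<" + tag + ">" + text + "</" + tag + ">" + doc[end:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptField replaces <srcTag> with <dstTag> holding base64(nonce || AES-256-GCM ciphertext).
// The destination tag name is bound as GCM additional data, so a ciphertext cannot be
// moved to another field without the authentication check failing.
func EncryptField(doc, srcTag, dstTag string, key []byte) (string, error) {
	plain, start, end, err := elementText(doc, srcTag)
	if err != nil { return "", err }
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize()) // fresh per field; never reuse a nonce with the same key
	if _, err := rand.Read(nonce); err != nil { return "", err }
	sealed := gcm.Seal(nonce, nonce, []byte(plain), []byte(dstTag))
	return replaceElement(doc, start, end, dstTag, base64.StdEncoding.EncodeToString(sealed)), nil
}

// DecryptField reverses EncryptField. A wrong key, a modified ciphertext or a ciphertext
// moved under another tag name all make gcm.Open fail, and the message is rejected.
func DecryptField(doc, srcTag, dstTag string, key []byte) (string, error) {
	b64, start, end, err := elementText(doc, srcTag)
	if err != nil { return "", err }
	sealed, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return "", err }
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	n := gcm.NonceSize()
	if len(sealed) < n { return "", errors.New("ciphertext too short") }
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(srcTag))
	if err != nil { return "", errors.New("field decryption failed: wrong key or tampered data") }
	return replaceElement(doc, start, end, dstTag, string(plain)), nil
}

// NewSigningKey generates the ECDSA P-256 key pair used for the message signature.
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignMessage and VerifyMessage sign SHA-256 of the message bytes. XML Signature would
// canonicalize the signed subtree first; here any byte change, even whitespace, fails verification.
func SignMessage(priv *ecdsa.PrivateKey, doc string) ([]byte, error) {
	h := sha256.Sum256([]byte(doc))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func VerifyMessage(pub *ecdsa.PublicKey, doc string, sig []byte) bool {
	h := sha256.Sum256([]byte(doc))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key := make([]byte, 32) // constructed data key; on the appliance it lives in a crypto object or HSM
	if _, err := rand.Read(key); err != nil { panic(err) }
	enc, err := EncryptField(ClearMessage, "CreditCardNumber", "EncryptedCCN", key)
	if err != nil { panic(err) }
	priv, _ := NewSigningKey()
	sig, _ := SignMessage(priv, enc)
	fmt.Println("to database:", enc)
	fmt.Println("signature valid:", VerifyMessage(&priv.PublicKey, enc, sig), "after tampering:", VerifyMessage(&priv.PublicKey, strings.Replace(enc, "AMEX", "VISA", 1), sig))
	dec, err := DecryptField(enc, "EncryptedCCN", "CreditCardNumber", key)
	fmt.Println("round trip ok:", err == nil && dec == ClearMessage)
}
```

Two choices matter for the PCI case. Binding the tag name as GCM additional data means an attacker who can rewrite the stored XML cannot swap an encrypted PAN into another customer's record or another field without decryption failing. And because the signature covers the message with the field already encrypted, the database side can verify who produced the record without ever seeing the card number, which is what keeps the back end out of the cardholder-data scope that slide 26 is illustrating.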
• 30. DataPower Anti-Virus Protection
▪ Allows messages and attachments to be checked for viruses
▪ Integrates with corporate virus checking software through the ICAP protocol
▪ An Anti-Virus Processing Action eases configuration and use of this capability
▪ Includes pre-configured Host Types (CLAM, Symantec, Trend, Webwasher) as well as customizability
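The ICAP exchange behind slide 30, as an added example in Go that is not DataPower's Anti-Virus action: the gateway wraps the client's HTTP request in an ICAP REQMOD request (RFC 3507), hands it to the scanner, and then decides from the scanner's reply whether to forward the original message. The host names, service path and reply messages are constructed; the X-Infection-Found and X-Virus-ID headers are a widely used vendor extension rather than part of RFC 3507, so check which your scanner emits.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ScanResult is what the gateway learns from the ICAP server's reply.
type ScanResult struct {
	Status   int
	Infected bool
	Threat   string
}

// BuildREQMOD wraps an HTTP request in an ICAP REQMOD request (RFC 3507) so that an
// anti-virus server can scan the body before the gateway forwards it. "Allow: 204" tells
// the server it may answer 204 (unmodified) instead of echoing the whole message back.
func BuildREQMOD(icapHost, service, httpRequestLine, httpHost string, body []byte) []byte {
	reqHdr := fmt.Sprintf("%s\r\nHost: %s\r\nContent-Length: %d\r\n\r\n", httpRequestLine, httpHost, len(body))
	var b strings.Builder
	fmt.Fprintf(&b, "REQMOD icap://%s/%s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n", icapHost, service, icapHost)
	// Encapsulated offsets are byte positions inside the encapsulated section that follows.
	fmt.Fprintf(&b, "Encapsulated: req-hdr=0, req-body=%d\r\n\r\n", len(reqHdr))
	b.WriteString(reqHdr)
	fmt.Fprintf(&b, "%x\r\n%s\r\n0\r\n\r\n", len(body), body) // the body travels chunked
	return []byte(b.String())
}

// splitKV splits "name: value" (or "key=value") at the first separator, trimming both parts.
func splitKV(s, sep string) (string, string, bool) {
	i := strings.Index(s, sep)
	if i < 0 {
		return "", "", false
	}
	return strings.TrimSpace(s[:i]), strings.TrimSpace(s[i+len(sep):]), true
}

// ParseICAPResponse reads the ICAP status line and headers. 204 means the server left the
// message unmodified (clean). 200 means it returned a modified message, which AV servers
// use to replace an infected body; X-Infection-Found and X-Virus-ID are a common but
// vendor-dependent ICAP extension carrying the detection details.
func ParseICAPResponse(raw string) (ScanResult, error) {
	head := raw
	if i := strings.Index(raw, "\r\n\r\n"); i >= 0 {
		head = raw[:i]
	}
	lines := strings.Split(head, "\r\n")
	fields := strings.Fields(lines[0])
	if len(fields) < 2 || !strings.HasPrefix(fields[0], "ICAP/") {
		return ScanResult{}, fmt.Errorf("not an ICAP status line: %q", lines[0])
	}
	status, err := strconv.Atoi(fields[1])
	if err != nil {
		return ScanResult{}, err
	}
	res := ScanResult{Status: status}
	for _, line := range lines[1:] {
		name, value, ok := splitKV(line, ":")
		if !ok {
			continue
		}
		switch strings.ToLower(name) {
		case "x-virus-id":
			res.Infected, res.Threat = true, value
		case "x-infection-found": // e.g. "Type=0; Resolution=2; Threat=EICAR-Test-File;"
			res.Infected = true
			for _, kv := range strings.Split(value, ";") {
				if k, v, ok := splitKV(kv, "="); ok && strings.EqualFold(k, "Threat") && res.Threat == "" {
					res.Threat = v
				}
			}
		}
	}
	return res, nil
}

// ShouldForward is the gateway decision: fail closed. Only an explicit 204 lets the original
// message through; a 200, with or without infection headers, means the scanner changed it.
func ShouldForward(r ScanResult) bool { return r.Status == 204 }

func main() {
	req := BuildREQMOD("av.example.internal:1344", "reqmod", "POST /orders/card HTTP/1.1", "pos.example.internal", []byte("<Order>...</Order>"))
	fmt.Printf("%s", req)
	// Constructed replies: one for a clean message, one for an EICAR detection.
	clean, _ := ParseICAPResponse("ICAP/1.0 204 No Content\r\nISTag: \"av-2018-03\"\r\n\r\n")
	hit, _ := ParseICAPResponse("ICAP/1.0 200 OK\r\nX-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\nX-Virus-ID: EICAR-Test-File\r\n\r\n")
	fmt.Println("forward clean:", ShouldForward(clean), "forward hit:", ShouldForward(hit), "threat:", hit.Threat)
}
```

The fail-closed rule in ShouldForward is the part worth copying into any gateway policy: a scanner that times out, returns 500, or returns a modified 200 without naming a threat must all block the message, because treating "not 204" as "clean" turns a scanner outage into a bypass.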
• 32. Access Control: Enforce Who can access Which Web service & When
▪ Deploy as a high-speed access policy enforcement point
▪ Modular authentication/authorization architecture:
– x = extract-identity()
– z = extract-resource()
– zm = map-resource(z)
– y = authenticate(x); if (y == null) reject
– ym = map-credentials-attributes(y)
– allowed = authorize(ym, zm); if (!allowed) reject
– audit-and-post-processing()
▪ Identity examples include:
– WS-Security user/pass token
– SSL client certificate
– SAML assertion
– HTTP basic-auth
– Proprietary SSO cookie/token
▪ Resource examples:
– URL
– SOAP method
• 33. Access Control (2): Leading Standards and Third-party Integration Support
▪ Access control policy:
– On-board: certs, XML file [can start simple]
– Off-board: external access control servers
▪ Standards-based integration:
– LDAP (for CRL, authentication, authorization)
– RADIUS (authentication)
– XKMS (for CRL, authentication)
– SAML (consume, authentication, authorization, produce)
– WS-Security, WS-Trust, WS-*
– Outbound SOAP or HTTP call
▪ Integration with access management solutions:
– Tivoli Access Manager
– Tivoli Federated Identity Manager
– RSA ClearTrust
– Microsoft Active Directory
– Sun Identity Server
– Netegrity SiteMinder or TransactionMinder
– Oblix
– CA eTrust
– …others, including custom integration with any customer environment
• 34. Access Control (3): AAA Framework Diagram - Authenticate, Authorize, Audit
[Diagram: a SOAP/XML message enters the DataPower AAA Framework and leaves as a SOAP/XML message after passing through the stages below; the framework consults either an External Access Control Server or an On-Board Policy]
– Extract Identity (inputs shown: SAML, WS-Security, SSL client cert, HTTP Basic-Auth)
– Extract Resource (inputs shown: Web Service URI, SOAP op name, Transfer amount)
– Map Credentials
– Map Resource
– Authenticate
– Authorize
– Audit & Accounting (shown alongside: SAML assertion, Non-repudiation, Monitoring)
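The modular pipeline of slide 32 (extract identity, extract resource, map resource, authenticate, map credentials, authorize, audit) and the on-board policy option of slide 33, carried through end to end as an added example in Go. It is not DataPower's AAA policy implementation: the HTTP Basic-Auth identity source, the URL-plus-SOAP-operation resource, the on-board user, role and permission tables and the two demo users (pos-17 and reporting) are all constructed, and an appliance deployment would normally point the authenticate and authorize steps at LDAP, RADIUS or one of the access managers listed on slide 33.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Request is the part of an inbound HTTP/SOAP request the policy inspects (constructed).
type Request struct{ URL string; Headers map[string]string; Body string }

type Identity struct{ Subject, Secret string }           // x = extract-identity()
type Resource struct{ URL, Operation string }            // z = extract-resource()
type Credential struct{ Subject string; Roles []string } // y = authenticate(x)
type Decision struct{ Allowed bool; Reason, Subject, Service, Operation string }

// Policy is an on-board policy (slide 33's "start simple" option); an off-board LDAP or
// RADIUS server would take the place of PasswordHash and Roles.
type Policy struct {
	PasswordHash map[string][32]byte // user -> SHA-256(password); demo only, use a slow hash in practice
	Roles        map[string][]string // user -> roles
	Allow        map[string][]string // role -> "service:operation" permissions
	Audit        []string            // one line per decision, allowed or not
}

// ExtractIdentity handles HTTP Basic-Auth; slide 32 also lists WS-Security tokens, SSL
// client certificates, SAML assertions and SSO cookies as identity sources.
func ExtractIdentity(r Request) (Identity, error) {
	v := r.Headers["Authorization"]
	if !strings.HasPrefix(v, "Basic ") { return Identity{}, errors.New("no supported identity token") }
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, "Basic "))
	if err != nil { return Identity{}, err }
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 { return Identity{}, errors.New("malformed basic-auth token") }
	return Identity{Subject: parts[0], Secret: parts[1]}, nil
}

// ExtractResource pairs the URL with the SOAP operation, read from the message body (the local
// name of the first element inside the SOAP Body) rather than from a client-chosen SOAPAction header.
func ExtractResource(r Request) Resource {
	op := ""
	if i := strings.Index(r.Body, "Body>"); i >= 0 {
		if j := strings.Index(r.Body[i:], "<"); j >= 0 {
			op = r.Body[i+j+1:]
			if k := strings.IndexAny(op, " />"); k >= 0 { op = op[:k] }
			if c := strings.Index(op, ":"); c >= 0 { op = op[c+1:] } // drop the namespace prefix
		}
	}
	return Resource{URL: r.URL, Operation: op}
}

// MapResource: zm = map-resource(z); the first path segment names the logical service.
func MapResource(res Resource) string { return strings.SplitN(strings.TrimPrefix(res.URL, "/"), "/", 2)[0] }

// Authenticate compares in constant time and hashes even for unknown users, so timing does not reveal which names exist.
func (p *Policy) Authenticate(id Identity) (Credential, error) {
	stored, known := p.PasswordHash[id.Subject]
	given := sha256.Sum256([]byte(id.Secret))
	if subtle.ConstantTimeCompare(stored[:], given[:]) != 1 || !known { return Credential{}, errors.New("authentication failed") }
	return Credential{Subject: id.Subject, Roles: p.Roles[id.Subject]}, nil
}

// Authorize: ym = map-credentials-attributes(y) expands roles into permissions, then allowed = authorize(ym, zm).
func (p *Policy) Authorize(c Credential, perm string) bool {
	for _, role := range c.Roles {
		for _, have := range p.Allow[role] { if have == perm { return true } }
	}
	return false
}

// Enforce runs the slide-32 pipeline in order and writes an audit line for every outcome.
func (p *Policy) Enforce(r Request) Decision {
	res := ExtractResource(r)
	d := Decision{Service: MapResource(res), Operation: res.Operation}
	id, err := ExtractIdentity(r)
	if err != nil { return p.finish(d, "rejected: "+err.Error()) }
	d.Subject = id.Subject // the claimed identity; it is only trusted after Authenticate succeeds
	cred, err := p.Authenticate(id)
	if err != nil { return p.finish(d, "rejected: "+err.Error()) }
	if !p.Authorize(cred, d.Service+":"+d.Operation) { return p.finish(d, "rejected: not authorized") }
	d.Allowed = true
	return p.finish(d, "allowed")
}

func (p *Policy) finish(d Decision, reason string) Decision { // audit-and-post-processing()
	d.Reason = reason
	p.Audit = append(p.Audit, fmt.Sprintf("subject=%q service=%s op=%s result=%s", d.Subject, d.Service, d.Operation, reason))
	return d
}

// NewDemoPolicy is a constructed policy: POS terminals may store and authorize cards, reporting users may only query status.
func NewDemoPolicy() *Policy {
	return &Policy{
		PasswordHash: map[string][32]byte{"pos-17": sha256.Sum256([]byte("correct horse battery staple")), "reporting": sha256.Sum256([]byte("reports-only"))},
		Roles:        map[string][]string{"pos-17": {"pos-terminal"}, "reporting": {"reporting"}},
		Allow:        map[string][]string{"pos-terminal": {"payments:storeCard", "payments:authorize"}, "reporting": {"payments:getStatus"}},
	}
}
```

A request from pos-17 for the storeCard operation on /payments/v1 is allowed; the same request from the reporting user is rejected at the authorize step, and a bad password, an unknown user or a missing Authorization header is rejected earlier, each with its own audit line. Two details are deliberate: the operation is taken from the SOAP Body rather than the SOAPAction header, so a client cannot present one operation to the gateway and another to the service, and every rejection is audited, which is what PCI DSS Requirement 10 asks of an access policy enforcement point.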
• 36. Compliance = Appliance!
▪ Regulatory compliance is an ever-growing concern for large enterprise customers
– e.g. the Financial Services industry alone has recently had to deal with Sarbanes-Oxley, Basel II and PCI DSS
▪ In practice, compliance consists of demonstrating that your company’s policies meet the regulations, and then “attesting” that you follow your documented policies
– Attesting is the hard part!
▪ DataPower’s configured processing has always been labeled “policies”
▪ DataPower policies can be exported in human-readable form (XML), thereby reducing the pain associated with attestation
– It makes an extremely difficult process much easier
▪ DataPower’s certification to a number of industry standards (FIPS 140-2, Common Criteria EAL4 evaluation) also makes it compliance-friendly
• 37. WS-Policy/WS-SecurityPolicy
DataPower’s out-of-the-box support for the WS-Policy standards framework means that DataPower runtime policies can be expressed in a way that is both “human readable” and “universally understood” by multiple software solutions.
• 38. Open Web Application Security Project (OWASP)
Compliance provides protection against 100% of OWASP Top 10 risks.
Note that a gateway covers these risks only for the traffic that passes through it: schema validation, threat filtering and access control enforced on the appliance do not remove the need for the same controls inside the back-end application, which still handles the data once it has been forwarded.
• 39. Summary: Business Benefits
▪ Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy-to-consume and extremely low-TCO network device
▪ Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost
▪ Flexibility: Secure, integrate, bridge and version applications without application modification
▪ Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic
▪ Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”
▪ Reduce Risk: Takes the “grunt work” out of SOA application security and integration, allowing you to focus on building your business logic. The “in the network” platform allows improved security and audit capabilities without application modification
▪ Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives
▪ A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways
• 40. “I’ve been in retail for 30 years. There has been more change in the last five years than in the previous 25 years” – Andy Clarke