MYTHBUSTERS: Can You Secure Payments in the Cloud?


Discussion of if and how you can secure payments in the cloud. Covers the issue, compliance considerations, regulatory changes and their impact, and provides a rationale for using a cloud to decouple your payments processes from your legacy infrastructure.

Published in: Technology

  1. MYTHBUSTERS: Can You Secure Payments in the Cloud? Kurt Hagerman, CISO, Armor (The Leader in Active Cyber Defense). September 2015.
  2. BETWEEN YOU AND THE THREAT. Kurt Hagerman, Chief Information Security Officer, Armor: CISA- and CISSP-certified; frequent speaker and author on security for the payments industry, the healthcare industry and cloud security; 25-year veteran in IT, security consulting and auditing.
  3. Fact or Fiction: Can You Secure Payments in the Cloud?
  4. Myths About the Cloud: it's not secure; not trusted; loss of control; lack of compliance; unknown location of data.
  5. You Against Them
  6. No Easy Task. You are: risk-aware and in tune with your industry's challenges; required to meet numerous and overlapping regulations and mandates; faced with customer demand to process sensitive data in online and mobile channels.
  8. A World of Targets. Security spending doubled in the past 4 years. Many of these organizations were "compliant" on various security frameworks. Major shortage in security talent, and getting worse. Average hacker dwell time is 205 days across enterprises. (Chart spanning 2011 to the latest year.)
  9. Where You're Being Hit. More than half of you have been targeted; this is where threat actors attack you most often. 62% of companies were targets of payments fraud in 2014. Most targeted methods: checks, wires, credit & debit cards (chart figures: 77%, 34%, 27%). Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey.
  10. The Compliance Landscape
  11. "Why is cybersecurity so hard? In general, it's hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow." Jeremy Epstein, Lead Program Director, National Science Foundation.
  12. Regulatory Landscape: SOX
  13. Legal Ramifications Evolving. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information." FTC v. Wyndham Worldwide Corp., No. 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia). Example of government overreach; ruling of "harm" left to the FTC based on no published standards; virtually impossible to comply; even when PCI-compliant, your organization could still be liable for data loss.
  14. Which Frameworks Are Proven? FISMA, NIST 800-53, ISO 27001. Each is good, but they lack the prescriptiveness needed to help you build or evaluate a strong security program. What about the Payment Card Industry Data Security Standard?
  15. 12 Key PCI Security Requirements (control objective, followed by its PCI DSS requirements):
     Build & Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
     Protect Cardholder Data: 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.
     Maintain a Vulnerability Management Program: 5. Use and regularly update antivirus software on all systems commonly affected by malware. 6. Develop and maintain secure systems and applications.
     Implement Strong Access Control Measures: 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.
     Regularly Monitor & Test Networks: 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
     Maintain an Information Security Policy: 12. Maintain a policy that addresses information security.
  16. The PCI Baseline. It's trusted: prescriptive framework; vetted process; widely adopted. It's effective: helps manage risk; protects brands; mitigates loss during breach response.
  17. How Do You Secure This Data?
  18. Follow PCI Best Practices. Leverage it as a strong baseline for all your sensitive data; it has been copied or mirrored by other governing bodies (NACHA, for instance); it includes cross-over into other compliance requirements.
  19. Use a Cloud Solution to Decouple Payment Data: decouple to secure infrastructure; isolate and secure access to sensitive data; reduce scope for compliance; faster audits and lower costs. (Diagram: authorized users, internal & external system users, large IT environment.)
  20. We Trust the Experts for a Reason
  21. A Real-World Case Study
  22. The Company. Popular utility provider secures millions of transactions each month in a PCI-compliant cloud. Region: Southwest. Employees: more than 10,000. Industry: Utilities. Market: Residential & Commercial. Customers: 1 to 5 million.
  23. The Challenge: large Southern retail & commercial utility company; leveraged a legacy ERP system for online payments; couldn't meet PCI compliance; the entire network was in scope.
  24. The Details: traditional check, cash, credit card & ACH payments; data at rest presented a PCI challenge; data existed throughout corporate systems & network; connected to multiple third-party banking & payment applications.
  25. The Solution: decouple payment data from the corporate environment; reduce the scope of the PCI audit; tokenization of payment data; implement a business continuity strategy. "By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance."
  26. The Infrastructure: designed as fully redundant environments; included direct connections to two data centers; meets strict business continuity requirements; leverages multiple security layers to thwart targeted attacks. (Diagram: 4 load balancers, 4 web servers, 4 application servers, 4 database servers, 2 MPLS circuits for direct connection to Armor data centers.)
  27. What's Your Strategy?
  28. Traditional DIY Approach: Difficult & Complex. More tools and technologies? How much is this going to cost? How am I going to implement? In what time period? Do I have the people and expertise?
  29. Comparing Cloud Responsibility. Key: C = client-provided, S = shared between vendor and customer, V = vendor-provided. Columns: DIY Cloud / Public Cloud / Secure Managed Cloud.
     Perimeter:
       IP Reputation Filtering              C / C / V
       DDoS Mitigation                      C / C / V
       Web Application Firewall             C / C / V
       Segmentation                         C / S / V
     Network:
       Network Firewall (hypervisor based)  C / S / V
       Vulnerability Scanning               C / C / V
       Secure Remote Access                 C / S / V
       Encryption in Transit                C / C / S
       Intrusion Detection                  C / C / V
     Server/OS:
       Hardened Operating System            C / C / V
       Secure Remote Administrative Access  C / S / V
       OS Patching                          C / C / V
       Anti-Virus/Anti-Malware              C / C / V
       Log Management                       C / C / V
       Time Synchronization                 C / C / V
       File Integrity Monitoring            C / C / V
       Encryption                           C / S / S
       DLP                                  C / C / S
       Configuration Management             C / C / V
       Host Intrusion Detection             C / C / V
     Physical:
       Hardened Hypervisor                  C / S / V
       Virtual Isolated Management          C / V / V
       Secure Storage                       C / V / V
       Rogue Wireless Scanning              C / V / V
       24x7 Support Staff                   C / V / V
       Entry Controls                       C / V / V
       Video Monitoring                     C / V / V
       Environmental Controls               C / V / V
  30. What to Look For From Cloud Vendors. The key attributes: expertise; track record; technology; people; process; certification; ability to execute and deliver. You need to deal with vendors who are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements. Your vendor should: provide a clear, concise explanation of the specific security controls they include and how these benefit you; be able to articulate the boundaries between their responsibility and yours; provide you with documentation that backs up their claims about being "compliant", including independent audit reports that clearly state the scope of the assessment, the controls framework used and, especially, how this compliance can be leveraged by you.
  31. Focus on Your Business, Leave It to the Experts. Lighten the IT & security burden and protect your business: increase performance; enhance scalability; get better security for your environment; make compliance less costly and time consuming; reduce overall costs; facilitate BCDR planning.
  32. The Cloud Isn't Secure Enough for Payment Transactions
  33. Questions? Kurt Hagerman, 1-877-262-3473 x8073. The Leader in Active Cyber Defense. September 2015.