A webinar on PCI DSS

1. Kennet Westby, President and Co-Founder: PCI DSS 3.0 Update

2. Enough is enough
   (Diagram: Compliance / Security / Risk Management) Compliance does not equal security.
   • It's time to take a look at comprehensive risk management
     » What is the health of your organization's data security program?
     » The focus should be on protecting your relationship with your customers and their PFI
     » Ensure risk assessments are being performed and cover all card processes
       – Don't follow the SAQ as a guideline for appropriate card data risk management
       – Are you aware of all sensitive assets involved in payment processes?
       – Are you aware of the threats?
       – If you had to look beyond the PCI DSS to mitigate risk, where would you start?

3. New Standards are Forcing the Issue
   • Major changes in the DSS 3.0 focus on continuous compliance and ongoing diligence in security operations
   • Don't be compliant with your assessment; be compliant with the standards
   • Compliance depends on day-in, day-out adherence to control operations
   • Can you do more? Leverage good risk management practices to identify areas of weakness and opportunities for improvement

4. PCI DSS 3.0 – Scope and Segmentation
   It's important to review the guidance on how to accurately determine the scope of a PCI DSS engagement and the intent of segmentation.
   • Systems that provide security services to the CDE = "In Scope"
   • As per the PCI SSC, "Segmentation = Isolation"
   • (Diagram: Scope Identification Process, for assessed organizations)

5. PCI DSS 3.0 – New Reporting Template
   • Guidance: the intent of each PCI DSS requirement is now included within the standard itself. The "Guidance" column helps clarify the PCI SSC's intent for each and every requirement.
   • Mandatory Reporting Template: for 3.0 assessments, QSAs must submit all Reports on Compliance (ROCs) on the new, SSC-controlled 3.0 Reporting Template.
   • Control Re-Numbering: many requirements have been consolidated and/or renumbered, which has cleaned up the requirements table considerably.
   • Section-Specific Policy Requirements: security policies and daily operational procedures (formerly requirements 12.1.1 and 12.2) have been given their own requirement in each of the PCI DSS sections (at the end of each).
6. Critical Changes to Existing Requirements – Requirement 3, Protect Stored Data
   • Restricted key-access definitions and improved key-management process recommendations
   • Strengthened key access controls with split knowledge
   • Clarified the intent of "unrecoverable data"

7. Critical Changes to Existing Requirements – Requirement 6.6 Flexibility
   • Added options to the interpretation of this requirement by changing "web-application firewall" to "automated technical solution that detects and prevents web-based attacks"

8. Critical Changes to Existing Requirements – Requirement 7, Restrict Access to Cardholder Data
   • Requirement 7 flexibility: additional focus and sub-controls on restricting privileged user access

9. PCI DSS 3.0 – Critical Changes to Existing Requirements: Password Complexity Flexibility
   • Password complexity and strength requirements have been combined into a single requirement, and the PCI SSC now allows some flexibility in how these requirements are met.

10. More Critical Changes to Existing Requirements – Requirement 10, Track and Monitor Access
   • New Logging Events: the audit-log logging requirement (initialization of the audit logs) is enhanced to also include stopping or pausing of the audit logs.
   • Log Reviews for Critical Components: daily or continuous log reviews have been split into two categories, critical systems and "everything else".
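Slide 10 says the trail must now record stopping or pausing of the audit logs and that critical-system logs get daily review. The following is an added example, not code from the webinar or any of the presenting companies, of what a reviewer would actually look for: it parses records in the style of Linux auditd's audit.log and flags the daemon being stopped (DAEMON_END/DAEMON_ABORT), the kernel audit subsystem being paused (CONFIG_CHANGE with audit_enabled=0), and the blind window between a stop and the next DAEMON_START. The sample records, host details and the `cde_read` key are constructed for the example; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of auditd's audit.log (not captured from a real host).
# One daemon start, a normal file read, the audit subsystem paused with auditctl -e 0,
# the daemon terminated, and a restart twelve minutes later.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1700000000.100:1): op=start ver=3.0 format=enriched kernel=6.1.0 auid=4294967295 pid=812 uid=0 ses=4294967295 res=success
type=SYSCALL msg=audit(1700000050.200:57): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 ses=4 comm="cat" exe="/usr/bin/cat" key="cde_read"
type=CONFIG_CHANGE msg=audit(1700000120.300:90): auid=1000 ses=7 op=set audit_enabled=0 old=1 res=success
type=DAEMON_END msg=audit(1700000180.400:95): op=terminate auid=1000 pid=812 uid=0 ses=7 res=success
type=DAEMON_START msg=audit(1700000900.500:1): op=start ver=3.0 format=enriched kernel=6.1.0 auid=4294967295 pid=2210 uid=0 ses=4294967295 res=success
"""

# Record header: type=<TYPE> msg=audit(<epoch.ms>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# Body fields are key=value, with values optionally double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    kind: str        # audit_started | audit_paused | audit_stopped | audit_gap
    ts: float        # epoch seconds of the record that triggered the finding
    auid: str        # login uid responsible (4294967295 = unset, i.e. boot/daemon)
    detail: str
    seconds: float = 0.0   # length of the blind window, for audit_gap only


def parse_record(line: str):
    """Split one audit record into header fields plus body key=value pairs; None if not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, val in KV_RE.findall(m.group("body")):
        rec[key] = val.strip('"')
    return rec


def audit_trail_findings(lines):
    """Flag the events PCI DSS 10.2.6 wants in the trail (initialization, stopping, pausing
    of audit logs) and measure any gap between a stop and the following start."""
    findings = []
    stopped_at = None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, auid = rec["type"], rec.get("auid", "?")
        if rtype == "CONFIG_CHANGE" and rec.get("audit_enabled") == "0":
            # auditctl -e 0: daemon still running, but the kernel has stopped emitting events.
            findings.append(Finding("audit_paused", rec["ts"], auid, "audit_enabled set to 0"))
        elif rtype in ("DAEMON_END", "DAEMON_ABORT"):
            stopped_at = rec["ts"]
            findings.append(Finding("audit_stopped", rec["ts"], auid, f"auditd {rec.get('op', rtype.lower())}"))
        elif rtype == "DAEMON_START":
            if stopped_at is None:
                findings.append(Finding("audit_started", rec["ts"], auid, "auditd initialized"))
            else:
                gap = round(rec["ts"] - stopped_at, 3)
                findings.append(Finding("audit_gap", rec["ts"], auid,
                                        "no audit coverage between stop and restart", gap))
                stopped_at = None
    return findings


if __name__ == "__main__":
    for f in audit_trail_findings(SAMPLE_LOG.splitlines()):
        extra = f" ({f.seconds:.1f}s)" if f.kind == "audit_gap" else ""
        print(f"{f.ts:.3f} auid={f.auid} {f.kind}: {f.detail}{extra}")
```

The pause case is the one most reviewers miss: the daemon keeps running, so process monitoring is quiet, and only the CONFIG_CHANGE record itself shows that the kernel stopped emitting events. A stop with no following start, or a gap on a CDE host, is exactly the kind of thing the daily critical-system review in the second bullet exists to catch.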
11. Renewed Emphasis on Security Management
   • Awareness and testing of CDE boundaries and approved connections (in AoC, 11.3)
   • Periodic evaluation of anti-virus controls (5.1.2)
   • Awareness of access roles and privileges required (7.1, 7.1.1)
   • Device tampering detection procedures and education (9.9)
   • Point-of-interaction inventories (9.9.1.a)
   • Expanded penetration tests (11.3)
   • Service provider management (DSS 12.8.x)

12. How Strong is your IT Risk Management Program?
   • Risk assessment should be used to identify areas of improvement beyond compliance
   • Take a data-centric approach to security to get the greatest risk management benefit
   • Defense in depth
   • Physical and logical access controls in place
   • Sufficient network segmentation
   • SIEM solutions
   • Encryption and/or tokenization
   What would your security controls program look like? This… or this… (comparison graphic)
13. Ryan Holland – Sr. Manager, Partner Solution Architects

14. Security is a shared responsibility between AWS and our customers
   AWS (diagram layers): Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
   • Culture of security and continual improvement
   • Ongoing audits and assurance
   • Protection of large-scale service endpoints
   Customers (diagram layers): Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
   • Customers configure AWS security features
   • Get access to a mature vendor marketplace
   • Can implement and manage their own controls
   • Gain additional assurance above AWS controls

15. Customers retain full ownership and control of their content
   Customers retain ownership of their intellectual property and content
   • Customers manage their privacy objectives how they choose to
   • Select the AWS geographical Region; no automatic replication elsewhere
   • Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
   The security of our services and customers is key to AWS
   • Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
   • Dedicated internal teams constantly looking at the security of our services
   • AWS support personnel have no access to customer content

16. Every customer has access to the same security capabilities
   AWS maintains a formal control environment
   • SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS 70)
   • SOC 2 Security
   • ISO 27001 certification
   • Certified PCI DSS Level 1 Service Provider
   • FedRAMP (FISMA), ITAR, FIPS 140-2
   • HIPAA and MPAA capable
   (Diagram: Foundation Services – Compute, Storage, Database, Networking; AWS Global Infrastructure – Regions, Availability Zones, Edge Locations)

17. PCI DSS Level 1 Service Provider
   • PCI DSS 2.0 compliant (Level 1 is >300,000 transactions/year, the highest level)
   • 14 services in scope (Aug 2013): EC2, EBS, S3, VPC, RDS, ELB, IAM, Glacier, Direct Connect, DynamoDB, SimpleDB, Elastic MapReduce, and new in 2013: CloudHSM, Redshift
   • Covers public services; no special configuration/options
   • Leverage the work of our QSA
   • AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA) – can support forensic investigations
   • Includes all global regions
   • Yearly refresh cycle

18. PCI DSS Level 1 Service Provider
   AWS provides customers and customers' auditors with:
   • Attestation of Compliance
   • PCI Responsibility Summary

19. AWS partners can help you build secure solutions
   AWS provides: facilities, physical security, compute infrastructure, storage infrastructure, network infrastructure, virtualization layer (EC2), hardened service endpoints, fine-grained IAM capability
   + AWS partner solutions = your secure AWS solutions
   These products and more are available on the AWS Marketplace: WAF, VPN, IPS, AV, API gateways, data encryption, user management
20. Sol Cates, Chief Security Officer, Vormetric
   Proven PCI 3.0 compliance with stronger data security: prevent loss of sensitive data and complete PCI audits at a lower TCO with highly secure server encryption and key management.

21. Vormetric Protects Cardholder Information
   • Requirement 3: Protect stored cardholder data
   • Requirement 7: Restrict access to cardholder data by business need to know
   • Requirement 10: Track and monitor all access to network resources and cardholder data

22. Vormetric Data Security Platform – simple, efficient solution for the lowest-TCO data-at-rest security
   • Vormetric Transparent Encryption (structured databases, unstructured files, big data): file- and volume-level encryption, access control
   • Vormetric Application Encryption (applications, big data): field-level data encryption
   • Vormetric Key Management: KMIP compliant, Oracle and SQL Server TDE, certificate storage
   • Vormetric Security Intelligence: Splunk, HP ArcSight, IBM QRadar, LogRhythm
   • Vormetric Data Security Manager: key and policy manager

23. Encryption and Key Management – DSM in the cloud or on the customer premises, supporting Requirement 3
   (Diagram: the Vormetric Data Security Manager distributes keys, policies and logs to virtual or physical servers; the enterprise data center environment is connected over a VPN link)
   • Enforce separation of provider and enterprise responsibilities
   • Extensible to multiple cloud providers and traditional servers
   • Pay as you grow, deploy licenses on demand
   • Customer is always the custodian of policies and keys

24. Vormetric Transparent Encryption – simplified encryption and access control for Requirement 7
   (Diagram: application and user I/O passes through file systems and volume managers to storage; the agent decides Allow/Block and Encrypt/Decrypt for big data, databases or files; Vormetric Security Intelligence sends logs to the SIEM; the Vormetric Data Security Manager runs on the enterprise premises or in the cloud as a virtual or physical appliance)
   • Approved processes and users see clear text (e.g. "John Smith, 401 Main Street")
   • Privileged users and cloud provider / outsource administrators see only encrypted data (*$^!@#)( -|"_}?$%- :>>)
   • Encryption, access control, security intelligence

25. Vormetric Security Intelligence – supporting Requirement 10
   Log and audit data access, in support of:
   • Alarming on abnormal access patterns
   • Identifying compromised users, administrators and applications
   • Accelerating APT and malicious insider recognition
   • Compliance and contractual mandate reporting
   Verizon 2013 Data Breach Investigations Report: 66% of breaches took months, or even years, to discover; 69% of breaches were spotted by an external party, 9% were spotted by customers.
26. (Screenshot of a Security Intelligence log entry: admin Dirk Snowman, having imitated user steve, attempted to read this file and was denied access because he violated this policy.)
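Slides 24 to 26 describe the access model without showing it: an approved process running as an approved user gets clear text, a backup or administrative tool can copy the file but only as ciphertext, everything else is blocked, and every decision is logged so that an administrator switching into another user's account (the Dirk Snowman / steve entry on slide 26) shows up as a denial rather than a successful read. The block below is an added example of that policy evaluation, written for this page and not Vormetric's code or product configuration; the guard point `/data/cards/`, the rule names, the users `svc_db`, `steve` and `dsnowman`, and the executable paths are all hypothetical. It goes slightly beyond the slide by separating the login identity from the effective user, which is what makes the impersonation case decidable.

```python
from dataclasses import dataclass

# The three outcomes on slide 24: clear text for approved process/user pairs,
# ciphertext-only for tools that must handle but never read the data, block otherwise.
PERMIT, PERMIT_CIPHERTEXT, DENY = "permit", "permit_ciphertext", "deny"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    users: frozenset       # effective users the rule covers; "*" matches any
    processes: frozenset   # executable paths; "*" matches any
    ops: frozenset         # subset of {"read", "write", "unlink"}
    effect: str


@dataclass(frozen=True)
class Access:
    login_user: str   # who authenticated (the audit identity); su/sudo do not change it
    user: str         # effective user the process runs as
    process: str      # executable path
    op: str
    path: str


@dataclass(frozen=True)
class AuditEvent:
    access: Access
    effect: str
    reason: str


# Hypothetical policy for one guard point; evaluated top-down, first match wins.
GUARD_POINT = "/data/cards/"
POLICY = [
    Rule("db-app",  frozenset({"svc_db"}), frozenset({"/opt/db/bin/dbd"}),
         frozenset({"read", "write"}), PERMIT),
    Rule("report",  frozenset({"steve"}),  frozenset({"/opt/app/bin/report"}),
         frozenset({"read"}), PERMIT),
    Rule("backup",  frozenset({"*"}),      frozenset({"/usr/bin/tar", "/usr/bin/rsync"}),
         frozenset({"read"}), PERMIT_CIPHERTEXT),
    Rule("default", frozenset({"*"}),      frozenset({"*"}),
         frozenset({"read", "write", "unlink"}), DENY),
]


def _matches(rule: Rule, access: Access) -> bool:
    return (("*" in rule.users or access.user in rule.users)
            and ("*" in rule.processes or access.process in rule.processes)
            and access.op in rule.ops)


def evaluate(policy, access: Access) -> AuditEvent:
    """Decide one file access under the guard point and produce its audit record."""
    if not access.path.startswith(GUARD_POINT):
        return AuditEvent(access, PERMIT, "outside guard point")
    for rule in policy:
        if not _matches(rule, access):
            continue
        # A clear-text rule keyed on the effective user must not be satisfiable by
        # su/sudo into that user: the login identity has to match as well.
        if rule.effect == PERMIT and access.login_user != access.user:
            return AuditEvent(access, DENY,
                              f"{rule.rule_id}: login user {access.login_user} impersonating {access.user}")
        return AuditEvent(access, rule.effect, rule.rule_id)
    return AuditEvent(access, DENY, "no matching rule")


def alerts(events):
    """Security-intelligence side: every denial is worth forwarding to the SIEM as an alert."""
    return [e for e in events if e.effect == DENY]


# Constructed sample accesses, including root with a plain editor/viewer, root with a
# backup tool, and an admin who switched into steve's account before running steve's tool.
SAMPLE = [
    Access("svc_db",   "svc_db", "/opt/db/bin/dbd",     "read", "/data/cards/pan.db"),
    Access("root",     "root",   "/usr/bin/cat",        "read", "/data/cards/pan.db"),
    Access("root",     "root",   "/usr/bin/tar",        "read", "/data/cards/pan.db"),
    Access("dsnowman", "steve",  "/opt/app/bin/report", "read", "/data/cards/report.csv"),
    Access("steve",    "steve",  "/opt/app/bin/report", "read", "/data/cards/report.csv"),
]


def run_sample():
    return [evaluate(POLICY, a) for a in SAMPLE]


if __name__ == "__main__":
    for e in run_sample():
        print(f"{e.access.login_user:>8} as {e.access.user:<7} {e.access.process:<22} "
              f"{e.access.op:<5} {e.effect:<17} {e.reason}")
```

The point of the `backup` rule is the one slide 24 makes with the scrambled string: root can still run the tools that keep the system healthy, but what those tools read off disk is ciphertext, so a compromised or malicious administrator account does not translate into readable cardholder data. The impersonation check is what turns slide 26 into a denial instead of a quiet success under steve's name.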
27. Implement with Confidence
   "Vormetric Data Security is quick and easy to administer, while having negligible impact on performance. It's the perfect solution for meeting PCI DSS requirements." – Daryl Belfry, Director of IT, TAB Bank
   "One of the tipping points for us was Vormetric's management console. It makes creating encryption profiles – which contain unique guard points, security policies, and keys – a snap. It's one of the easiest products to implement I've ever used." – Jim Fallon, Security Ops Manager, Airlines Reporting Corporation
   Coalfire White Paper: Using Encryption and Access Control for PCI DSS 3.0 Compliance in AWS (Vormetric.com -> Resources -> White Papers)

28. Vormetric Data Security Platform Delivers the Lowest Total Cost of Ownership
   • Simplicity: intuitive, consistent, repeatable, organization-wide policy management reduces cost, resources and errors; transparent deployment, application-layer when necessary
   • Efficiency: one platform, many use cases, ready for "what's next"; preserve SLAs and use fewer servers with high-performance encryption and HA
   • Better Security and Faster Compliance: file-to-field data-at-rest encryption, key management, privileged-user access control, and gathering of security intelligence; accelerate the detection of insider abuse and APT
