copyright (2014) comForte 21 1
This part of the screen/slide contains the so-called speaker notes. 
Viewing instructions: please see the actual slide. 
We start off with the summary and most important lesson of this presentation about data-at-rest protection for BASE24… 
It CAN be done and it HAS been done! 
We now briefly look at potential reasons to protect data at rest in BASE24 environments. 
The PCI compliance situation for BASE24 is as follows: 
•Hundreds of customers run BASE24 classic on HP NonStop 
•Each of them relies on so-called compensating controls to satisfy PCI DSS requirement 3.4 (render the PAN unreadable anywhere it is stored, i.e. no clear-text PAN on disk) 
•The HP VLE (Volume Level Encryption) product is _not_ the answer (!) 
•Compensating controls are (1) costly and (2) only an option if no other solution is available 
•With SecurData (and competing products), there now IS another solution available 
Let's look at some basic principles of securing data at rest from an attacker's perspective. To steal credit card data, the attacker would need to bypass your perimeter protection, get around your anti-virus scanning, overcome the access control mechanisms on the internal systems where credit card data is stored, and avoid detection by the monitoring happening at the various levels. 
Recent data breaches have shown that this IS possible using so-called Advanced Persistent Threats. These attacks are real. They are very sophisticated. They find the data and they get through the "walls". Insider attacks are another serious danger: a privileged user with legitimate access to sensitive data storage is already inside many of these walls. If a disgruntled employee or contractor goes rogue, the damage can be significant. 
Here PCI DSS requirement 3.4 comes into play: even when credit card information is stolen, misplaced, lost or misused, it remains protected as long as the PAN has been rendered unreadable. Rendering the PAN unreadable is your last line of defense. That is why it is a core requirement of the PCI standard. 
It is also obvious that encryption of the data can only be effective against insider attacks and advanced persistent threats if the decryption keys are managed independently of the operating system and are not tied to user accounts. That is why PCI DSS requirement 3.4.1 explicitly demands this of disk-encryption solutions, and why the HP VLE product alone does NOT suffice to be PCI 3.4 compliant. 
In this section, we look at some features a complete solution should have, in comForte's opinion. 
We are looking at this simplified picture of a payment processing system. This architecture fits BASE24 classic well, as it does BASE24-eps or home-grown payment processing engines. 
The system typically writes transaction data including the PAN to log files. It may also store PANs in cardholder files, all in clear text. 
Finally, it may create export files for transmission to other systems at regular intervals, and it may update cardholder data from import files stored on the system. 
A typical NonStop payment system processes and stores a MASSIVE number of PANs, potentially millions on a single day. Any malicious access to these files would be absolutely disastrous: it would be very expensive in post-incident handling, it would probably get you on the front page of the newspapers, and it would massively damage your brand. 
Now let's come back to BASE24 systems: why do such critical systems rely on compensating controls instead of fully implementing PCI DSS for the best protection of the data? Unfortunately, BASE24 does not provide any data-level encryption. Changing the BASE24 code and database to implement that protection would be a huge effort and is simply not feasible for most customers in practice. Thus, BASE24 users world-wide were forced to fall back on compensating controls as the second-best choice. 
This is where the comForte SecurData/24 solution comes in: for the first time ever, BASE24 can be made fully PCI 3.4 compliant. 
SecurData/24 works completely transparently at the I/O level. It does not require any code changes and can be integrated easily into existing processing environments. And unlike disk volume level encryption, SecurData/24 manages logical access to decryption keys independently of native operating system mechanisms and does not tie it to user accounts. [SecurData/24 is a variant of the general SecurData product, pre-configured specifically for BASE24 classic users.] 
Even better, it can not only help you achieve full 3.4 compliance for the BASE24 servers, but also for other enterprise systems exchanging PAN data with them. 
The extra time spent by SecurData for a single transaction is typically less than 150 microseconds, both in real time and in CPU time. The reason is that there is no file I/O at all and only a few mathematical operations are required. 
150 microseconds per transaction is why the performance overhead is so low. 
The product scales very well and has so far always matched SLA times during Extracts. 
Detailed auditing in computer-readable format is a standard feature of the solution. This screen shows the audit in its default format, name/value pairs. This is easy for machines to parse and should be fed into a central SIEM system. 
Here we have converted the output from the prior slide into an Excel sheet, showing the detailed information available in the audit log. The audit log can be configured to write a new set of data at regular intervals (hourly, daily, …) or on request from the command-line interface. 
The requirement here is to convert from a file transfer of a temporary Extract file to a "direct upload" to the remote system, without having to store an intermediate file. 
This is one of the advanced features of the product. 
This slide shows how the requirement from the previous slide is met: the SecurData intercept library is bound into the (extract) application and does an on-the-fly file transfer without even requiring an intermediate file. This works for FTP transfers as well as for SFTP transfers (keep in mind that FTP carries the stream in the clear, so SFTP is the right choice whenever the extract contains anything beyond tokens). 
Under the hood, the powerful Unix concept of "pipes" is used to construct a chain of processes through which the data is fed without an intermediate file. 
In the given example, the command "cat > remote_file" is executed directly on the remote system. The input into this process pipe chain comes from the SDATA file relocation server. 
"Just intercept" is not enough: there IS devil in the detail when protecting a BASE24 system properly. 
Here are some features which SecurData has built in and which are already used in production. (Note: as of November 2014, SQL/MX is not implemented yet.) 
There are three core components in SecurData: 
•The SecurData Intercept library is bound into the application and intercepts all database I/Os 
•For each application database I/O, the SecurData Manager tokenizes (respectively de-tokenizes) the PAN before the database is actually accessed 
•By design, SecurData is open with respect to which "tokenization engine" is used 
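To make the intercept idea concrete, here is an added example in Python (not comForte code and not the SecurData tokenization algorithm): an application writes and reads records with clear PANs, and a layer between it and the "file" swaps the middle digits for a format-preserving token on every write and restores them on every read, so the stored record never holds a PAN. The token function is a small keyed Feistel network over decimal digits, a teaching stand-in for a vetted format-preserving mode such as NIST FF1; the key constant, the record layout and the test PANs are constructed for the example.

```python
"""Added example (not comForte code, not the SecurData algorithm): what an
I/O-level intercept does with a PAN. The application reads and writes clear
PANs; the layer between it and the file swaps the middle digits for a
format-preserving token on every write and restores them on every read, so
the record on disk never holds a PAN."""
import hashlib
import hmac

# Assumption: in a real deployment the key comes from a key manager outside the
# operating system's user/account model (PCI DSS 3.4.1). Constructed stand-in:
KEY = b"constructed-demo-key-do-not-use"


def luhn_ok(digits):
    """Luhn check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _prf(key, rnd, half, m):
    """Round function: HMAC-SHA256 of (round number, other half) reduced mod 10**m."""
    mac = hmac.new(key, b"%d:%s" % (rnd, half.encode("ascii")), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % 10 ** m


def _feistel(key, digits, decrypt=False, rounds=10):
    """Unbalanced Feistel network over a digit string (split u = n//2, as FF1 does).
    Output has the same length and alphabet as the input; the same key inverts it.
    Toy construction for illustration, not a vetted FPE mode."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in (range(rounds - 1, -1, -1) if decrypt else range(rounds)):
        m = u if i % 2 == 0 else v     # length of the half rewritten in round i
        if decrypt:
            c = (int(b) - _prf(key, i, a, m)) % 10 ** m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _prf(key, i, b, m)) % 10 ** m
            a, b = b, str(c).zfill(m)
    return a + b


def tokenize(key, pan):
    """Keep the BIN (first 6) and the last 4 in the clear, since routing and
    receipts need them; only the middle digits are transformed. The PAN itself
    is deliberately not echoed in the error message."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("value does not look like a PAN")
    return pan[:6] + _feistel(key, pan[6:-4]) + pan[-4:]


def detokenize(key, token):
    return token[:6] + _feistel(key, token[6:-4], decrypt=True) + token[-4:]


class InterceptedFile:
    """Stand-in for the intercept library bound into an application: callers pass
    clear PANs to write() and get them back from read(); the underlying store (a
    dict standing in for an Enscribe file) only ever holds tokens."""

    def __init__(self, key):
        self._key = key
        self._on_disk = {}

    def write(self, record_key, record):
        stored = dict(record)
        stored["pan"] = tokenize(self._key, record["pan"])
        self._on_disk[record_key] = stored

    def read(self, record_key):
        record = dict(self._on_disk[record_key])
        record["pan"] = detokenize(self._key, record["pan"])
        return record

    def read_raw(self, record_key):
        """What anyone reading the file outside the intercept (a backup, a
        privileged user with a file utility) sees."""
        return self._on_disk[record_key]


if __name__ == "__main__":
    f = InterceptedFile(KEY)
    f.write("txn-0001", {"pan": "4111111111111111", "amount": "10.00"})  # public test PAN
    print("on disk:         ", f.read_raw("txn-0001"))
    print("application sees:", f.read("txn-0001"))
```

Two properties of this shape of scheme matter for a BASE24 rollout. It is stateless and deterministic: the same PAN always yields the same token under the same key, so joins across TLF, CAF and extract files keep working without a token vault on the NonStop. And because the token keeps the PAN's length and digit alphabet, roughly one token in ten will happen to pass a Luhn check, which is relevant when a PAN scanner is later used to verify that nothing was missed.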
28-Nov-14 
During the design stages of the product, comForte made sure that there would be no "engine lock-in" with SecurData. After all, there are many large players offering tokenization and/or encryption solutions, and we wanted to make sure each customer can use their preferred vendor. We also designed our own, patent-pending, tokenization algorithm. 
Comparing SecurData with enterprise data protection solutions 
The aforementioned enterprise data protection solutions do not offer any solution for instrumenting HP NonStop applications without code changes. While they may be offering an API for HP NonStop servers, they leave it to the application programmers to integrate it into their application. SecurData is therefore not competing with these solutions, but rather complementing them with its unique capabilities for application-transparent data protection. 
Powerful built-in tokenization engine 
To address the requirements of customers who are looking for a self-contained and cost-effective solution for their NonStop application, SecurData includes a very powerful data-at-rest protection engine itself. The SecurData tokenization engine runs directly on the NonStop Server, with minimal performance impact for the application. It uses a patent-pending stateless tokenization scheme (tokens and sensitive data elements are NOT stored in a database) which has been analyzed by renowned independent cryptologists. 
Easy integration with enterprise data protection solutions 
comForte SecurData can be easily integrated with any cross-platform enterprise data protection solution, such as Protegrity's Data Security Platform, RSA's Data Protection Manager or Voltage's SecureData product. comForte SecurData provides the glue between the application and the enterprise data protection solution, to avoid rewriting any application code. 
Under the strategic partnership with Protegrity (see https://www.comforte.com/resources/news/strategic-partnership/), comForte SecurData is fully integrated with Protegrity's Enterprise Security Administrator (ESA), which has been proven to meet the performance requirements of high-volume online transaction and batch processing. Before using another enterprise data protection solution, it should be ensured that it meets the specific data format and performance requirements of the target application. 
copyright (2014) comForte 21 and Protegrity
We will now look at a typical project, which starts with an evaluation of the product and ends with the product being in production. 
Some fun with the letter "P": 6 stePs to take the product into production. We'll look at them in more detail next. 
comForte strongly believes it has a very powerful, stable and flexible offering in SecurData. 
The PANfinder product is a complementary product to SecurData. In a nutshell, it is a scanning engine for PANs (and other confidential data) on HP NonStop. It scans the whole file system as well as databases and comes back with a (sanitized) list of all files containing PANs. 
A scan prior to deploying SecurData will return all locations of critical files (prepare for some surprises). 
A scan after installing SecurData should return zero critical files; otherwise you probably missed some during the design stages. 
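The core of such a before/after scan, as an added example in Python (not comForte's PANfinder): a candidate regex finds digit runs of PAN length, a Luhn check discards most numeric noise, and only masked values reach the report. The file images, their names and the test PANs are constructed for the example; a real scan would read Enscribe files and database tables instead of a dict.

```python
"""Added example (not comForte's PANfinder): the core of a PAN discovery scan,
run over constructed file images and reporting masked values only."""
import re

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run (so a 20-digit reference number is skipped).
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check; most numeric junk of PAN length fails it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Report form: first 6 and last 4 only, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(data):
    """Yield (offset, pan) for every Luhn-valid candidate in a byte string."""
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m.start(), digits


def scan(files):
    """files: {name: bytes}. Returns {name: [masked PANs]} for files with hits;
    clear PANs are masked before anything is put into the report."""
    report = {}
    for name, data in files.items():
        hits = [mask(pan) for _, pan in find_pans(data)]
        if hits:
            report[name] = hits
    return report


# Constructed file images standing in for Enscribe files (names are illustrative;
# the PANs are public test numbers). The last one holds a Luhn-invalid value
# that looks like a PAN but is not reported.
SAMPLE_FILES = {
    "$DATA.BASE24.TLF":  b"TLF|20141128|4111111111111111|000001000|378282246310005",
    "$DATA.BASE24.CAF":  b"CAF|4222 2222 2222 2|CARDHOLDER NAME",
    "$DATA.LOGS.AUDIT":  b"txn_ref=12345678901234567890 amount=1000",
    "$DATA.BASE24.TLFT": b"TLF|20141128|4111111111111112|000001000",
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FILES).items():
        print(name, hits)
```

One caveat for the "zero hits after installation" check: a format-preserving token keeps the length and digit alphabet of a PAN, so a fraction of tokens will pass the Luhn test and show up as hits. Either the tokenization scheme must produce tokens the scanner can recognise (for example, tokens that are never Luhn-valid), or the post-installation result has to be reviewed against the list of files known to be under the intercept.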
comForte provides 24/7 support to help you when the unexpected happens. 
We also support you in setting up plans for dealing with scenarios such as CPU outages or unexpected problems with SecurData. 
We finally look at some customers who have put SecurData into production. 
We have blanked out the customer names here. 
Again, the customer names have been blanked out. 
We will now summarize the key points of this presentation. 
For any further questions or for more information, please talk to your account executive or contact the author at t.burg@comforte.com. 
You can also find more information at www.comforte.com/securdata 
This is the last slide of this presentation. 
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 

2014 11 data at rest protection for base24 - lessons learned in production

  • 8. Let's look at some basic principles of securing data-at-rest, from an attacker's perspective. To steal credit card data, the attacker would need to bypass your perimeter protection, get around your anti-virus scanning, overcome access control mechanisms to get onto your internal network systems where credit card data is stored and avoid detection through monitoring happening at the various levels. Recent data breaches have shown that this IS possible using so-called Advanced Persistent Threats. These attacks are real. They are very sophisticated. They find the data. They get around the walls. They get through the "walls". Insider attacks are another serious danger. A privileged user with legitimate access to sensitive data storage is already inside many of these walls. If a disgruntled employee or contractor goes rogue, damage can be significant. Here PCI requirement 3.4 comes into play: Even when credit card information is stolen, misplaced, lost or misused, it's protected as long as the PAN is rendered unreadable. Rendering the PAN unreadable is your last line of defense. That's why it is a core requirement of the PCI standard. It is also obvious that encryption of the data can only be effective against insider attacks and advanced persistent threats if decryption keys are managed independently from the operating system and are not tied to user accounts. That's why this is explicitly required for encryption solutions in the PCI standard – and this is why the HP VLE product alone does NOT suffice to be PCI 3.4 compliant. copyright (2014) comForte 21 8
  • 9. In this section, we look at some features a complete solution should have in comForte's opinion.
  • 10. We are looking at this simplified picture of a Payment Processing system. This architecture fits BASE24 classic well, as it does BASE24-eps or home-grown payment processing engines. The system typically writes transaction data including the PAN to log files. It may also store PANs in card holder files – all in clear text. Finally, it may create export files for transmission to other systems in regular intervals and it may update card holder data from import files stored on the system. A typical NonStop Payment System processes and stores a MASSIVE amount of PANs, potentially millions on a single day. Any malicious access to these files would be absolutely disastrous; it would be very expensive in post-incident handling, it will probably get you on the front page of newspapers and massively damage your brand.
  • 11. Now let's come back to BASE24 systems: Why do such critical systems rely on compensating controls instead of fully implementing PCI-DSS for the best protection of the data? Unfortunately, BASE24 does not provide any data level encryption. Changing the BASE24 code and database to implement that protection would be a huge effort and is simply not feasible for most customers in practice. Thus, BASE24 users world-wide were forced to fall back on compensating controls as the second best choice. This is where the comForte SecurData/24 solution comes in: For the first time ever, BASE24 can be made fully PCI 3.4 compliant. SecurData/24 works completely transparently at the I/O level. It does not require any code changes and can be integrated easily into existing processing environments. And unlike disk volume level encryption, SecurData/24 manages logical access to decryption keys independently of native operating system mechanisms and does not tie it to user accounts. [SecurData/24 is a variant of the general SecurData product, pre-configured specifically for BASE24 classic users]. Even better, it cannot only help you to achieve full 3.4 compliance for the BASE24 servers, but also for other enterprise systems exchanging PAN data with them.
  • 13. The extra time spent by SecurData for a single transaction is typically less than 150 microseconds – both in real time and CPU time. The reason is that there is no file I/O at all and that only a few mathematical operations are required. 150 microseconds per transaction explains why the performance overhead is so low. The product scales very well and has so far always matched SLA times during Extracts.
  • 15. Detailed auditing in computer-readable format is a standard feature of the solution. This screen shows the audit in its default format, which is name/value pairs. This is easily read by computers and should be fed into a central SIEM system.
  • 16. Here we have converted the output from the prior slide into an Excel sheet, showing the detailed information available in the audit log. The audit log can be configured to write a new set of data in regular intervals (hourly, daily, …) or via request from the command-line interface.
  • 17. The requirement here is to convert from a file transfer of a temporary Extract file to a "direct upload" to the remote system without having to store an intermediate file. This is one of the advanced features of the product.
  • 18. This slide shows how the requirement from the previous slide is met: The SecurData intercept library is bound into the (extract) application and does an on-the-fly file transfer without even requiring an intermediate file. This works both for FTP and for SFTP transfers. Under the hood, the powerful concept of "pipes" under Unix is used to construct a chain of processes through which the data is fed without an intermediate file. In the given example, the command "cat > remote_file" is executed directly on the remote system. The input into this "process pipe chain" is coming from the SDATA file relocation server.
  • 19. "Just intercept" is not enough – there IS devil in the detail when protecting a BASE24 system properly. Here are some features which SecurData has built in and which are already used in production. (Note: as of November 2014, SQL/MX is not implemented yet).
  • 20. There are three core components in SecurData: • The SecurData Intercept library is bound into the application and intercepts all database I/Os • For each application database I/O the SecurData Manager tokenizes or de-tokenizes the PAN before the database is actually accessed. • By design, SecurData is open towards which "Tokenization engine" is being used. 28-Nov-14 copyright (2014) comForte 21 20
  • 21. During the design stages of the product comForte made sure that there will be no 'engine lock-in' with SecurData. After all, there are many large players offering tokenization and/or encryption solutions and we wanted to make sure each customer can use his preferred vendor. We also designed our own, patent-pending, tokenization algorithm. Comparing SecurData with enterprise data protection solutions: The aforementioned enterprise data protection solutions do not offer any solution for instrumenting HP NonStop applications without code changes. While they may be offering an API for HP NonStop servers, they leave it to the application programmers to integrate it into their application. SecurData is therefore not competing with these solutions, but rather complementing them with its unique capabilities for application-transparent data protection. Powerful built-in tokenization engine: To address the requirements of customers who are looking for a self-contained and cost-effective solution for their NonStop application, SecurData includes a very powerful data-at-rest protection engine itself. The SecurData tokenization engine runs directly on the NonStop Server, with minimal performance impact for the application. It uses a patent-pending stateless tokenization scheme (tokens and sensitive data elements are NOT stored in a database) which has been analyzed by renowned independent cryptologists. Easy integration with enterprise data protection solutions: comForte SecurData can be easily integrated with any cross-platform enterprise data protection solution, such as Protegrity's Data Security Platform, RSA's Data Protection Manager or Voltage's Secure Data product. comForte SecurData provides the glue between the application and the enterprise data protection solution, to avoid rewriting any application code.
Under the strategic partnership with Protegrity (see https://www.comforte.com/resources/news/strategic-partnership/), comForte SecurData is fully integrated with Protegrity's Enterprise Security Administrator (ESA), which has been proven to meet performance requirements of high volume online transaction and batch processing. Before using another enterprise data protection solution it should be ensured that it meets the specific data format and performance requirements of the target application.
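As an added illustration of what "stateless" tokenization means in practice (the scheme on slides 20 and 21, where no token vault exists and de-tokenization depends only on the key), here is a toy Feistel-based format-preserving token function in Python. This is not comForte's patent-pending algorithm and not NIST FF1; the demo key, the 8-round structure and the choice to keep the last four digits in the clear are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key would live in a key manager
# outside the OS user-account model (assumption; not comForte's key handling).
DEMO_KEY = b"demo-key-for-illustration-only"

ROUNDS = 8            # assumed round count for the toy Feistel network
HALF_DIGITS = 6       # the 12 enciphered digits are split into two 6-digit halves
MOD = 10 ** HALF_DIGITS


def _round_function(key: bytes, rnd: int, value: int, tweak: bytes) -> int:
    """Keyed PRF for one Feistel round, reduced into the 6-digit half domain."""
    msg = tweak + bytes([rnd]) + value.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % MOD


def _feistel(key: bytes, digits: str, tweak: bytes, decrypt: bool) -> str:
    """Encipher (or decipher) a 12-digit string; no state is kept anywhere."""
    left, right = int(digits[:HALF_DIGITS]), int(digits[HALF_DIGITS:])
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for rnd in order:
        if decrypt:
            # undo (L, R) -> (R, L + F(R)): the current left half is the old R
            left, right = (right - _round_function(key, rnd, left, tweak)) % MOD, left
        else:
            left, right = right, (left + _round_function(key, rnd, right, tweak)) % MOD
    return f"{left:0{HALF_DIGITS}d}{right:0{HALF_DIGITS}d}"


def _check(value: str, what: str) -> None:
    if len(value) != 16 or not value.isdigit():
        raise ValueError(f"expected a 16-digit {what}")


def tokenize(pan: str, key: bytes = DEMO_KEY) -> str:
    """Return a 16-digit token: first 12 digits enciphered, last 4 kept (assumption)."""
    _check(pan, "PAN")
    body, tail = pan[:12], pan[12:]
    # The clear last-4 digits act as a tweak, so equal bodies with different
    # tails still map to different tokens.
    return _feistel(key, body, tail.encode(), decrypt=False) + tail


def detokenize(token: str, key: bytes = DEMO_KEY) -> str:
    """Recover the PAN from a token using only the key: no token vault lookup."""
    _check(token, "token")
    body, tail = token[:12], token[12:]
    return _feistel(key, body, tail.encode(), decrypt=True) + tail


if __name__ == "__main__":
    pan = "4111111111111111"   # well-known test card number, constructed input
    tok = tokenize(pan)
    print(pan, "->", tok, "->", detokenize(tok))
```

Because nothing is stored, anyone holding the key can de-tokenize every record, which is exactly why the earlier slides insist that keys be managed outside the operating system and not tied to user accounts.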
  • 22. copyright (2014) comForte 21 and Protegrity
  • 23. We will now look at a typical project which starts with an evaluation of the product and ends with the product being in production.
  • 24. Some fun with the letter "P" – 6 stePs to take the product in production. We'll look at them in some more detail next.
  • 26. comForte strongly believes to have a very powerful, stable and flexible offering in SecurData.
  • 28. The PANfinder product is a complementary product to SecurData. In a nutshell, it is a scanning engine for PANs (and other confidential data) on HP NonStop. It will scan the whole file system as well as databases and come back with a (sanitized) list of all files containing PANs. A scan prior to the usage of SecurData will return all locations of critical files (prepare for some surprises). A scan after installing SecurData should return zero critical files – otherwise you probably missed some during the design stages.
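An added example, not comForte's PANfinder, of the kind of before/after scan described on slide 28: Python code that finds 13 to 19 digit runs in text, keeps only those passing the Luhn check (which removes most timestamps and sequence numbers), and reports them sanitized with only the last four digits visible. The matching pattern and the sample log lines are constructed for this demo.

```python
import re
from pathlib import Path

# Digit runs of 13-19 digits, optionally separated by single spaces or dashes
# (constructed pattern; PANfinder's own matching rules are not described here).
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")

# Constructed log lines: one valid PAN, one space-grouped valid PAN, and a
# 16-digit sequence number that fails Luhn and must not be reported.
SAMPLE_LOG = """20141128 AUTH PAN=4111111111111111 AMT=1250 RESP=00
20141128 AUTH PAN=5500 0000 0000 0004 AMT=300 RESP=05
20141128 BATCH SEQ=1234567890123456 DONE
"""


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Sanitize for reporting: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[str]:
    """Return masked, Luhn-valid PAN candidates found in text, in order."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_files(paths) -> dict[str, list[str]]:
    """Map each file that contains PAN candidates to its sanitized findings."""
    report = {}
    for p in paths:
        found = scan_text(Path(p).read_text(errors="replace"))
        if found:
            report[str(p)] = found
    return report


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(hit)
```

Running the same scan over the tokenized files after SecurData is in place is the "should return zero critical files" check from the slide; any hit points at a file the design stage missed.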
  • 29. comForte provides 24/7 support to help you when the unexpected happens. We also support you in setting up plans for how to deal with some scenarios such as CPU outages or unexpected problems with SecurData.
  • 31. We finally look at some customers who have put SecurData in production.
  • 32. We have blanked out the customer names here.
  • 33. Again, the customer names have been blanked out.
  • 34. We will now summarize the key points of this presentation.
  • 35. For any further questions or for more information please talk to your account executive or contact the author at t.burg@comforte.com. You can also find more information at www.comforte.com/securdata. This is the last slide of this presentation.