IBM DataPower PCI Solutions

Steven Cawn
WebSphere DataPower World Wide Sales Leader
scawn@us.ibm.com
What is PCI DSS?

• The Payment Card Industry Data Security Standard (PCI DSS) is a global security program that was created to increase confidence in the payment card industry and reduce risks to PCI Members, Merchants, Service Providers and Consumers.
Payment Card Industry – History

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

• Initial specifications adopted December 2004
• 1.1 specifications adopted September 2006
• 1.2 specifications adopted October 2008
• 1.2.1 specifications adopted August 2009
• 2.0 specifications adopted October 2010
• As of January 2011, every institution must abide by the 2.0 specifications
To Whom Does PCI DSS Apply?

• All merchants & service providers that store, process, use, or transmit cardholder data

• Retail (e-commerce & brick & mortar)
• Hospitality (restaurants, hotels, casinos)
• Convenience Stores (gas stations, fast food)
• Transportation (airlines, car rental, travel agencies)
• Financial Services (credit card processors, banks, insurance companies)
• Healthcare/Education (hospitals, universities)
• Government (where payment cards are accepted)
PCI DSS Requirements “The Digital Dozen”

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security – Connected Entities and Contracts

Source: PCI DSS Ver. 1.1
PCI Non-Compliance Consequences (Global)

• If non-compliant and a breach occurs…
  – Merchants/Service Providers have liability for the acquirer bank's losses, cost of the investigations, litigation costs and card re-issuance costs
  – Fines per incident from Visa (against the acquiring bank)
  – Restrictions imposed by card companies (prohibiting future credit card processing)
  – Repayment of losses may exceed the ability to pay and cause total failure of the organization

• Other potential consequences:
  – Damaged brand reputation
  – Invasive media attention
  – Loss of customers
Over 1,800 worldwide installations and growing

Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations

Banking
• 80% of top 100 banks
• Numerous regional banks and credit unions
• SaaS providers, ASPs, regulators, etc.

Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.

Many, many more
• Retailers
• Utilities, Power, Oil and Gas
• Airlines
• etc.
What are WebSphere DataPower Appliances?

Business Value

The purpose of WebSphere DataPower Appliances is to take the ‘hard parts’ of SOA deployments (service security, integration, ESB, load distribution, etc.) that are traditionally performed by software on application servers, yet have nothing to do with business logic, and move those ‘hard parts’ into highly efficient, hardened, configuration-driven devices in the network.

By moving this computationally intensive “grunt work” into the network, your application servers regain cycles to do what you pay for them to do: run business logic.
What are WebSphere DataPower Appliances?

Product Value

“Specialized purpose-built hardened embedded network devices that take the ‘hard parts’ of SOA security and integration traditionally requiring complex and costly software systems and deliver them in a simple ‘uncrate, rack, configure and deploy’ platform.”

A powerful and uniquely efficient message- and file-oriented, configuration-driven security and integration platform with the extremely low operational TCO of a true network device.
WebSphere DataPower - Use Cases

Deployment zones, left to right in the diagram: Internet (business, consumer and mobile clients), DMZ, Trusted Domain, Application (application servers, HMC, System z).

In the DMZ:
1. B2B Partner Gateway
2. Secure Gateway (Web Services, Web Applications)
3. Intelligent Load Distribution

In the Trusted Domain:
4. Internal Security
5. Enterprise Service Bus
6. Web Service Management
7. Legacy Integration
8. Run-time SOA Governance
WebSphere DataPower and the PCI DSS “Digital Dozen”

WebSphere DataPower is an ideal solution for many requirements (legend on the slide: complete solution / part of solution):

• Build and Maintain a Secure Network
  – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program
  – Requirement 5: Use and regularly update anti-virus software
  – Requirement 6: Develop and maintain secure systems and applications

• Implement Strong Access Control Measures
  – Requirement 7: Restrict access to cardholder data by business need-to-know
  – Requirement 8: Assign a unique ID to each person with computer access
  – Requirement 9: Restrict physical access to cardholder data

• Regularly Monitor and Test Networks
  – Requirement 10: Track and monitor all access to network resources and cardholder data
  – Requirement 11: Regularly test security systems and processes

• Maintain an Information Security Policy
  – Requirement 12: Maintain a policy that addresses information security
DataPower - Key Functions for PCI Compliance
Easy to Use Appliance, Purpose-Built for SOA Security

Req. 1
• Web Services (XML) - filter on any content, metadata or network variables
• Web Application Firewall - HTTP protocol filtering, threat protection, cookie handling
• Data Validation - approve incoming/outgoing Web traffic, Web Services, XML at wire speed
Req. 3, 4
• Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation
• Encryption of transport layer - HTTP, HTTPS, SSL
Req. 5
• Anti-Virus Protection - messages and attachments checked for viruses; integrates with corporate virus checking software through the ICAP protocol
Req. 7, 8, 9
• XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc.
Req. 10
• Management & Logging - manage & track services, logging of all activities, audit
Req. 12
• Security Policy Management - security policies “universally understood” by multiple software solutions, eases PCI certification process

• Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)
WebSphere DataPower: Protecting Cardholder Data

Flow: the client sends credit card information, to be stored in the database, through a supported protocol (HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc.). DataPower encrypts and digitally signs the cardholder fields, and the encrypted XML data is delivered to the database (direct DB connect), so the encrypted credit card is available for later use. A response message is sent confirming the insertion of the encrypted credit card number into the database, and the client receives that confirmation.

Incoming message – data not encrypted:
<Credit Card>
  <Cust>Brian P. Bell</Cust>
  <CreditCardNumber>3732 955939 395500</CreditCardNumber>
  <Credit Type>AMEX</Credit Type>
  ……………….
</Credit Card>

Encrypted & digitally signed message:
<Credit Card>
  <Cust>Brian P. Bell</Cust>
  <Encrypted CCN>ws389maz301</Encrypted CCN>
  <Credit Type>AMEX</Credit Type>
  ……………….
</Credit Card>

Key Functions:
• Terminate SSL
• Defend against XML threats
• Validate XML (schema)
• Authentication
• Authorization
• Audit/Transaction Logging
• Filter data
• Encrypt/Decrypt message
• Digitally sign message
• Mask back-end resources
• Route based on content

Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
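The flow on this slide, as an added example that is not DataPower code or IBM's: a gateway validates the incoming XML, replaces the clear-text card number before the message goes any further, signs the outgoing message, and the back end verifies that signature. It assumes tag names without spaces (CreditCard, CreditCardNumber, EncryptedCCN, CreditType) in place of the slide's illustrative names, uses keyed tokenization with HMAC-SHA256 as a stand-in for the XML Encryption a real gateway applies (the standard library has no AES), and an HMAC as a stand-in for the XML digital signature. The keys and the sample message are constructed; the card number in it is a published test number.

```python
"""Field-level protection of a cardholder-data message at a gateway.

Added example, not DataPower code. Keyed tokenization (HMAC-SHA256) stands
in for XML Encryption and an HMAC stands in for the digital signature; tag
names are assumed, not the slide's. Keys are constructed for the example.
"""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed keys; an appliance keeps these in its encrypted key store,
# never in a configuration file or source tree.
TOKEN_KEY = b"constructed-tokenization-key"
SIGNING_KEY = b"constructed-signing-key"

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: every real PAN passes, most typos fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str) -> str:
    """Keyed, non-reversible stand-in for the PAN. The last four digits are
    kept because PCI DSS permits them on a masked PAN."""
    digest = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return f"tok_{digest[:24]}_{pan[-4:]}"


def sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def protect_message(xml_text: str) -> str:
    """Validate, tokenize and sign. Raises ValueError on a policy violation so
    the gateway rejects the message instead of forwarding a clear-text PAN."""
    root = ET.fromstring(xml_text)
    if root.tag != "CreditCard":
        raise ValueError("unexpected document type")
    ccn = root.find("CreditCardNumber")
    if ccn is None or not ccn.text:
        raise ValueError("missing CreditCardNumber")
    pan = re.sub(r"\s", "", ccn.text)
    if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
        raise ValueError("invalid PAN")
    # Swap the element in place so the clear-text value never leaves here.
    protected = ET.Element("EncryptedCCN")
    protected.text = tokenize_pan(pan)
    protected.tail = ccn.tail
    position = list(root).index(ccn)
    root.remove(ccn)
    root.insert(position, protected)
    body = ET.tostring(root, encoding="unicode")
    signature = ET.SubElement(root, "Signature")
    signature.text = sign(body)
    return ET.tostring(root, encoding="unicode")


def verify_message(xml_text: str) -> bool:
    """Back-end side: recompute the signature over everything except the
    Signature element and compare in constant time."""
    root = ET.fromstring(xml_text)
    signature = root.find("Signature")
    if signature is None or not signature.text:
        return False
    root.remove(signature)
    body = ET.tostring(root, encoding="unicode")
    return hmac.compare_digest(signature.text, sign(body))


def accepted(xml_text: str) -> bool:
    """Policy decision only: True when the message passes validation."""
    try:
        protect_message(xml_text)
        return True
    except ValueError:
        return False


# Constructed incoming message; 378282246310005 is a published test PAN.
INCOMING = """<CreditCard>
  <Cust>Brian P. Bell</Cust>
  <CreditCardNumber>3782 822463 10005</CreditCardNumber>
  <CreditType>AMEX</CreditType>
</CreditCard>"""

if __name__ == "__main__":
    out = protect_message(INCOMING)
    print(out)
    print("signature valid:", verify_message(out))
```

The point worth noticing is where the rejection happens: a message whose card number fails the format or Luhn check is refused before any transformation, and a message whose signature no longer matches is refused by the consumer, so neither side ever handles an unvalidated clear-text PAN.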
Access Control & Credential Mapping

Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.

1. Client sends a request to the App Server
2. Request carries the client username & password
3. DataPower authenticates the client
4. DataPower maps credentials for unified communication with the backend*

* Assuming all authenticated users are authorized. Otherwise TAM or similar must be used for authorization.
DataPower Anti-Virus Protection

• Allows messages and attachments to be checked for viruses
• Integrates with corporate virus checking software through the ICAP protocol
• The Anti-Virus Processing Action eases configuration and use of this capability
• Includes pre-configured Host Types (CLAM, Symantec, Trend, Webwasher) as well as customizability
Logging of Transactions

Requirement 10: Track and monitor all access to network resources and cardholder data.

DataPower can log transactions passing through it to:
- On-the-box file system
- Database
- Network file system
- MQ queues
- FTP server

DataPower can be integrated with monitoring software via the SNMP protocol (not vendor specific).

Requirement 5: Use and regularly update anti-virus software.

DataPower can integrate with antivirus software for attachment scanning.
Protection against Open Web Application Security Project (OWASP) Top 10 Attacks

[Figure: OWASP “Top 10 Most Critical Web Application Security Risks”]
Open Web Application Security Project Compliance

Provides protection against 100% of OWASP Top 10 risks.
DataPower has deployments across industries for PCI compliance

• National uniform provider
• Large US-based insurance provider
• Major prepaid wireless carrier
• Telecommunication provider in Australia
Summary: Business Benefits

Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy to consume and extremely low TCO network device.

Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost.

Flexibility: Secure, integrate, bridge and version applications without application modification.

Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic.

Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”.

Reduce Risk: Takes the “grunt work” out of SOA application security and integration, allowing you to focus on building your business logic. The “in the network” platform allows improved security and audit capabilities without application modification.

Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives.

A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways.
DataPower Product Family Highlights

B2B Appliance XB62
• B2B Messaging (AS1/AS2/AS3/EDI)
• Trading Partner Profile Management
• B2B Transaction Viewer
• Support for HL7 and EDIFACT Industry Pack

Integration Appliance XI50B, XI50z, XI52
• Hardware ESB
• “Any-to-Any” conversion at wire speed
• Bridges multiple protocols
• Integrated message-level security
• Network load balancing

Service Gateway XG45
• Enhanced security capabilities
• Centralized policy enforcement
• Fine-grained authorization and authentication
• Network load balancing
Mobile Payments Industry Activities (some examples)

• Mobile Payments Conference, October 10-11, 2012 | Park Central Hotel New York

• WEBINAR: Does Your Call Recording Comply with PCI Data Security Standards? Learn best practices for secure handling of customer payment card data. Tuesday July 31, 2012 2:00PM EST/11:00AM PST

Even though PCI has been around since the mid 2000’s, industry activities are going on almost every week.
Additional Information

• WebSphere DataPower home page
  – http://www-01.ibm.com/software/integration/datapower
• WebSphere DataPower Information Center (online help)
  – http://publib.boulder.ibm.com/infocenter/wsdatap/v3r8m1/index.jsp
• developerWorks
  – http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html
• WebSphere Education
  – http://www.ibm.com/software/websphere/education/
• IBM Software Services for WebSphere
  – http://www.ibm.com/developerworks/websphere/services/
• IBM WebSphere DataPower SOA Appliance Handbook
  – http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780137148196
• DataPower SOA Appliance Customer Forum
  – http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
Additional Information

• Global WebSphere Community
  – http://www.websphereusergroup.org/datapower
• Technotes
  – http://www.ibm.com/search/csass/search?q=&sn=spe&lang=en&filter=collection:stgsysx,dblue,ic,pubs,devrel1&prod=U692969C82819Q63
• DataPower Redbooks
  – http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
• DataPower on YouTube
  – http://www.youtube.com/watch?v=LRy0twFpmUQ
• zEnterprise and PCI-DSS compliance
  – http://www.businesswire.com/news/home/20100308006657/en/atsec-Publishes-Payment-Card-Industry-Compliance-Large
• Certification whitepaper regarding PCI compliance
  – http://www.atsec.com/downloads/white-papers/PCI_Compliance_for_LCS.pdf
Thank You

OWASP DataPower Compliance Details
Threat: A1 - Injection

• Threat description
  – Injection flaws, such as SQL, command shell, or LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands, or accessing unauthorized data.

• DataPower mitigation
  – Data type checking for invalid input
  – XML Threat Protection setting for XPath injection
  – SQL injection filter configuration rejects SQL injections
  – Regular-expression filters used as a “catch-all” for shell injections, LDAP calls, PHP code, or any other programming language
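The two layers the A1 mitigations above describe, data-type checking followed by regular-expression catch-all filters, as an added example that is not DataPower's filter configuration or IBM's code. The field schema, the detection patterns and the sample requests are constructed for this illustration; a deployment derives the schema from the service contract and tunes the patterns against its own traffic.

```python
"""Gateway-side input policy: positive type checks, then catch-all filters.

Added example, not DataPower's configuration. Schema, patterns and sample
requests are constructed for illustration.
"""
import re

# Positive model: every expected parameter and what it may look like.
# Unknown parameters are rejected outright (default deny).
FIELD_RULES = {
    "account_id": re.compile(r"\d{1,12}"),
    "currency": re.compile(r"[A-Z]{3}"),
    "memo": re.compile(r"[\w .,-]{0,64}"),
}

# Catch-all detection patterns applied to every value, free text included.
CATCH_ALL = [
    ("sql", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'|--|;\s*(drop|delete|insert)\b")),
    ("shell", re.compile(r"[;&|`]\s*\w|\$\(")),
    ("ldap", re.compile(r"\)\s*[(|&]|\*\)")),
    ("xpath", re.compile(r"(?i)\bor\s+\d+\s*=\s*\d+|'\s*or\s*'")),
]


def check_request(params: dict) -> tuple:
    """Return ("allow", []) or ("reject", [reasons]). One reason is enough to
    block, but all of them are collected so the audit log explains the decision."""
    reasons = []
    for name, value in params.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            reasons.append(f"{name}: unexpected parameter")
            continue
        if not rule.fullmatch(value):          # fullmatch: no partial/anchored tricks
            reasons.append(f"{name}: fails type check")
        for label, pattern in CATCH_ALL:
            if pattern.search(value):
                reasons.append(f"{name}: matches {label} filter")
    return ("reject", reasons) if reasons else ("allow", [])


# Constructed sample requests, as a gateway sees them after parsing.
SAMPLES = {
    "clean": {"account_id": "12345", "currency": "USD", "memo": "rent March"},
    "tautology": {"account_id": "1 OR 1=1", "currency": "USD", "memo": ""},
    "shell": {"account_id": "7", "currency": "EUR", "memo": "x; id"},
    "extra": {"account_id": "7", "currency": "EUR", "debug": "1"},
}

if __name__ == "__main__":
    for name, params in SAMPLES.items():
        print(f"{name:10} -> {check_request(params)}")
```

The ordering matters: the positive type check alone already rejects the tautology and shell samples, and the catch-all layer only adds the reason that names the attack class for the log. The patterns are deliberately narrow detection signatures; widening them without the positive model in front is what produces both false positives and bypasses.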
Threat: A2 - Cross-Site Scripting (XSS)

• Threat description
  – XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

• DataPower mitigation
  – Native XSS filter configuration for rejecting incoming/outgoing traffic that contains XSS content
Threat: A3 - Broken Authentication and Session Management

• Threat description
  – Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

• DataPower mitigation
  – Broad security standards support, e.g. WS-Security, XACML, SAML, SSL/TLS
  – “Out-of-the-box” integration with many industry-leading PDP solutions, such as Tivoli Access Manager, Active Directory, LDAP, SiteMinder, etc.
  – Centralized platform for security governance
  – Tools for configurable AAA and crypto processing, as well as key protection
Threat: A4 - Insecure Direct Object References

• Threat description
  – A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

• DataPower mitigation
  – Enforces security decisions based on properly classified users authorized to specific resources and actions in a policy.
  – Transforms and exposes indirect object identifiers that are mapped to direct object identifiers at the application, such as references to an SSN or an account number.
Threat: A5 - Cross-Site Request Forgery (CSRF)

• Threat description
  – A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

• DataPower mitigation
  – Provides several building blocks to prevent such attacks:
    • Creation or checking of nonce values
    • Generation or validation of digital signatures on each request
    • Creation or confirmation of hash values
    • Injection or parsing of secondary session cookies present in hidden HTTP fields
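The building blocks on the A5 slide combined into one anti-forgery check, as an added example that is not DataPower code or IBM's: a token is a fresh nonce plus a keyed signature (HMAC-SHA256 here, standing in for the digital signature the slide mentions) that binds the nonce to the session and an issue time; verification checks the signature, the age and single use, and the token travels in a hidden form field that must agree with the session cookie. The key, the session identifiers and the clock are constructed for the example.

```python
"""Per-request anti-forgery tokens: nonce + keyed signature + single use.

Added example, not DataPower code. HMAC-SHA256 stands in for the digital
signature; key, session ids and clock are constructed.
"""
import hashlib
import hmac
import secrets
import time

GATEWAY_KEY = b"constructed-gateway-signing-key"   # belongs in a key store


class CsrfGuard:
    def __init__(self, key: bytes = GATEWAY_KEY, ttl_seconds: int = 900, clock=time.time):
        self.key = key
        self.ttl = ttl_seconds
        self.clock = clock
        self.used_nonces = set()       # a cluster shares this through a store

    def _mac(self, session_id: str, nonce: str, issued: int) -> str:
        message = f"{session_id}|{nonce}|{issued}".encode()
        return hmac.new(self.key, message, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        """Token to embed in a hidden form field or custom request header."""
        nonce = secrets.token_hex(16)
        issued = int(self.clock())
        return f"{nonce}.{issued}.{self._mac(session_id, nonce, issued)}"

    def verify(self, session_id: str, token: str) -> bool:
        """True once per token, only for the session it was issued to, within TTL."""
        try:
            nonce, issued_text, mac = token.split(".")
            issued = int(issued_text)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._mac(session_id, nonce, issued)):
            return False                  # forged, tampered or another session's
        if self.clock() - issued > self.ttl or nonce in self.used_nonces:
            return False                  # expired or replayed
        self.used_nonces.add(nonce)
        return True


def accept_state_change(guard: CsrfGuard, cookies: dict, form: dict) -> bool:
    """Gateway check for a state-changing request: the token in the hidden
    field must verify against the session carried in the cookie. A forged
    cross-site request carries the cookie automatically but cannot supply
    the field, so it fails here before reaching the application."""
    session_id = cookies.get("session")
    token = form.get("csrf_token")
    if not session_id or not token:
        return False
    return guard.verify(session_id, token)


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("sess-demo")
    print("first use:", accept_state_change(guard, {"session": "sess-demo"}, {"csrf_token": token}))
    print("replay:   ", accept_state_change(guard, {"session": "sess-demo"}, {"csrf_token": token}))
    print("forged:   ", accept_state_change(guard, {"session": "sess-demo"}, {"amount": "10"}))
```

Because the signature covers the session identifier, a token read out of one user's page is useless for another session, and because the nonce is consumed on first use, a token captured from a legitimate submission cannot be resubmitted. The TTL bounds how long a leaked token stays live at all.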
Threat: A6 - Security Misconfiguration

• Threat description
  – Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. The system could be completely compromised without anyone knowing it, causing all data to be stolen or modified slowly over time.

• DataPower mitigation
  – DataPower can't solve this problem alone, but it can significantly reduce the scope of what must be configured or programmed.
  – By pulling security policies and functions away from application servers and centralizing them on DataPower, the chance of security misconfiguration is reduced because the number of systems that contain security processing code is also reduced.
  – Additionally, centralizing corporate-wide security policies on a common gateway means that services that trust the gateway are all configured to share a consistent security policy.
Threat: A7 - Insecure Cryptographic Storage

• Threat description
  – Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

• DataPower mitigation
  – Standards-based cryptographic processing, such as encryption and hash operations
  – Secured key material stored in the encrypted part of the file system
  – Encrypts sensitive data and stores it in a database, giving authorized applications access to the confidential data through DataPower, in essence functioning as a Data-as-a-Service (DaaS) provider
Threat: A8 - Failure to Restrict URL Access

• Threat description
  – Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

• DataPower mitigation
  – Leverage DataPower’s explicit white-list policy model using Matching rules
  – Enforces per-request authentication and resource-based authorization based on the AAA framework
  – URL rewrites to hide the original URL of the backend application
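An added example, not DataPower's Matching Rule or AAA configuration and not IBM's code, that serves two of the slides above: A8 (every request is authenticated and then authorized against an explicit white list of method/URL patterns, with default deny and path normalization before matching) and A4 (clients only ever see per-user opaque handles, which the gateway maps back to internal account numbers). The identity store, account ownership, reference key and rules are all constructed for the example.

```python
"""Explicit white-list request policy with indirect object references.

Added example, not DataPower configuration. Identity store, accounts,
key and rules are constructed.
"""
import hashlib
import hmac
import posixpath

REFERENCE_KEY = b"constructed-reference-key"    # belongs in a key store

# Constructed identity store: credential -> (user, roles).
USERS = {
    "key-alice": ("alice", {"customer"}),
    "key-bob": ("bob", {"customer"}),
}

# Constructed ownership of internal (direct) identifiers.
OWNED_ACCOUNTS = {"alice": ["ACC-1001", "ACC-1002"], "bob": ["ACC-2001"]}

# White list of (method, URL pattern, roles allowed). '*' matches exactly one
# non-empty path segment. Anything not listed is rejected.
MATCH_RULES = [
    ("GET", "/accounts/*/balance", {"customer"}),
    ("POST", "/accounts/*/transfer", {"customer"}),
    ("GET", "/admin/*", {"admin"}),
]


def url_matches(pattern: str, path: str) -> bool:
    p_segs, u_segs = pattern.split("/"), path.split("/")
    if len(p_segs) != len(u_segs):
        return False
    return all(u and (p == "*" or p == u) for p, u in zip(p_segs[1:], u_segs[1:]))


def handle_for(user: str, account: str) -> str:
    """Per-user opaque handle: unguessable, and useless to any other user."""
    tag = hmac.new(REFERENCE_KEY, f"{user}:{account}".encode(), hashlib.sha256)
    return tag.hexdigest()[:16]


def resolve(user: str, handle: str):
    """Map a handle back to a direct identifier, only among the user's own."""
    if not handle.isascii():
        return None
    for account in OWNED_ACCOUNTS.get(user, []):
        if hmac.compare_digest(handle_for(user, account), handle):
            return account
    return None


def handle_request(method: str, path: str, api_key: str) -> tuple:
    """Return (status, detail) the way a gateway policy would decide it."""
    identity = USERS.get(api_key)
    if identity is None:
        return 401, "authentication failed"
    user, roles = identity
    path = posixpath.normpath(path)           # collapse "/../" before matching
    if not path.startswith("/"):
        return 400, "malformed path"
    rule = next((r for r in MATCH_RULES if r[0] == method and url_matches(r[1], path)), None)
    if rule is None:
        return 403, "no matching rule (default deny)"
    if not roles & rule[2]:
        return 403, "role not authorized for this resource"
    if rule[1].startswith("/accounts/"):
        account = resolve(user, path.split("/")[2])
        if account is None:
            return 404, "unknown reference"
        return 200, f"{path.split('/')[-1]} {account}"
    return 200, path


if __name__ == "__main__":
    h = handle_for("alice", "ACC-1001")
    print(handle_request("GET", f"/accounts/{h}/balance", "key-alice"))
    print(handle_request("GET", f"/accounts/{h}/balance", "key-bob"))
    print(handle_request("GET", "/accounts/../admin/keys", "key-alice"))
```

Two details carry the weight. The path is normalized before it is matched, so a traversal sequence cannot turn an allowed pattern into a different resource; and the handle a client presents is resolved only within that client's own objects, so the same handle in another user's request fails as unknown rather than leaking the internal identifier.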
Threat: A9 - Insufficient Transport Layer Protection

• Threat description
  – Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

• DataPower mitigation
  – SSL Proxy configuration secures traffic using SSL/TLS
  – A strong SSL cipher suite is available and enabled by default
  – Clients can be trusted using mutual authentication
  – CRL and OCSP support ensures certificates are valid and trusted
  – The key material is stored securely in an encrypted portion of the flash memory
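The transport controls listed above expressed as a server-side TLS policy, as an added example that is not DataPower's SSL Proxy profile or IBM's code: TLS 1.2 or later only, a cipher list restricted to forward-secret AEAD suites, mandatory client certificates for mutual authentication, and CRL checking of the presented certificate. It uses Python's standard ssl module; the certificate, key and trust-store paths are placeholders a deployment supplies, and the weak-cipher markers are a constructed policy list.

```python
"""Transport policy for a TLS-terminating gateway listener.

Added example, not DataPower configuration. Certificate paths are
placeholders; the weak-cipher marker list is a constructed policy.
"""
import ssl

CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
WEAK_MARKERS = ("RC4", "MD5", "NULL", "DES", "EXPORT")


def build_server_context(require_client_cert: bool = True) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3, TLS 1.0 or 1.1
    ctx.set_ciphers(CIPHER_POLICY)                     # TLS 1.2 suites; 1.3 has its own
    ctx.options |= ssl.OP_NO_COMPRESSION               # compression leaks plaintext length
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED            # mutual authentication
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # revoked client certs rejected
        # Deployment supplies these (placeholders, not values from the slide):
        # ctx.load_verify_locations(cafile="<trusted-client-ca.pem>")
        # ctx.load_verify_locations(cafile="<client-ca.crl.pem>")
    # ctx.load_cert_chain("<gateway-cert.pem>", "<gateway-key.pem>")
    return ctx


def negotiated_cipher_allowed(name: str) -> bool:
    """Policy check on a cipher name as reported for an established session."""
    upper = name.upper()
    return not any(marker in upper for marker in WEAK_MARKERS)


def context_summary(ctx: ssl.SSLContext) -> dict:
    """What an auditor would want to read back from the listener."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "weak_ciphers_offered": [n for n in names if not negotiated_cipher_allowed(n)],
        "cipher_count": len(names),
    }


if __name__ == "__main__":
    for key, value in context_summary(build_server_context()).items():
        print(f"{key:22} {value}")
```

Note that CRL checking only works once the CRL itself is loaded alongside the CA; with the flag set and no CRL present, every client certificate fails verification, which is the safe failure but one that operations should expect.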
Threat: A10 - Invalid Redirects and Forwards

• Threat description
  – Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

• DataPower mitigation
  – Applications not expecting redirects can be configured to reject HTTP 302
  – HTTP Front-side handler, User-Agent and URL Re-write configurations can be used to flag and reject these requests as potential threats

Data Power Architectural Patterns - Jagadish Vemugunta
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2
 
Using IBM DataPower for rapid security and application integration with an op...
Using IBM DataPower for rapid security and application integration with an op...Using IBM DataPower for rapid security and application integration with an op...
Using IBM DataPower for rapid security and application integration with an op...
 
IBM Connectivity and Integration
IBM Connectivity and IntegrationIBM Connectivity and Integration
IBM Connectivity and Integration
 
Datapower Steven Cawn
Datapower Steven CawnDatapower Steven Cawn
Datapower Steven Cawn
 
Enterprise grade cloud services with data power virtual
Enterprise grade cloud services with data power virtualEnterprise grade cloud services with data power virtual
Enterprise grade cloud services with data power virtual
 
Datasheet: WebSphere DataPower B2B Appliance XB62
Datasheet: WebSphere DataPower B2B Appliance XB62Datasheet: WebSphere DataPower B2B Appliance XB62
Datasheet: WebSphere DataPower B2B Appliance XB62
 
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17 IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
 
DataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksDataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance Benchmarks
 
Inter connect2015 ame-3495
Inter connect2015 ame-3495Inter connect2015 ame-3495
Inter connect2015 ame-3495
 
Simplifying User Access with NetScaler SDX and CA Single Sign-on
 Simplifying User Access with NetScaler SDX and CA Single Sign-on Simplifying User Access with NetScaler SDX and CA Single Sign-on
Simplifying User Access with NetScaler SDX and CA Single Sign-on
 
Layer 7: Getting Your SOA to Production Without Cost and Complexity
Layer 7: Getting Your SOA to Production Without Cost and ComplexityLayer 7: Getting Your SOA to Production Without Cost and Complexity
Layer 7: Getting Your SOA to Production Without Cost and Complexity
 

Viewers also liked

CBS PCI Webinar - April
CBS PCI Webinar - AprilCBS PCI Webinar - April
CBS PCI Webinar - AprilGary Stotko
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016
Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016 Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016
Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016 Thierry Matusiak
 
IBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerIBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerThierry Matusiak
 
IBM Security Software Solutions
IBM Security Software Solutions IBM Security Software Solutions
IBM Security Software Solutions Thierry Matusiak
 
IBM Security Software Solutions - Powerpoint
 IBM Security Software Solutions - Powerpoint IBM Security Software Solutions - Powerpoint
IBM Security Software Solutions - PowerpointThierry Matusiak
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...IBM Security
 

Viewers also liked (9)

CBS PCI Webinar - April
CBS PCI Webinar - AprilCBS PCI Webinar - April
CBS PCI Webinar - April
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016
Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016 Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016
Synthèse de l'offre logicielle IBM de Sécurité - Nov 2016
 
IBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerIBM Security Software Solutions - One Pager
IBM Security Software Solutions - One Pager
 
IBM Security Strategy
IBM Security StrategyIBM Security Strategy
IBM Security Strategy
 
IBM Security Software Solutions
IBM Security Software Solutions IBM Security Software Solutions
IBM Security Software Solutions
 
IBM Security Software Solutions - Powerpoint
 IBM Security Software Solutions - Powerpoint IBM Security Software Solutions - Powerpoint
IBM Security Software Solutions - Powerpoint
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...
 

Similar to IBM DataPower PCI Solutions

Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...amadhireddy
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Hadoop and Financial Services
Hadoop and Financial ServicesHadoop and Financial Services
Hadoop and Financial ServicesCloudera, Inc.
 
DataPower for PCI
DataPower for PCIDataPower for PCI
DataPower for PCIDanteJara8
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Amazon Web Services
 
Data Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceData Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceDavid Walker
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...DataWorks Summit
 
Managed security services
Managed security servicesManaged security services
Managed security servicesmanoharparakh
 
CASE STUDY: UK NATIONAL HEALTH SERVICE
CASE STUDY: UK NATIONAL HEALTH SERVICECASE STUDY: UK NATIONAL HEALTH SERVICE
CASE STUDY: UK NATIONAL HEALTH SERVICEForgeRock
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesCloudPassage
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingKaseya
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2jeffirby
 
Vormetric data security complying with pci dss encryption rules
Vormetric data security  complying with pci dss encryption rulesVormetric data security  complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rulesVormetric Inc
 

Similar to IBM DataPower PCI Solutions (20)

Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
 
Hadoop and Financial Services
Hadoop and Financial ServicesHadoop and Financial Services
Hadoop and Financial Services
 
DataPower for PCI
DataPower for PCIDataPower for PCI
DataPower for PCI
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
 
Data Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceData Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI Compliance
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
 
Managed security services
Managed security servicesManaged security services
Managed security services
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
 
CASE STUDY: UK NATIONAL HEALTH SERVICE
CASE STUDY: UK NATIONAL HEALTH SERVICECASE STUDY: UK NATIONAL HEALTH SERVICE
CASE STUDY: UK NATIONAL HEALTH SERVICE
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud Guidelines
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance Briefing
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Vormetric data security complying with pci dss encryption rules
Vormetric data security  complying with pci dss encryption rulesVormetric data security  complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rules
 

IBM DataPower PCI Solutions

  • 1. IBM DataPower PCI Solutions
    Steven Cawn, WebSphere DataPower World Wide Sales leader, scawn@us.ibm.com
  • 2. What is PCI DSS?
    • Payment Card Industry Data Security Standard (PCI DSS) is a global security program that was created to increase confidence in the payment card industry and reduce risks to PCI Members, Merchants, Service Providers and Consumers.
  • 3. Payment Card Industry – History
    Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
    • Initial specifications adopted December 2004
    • 1.1 specifications adopted September 2006
    • 1.2 specifications adopted October 2008
    • 1.2.1 specifications adopted August 2009
    • 2.0 specifications adopted October 2010
    • As of January 2011, every institution must abide by the 2.0 specifications
  • 4. To Whom Does PCI DSS Apply?
    • All merchants & service providers that store, process, use, or transmit cardholder data
    • Retail (e-commerce & brick & mortar)
    • Hospitality (restaurants, hotels, casinos)
    • Convenience Stores (gas stations, fast food)
    • Transportation (airlines, car rental, travel agencies)
    • Financial Services (credit card processors, banks, insurance companies)
    • Healthcare/Education (hospitals, universities)
    • Government (where payment cards are accepted)
  • 5. PCI DSS Requirements “The Digital Dozen” (PCI DSS Ver. 1.1)
    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data sent across open, public networks
    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security – Connected Entities and Contracts
  • 6. PCI Non-Compliance Consequences (Global)
    • If non-compliant and a breach occurs…
      – Merchants/Service Providers have liability for the acquirer bank's losses, cost of the investigations, litigation costs and card re-issuance costs
      – Fines per incident from Visa (against acquiring bank)
      – Restrictions imposed by card companies (prohibiting future credit card processing)
      – Repayment of losses may exceed the ability to pay and cause total failure of the organization
    • Other potential consequences:
      – Damaged brand reputation
      – Invasive media attention
      – Loss of customers
  • 7. Over 1,800 worldwide installations and growing
    Government: Agencies and ministries; Defense and security organizations; Crown corporations
    Banking: 80% of top 100 Banks; Numerous regional banks and credit unions; SaaS providers, ASPs, regulators, etc.
    Insurance: Used by 95% of top global insurance firms; SaaS providers, ASPs, regulators, etc.
    Many, many more: Retailers; Utilities, Power, Oil and Gas; Airlines, etc.
  • 8. What are WebSphere DataPower Appliances? Business Value
    The purpose of WebSphere DataPower Appliances is to take the ‘hard parts’ of SOA deployments (service security, integration, ESB, load distribution, etc.) that are traditionally performed by software on application servers, yet have nothing to do with Business Logic, and move those ‘hard parts’ into highly efficient, hardened, configuration-driven devices in the network. By moving this computationally intensive “grunt work” into the network, your application servers regain cycles to do what you pay for them to do: Run Business Logic.
  • 9. What are WebSphere DataPower Appliances? Product Value
    “Specialized purpose-built hardened embedded network devices that take the “hard parts” of SOA security and integration traditionally requiring complex and costly software systems and deliver them in a simple “uncrate, rack, configure and deploy” platform.”
    Powerful and uniquely efficient message- and file-oriented, configuration-driven Security and Integration platform with the extremely low operational TCO of a true network device.
  • 10. WebSphere DataPower - Use Cases
    [Diagram: zones Internet / DMZ / Trusted Domain; parties shown are Business Application, Application, Consumer, Mobile, HMC and System z]
    1. B2B Partner Gateway
    2. Secure Gateway (Web Services, Web Applications)
    3. Intelligent Load Distribution
    4. Internal Security
    5. Enterprise Service Bus
    6. Web Service Management
    7. Legacy Integration
    8. Run time SOA Governance
  • 11. WebSphere DataPower and the PCI DSS “Digital Dozen”
    WebSphere DataPower is an ideal solution for many requirements (legend on the slide: Complete solution / Part of solution):
    • Build and Maintain a Secure Network
      – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
      – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect Cardholder Data
      – Requirement 3: Protect stored cardholder data
      – Requirement 4: Encrypt transmission of cardholder data across open, public networks
    • Maintain a Vulnerability Management Program
      – Requirement 5: Use and regularly update anti-virus software
      – Requirement 6: Develop and maintain secure systems and applications
    • Implement Strong Access Control Measures
      – Requirement 7: Restrict access to cardholder data by business need-to-know
      – Requirement 8: Assign a unique ID to each person with computer access
      – Requirement 9: Restrict physical access to cardholder data
    • Regularly Monitor and Test Networks
      – Requirement 10: Track and monitor all access to network resources and cardholder data
      – Requirement 11: Regularly test security systems and processes
    • Maintain an Information Security Policy
      – Requirement 12: Maintain a policy that addresses information security
  • 12. DataPower - Key Functions for PCI Compliance
    Easy to Use Appliance, Purpose-Built for SOA Security
    Req. 1 – Web Services (XML): Filter on any content, metadata or network variables. Web Application Firewall: HTTP Protocol Filtering, Threat Protection, Cookie Handling. Data Validation: Approve incoming/outgoing Web traffic, Web Services, XML at wirespeed.
    Req. 3, 4 – Field Level Security: WS-Security, encrypt & sign individual fields, non-repudiation. Encryption of transport layer: HTTP, HTTPS, SSL.
    Req. 5 – Anti Virus Protection: messages and attachments checked for viruses; integrates with corporate virus checking software through the ICAP protocol.
    Req. 7, 8, 9 – XML Web Services Access Control/AAA: SAML, LDAP, RADIUS, etc.
    Req. 10 – Management & Logging: manage & track services, logging of all activities, audit.
    Req. 12 – Security Policy Management: security policies “universally understood” by multiple software solutions, eases the PCI certification process.
    Easy Configuration & Management – WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security).
  • 13. WebSphere DataPower: Protecting Cardholder Data
    Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks.
    Incoming Message – data not encrypted:
      <Credit Card>
      <Cust>Brian P. Bell</Cust>
      <CreditCardNumber>3732 955939 395500</CreditCardNumber>
      <Credit Type>AMEX</Credit Type>
      ……
      </Credit Card>
    Encrypted & digitally signed Message:
      <Credit Card>
      <Cust>Brian P. Bell</Cust>
      <Encrypted CCN>ws389maz301</Encrypted CCN>
      <Credit Type>AMEX</Credit Type>
      ……
      </Credit Card>
    Flow: the client sends credit card information to be stored in the database through a supported protocol (HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc.). The encrypted XML data is delivered to the database over a direct DB connection to store the encrypted credit card for later use. The database sends a response message confirming the insertion of the encrypted credit card number, and the client receives that confirmation.
    Key Functions: Terminate SSL; Defend against XML threats; Validate XML (schema); Authentication; Authorization; Audit/Transaction Logging; Filter data; Encrypt/Decrypt message; Digitally sign message; Mask back-end resources; Route based on content.
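As an added example (not the deck's or DataPower's own code) of the field-level protection on this slide, the following Go program stands in for the gateway: it validates the incoming card number, replaces it with an authenticated AES-256-GCM ciphertext bound to the surrounding fields, and produces a masked audit line. The XML element names, the demo key and the test card number in the usage are constructed for the example; GCM's authentication tag plays the role of the slide's digital signature, and in a real deployment the key would come from the appliance's protected key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"strings"
)

// Card is the record in both directions: the client sends CreditCardNumber in
// clear, the gateway forwards EncryptedCCN instead (constructed sample).
type Card struct {
	XMLName      xml.Name `xml:"CreditCard"`
	Cust         string   `xml:"Cust"`
	PAN          string   `xml:"CreditCardNumber,omitempty"`
	EncryptedCCN string   `xml:"EncryptedCCN,omitempty"`
	CreditType   string   `xml:"CreditType"`
}

// LuhnValid is the "validate / filter data" step: reject before any crypto runs.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0') // a non-digit wraps to a value above 9
		if d > 9 {
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// MaskPAN keeps first six and last four digits (PCI DSS display rule) for the audit log.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// aad binds the ciphertext to the other fields: a PAN moved into another record fails.
func aad(c Card) []byte { return []byte(c.Cust + "\x00" + c.CreditType) }

// Gateway holds the field-encryption key (on the appliance: the protected key store).
type Gateway struct{ aead cipher.AEAD }

func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead: aead}, err
}

// Protect validates the PAN, replaces it with an AES-256-GCM ciphertext (random
// nonce prepended, base64 in the XML) and returns the record plus an audit line.
func (g *Gateway) Protect(in []byte) (out []byte, audit string, err error) {
	var c Card
	if err = xml.Unmarshal(in, &c); err != nil {
		return nil, "", err
	}
	pan := strings.ReplaceAll(c.PAN, " ", "")
	if !LuhnValid(pan) {
		return nil, "", errors.New("rejected: card number fails validation")
	}
	nonce := make([]byte, g.aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(pan), aad(c))
	c.PAN, c.EncryptedCCN = "", base64.StdEncoding.EncodeToString(ct)
	out, err = xml.Marshal(c)
	audit = "store cust=" + c.Cust + " pan=" + MaskPAN(pan) + " type=" + c.CreditType
	return out, audit, err
}

// Recover is the authorized read path; a tampered or transplanted record yields an error.
func (g *Gateway) Recover(stored []byte) (string, error) {
	var c Card
	if err := xml.Unmarshal(stored, &c); err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(c.EncryptedCCN)
	ns := g.aead.NonceSize()
	if err != nil || len(ct) < ns {
		return "", errors.New("malformed EncryptedCCN")
	}
	pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], aad(c))
	return string(pt), err
}
```

The audit line is what a Requirement 10 log should carry: the masked PAN, never the clear one.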
  • 14. Access Control & Credential Mapping
    Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access.
    1. Client sends request to App Server
    2. Request carries client username & password
    3. DataPower authenticates the client
    4. DataPower maps credentials for unified communication with the backend*
    * Assuming all authenticated users are authorized. Otherwise TAM or similar must be used for Authorization.
  • 15. DataPower Anti-Virus Protection
    • Allows messages and attachments to be checked for viruses
    • Integrates with corporate virus checking software through the ICAP protocol
    • Anti-Virus Processing Action eases configuration and use of this capability
    • Includes pre-configured Host Types (CLAM, Symantec, Trend, Webwasher) as well as customizability
  • 16. Logging of Transactions
    Requirement 10: Track and monitor all access to network resources and cardholder data.
    DataPower can log transactions passing through it to:
    - On-the-box File System
    - Database
    - Network File System
    - MQ queues
    - FTP Server
    DataPower can be integrated with monitoring software via the SNMP protocol (not vendor specific).
    Requirement 5: Use and regularly update anti-virus software. DataPower can integrate with antivirus software for attachment scanning.
  • 17. Protection against Open Web Application Security Project (OWASP) Top 10 Attacks
    Top 10 Most Critical Web Application Security Risks
  • 18. Open Web Application Security Project Compliance
    Provides Protection Against 100% Of OWASP Top 10 Risks
  • 19. DataPower has deployments across industries for PCI Compliance
    – National Uniform Provider
    – Major Prepaid Wireless carrier
    – Large US based Insurance Provider
    – Telecommunication Provider in Australia
  • 20. Summary: Business Benefits
    Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy to consume and extremely low TCO network device
    Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost
    Flexibility: Secure, integrate, bridge and version applications without application modification
    Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic
    Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”
    Reduce Risk: Takes the “grunt work” out of SOA application security and integration, allowing you to focus on building your business logic. The “in the network” platform allows improved security and audit capabilities without application modification
    Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives
    A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways
  • 21. DataPower Product Family Highlights
    B2B Appliance XB62: B2B Messaging (AS1/AS2/AS3/EDI); Trading Partner Profile Management; B2B Transaction Viewer; Support for HL7 and EDIfact Industry Pack
    Integration Appliance XI50B, XI50z, XI52: Hardware ESB; “Any-to-Any” Conversion at wire-speed; Bridges multiple protocols; Integrated message-level security; Network Load Balancing
    Service Gateway XG45: Enhanced Security Capabilities; Centralized Policy Enforcement; Fine-grained Authorization and Authentication; Network Load Balancing
  • 22. Mobile Payments Industry Activities – some examples
    – Mobile Payments Conference, October 10-11, 2012 | Park Central Hotel New York
    – WEBINAR: Does Your Call Recording Comply with PCI Data Security Standards? Learn Best Practices for Secure Handling of Customer Payment Card Data. Tuesday July 31, 2012, 2:00PM EST/11:00AM PST
    Even though PCI has been around since the mid 2000’s, industry activities are going on almost every week.
  • 23. Additional Information
    WebSphere DataPower home page – http://www-01.ibm.com/software/integration/datapower
    WebSphere DataPower Information Center (online help) – http://publib.boulder.ibm.com/infocenter/wsdatap/v3r8m1/index.jsp
    developerWorks – http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html
    WebSphere Education – http://www.ibm.com/software/websphere/education/
    IBM Software Services for WebSphere – http://www.ibm.com/developerworks/websphere/services/
    IBM WebSphere DataPower SOA Appliance Handbook – http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780137148196
    DataPower SOA Appliance Customer Forum – http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
  • 24. Additional Information
    Global WebSphere Community – http://www.websphereusergroup.org/datapower
    Technotes – http://www.ibm.com/search/csass/search?q=&sn=spe&lang=en&filter=collection:stgsysx,dblue,ic,pubs,devrel1&prod=U692969C82819Q63
    • DataPower Redbooks – http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
    DataPower on YouTube – http://www.youtube.com/watch?v=LRy0twFpmUQ
    zEnterprise and PCI-DSS compliance – http://www.businesswire.com/news/home/20100308006657/en/atsec-Publishes-Payment-Card-Industry-Compliance-Large
    • Certification Whitepaper regarding PCI Compliance – http://www.atsec.com/downloads/white-papers/PCI_Compliance_for_LCS.pdf
  • 25. Thank You
  • 27. Threat: A1 - Injection
    • Threat description
      – Injection flaws, such as SQL, command shell, or LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands, or accessing unauthorized data.
    • DataPower mitigation
      – Data type checking for invalid input
      – XML Threat protection setting for XPath injection
      – SQL injection filter configuration rejects SQL injections
      – Regular-expression filters used as a “catch-all” for shell injections, LDAP calls, PHP code, or any other programming language
  • 28. Threat: A2 - Cross-Site Scripting (XSS)
    • Threat description
      – XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
    • DataPower mitigation
      – Native XSS filter configuration for rejecting incoming/outgoing traffic that contains XSS content
  • 29. Threat: A3 - Broken Authentication and Session Management
    • Threat description
      – Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.
    • DataPower mitigation
      – Broad security standards support, i.e. WS-Security, XACML, SAML, SSL/TLS
      – “Out-of-the-box” integration with many industry-leading PDP solutions, such as Tivoli Access Manager, Active Directory, LDAP, SiteMinder, etc.
      – Centralized platform for Security governance
      – Tools for configurable AAA and Crypto processing, as well as key protection
  • 30. Threat: A4 - Insecure Direct Object References
    • Threat description
      – A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
    • DataPower mitigation
      – Enforces security decisions based on properly classified users authorized to specific resources and actions in a policy.
      – Transforms and exposes indirect object identifiers that are mapped to direct object identifiers at the application, such as references to an SSN or an Account number.
  • 31. Threat: A5 - Cross-Site Request Forgery (CSRF)
    • Threat description
      – A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
    • DataPower mitigation
      – Provides several building blocks to prevent such attacks:
        • Creation or checking of Nonce values
        • Generation or validation of Digital Signatures on each request
        • Creation or confirmation of Hash values
        • Injection or parsing of secondary session cookies present in hidden HTTP fields
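To make the CSRF building blocks on this slide concrete, here is an added Go example (not DataPower's code) that issues a per-request token carrying a random nonce, an expiry and an HMAC binding it to the session cookie, then validates it: a token for another session, an expired token, or a re-used nonce are all rejected. The secret, the session identifiers and the time-to-live are constructed for the example; the gateway would keep the secret in its key store.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// CSRFGuard issues and checks tokens of the form "nonce.expiry.mac" that a
// gateway injects into the page (hidden field) and verifies on every POST.
type CSRFGuard struct {
	secret []byte
	ttl    time.Duration
	Now    func() time.Time // overridable clock for tests
	seen   map[string]bool  // redeemed nonces; a real gateway expires these with the TTL
}

func NewCSRFGuard(secret []byte, ttl time.Duration) *CSRFGuard {
	return &CSRFGuard{secret: secret, ttl: ttl, Now: time.Now, seen: map[string]bool{}}
}

// mac signs session|nonce|expiry so the token is only valid with the session
// cookie it was issued for: a forged request cannot borrow another page's token.
func (g *CSRFGuard) mac(session, nonce, exp string) string {
	m := hmac.New(sha256.New, g.secret)
	m.Write([]byte(session + "|" + nonce + "|" + exp))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue creates a fresh token for the page served to the given session.
func (g *CSRFGuard) Issue(session string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := base64.RawURLEncoding.EncodeToString(raw)
	exp := strconv.FormatInt(g.Now().Add(g.ttl).Unix(), 10)
	return nonce + "." + exp + "." + g.mac(session, nonce, exp), nil
}

// Check validates the token from the hidden form field against the session
// cookie actually sent with the request. Order matters: the signature is
// checked first so unsigned garbage never touches the nonce store.
func (g *CSRFGuard) Check(session, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	nonce, exp, sig := parts[0], parts[1], parts[2]
	if !hmac.Equal([]byte(sig), []byte(g.mac(session, nonce, exp))) {
		return errors.New("signature mismatch: token not issued for this session")
	}
	t, err := strconv.ParseInt(exp, 10, 64)
	if err != nil || g.Now().Unix() > t {
		return errors.New("token expired")
	}
	if g.seen[nonce] {
		return errors.New("nonce already redeemed")
	}
	g.seen[nonce] = true // single use: a captured token cannot be replayed
	return nil
}
```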
• 32. Threat: A6 - Security Misconfiguration
  • Threat description
    – Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. A system can be completely compromised without anyone knowing it, with all of its data stolen, or modified slowly over time.
  • DataPower mitigation
    – DataPower can’t solve this problem alone, but it can significantly reduce the scope of what must be configured or programmed.
    – By pulling security policies and functions away from application servers and centralizing them on DataPower, the chance of security misconfiguration is reduced because the number of systems that contain security processing code is also reduced.
    – Additionally, centralizing corporate-wide security policies on a common gateway means that the services that trust the gateway all share one consistent security policy.
• 33. Threat: A7 - Insecure Cryptographic Storage
  • Threat description
    – Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
  • DataPower mitigation
    – Standards-based cryptographic processing, such as encryption and hash operations
    – Secured key material stored in the encrypted part of the file system
    – Encrypts sensitive data and stores it in a database, and gives authorized applications access to the confidential data only through DataPower, in essence functioning as a Data-as-a-Service (DaaS) provider
• 34. Threat: A8 - Failure to Restrict URL Access
  • Threat description
    – Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
  • DataPower mitigation
    – Leverage DataPower’s explicit white-list policy model using Matching rules
    – Enforces per-request authentication and resource-based authorization based on the AAA framework
    – URL rewrites to hide the original URL of the backend application
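An explicit allow-list evaluated on every request, in the spirit of the matching rules this slide refers to, as an added example written for this page in plain Node.js (not DataPower's matching-rule syntax and not from the deck). Each rule pairs a `*`-glob URL pattern with the methods and the role it permits; the first matching rule decides, and a request that matches no rule is rejected rather than passed through, so a "hidden" page reached by a forged URL is refused just like a visible one. The rules, the role names and the request shape are constructed assumptions; the path normalisation is included because an allow-list is only as good as its handling of `..` and percent-encoded segments.

```javascript
'use strict';

// Ordered matching rules: URL glob ('*' = any run of characters), permitted methods and the
// role the AAA step must have established. Anything that matches no rule is rejected.
const MATCHING_RULES = [
  { url: '/api/accounts/*', methods: ['GET'],         role: 'customer' },
  { url: '/api/payments/*', methods: ['GET', 'POST'], role: 'customer' },
  { url: '/api/admin/*',    methods: ['GET', 'POST'], role: 'admin' },
];

// Turn a '*'-glob into an anchored regular expression; every other character is literal.
function globToRegex(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Decode and collapse '.' and '..' segments before matching, so that
// '/api/accounts/../admin/x' or '%2e%2e' cannot slip past a rule written for '/api/admin/*'.
function normalizePath(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath.split('?')[0]); } catch { return null; }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Authorize one request: { method, path, roles }. Per-request, explicit allow, default deny.
function authorize(req) {
  const path = normalizePath(req.path);
  if (path === null) return { allow: false, reason: 'malformed path' };
  for (const rule of MATCHING_RULES) {
    if (!globToRegex(rule.url).test(path)) continue;
    if (!rule.methods.includes(req.method)) return { allow: false, reason: 'method not allowed' };
    if (!req.roles.includes(rule.role)) return { allow: false, reason: 'not authorized for ' + rule.url };
    return { allow: true, rule: rule.url };
  }
  return { allow: false, reason: 'no matching rule (default deny)' };
}
```

Rule order matters with overlapping globs: put the most specific patterns first, and keep the fall-through a rejection, never a pass-through to the backend.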
• 35. Threat: A9 - Insufficient Transport Layer Protection
  • Threat description
    – Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
  • DataPower mitigation
    – SSL Proxy configuration secures traffic using SSL/TLS
    – Strong SSL cipher suite is available and enabled by default
    – Clients can be trusted using mutual authentication
    – CRL and OCSP support ensures certificates are valid and trusted
    – The key material is stored securely in an encrypted portion of the flash memory
• 36. Threat: A10 - Unvalidated Redirects and Forwards
  • Threat description
    – Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  • DataPower mitigation
    – For applications that never issue redirects, the gateway can be configured to reject HTTP 302 responses outright
    – HTTP Front-side handler, User-Agent and URL Rewrite configurations can be used to flag and reject such redirects as potential threats
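Both mitigations on this slide in working form, as an added example written for this page in plain Node.js (not DataPower configuration and not from the deck): a response rule that blocks every 3xx for a service that never redirects, and, for services that do, validates the `Location` header against an allow-list of hosts before letting the redirect reach the browser. The origin, the allowed hosts and the response object shape are constructed assumptions. The validation resolves the header against the service's own origin with the WHATWG `URL` parser, which is what catches protocol-relative (`//evil`), userinfo (`https://good@evil`), look-alike suffix and non-`https:` targets.

```javascript
'use strict';

// Hosts a Location header may point at, and the origin relative paths resolve against
// (both constructed for the example).
const ALLOWED_REDIRECT_HOSTS = new Set(['shop.example.com', 'pay.example.com']);
const OWN_ORIGIN = 'https://shop.example.com';

// Returns the safe absolute redirect target, or null if the redirect must be blocked.
function validateRedirect(location) {
  if (typeof location !== 'string' || location.length === 0) return null;
  let target;
  try {
    target = new URL(location, OWN_ORIGIN);   // '/path' -> own origin; '//host' -> that host
  } catch {
    return null;
  }
  if (target.protocol !== 'https:') return null;            // rejects http:, javascript:, data:
  if (!ALLOWED_REDIRECT_HOSTS.has(target.hostname)) return null;
  if (target.username || target.password) return null;      // https://shop.example.com@evil
  return target.href;                                       // normalised absolute URL
}

// Gateway response rule. `resp` is a constructed backend response { status, headers, body }.
// With allowRedirects=false every 3xx is turned into an error (the "reject HTTP 302" option);
// otherwise the Location header must pass validateRedirect, and is rewritten to its
// normalised absolute form on the way out.
function filterResponse(resp, allowRedirects = true) {
  if (resp.status < 300 || resp.status > 399) return resp;
  if (!allowRedirects) return { status: 502, headers: {}, body: 'unexpected redirect blocked' };
  const safe = validateRedirect(resp.headers.Location);
  if (safe === null) return { status: 502, headers: {}, body: 'redirect target rejected' };
  return { status: resp.status, headers: { ...resp.headers, Location: safe }, body: resp.body };
}
```

Matching on `hostname` after parsing, rather than on a string prefix of the raw header, is the whole trick: every bypass in the test below is a string that starts with something that looks like the allowed host.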